1.3 Explain the working principles of the Cisco SD-WAN solution
📘 CCNP ENCOR (350-401 v1.1)
1. Introduction to Cisco SD-WAN Architecture
Cisco SD-WAN is a software-defined wide area network solution that separates:
- Control Plane – decides how traffic should flow
- Data Plane – forwards actual traffic packets
- Management Plane – used for configuration and monitoring
This separation allows centralized control, better security, and intelligent routing decisions.
For this topic (1.3.a), the exam focuses specifically on:
- Control plane elements
- Data plane elements
- How these components interact
2. Planes in Cisco SD-WAN (Quick Overview)
| Plane | Purpose |
|---|---|
| Management Plane | Centralized configuration, monitoring, and policy |
| Control Plane | Routing intelligence, tunnel information, path selection |
| Data Plane | Actual packet forwarding |
⚠️ Exam note:
You must clearly understand which components belong to control plane and which belong to data plane.
3. Cisco SD-WAN Control Plane Elements
The control plane is responsible for:
- Exchanging routing information
- Establishing secure tunnels
- Distributing policies
- Making path-selection decisions
Main Control Plane Components:
- vSmart Controllers
- OMP (Overlay Management Protocol)
- Control Connections
- TLOCs (Transport Locators)
3.1 vSmart Controller (Control Plane Brain)
The vSmart controller is the central intelligence of Cisco SD-WAN.
Key Functions of vSmart:
- Maintains routing information for the entire SD-WAN fabric
- Receives routes from all SD-WAN edge devices
- Applies centralized policies
- Advertises optimized routes back to edge devices
- Controls traffic engineering and path selection
Important Characteristics:
- vSmart does NOT forward traffic
- It only handles control plane information
- Multiple vSmart controllers can exist for redundancy
⚠️ Exam tip:
If traffic forwarding is mentioned → NOT vSmart
3.2 OMP (Overlay Management Protocol)
OMP is the overlay routing protocol of Cisco SD-WAN. It runs between vSmart controllers and SD-WAN edge devices, never directly between two edges.
What OMP Does:
- Exchanges routing information between:
- vSmart controllers
- SD-WAN edge devices
- Carries three route types:
- OMP routes (vRoutes) – site prefixes, tagged with the TLOC(s) through which they are reachable
- TLOC routes – transport details for each WAN interface, including the IPsec keys the edge generated for its data plane tunnels
- Service routes – network services at a site (firewall, IDS, IPS, load balancer) that a policy can insert into the traffic path
- Carries the result of centralized policy (vSmart applies the policy and advertises only the routes and attributes the policy allows)
What OMP Replaces:
Inside the overlay, OMP takes the place of traditional WAN routing protocols such as:
- BGP
- OSPF
- EIGRP
These protocols still run on the LAN side of an edge device; their routes are redistributed into OMP, and OMP routes are redistributed back out to the LAN.
⚠️ Exam note:
OMP is not a stand-alone protocol on the wire: it is carried inside the DTLS or TLS control connection between an edge and vSmart, so OMP updates (including the data plane keys) are always authenticated and encrypted, even when the underlay is the public internet.
3.3 Control Plane Connections
Control plane connections are secure communication channels used for exchanging control information.
Types of Control Connections:
- DTLS (default, UDP port 12346) or TLS (TCP port 23456) tunnels, mutually authenticated with device certificates
- Established between:
- vEdge / cEdge devices
- vSmart controllers
- Edge devices also keep a control connection to vManage (management plane) and use a transient one to vBond, which authenticates the device and points it to the controllers; vBond is the first connection an edge makes
Purpose:
- Exchange routing and policy information
- Securely distribute encryption keys
- Maintain control plane stability
⚠️ Key point for exam:
Control plane traffic is separate from data plane traffic.
3.4 TLOC (Transport Locator)
A TLOC identifies one WAN attachment point of an SD-WAN device: it is the overlay next hop that OMP routes point to, and it is what a remote edge builds a data plane tunnel toward.
A TLOC Is Defined By:
- System IP – unique identifier of the device, similar to a router ID
- Transport Color – a label for the WAN transport (mpls, biz-internet, lte, etc.), used to match tunnels between sites
- Encapsulation – IPsec (default, encrypted) or GRE
Example colors:
- MPLS interface → color mpls
- Internet interface → color biz-internet
- LTE interface → color lte
Each WAN tunnel interface (each color) on a device creates a separate TLOC, so an edge with two transports advertises two TLOCs that share the same system IP.
⚠️ Exam tip:
TLOCs are exchanged using OMP.
4. Cisco SD-WAN Data Plane Elements
The data plane is responsible for:
- Forwarding actual user traffic
- Applying encryption
- Selecting the best available path based on policies
4.1 SD-WAN Edge Devices (vEdge / cEdge)
These devices forward traffic and form the data plane.
Types of Edge Devices:
| Device Type | Description |
|---|---|
| vEdge | Original Cisco SD-WAN router |
| cEdge | IOS-XE router running SD-WAN software |
Key Responsibilities:
- Forward packets between sites
- Encrypt traffic using IPsec
- Measure tunnel performance with BFD probes (loss, latency, jitter)
- Apply centralized and local policies
⚠️ Exam note:
Edge devices participate in both control and data planes, but traffic forwarding happens in the data plane.
4.2 Data Plane Tunnels (IPsec)
User traffic between sites is carried through encrypted IPsec tunnels built directly between edge devices (GRE encapsulation is possible but is unencrypted and is not the default).
Data Plane Tunnel Characteristics:
- Edge-to-edge encryption (the tunnel terminates on the edge devices, not on any controller)
- Automatically created between edge devices, one per pair of TLOCs
- Uses keys that each edge generates for itself and advertises in its TLOC routes; vSmart distributes them over OMP, so no IKE negotiation runs between edges
- Runs independently from control plane tunnels
What Runs Inside Data Plane Tunnels:
- User application traffic
- Business data
- Inter-site communication
⚠️ Important distinction:
- Control plane → TLS/DTLS
- Data plane → IPsec
4.3 Path Selection and Traffic Steering
Although vSmart decides policies, the edge device makes real-time forwarding decisions.
Data Plane Decisions Include:
- Selecting the best WAN link
- Switching paths when quality degrades
- Applying SLA-based routing
Metrics Used:
- Latency
- Packet loss
- Jitter
Edge devices continuously measure each tunnel with BFD probes and use this data to forward traffic intelligently: with application-aware routing, a flow is steered onto a tunnel that meets its SLA class and moved when that tunnel falls out of SLA.
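As an added example (not Cisco code, and not the vendor's selection algorithm), the following Python models the real-time decision an edge makes for one flow: each tunnel is represented by its latest BFD measurements, and the flow is steered onto a tunnel that meets the SLA class, preferring one color and moving only when the path in use falls out of SLA. The SLA thresholds, color names, the `strict` drop behaviour and the probe values are assumptions constructed for illustration.

```python
"""Added example (not Cisco code): real-time path selection on an edge device.
Each tunnel (one per color) is measured by BFD probes; a flow is steered onto
a tunnel that meets its SLA class, preferring one color and moving only when
the path in use falls out of SLA. Thresholds, colors and probe values below
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelStats:
    """Latest BFD measurements for one data plane tunnel (constructed values)."""
    color: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an app-aware routing policy attaches to a traffic class."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

    def met_by(self, t: TunnelStats) -> bool:
        return (t.loss_pct <= self.max_loss_pct
                and t.latency_ms <= self.max_latency_ms
                and t.jitter_ms <= self.max_jitter_ms)


def select_path(tunnels, sla, preferred_color=None, current=None, strict=False):
    """Return the color of the tunnel this flow should use right now.

    Order of preference (assumed for this example):
      1. the preferred color, if it currently meets the SLA
      2. the tunnel already in use, if it still meets the SLA (avoid flapping)
      3. any other tunnel meeting the SLA, lowest latency first
      4. no tunnel meets the SLA: with strict=True the flow is dropped (None),
         otherwise it is sent over the least-bad tunnel rather than black-holed
    """
    by_color = {t.color: t for t in tunnels}
    in_sla = [t for t in tunnels if sla.met_by(t)]
    if preferred_color in by_color and sla.met_by(by_color[preferred_color]):
        return preferred_color
    if current in by_color and sla.met_by(by_color[current]):
        return current
    if in_sla:
        return min(in_sla, key=lambda t: t.latency_ms).color
    if strict:
        return None
    return min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms)).color


def steer(rounds, sla, preferred_color=None, strict=False):
    """Replay successive BFD measurement rounds and record the path chosen each time."""
    current, history = None, []
    for tunnels in rounds:
        current = select_path(tunnels, sla, preferred_color, current, strict)
        history.append(current)
    return history


# Assumed SLA for voice and four constructed BFD rounds: MPLS healthy, MPLS
# loses packets, MPLS recovers, then every transport is out of SLA.
VOICE = SlaClass("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30)
ROUNDS = [
    [TunnelStats("mpls", 0.1, 20, 2), TunnelStats("biz-internet", 0.2, 35, 5), TunnelStats("lte", 1.5, 90, 20)],
    [TunnelStats("mpls", 3.0, 20, 2), TunnelStats("biz-internet", 0.2, 35, 5), TunnelStats("lte", 1.5, 90, 20)],
    [TunnelStats("mpls", 0.1, 20, 2), TunnelStats("biz-internet", 0.2, 35, 5), TunnelStats("lte", 1.5, 90, 20)],
    [TunnelStats("mpls", 5.0, 200, 50), TunnelStats("biz-internet", 2.0, 160, 40), TunnelStats("lte", 1.5, 90, 20)],
]

if __name__ == "__main__":
    print(steer(ROUNDS, VOICE, preferred_color="mpls"))               # ['mpls', 'biz-internet', 'mpls', 'lte']
    print(steer(ROUNDS, VOICE, preferred_color="mpls", strict=True))  # ['mpls', 'biz-internet', 'mpls', None]
```

The replay shows the two things the exam cares about: the decision is made on the edge from live measurements, with no controller in the loop, and the fallback when nothing meets the SLA is a policy choice (keep forwarding on the least-bad path, or drop in strict mode) rather than an automatic outcome.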
5. Interaction Between Control and Data Planes
Step-by-Step Flow:
- Edge devices authenticate with certificates (vBond validates them and points them to the controllers) and establish DTLS/TLS control connections to vSmart
- OMP exchanges prefixes, TLOCs (carrying the data plane keys) and service routes
- vSmart applies centralized policies and advertises the resulting routes and TLOCs back to the edges
- Edge devices create IPsec data plane tunnels to the TLOCs they learned
- Traffic flows directly between edge devices
⚠️ Exam highlight:
vSmart is not in the traffic path
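The flow above, as an added example in Python (this is a toy model written for this page, not Cisco code): edges advertise TLOC routes over OMP, vSmart applies a centralized policy and re-advertises, and each edge builds data plane tunnels only toward the TLOCs it learned, while vSmart itself never holds a tunnel. The site IDs, system IPs, colors, addresses, the hub-and-spoke policy and the same-color tunnel rule are assumptions chosen for illustration.

```python
"""Added example (not Cisco code): toy model of the control/data plane split.
Edges advertise TLOC routes over OMP, vSmart applies a centralized policy and
re-advertises, and each edge builds IPsec data plane tunnels only toward the
TLOCs it learned. Site IDs, colors, addresses and the hub-and-spoke policy are
assumptions chosen for illustration."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Tloc:
    """Transport Locator: system IP + transport color + encapsulation."""
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class TlocRoute:
    """OMP TLOC route: the TLOC, its public address, and the data plane key
    the advertising edge generated locally (there is no IKE between edges)."""
    tloc: Tloc
    public_ip: str
    key: bytes


class Edge:
    """vEdge / cEdge: speaks OMP in the control plane, forwards in the data plane."""

    def __init__(self, system_ip, site_id, wan):
        self.system_ip = system_ip
        self.site_id = site_id
        self.wan = wan                       # color -> public IP of that WAN interface
        self.advertised = [                  # one TLOC route per tunnel interface
            TlocRoute(Tloc(system_ip, color), ip, secrets.token_bytes(32))
            for color, ip in wan.items()
        ]
        self.learned = {}                    # Tloc -> TlocRoute received from vSmart
        self.tunnels = set()                 # data plane: (local Tloc, remote Tloc)

    def install(self, routes):
        """Process vSmart's OMP update and bring up IPsec tunnels. Same color to
        same color only, which is how a tunnel interface with 'restrict' behaves
        (assumed here to keep the model small)."""
        for r in routes:
            if r.tloc.system_ip == self.system_ip:
                continue                     # ignore our own TLOCs reflected back
            self.learned[r.tloc] = r
            if r.tloc.color in self.wan:
                self.tunnels.add((Tloc(self.system_ip, r.tloc.color), r.tloc))

    def key_for(self, remote: Tloc) -> bytes:
        """Key used to encrypt toward a remote TLOC: learned over OMP, never negotiated."""
        return self.learned[remote].key


class VSmart:
    """Control plane only: holds TLOC routes and policy, never builds a tunnel."""

    def __init__(self, hub_site):
        self.hub_site = hub_site
        self.rib = {}                        # site_id -> [TlocRoute]

    def receive(self, edge):
        self.rib[edge.site_id] = list(edge.advertised)

    def advertise_to(self, edge):
        """Assumed hub-and-spoke policy: the hub learns every TLOC, a spoke learns
        only the hub's TLOCs, so spokes never form tunnels to each other."""
        if edge.site_id == self.hub_site:
            return [r for routes in self.rib.values() for r in routes]
        return list(self.rib[self.hub_site])


def build_fabric():
    """Constructed topology: one dual-transport hub, a dual-transport spoke, an internet-only spoke."""
    hub = Edge("10.0.0.1", 100, {"mpls": "203.0.113.1", "biz-internet": "198.51.100.1"})
    spoke_a = Edge("10.0.0.2", 200, {"mpls": "203.0.113.2", "biz-internet": "198.51.100.2"})
    spoke_b = Edge("10.0.0.3", 300, {"biz-internet": "198.51.100.3"})
    vsmart = VSmart(hub_site=100)
    edges = [hub, spoke_a, spoke_b]
    for e in edges:                          # steps 1-2: control connections up, OMP advertises
        vsmart.receive(e)
    for e in edges:                          # steps 3-4: policy applied, tunnels built
        e.install(vsmart.advertise_to(e))
    return vsmart, hub, spoke_a, spoke_b


if __name__ == "__main__":
    vsmart, hub, a, b = build_fabric()
    for e in (hub, a, b):
        print(e.system_ip, sorted((l.color, r.system_ip) for l, r in e.tunnels))
```

Running it prints three tunnels on the hub, two on the dual-transport spoke and one on the internet-only spoke, all terminating on the hub: the spokes hold each other's prefixes nowhere because vSmart filtered the TLOC routes, which is the control plane deciding the data plane topology without ever touching a packet.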
6. Key Exam Summary Table
| Component | Plane | Role |
|---|---|---|
| vSmart | Control | Routing intelligence and policies |
| OMP | Control | Routing and information exchange |
| Control Tunnels (DTLS/TLS) | Control | Secure transport for OMP, policy and key distribution |
| TLOC | Control | WAN reachability info |
| vEdge / cEdge | Data | Packet forwarding |
| IPsec Tunnels | Data | Encrypted traffic transport |
7. Important Exam Takeaways
- Control plane decides, data plane forwards
- vSmart never forwards traffic
- OMP is the SD-WAN routing protocol
- Data plane uses IPsec
- Control plane uses TLS/DTLS
- Edge devices handle real-time path selection
8. Final Exam Tips
- Know which component belongs to which plane
- Expect match-the-component and multiple-choice questions
- Pay attention to keywords like routing, policy, forwarding, encryption
