SD-WAN Architecture Overview
Objective
Understand the four logical planes of Cisco Catalyst SD‑WAN — Management (vManage), Orchestration (vBond/Validator), Control (vSmart/Controller), and Data (WAN Edge) — and how they interact. You will configure basic interface addressing and per‑VPN (VRF) interfaces for transport (VPN0) and management (VPN512), observe the control‑plane relationships, and verify the resulting connectivity. This matters in production because correct plane separation and transport addressing enable secure overlay formation, NAT traversal, and policy dissemination across a campus, branch and data‑center fabric. Real world scenario: a multi‑site Enterprise (NHPREP) deploying SD‑WAN where branch WAN Edges must authenticate to controllers through an orchestrator and advertise per‑VPN routes while keeping management traffic on a dedicated VPN.
Tip: Think of the four planes as four teams in an operation — Management plans changes (vManage), Orchestration introduces the teams to each other (vBond/Validator), Control decides who talks to whom and what gets advertised (vSmart), and Data actually carries the packets between sites (WAN Edge).
Topology & Device Table
ASCII topology (exact IPs shown on every interface):
                        Internet
               Public IPs 203.0.113.0/24

+-----------------------------+   +-------------------------+
| vBond (Orchestrator)        |---| WAN Edge (Branch)       |
| Interface: Gig0/0           |   | Interface: Gig0/0       |
| IP: 203.0.113.11/24         |   | IP: 203.0.113.210/24    |
| Role: Orchestrator (vBond)  |   | Role: WAN Edge (Edge1)  |
+-----------------------------+   +-------------------------+
               |                                  |
               |                                  |
               |                                  |
  Private management network 10.0.0.0/24          |
+-----------------------------+                   |
| vManage (Manager)           |-------------------+
| Interface: Gig0/1           |
| IP: 10.0.0.11/24            |
| Role: Management (vManage)  |
+-----------------------------+
               |
               |
+-----------------------------+
| vSmart (Controller)         |
| Interface: Gig0/1           |
| IP: 10.0.0.12/24            |
| Role: Control (vSmart)      |
+-----------------------------+
Device table
| Device | Interface | IP Address | Subnet Mask | Role |
|---|---|---|---|---|
| vManage | GigabitEthernet0/1 | 10.0.0.11 | 255.255.255.0 | Management plane (vManage) |
| vSmart | GigabitEthernet0/1 | 10.0.0.12 | 255.255.255.0 | Control plane (vSmart) |
| vBond | GigabitEthernet0/0 | 203.0.113.11 | 255.255.255.0 | Orchestration plane (vBond) |
| WAN-Edge1 | GigabitEthernet0/0 | 203.0.113.210 | 255.255.255.0 | Data plane (WAN Edge) |
Warning: The public IPs are shown as examples in the documentation. In production, the orchestrator (vBond/Validator) requires a publicly reachable IP (or 1:1 NAT) so WAN Edges can discover it for NAT traversal and bring up control channels.
Key Concepts (theory before hands‑on)
- Four planes and why they matter
  - Management plane (vManage): central GUI and policy/orchestration point. In production this is the single pane for policy, templates, and lifecycle management — treat it as the administrative brain.
  - Orchestration plane (vBond / Validator): first contact for WAN Edges. It authenticates devices (white‑list model) and tells them how to reach Controllers and vManage. It also facilitates NAT traversal when Edges are behind NAT.
  - Control plane (vSmart / Controller): distributes control information (OMP routes / keys / policies). OMP behaves like a routing protocol over secure connections and advertises per‑VPN routes to Edges.
  - Data plane (WAN Edge): forms pairwise encrypted tunnels (session keys per‑peer/transport) and carries user traffic. Each transport (MPLS, Internet, LTE) is identified by a TLOC color for policy decisions.
- Per‑VPN segmentation
  - VPN0 is reserved for transport interfaces (underlay). VPN512 is reserved for management. Each VPN (VRF) has a separate forwarding table; OMP advertises reachability for VPNs to other Edges via vSmart.
- TLOCs, colors, and NAT
  - A TLOC maps to a physical WAN interface and is tagged with a color (private, public, mpls, lte). When NAT exists, the Validator discovers the Edge's public IP and the Edge uses that for control/data tunnels. This matters for overlay formation and policy decisions — think of color as the interface's identity for path selection.
- Session keys and anti‑replay
  - Pairwise session keys (AB & BA) protect the data plane and are advertised via the controller (OMP). IPsec/AES‑GCM provides confidentiality and integrity; sequence numbers and sliding windows prevent replay attacks. In production this ensures traffic confidentiality for multi‑transport redundant paths.
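The sequence-number and sliding-window check mentioned above, shown as an added example that is not Cisco's implementation or code from this lesson: a receiver-side window in the style of RFC 4303. The 64-packet window size, the names `ReplayWindow` and `classify`, and the sample sequence numbers are assumptions constructed for illustration.

```python
# Added example: sliding-window anti-replay check in the style of RFC 4303 (ESP).
# Window size and sample sequence numbers are constructed for illustration.

class ReplayWindow:
    """Receiver-side anti-replay state for one pairwise data-plane session."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def check_and_update(self, seq):
        """Return True to accept the packet, False to drop it as replayed or stale.

        Intended to run only after the AES-GCM tag has verified, so a forged
        sequence number cannot move the window.
        """
        if seq <= 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # Slide forward; entries pushed past the window edge are forgotten.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False               # older than the window: freshness unknown
        if self.bitmap & (1 << offset):
            return False               # already seen: replay
        self.bitmap |= 1 << offset     # late but new: accept and remember
        return True


def classify(seqs, size=64):
    """Run sequence numbers through one window; return (seq, verdict) pairs."""
    win = ReplayWindow(size)
    return [(s, "accept" if win.check_and_update(s) else "drop") for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, reordered, replayed and stale packets.
    for seq, verdict in classify([1, 2, 5, 3, 5, 2, 70, 6, 7]):
        print(seq, verdict)
```

Packet 3 arrives late but inside the window and is accepted; the second 5 and 2 are replays; after the jump to 70, packet 6 falls just outside the 64-packet window and is dropped while 7 is still inside it.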
Step‑by‑step configuration
Note: For this lesson we configure base IP addressing, place interfaces into VPN0 and VPN512 using sub‑interfaces (logical separation), and verify controller discovery and basic control plane reachability. Commands are shown for IOS‑style devices and for clarity include full mode entry and exit.
Step 1: Configure Management Plane IP addresses (vManage & vSmart)
What we are doing: Assign management IPs on the private management network (10.0.0.0/24) for vManage and vSmart so they can communicate. Management connectivity is required so vManage can administer vSmart and the fabric can exchange control information securely.
vManage# configure terminal
vManage(config)# interface GigabitEthernet0/1
vManage(config-if)# ip address 10.0.0.11 255.255.255.0
vManage(config-if)# no shutdown
vManage(config-if)# exit
vManage(config)# exit
vManage# write memory
Building configuration...
[OK]
What just happened: The interface GigabitEthernet0/1 on vManage now has 10.0.0.11/24 and is administratively up. This provides reachability to vSmart at 10.0.0.12/24 for management and control signaling. In SD‑WAN, management plane systems must be reachable for policy push and template distribution.
Real-world note: In production, management networks are often private subnets with limited access; protect vManage using RBAC and firewall rules because it can change the entire fabric.
Verify:
vManage# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/1 10.0.0.11 YES manual up up
Loopback0 127.0.0.1 YES manual up up
vBond# configure terminal
vBond(config)# interface GigabitEthernet0/0
vBond(config-if)# ip address 203.0.113.11 255.255.255.0
vBond(config-if)# no shutdown
vBond(config-if)# exit
vBond(config)# exit
vBond# write memory
Building configuration...
[OK]
What just happened: vBond is now accessible at 203.0.113.11/24. When a WAN Edge is behind NAT, the Validator/orchestrator discovers the public IP (post‑NAT) and distributes it so other components can form control/data connections. This is a critical step for facilitating NAT traversal.
Real-world note: Many deployments place vBond behind a firewall or NAT and publish a stable public IP or hostname; ensure TLS certificates and firewall rules reflect the reachable address.
Verify:
vBond# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 203.0.113.11 YES manual up up
Loopback0 127.0.0.1 YES manual up up
WAN-Edge1# configure terminal
WAN-Edge1(config)# interface GigabitEthernet0/0
WAN-Edge1(config-if)# description Transport-to-Internet (VPN0)
WAN-Edge1(config-if)# ip address 203.0.113.210 255.255.255.0
WAN-Edge1(config-if)# no shutdown
WAN-Edge1(config-if)# exit
WAN-Edge1(config)# interface GigabitEthernet0/0.512
WAN-Edge1(config-subif)# encapsulation dot1Q 512
WAN-Edge1(config-subif)# description Management (VPN512)
WAN-Edge1(config-subif)# ip address 10.0.0.210 255.255.255.0
WAN-Edge1(config-subif)# no shutdown
WAN-Edge1(config-subif)# exit
WAN-Edge1(config)# exit
WAN-Edge1# write memory
Building configuration...
[OK]
What just happened: The physical interface GigabitEthernet0/0 carries the transport IP 203.0.113.210/24 used for TLOC creation. A sub‑interface GigabitEthernet0/0.512 (VLAN tag 512) provides a management IP 10.0.0.210/24 inside VPN512. In SD‑WAN architectures, transport traffic stays in VPN0 and management/control sockets use VPN512 so controllers and manager can reach device management interfaces independently of user data.
Real-world note: Using sub‑interfaces is one method of separating management from transport on hardware routers; ensure physical switches carry the VLAN 512 tag if necessary.
Verify:
WAN-Edge1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 203.0.113.210 YES manual up up
GigabitEthernet0/0.512 10.0.0.210 YES manual up up
Loopback0 127.0.0.1 YES manual up up
WAN-Edge1# ping 203.0.113.11 source 203.0.113.210
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.11, timeout is 2 seconds:
!!!!!
WAN-Edge1# ping 10.0.0.11 source 10.0.0.210
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
!!!!!
What just happened: Successful ICMP replies indicate the WAN Edge can reach the orchestrator's public IP and the management plane (vManage) on the private management network. In a real SD‑WAN deployment, after this reachability, the Edge would perform certificate‑based authentication via the orchestrator, the orchestrator would provide vSmart/vManage addresses, and control connections using OMP (over DTLS/TLS) would be established.
Real-world note: While ping shows IP reachability, actual SD‑WAN control channels use secure protocols and certificate exchange; ensure time and certificates are properly synced before expecting full overlay formation.
Verify:
WAN-Edge1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0.512
C 203.0.113.0/24 is directly connected, GigabitEthernet0/0
vSmart# show vrf
VRF-Name DefaultRD Interfaces
VPN0 0:0 GigabitEthernet0/0
VPN512 512:512 GigabitEthernet0/0.512
What just happened: The output lists VRFs VPN0 and VPN512 with their interfaces. VPN0 has the transport interface while VPN512 carries management — they are separate forwarding tables. In an SD‑WAN fabric, OMP advertises reachability into service VPNs (VPNn) but keeps VPN0 for underlay-related reachability.
Real-world note: Failure to isolate transport and management can expose controllers or management interfaces to untrusted networks; always adhere to VPN0/VPN512 separation.
Verify:
vSmart# show vrf
VRF-Name DefaultRD Interfaces
VPN0 0:0 GigabitEthernet0/0
VPN512 512:512 GigabitEthernet0/0.512
Verification Checklist
- Check 1: vManage and vSmart management IPs are reachable — use ping from vManage to vSmart and expect replies.
  - Verification: vManage# ping 10.0.0.12 source 10.0.0.11 → !!!!!
- Check 2: WAN Edge transport public IP can reach vBond public address — use ping from WAN Edge to vBond and expect replies.
  - Verification: WAN-Edge1# ping 203.0.113.11 source 203.0.113.210 → !!!!!
- Check 3: VPN0 and VPN512 interfaces are present and in separate VRFs — use show ip interface brief and show vrf on any controller/edge.
  - Verification: WAN-Edge1# show ip interface brief shows GigabitEthernet0/0 = 203.0.113.210 and GigabitEthernet0/0.512 = 10.0.0.210
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| vEdge cannot reach vBond (ping fails) | vBond not reachable over public IP or firewall blocking port | Ensure vBond public IP 203.0.113.11 is reachable; allow necessary control ports and ICMP for troubleshooting |
| vManage cannot push templates | vManage and vSmart unreachable on management network | Verify management IPs 10.0.0.11 and 10.0.0.12 and correct VLAN/subnet (10.0.0.0/24) |
| Management interface ends in wrong VRF | Misconfigured sub‑interface or wrong VLAN tag | Confirm GigabitEthernet0/0.512 uses VLAN tag 512 and IP 10.0.0.210/24 |
| Overlay never forms (no OMP routes) | Orchestrator not distributing controller list or certificates not exchanged | Check orchestration reachability to vBond and ensure certificate/authentication workflow completes |
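One way to automate Check 3 and the wrong-VLAN-tag row of the table above, as an added example that is not part of the original lesson or any Cisco tool: it parses the IOS-style interface lines used for WAN-Edge1 and reports management addresses that are not on the dot1Q 512 sub-interface. The names `parse_interfaces`, `audit` and `BAD_CONFIG` are hypothetical, and `BAD_CONFIG` is a constructed misconfiguration.

```python
import ipaddress
import re

# Management subnet and VLAN tag as given in the lesson's WAN-Edge1 step.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
MGMT_VLAN = 512

# WAN-Edge1 interface lines as entered in the lesson.
GOOD_CONFIG = """\
interface GigabitEthernet0/0
 description Transport-to-Internet (VPN0)
 ip address 203.0.113.210 255.255.255.0
interface GigabitEthernet0/0.512
 encapsulation dot1Q 512
 description Management (VPN512)
 ip address 10.0.0.210 255.255.255.0
"""
# Constructed misconfiguration: wrong VLAN tag on the management sub-interface.
BAD_CONFIG = GOOD_CONFIG.replace("dot1Q 512", "dot1Q 12")

def parse_interfaces(config):
    """Return {interface: {"vlan": int or None, "ip": IPv4Interface or None}}."""
    ifaces, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"vlan": None, "ip": None})
        elif cur is None:
            continue
        elif m := re.fullmatch(r"encapsulation dot1Q (\d+)", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def audit(config):
    """Return plane-separation findings; an empty list means the checks pass."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        if cfg["ip"] is None:
            continue
        in_mgmt = cfg["ip"].ip in MGMT_NET
        if in_mgmt and cfg["vlan"] != MGMT_VLAN:
            findings.append(f"{name}: management IP {cfg['ip']} not tagged dot1Q {MGMT_VLAN}")
        if cfg["vlan"] == MGMT_VLAN and not in_mgmt:
            findings.append(f"{name}: dot1Q {MGMT_VLAN} interface holds non-management IP {cfg['ip']}")
    return findings

if __name__ == "__main__":
    print(audit(GOOD_CONFIG), audit(BAD_CONFIG))
```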
Key Takeaways
- The Catalyst SD‑WAN architecture separates responsibilities across four planes: Management (vManage), Orchestration (vBond/Validator), Control (vSmart), and Data (WAN Edge). Each plane must be reachable and secured for a healthy fabric.
- VPN0 (transport) and VPN512 (management) are reserved and must be configured to separate underlay and device management. Think of them as separate routing tables (VRFs) inside a single device.
- vBond/Validator often requires a publicly reachable IP (or 1:1 NAT) so WAN Edges can discover controllers and perform NAT traversal — this is why public addresses on orchestrators are common in production.
- SD‑WAN overlays use pairwise session keys, anti‑replay protections, and TLOC colors to provide secure, policy‑aware, multi‑transport forwarding; correct initial reachability and plane configuration are prerequisites for these features to work.
Important: This lesson focused on architecture and the initial interface/VRF setup and connectivity checks. In subsequent lessons you will configure certificate-based onboarding, OMP route exchange, and application-aware routing policies using the management plane.