Community Live FAQ- Cisco SD-WAN Policies: Leveraging the Full Power of Cisco SD-WAN



This event took place on Tuesday, March 24, 2020 at 10hrs PDT.


Event slides


Featured Experts

Daniel Dib is a Senior Network Architect at Conscia. He works with creating scalable, modular, and highly available network designs that meet business needs. He started out his career in the implementation and operations field. Daniel obtained his CCIE certification in 2012 and in May 2016 he became the second person in Sweden to get CCDE certified. Daniel has been recognized as a Cisco Designated VIP by the Cisco Learning Network. He often acts as a subject matter expert for his customers with deep expertise in routing, switching, multicast, and fast convergence. Daniel holds a CCIE Enterprise (#37149) and a CCDE (#20160011).

David Samuel Peñaloza Seijas works as a Senior Network Consulting Engineer at Verizon Enterprise Solutions in the Czech Republic. Previously, he worked as a Network Support Specialist in the IBM Client Innovation Center in the Czech Republic. David is an expert interested in all topics related to networks. However, he focuses mainly on data centers, enterprise networks, and network design, including software-defined networking (SDN). David has a long relationship with Cisco. He has been a Cisco Instructor for the Cisco Academy and was recognized as a Cisco Champion and a Cisco Designated VIP for 2017, 2018, 2019 and 2020. David holds CCNP R&S, CCDP, CCNA Security, CCNA CyberOps, and CCNA SP certifications. Currently, he is pursuing a CCDE.

You can download the slides of the presentation in PDF format here.


Live Questions

Q: Does Cisco SD-WAN policy support packet replication?

A: It does support FEC and packet duplication, yes.


Q: Is there a "tracker" feature you can use on a service side VPN?

A: No, only towards transport VPN (0).


Q: How would you implement a dynamic failover in a net service VPN?

A: You might use a routing protocol. It’s complicated to do everything dynamic if you can underline on something like IPS on a BSD probe. For the service router I would rather prefer to use routing if it is available and if it’s like a simple site you would normally like VR vpn on the server side and fail over locally if one of the devices is not available.


Q: Is destination NAT supported so the vEdge internet underlay can reach my inet fws in the data center?

A: You can find the answer at the Ask Me Anything event of this session here


Q: What are the limitations of using svi interface for service VPN?

A: Do you mean instead of a physical one? If that is the case, it should be based on throughput supported by the box.


Q: If we have 5 services, then we will have 5 VPN IDs?

A: It would be 5 service routes, each with its own label etc. Check BRKRST-2791 to see more details what it looks like.


Q: On the cEdge the DIA doesn't work ok, when the traffic is down for the biz-internet color, automating doesn’t commute for the MPLS canal. In which SD-WAN IOS that problem is ok?

A: You can find the answer at the Ask Me Anything event of this session here


Q: I am using DIA in ISR 4300 and 4400 and I need a way to delete this route and start using the default route, I am learning from the DC. Is there a workaround?

A: You can filter it out using a control policy. Nevertheless, we would need to know which specific default route you’re referring to.


Q: If there is a degraded traffic (latency, packet loss) on the Internet, can we move DIA traffic to SD-WAN (MPLS)?

A: It depends on your defined SLAs, you put the limit in the SLA class.


Q: To use the tracker and DIA, do you have to NAT?

A: I always do NAT, it will simply aim to an external service.


Q: I need to use a tracker in the DIA route in the cEdge, so if this internet link fails, it can use the MPLS tunnel to DC and start using internet from DC. Is there a workaround to solve this?

A: You can find the answer at the Ask Me Anything event of this session here


Q: About troubleshooting (Cisco vs Viptela) I meant i.e. ping, traceroute from vManage GUI?

A: CLI is actually faster - but the GUI provides the same info - it depends on your patience and which generation of engineer you are (I don’t like GUIs).
The capture works quite well!


Q: I have third party connections that still use SLAs for dynamic failover today. I’m looking for a way to use something like that within a service VPN, any recommendations?

A: I know IP SLA will support that soon, but I don’t know if it will be supported in the server VPNs rather than towards the transfer of VPN as we do with the tracker. 


Q: Every time I implement a new site, I only configure NAT on the secondary vEdge transport interface and the Tloc extension to the primary vEdge which has the MPLS. Any comments or feedback?

A: Whenever you implement a Tloc extension you’re simply allowing the other device to get access to your own transfer so in many cases, people will simply extend the being turn towards the MPLS and that even will be extending in the other way around. We would need more details to clarify what you’re looking for specifically.


Q: Can you please elaborate more on the 1:1 NAT Traversal function of vBond?

A: You can find the answer at the Ask Me Anything event of this session here


Q: What is the protocol used for communicating b/w vBond & vSmart?

A: TLS/DTLS, they do not form OMP sessions. That's only between vSmart and Edge devices.


Q: Is it just one central controller with all these components within it, or are these separate individual components?

A: It's three different VMs, so three separate ones.


Q: Can we also use web proxy traffic (WCCP) with the Service Route, and can we use it in the traffic so we optimize by WAAS?

A: I haven't seen any support for WCCP. I think support for WAAS is being added.


Q: In regards to the different type of topologies, is there a kind of dynamic on-demand site-to-site communication (like Cisco DMVPN) / or will this be supported (to limit the number of active tunnel between vEdges)?

A: Cisco SD-WAN does not have dynamic tunnels currently. By default, full mesh is formed. You can use policy to build Hub and Spoke or whatever topology you want.


Q: Can we use a primary DNS as public and a secondary DNS as private?

A: I think so. Haven't tried it myself. You can have a primary and secondary server. Not sure if it uses them like that or does round-robin style. You could probably add static entries as well if you need to.
Nevertheless, you might end up adding static entries indeed.


Q: Is fully automated On-Prem ZTP server supported yet? Or manual cert provisioning on Edges is needed?

A: It's supported for vEdge but not fully supported for cEdge yet. Also, keep in mind the specific interface for ZTP and that there should be a template created and assigned to that device before it is provisioned.


Q: Are there any SD-WAN policies best practices for different types of traffic (voice, video, data, browsing)? Like latency, packet loss, FEC. transport utilization... etc.

A: That depends, there is an example in the event slides. However, there's not a single answer. We can refer you to some documents if you wish so. 


Q: What resource do you recommend to do a SD-WAN lab and start playing with the solution?

A: Check here:


Q: If we have 2 vSmarts in the same region, by default which routes from which vSmart will be installed in the routing table?

A: Both vSmart's routes.


Q: Should the underlay networks have reachability to NTP and DNS servers to reach vBond, vManage and vSmart?

A: Yes. You should have DNS, could be Google DNS or whatever to look up hostnames towards vBond.


Q: Is it mandatory to consider vSmart to build SD-WAN architecture from the ground?

A: Yes, you need all of the controllers. Either cloud-hosted, which is the most common setup, or on-premises.


Q: Does vSmart maintain a separate table for service routes based on label and change the next hop for that traffic based on who owns that label?

A: It takes the original route and modifies the TLOC, that is next-hop, of the route and changes the label from VPN label to service label. You can refer to BRKRST-2791 for more details.


Q: Is there a way to use routes from 1 vSmart over another?

A: You can find the answer at the Ask Me Anything event of this session here


Q: Is there a tool included with this SD-WAN software for capturing and inspecting traffic for src/dst/ports etc.?

A: I am not sure what you can capture, though; it is encrypted.
vManage allows you to capture, though, from the controller itself. Visibility might be limited.


Q: How does the synchronization happen between vSmarts if we have vSmarts in different regions?

A: vManage will make sure they are synchronized.


Q: I'm checking the policy from-vSmart, I could not see any policy for that. Can you assist?

A: Firstly, you must have a policy created. The command is "show policy from-vsmart". If you are in vSmart, it is "Show running-config". If the policy is not defined and applied to a specific site (by matching site-ID), you will not see it anywhere.


Q: I wish you could show the config in here, but it can't be seen.

A: Please reach out over Twitter for further information! @davidsamuelps @danieldibswe


Q: In the svi template, it seems QoS is not supported. Any comments?

A: It's not supported in sub interfaces or virtual interfaces (As far as I know).


Q: You mentioned earlier that you may have scalability issues with full mesh depending on the model of router. Is there a doc showing the max tunnels each model supports?

A: In all honesty, I have not seen a specific tunnel count in Cisco's documentation. Datasheets are based on data throughput instead of tunnel count. But we can share some numbers we have seen in deployments.


Q: Does SD WAN device support session shares data paths between or against faulted tunnel? And, is it supported on a time based application policy?

A: It does support per-flow load sharing, they will be moved depending on the behavior observed with BFD probes.
There are buckets that represent units of time (in regards to BFD information), and those units of time are calculated in average.


Q: Is there a place where we can find the tunnel limits of the SDWAN routers?

A: In all honesty, I haven’t seen a specific tunnel count in Cisco's documentation. Datasheets are based on data throughput instead of tunnel count. I can share some numbers we have seen in deployments. If you require further details, please let us know via the Ask Me Anything of the session:


Q: I have two transports, MPLS and Internet, both transports underlay will need to be able to reach controllers. If I have controllers in data center, how can I have Internet underlay be able to connect to SD-WAN controllers in data center?

A: I'm unsure if this is on-premises or the cloud hosted or both, but something to be aware of is that each device will try to form control sessions over all transports, including private ones. If you have cloud hosted controllers, normally you won't be able to reach the controllers over the private path, so you may want to disable forming control connections over that transport, or you can provide connectivity towards the controllers over your MPLS transports. For example: by advertising a default route or the prefixes for the controllers into your underlay so that the other path, for instance, to your data center reaches the cloud hosted controllers.
I've done scenarios like that, it is not that complicated. You need to NAT the traffic because it's going to be coming from a private IP and you need to match the traffic before sending it towards internet, but it's possible to do it in that way or simply don't use the control connections over private transports. That depends if you've Internet available at the site.


Q: Is the CSR with SD-WAN code supported over GCP now? I know it was supported on Azure last year.

A: It should be in the roadmap, but I don't think it is supported yet. They had some issues with drivers and interfaces using GCP.


Q: If we have MPLS and Internet, do we need to specify public dns and private dns servers in vEdges?

A: Normally just DNS over the public transport. You can choose if you want to form control connections over MPLS or not. If you do, you need internet connectivity through MPLS.


Q: If traffic does not match anything in the policy, is it safe to assume it will be handled by a default policy?

A: It would either hit a default rule in the policy or no rule and just be forwarded according to routing.


Q: What is the difference between SDWAN / iWAN?

A: Ok so iWAN is what I used to configure 3-4 years ago, and it was based on DMVPN and standard routing protocols such as EIGRP and BGP, it was working in conjunction with PFR (performance routing) to perform similar actions that we do today with SD-WAN (path changes based on transport behavior/link statistics). The main difference is that iWAN wasn't designed from the start to have an orchestration and a management platform, which is the biggest advantage of the current solution: leveraging vManage the creation of templates and management, plus having these modes for distributing routes, policies and other information in the overlay.
I would definitely recommend going with Cisco SD-WAN and not iWAN.


Q: What if the next hop is a firewall that is doing the NAT?

A: That defies the purpose of the tracker.


Q: I have several sites with one MPLS and one Internet but I can't see any policy created for DIA, nevertheless, we still are able to access like O365

A: It could be only forwarded based on their destination, we would have to check the configuration.


Q: If there are multiple match categories in a Tloc or route control policy, all the match statements have to be satisfied before you can apply an action to that match?

A: You can match on one or several attributes. You have sequence numbers similar to a route-map.
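
An added example (not from the session or from Cisco's code) that models the sequence behaviour the answer compares to a route-map, assuming route-map semantics: sequences are evaluated in ascending number, every match attribute listed in a sequence must hold, and anything unmatched falls to the default action. The `Sequence` and `Policy` classes, the site IDs and the colors are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Sequence:
    number: int
    match: dict   # attribute name -> set of accepted values (hypothetical model)
    action: str   # "accept" or "reject"


@dataclass
class Policy:
    sequences: list
    default_action: str = "reject"


def evaluate(policy, route):
    """Return (action, sequence_number); sequence_number is None on default."""
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        # Route-map style: all listed attributes must match (logical AND).
        if all(route.get(attr) in allowed for attr, allowed in seq.match.items()):
            return seq.action, seq.number
    return policy.default_action, None


def fell_to_default(policy, routes):
    """List the routes no sequence matched, i.e. those the default action decided."""
    return [r for r in routes if evaluate(policy, r)[1] is None]


# Constructed sample policy; sequences are deliberately listed out of order.
HUB_ONLY = Policy(
    sequences=[
        Sequence(20, {"color": {"mpls"}}, "reject"),
        Sequence(10, {"site_id": {100}, "color": {"mpls", "biz-internet"}}, "accept"),
    ],
    default_action="reject",
)

# Constructed sample TLOC advertisements.
SAMPLE_TLOCS = [
    {"site_id": 100, "color": "mpls"},          # sequence 10 matches first
    {"site_id": 200, "color": "mpls"},          # only sequence 20 matches
    {"site_id": 200, "color": "biz-internet"},  # nothing matches
    {"site_id": 100, "color": "lte"},           # site matches, color does not
]

if __name__ == "__main__":
    for tloc in SAMPLE_TLOCS:
        print(tloc, evaluate(HUB_ONLY, tloc))
```

Reviewing which routes reach the default action is a quick way to confirm that a policy's implicit behaviour is the one intended.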


Q: For the Tloc policies are you assuming a vEdge device? Last year the "match" didn't work on cEdge

A: cEdge code has matured a lot. I have been able to use most policies now for cEdge.


Q: Does troubleshooting on the Cisco routers work similarly to the Viptela models?

A: It will take time to get feature parity - somebody wrote a list of commands:


Q: Is this available in Cisco VIRL? My company has not implemented this yet, but they will in future so I would like to be ready when they do so where we can learn more about SD-WAN. Any comments?

A: You can find the answer at the Ask Me Anything event of this session here


Q: Do you recommend the Meraki suite or Viptela acquisitions for site to site SD-WAN?

A: That depends on what you require in the site - Meraki is an all-in-one box solution, but it doesn’t go deep with routing features. And Cisco SD-WAN is the other way around.


Q: Is the actual orchestrator/central controller separated from all these components?

A: There are three main components used as controllers, vManage, vBond and vSmart. They all play an important role.


Q: How much detail is it possible to view about the TLOC component parameters/attributes?

A: Here you can find all components and attributes:



Rising star

Good Questions; Wonderful Answers; thanks for sharing!

Community Manager

Hi @Martin L 

Thanks for your feedback, it is kindly appreciated. We're glad this information is valuable and that the session details are useful.