This chapter covers Software-Defined Wide Area Networking (SD-WAN) concepts, a critical topic for the N10-009 exam. SD-WAN represents a paradigm shift from traditional WAN architectures, decoupling the control plane from the data plane to enable dynamic, application-aware routing over multiple transport links. Expect 2-3 exam questions on SD-WAN terminology, components, and benefits, often comparing it to traditional MPLS-based WANs. Mastering this chapter will help you identify SD-WAN's role in modern enterprise networks.
Imagine a national highway system where each road is owned by a different company (MPLS, broadband LTE, satellite). Traditionally, a company would lease a single, expensive express lane (MPLS) for all traffic, even if some cargo (like email backups) could use cheaper back roads. SD-WAN is like a GPS-enabled fleet management system. The central controller (orchestrator) knows the real-time condition of every road—congestion, toll costs, weather (latency, jitter, packet loss). It assigns each shipment (application flow) to the best route based on its priority: critical live video gets the express lane (low-latency MPLS), while software updates take the cheap gravel road (broadband). If the express lane gets a pothole (packet loss over 2%), the controller instantly reroutes the video to a secondary lane. The fleet manager (network admin) sets policies via a web dashboard, not by manually repaving roads. This dynamic, policy-driven routing is the essence of SD-WAN: centralized control with distributed, automated forwarding decisions based on real-time network conditions and application requirements.
What is SD-WAN and Why Does It Exist?
SD-WAN (Software-Defined Wide Area Network) is an architectural approach to WAN design that uses software-defined networking (SDN) principles to manage connectivity between branch offices, data centers, and cloud resources. Traditional WANs rely on dedicated MPLS circuits from a single carrier, with static routing and manual configuration. This model is expensive, inflexible, and poorly suited to cloud-centric traffic patterns. SD-WAN addresses these limitations by:
Abstracting the control plane from the underlying hardware, allowing centralized policy management.
Using multiple transport links simultaneously (e.g., MPLS, broadband, LTE) to increase bandwidth and resilience.
Applying application-aware routing based on real-time network conditions and business policies.
Automating provisioning and orchestration via a central controller or orchestrator.
How SD-WAN Works: The Control and Data Plane Separation
SD-WAN separates the WAN architecture into two planes:
Control Plane (Orchestration Plane): A centralized SD-WAN controller (or multiple controllers for redundancy) maintains a global view of the network topology, link states, and policies. It uses protocols like OMP (Overlay Management Protocol) or proprietary equivalents to distribute routing information and policies to edge devices. The controller does NOT forward user traffic; it only manages the overlay.
Data Plane (Forwarding Plane): SD-WAN edge devices (routers or virtual appliances) at each site perform packet forwarding based on rules received from the controller. They create encrypted tunnels (typically IPsec or DTLS) over each transport link, forming an overlay network. The edge devices monitor link quality (latency, jitter, packet loss) and enforce policies locally, even if connectivity to the controller is lost.
Key Components of SD-WAN
SD-WAN Edge (CPE): Physical or virtual device at the branch or data center that terminates overlay tunnels and applies policies. Examples: Cisco vEdge, Viptela, VMware SD-WAN Edge, Fortinet FortiGate.
SD-WAN Controller (Orchestrator): Centralized management system that provides a single pane of glass for configuration, monitoring, and policy management. It pushes configurations to edges and collects telemetry.
SD-WAN Gateway (Optional): Acts as a hub in hub-and-spoke topologies, aggregating traffic from multiple branches. Some architectures use gateways for interconnecting with cloud providers (e.g., AWS Transit Gateway integration).
Overlay Tunnels: Encrypted tunnels (IPsec with IKEv2, DTLS) between edges. Each tunnel is associated with a specific transport link (e.g., MPLS, broadband). The overlay uses a private IP addressing scheme (e.g., TLOC in Cisco SD-WAN).
Application Visibility & Policy Engine: Deep Packet Inspection (DPI) identifies applications (e.g., Office 365, Zoom, SAP). Policies define how each application is treated: priority, SLA requirements, and failover behavior.
Default Timers and Values
While SD-WAN implementations vary, common defaults include:
Link Health Check Interval: 10-20 seconds (e.g., Cisco SD-WAN uses 10-second keepalives).
Failover Trigger Thresholds: Latency > 150ms, Jitter > 30ms, Packet Loss > 2% (typical SLA thresholds).
Control Plane Keepalive: OMP hello interval is 10 seconds, dead timer 30 seconds.
Tunnel Rekey Interval: IPsec SA rekey every 86400 seconds (24 hours) or after 4.5 GB of traffic.
Configuration Example (Cisco SD-WAN vManage CLI)
# Configure a transport interface on an edge device (simplified for illustration)
vpn 0
 interface ge0/0
  ip address 10.1.1.1/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  exit
 exit
# Define a policy for voice traffic (simplified to show the match/action concept;
# not verbatim vEdge policy syntax)
policy
 voice-traffic
  match application voice
  action accept
   set
    sla-class gold
    preferred-color mpls
 exit
exit
Interaction with Related Technologies
MPLS: SD-WAN often uses MPLS as one of multiple transport links. SD-WAN adds dynamic load balancing and failover across MPLS and broadband, something MPLS alone cannot do.
IPsec: Almost all SD-WAN solutions encrypt traffic between sites using IPsec (IKEv2) or DTLS. This is mandatory for security over untrusted links (broadband).
BGP: SD-WAN can integrate with existing BGP routing. In some architectures, the SD-WAN overlay runs OMP (a proprietary protocol) internally but can redistribute routes into BGP for interconnecting with MPLS VPNs.
QoS: SD-WAN policies often map to QoS markings (DSCP) for prioritization on the underlay. The edge device can remark DSCP values based on application.
Cloud Connectivity: SD-WAN controllers often have direct integrations with cloud providers (AWS, Azure, GCP) to spin up virtual edges in cloud VPCs, enabling secure cloud connectivity without a VPN concentrator.
Underlay vs. Overlay
Underlay: The physical network (MPLS, broadband, LTE) that transports packets. SD-WAN does not control the underlay; it monitors its performance.
Overlay: The logical network of encrypted tunnels between SD-WAN edges. The overlay provides a virtual topology that is independent of the underlay. The controller manages the overlay, while the underlay is transparent to applications.
Traffic Steering and Load Balancing
SD-WAN uses per-flow load balancing based on policies. For example:
Voice traffic is pinned to the MPLS link with the lowest latency.
Office 365 traffic is load-balanced across all available links to maximize throughput.
Backup traffic is sent only over low-cost broadband.
When a link degrades beyond SLA thresholds, the edge device dynamically moves flows to another link without dropping sessions (if stateful inspection is maintained). For critical flows, some implementations additionally apply forward error correction (FEC) or packet duplication across links to mask loss on a degraded path.
Zero-Touch Provisioning (ZTP)
SD-WAN edge devices can be shipped to a branch with just power and internet connectivity. On first boot, the device contacts the controller (via a pre-configured URL or DHCP option) and downloads its configuration. This eliminates the need for on-site IT staff during deployment.
Security Features
SD-WAN often includes:
Full encryption of all inter-site traffic (IPsec).
Stateful firewall on the edge device.
Application filtering (block or allow specific apps).
Integration with cloud-based security (e.g., Zscaler, Palo Alto Prisma) for secure web gateway (SWG) and CASB.
SD-WAN vs. Traditional WAN: A Quick Comparison
| Feature | Traditional WAN | SD-WAN |
|---------|----------------|--------|
| Transport | Single MPLS circuit | Multiple links (MPLS, broadband, LTE) |
| Routing | Static or BGP | Dynamic, policy-based, application-aware |
| Provisioning | Manual CLI per device | Centralized, automated via controller |
| Cost | High per Mbps | Lower cost using broadband |
| Resilience | Active/passive failover | Active/active with load balancing |
| Cloud Optimization | Poor (hairpin through data center) | Direct cloud access from branch |
The SD-WAN Market
Major vendors include: Cisco (Viptela, Meraki), VMware (Velocloud), Fortinet, Silver Peak (Aruba), Versa Networks, and Palo Alto Networks (CloudGenix). The exam does not require vendor-specific knowledge but may test general concepts that apply across implementations.
Protocols in SD-WAN
OMP (Overlay Management Protocol): Cisco proprietary; used between vEdge and vSmart controller to exchange routes, TLOCs, and policies. OMP runs over DTLS or TLS on port 12346.
DTLS: Datagram Transport Layer Security; used for control plane encryption in some SD-WAN solutions.
IPsec IKEv2: Standard for data plane encryption.
BGP: Can be used for route redistribution between SD-WAN overlay and underlay.
NETCONF/YANG: Used for programmatic configuration of SD-WAN devices.
Deployment Models
Hub-and-Spoke: All branch traffic goes through a data center hub. Simple but creates a bottleneck.
Full Mesh: Every site connects directly; best performance but more tunnels.
Partial Mesh / Hybrid: Some sites are hubs, others are spokes; common in large enterprises.
Cloud-First: Direct branch-to-cloud connectivity without backhauling through a data center.
Monitoring and Troubleshooting
Controller Dashboard: Shows real-time link quality, application usage, and policy violations.
Flow Records: SD-WAN edges export flow data (like NetFlow) to the controller for analysis.
Troubleshooting Commands:
 show omp routes
 show ipsec tunnels
 show app-route statistics
 show sdwan policy
SLA Measurement
SD-WAN edges continuously probe each tunnel using synthetic traffic (e.g., ICMP echo, UDP jitter). The probes measure:
Latency: Round-trip time in milliseconds.
Jitter: Variation in latency.
Packet Loss: Percentage of lost probes.
These measurements are reported to the controller and used to enforce SLA policies.
The Role of the Controller in Failure Scenarios
If the controller fails, the edges continue to forward traffic using the last known policies and routing tables. They cannot receive new policies or topology updates until the controller is restored. However, local link failover decisions (based on SLA monitoring) still function because edges monitor links independently.
SD-WAN and Cloud Services
SD-WAN optimizes cloud access by:
Direct internet breakout (DIA): Branch traffic destined for the internet (e.g., Office 365) exits locally instead of being backhauled to a data center.
Cloud on-ramp: SD-WAN controllers can automatically create tunnels to cloud provider virtual networks (AWS VPC, Azure VNet).
SaaS optimization: Policies can route traffic from specific SaaS applications through a cloud security service (e.g., Zscaler).
SD-WAN and MPLS: Complementary, Not Replacement
Despite claims, SD-WAN does not always replace MPLS. Many enterprises keep a low-bandwidth MPLS link for critical voice and real-time traffic while using broadband for bulk data. SD-WAN provides the intelligence to use both efficiently.
Deploy SD-WAN Edge Devices
The first step is physically or virtually deploying SD-WAN edge devices at each site. These can be hardware appliances (e.g., Cisco vEdge 1000 series) or virtual machines (vEdge Cloud) running on hypervisors. The edge device must have at least one WAN interface connected to a transport link (e.g., broadband). In Zero-Touch Provisioning (ZTP), the device boots up, obtains an IP address via DHCP, and contacts a pre-configured URL to download its initial configuration from the controller. Alternatively, a USB key with configuration can be used. The controller then pushes the full configuration, including tunnel parameters and policies.
Establish Overlay Tunnels
Once the edge devices have connectivity, they establish encrypted tunnels (IPsec or DTLS) to each other based on the topology defined in the controller. For example, in a hub-and-spoke topology, each spoke edge creates a tunnel to the hub edge. The tunnel endpoints are identified by TLOCs (Transport Locators) in Cisco SD-WAN. The control plane (OMP) runs over a separate DTLS tunnel to the controller. The edge devices exchange their TLOC and route information via OMP. The controller facilitates the initial exchange but does not forward data. Each tunnel is associated with a specific transport link (color) such as mpls, public-internet, or lte.
Define Application-Aware Policies
The network administrator defines policies via the controller's web interface or API. Policies specify how different applications should be treated. For instance, a policy might state: 'Voice traffic must use the MPLS link unless latency exceeds 150ms, then failover to broadband.' The controller pushes these policies to all edge devices. Policies include match criteria (application, source/destination IP, DSCP) and actions (set SLA class, preferred color, backup color). The controller also distributes routing information (OMP routes) to all edges, which includes the TLOC reachability and associated transport link metrics.
Monitor Link Quality Continuously
Each SD-WAN edge device continuously monitors the quality of each transport link by sending synthetic probes (e.g., ICMP echo, UDP jitter) every 10-20 seconds. The probes measure latency, jitter, and packet loss. These metrics are reported to the controller and stored locally. The edge device maintains a real-time database of link performance. If a link degrades below the configured SLA thresholds (e.g., latency > 150ms, loss > 2%), the edge device marks that link as 'degraded' and triggers a re-evaluation of active flows. The controller can also use this data to recompute optimal paths.
Steer Traffic Based on Policies
When a new flow arrives at the edge device (e.g., a VoIP call), the edge performs deep packet inspection (DPI) to identify the application. It then applies the matching policy. For example, if the policy specifies 'voice traffic should use MPLS with backup broadband,' the edge device selects the tunnel that goes over the MPLS link. If the MPLS link is healthy, the flow is sent there. If the MPLS link is degraded, the edge device selects the broadband tunnel. The edge device maintains a flow table to ensure stateful forwarding. For existing flows, if a link degrades, the edge can seamlessly move the flow to another link (if the application supports it) or use packet duplication for critical flows.
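The monitoring and steering steps above (and the SLA Measurement section) describe an algorithm rather than showing one. The following is an added example, not vendor code: it computes latency, jitter and loss from constructed probe samples, applies the chapter's typical gold-class thresholds, and picks a transport color with a recovery margin so a link at the SLA edge does not flap back immediately (the problem noted in Scenario 1). All class and policy names are assumptions.

```python
# Added example (not vendor code): SLA probing and application-aware path
# selection as described above; names, thresholds and samples are constructed.
from dataclasses import dataclass
from statistics import mean

@dataclass
class SlaClass:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass
class Tunnel:
    color: str                    # transport label, e.g. "mpls"
    rtt_ms: list                  # recent probe RTTs in ms; None = probe lost
    degraded: bool = False        # sticky state so a link does not flap

    def latency(self) -> float:
        ok = [s for s in self.rtt_ms if s is not None]
        return mean(ok) if ok else float("inf")

    def jitter(self) -> float:
        # mean absolute change between consecutive successful probes
        ok = [s for s in self.rtt_ms if s is not None]
        return mean(abs(b - a) for a, b in zip(ok, ok[1:])) if len(ok) > 1 else 0.0

    def loss_pct(self) -> float:
        return 100.0 * self.rtt_ms.count(None) / len(self.rtt_ms)

    def within(self, sla: SlaClass, margin: float = 0.0) -> bool:
        # margin shrinks every threshold: a degraded tunnel must be comfortably
        # inside the SLA before it is trusted again (hysteresis against flapping)
        f = 1.0 - margin
        return (self.latency() <= sla.max_latency_ms * f
                and self.jitter() <= sla.max_jitter_ms * f
                and self.loss_pct() <= sla.max_loss_pct * f)

    def update(self, sla: SlaClass, recover_margin: float = 0.2) -> bool:
        if not self.degraded and not self.within(sla):
            self.degraded = True
        elif self.degraded and self.within(sla, recover_margin):
            self.degraded = False
        return self.degraded

@dataclass
class AppRoutePolicy:
    app: str
    sla: SlaClass
    preferred: list   # colors tried first
    backup: list      # colors tried when every preferred color is out of SLA

def select_color(policy: AppRoutePolicy, tunnels: list):
    """Color for a new flow: a preferred color in SLA, else a backup color in
    SLA, else best effort on the least-lossy preferred color (no blackholing)."""
    by_color = {t.color: t for t in tunnels}
    for t in tunnels:
        t.update(policy.sla)
    for group in (policy.preferred, policy.backup):
        for color in group:
            t = by_color.get(color)
            if t is not None and not t.degraded:
                return color
    fallback = [by_color[c] for c in policy.preferred if c in by_color]
    return min(fallback, key=lambda t: t.loss_pct()).color if fallback else None

GOLD = SlaClass("gold", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=2)
VOICE = AppRoutePolicy("voice", GOLD, preferred=["mpls"], backup=["public-internet"])

def demo() -> list:
    # walk the MPLS link through healthy -> degraded -> recovering -> healthy
    mpls = Tunnel("mpls", [20.0] * 50)
    inet = Tunnel("public-internet", [40.0, 45.0] * 25)
    out = [select_color(VOICE, [mpls, inet])]        # healthy: mpls
    mpls.rtt_ms = [20.0] * 45 + [None] * 5           # 10% loss: degraded
    out.append(select_color(VOICE, [mpls, inet]))    # -> public-internet
    mpls.rtt_ms = [20.0] * 49 + [None]               # 2% loss is at the SLA edge,
    out.append(select_color(VOICE, [mpls, inet]))    # not past the recovery margin
    mpls.rtt_ms = [20.0] * 50                        # clean again
    out.append(select_color(VOICE, [mpls, inet]))    # -> mpls
    return out
```

Running demo() returns ["mpls", "public-internet", "public-internet", "mpls"]: the third decision shows why a link that has only just crept back inside its threshold should not be trusted immediately.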
Scenario 1: Retail Chain with 500 Branches
A national retailer had 500 stores each connected via a single MPLS circuit (T1 or Ethernet) back to the data center. As the company adopted cloud-based POS systems and Office 365, the MPLS links became congested, and backhauling internet traffic caused poor performance. They deployed SD-WAN (VMware Velocloud) with dual WAN links at each store: a primary MPLS (10 Mbps) and a secondary broadband (50 Mbps). Policies were set to route real-time credit card processing over MPLS (low latency) and bulk inventory sync over broadband. Direct Internet Breakout (DIB) was enabled for Office 365, allowing branch users to access the cloud directly. The result: 40% cost savings by reducing MPLS bandwidth, improved Office 365 performance, and centralized management via the cloud-based orchestrator. A common misconfiguration was setting the SLA thresholds too low (e.g., 10ms latency), causing constant flapping between links. Best practice is to set thresholds based on business tolerance, typically 100-150ms latency and 1-2% loss.
Scenario 2: Global Enterprise with Cloud Migration
A multinational company with data centers in NY, London, and Singapore was migrating workloads to AWS and Azure. Traditional MPLS was expensive and slow to provision for cloud connectivity. They deployed Cisco SD-WAN with virtual edges in each cloud VPC. The SD-WAN controller (vManage) was hosted in AWS. Policies directed traffic between data centers and cloud VPCs over encrypted tunnels, with dynamic failover. For example, traffic from London to AWS Ireland used the lowest-latency path (MPLS or broadband). The controller provided a single dashboard for monitoring all sites and cloud endpoints. A challenge was integrating with existing BGP routing from the MPLS provider; they used route redistribution between OMP and BGP. The key takeaway: SD-WAN enables a 'cloud-first' WAN where branches connect directly to cloud providers without backhauling through a data center.
Scenario 3: Healthcare with Strict Compliance
A hospital network needed to connect clinics while ensuring HIPAA compliance and high availability for telemedicine. They used Fortinet SD-WAN with built-in Next-Generation Firewall (NGFW) and IPS. Each clinic had dual 4G LTE and broadband links. Policies ensured that all patient data (EHR) was encrypted end-to-end and routed over the most reliable link (LTE). Telemedicine video traffic was duplicated across both links for zero packet loss. The SD-WAN controller provided compliance reports showing encryption status and link utilization. A frequent problem was that LTE data caps were exceeded because backup traffic was not prioritized; they implemented policy to send large file transfers only over broadband. This scenario highlights how SD-WAN can enforce security policies while optimizing for application needs.
What N10-009 Tests on SD-WAN
The CompTIA Network+ N10-009 exam objectives (Domain 1.6) cover SD-WAN concepts, including its benefits, components, and use cases. Specific areas tested:
- Benefits: Lower cost, increased bandwidth, improved resilience, application-aware routing, centralized management, cloud optimization.
- Components: Edge devices, controller/orchestrator, overlay tunnels, IPsec encryption.
- Comparison to traditional WAN: MPLS vs. SD-WAN, static vs. dynamic routing.
- Deployment scenarios: Hub-and-spoke, full mesh, cloud on-ramp.
- Traffic steering: Policy-based routing based on application and link quality.
Common Wrong Answers and Traps
'SD-WAN replaces MPLS completely.' This is false. SD-WAN can incorporate MPLS as one of many transport links. Many enterprises keep MPLS for critical traffic while using broadband for less sensitive data.
'SD-WAN is only for large enterprises.' While enterprise-focused, SD-WAN is also used in SMBs with virtual edges and broadband links.
'SD-WAN requires a dedicated controller for every site.' The controller is centralized; edges operate independently if the controller fails.
'SD-WAN eliminates the need for firewalls.' SD-WAN often includes firewall capabilities, but dedicated security appliances may still be needed.
Specific Numbers and Terms to Memorize
SLA thresholds: Typical values: latency 150ms, jitter 30ms, packet loss 2%.
Tunnel encryption: IPsec with IKEv2 or DTLS.
Control plane protocol: OMP (Overlay Management Protocol) in Cisco SD-WAN.
Transport labels: TLOC (Transport Locator) identifies a tunnel endpoint.
Zero-Touch Provisioning (ZTP): Automated deployment without on-site IT.
Direct Internet Access (DIA): Branch traffic exits locally to the internet.
Edge Cases and Exceptions
Controller failure: Edges continue forwarding but cannot receive new policies. Local failover still works.
Loss of all transport links: If all WAN links fail, the branch is isolated. SD-WAN cannot create connectivity out of nothing.
Asymmetric routing: SD-WAN policies must ensure return traffic follows the same path; stateful firewalls may drop asymmetric flows.
Cloud integration: SD-WAN can connect to cloud VPCs but requires a virtual edge instance in the cloud.
How to Eliminate Wrong Answers
If an answer mentions 'replacing MPLS' or 'eliminating all dedicated circuits,' it is likely wrong.
If an answer says 'SD-WAN is only for cloud connectivity,' it is too narrow.
If an answer claims 'SD-WAN does not use encryption,' it is false; encryption is a core feature.
Look for keywords: 'application-aware,' 'multiple transport links,' 'centralized management,' 'cost reduction.'
SD-WAN decouples the control plane from the data plane, enabling centralized policy management and dynamic routing.
SD-WAN uses multiple transport links (MPLS, broadband, LTE) simultaneously to increase bandwidth and resilience.
Application-aware routing steers traffic based on real-time link quality (latency, jitter, packet loss) and business policies.
All inter-site traffic is encrypted using IPsec or DTLS, even over MPLS.
Zero-Touch Provisioning (ZTP) allows plug-and-play deployment of edge devices without on-site IT.
Common SLA thresholds: latency 150ms, jitter 30ms, packet loss 2%.
Direct Internet Access (DIA) allows branch users to access cloud services without backhauling through a data center.
SD-WAN does not eliminate MPLS but often reduces its use; MPLS can be one of many transport links.
These come up on the exam all the time. Here's how to tell them apart.
SD-WAN
Supports multiple transport links (MPLS, broadband, LTE) simultaneously.
Centralized management via a controller with policy-based automation.
Application-aware routing with dynamic failover based on real-time link quality.
Lower cost per Mbps by leveraging inexpensive broadband links.
Optimized cloud access with direct internet breakout and cloud on-ramp.
Traditional WAN (MPLS)
Typically uses a single MPLS circuit from one carrier.
Manual configuration per device using CLI or individual management tools.
Static routing or BGP with limited traffic engineering; failover is often slow (active/passive).
Higher cost per Mbps; dedicated circuits are expensive.
Cloud traffic must backhaul through a data center, increasing latency.
Hub-and-Spoke SD-WAN
Simpler to configure; all branches connect to a central hub (data center or cloud).
Lower tunnel count (N tunnels for N spokes).
Potential bottleneck at the hub; all traffic traverses the hub.
Easier to enforce security policies at the hub.
Common for small to medium deployments.
Full Mesh SD-WAN
Every site connects directly to every other site.
Higher tunnel count (N*(N-1)/2 tunnels).
No single point of failure; optimal path between any two sites.
More complex configuration and management.
Better for large deployments with high inter-site traffic.
Mistake
SD-WAN completely replaces MPLS.
Correct
SD-WAN can use MPLS as one of multiple transport links. It does not eliminate MPLS but often reduces reliance on it by adding broadband and LTE.
Mistake
SD-WAN requires a dedicated controller at each site.
Correct
The controller is centralized (on-prem or cloud). Edge devices operate autonomously and only need periodic contact with the controller for policy updates.
Mistake
SD-WAN is only for large enterprises with hundreds of branches.
Correct
SD-WAN is scalable and can be deployed in small businesses with just two sites using virtual edges or low-cost appliances.
Mistake
SD-WAN does not use encryption because it relies on MPLS which is already secure.
Correct
SD-WAN encrypts all traffic over any transport link, including MPLS, using IPsec or DTLS to ensure end-to-end security.
Mistake
SD-WAN eliminates the need for a firewall.
Correct
While many SD-WAN solutions include basic firewall capabilities, a dedicated next-generation firewall may still be required for advanced threat protection and compliance.
SD-WAN is a software-defined overlay that can use multiple transport links (including MPLS) to connect sites. MPLS is a dedicated circuit technology that provides guaranteed performance but at higher cost. SD-WAN adds application-aware routing, centralized management, and dynamic failover, while MPLS alone is static and expensive. The exam expects you to know that SD-WAN can incorporate MPLS, not replace it.
Yes, SD-WAN typically uses a centralized controller (or orchestrator) to manage policies, distribute routing information, and monitor the network. However, the controller is not in the data path; edge devices forward traffic locally. If the controller fails, edges continue to operate using the last known configuration. The exam may ask about the role of the controller in SD-WAN architecture.
Key benefits include: lower cost by using broadband links, increased bandwidth by aggregating multiple links, improved resilience with active/active failover, application-aware routing for better performance, centralized management, and optimized cloud connectivity. The exam often lists these as multiple-choice options.
Yes, SD-WAN encrypts all traffic between sites using IPsec or DTLS. Many solutions also include stateful firewall, application filtering, and integration with cloud security services. However, SD-WAN does not replace a dedicated firewall for advanced threat protection. The exam may test that encryption is a core feature of SD-WAN.
ZTP allows an SD-WAN edge device to be shipped to a remote site, plugged in, and automatically configured without on-site IT. The device contacts a central controller to download its configuration. This reduces deployment time and errors. The exam might ask about ZTP as a benefit of SD-WAN.
SD-WAN edge devices continuously monitor link quality using synthetic probes. If a link degrades below configured SLA thresholds (e.g., latency > 150ms), the edge device dynamically reroutes flows to another healthy link. This failover is typically sub-second and does not drop sessions if stateful inspection is enabled. The exam may ask about SLA thresholds and failover behavior.
DIA allows branch users to access the internet directly from the branch, rather than backhauling traffic through a data center. This reduces latency and bandwidth costs for cloud and SaaS applications. The exam may present DIA as a feature that optimizes cloud connectivity.