ⓘ Accuracy Disclaimer
Technical content in this article was researched and compiled with AI assistance under the direct supervision of the author. While every effort has been made to ensure accuracy, errors may still be present. If you spot an inaccuracy or have a correction, the author welcomes feedback — please reach out at github@it-solutionsusa.com or open an issue at github.com/ikonstas70.
Topology Diagram
+------------------+
| vBond |
| 10.10.0.100 |
+--------+---------+
|
+--------+---------+
| vSmart |
| 10.10.0.101 |
+--------+---------+
|
+--------+---------+
| vManage |
| 10.10.0.102 |
+--------+---------+
|
+--------------------+--------------------+
| | |
+-----+------+ +------+-----+ +-------+----+
| CSR-Hub | | CSR-Branch1| | CSR-Branch2|
| Site 100 | | Site 101 | | Site 102 |
+------------+ +------------+ +------------+
Transport 1 (ISP-A): 10.10.0.0/24
Transport 2 (ISP-B): 10.20.0.0/24
Each edge router has two WAN interfaces — one per transport —
to exercise SD-WAN path selection and failover between ISP-A and ISP-B.
IP Addressing
Transport Layer (VPN 0)
| Device | ISP-A Gig0/0 | ISP-B Gig0/2 |
|---|
| CSR-Hub | 10.10.0.1/24 | 10.20.0.1/24 |
| CSR-Branch1 | 10.10.0.11/24 | 10.20.0.11/24 |
| CSR-Branch2 | 10.10.0.21/24 | 10.20.0.21/24 |
LAN Layer (VPN 1)
| Device | Interface | IP Address |
|---|
| CSR-Hub | Gig0/1 | 192.168.1.1/24 |
| CSR-Branch1 | Gig0/1 | 192.168.2.1/24 |
| CSR-Branch2 | Gig0/1 | 192.168.3.1/24 |
Controllers
| Device | IP | Role |
|---|
| vBond | 10.10.0.100 | Orchestrator — device onboarding |
| vSmart | 10.10.0.101 | Controller — policy distribution |
| vManage | 10.10.0.102 | Manager — config and monitoring |
Underlay Configuration (OSPF — VPN 0 Transport Only)
Underlay OSPF covers transport interfaces only. LAN subnets (VPN 1) are distributed across the SD-WAN overlay by vSmart — do not include them in underlay OSPF.
CSR-Hub
router ospf 1
router-id 1.1.1.1
network 10.10.0.0 0.0.0.255 area 0
network 10.20.0.0 0.0.0.255 area 0
CSR-Branch1
router ospf 1
router-id 2.2.2.2
network 10.10.0.0 0.0.0.255 area 0
network 10.20.0.0 0.0.0.255 area 0
CSR-Branch2
router ospf 1
router-id 3.3.3.3
network 10.10.0.0 0.0.0.255 area 0
network 10.20.0.0 0.0.0.255 area 0
Overlay SD-WAN Configuration Steps
- Onboard devices in vManage using device certificates (ZTP or manual)
- Configure TLOCs — assign a color per transport: Gig0/0 (ISP-A) →
public-internet, Gig0/2 (ISP-B) → biz-internet
- Assign VPNs: VPN 0 — Transport, VPN 1 — LAN/enterprise
- Apply Control policies via vSmart — route propagation, VPN membership
- Apply Data policies — SLA-based path selection, QoS DSCP marking
- Verify:
show sdwan control connections
show sdwan bfd sessions
show sdwan ipsec statistics
vManage Device Template Fields
| Field | CSR-Hub | CSR-Branch1 | CSR-Branch2 |
|---|
| System IP | 1.1.1.1 | 2.2.2.2 | 3.3.3.3 |
| Site ID | 100 | 101 | 102 |
| WAN Interface 1 | Gig0/0 | Gig0/0 | Gig0/0 |
| TLOC Color 1 | public-internet | public-internet | public-internet |
| WAN Interface 2 | Gig0/2 | Gig0/2 | Gig0/2 |
| TLOC Color 2 | biz-internet | biz-internet | biz-internet |
| VPN IDs | 0, 1 | 0, 1 | 0, 1 |
| QoS Policy | DSCP EF for VoIP | same | same |
Failover Testing
# Ping across the overlay
ping 192.168.2.1 source 192.168.1.1
ping 192.168.3.1 source 192.168.1.1
# Verify TLOCs and BFD
show sdwan tloc
show sdwan bfd sessions
show sdwan control connections
# Simulate WAN failover — shut ISP-A on CSR-Branch1
interface GigabitEthernet0/0
shutdown
# Verify SD-WAN switches to ISP-B automatically
show sdwan bfd sessions
show sdwan tunnel statistics
# Restore and confirm failback
interface GigabitEthernet0/0
no shutdown
Prerequisites
- Licensed CSR1000v v17.03.03 images (Cisco DevNet Sandbox or direct download)
- vManage, vSmart, vBond OVA/QCOW2 images (Cisco SD-WAN controller bundle)
- GNS3 2.x, EVE-NG Pro, or CML 2.x
- Minimum 32 GB RAM for full controller + 3-edge topology