[Part 7] Cisco SDWAN - Control Plane Operations - OMP

Control Plane Operation & Overlay Management Protocol Explanation


6 min read

[Part 7] Cisco SDWAN - Control Plane Operations - OMP


As discussed in the previous part "Cisco SDWAN Planes", The control plane in Cisco SD-WAN is responsible for establishing and maintaining logical connectivity and intelligence across the network. It encompasses the control plane protocols and functions that enable the exchange of routing information and the orchestration of data traffic flow.

In this article, we will be on the SD-WAN control plane and how OMP facilitates building the control plane.

Control Plane Operations

In the Cisco SD-WAN solution, the Overlay Management Protocol (OMP) is used to manage control plane operations. OMP enables a secure and scalable framework that works across various types of transport, including private options like MPLS, Layer 2 VPNs, and point-to-point networks, as well as public connectivity methods like the Internet and LTE.

The vSmart controller is responsible for handling the control plane. It ensures a scalable control plane infrastructure and distributes policy information to the WAN Edges.

To better understand its role, the vSmart controller can be compared to a BGP route reflector. It receives routing and topology information from the clients, performs calculations based on configured policies to determine the best paths, and then advertises these results to the WAN Edges, which act as route reflector clients.

In traditional networks, the control plane's primary focus was on managing how data flows within the network. This involved receiving routing updates, performing operations to determine the best paths, and using this information to populate forwarding tables.

However, configuring security using these protocols was often complex and time-consuming. It typically required manual effort and often resulted in network downtime during the transition to security mechanisms.

Security is a fundamental aspect of the Cisco SD-WAN solution. To ensure secure communication, the control plane tunnels in the SD-WAN overlay are encrypted and authenticated using Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS). In the SD-WAN overlay, all personas including vBond, vSmart, WAN Edges, and vManage maintain DTLS/TLS connections.

This ensures that all routing updates are validated and trusted to prevent the processing of any malicious routing information.

Figure 2. Cisco SDWAN Control Plane DTLS-TLS secure connections to protect OMP

These connections are established using SSL certificates. Each component in the network authenticates the other end and creates a one-way tunnel. During the negotiation process, devices validate that the received certificate is signed by a trusted root Certificate Authority (CA) and has a valid serial number with a matching organization name. This ensures the authenticity and integrity of the communication. You can refer to the above illustration of a tunnel between a WAN Edge and vSmart controller.

The default protocol for communication is DTLS (Datagram Transport Layer Security).

DTLS communication takes place over UDP port 12346. It is recommended to keep this port open for communication between vBond and all WAN Edges.
Additionally, TLS (Transport Layer Security) is also supported if specific requirements demand it. It's important to note that TLS operates using the TCP protocol and is therefore stateful.

The vSmart and vManage components are deployed as virtual machines capable of supporting multiple cores, up to a maximum of eight cores. Each core is associated with a base port. When inbound DTLS/TLS connections are established, they initially target port 12346.
You can refer to the below figure of a DTLS Tunnel Authentication between vSmart and vBond.

Once the control plane tunnels are established, various protocols can utilize these secure sessions. In addition to OMP (Overlay Management Protocol), protocols like Simple Network Management Protocol (SNMP) and Netconf can also leverage these secure channels. By utilizing the established DTLS/TLS tunnels, we no longer need to worry about the individual security implementations of these protocols or any vulnerabilities they may have.

Overlay Management Protocol (OMP)

In the Cisco SD-WAN solution, the Overlay Management Protocol (OMP) serves as the routing protocol. However, OMP goes beyond just routing and provides several essential services within the control plane:

  • Facilitation of network communication: OMP enables data plane connectivity between sites in the SD-WAN fabric, including service chaining and multi-VPN topology information.

  • Distribution of data plane security information: OMP handles the distribution of encryption keys, ensuring secure communication within the fabric.

  • Best-path selection and routing policy advertisement: OMP determines the optimal paths for data traffic and communicates routing policies across the network.

Read more: Cisco SDWAN vSmart Controllers

OMP is enabled by default in the SD-WAN solution and does not require explicit activation. As components in the fabric become aware of their control elements, they automatically establish control connections. This allows for reachability and orchestration of the network topology.

OMP is designed to interact with legacy routing protocols, including static routes and traditional interior gateway protocols such as OSPF, BGP, and EIGRP. However, unlike traditional IGPs, OMP peering occurs only between the WAN Edges and the vSmart controller(s). This peering model resembles the operation of a BGP route reflector within an Internal Border Gateway Protocol (IBGP) domain. This approach is beneficial for scalability, as it reduces CPU load on data plane devices by minimizing excessive routing updates and best-path recalculations.

OMP Graceful Restart

OMP in the Cisco SD-WAN solution also supports graceful restart functionality. Graceful restart allows WAN Edges to cache forwarding information in case they lose connectivity to the vSmart controllers. In such situations, the WAN Edge will continue using the last received routing information to maintain proper forwarding.

By default, graceful restart is enabled on both vSmart controllers and WAN Edge routers, with a default timer set to 12 hours. This timer can be adjusted within a range of 1 second to 7 days.

It's important to ensure that a valid IPsec encryption key is available during the entire graceful restart period. Otherwise, there is a risk of data plane tunnels being terminated when the graceful timer expires. To prevent IPsec rekey while OMP is down, it is recommended to set the IPsec rekey timer to twice the value of the graceful restart timer as a best practice.


The configuration of the graceful restart timer can be done through vManage using a CLI template or an OMP feature template. Further details on feature templates will be discussed in the next parts.

When a peering session with the vSmart controller becomes unavailable, the WAN Edge continuously tries to re-establish the connection. However, if the WAN Edge is reloaded, the cached information is lost.

In such cases, the WAN Edge will need to establish a new OMP session with the vSmart controller and receive updated forwarding information before it can resume forwarding traffic on the SD-WAN fabric.

Cisco SDWAN Type of Routes Overview

OMP in the Cisco SD-WAN solution is responsible for advertising different types of routes between the vSmart controllers and WAN Edge routers. These routes include:

  1. OMP routes (vRoutes): These routes represent network prefixes that enable connectivity services for data centers, branch offices, or any other endpoint within the SD-WAN fabric.

  2. Transport locations (TLOCs): TLOCs serve as identifiers that associate an OMP route with a physical location. They are the only IP addresses that are known and reachable within the underlying network.

  3. Service routes: Service routes identify network services within the SD-WAN overlay. These routes indicate the physical location of services such as firewalls, IPS, IDS, or any other device capable of processing network traffic. Service information is advertised through service routes and OMP routes.

My name is Nam who loves to talk and share knowledge related to Networking, Automation, and so on. More about me: nam-nguyen.me

Hope you enjoy the blog and don't forget to join the Tech-Learner-Hub to get more and more valuable content.

Get the Cisco SD-WAN Zero-to-One ebook