TTechclick ⚡ XP 0% All lessons
Cisco SD-WAN · Segmentation · VPNsInteractive · L1 / L2 / L3

Cisco SD-WAN Segmentation: — VPN 0, VPN 512, Service VPNs & Labels

In Cisco SD-WAN a "VPN" is not a remote-access tunnel — it's a VRF, a segment. VPN 0 faces the WAN, VPN 512 is the side door for management, and VPNs 1–511 carry your Corp, Guest and PCI traffic in separate tables. The magic that keeps Guest out of Corp end-to-end is one number riding every OMP route: the VPN label.

📅 2026-06-09 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Cisco SD-WAN segmentation explained: VPN 0 transport, VPN 512 management, service VPNs 1-511, how the VPN label rides OMP to keep segments isolated, plus inter-VPN route leaking and firewall service insertion. ENSDWI 300-415.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The two reserved VPNs

VPN 0 = transport, VPN 512 = out-of-band mgmt.

 2

Service VPNs 1–511

Corp, Guest, PCI — one VRF each, isolated.

 3

Labels ride OMP

Every route carries a VPN label to demux.

 4

Leak it on purpose

Control policy + firewall service insertion.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A junior engineer says "I'll put the WAN ISP interface in VPN 10 with the Corp users." What's wrong?

Answered in The two reserved VPNs.

2. In Cisco SD-WAN, what does the word "VPN" actually mean?

Answered in Labels ride OMP.

3. Guest users in VPN 30 somehow see Corp servers in VPN 10. With no leaking policy configured, what is the likely real cause?

Answered in Service VPNs 1–511.

Most engineers think…

Most engineers coming from remote-access VPNs think a Cisco SD-WAN "VPN" is a tunnel you dial into, and that to keep Guest away from Corp you bolt on ACLs and firewalls between them.

Wrong frame. An SD-WAN VPN is a VRF / segment, not a client tunnel. Isolation is the default, not something you add — a Guest in VPN 30 and a Corp host in VPN 10 live in different routing tables, carry different OMP labels, and simply have no route to each other. You don't write an ACL to keep them apart; you write a policy only when you deliberately want a controlled hole between segments (route leaking) or want traffic to detour through a shared firewall (service insertion).

① VPNs ARE segments — and two of them are reserved

The first thing to unlearn: in Cisco SD-WAN a VPN is not the AnyConnect-style tunnel you dial into from a café. It is a VRF — a segment with its own routing table on the same router. Rahul at Infosys can run Corp, Guest and a PCI zone on one WAN Edge, and each lives in its own table, blind to the others. Newer Catalyst SD-WAN even shows you the word VRF in places where the field has said VPN for years — they are the same idea.

Out of the whole numbering space, two VPNs are special and you cannot use them for users. VPN 0 is the transport VPN — your MPLS and Internet uplinks, the TLOCs, the default route to the underlay, and the DTLS control connections to the controllers all live here. VPN 512 is the management VPN — out-of-band SSH, SNMP and NTP to the box, completely off the data path.

👉 So far: a VPN = a VRF/segment; VPN 0 faces the WAN, VPN 512 is the management side door. Next: see all three kinds living on one router at once.
Figure 1 — One WAN Edge, three jobs
One WAN Edge runs many VPNs at once — VPN 0 faces the WAN, VPN 512 is the side door, service VPNs face the LAN A single Cisco WAN Edge router box holds three kinds of VPN. VPN 0 (transport) owns the WAN-facing interfaces, the TLOCs and the default route to the underlay, and builds DTLS control connections to the controllers. VPN 512 is an out-of-band management VPN reached over a dedicated port. Service VPNs 1 to 511 (Corp VPN 10, Guest VPN 30, PCI VPN 40) face the LAN, each its own isolated routing table. One WAN Edge, three jobs — transport, management, and the LAN segments WAN Edge (cEdge) system-ip 10.255.6.6 one router, many routing tables Corp VRF · Guest VRF · PCI VRF + transport + mgmt tables VPN 0 — TransportWAN ports · TLOCs · default routeMPLS + Internet to the underlay DTLS control → VPN 512 — Managementout-of-band: SSH · SNMP · NTP VPN 10 — Corp LAN VPN 30 — Guest LAN VPN 40 — PCI LAN service VPNs 1–511 → face the LAN VPN 0 carries the overlay; service VPNs ride INSIDE it; VPN 512 never touches either. A "VPN" here is a VRF/segment — NOT a remote-access client tunnel. underlay/untrustedoverlay/trustedcontrol/policykey insightallowed
Look at the single router box: VPN 0 (red, transport) faces the WAN and builds the overlay; VPN 512 (amber, mgmt) is the side door; the service VPNs (blue) face the LAN. One router, many routing tables.

The Indian-life picture that sticks: think of a railway station. VPN 0 is the main entrance off the public road — everyone and everything that comes in from outside arrives through it, and it's where the platform numbers (TLOCs) are posted. VPN 512 is the locked staff door at the back — only the station master walks through it for maintenance, and no passenger ever uses it. The service VPNs are the separate waiting rooms — first class, general, ladies — each with its own door, and a passenger in one room can't wander into another.

Four words you'll say every day on the job

Tap each card — these are the vocabulary anchors for the whole lesson.

🚪
VPN 0 (Transport)
tap to flip

Holds WAN interfaces, TLOCs and the default route to the underlay; builds the overlay. No user data sits here directly. So: ISP links go here, never users.

🔧
VPN 512 (Mgmt)
tap to flip

Out-of-band management only — SSH, SNMP, NTP to the device. Off the data path entirely. So: losing it never drops user traffic.

🏢
Service VPN
tap to flip

Any VPN 1–511 (or 513–65525): a LAN-facing segment = a VRF. Corp, Guest, PCI each get one. So: this is where users live.

🧱
VPN = VRF
tap to flip

Same routing table separation as classic VRFs. Isolation is the default. So: you don't add ACLs to separate VPNs — they already are.

Quick check · Q1 of 10

Priya at ICICI is told "put the branch's two ISP uplinks and the default route into the right VPN." Which VPN?

Correct: b. WAN/ISP transport interfaces, TLOCs and the underlay default route all belong in VPN 0, the transport VPN — that's what builds the overlay. VPN 512 is out-of-band management only; service VPNs (like VPN 10) face the LAN, not the ISP; and you cannot freely place transport interfaces in just any VPN.

Pause & Predict

Predict: if VPN 512 (management) on a branch router goes down for an hour, what happens to the Corp users in VPN 10 on that same router? Type your guess.

Answer: Nothing — they keep working. VPN 512 is out-of-band management (SSH/SNMP/NTP to the box) and sits completely off the data path. User data rides the service VPNs over the overlay built in VPN 0. Losing management visibility is an operations problem, not a user-traffic outage. That separation is exactly why VPN 512 exists.

② Service VPNs (1–511) — one VRF per department

Everything that isn't VPN 0 or VPN 512 is a service VPN, and that's where your users live. The usable range is 1–511 and 513–65525; Cisco reserves 0, 512, and 65526 and above. So Sneha at TCS gives Corp VPN 10, Guest VPN 30, and the card-data zone VPN 40 — three departments, three completely separate routing tables, on the very same WAN Edge.

Each service VPN maps one-to-one onto a traditional VRF. A prefix learned in VPN 10 goes into the VPN 10 table and only the VPN 10 table. There is no shared global table that Corp and Guest both fall into — that's the whole point. The CLI even uses VRF language on modern cEdge boxes.

cEdge CLI — define a service VPN (Guest = VPN 30) and put a LAN interface in it
vrf definition 30
 address-family ipv4
 exit
!
interface GigabitEthernet0/0/1.30
 vrf forwarding 30
 ip address 172.16.30.1 255.255.255.0
 no shutdown
!
! On vEdge/older syntax this is simply:  vpn 30  →  interface ge0/0/1  →  ip address 172.16.30.1/24
Expected output
Edge-A# show ip route vrf 30 | include 172.16.30
C   172.16.30.0/24 is directly connected, GigabitEthernet0/0/1.30
L   172.16.30.1/32 is directly connected, GigabitEthernet0/0/1.30
! VPN 30's prefixes live ONLY in vrf 30 — invisible to vrf 10.

In production you almost never type this by hand — you do it once in a feature template and attach it to a hundred branches. The path Aditya at Wipro uses every day: Configuration > Templates > Feature > Add Template > VPN (set the VPN ID and what to advertise into OMP), then a separate VPN Interface Ethernet template for the LAN port. The same VPN number on every branch = the same segment end-to-end across the fabric.

🖥️ This is the screen you'll define the Guest segment on — vManage → Configuration → Templates → Feature → Add Template → VPN. Real fields. (Recreated for clarity — your vManage matches this.)
vmanage.lab.local · Configuration · Templates · Feature · VPN
1
Template Name
VPN30-Guest-Branch
2
VPN
30
Name
Guest-WiFi
3
Advertise OMP · Connected (IPv4)
On
Advertise OMP · Static (IPv4)
On
4
Device-specific (interface)
VPN Interface Ethernet → ge0/0/1
Save
Common mistake — two subnets, one VPN number

Symptom: "Guest can ping Corp servers and I have NO leaking policy — SD-WAN segmentation is broken!" Cause: the Guest LAN interface and the Corp LAN interface were both dropped into the same VPN (e.g. both ended up in VPN 10) on one branch template. Same VPN = same routing table = they see each other by design. Fix: put each department in its own VPN ID (Corp 10, Guest 30) and confirm with show ip route vrf 30 — Guest prefixes must appear only under vrf 30.

Quick check · Q2 of 10

Karthik at HCL must add an IoT segment that is isolated from Corp (VPN 10) and Guest (VPN 30) on the same routers. What's the minimal correct action?

Correct: b. Giving IoT its own service VPN (say VPN 50) makes it a separate VRF that is isolated from VPN 10 and VPN 30 by default — no ACL needed. An ACL between existing VPNs doesn't help the new segment; VPN 0 is for WAN transport and VPN 512 is out-of-band management — neither is for user/IoT data.

Pause & Predict

Predict: you configure Corp as VPN 10 at the Mumbai branch but accidentally as VPN 11 at the Pune branch. Both have the right subnets. Can Mumbai Corp reach Pune Corp over the fabric? Type your guess.

Answer: No. The segment is defined by the VPN-ID, not the subnet. OMP only advertises a VPN 10 prefix into other VPN 10 tables; VPN 11 is a different segment with different labels, so the two never exchange routes. The fix is to use the SAME VPN number for the same segment on every site. This is the single most common 'it's configured but not working' segmentation bug.

③ How segmentation rides OMP — the VPN label

Here's the engine room. When you create a VPN on a WAN Edge, the router quietly assigns it a VPN label. It then advertises that label + VPN-ID together in every OMP route up to vSmart, which reflects it to the other edges. The remote edge stores: "to reach that prefix in that VPN, push this label."

The detail that trips people up: labels are locally significant. On Edge-A, VPN 30 might be label 1015; on Edge-B the very same VPN 30 might be label 1013. The numbers don't have to match — each edge advertises its own, and the sender simply copies whatever label sits in the OMP route it's using. That's why the fabric scales: adding a new edge or a new VPN never forces every other router to renumber.

Figure 2 — The label is the boarding pass
The VPN label is the boarding pass — it tells the far WAN Edge which routing table to drop the packet into Control plane: each WAN Edge assigns a locally significant label per VPN and advertises label plus VPN-ID to the vSmart controller over OMP; vSmart reflects it. Data plane: the ingress edge pushes the VPN label, encrypts with IPsec, sends it over the WAN. The egress edge decrypts, reads the label, and demultiplexes the packet into the matching VPN routing table. A wrong or missing label means the packet lands in the wrong table or is dropped. Segmentation rides OMP: advertise the label, then forward by the label vSmart Controllerreflects OMP routes + labels Edge-A (Mumbai)VPN 30 → LABEL 1015VPN 10 → LABEL 1014labels are LOCALLY significant Edge-B (Pune)VPN 30 → LABEL 1013VPN 10 → LABEL 1012same number ≠ same VPN! OMP: VPN-ID+label OMP: VPN-ID+label [ IPsec | LABEL 1013 | IP pkt to 172.16.30.5 ]ingress pushes label 1013 (Edge-B's VPN 30), THEN encrypts Guest user 172.16.30.9 → Edge-B decrypts → reads LABEL 1013 → lands in its VPN 30 table.Guest (VPN 30) can NEVER reach Corp (VPN 10) — different label, different table. underlay/untrustedoverlay/trustedcontrol/policykey insightallowed
Trace the blue packet: the ingress edge pushes Edge-B's VPN 30 label (1013), encrypts, and sends. Edge-B decrypts, reads 1013, and drops the packet into its VPN 30 table. Wrong label = wrong table or drop.

Order matters in the data plane. On the way out, the ingress edge pushes the VPN label first, then wraps it in IPsec — so the label is protected inside the tunnel. On the way in, the egress edge decrypts first, reads the label, then does the route lookup in the matching VPN table. Because the lookup happens inside one specific VPN table, a Guest packet (VPN 30) physically cannot resolve a Corp prefix (VPN 10) — there's no entry for it in that table. That is the isolation, and it needs zero access-lists.

▶ Follow one Guest packet across the fabric

Watch a Guest user's packet in VPN 30 get labelled, encrypted, carried, and demultiplexed into the right table on the far side. Press Play for the healthy path, then Break it to see the failure.

① AssignEdge-A creates VPN 30 → router auto-assigns label; Edge-B's VPN 30 = label 1013
② AdvertiseOMP carries prefix 172.16.30.0/24 + VPN-ID + label 1013 via vSmart to Edge-A
③ ForwardEdge-A pushes label 1013, then IPsec-encrypts → packet rides the overlay to Edge-B
④ DemuxEdge-B decrypts, reads label 1013 → lookup in its VPN 30 table only → delivered
Press Play to step through the healthy path. Then press Break it.
cEdge CLI — see the label per VPN and per route
Edge-B# show sdwan omp services
Edge-B# show sdwan omp routes vpn 30
Expected output
                          PATH                                  ATTRIBUTE
VPN  PREFIX            FROM PEER     ID  LABEL  STATUS  TLOC IP        COLOR        ENCAP
----------------------------------------------------------------------------------------
30   172.16.30.0/24   10.255.0.1    3   1013   C,I,R   10.255.6.6    biz-internet ipsec
30   172.16.30.0/24   10.255.0.1    4   1013   C,R     10.255.6.6    mpls         ipsec
! LABEL 1013 = this edge's VPN 30 table.  C=chosen I=installed R=resolved.
Quick check · Q3 of 10

On Edge-A, VPN 30 is label 1015; on Edge-B the same VPN 30 is label 1013. When Edge-A sends a Guest packet to a host behind Edge-B, which label does Edge-A push?

Correct: c. Labels are locally significant, so the sender copies the label carried in the OMP route it received — that's Edge-B's VPN 30 label, 1013. Edge-A's own 1015 is only relevant for traffic arriving AT Edge-A. There's no label stacking here, and the subnet alone never determines the VPN — the label does.

Pause & Predict

Predict: a colleague insists "all my branches must use the exact same label number for VPN 10 or routing breaks." True or false, and why? Type your guess.

Answer: False. Labels are locally significant — each WAN Edge picks its own per VPN and advertises it in OMP. The sender always uses whatever label is in the received OMP route, so Edge-A's VPN 10 label and Edge-B's VPN 10 label can differ freely. Requiring matching labels would defeat the whole point and stop the fabric from scaling. What MUST match across sites is the VPN-ID (the segment number), not the label.

④ Controlled leaking & firewall service insertion

Isolation is the default — but the business sometimes wants a controlled hole. Two patterns cover almost everything. Route leaking shares specific prefixes between two VPNs (e.g. let a shared printer in VPN 50 be reachable from Corp VPN 10). Service insertion (a.k.a. service chaining) forces VPN-to-VPN traffic to detour through a shared firewall before it's allowed across. Both are done from the controller, not on each branch.

Route leaking uses a centralized control policy. You build VPN lists and a prefix list, then write a topology/control policy that says export the VPN 50 prefixes to VPN 10 (and, if you want it both ways, a second rule the other direction). vSmart then advertises those leaked prefixes into the target VPN's tables. The vManage path Meera at Airtel uses: Configuration > Policies > Centralized Policy > Add Policy, build the lists, then a Custom Control (Route & TLOC) topology.

Meera at Airtel faces this

Meera, an L2 engineer, gets a ticket: "Corp (VPN 10) users must reach the shared license server 10.50.0.20 that lives in the Services VPN 50 — but only that one host, nothing else in VPN 50." She's about to merge the two VPNs.

Likely cause

Merging VPNs would collapse the whole isolation boundary — Corp would see ALL of VPN 50, and VPN 50 would see all of Corp. The ask is a single-prefix leak, not a merge.

Diagnosis

She picks the right tool: a centralized CONTROL policy on vSmart that exports just the 10.50.0.20/32 prefix from VPN 50 into VPN 10, and the Corp return subnet from VPN 10 into VPN 50.

vManage → Configuration → Policies → Centralized Policy → Add Policy → Lists (VPN 10, VPN 50, Prefix 10.50.0.20/32) → Custom Control (Route) → Action Accept + Export To
Fix

Two control-policy sequences (VPN 50→VPN 10 for the license host, VPN 10→VPN 50 for the Corp return route), applied inbound on vSmart for the relevant sites, then activate.

Verify

On a Corp cEdge run show sdwan omp routes vpn 10 | include 10.50.0.20 → the leaked /32 appears in VPN 10; a different VPN 50 host (e.g. 10.50.0.99) does NOT, proving only the one prefix leaked.

Service insertion goes further: instead of leaking routes, you make traffic physically pass through a firewall. The firewall is advertised as a service from the VPN it sits in (on the hosting edge you configure service FW address <ip> so it's announced to OMP), and a centralized control/data policy then steers matched VPN-to-VPN traffic to that firewall service before delivery. The exam loves the distinction: route leaking = share a route; service insertion = detour through an appliance.

Figure 3 — Segmentation cheat-card
Cisco SD-WAN segmentation on one card — reserved VPNs, ranges, label flow and the show commands A nine-tile cheat sheet covering VPN 0 transport, VPN 512 management, service VPN range 1 to 511 and 513 to 65525, reserved numbers 0 512 and 65526 plus, how the VPN label rides OMP, why two service VPNs stay isolated, route leaking via centralized control policy, service insertion of a firewall, and the verification show commands. SD-WAN segmentation — your one-glance card VPN 0 — TransportWAN ports · TLOCs · default routebuilds the overlay (DTLS to ctrl) VPN 512 — Mgmtout-of-band: SSH·SNMP·NTPnever carries data traffic Service VPNs1–511 & 513–65525 (LAN)reserved: 0, 512, 65526+ VPN labelper VPN, locally significantrides OMP with the VPN-ID Isolationdifferent label → different tableGuest VPN 30 ≠ Corp VPN 10 Route leakingcentralized CONTROL policyexport-to between VPN lists Service insertionadvertise "service FW" in a VPN,control policy steers VPN→FW→VPN Verify (cEdge CLI)show sdwan omp routes vpn 30show sdwan omp servicesshow ip route vrf 30 underlay/untrustedoverlay/trustedcontrol/policykey insightallowed
Your one-card map of the whole lesson — reserved VPNs, the service range, how the label rides OMP, and the show commands. Keep it open while you build, and revisit it before the ENSDWI exam.
Figure 4 — A service VPN IS a VRF — the fabric just carries it for you
A service VPN IS a VRF — but the fabric carries the segment for you instead of you stitching MPLS VRFs hop by hop Two columns compare classic MPLS-VPN VRF segmentation against Cisco SD-WAN service VPN segmentation. Traditional: you build a VRF per hop, run MP-BGP VPNv4, allocate MPLS labels, and the provider core must carry every VRF. SD-WAN: you define the VPN once at each WAN Edge, OMP advertises the label automatically, and the same overlay carries every segment over any transport with end-to-end isolation. The shared idea in the middle: both keep each segment in its own routing table. Traditional MPLS VRF vs SD-WAN service VPN Classic MPLS-VPN VRF • one VRF defined on EVERY hop • MP-BGP VPNv4 / route-targets to glue it • MPLS labels distributed by LDP • provider core must carry every VRF • single transport (the MPLS cloud) − slow to add a segment, vendor-locked − every new site = config on the core you stitch the segment hop by hop SD-WAN service VPN • define VPN once at each WAN Edge • OMP advertises VPN-ID + label for you • labels are locally significant, auto-assigned • ONE overlay carries all segments • any transport: MPLS, Internet, 4G/5G + add a segment in minutes via template + provider core is just IP, unaware of VRFs the fabric carries the segment for you Same end goal: each segment in its OWN routing table. Different machinery underneath. underlay/untrustedoverlay/trustedcontrol/policykey insightallowed
Why a service VPN feels familiar: it is the same per-segment routing-table idea as a classic MPLS VRF. The difference is the machinery — you define the VPN once at each WAN Edge, OMP advertises the VPN-ID + label automatically, and one overlay carries every segment over any transport, instead of you stitching VRFs and MP-BGP hop by hop across the provider core.
🖥️ This is the policy screen you'll steer traffic on — vManage → Configuration → Policies → Centralized Policy → Custom Options → Topology → Custom Control (Route & TLOC). (Recreated for clarity — your vManage matches this.)
vmanage.lab.local · Configuration · Policies · Centralized · Custom Control
1
Sequence Type
Route
2
Match · VPN List
VPN-10 (Corp)
Match · Prefix List
PL-License-Host (10.50.0.20/32)
3
Action
Accept
Action · Service
Type Firewall · VPN 60
4
Default Action
Reject (isolation stays the default)
Save Match And Actions → Activate
Prove you've got the segmentation model

Take a real ask — "keep Guest, Corp and PCI apart but let Corp reach one license server in the Services VPN, and run all Guest-to-Corp traffic through the firewall." Name the segments (VPN 10/30/40 + Services VPN 50), the isolation mechanism (per-VPN OMP labels, no ACL needed), the controlled crossing for the license host (centralized control-policy route leak), and the firewall path (service insertion via control/data policy). If you can do that cold, you're ready for the ENSDWI Policies domain and the SOC floor.

Common mistake — leaking applied in the wrong direction

Symptom: after a leak policy, Corp can see the route to the license host but pings time out one-way. Cause: you exported VPN 50 → VPN 10 but forgot the return export VPN 10 → VPN 50, so the server has no route back to Corp. Fix: route leaking is directional — add the second control-policy sequence for the return prefix, then re-verify with show sdwan omp routes in BOTH VPNs.

Back: Data Plane — TLOCs & IPsecNext: Templates at scale
Quick check · Q4 of 10

The security team wants ALL traffic between Guest (VPN 30) and Corp (VPN 10) to pass through a shared firewall, not just be blocked or leaked. Which feature?

Correct: c. Forcing traffic THROUGH an appliance is service insertion (service chaining): the firewall is advertised as a service and a centralized control/data policy steers VPN 30↔VPN 10 traffic to it. A plain route leak just shares prefixes (no firewall in path); VPN 0 is transport; per-branch ACLs don't give fabric-wide, controller-driven steering.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Cisco SD-WAN docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In Cisco SD-WAN, which VPN holds the WAN transport interfaces, TLOCs and the default route to the underlay?

Correct: c. VPN 0 is the transport VPN — WAN/ISP interfaces, TLOCs and the underlay default route live here, and it builds the overlay. VPN 512 is out-of-band management; VPN 1 is a service VPN for user data; numbers 65526 and above are reserved.
Q6 · Apply

Sneha needs to add a card-data (PCI) segment isolated from Corp (VPN 10) and Guest (VPN 30) on the same WAN Edges. What does she do?

Correct: a. A new service VPN (VPN 40) is a separate VRF, isolated from VPN 10 and VPN 30 by default — exactly what PCI needs. VPN 0 is WAN transport and VPN 512 is OOB management (neither carries user data); an ACL between two existing VPNs does nothing for the new segment.
Q7 · Apply

Corp must reach exactly one license server (10.50.0.20/32) that lives in Services VPN 50, with nothing else crossing. Which tool?

Correct: b. A centralized control-policy route leak exports only the 10.50.0.20/32 prefix between the two VPNs (with a return sequence), keeping everything else isolated. Merging the VPNs exposes ALL of each side; per-branch ACLs aren't fabric-wide route control; VPN 0 is transport, not a place for servers.
Q8 · Analyze

Edge-A labels VPN 30 as 1015; Edge-B labels the same VPN 30 as 1013. Routing between them works fine. Why don't the mismatched labels break anything?

Correct: b. VPN labels are locally significant: each edge advertises its own per VPN, and the sender copies whatever label is in the OMP route it's using. Nothing renumbers them; service VPNs absolutely use labels; and the label — not the subnet — selects the egress VPN table. Mismatched numbers are normal and let the fabric scale.
Q9 · Analyze

Guest users (VPN 30) can reach Corp servers (VPN 10) on one branch, and there is NO leaking policy anywhere. Steering and OMP are healthy. Most likely root cause?

Correct: c. Same VPN-ID = same VRF = same routing table, so the two subnets see each other by design — the classic 'two subnets, one VPN number' error. SD-WAN VPNs are isolated by default; a dead vSmart would break routing, not create a leak; and matching label numbers are harmless because labels are locally significant.
Q10 · Evaluate

Security wants Guest↔Corp traffic to pass through a shared firewall, and separately wants Corp to reach one printer in VPN 50. Compare: (A) one big route leak between VPN 30, VPN 10 and VPN 50; (B) service insertion for Guest↔Corp plus a single-prefix control-policy leak for the printer. Which is correct and why?

Correct: d. The two asks are different shapes: 'inspect traffic in the path' = service insertion (steer through the firewall), while 'reach one host' = a scoped route leak of the single /32. Design B matches each requirement and keeps all other prefixes isolated. A broad leak across three VPNs would expose far more than intended and never routes traffic through the firewall.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does a Guest user in VPN 30 have no route to a Corp server in VPN 10, even with zero access-lists? Then compare to the expert version.

Expert version: Because VPN 30 and VPN 10 are separate VRFs with separate routing tables, and every OMP route carries the VPN's label — the egress edge looks up the packet only in the table that label points to, where the Corp prefix simply doesn't exist, so there's nothing to resolve.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

VPN (SD-WAN)
An isolated routing segment = a VRF. NOT a remote-access client tunnel.
VPN 0 (Transport)
Holds WAN interfaces, TLOCs and the default route; builds the overlay control connections.
VPN 512 (Management)
Out-of-band management VPN for SSH/SNMP/NTP to the device; off the data path.
Service VPN
Any VPN 1–511 or 513–65525 — a LAN-facing segment carrying user data. Reserved: 0, 512, 65526+.
VRF
Virtual Routing and Forwarding — a separate routing table; what an SD-WAN VPN actually is.
VPN label
A per-VPN, locally significant number carried in OMP routes and packets so the far edge picks the right VPN table.
OMP
Overlay Management Protocol — the BGP-like control protocol carrying routes, TLOCs, labels and service info to/from vSmart.
Locally significant
A label's value is chosen per router; the same VPN can use different labels on different edges.
TLOC
Transport Locator — a WAN Edge's overlay attachment (system-IP + colour + encap), lives in VPN 0.
Route leaking
Sharing specific prefixes between two VPNs via a centralized control policy (export-to).
Service insertion
Service chaining — steering VPN-to-VPN traffic through a shared firewall/IPS advertised as a service.
Centralized control policy
A vSmart-applied policy that filters/modifies the OMP routes the controller advertises to edges.

📚 Sources

  1. Cisco Catalyst SD-WAN Segmentation Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x — Segmentation (VPN 0 transport, VPN 512 management, service VPNs, VPN labels in OMP, label encapsulation in the data plane, VRF ranges 1–65525 excluding reserved 0/512/65526+). cisco.com/c/en/us/td/docs/routers/sdwan/configuration/segmentation/ios-xe-17/segmentation-book-xe/segmentation.html
  2. Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x — VPN (VPN 0 = transport carrying control traffic, VPN 512 = OOB management; feature-template VPN config). cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/vpn.html
  3. Cisco Support — "Configure Route Leaking for Service Chaining in SD-WAN" (Doc ID 221907): centralized control policy, export-to between VPN lists, service insertion of a firewall, vManage Configuration > Policies > Centralized Policy. cisco.com/c/en/us/support/docs/routers/sd-wan/221907-configure-route-leaking-for-service-chai.html
  4. Cisco Community — "SD-WAN segmentation through Label/VPN-ID" (TID 4944240): practitioner thread confirming VPN labels are locally significant and how the far edge demultiplexes by label. community.cisco.com/t5/sd-wan-and-cloud-networking/sd-wan-segmentation-through-label-vpn-id/td-p/4944240
  5. Cisco Release Notes — Cisco IOS XE Catalyst SD-WAN Release 17.15.x & Control Components 20.15.x (2025; VRF/VPN ID range 1–65525 excluding 512, reserved 0/512/65526+; extended-maintenance cadence). cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/17-15/sd-wan-rel-notes-xe-17-15.html
  6. Cisco Learning Network — 300-415 ENSDWI exam topics: Policies domain (~20%) covers control/data policies and end-to-end VPN segmentation; Security & QoS (~15%) covers segmentation, ZBF and service insertion. learningnetwork.cisco.com/s/ensdwi-exam-topics
  7. NetworkAcademy.IO CCIE Enterprise SD-WAN — "Understanding VPNs and LABELs" (worked example: per-router VPN→label mappings, OMP advertisement, locally significant demux, show sdwan omp routes columns). networkacademy.io/ccie-enterprise/sdwan/vpns-and-labels

What's next?

You can define and isolate segments by hand now — but you'd never type this on 200 branches. Next we turn VPNs, interfaces and policies into reusable vManage templates so one change rolls out fabric-wide.

Next · Templates: configuring Cisco SD-WAN at scale → Practice on exam.techclick.in →