Cisco Guides
Field notes on Cisco — Catalyst SD-WAN and the ENSDWI certification track, plus routing, switching, VRF and BGP design, and the operational details that make the difference under pressure.
ENSDWI (300-415) Study Series
A twelve-part walk through the Implementing Cisco SD-WAN Solutions v1.2 blueprint, in blueprint order — architecture, controllers, router deployment, policies, security and QoS, and management.
-
ENSDWI Part 1: Exam Syllabus & Study Roadmap
Kicking off a twelve-part study series for the Cisco 300-415 ENSDWI exam. Part 1 breaks down the v1.2 blueprint domain by domain, maps every topic to a part of this series, and covers exam logistics, lab options, and how to study for a 90-minute concentration exam.
-
ENSDWI Part 2: Architecture — Planes, Components, and Multi-Region Fabric
Blueprint domain 1.1: the four planes and their components, OMP's three route types, TLOCs, IPsec vs GRE encapsulation, BFD's dual role, and Multi-Region Fabric — the v1.2 addition that older study material misses entirely.
-
ENSDWI Part 3: Edge Platforms and Cloud OnRamp
Finishing blueprint domain 1.0: the cEdge and vEdge platform families and how to pick between them, then all four Cloud OnRamp variants — SaaS, IaaS, Colocation, and Multicloud/Interconnect — at the depth the exam actually tests.
-
ENSDWI Part 4: Controller Deployment — Cloud, On-Prem, Scale, and Redundancy
Blueprint 2.1 and 2.2: Cisco-hosted vs on-premises controllers, hosting platform requirements, installing the vManage/vBond/vSmart trio, and the scalability and redundancy rules — clustering, affinity, and how many of each you actually need.
-
ENSDWI Part 5: Certificates, Device Lists, and Control-Plane Troubleshooting
Blueprint 2.3 and 2.4: the certificate trust model end to end — root CA options, controller CSRs, the WAN Edge authorized serial list — then the systematic control-connection troubleshooting flow behind most ENSDWI exhibit questions.
Catalyst SD-WAN Deep Dive
A ten-part architecture-first tour of Cisco Catalyst SD-WAN — OMP, TLOCs, policy, cloud on-ramp, security, automation, and where it breaks.
-
Cisco Catalyst SD-WAN Deep Dive Part 1: Components, Controllers, and the Four Planes
Starting a ten-part deep dive into Cisco Catalyst SD-WAN. Part 1 covers the Viptela lineage, the four controller planes (vManage, vSmart, vBond, WAN Edge), the certificate trust model, and the control-connection bring-up sequence.
-
Cisco Catalyst SD-WAN Deep Dive Part 2: OMP, the Overlay Management Protocol
Part 2 of the Cisco Catalyst SD-WAN series: what OMP actually carries between WAN Edge and vSmart — OMP routes, TLOC routes, and service routes — how best-path selection and multipath differ from BGP, and why the overlay/underlay split is the whole point.
-
Cisco Catalyst SD-WAN Deep Dive Part 3: TLOCs, Color, and Centralized Policy
Part 3 of the Cisco Catalyst SD-WAN series: what TLOC color actually constrains, how restrict/no-restrict shapes which tunnels can form, and how centralized control policy on vSmart turns that into enforced topology — full mesh, hub-and-spoke, or anything between.
-
Cisco Catalyst SD-WAN Deep Dive Part 4: BFD, App-Route SLAs, and cEdge Forwarding
Part 4: how BFD over every data tunnel drives both fast failure detection and continuous SLA measurement, how app-route policy steers on that data, and where cEdge's IOS-XE forwarding pipeline diverges from legacy vEdge.
-
Cisco Catalyst SD-WAN Deep Dive Part 5: Topology Walkthroughs — Dual Transport, DIA, and TLOC Extension
Part 5: VPN segmentation (transport vs. service VPNs), a worked dual-MPLS-plus-Internet branch design, direct internet access for local breakout, and TLOC extension for sites with no WAN circuit of their own.
-
Cisco Catalyst SD-WAN Deep Dive Part 6: Cloud OnRamp for SaaS and IaaS
Part 6: how Cloud OnRamp for SaaS continuously measures per-app, per-transport path quality to pick the best local breakout, and how Cloud OnRamp for IaaS extends the fabric directly into AWS and Azure as cloud-resident sites.
-
Cisco Catalyst SD-WAN Deep Dive Part 7: SIG, Secure Firewall, and Edge Security
Part 7: how DIA traffic gets inspected without a hub backhaul — Cisco Secure Internet Gateway integration, the on-box UTD container on cEdge, and how this converges with the broader SASE shift other vendors are making too.
-
Cisco Catalyst SD-WAN Deep Dive Part 8: Automation — vManage API, Terraform, and Ansible
Part 8: why vManage's API-first design means automating Catalyst SD-WAN looks nothing like CLI-scraping individual boxes, and where Terraform's declarative model and Ansible's procedural model each fit.
-
Cisco Catalyst SD-WAN Deep Dive Part 9: The MPLS-to-SD-WAN Cutover Playbook
Part 9: a phased, coexistence-based migration sequence from legacy MPLS to Catalyst SD-WAN — pilot sites first, hubs last, explicit rollback triggers, and why ripping MPLS out in one weekend is the wrong instinct.
-
Cisco Catalyst SD-WAN Deep Dive Part 10: Failure Modes, Scale Limits, and a Vendor Comparison
Part 10, the finale: what actually breaks (vBond, vSmart, vManage) and what doesn't when it does, vManage's documented scale ceiling, and a head-to-head of OMP/TLOC against Fortinet ADVPN, Arista DMPO, and VeloCloud.
Other Cisco Posts
-
Ansible Deep Dive Part 10 Lab: Automating a Cisco and FortiGate Fleet With Ansible
Part 10, the second lab: network-specific Ansible modules against a mixed Cisco IOS and FortiGate fleet — cisco.ios facts and config, fortinet.fortios firewall policy objects, connection: network_cli vs httpapi, and a config-drift check playbook.
-
SD-WAN Control Plane Showdown: Three Philosophies for Solving the Same Problem
Fortinet collapses control onto the data-plane device. Arista/VeloCloud collocates it on a multi-tenant Gateway. Cisco/Viptela decouples it fully into vSmart and OMP. Three architectures covered on this site, lined up side by side, right before the Cisco series picks up the third one.
-
A Brief History of SD-WAN Controllers: Viptela, VeloCloud, CloudGenix, and Why Cisco Runs Two SD-WAN Stacks
Three startups solved SD-WAN's control-plane problem within a year of each other. Two got bought by exactly the company you'd expect; one brand didn't survive. The acquisition history of Viptela, VeloCloud, and CloudGenix — and why Cisco still runs two unrelated SD-WAN stacks today.
-
From DSCP to Deep Packet Inspection: Why SD-WAN Application-Aware Routing Killed Traditional QoS
A deep technical comparison of legacy QoS (DSCP/CoS, static priority queues, box-by-box CLI) against SD-WAN Application-Aware Routing — plus a vendor-by-vendor breakdown of how Cisco Catalyst SD-WAN, Fortinet, Juniper Mist (128T), and VeloCloud actually identify and steer application traffic.
-
The Packet Never Lies: Advanced tcpdump Recipes for the Enterprise Engineer
Bitwise BPF masking, enterprise recipes for asymmetric routing and retransmission hunting, a safe SSH-to-Wireshark live-streaming setup that won't loop your own session, and a cross-vendor capture map spanning Debian, Cisco IOS, FortiOS, Junos, and VeloCloud.
-
BGP Route Dampening Part 1: The Flapping Problem, Exponential Decay, and Cisco Configuration
A deep dive into how BGP route dampening works: the 1990s internet instability that created it, the exponential decay algorithm behind it, every Cisco parameter explained, and a full configuration and verification reference.
-
BGP Route Dampening Part 2: RFC 7454, BFD, and Where Dampening Still Belongs
Why the IETF now discourages global BGP route dampening, how Bidirectional Forwarding Detection interacts with it, what RFC 7454 actually says, and the specific modern scenarios where dampening remains the right answer.
-
Adding Vendor Route-Table Parsers to route-compare, and Why the Work Lives on a Branch
A follow-up on the route-compare tool: I taught it to read raw show ip route, get router info routing-table all, show route, and show routing route output directly — no Excel cleanup step. The work lives on a branch rather than on main, and this is why.
-
Netmiko in Practice: From a Show-Command Script to a Repeatable Audit Tool
A working network engineer's guide to Netmiko — starting from a small repo of mine that runs show commands across a JSON inventory, and extending it into something you can use as a real audit tool with structured output, concurrency, secure credentials, and a sane dry-run for config changes.
-
Route Leaking Between VRFs on Cisco IOS: From BGP First Principles to Advanced Manipulation
A practical end-to-end walkthrough of route leaking between VRFs on Cisco IOS — starting with the BGP and VRF fundamentals you need to actually understand what's happening, the static and MP-BGP options for the leak itself, and the route-map machinery that lets you control exactly what crosses.