Cisco SD-WAN Overlay Management Protocol (OMP)
Cisco SD-WAN Deep-Dive Series — Part 1
vRoutes • TLOC Routes • Service Routes • Attributes & CLI Verification
🎯 Table of Contents
- OMP Overview — Beyond Just Routing
- OMP Session Establishment
- Three Types of OMP Routes
- OMP Routes (vRoutes) — Attributes Deep Dive
- CLI Examples & Route Status Flags
- TLOC Routes — Transport Location Identifiers
- TLOC Color — Public vs Private
- TLOC Advertised Attributes
- Service Routes — Service Insertion
- Wrap-Up & Key Takeaways
1. OMP Overview — Beyond Just Routing
In the Cisco SD-WAN solution, the Overlay Management Protocol (OMP) is the primary control-plane protocol. It is a TCP-based protocol — similar to BGP — that runs between WAN Edge routers (cEdge / vEdge) and vSmart controllers. OMP goes far beyond simple routing and powers the entire SD-WAN control plane.
🎯 What OMP Provides
- Network Communication: enables data plane connectivity between sites, service chaining, and multi-VPN topology.
- Security Distribution: distributes encryption keys for secure data plane communication across the fabric.
- Best-Path Selection: determines optimal paths and communicates routing policies across the network.
All OMP control-plane updates are protected via DTLS or TLS sessions, ensuring end-to-end security between WAN Edges and vSmart controllers.
2. OMP Session Establishment
When a WAN Edge joins the SD-WAN network, it automatically establishes an OMP peering session with all vSmart controllers using its System-IP address — similar to BGP loopback-based peering. This ensures stability across all available WAN links.
🎯 Figure 1 — OMP Session Establishment (figure; only the labels are recoverable)
- vEdge11, System-IP 1.1.1.11, Site 10, Viptela OS
- cEdge21, System-IP 1.1.1.21, Site 20, IOS-XE
- vEdge31, System-IP 1.1.1.31, Site 30, Viptela OS
- cEdge41, System-IP 1.1.1.40, Site 40, IOS-XE
- vSmart controller, System-IP 9.9.9.30: the OMP peer hub that all WAN Edges connect to
System-IP based peering, like BGP loopback sessions. WAN Edges peer only with vSmart, not with each other (scalable hub-and-spoke control plane).
Key Advantage: OMP eliminates the scaling problem of traditional IGP by having WAN Edges connect only to vSmart — not to each other. vSmart handles all route computation and policy distribution, keeping WAN Edges lightweight.
OMP Peers — CLI Verification
vEdge11# show omp peers
R -> routes received | I -> routes installed | S -> routes sent
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
---------------------------------------------------------------
9.9.9.30 vsmart 1 1 99 up 0:10:16:52 2/2/2
cEdge41# show sdwan omp peers
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
---------------------------------------------------------------
9.9.9.30 vsmart 1 1 99 up 6:03:33:18 1/1/2
vSmart1# show omp peers
DOMAIN OVERLAY SITE
PEER TYPE ID ID ID STATE UPTIME R/I/S
--------------------------------------------------------------
1.1.1.11 vedge 1 1 10 up 0:10:20:15 2/0/2
1.1.1.40 vedge 1 1 40 up 6:08:41:00 2/0/1
3. Three Types of OMP Routes
OMP advertises three distinct route types between vSmart and WAN Edge routers. Each type serves a specific role in the SD-WAN fabric.
🎯 Figure 2 — OMP Route Types (figure; only the labels are recoverable)
- OMP vRoutes: network prefixes for data center, branch, and campus connectivity, like BGP prefixes
- TLOC Routes: transport locators, the data plane tunnel endpoints and the "next-hop" for vRoutes
- Service Routes: firewall / IPS / IDS locations, enabling traffic steering through network services
All three types are exchanged over the OMP control plane via vSmart.
OMP Routes (vRoutes) — Prefix Reachability
Network prefixes enabling connectivity for data centers, branches, and any endpoint in the SD-WAN fabric. These carry 8+ attributes beyond the prefix itself — TLOC, Origin, Originator, Preference, Site ID, Service, Tag, and VPN.
TLOC Routes — Underlay Reachable Endpoints
Transport Locators — the only IP addresses routable in the underlay. They serve as endpoints for IPsec/GRE data plane tunnels and act as the "next-hop" for OMP vRoutes. A TLOC = System-IP + Color + Encapsulation Type.
Service Routes — Service Insertion
Routes that advertise the physical location of network services (firewall, IPS, IDS, load balancer). SD-WAN policy can then steer traffic through these services before it reaches its final destination.
4. OMP Routes (vRoutes) — Attributes Deep Dive
OMP can advertise connected routes, static routes, and routes learned from OSPF, EIGRP, and BGP. Every vRoute carries a rich set of attributes beyond just the prefix — enabling policy-based routing, segmentation, and service insertion.
🎯 Figure 3 — OMP vRoute Attributes (figure; only the labels are recoverable)
An OMP vRoute, e.g. 192.168.10.0/24, carries: TLOC (next-hop), ORIGIN (route source), ORIGINATOR (advertising device), PREFERENCE (like BGP), SITE ID (like BGP ASN), SERVICE (FW/IPS), TAG (optional metadata), and VPN / VRF (segment isolation).
TLOC — Transport Locator — The OMP Next-Hop
The TLOC represents the next-hop for the OMP route — analogous to BGP_NEXT_HOP. It is a triplet: System IP + Color + Encapsulation Type. It identifies which WAN interface and tunnel type to use when forwarding traffic to the advertised prefix.
ORIGIN — Route Source Protocol
Specifies the source: BGP, OSPF, EIGRP, Connected, or Static — along with the protocol's original metric. Used in best-path selection and can be configured via policy to influence routing decisions.
PREFERENCE — Path Selection Weight (Like BGP LOCAL_PREF)
Higher preference = higher priority. Can be modified via policy to influence which path is chosen for a prefix.
Tip: A larger OMP preference value = higher priority. Opposite of routing metrics where lower = better.
SITE ID — Like BGP Autonomous System Number
Each SD-WAN site has a unique Site ID. Multiple WAN Edges at the same site must share the same Site ID to prevent routing loops — similar to how BGP uses AS numbers for loop prevention.
VPN / VRF — Network Segmentation
Identifies the VPN or VRF from which the route was advertised. VPN tags allow overlapping subnets across different VPNs — enabling logical segmentation similar to MPLS VRF. In Cisco SD-WAN, VPNs and VRFs are used interchangeably.
5. CLI Examples & Route Status Flags
The following CLI examples show actual OMP route table output — one locally originated route and one received from a remote site via vSmart.
Example 1 — Locally Advertised Route (Status: C,Red,R)
---------------------------------------------------
omp route entries for vpn 100 route 192.168.10.0/24
---------------------------------------------------
RECEIVED FROM:
peer 0.0.0.0
status C,Red,R
Attributes:
originator 1.1.1.11
tloc 1.1.1.11, public-internet, ipsec
site-id 10
origin-proto connected
origin-metric 0
ADVERTISED TO:
peer 9.9.9.30
Status Flag Decoder
- C — Chosen: selected as the best path via OMP best-path election.
- Red — Redistributed: redistributed from a local routing source (connected, OSPF, BGP...) into OMP.
- R — Resolved: the TLOC next-hop is reachable and valid, so the route is usable.
- I — Installed: installed into the local routing table (remote routes).
Example 2 — Route Received from vSmart (Remote Site, Status: C,I,R)
omp route entries for vpn 100 route 192.168.40.0/24
---------------------------------------------------
RECEIVED FROM:
peer 9.9.9.30 <-- vSmart System-IP
status C,I,R
Attributes:
originator 1.1.1.40 <-- cEdge41 System-IP
tloc 1.1.1.40, public-internet, ipsec
site-id 40
origin-proto connected
Reading this: 192.168.40.0/24 came from vSmart (9.9.9.30), but the original advertiser is cEdge41 (1.1.1.40) at site-id 40. Status C,I,R = best path chosen, installed in routing table, TLOC is resolved and reachable.
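As an added example (not code from the article or from Cisco), the following Python parses route entries in the shape shown above, decodes the status flags, and applies the C/R/I rule explained in the decoder; the two sample entries are constructed from the article's Examples 1 and 2, and their exact whitespace is an assumption.

```python
import re
# Constructed samples shaped like the article's 'show omp routes' output (values from its Examples 1 and 2; exact whitespace assumed).
LOCAL_ENTRY = """\
omp route entries for vpn 100 route 192.168.10.0/24
RECEIVED FROM:
peer 0.0.0.0
status C,Red,R
tloc 1.1.1.11, public-internet, ipsec
site-id 10
origin-proto connected
ADVERTISED TO:
peer 9.9.9.30"""
REMOTE_ENTRY = """\
omp route entries for vpn 100 route 192.168.40.0/24
RECEIVED FROM:
peer 9.9.9.30 <-- vSmart System-IP
status C,I,R
Attributes:
originator 1.1.1.40 <-- cEdge41 System-IP
tloc 1.1.1.40, public-internet, ipsec
site-id 40
origin-proto connected"""
STATUS_FLAGS = {"C": "chosen", "Red": "redistributed", "R": "resolved", "I": "installed"}

def parse_omp_route(text):
    """Return prefix, peers, status flags and attributes of one route entry."""
    m = re.search(r"for vpn (\d+) route (\S+)", text)
    entry = {"vpn": int(m.group(1)), "prefix": m.group(2),
             "received_from": [], "advertised_to": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()       # drop the inline "<--" notes
        key, _, value = line.partition(" ")
        if line.endswith(":"):                   # RECEIVED FROM / Attributes / ADVERTISED TO
            section = line[:-1].lower().replace(" ", "_")
        elif key == "peer":                      # same keyword in both peer sections
            entry[section].append(value)
        elif key == "status":
            entry["status"] = value.split(",")
        elif key == "tloc":                      # System-IP, color, encapsulation
            entry["tloc"] = tuple(p.strip() for p in value.split(","))
        elif section and value:                  # originator, site-id, origin-proto, ...
            entry[key] = value
    return entry

def is_usable(entry):
    # C + R suffice for a locally redistributed route (peer 0.0.0.0); a route learned from vSmart must also be installed (I).
    needed = {"C", "R"} if entry["received_from"] == ["0.0.0.0"] else {"C", "R", "I"}
    return needed <= set(entry["status"])
```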
6. TLOC Routes — Transport Location Identifiers
TLOC (Transport Location Identifier) routes identify the physical WAN location of a device in the transport network. TLOCs are the only IP addresses that are routable in the underlay, making them the critical bridge between the SD-WAN overlay and the physical WAN.
- Next-hop of OMP routes: every vRoute points to a TLOC as its next-hop for data plane forwarding.
- VPN tunnel endpoint: a TLOC is the WAN interface endpoint for IPsec/GRE data plane tunnels.
- NAT-aware: carries both private and public IPs (learned via STUN) for NAT traversal.
⚒ Figure 4 — TLOC Triplet Structure & Multiple Transports (figure; only the labels are recoverable)
A WAN Edge with System-IP 1.1.1.11 and 2 WAN interfaces advertises two TLOCs: TLOC #1 (Internet): System-IP 1.1.1.11, Color public-internet, Encap IPsec; TLOC #2 (MPLS): System-IP 1.1.1.11, Color mpls, Encap IPsec. Both terminate IPsec tunnels to the remote WAN Edge cEdge41.
One WAN Edge with 2 transports = 2 separate TLOC routes advertised to vSmart.
If a WAN Edge has multiple transports, a separate TLOC route is advertised for each interface. This ensures vSmart and all other WAN Edges know every available transport endpoint to build appropriate data plane tunnels.
7. TLOC Color — Public vs Private Transport
The Color attribute of the TLOC identifies the transport type and determines how data plane tunnels are built. There are 22 predefined colors — the public/private distinction controls whether the public or private IP is used when establishing tunnels.
⚒ Figure 5 — Default Full Mesh Tunnels (Per Color) (figure; only the labels are recoverable)
Sites A, B and C each have a public-internet TLOC and an mpls TLOC. Internet tunnels: A↔B, A↔C, B↔C. MPLS tunnels: A↔B, A↔C, B↔C.
By default, WAN Edges build tunnels to all sites using all available colors (full mesh per color).
Public Colors (13 total) — use the public IP for tunnel formation and cross NAT boundaries via STUN: public-internet, biz-internet, 3g, lte, blue, green, red, bronze, silver, gold, custom1, custom2, custom3
Private Colors (6 total) — use the private IP, stay within MPLS/L2VPN, and will NOT cross NAT boundaries: mpls, private1, private2, private3, private4, private5, private6
⚠️ Default Behavior Warning: By default, WAN Edges build tunnels to every site using every available color — including MPLS sites trying to tunnel to public internet sites. Use the restrict command and/or tunnel groups to control which transports connect to which.
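To make the TLOC and color rules of sections 6 and 7 concrete, here is an added Python model (not Cisco code or the article's own): it builds the per-interface TLOC triplets, picks the public or private endpoint address by color class using the article's color lists, and enumerates the tunnels a default full mesh would attempt. The addresses are constructed, and the semantics assumed for restrict (a restricted TLOC only pairs with TLOCs of the same color) are a simplification.

```python
from itertools import combinations

# Color classes as listed in the article (constructed lookup sets).
PUBLIC_COLORS = {"public-internet", "biz-internet", "3g", "lte", "blue", "green", "red",
                 "bronze", "silver", "gold", "custom1", "custom2", "custom3"}
PRIVATE_COLORS = {"mpls", "private1", "private2", "private3", "private4", "private5", "private6"}

class Tloc:
    """A TLOC triplet (System-IP, color, encap) plus the knobs that shape tunnel formation."""
    def __init__(self, system_ip, color, encap, site_id, private_ip, public_ip=None, restrict=False):
        if color not in PUBLIC_COLORS | PRIVATE_COLORS:
            raise ValueError("unknown TLOC color: " + color)
        self.key = (system_ip, color, encap)          # what the TLOC route advertises
        self.site_id, self.restrict = site_id, restrict
        # Per the article: public colors tunnel to the public (post-NAT) address learned via
        # STUN; private colors tunnel to the private address and never cross a NAT boundary.
        self.tunnel_ip = private_ip if color in PRIVATE_COLORS else (public_ip or private_ip)

    @property
    def color(self):
        return self.key[1]

def advertised_tloc_routes(edge_tlocs):
    """One TLOC route per WAN interface: an edge with two transports advertises two."""
    return [t.key for t in edge_tlocs]

def can_pair(a, b):
    """Default behaviour pairs any two TLOCs at different sites, whatever their colors;
    'restrict' on either side (assumed semantics) limits pairing to the same color."""
    if a.site_id == b.site_id:
        return False
    if (a.restrict or b.restrict) and a.color != b.color:
        return False
    return True

def tunnel_plan(fabric):
    """Every tunnel the fabric would attempt, with the endpoint address each side uses."""
    tlocs = [t for edge in fabric for t in edge]
    return [(a.key, b.key, a.tunnel_ip, b.tunnel_ip)
            for a, b in combinations(tlocs, 2) if can_pair(a, b)]

# Constructed two-site fabric (addresses invented): each edge has internet + MPLS transports.
def sample_fabric(restrict=False):
    edge11 = [Tloc("1.1.1.11", "public-internet", "ipsec", 10, "10.1.0.11", "203.0.113.11", restrict),
              Tloc("1.1.1.11", "mpls", "ipsec", 10, "172.16.10.11", None, restrict)]
    edge41 = [Tloc("1.1.1.40", "public-internet", "ipsec", 40, "10.4.0.40", "198.51.100.40", restrict),
              Tloc("1.1.1.40", "mpls", "ipsec", 40, "172.16.40.40", None, restrict)]
    return [edge11, edge41]
```

Running tunnel_plan on the sample fabric shows the warning above in miniature: without restrict the two sites attempt four tunnels, including mpls-to-internet pairs, and with restrict only the two same-color tunnels remain.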
8. TLOC Route Advertised Attributes
When a TLOC route is advertised by a WAN Edge to vSmart, it carries the following information fields that vSmart then distributes to all other WAN Edges:
9. Service Routes — Service Insertion in SD-WAN
Service routes advertise the physical location of network services — firewalls, IPS, IDS, load balancers — within the SD-WAN overlay. Once advertised via OMP, SD-WAN policy can steer matching traffic through the service before it reaches its final destination.
⚒ Figure 6 — Service Route Insertion Flow (figure; only the labels are recoverable)
Branch cEdge → traffic → Service Site (Firewall / IPS, which advertises the service) → inspected → Destination Data Center; vSmart distributes the service route.
⚙️ SD-WAN policy steers matching traffic through the service site before it reaches the destination.
Service routes enable service chaining: traffic can traverse a FW, IPS, or any processing device en route.
Supported Services
How It Works
10. Wrap-Up & Key Takeaways
OMP is the engine of the Cisco SD-WAN control plane. By unifying routing, security, policy, and service information into a single scalable protocol, OMP enables SD-WAN to be enterprise-grade, flexible, and operationally simple.
✅ Key Takeaways from This Article
- OMP is a TCP-based protocol like BGP — sessions use System-IP addressing secured via DTLS/TLS
- OMP vRoutes carry 8+ attributes (TLOC, Origin, Originator, Preference, Site ID, Service, Tag, VPN)
- TLOC = System-IP + Color + Encapsulation — the bridge between overlay and underlay. One TLOC per WAN interface.
- 22 TLOC colors — public colors use public IPs (NAT traversal), private colors use private IPs (no NAT)
- Service routes enable traffic steering through FW, IPS, and IDS before reaching the destination
- OMP scales better than IGP — WAN Edges peer only with vSmart, centralizing routing intelligence
Want to Master Cisco SD-WAN OMP?
Continue with the full series covering data plane, tunnel establishment, policies, and AAR.