Build a Full Cisco SD-WAN Lab on EVE-NG: vManage, vBond, vSmart, and cEdge from Scratch

SD-WAN is eating enterprise WANs alive — the market crossed $8B in 2026 and 60% of enterprise WAN deployments now run some form of SD-WAN. If you're a network engineer who hasn't built a working SD-WAN lab yet, you're studying theory without touching the actual control plane.

This guide walks you through deploying a fully functional Cisco SD-WAN lab on EVE-NG — vManage, vBond, vSmart, and cEdge — with every config, every gotcha, and the exact order of operations that actually works. Total time: about 3-4 hours for your first build.

Why Build This Lab?

Cisco's SD-WAN architecture has four distinct components that interact through certificate-based authentication, OMP route exchange, and IPsec data plane tunnels. You can't learn this by reading docs. The bootstrap sequence, certificate exchange, and control connection establishment have specific ordering requirements that only make sense when you see them fail.

This lab covers:

• Orchestration Plane — vBond (DTLS/TLS, NAT traversal)
• Management Plane — vManage (GUI, templates, API)
• Control Plane — vSmart (OMP, route policies)
• Data Plane — cEdge (IPsec tunnels, BFD)
• Edge Onboarding — the full zero-touch provisioning workflow

Hardware Requirements (The Real Numbers)

Every Reddit thread about SD-WAN labs devolves into "how much RAM do I actually need?" Here's the answer:

Minimum Viable Lab (4 Nodes)

Component	vCPUs	RAM	Storage	Notes
vManage	8	32 GB	200 GB	Cannot run with less — UI becomes unusable
vBond	1	2 GB	—	Lightweight orchestrator
vSmart	1	4 GB	—	Control plane processing
cEdge (CSR8000v)	1–2	4 GB	—	Per edge device
Total Minimum	12+	64 GB	500 GB SSD	Bare metal or nested ESXi

vManage's 32GB RAM is non-negotiable. I've watched people try 16GB — the UI loads but becomes unresponsive during configuration, and API calls time out. Don't waste hours debugging what's actually a resource problem.

Hardware Options That Work

1. Used Dell PowerEdge R730/R740 — 128GB RAM, dual Xeon, ~$500–$800 on eBay. Best value.
2. Custom AMD build — Ryzen 9/Threadripper, 128GB DDR4. ~$1,200–$1,500.
3. Cloud — AWS bare metal or Hetzner dedicated servers. $150–$300/month.

Preparing the SD-WAN Images for EVE-NG

Image preparation is where most people rage-quit. Here's the exact process:

Download Images from Cisco

You need four image types from software.cisco.com:

• vManage — viptela-vmanage-genericx86-64.qcow2 (version 20.15+)
• vBond — viptela-edge-genericx86-64.qcow2
• vSmart — viptela-smart-genericx86-64.qcow2
• cEdge — csr1000v-universalk9.17.15.xx.qcow2 or c8000v-universalk9.17.15.xx.qcow2

All three controllers must run the same version. Version mismatch = silent failures.

Create Image Directories on EVE-NG

mkdir -p /opt/unetlab/addons/qemu/vtmgmt-20.15.1
mkdir -p /opt/unetlab/addons/qemu/vtbond-20.15.1
mkdir -p /opt/unetlab/addons/qemu/vtsmart-20.15.1
mkdir -p /opt/unetlab/addons/qemu/csr1000v-17.15.01

Convert and Rename Images

For vManage (OVA format — needs extraction):

cd /opt/unetlab/addons/qemu/vtmgmt-20.15.1
tar -xvf viptela-vmanage-genericx86-64.ova
qemu-img convert -f vmdk -O qcow2 *.vmdk virtioa.qcow2

For vBond and vSmart (QCOW2 — just rename):

cd /opt/unetlab/addons/qemu/vtbond-20.15.1
mv viptela-edge-*.qcow2 virtioa.qcow2

cd /opt/unetlab/addons/qemu/vtsmart-20.15.1
mv viptela-smart-*.qcow2 virtioa.qcow2

For cEdge:

cd /opt/unetlab/addons/qemu/csr1000v-17.15.01
mv csr1000v-universalk9*.qcow2 virtioa.qcow2

Fix Permissions (Don't Skip This)

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

This step is often forgotten and causes "image not found" errors in the EVE-NG UI.

Deploying the Topology

Network Design

                    [Internet/Transport]
                          |
         +--------+------+------+--------+
         |        |             |         |
     [vBond]  [vSmart]     [cEdge-1]  [cEdge-2]
         |        |             |         |
         +--------+------+------+---------+
                         |
                     [vManage]
                    (OOB Mgmt)

Create four cloud networks in EVE-NG:

• Management — bridges to your host network for GUI access
• Transport-Internet — simulates internet WAN
• Transport-MPLS — simulates private MPLS WAN (optional but recommended)
• Service-LAN — service-side user networks

Node Configuration

Node	Image	vCPUs	RAM	Interfaces
vManage	vtmgmt-20.15.1	8	32768 MB	eth0 (mgmt), eth1 (transport)
vBond	vtbond-20.15.1	1	2048 MB	eth0 (transport), eth1 (mgmt)
vSmart	vtsmart-20.15.1	1	4096 MB	eth0 (transport), eth1 (mgmt)
cEdge-1	csr1000v-17.15.01	2	4096 MB	Gi1 (transport), Gi2 (service)
cEdge-2	csr1000v-17.15.01	2	4096 MB	Gi1 (transport), Gi2 (service)

Start all nodes — vManage takes 10–15 minutes to fully boot on first launch.

Bootstrapping the Controllers

This is the most error-prone phase. Follow this exact order.

1. vManage — Management Plane

system
 host-name             vManage
 system-ip             1.1.1.1
 site-id               1000
 organization-name     "CCIE-Lab"
 vbond 10.0.0.11
!
vpn 0
 interface eth1
  ip address 10.0.0.10/24
  tunnel-interface
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.0.1
!
vpn 512
 interface eth0
  ip address 192.168.1.10/24
  no shutdown
 !

2. vBond — Orchestration Plane

vBond is the first contact point for all SD-WAN devices. It handles DTLS/TLS negotiation and NAT traversal.

system
 host-name             vBond
 system-ip             1.1.1.11
 site-id               1000
 organization-name     "CCIE-Lab"
 vbond 10.0.0.11 local vbond-only
!
vpn 0
 interface ge0/0
  ip address 10.0.0.11/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.0.1
!

3. vSmart — Control Plane

vSmart runs OMP (Overlay Management Protocol) — the routing brain of the SD-WAN fabric.

system
 host-name             vSmart
 system-ip             1.1.1.12
 site-id               1000
 organization-name     "CCIE-Lab"
 vbond 10.0.0.11
!
vpn 0
 interface eth0
  ip address 10.0.0.12/24
  tunnel-interface
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.0.1
!

4. Certificate Exchange (The Step Most Guides Skip)

This is where most people get stuck. SD-WAN controllers authenticate each other using certificates:

1. Access vManage GUI at https://192.168.1.10:8443
2. Administration → Settings → Set Organization Name (must match all nodes exactly)
3. Set the vBond address (10.0.0.11)
4. Administration → Settings → Controller Certificate Authorization → select "Enterprise Root Certificate"
5. Generate and install the root CA on all controllers

Without this step, DTLS/TLS tunnels won't form and control connections fail silently. No error message — just nothing happens.

Onboarding cEdge Devices

Configure cEdge Initial Settings

system
 host-name             cEdge-1
 system-ip             1.1.1.21
 site-id               100
 organization-name     "CCIE-Lab"
 vbond 10.0.0.11
!
vpn 0
 interface GigabitEthernet1
  ip address 10.0.0.21/24
  tunnel-interface
   encapsulation ipsec
   color default
   allow-service all
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.0.1
!
vpn 1
 interface GigabitEthernet2
  ip address 172.16.1.1/24
  no shutdown
 !
!

Add Device to vManage

1. In vManage → Configuration → Devices
2. Add the cEdge's chassis number and serial number (show sdwan certificate serial)
3. Upload or sync the device list
4. cEdge authenticates through vBond → establishes control connections to vSmart

Verify Everything Works

show sdwan control connections
show sdwan omp peers
show sdwan bfd sessions

You should see:

• DTLS tunnels to vManage, vBond, and vSmart
• OMP peering with vSmart
• BFD sessions to other cEdge devices

If any of these are missing, check: organization name consistency, certificate installation, and transport network reachability.

What to Practice After the Lab Is Running

OMP Route Manipulation

• Advertise service-side routes via OMP
• Apply control policies on vSmart to filter or manipulate routes
• Practice path selection with prefer-color and restrict
• Understand OMP vs. BGP route redistribution at the edge

Data Policies and Application-Aware Routing

• Create data policies for traffic steering based on DSCP, application, or source/destination
• Configure SLA classes (latency, jitter, loss thresholds)
• Practice centralized vs. localized data policies
• Understand BFD probe mechanics

Template-Based Deployment

• Create feature templates in vManage for consistent edge configuration
• Practice device templates that combine feature templates
• Push config changes from vManage and verify on cEdge
• Explore configuration groups (new in 20.14+)

EVE-NG vs CML: Quick Comparison

Factor	EVE-NG	CML Personal
Setup time	3–4 hours	~20 minutes
Cost	Free (Community) / $100 (Pro)	$199/year
Flexibility	Full control, any image version	Limited to included images
Learning value	High — you learn the bootstrap	Moderate — automated setup

My take: Build the EVE-NG lab at least once to understand the bootstrap process and certificate exchange. Then use CML for rapid iteration on specific scenarios.

FAQ

What are the minimum hardware requirements?
64GB RAM and 500GB SSD. vManage alone needs 32GB RAM and 200GB storage.

Which software version?
Use 20.15+ for controllers, IOS-XE 17.15 for cEdge. Version consistency across controllers is mandatory.

Do I need a Cisco SD-WAN license?
For EVE-NG, you need image downloads from Cisco's portal (requires entitlements). CML Personal includes SD-WAN images with no separate license.

How long does setup take?
2–4 hours for initial setup including image prep. Certificate exchange and edge onboarding add another 1–2 hours. After that, the lab is reusable.

---

Originally published on firstpasslab.com.

---

AI Disclosure: This article was adapted from the original with AI assistance. All technical content, configurations, and recommendations have been verified by network engineers.