In this lesson, we are going to explore one of the design options of Cisco SD-WAN that has recently been developed to help the WAN network scale more efficiently. The Hierarchical Cisco SD-WAN architecture is geared toward organizations that have network environments operating in large geographic areas such as intercontinental networks.

What is Hierarchical Cisco SD-WAN?

Hierarchical SD-WAN is a design option of the Cisco SD-WAN overlay that provides the capability to separate the WAN network into independent regions. Similarly to the OSPF area logic, a hierarchical SD-WAN network must always have a core region, called region 0, that connects all other access regions.

Figure 1. Hierarchical Cisco SD-WAN Architecture

Figure 1 shows an example of a hierarchical SD-WAN network divided into three access regions 1 - 3 that connect to the core region 0. The vEdge routers that sit on the edge of a region and connect to the core region are called Border Routers (BR). The vEdge routers that sit within the same region and connect to other vEdges but not to region 0 are called Edge Routers (ER). 

Challenges to large-scale SD-WAN networks

Large-scale SD-WAN deployments that span enormous geographical areas experience some unique networking challenges with the overlay fabric. For example, a WAN network operating in North America, South America, and Europe faces the following challenges, graphically illustrated in Figure 2 below:

  1. Controller deployment - Since the network operates on three continents, the organization deploys a dedicated vSmart controller group on each continent. However, this means that different controller groups will manage the vEdge routers that connect the regions together. This could lead to sub-optimal inter-regional traffic paths and black holes.
  2. Disjointed WAN providers - Commonly, a WAN provider in one geographic region (for example Europe) cannot provide direct IP connectivity to another WAN provider in another region (for example South America). In such cases, the organization will have to route the inter-regional traffic using complex policies via gateway routers that have reachability to both providers. However, forcing traffic to an intermediate hop's tlocs requires a complicated control policy and makes the network susceptible to black holes in case of an intermediate hop failure.
  3. Long-distance overlay tunnels - Generally, the organization would want to strictly control the establishment of long-distance overlay tunnels. For example, an Internet tloc in Europe should not be able to form a tunnel to an Internet tloc in South America because the tunnel will not meet the organization's required performance.
  4. Different Topologies per region - Additionally, the organization will most likely want to have different overlay topologies in the different geographical regions. For example, hub-and-spoke in North America, full-mesh in North America, and partial-mesh in Europe.

Of course, complex policies that control the route and tloc advertisements can overcome all these challenges, but they quickly become a nightmare to manage.

Figure 2. Large-scale SD-WAN challenges

How does Hierarchical SD-WAN solve these challenges?

The Hierarchical SD-WAN architecture is designed to solve these scaling challenges by dividing the network into regions, implementing much the same logic that OSPF uses for scaling.

Core Region 0

One of the essential advantages of the hierarchical SD-WAN architecture is that it clearly separates the intra-regional traffic from the inter-regional traffic. The inter-regional traffic is completely handled by a set of dedicated routers called Border Routers (BRs) that create the core region 0. Similarly to OSPF, traffic originating in one region destined for another region always goes through the core region 0. This solves the use-case of disjointed service providers. The core region provides connectivity between two regions that use disjointed providers.

Separating the inter-regional traffic into an independent region allows the organization to use different service providers for long-distance WAN connectivity and apply different policies to the long-haul WAN. Nowadays, it is pretty common for organizations to use Software-defined Cloud Interconnect (SDCI) providers such as Megaport Virtual Edge and Equinix Fabric that can create end-to-end multiregional connections in minutes. 

Figure 3. Using SDCI for long-distance WAN

Another big advantage of the hierarchical architecture is the flexibility to use different service providers in each individual region. This allows the organization to select the most cost-efficient provider in each geographical area without compromising the availability and manageability of the network. Additionally, the organization can use different routing infrastructures and different traffic policies per region.

Regional vSmart Controllers

The hierarchical SD-WAN architecture allows the organization to assign different dedicated vSmart controllers to each independent region. This considerably simplifies the organization's policy design. 

Technically speaking, if a region contains only a small number of vEdge routers, a pair of controllers can be assigned to multiple regions. However, for simplicity and better manageability, it is highly recommended that dedicated vSmart controllers serve each region.

Regional Topologies

Hierarchical SD-WAN allows the organization to easily define a different topology for each independent region without the need for complex Centralized Control Policies. However, it is highly recommended that the core region uses a full mesh of tunnels between all border routers. 

Hierarchical SD-WAN Components

Now that we have briefly explored what the hierarchical SD-WAN architecture is and why organizations need it, let's dive into the details of the main architectural components. Figure 4 below will serve as a graphical example.

Figure 4. Hierarchical SD-WAN Components


A region is a logical grouping of routers and controllers that can be treated independently of all other network devices in the environment. Each organization decides the level of granularity that best suits the organization's geographical presence. For example, if the organization operates only in the USA, dividing the SD-WAN network into two access regions and a core region may be the most efficient. The access ones will most likely be East Coast and West Coast. However, if the organization operates in Canada as well, it might be necessary to create an additional region and so on. 

In the example shown in Figure 4, we have three access regions (1 through 3) and a core region 0 highlighted in green.

Core Region 0

The core region handles the WAN transport between distant geographic areas that are divided into access regions. For example, if an organizational network operates in North America and Europe, the core region will manage only the long-haul intercontinental traffic. Traffic originating in Europe destined for North America will be routed to the closest border router, which will route it through the core region and into the North America region. Notice that the traffic between two access regions will always traverse at least three overlay tunnels.
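The region rules above can be expressed as a small model that audits a tunnel list for links that bypass region 0 and confirms the three-tunnel minimum between access regions. This is an added example, not Cisco code or a vManage API; the router names, region numbers, the OBSERVED tunnel list and the assumption of a full mesh inside each region and inside the core are all constructed for illustration.

```python
from collections import deque
from itertools import combinations

# Constructed inventory: name -> (access region, role).
# "BR" = border router (also a member of core region 0), "ER" = edge router.
ROUTERS = {
    "er-eu-1": (1, "ER"), "er-eu-2": (1, "ER"), "br-eu": (1, "BR"),
    "er-na-1": (2, "ER"), "br-na": (2, "BR"),
    "er-sa-1": (3, "ER"), "br-sa": (3, "BR"),
}

# Constructed list of tunnels "seen" on the overlay, used as audit input.
OBSERVED = [("er-eu-1", "br-eu"), ("br-eu", "br-sa"),
            ("er-eu-2", "er-sa-1"), ("er-na-1", "br-sa")]

def tunnel_allowed(a, b, routers=ROUTERS):
    """True if the hierarchy permits an overlay tunnel between a and b."""
    (reg_a, role_a), (reg_b, role_b) = routers[a], routers[b]
    if reg_a == reg_b:
        return True                      # intra-region tunnel
    return role_a == role_b == "BR"      # core region 0: BR-to-BR only

def audit_tunnels(tunnels, routers=ROUTERS):
    """Return the tunnels that cross regions without going through region 0."""
    return [t for t in tunnels if not tunnel_allowed(*t, routers)]

def overlay_path(src, dst, routers=ROUTERS):
    """Shortest path over permitted tunnels (BFS), as a list of router names."""
    links = {r: set() for r in routers}
    for a, b in combinations(routers, 2):
        if tunnel_allowed(a, b, routers):
            links[a].add(b)
            links[b].add(a)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(links[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    print("violations:", audit_tunnels(OBSERVED))
    print("EU -> NA path:", overlay_path("er-eu-1", "er-na-1"))
```

The number of tunnels on a path is the number of routers in it minus one, so the inter-region path of four routers corresponds to the three overlay tunnels mentioned above.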
