What is Cisco SD-Branch?

What is SD-Branch?

Simply means you can create and build a branch with few steps from a centralized location, where you can build your branch with routers, switches, WLCs , Firewall, Win/Linux Servers, and WAN Edge routers.


Actually, all these branch gears and servers I mentioned above will be Virtual machines (VMs) we call it in this solution Virtual Network Functions (VNFs) using Cisco Enterprise Network Functions Virtualization (NFV)  

Which Hypervisor will be used?

Cisco had its own answer called Enterprise NFV Infrastructure Software (NFVIS)

But what if I would like to have Polo Alto Firewall as VM, can I?

Yes for sure, Cisco support many Thrid party VNFs , check below list that going to grow over time

Where this NFVIS software and VNFs will exist, it will need hardware for sure ?

yes we have multiple solutions to host it but the common way is hosting in an appliance called Enterprise Network Compute System (ENCS)

Add alt textNo alt text provided for this image

Ok NFVIS is software in ENCS hardware that helps me to create VMs (aka NFV) to create my Branch devices, but how I will access it to do that?

You can access it using CLI/GUI/REST API or You can use Controllers and Orchestrators such as

Cisco NSO

Cisco vManage

Cisco DNA-C

Cisco MSX

Imagine how pretty it is to use vManage to create WAN Edge VM and other required VMs remotely for your Branch

In May 2021 there is a new 2 days course for that, it is

Implementing Cisco Enterprise SD-Branch (ENSDBI)

Cisco SD-WAN Automation

Someone was asking me about Cisco SD-WAN Automation.

Mainly you use REST API to communicate with vManage.

To learn more about the Viptela API Library and Documentation, consult the product documentation:

They are also available by accessing the documentation through https://{{vmanage}}:{{port}}/apidocs.

You can even try it for free:


Log in using username devnetuser and password RE!_Yw519_27

More in blog:

The Viptela REST API calls expose the functionality of Viptela software and hardware features and of the normal operations you perform to maintain Viptela devices and the overlay network itself.

In REST API terminology, each of these features or operations is called a resource.

A resource is an object with a type, associated data, relationships to other resources, and a set of methods that operate on it.

Resources are grouped into collections.

Each collection contains a single type of resource, and so is homogeneous.

In the Viptela REST API, the collection of resources is present at the top level of the API.

The Viptela REST API resources are grouped into the following collections:

Monitoring: This collection views status, statistics, and other information about operational devices in the overlay network. Viptela devices collect monitoring information about themselves every 10 minutes. After collecting these statistics, each Viptela device places them in a zip file. The vManage server retrieves these zip files every 10 minutes or, if the vManage server cannot log in to the device, it retrieves them whenever it is next able to log in.

Real-Time Monitoring: This collection retrieves, views, and manages real-time statistics and traffic information. Real-time monitoring information is gathered in real time, approximately once per second.

Configuration: This collection creates feature and device configuration templates, retrieves the configurations in existing templates, and creates and configures vManage clusters.

Administration: This collection manages users and user groups, views audit logs, and manages the local vManage server.

Device Inventory: This collection collects device inventory information including serial numbers and system status.

Certificate Management: This collection manages certificates and security keys.

Troubleshooting Tools: This collection provides tools to help troubleshoot devices, determine the effect of policy, update software, and retrieve software version information.

Here is example I created
I used DevNet always on sandbox and I used this script which is part of it in Cisco CLN ENAUI materials.
The script will ask vManage for devices that exist in your Viptela org.
Try it by yourself. I am open to answer any question about the content of this script, But you need to ask it in the below CLN link.


Script Output:

Script can be downloaded from my github :

SD-WAN Automation can be done using REST API tools such as python requests module or Ansible uri module

There is another python module can be used called Sastre 

Sastre python module tutorial and how to install:

Sastre is available in two flavors:

Sastre: Public open-source under MIT license available on Cisco DevNet repository. Supports a limited set of tasks.

Sastre-Pro: Cisco licensed version, supporting the full feature-set. Sastre-Pro is available for customers with a CX BCS subscription and Cisco internal at Cisco eStore.

Build Your Lab for DevNet DEVCOR Study

I am using kali as my Linux Distro , Also I recommend to use Ubuntu or Debian if you do not like Kali.

My Hypervisor-type 2 is VMware® Workstation 15 Pro.

How to install Install Visual Studio Code on Kali Linux 2020

sudo apt update
sudo apt install curl gpg software-properties-common apt-transport-https
curl -sSL | sudo apt-key add
echo “deb [arch=amd64] stable main” | sudo tee /etc/apt/sources.list.d/vscode.list
sudo apt update
sudo apt install code

How to Install docker
sudo apt update
sudo apt install -y
sudo systemctl enable docker –now

How to Install ansible
sudo apt install ansible

How to Install puppet
sudo apt-get install puppet

How to Install git
sudo apt install git

Python 3 already installed in kali 2020.x to run it type python3
How to Install pip for python3

sudo apt-get install python3-pip

How to Install geany (Sometimes I used instead of VSC)
sudo apt-get install geany

VMS you might need like gitlab and MongoDB ,Neo4j ,PostgreSQL ,MySQL ,ELK ,NGINX Open Source:

You will need also GNS3 to practice with ansible

Python libraries you will work with during the course:

Devnet Sandboxes to practice with webex teams , Intent API , Meraki , etc:

Play with docker online:

UCS Platform Emulator UCSPE 4.1
You will need UCS Manager so you can communicate with it using APIs

Terraform basic files structure is required , you can use the following links:

Webex Teams and Meraki and how to ChatOps between them

You can use DevNet Sandboxs but first create account in webex Teams

Kindly note that

kubernetes and kubectl command are also required from you

For practice you can use

Graylog from

HAProxy from

Good Luck

Yasser Ramzy Auda

Cisco Firepower Terminology

Legend :
Cisco CDO = Cisco Defense Orchestrator
Cisco FTD = Cisco Firepower Threat Defense
Cisco FMC = Cisco Firepower Management Center
Cisco FDM = Cisco Firepower Device Management
Cisco FXOS = Cisco Firepower eXtensible Operating System


Cisco FTD is unified code for firewall capabilities AND IPS capabilities
Cisco FMC is your application to manage FTD devices (off-box)
Cisco FDM is your application to manage one FTD device (on-box)
Cisco FXOS is underlay OS in Cisco Firepower 4100/9300 chassis where you can install above it ASA , FTD , Radware DDoS software ( AS three physical modules in one chassis )

Cisco CDO is your cloud application to manage ASA , ASA 5500-X with FirePOWER Services , Firepower 2100/4100/9300

Cisco Firewalls that can use FTD are ASA 5500-X with FirePOWER Services , Firepower 2100/4100/9300.

Cisco FMC can manage also Firepower 7000/8000 and Firepower Services for Cisco ASA.

Cisco FXOS is the underlying operating system that manages hardware platforms like FP4100 and FP9300.

Those platforms can run different applications on them, such as FTD  ,Cisco ASA image, or even a third-party software like Radware anti-DoS.


In old days we used to have the following:
ASA is device with code for firewall capabilities only
ASDM is your application to manage ASA devices
Firepower 7000/8000 device with code for IPS capabilities only
Cisco FMC (aka FireSIGHT)  is your application to manage Firepower 7000/8000 and other Firepower devices
ASA with Firepower is device for firewall capabilities AND IPS capabilities, this code could be unified (FTD) or separate ASA code + Firepower (ips) code , in this case only Firepower code can be managed by Cisco FMC , for ASA we use ASDM.


Lets not forget Cisco firewall for ICS and IoT networks ISA 3000:
Cisco Industrial Security Appliance 3000 platforms can run either the Cisco ASA Firewall, Cisco ASA Firewall plus Sourcefire FirePOWER (ASA+FP) or Cisco Firepower Threat Defense (FTD).

Also for small business we have Meraki MX Series Firewall

Cisco Firepower Compatibility Guide