Study Guide: Chapter 12 — Cisco SD-WAN (Catalyst SD-WAN) API Automation

Pre-Check — Architecture & API Overview

1. Which SD-WAN controller is the single target for all northbound REST API automation?

A. vBond B. vSmart C. vManage D. WAN Edge (cEdge)

2. What is a TLOC in Cisco SD-WAN?

A. A virtual routing table stored on vSmart B. A three-tuple of (system-IP, color, encapsulation) identifying a transport endpoint C. The TCP session between vManage and the WAN Edge D. A VPN tunnel identifier used only by BFD

3. What is the base URL path prefix for all vManage REST API calls?

A. /api/v1 B. /rest/sdwan C. /dataservice D. /vmanage/api

4. Which header must be included in all write API requests to vManage 19.2 and later?

A. Authorization: Bearer <token> B. X-XSRF-TOKEN C. X-API-Key D. X-Cisco-Meraki-API-Key

5. When a long-running API operation (like template attach) is POSTed to vManage, what does the API immediately return?

A. The complete rendered device configuration B. HTTP 202 with no body C. An asynchronous action ID to poll for completion D. A list of affected device system IPs

12.1.1 The Cisco Catalyst SD-WAN Fabric

Cisco Catalyst SD-WAN separates the WAN into distinct functional planes, each managed by a dedicated controller:

Plane	Controller	Role
Management	vManage (SD-WAN Manager)	Central GUI/API — all automation targets this controller
Control	vSmart (SD-WAN Controller)	Distributes routing, TLOC, and policy to all devices via OMP
Orchestration	vBond (SD-WAN Validator)	NAT traversal broker; authenticates devices during onboarding
Data	vEdge / cEdge (WAN Edge)	Forwards user traffic; runs BFD and OMP

The data-plane fabric is built from encrypted IPsec tunnels. Each endpoint is identified by a TLOC — a three-tuple of (system-IP, color, encapsulation). Colors represent logical transport labels: mpls, biz-internet, lte, etc.

OMP (Overlay Management Protocol) — TCP-based control-plane protocol (similar to BGP) running between WAN Edge devices and vSmart. Distributes routes, TLOCs, and service chain reachability.
BFD (Bidirectional Forwarding Detection) — Runs between every WAN Edge pair across each transport color. Detects data-plane tunnel liveness at subsecond intervals.

12.1.2 The vManage REST API & Authentication

Every vManage instance ships with a Swagger UI at https://<vManage-IP>:8443/apidocs. All API requests target paths under /dataservice. Authentication requires two steps:

Session Cookie — POST credentials to /j_security_check to receive a JSESSIONID cookie.
CSRF Token — GET /dataservice/client/token and set the result as the X-XSRF-TOKEN request header for all subsequent write operations.

sequenceDiagram participant Client as Python Client participant vM as vManage API Client->>vM: POST /j_security_check (j_username, j_password) vM-->>Client: HTTP 200 + Set-Cookie: JSESSIONID Client->>vM: GET /dataservice/client/token (Cookie: JSESSIONID) vM-->>Client: HTTP 200 + X-XSRF-TOKEN value Note over Client: session.headers["X-XSRF-TOKEN"] = token Client->>vM: GET/POST /dataservice/endpoint (Cookie + X-XSRF-TOKEN) vM-->>Client: JSON response data

vManage Authentication Flow

POST /j_security_check — send j_username + j_password as form data

← Response: HTTP 200 + Set-Cookie: JSESSIONID

GET /dataservice/client/token — with JSESSIONID cookie

← Response: plain-text X-XSRF-TOKEN value

All subsequent calls: Cookie + X-XSRF-TOKEN header + Content-Type: application/json

API Response Patterns

Pattern	When Used	How to Handle
JSON data block	GET list/detail operations	Parse `response.json()["data"]`
Object ID	POST creating new objects	Parse `response.json()["policyId"]`, `["listId"]`, etc.
Async task ID	Template attach, policy activate	Poll `GET /device/action/status/<id>` until done or failure
Empty body (HTTP 200)	Update/delete operations	Check `response.status_code == 200`

Key Points — Architecture & API Overview

vManage is the single northbound API target for all SD-WAN automation; vSmart, vBond, and WAN Edges receive configuration indirectly.
Authentication is a two-step process: session cookie via /j_security_check, then CSRF token via /dataservice/client/token.
All API paths are rooted at /dataservice; the Swagger UI at /apidocs provides interactive documentation.
Long-running operations return an async action ID; poll GET /device/action/status/<id> until status is done or failure.
TLOCs uniquely identify transport paths as (system-IP, color, encapsulation); BFD detects path liveness while OMP distributes control-plane state.

Post-Check — Architecture & API Overview

1. Which SD-WAN controller is the single target for all northbound REST API automation?

A. vBond B. vSmart C. vManage D. WAN Edge (cEdge)

2. What is a TLOC in Cisco SD-WAN?

3. What is the base URL path prefix for all vManage REST API calls?

A. /api/v1 B. /rest/sdwan C. /dataservice D. /vmanage/api

4. Which header must be included in all write API requests to vManage 19.2 and later?

A. Authorization: Bearer <token> B. X-XSRF-TOKEN C. X-API-Key D. X-Cisco-Meraki-API-Key

5. When a long-running API operation (like template attach) is POSTed to vManage, what does the API immediately return?

A. The complete rendered device configuration B. HTTP 202 with no body C. An asynchronous action ID to poll for completion D. A list of affected device system IPs

12.2 Device Template Management

Pre-Check — Device Template Management

6. What is the relationship between feature templates and device templates in Cisco SD-WAN?

A. Feature templates are applied directly to devices; device templates are backup copies B. Feature templates are building blocks for individual features; device templates assemble them into a full device configuration C. Device templates define a single feature; feature templates combine multiple device configs D. They are interchangeable names for the same object type

7. Which API endpoint is used to initiate a device template attachment?

A. POST /template/device/config/apply B. POST /template/device/config/attachfeature C. PUT /template/device/attach D. POST /device/template/push

8. In the template attachment workflow, what is the purpose of the first API call to /template/device/config/input?

A. To push the template configuration directly to the device B. To delete the old template before applying the new one C. To retrieve the variable input schema that the device needs filled in for the template D. To validate that the template syntax is correct

12.2.1 Feature Templates vs. Device Templates

Feature templates define a single feature's configuration — a VPN interface, BGP routing, NTP settings — with parameterized fields. Some values are hardcoded; others are marked as device-specific variables (e.g., vipType: "variableName"). Device templates assemble multiple feature templates into a complete device configuration blueprint.

graph TD FT1[Feature Template: cisco_system] --> DT FT2[Feature Template: cisco_vpn VPN 0] --> DT FT3[Feature Template: cisco_vpn_interface] --> FT2 FT4[Feature Template: cisco_vpn VPN 512] --> DT FT5[Feature Template: cisco_ntp] --> DT DT[Device Template: Branch-C1111-Standard] DT -->|attach with variables| D1[Branch Site 1] DT -->|attach with variables| D2[Branch Site 2] DT -->|attach with variables| D3[Branch Site N] style DT fill:#0055aa,color:#ffffff style FT1 fill:#0077cc,color:#ffffff style FT2 fill:#0077cc,color:#ffffff style FT3 fill:#0077cc,color:#ffffff style FT4 fill:#0077cc,color:#ffffff style FT5 fill:#0077cc,color:#ffffff

12.2.2–12.2.3 Template API Operations

Feature templates are managed at /template/feature; device templates at /template/device. Both use the same CRUD pattern: GET to list, POST to create, PUT to update, DELETE to remove. Creating a feature template payload requires templateType (e.g., cisco_vpn_interface), deviceType, and a templateDefinition object where each field specifies its vipType as either constant or variableName. Device templates reference previously created feature template IDs inside generalTemplates (with optional subTemplates for nested components).

12.2.4 Template Attachment Workflow

Template attachment is a three-phase asynchronous transaction:

flowchart TD A([Start: Select Template + Target Devices]) --> B B["Phase 1 — Generate Variables\nPOST /template/device/config/input\nreturns variable schema per device"] B --> C["Fill in device-specific values\nsystem-IP, hostname, interface IPs, site-ID"] C --> D["Phase 2 — Preview Configuration\nPOST /template/device/config/preview\nreturns rendered CLI config"] D --> E{Config correct?} E -- No --> C E -- Yes --> F["Phase 3 — Attach Template\nPOST /template/device/config/attachfeature\nreturns action_id"] F --> G["Poll Task Status\nGET /device/action/status/{action_id}\nevery 10 seconds"] G --> H{status?} H -- done --> I([Attachment successful]) H -- failure --> J["Log error\nCall detachfeature to rollback"] H -- in-progress --> G

If attachment fails, use POST /template/device/config/detachfeature to return the device to CLI mode. This is the rollback mechanism.

Key Points — Device Template Management

Feature templates define single-feature config components; device templates compose them into full device blueprints — similar to IKEA parts vs. assembly instructions.
Variable substitution (vipType: "variableName") lets one device template serve many sites with different IP addresses and hostnames.
Template attachment is a three-phase async process: /input (get variable schema) → /preview (validate rendered config) → /attachfeature (execute).
Always poll GET /device/action/status/<action_id> to confirm completion; do not assume the task succeeded after the POST returns.
Use /detachfeature as the rollback mechanism to return devices to CLI mode after a failed attachment.

Post-Check — Device Template Management

6. What is the relationship between feature templates and device templates in Cisco SD-WAN?

7. Which API endpoint is used to initiate a device template attachment?

A. POST /template/device/config/apply B. POST /template/device/config/attachfeature C. PUT /template/device/attach D. POST /device/template/push

8. In the template attachment workflow, what is the purpose of the first API call to /template/device/config/input?

12.3 Policy Automation

12.3.1 Centralized vs. Localized Policies

Dimension	Centralized Policy (vSmart)	Localized Policy (vEdge/cEdge)
Enforced by	vSmart controllers	Individual WAN Edge routers
Scope	Fabric-wide: all devices in listed sites/VPNs	Per-device
Use cases	AAR, traffic engineering, control/data policies	QoS, ACLs, route policies, ZBF
API family	`/template/policy/vsmart`	`/template/policy/vedge`

12.3.2 Policy Building Blocks and AAR

A centralized policy is built in a layered hierarchy — each layer produces an ID referenced by the next:

Centralized Policy Build Order

Step 1: Policy Lists SLA classes, site lists, VPN lists, app lists
/template/policy/list/sla /template/policy/list/site

Step 2: Policy Definitions AAR rules reference List IDs
/template/policy/definition/approute

Step 3: Policy Assembly vSmart policy references Definition IDs + site/VPN scope
POST /template/policy/vsmart

Step 4: Activation Push to vSmart controllers; poll action ID
POST /template/policy/vsmart/activate/<id>?confirm=true

flowchart TD L1["Policy Lists\n/template/policy/list/sla\n/template/policy/list/site\n/template/policy/list/vpn"] L1 --> L2["Policy Definitions\n/template/policy/definition/approute\n(AAR sequences referencing List IDs)"] L2 --> L3["Policy Assembly\nPOST /template/policy/vsmart\nReferences definition IDs + site/VPN scope"] L3 --> L4["Policy Activation\nPOST /template/policy/vsmart/activate/{id}?confirm=true"] L4 --> L5["Poll Activation Task\nGET /device/action/status/{action_id}"] L5 --> L6{Done?} L6 -- Yes --> L7([Policy ACTIVE on vSmart]) L6 -- Failure --> L8([Deactivate + review]) L6 -- No --> L5 style L1 fill:#1a7a1a,color:#ffffff style L2 fill:#1a7a1a,color:#ffffff style L3 fill:#0055aa,color:#ffffff style L4 fill:#0055aa,color:#ffffff

12.3.3 AAR Policy Structure

An AAR policy definition (type: "appRoute") contains sequences. Each sequence has a match (on an app list) and actions (set preferred color, apply SLA class with fallbackToBestPath). The SLA class definition specifies latency, loss, and jitter thresholds.

12.3.4 Modifying Active AAR Policies

AAR policies can be updated in-place without recreation: GET the current definition, modify the preferredColor parameter in the target sequence, then PUT the updated object back. This is the GET-modify-PUT pattern — no deactivation required for definition edits.

Complete Policy Lifecycle Reference

Operation	Method	Endpoint
Create centralized policy	POST	/template/policy/vsmart
Activate centralized policy	POST	/template/policy/vsmart/activate/<id>?confirm=true
Deactivate centralized policy	POST	/template/policy/vsmart/deactivate/<id>?confirm=true
Create SLA class	POST	/template/policy/list/sla
Create site list	POST	/template/policy/list/site
Create VPN list	POST	/template/policy/list/vpn
Create AAR definition	POST	/template/policy/definition/approute
Update AAR definition	PUT	/template/policy/definition/approute/<id>

12.4 SD-WAN Monitoring and Operations

Pre-Check — Monitoring & Operations

12. Which endpoint provides the fastest single-call composite health summary for a WAN Edge device?

A. GET /device/bfd/sessions B. GET /device/counters?deviceId=<system-ip> C. GET /device/system/status D. POST /statistics/approute/fec/aggregation

13. BFD sessions in SD-WAN are established between which pair of components?

A. vManage and vSmart B. vBond and WAN Edge routers C. WAN Edge routers across each transport color (data plane) D. vSmart and vBond controllers

14. The vQoE score is a composite metric combining which three measurements?

A. Bandwidth, CPU utilization, and packet drops B. Latency, loss, and jitter C. BFD up sessions, OMP peers, and tunnel count D. Throughput, retransmits, and RTT

15. Which alarm type indicates that the control-plane overlay routing protocol session to vSmart has dropped?

A. BFD_TLOC_DOWN B. TUNNEL_DOWN C. OMP_PEER_DOWN D. SLA_VIOLATION

12.4.1–12.4.2 Monitoring Architecture and Quick Health Check

The vManage monitoring API supports two access patterns:

Real-time device queries — GET with a deviceId query parameter (the device's system-IP). Returns live operational state.
Statistics aggregation queries — POST with a structured query payload to the statistics endpoints. Queries the vManage time-series database for historical metrics.

The fastest health check is GET /device/counters?deviceId=<system-ip>, which returns a composite summary including bfdSessionsUp, bfdSessionsDown, ompPeersUp, ompPeersDown, controlConnections, and certValidationStatus.

12.4.3–12.4.5 BFD, OMP, and Tunnel Monitoring

Endpoint	Data Returned
`GET /device/bfd/sessions?deviceId=<ip>`	Per-session state, peer IPs, TLOC colors, uptime
`GET /device/bfd/history?deviceId=<ip>`	State transitions — use for flap detection
`GET /device/omp/peers?deviceId=<ip>`	OMP peer sessions, state, routes/TLOCs exchanged
`GET /device/omp/routes/received?deviceId=<ip>`	Routes received from vSmart
`GET /device/omp/tlocs/received?deviceId=<ip>`	TLOC entries received via OMP
`GET /device/tunnel/statistics?deviceId=<ip>`	Per-tunnel latency, loss%, jitter
`GET /device/control/connections?deviceId=<ip>`	Active control-plane connections (vManage, vSmart, vBond)

12.4.6–12.4.7 AAR Statistics and Alarm Management

For trend analysis, use POST /statistics/approute/fec/aggregation with a structured query payload specifying time range, aggregation fields, histogram interval, and metrics (latency avg, loss_percentage avg, jitter avg, vqoe_score avg). The vqoe_score (0–10) is a composite application experience indicator.

Alarms follow a four-tier severity model: Critical (I), Major (II), Medium (III), Minor (IV). Query with POST /alarms using a structured JSON body with time-range and severity filter rules. Common alarm types:

BFD_TLOC_DOWN — data-plane tunnel lost
OMP_PEER_DOWN — control-plane OMP session dropped
SLA_VIOLATION — path metrics exceeded SLA thresholds
TUNNEL_DOWN — IPsec tunnel formation failure

12.4.8 Webhooks for Real-Time Alarm Delivery

For real-time incident response, configure vManage webhooks under Administration → Settings → Alarm Notifications. vManage POSTs alarm events to your URL when they fire. The target URL must be reachable from vManage's transport interface (VPN 0) on port 443 and must respond with HTTP 200.

flowchart TD A([Start Health Report]) --> B["GET /device — full device inventory"] B --> C["Filter: reachability == reachable"] C --> D{For each device} D --> E["GET /device/counters?deviceId={system_ip}"] E --> F{bfdSessionsDown > 0?} F -- Yes --> G["WARN: BFD sessions down"] F -- No --> H{ompPeersDown > 0?} G --> H H -- Yes --> I["CRITICAL: OMP peers down"] H -- No --> J{More devices?} I --> J J -- Yes --> D J -- No --> K["POST /alarms — severity Critical/Major, last 1 hour"] K --> L{Alarms found?} L -- Yes --> M["ALERT: N critical/major alarms"] L -- No --> N["Print all collected issues"] M --> N N --> O([Report complete])

Key Points — Monitoring & Operations

GET /device/counters is the fastest path to per-device health: it returns BFD sessions up/down, OMP peers up/down, and control connection count in one call.
BFD runs between WAN Edge routers across each transport color to detect data-plane tunnel liveness; /device/bfd/history is used for flap detection.
OMP monitoring (/device/omp/peers) reveals control-plane health; if OMP peers drop, the device loses routing knowledge from vSmart.
The statistics aggregation API uses POST with structured query payloads for time-series analysis; vQoE score (0–10) aggregates latency + loss + jitter into a single SLA indicator.
Supplement alarm polling (POST /alarms) with vManage webhooks for real-time push notifications to external incident management systems.

Post-Check — Monitoring & Operations