3.2 Control Plane Security
| Item |
Details |
| Document ID |
SDWAN-SEC-3.2 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Abhavtech Network Architecture Team |
| Classification |
Internal Use |
Executive Summary
Control plane security forms the foundation of SD-WAN trustworthiness. This section details the comprehensive security mechanisms protecting Abhavtech's SD-WAN control plane including certificate-based authentication, DTLS encryption, OMP security, and controller hardening. All control plane communications are encrypted and mutually authenticated using X.509 certificates issued by a hierarchical PKI infrastructure.
1. Control Plane Security Architecture
1.1 Control Plane Overview
+------------------------------------------------------------------+
| CONTROL PLANE SECURITY |
+------------------------------------------------------------------+
| |
| +------------------+ DTLS 1.2 +------------------+ |
| | SD-WAN Manager |<--------------->| vSmart | |
| | (vManage) | Port 8443 | Controller | |
| +------------------+ +------------------+ |
| ^ ^ |
| | HTTPS 443 | DTLS 12346 |
| | TLS 1.2 | OMP Protocol |
| v v |
| +------------------+ DTLS 12346 +------------------+ |
| | vBond |<--------------->| WAN Edge | |
| | Orchestrator | Orchestration | Router | |
| +------------------+ +------------------+ |
| |
| Security Mechanisms: |
| - Mutual TLS/DTLS Authentication |
| - X.509 Certificate Validation |
| - Certificate Revocation (OCSP/CRL) |
| - Perfect Forward Secrecy |
| - Replay Protection |
+------------------------------------------------------------------+
1.2 Control Plane Communication Matrix
| Source |
Destination |
Protocol |
Port |
Security |
Purpose |
| WAN Edge |
vBond |
DTLS |
12346 |
Certificate |
Discovery/auth |
| WAN Edge |
vSmart |
DTLS |
12346 |
Certificate |
OMP peering |
| WAN Edge |
vManage |
HTTPS |
8443 |
Certificate |
Config/telemetry |
| vSmart |
vSmart |
DTLS |
12346 |
Certificate |
Inter-controller |
| vManage |
vSmart |
DTLS |
8443 |
Certificate |
Policy push |
| vManage |
vBond |
HTTPS |
443 |
Certificate |
Orchestration |
| Admin |
vManage |
HTTPS |
443 |
SAML/MFA |
Management |
1.3 Security Protocol Stack
+------------------------------------------------------------------+
| PROTOCOL SECURITY STACK |
+------------------------------------------------------------------+
| |
| Layer 7 (Application): |
| +----------------------------------------------------------+ |
| | OMP Protocol | REST API | NETCONF | CLI (SSH) | |
| +----------------------------------------------------------+ |
| | |
| Layer 6 (Presentation): | |
| +----------------------------------------------------------+ |
| | JSON/XML Encoding | Certificate Validation | |
| +----------------------------------------------------------+ |
| | |
| Layer 5 (Session): | |
| +----------------------------------------------------------+ |
| | DTLS 1.2 Session | TLS 1.2 Session | Session Tickets | |
| +----------------------------------------------------------+ |
| | |
| Layer 4 (Transport): | |
| +----------------------------------------------------------+ |
| | UDP (OMP/DTLS) | TCP (HTTPS/SSH) | Port Security | |
| +----------------------------------------------------------+ |
| | |
| Layer 3 (Network): | |
| +----------------------------------------------------------+ |
| | IPv4/IPv6 | VPN 0 (Transport) | ACL Protection | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
2. Certificate-Based Authentication
2.1 PKI Architecture
+------------------------------------------------------------------+
| CERTIFICATE HIERARCHY |
+------------------------------------------------------------------+
| |
| +---------------------+ |
| | Cisco Root CA | |
| | (Built-in Trust) | |
| +----------+----------+ |
| | |
| +-------------------+-------------------+ |
| | | |
| +-------v-------+ +---------v---------+ |
| | Cisco vManage | | Enterprise PKI | |
| | Signing CA | | (Abhavtech CA) | |
| +-------+-------+ +---------+---------+ |
| | | |
| +-------v-------+ +---------v---------+ |
| | Controller | | Custom WAN Edge | |
| | Certificates | | Certificates | |
| +---------------+ +-------------------+ |
| |
| Certificate Types: |
| - Root CA: Cisco (built-in) + Enterprise CA |
| - Controller: vManage/vSmart/vBond signed certs |
| - WAN Edge: Device identity certificates |
| - Enterprise CA: Optional for custom certificates |
+------------------------------------------------------------------+
2.2 Certificate Types and Usage
| Certificate Type |
Issued By |
Usage |
Validity |
Rotation |
| Root CA |
Cisco |
Trust anchor |
10 years |
N/A |
| Controller Identity |
vManage CA |
Controller auth |
10 years |
Manual |
| WAN Edge Identity |
vManage CA |
Device auth |
1 year |
Automatic |
| Enterprise CA |
Internal PKI |
Custom trust |
5 years |
Annual |
| Admin SAML |
IdP (Azure AD) |
User auth |
8 hours |
Session |
| API Token |
vManage |
Automation |
24 hours |
Per-request |
2.3 Certificate Configuration
vManage Enterprise CA Integration
! Enterprise CA Certificate Installation
! Step 1: Upload Enterprise Root CA
! vManage UI: Administration > Settings > Enterprise Root CA
! Step 2: Generate CSR for vManage
sdwan
certificate generate csr
common-name "vmanage-cluster.abhavtech.com"
organization "Abhavtech"
organizational-unit "Network Operations"
locality "Mumbai"
state "Maharashtra"
country "IN"
email "netops@abhavtech.com"
validity 3650
key-size 2048
! Step 3: Install signed certificate
sdwan
certificate install /home/admin/vmanage-signed.pem
! Verify certificate installation
show sdwan certificate installed
WAN Edge Certificate Configuration
! WAN Edge Device Certificate (Automatic via vManage)
! Configuration pushed during ZTP/onboarding
sdwan
certificate
device-certificate generate
organization-name "Abhavtech"
organization-unit "SD-WAN"
validity 365
!
!
! Verify WAN Edge certificate
show sdwan certificate serial
show sdwan certificate root-ca-cert
show sdwan certificate installed
2.4 Certificate Validation Process
+------------------------------------------------------------------+
| CERTIFICATE VALIDATION WORKFLOW |
+------------------------------------------------------------------+
| |
| WAN Edge vBond vManage |
| | | | |
| |-- 1. DTLS Hello -------->| | |
| | (Client Certificate) | | |
| | | | |
| |<-- 2. Server Hello ------| | |
| | (Server Certificate) | | |
| | | | |
| | 3. Certificate Chain | | |
| | Validation | | |
| | - Signature verify | | |
| | - Validity period | | |
| | - Revocation check | | |
| | | | |
| |-- 4. Key Exchange ------>| | |
| | (ECDHE for PFS) | | |
| | | | |
| |<-- 5. vSmart List -------| | |
| | | | |
| | | | |
| |--------------------------- 6. OMP to vSmart ------------->|
| | | (Authenticated) |
| | | | |
| Certificate Checks: Certificate Checks: |
| - CN matches expected - Serial in whitelist |
| - Not expired - Organization valid |
| - Not revoked (CRL/OCSP) - Root CA trusted |
| - Valid chain - Device authorized |
+------------------------------------------------------------------+
2.5 Certificate Revocation
! Certificate Revocation Configuration
! vManage: Configuration > Certificates > Enterprise Certificate
! Option 1: CRL Distribution Point
crypto pki trustpoint ABHAVTECH-CA
enrollment url http://pki.abhavtech.com/certsrv
revocation-check crl
crl cache delete-after 60
crl-cache query url http://pki.abhavtech.com/crl/abhavtech.crl
! Option 2: OCSP Responder
crypto pki trustpoint ABHAVTECH-CA
revocation-check ocsp
ocsp url http://ocsp.abhavtech.com
! Combined with fallback
crypto pki trustpoint ABHAVTECH-CA
revocation-check crl ocsp
! Verify revocation status
show crypto pki certificates
show crypto pki crl
3. DTLS Security
3.1 DTLS Configuration
DTLS (Datagram Transport Layer Security) protects all control plane UDP communications.
+------------------------------------------------------------------+
| DTLS PARAMETERS |
+------------------------------------------------------------------+
| |
| Parameter | Value | Description |
| -----------------------+----------------------+-----------------|
| Protocol Version | DTLS 1.2 | TLS over UDP |
| Cipher Suite | AES-256-GCM-SHA384 | Encryption |
| Key Exchange | ECDHE-RSA-AES256 | PFS enabled |
| Certificate | RSA-2048 / ECDSA-256 | Authentication |
| Session Timeout | 86400 seconds | 24 hours |
| Handshake Timeout | 60 seconds | Initial setup |
| Anti-Replay Window | 64 packets | Replay protect |
| Rekey Interval | 3600 seconds | Hourly rekey |
| |
+------------------------------------------------------------------+
3.2 DTLS Connection Security
! WAN Edge DTLS Configuration
! Automatically configured via feature template
sdwan
security
tls-port 12346
tls-version TLSv1.2
cipher-suites
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
!
!
! Verify DTLS connections
show sdwan control connections
show sdwan control local-properties
show sdwan control connection-history
3.3 DTLS Session States
| State |
Description |
Duration |
Action on Failure |
| Initiating |
Starting handshake |
0-10s |
Retry 3x |
| Connecting |
Certificate exchange |
10-30s |
Retry with backoff |
| Handshake |
Key negotiation |
30-60s |
Alert, failover |
| Connected |
Established session |
Indefinite |
Monitor |
| Rekeying |
Session key refresh |
1-5s |
Transparent |
| Challenged |
Validation required |
0-30s |
Re-authenticate |
| Tear-down |
Session termination |
0-5s |
Cleanup |
4. OMP Protocol Security
4.1 OMP Security Overview
+------------------------------------------------------------------+
| OMP SECURITY ARCHITECTURE |
+------------------------------------------------------------------+
| |
| vSmart Controller |
| +---------------------+ |
| | OMP Route Table | |
| | +-------------+ | |
| | | OMP Routes | | |
| | | TLOC Info | | |
| | | Service Info| | |
| | | Policy | | |
| | +-------------+ | |
| +----------+----------+ |
| | |
| OMP over DTLS | OMP over DTLS |
| (Encrypted) | (Encrypted) |
| | |
| +----------------+ | +----------------+ |
| | WAN Edge 1 |<--------+------->| WAN Edge 2 | |
| | | | | |
| | OMP Attributes:| | OMP Attributes:| |
| | - Origin | | - Origin | |
| | - Origin-Proto | | - Origin-Proto | |
| | - Preference | | - Preference | |
| | - Site-ID | | - Site-ID | |
| | - TLOC | | - TLOC | |
| +----------------+ +----------------+ |
| |
| Security Features: |
| - All OMP runs over authenticated DTLS |
| - Route origin validation via site-ID |
| - TLOC authenticity via system-IP |
| - Policy integrity via controller signature |
+------------------------------------------------------------------+
4.2 OMP Authentication
! OMP graceful restart and timers
sdwan
omp
graceful-restart
graceful-restart-timer 43200
send-path-limit 4
ecmp-limit 4
shutdown false
timers
holdtime 60
advertisement-interval 1
graceful-restart-timer 43200
eor-timer 300
!
!
! OMP Authentication (Implicit via DTLS)
! No separate OMP authentication needed - secured by DTLS session
! Verify OMP security
show sdwan omp peers
show sdwan omp summary
show sdwan omp tlocs
4.3 OMP Route Security
| Security Feature |
Implementation |
Purpose |
| Route Authentication |
DTLS session |
Verify route source |
| Route Integrity |
HMAC-SHA256 |
Detect modification |
| Route Origin |
Site-ID binding |
Prevent spoofing |
| TLOC Binding |
System-IP lock |
Endpoint validation |
| Policy Signing |
Controller cert |
Policy authenticity |
| Prefix Filtering |
Control policy |
Route injection prevent |
4.4 OMP Security Policies
! Control Policy for Route Security
policy
control-policy ROUTE-SECURITY
sequence 10
match route
site-list TRUSTED-SITES
!
action accept
!
sequence 20
match route
prefix-list INFRASTRUCTURE
!
action accept
set
preference 1000
!
!
sequence 30
action reject
!
default-action reject
!
! Site List for Trusted Sites
policy
lists
site-list TRUSTED-SITES
site-id 100-105 ! Mumbai DC sites
site-id 200-205 ! Chennai DR sites
site-id 300-399 ! India branches
site-id 400-499 ! EMEA sites
site-id 500-599 ! Americas sites
!
prefix-list INFRASTRUCTURE
ip-prefix 10.100.0.0/16 ! Management
ip-prefix 10.252.0.0/16 ! Fabric handoff
ip-prefix 10.254.0.0/16 ! Controllers
!
!
5. Controller Security Hardening
5.1 vManage Security
+------------------------------------------------------------------+
| vMANAGE SECURITY HARDENING |
+------------------------------------------------------------------+
| |
| +--------------------+ +--------------------+ |
| | Access Controls | | Audit & Logging | |
| |--------------------| |--------------------| |
| | - SAML/SSO Auth | | - All API calls | |
| | - MFA Required | | - Config changes | |
| | - RBAC Policies | | - Login events | |
| | - Session Timeout | | - Security events | |
| | - IP Allowlist | | - SIEM export | |
| +--------------------+ +--------------------+ |
| |
| +--------------------+ +--------------------+ |
| | Network Security | | Data Protection | |
| |--------------------| |--------------------| |
| | - TLS 1.2+ only | | - DB encryption | |
| | - Strong ciphers | | - Config encrypt | |
| | - Port restrictions| | - Backup encrypt | |
| | - API rate limit | | - Log encryption | |
| +--------------------+ +--------------------+ |
| |
+------------------------------------------------------------------+
5.2 vManage Hardening Configuration
! vManage Cluster Security Settings
! Administration > Settings
! Session Security
system
organization-name "Abhavtech"
vbond vbond1.abhavtech.com port 12346
site-id 100
admin-tech-on-failure
idle-timeout 30
max-sessions 5
password-policy
min-password-length 12
min-uppercase-chars 1
min-lowercase-chars 1
min-numeric-chars 1
min-special-chars 1
password-history 12
password-max-age 90
!
!
! AAA Configuration with SAML
aaa
authentication-type saml
saml
idp-metadata-url https://login.microsoftonline.com/abhavtech/federationmetadata.xml
entity-id https://vmanage.abhavtech.com
assertion-consumer-url https://vmanage.abhavtech.com/saml/SSO
single-logout-url https://vmanage.abhavtech.com/saml/SLO
name-id-format email
signature-algorithm rsa-sha256
!
authorization
default-role read-only
group-mapping
group "SD-WAN-Admins" role admin
group "SD-WAN-Operators" role operator
group "SD-WAN-ReadOnly" role read-only
!
!
!
5.3 RBAC Configuration
| Role |
Permissions |
Group |
Users |
| Admin |
Full access |
SD-WAN-Admins |
3 |
| Operator |
Config, monitor |
SD-WAN-Operators |
8 |
| Read-Only |
View only |
SD-WAN-ReadOnly |
15 |
| Security |
Security config |
SD-WAN-Security |
2 |
| API-Service |
API access |
Service-Accounts |
5 |
! Custom RBAC Role
rbac
role NETWORK-ENGINEER
resource-group DEVICE-CONFIG
permission read write
!
resource-group TEMPLATE
permission read write
!
resource-group POLICY
permission read
!
resource-group ADMIN
permission deny
!
resource-group SECURITY
permission read
!
!
5.4 vSmart Security
! vSmart Controller Hardening
! Limit control connections
sdwan
control-connections
max-connections 2000
connection-timeout 300
retry-interval 30
!
! OMP security settings
omp
shutdown false
overlay-as 65100
graceful-restart
graceful-restart-timer 43200
send-path-limit 4
ecmp-limit 4
holdtime 60
advertisement-interval 1
!
! Port restriction
security
tls-port 12346
allowed-ports 12346 443
!
!
! SSH hardening
ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ssh server algorithm key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384
5.5 vBond Security
! vBond Orchestrator Hardening
! Strict device validation
sdwan
vbond
local 10.254.1.10 port 12346
only-allow-valid-certs
allowed-orgs "Abhavtech"
max-connections 5000
drain false
!
! Connection security
security
tls-port 12346
cert-validity-check true
allowed-certificate-orgs
organization "Abhavtech"
!
!
!
! Rate limiting
ip access-list extended VBOND-PROTECT
permit udp any any eq 12346
deny ip any any
class-map match-all DTLS-CONTROL
match access-group name VBOND-PROTECT
policy-map VBOND-RATE-LIMIT
class DTLS-CONTROL
police rate 10 mbps burst 1 mb
conform-action transmit
exceed-action drop
6. Control Plane Protection
6.1 Anti-Spoofing Controls
+------------------------------------------------------------------+
| ANTI-SPOOFING MECHANISMS |
+------------------------------------------------------------------+
| |
| 1. Certificate Binding: |
| - Device serial number locked to certificate |
| - Organization name validation |
| - System-IP uniqueness enforcement |
| |
| 2. TLOC Validation: |
| - Color must match physical interface |
| - Public-IP must be reachable |
| - Private-IP must be consistent |
| |
| 3. Site-ID Enforcement: |
| - Site-ID per-device binding |
| - Duplicate site-ID detection |
| - Geographic validation (optional) |
| |
| 4. OMP Origin Validation: |
| - Routes tagged with originator system-IP |
| - TLOC binding verification |
| - Path attribute integrity |
| |
+------------------------------------------------------------------+
6.2 Rate Limiting and DoS Protection
! Control Plane Policing on WAN Edge
control-plane
service-policy input CONTROL-PLANE-POLICY
!
class-map match-any CONTROL-PLANE-DTLS
match access-group name DTLS-TRAFFIC
class-map match-any CONTROL-PLANE-BGP
match access-group name BGP-TRAFFIC
policy-map CONTROL-PLANE-POLICY
class CONTROL-PLANE-DTLS
police rate 10 mbps burst 2 mb
conform-action transmit
exceed-action drop
class CONTROL-PLANE-BGP
police rate 5 mbps burst 1 mb
conform-action transmit
exceed-action drop
class class-default
police rate 1 mbps
conform-action transmit
exceed-action drop
ip access-list extended DTLS-TRAFFIC
permit udp any any eq 12346
permit udp any eq 12346 any
ip access-list extended BGP-TRAFFIC
permit tcp any any eq bgp
permit tcp any eq bgp any
6.3 Session Security
| Protection |
Implementation |
Threshold |
| Connection limit |
Max sessions per device |
5 |
| Authentication timeout |
DTLS handshake |
60 seconds |
| Session timeout |
Idle disconnect |
86400 seconds |
| Rekey interval |
Session key refresh |
3600 seconds |
| Replay window |
Anti-replay |
64 packets |
| Rate limiting |
DTLS traffic |
10 Mbps |
7. Verification and Monitoring
7.1 Certificate Verification Commands
! Verify certificate status
show sdwan certificate root-ca-cert
show sdwan certificate installed
show sdwan certificate serial
show sdwan certificate validity
show sdwan certificate signing-request
! Verify certificate chain
show crypto pki certificates verbose
show crypto pki trustpoints status
! Check certificate expiration
show sdwan certificate installed | include Valid
7.2 Control Connection Verification
! Verify control plane connections
show sdwan control connections
show sdwan control local-properties
show sdwan control connection-history
! Expected Output:
! PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
! TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME
! vsmart dtls 10.254.1.20 100 1 10.254.1.20 12346 10.254.1.20 12346 mpls Yes up 0:15:00:00
! vmanage dtls 10.254.1.100 100 0 10.254.1.100 12346 10.254.1.100 12346 mpls Yes up 0:15:00:00
! vbond dtls 10.254.1.10 0 0 10.254.1.10 12346 10.254.1.10 12346 default - up 0:15:00:00
! Verify DTLS security
show sdwan control connection-info
show sdwan security-info
7.3 OMP Security Verification
! Verify OMP peers
show sdwan omp peers
! Expected Output:
! DOMAIN OVERLAY SITE
! PEER TYPE ID ID ID STATE UPTIME
! 10.254.1.20 vsmart 1 1 100 up 0:15:00:00
! 10.254.1.21 vsmart 1 1 100 up 0:15:00:00
! Verify OMP routes with security attributes
show sdwan omp routes
show sdwan omp tlocs
show sdwan omp services
! Verify route origin
show sdwan omp routes vpn 10 | include originator
7.4 Security Event Monitoring
! Enable security logging
logging buffered 512000 informational
logging host 10.254.2.50 vrf Mgmt-intf
logging source-interface Loopback0
! Security-specific logging
logging discriminator SECURITY severity includes 3-5 facility includes SEC
logging host 10.254.2.50 discriminator SECURITY
! Monitor security events
show sdwan security-info
show logging | include SEC
show logging | include DTLS
show logging | include certificate
! Audit log export
! vManage: Monitor > Audit Log > Export
7.5 Control Plane Health Dashboard
+------------------------------------------------------------------+
| CONTROL PLANE HEALTH METRICS |
+------------------------------------------------------------------+
| |
| Metric | Target | Alert | Critical |
| --------------------------+-----------+------------+----------- |
| Control Connections | 100% | <95% | <90% |
| OMP Peer State | All Up | Any Down | >1 Down |
| Certificate Validity | >30 days | <30 days | <7 days |
| DTLS Session Age | <24 hours | >24 hours | >48 hours |
| Control Plane CPU | <50% | >70% | >85% |
| OMP Route Count | Baseline | >20% delta | >50% delta |
| Authentication Failures | 0 | >5/hour | >20/hour |
| Certificate Errors | 0 | >0 | >5/hour |
| |
+------------------------------------------------------------------+
8. Security Incident Response
8.1 Control Plane Security Events
| Event |
Severity |
Detection |
Response |
| Certificate expired |
Critical |
Monitoring |
Emergency renewal |
| DTLS failure |
High |
Alarm |
Investigate, failover |
| OMP peer down |
High |
Health check |
Verify connectivity |
| Authentication failure |
Medium |
Log analysis |
Investigate source |
| Unknown device connect |
High |
Alert |
Block, investigate |
| Rate limit exceeded |
Medium |
Threshold |
Tune limits |
| Certificate revoked |
Critical |
CRL check |
Device quarantine |
8.2 Incident Response Procedures
+------------------------------------------------------------------+
| CONTROL PLANE INCIDENT RESPONSE |
+------------------------------------------------------------------+
| |
| 1. Detection (0-5 minutes): |
| - Automated alert from monitoring |
| - Security event correlation |
| - Control connection status check |
| |
| 2. Triage (5-15 minutes): |
| - Verify impact scope |
| - Check affected devices/controllers |
| - Review security logs |
| |
| 3. Containment (15-60 minutes): |
| - Isolate compromised devices |
| - Revoke certificates if needed |
| - Block malicious sources |
| |
| 4. Resolution (1-4 hours): |
| - Apply security patches |
| - Rotate credentials/certificates |
| - Restore normal operations |
| |
| 5. Post-Incident (24-48 hours): |
| - Root cause analysis |
| - Update security policies |
| - Document lessons learned |
| |
+------------------------------------------------------------------+
9. Best Practices Summary
9.1 Certificate Management
- Use enterprise CA for additional trust
- Monitor certificate expiration (30-day warning)
- Enable automatic certificate rotation
- Maintain offline backup of root CA
9.2 Controller Security
- Enable SAML/SSO with MFA
- Implement strict RBAC
- Set appropriate session timeouts
- Regular security audit reviews
9.3 Network Protection
- Rate limit control plane traffic
- Enable control plane policing
- Use strong cipher suites only
- Disable unused protocols
9.4 Monitoring and Response
- Centralized security logging
- Real-time alerting on events
- Regular penetration testing
- Documented incident response
References
| Document |
Description |
Location |
| Cisco SD-WAN Security Guide |
Official security documentation |
cisco.com |
| PKI Best Practices |
Certificate management guide |
Internal |
| Abhavtech Security Policy |
Corporate security standards |
SharePoint |
| NIST SP 800-57 |
Key management guidelines |
nist.gov |
| CIS Benchmarks |
Security hardening standards |
cisecurity.org |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.2