Building a functional Cisco SD-WAN lab on EVE-NG requires 64GB+ RAM, controller images at version 20.15+, and roughly 3–4 hours of setup time — but it gives you hands-on access to every SD-WAN component tested on the CCIE EI v1.1 lab exam. This is the single most important lab you can build for CCIE Enterprise Infrastructure preparation in 2026.
Key Takeaway: SD-WAN covers five full subsections of the CCIE EI v1.1 blueprint (2.2.a through 2.2.e). A properly built EVE-NG lab with vManage, vBond, vSmart, and cEdge devices lets you practice every orchestration, control plane, and data plane scenario the exam throws at you.
I’ve built and rebuilt this lab multiple times while helping candidates prepare. Here’s the exact process, mapped to the blueprint sections you’re studying for, with every common pitfall addressed.
What Hardware Do You Need for a Cisco SD-WAN Lab?
This is the first question everyone asks on Reddit, and the answer determines whether your lab will actually work or crash constantly. Based on Reddit community feedback and my own testing, here are the real requirements:
Minimum Viable Lab (4-Node Setup)
| Component | vCPUs | RAM | Storage | Notes |
|---|---|---|---|---|
| vManage | 8 | 32 GB | 200 GB | Cannot run with less — UI becomes unusable |
| vBond | 1 | 2 GB | — | Lightweight orchestrator |
| vSmart | 1 | 4 GB | — | Control plane processing |
| cEdge (CSR8000v) | 1–2 | 4 GB | — | Per edge device |
| EVE-NG Host | — | — | — | Ubuntu 20.04/22.04 recommended |
| Total Minimum | 12+ | 64 GB | 500 GB SSD | Bare metal or nested ESXi |
Critical: vManage’s 32GB RAM requirement is non-negotiable. I’ve seen candidates try to run it with 16GB — the UI loads but becomes unresponsive during configuration, and API calls time out. Don’t waste your time trying to cut corners here.
Recommended Lab (Production-Like)
For serious CCIE EI preparation, add:
- 2x cEdge devices — You need at least two WAN edges to practice OMP route advertisement, hub-spoke vs. full-mesh topologies, and data policy steering
- 1x additional vSmart — Practice controller redundancy (tested on the exam)
- Total: 96GB RAM recommended for a smooth experience
Hardware Options
According to discussions on Reddit’s r/networking, the most popular hardware choices are:
- Used Dell PowerEdge R730/R740 — 128GB RAM, dual Xeon, ~$500–$800 on eBay. Best value.
- Custom PC build — AMD Ryzen 9/Threadripper, 128GB DDR4. ~$1,200–$1,500.
- Cloud instances — AWS bare metal or Hetzner dedicated servers. $150–$300/month.
For a comparison of EVE-NG against other lab platforms, see our CML vs INE vs GNS3: Best CCIE Lab Environment guide.
How Do You Prepare the SD-WAN Images for EVE-NG?
Image preparation is where most people get stuck. According to the EVE-NG official documentation, here’s the exact process:
Step 1: Download Images from Cisco
You need four image types from software.cisco.com:
- vManage —
viptela-vmanage-genericx86-64.qcow2(version 20.15+) - vBond —
viptela-edge-genericx86-64.qcow2(same version as vManage) - vSmart —
viptela-smart-genericx86-64.qcow2(same version as vManage) - cEdge —
csr1000v-universalk9.17.15.xx.qcow2orc8000v-universalk9.17.15.xx.qcow2
Version consistency is critical. All three controllers (vManage, vBond, vSmart) must run the same version. Use 20.15 or later — earlier versions lack features needed for CCIE EI v1.1 practice, as confirmed by Reddit users who built working labs.
Step 2: Create Image Directories on EVE-NG
SSH into your EVE-NG host and create the folder structure:
mkdir -p /opt/unetlab/addons/qemu/vtmgmt-20.15.1
mkdir -p /opt/unetlab/addons/qemu/vtbond-20.15.1
mkdir -p /opt/unetlab/addons/qemu/vtsmart-20.15.1
mkdir -p /opt/unetlab/addons/qemu/csr1000v-17.15.01
Step 3: Convert and Rename Images
For vManage (OVA format — needs extraction):
cd /opt/unetlab/addons/qemu/vtmgmt-20.15.1
tar -xvf viptela-vmanage-genericx86-64.ova
mv *.vmdk virtioa.qcow2
# If the extracted file is VMDK format, convert:
qemu-img convert -f vmdk -O qcow2 *.vmdk virtioa.qcow2
For vBond and vSmart (QCOW2 format — just rename):
cd /opt/unetlab/addons/qemu/vtbond-20.15.1
mv viptela-edge-*.qcow2 virtioa.qcow2
cd /opt/unetlab/addons/qemu/vtsmart-20.15.1
mv viptela-smart-*.qcow2 virtioa.qcow2
For cEdge:
cd /opt/unetlab/addons/qemu/csr1000v-17.15.01
mv csr1000v-universalk9*.qcow2 virtioa.qcow2
Step 4: Fix Permissions
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
This step is often forgotten and causes “image not found” errors in the EVE-NG UI.
How Do You Deploy the SD-WAN Topology in EVE-NG?
Now for the actual topology build. According to NetworkAcademy.IO’s EVE-NG guide, here’s the topology that covers all CCIE EI blueprint requirements:
Recommended Lab Topology
[Internet/Transport]
|
+--------+------+------+--------+
| | | |
[vBond] [vSmart] [cEdge-1] [cEdge-2]
| | | |
+--------+------+------+---------+
|
[vManage]
(OOB Mgmt)
Network design:
- VPN 0 (Transport): All controllers and edges connect here — simulates WAN transport
- VPN 512 (Management): Out-of-band management for vManage GUI access
- VPN 1 (Service): Service-side networks on cEdge devices — where user traffic lives
Step-by-Step Deployment
1. Create a new EVE-NG lab and add four cloud networks:
Management— bridges to your host network for GUI accessTransport-Internet— simulates internet WANTransport-MPLS— simulates private MPLS WAN (optional but recommended)Service-LAN— service-side user networks
2. Add nodes from your imported images:
| Node | Image | vCPUs | RAM | Interfaces |
|---|---|---|---|---|
| vManage | vtmgmt-20.15.1 | 8 | 32768 MB | eth0 (mgmt), eth1 (transport) |
| vBond | vtbond-20.15.1 | 1 | 2048 MB | eth0 (transport), eth1 (mgmt) |
| vSmart | vtsmart-20.15.1 | 1 | 4096 MB | eth0 (transport), eth1 (mgmt) |
| cEdge-1 | csr1000v-17.15.01 | 2 | 4096 MB | Gi1 (transport), Gi2 (service) |
| cEdge-2 | csr1000v-17.15.01 | 2 | 4096 MB | Gi1 (transport), Gi2 (service) |
3. Connect interfaces to the appropriate cloud networks.
4. Start all nodes — vManage takes 10–15 minutes to fully boot on first launch. Be patient.
How Do You Bootstrap the SD-WAN Controllers?
This is the most error-prone phase. Follow this exact order — it matters.
Step 1: Configure vManage (Blueprint Section 2.2.b — Management Plane)
Console into vManage and set initial configuration:
system
host-name vManage
system-ip 1.1.1.1
site-id 1000
organization-name "CCIE-Lab"
vbond 10.0.0.11
!
vpn 0
interface eth1
ip address 10.0.0.10/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.0.0.1
!
vpn 512
interface eth0
ip address 192.168.1.10/24
no shutdown
!
Step 2: Configure vBond (Blueprint Section 2.2.a — Orchestration Plane)
The vBond is the orchestration plane — the first point of contact for all SD-WAN devices. This maps directly to CCIE EI blueprint section 2.2.a.
system
host-name vBond
system-ip 1.1.1.11
site-id 1000
organization-name "CCIE-Lab"
vbond 10.0.0.11 local vbond-only
!
vpn 0
interface ge0/0
ip address 10.0.0.11/24
tunnel-interface
encapsulation ipsec
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.0.0.1
!
CCIE EI exam note: Understand that vBond uses DTLS (or TLS) for control connections and handles NAT traversal for edge devices behind NAT. The exam tests scenarios where vBond must be publicly reachable.
Step 3: Configure vSmart (Blueprint Section 2.2.c — Control Plane)
The vSmart controller handles OMP (Overlay Management Protocol) — the routing protocol of the SD-WAN fabric:
system
host-name vSmart
system-ip 1.1.1.12
site-id 1000
organization-name "CCIE-Lab"
vbond 10.0.0.11
!
vpn 0
interface eth0
ip address 10.0.0.12/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.0.0.1
!
CCIE EI exam note: vSmart is where OMP policies, control policies, and route manipulation happen. Blueprint section 2.2.c specifically tests OMP route advertisement, route filtering, and path selection. This is the controller you’ll interact with most during policy labs.
Step 4: Exchange Certificates (The Step Most Tutorials Skip)
This is where most candidates get stuck. The SD-WAN controllers authenticate each other using certificates. According to TheTechGuy.it’s lab guide, here’s the process:
- Access vManage GUI at
https://192.168.1.10:8443 - Navigate to Administration → Settings
- Set the Organization Name (must match all nodes exactly)
- Set the vBond address (10.0.0.11)
- Navigate to Administration → Settings → Controller Certificate Authorization → select “Enterprise Root Certificate”
- Generate and install the root CA on all controllers
This certificate exchange ensures that vBond, vSmart, and vManage trust each other — without it, DTLS/TLS tunnels won’t form and your control connections will fail silently.
How Do You Onboard cEdge Devices? (Blueprint Section 2.2.e)
Edge device onboarding maps directly to CCIE EI blueprint section 2.2.e — WAN Edge Deployment. This is the workflow:
Step 1: Configure cEdge Initial Settings
Console into each cEdge (CSR8000v):
system
host-name cEdge-1
system-ip 1.1.1.21
site-id 100
organization-name "CCIE-Lab"
vbond 10.0.0.11
!
vpn 0
interface GigabitEthernet1
ip address 10.0.0.21/24
tunnel-interface
encapsulation ipsec
color default
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.0.0.1
!
vpn 1
interface GigabitEthernet2
ip address 172.16.1.1/24
no shutdown
!
!
Step 2: Add Device to vManage
- In vManage, go to Configuration → Devices
- Add the cEdge’s chassis number and serial number (found via
show sdwan certificate serial) - Upload or sync the device list
- The cEdge will authenticate through vBond and establish control connections to vSmart
Step 3: Verify Control Connections
On the cEdge, verify all control connections are established:
show sdwan control connections
show sdwan omp peers
show sdwan bfd sessions
You should see:
- DTLS tunnels to vManage, vBond, and vSmart (control connections)
- OMP peering with vSmart (route exchange)
- BFD sessions to other cEdge devices (data plane health monitoring — blueprint section 2.2.d)
What Should You Practice After the Lab Is Running?
Once your lab is operational, here are the CCIE EI v1.1 scenarios to practice, mapped to blueprint sections:
OMP and Route Manipulation (Section 2.2.c)
- Advertise service-side routes via OMP
- Apply control policies on vSmart to filter or manipulate routes
- Practice OMP path selection with
prefer-colorandrestrict - Understand OMP vs. BGP route redistribution at the edge
Data Policies and Application-Aware Routing (Section 2.2.d)
- Create data policies for traffic steering based on DSCP, application, or source/destination
- Configure application-aware routing with SLA classes (latency, jitter, loss thresholds)
- Practice centralized vs. localized data policies
- Understand IPsec tunnel formation and BFD probes
Template-Based Deployment (Section 2.2.b)
- Create feature templates in vManage for consistent edge configuration
- Practice device templates that combine feature templates
- Push configuration changes from vManage and verify on cEdge
- Understand configuration groups (new in 20.14+)
Security Context
If you’re studying SD-WAN security, our coverage of recent Cisco SD-WAN vulnerabilities provides real-world context for why SD-WAN security architecture matters — and what the exam tests around control plane protection.
CML as an Alternative: The Fast Path
If building an EVE-NG lab feels too complex, Cisco’s CML (Cisco Modeling Labs) Personal edition offers a one-click alternative. According to NetworkLessons.com, CML’s SD-WAN Lab Deployment Tool can deploy a fully functional lab “in less than 20 minutes” — no separate SD-WAN license required.
EVE-NG vs CML for SD-WAN:
| Factor | EVE-NG | CML Personal |
|---|---|---|
| Setup time | 3–4 hours | ~20 minutes |
| Cost | Free (Community) / $100 (Pro) | $199/year |
| Flexibility | Full control, any image version | Limited to included images |
| Learning value | High — you learn the bootstrap process | Moderate — automated setup |
| CCIE EI relevance | Better — manual setup teaches architecture | Good — faster iteration |
My recommendation: build the EVE-NG lab at least once to understand the bootstrap process and certificate exchange. Then use CML for rapid iteration when practicing specific scenarios.
Frequently Asked Questions
What are the minimum hardware requirements for a Cisco SD-WAN lab on EVE-NG?
You need at minimum 64GB RAM and 500GB SSD storage. vManage alone requires 32GB RAM and 200GB storage. vSmart and vBond are lighter at 4GB RAM each. A cEdge (CSR8000v or CAT8kv) needs 4GB RAM per instance.
Which SD-WAN software version should I use for CCIE EI lab practice?
Use version 20.15 or later for controllers (vManage, vSmart, vBond). For cEdge devices, use IOS-XE 17.15 or matching controller version. Avoid older versions — they lack features tested on the CCIE EI v1.1 exam.
Do I need a Cisco SD-WAN license for EVE-NG labs?
For EVE-NG, you need to download images from Cisco’s software portal, which requires a valid Cisco account with appropriate entitlements. CML Personal is an alternative that includes an SD-WAN Lab Deployment Tool requiring no separate SD-WAN license.
How long does it take to set up a Cisco SD-WAN lab on EVE-NG?
Allow 2–4 hours for initial setup including image preparation, VM deployment, and controller bootstrap. Certificate exchange and edge onboarding typically takes another 1–2 hours. After that, the lab is reusable for ongoing practice.
What CCIE EI v1.1 blueprint sections does SD-WAN cover?
SD-WAN maps to blueprint sections 2.2.a (Orchestration Plane — vBond), 2.2.b (Management Plane — vManage), 2.2.c (Control Plane — vSmart, OMP), 2.2.d (Data Plane — IPsec, BFD), and 2.2.e (WAN Edge Deployment — cEdge onboarding).
Ready to build your SD-WAN lab and crush the CCIE EI exam? Contact us on Telegram @phil66xx for a free assessment — I’ll help you design a lab environment tailored to your hardware and study timeline.