SD-WAN Transport Color Explained: Master Cisco SD-WAN Colors, Use Cases & CLI [2025 Guide] [CCNP ENTERPRISE]

Over the past few years, I’ve helped many enterprises migrate to Cisco SD-WA, and a recurring point of confusion has been around Transport Colors. If you’ve ever looked at a vEdge or cEdge configuration and wondered what “mpls”, “biz-internet” or “public-internet” actually mean—this blog is for you.

When used correctly, transport colors are not just labels, but critical tools for identifying and controlling WAN traffic across multiple circuits (MPLS, LTE, Broadband, etc.). By the end of this blog, you’ll understand how to apply them, see them in action via CLI and EVE-NG lab, and confidently answer CCNP/SD-WAN questions on the topic.

---

Theory in Brief – What Are SD-WAN Transport Colors?

Transport Colors are identifiers used in Cisco SD-WAN (Viptela architecture) to tag and classify WAN interfaces (TLOCs – Transport Locators). Think of them as labels that help vSmart and vEdge devices understand the type of WAN transport being used.

There are two main color categories:

• Private Colors: Used for non-NAT or MPLS environments (e.g., mpls)
• Public Colors: Used for NATed networks like broadband or LTE (e.g., biz-internet, public-internet, lte)

Transport colors are configured under the Tunnel Interface, and they affect how data plane tunnels are built, how policy is applied, and even how preferred traffic paths are selected.

Transport colors are also used in:

• Control Plane restrictions
• TLOC extension
• Traffic steering

---

Summary – Common SD-WAN Colors & Their Properties

Color	NATed	Description	Typical Use Case
mpls	NO	Private WAN without NAT	MPLS circuit
private1-6	NO	Reserved private lines	Enterprise Leased Line
biz-internet	YES	Business-class internet with NAT	Broadband internet
public-internet	YES	General public internet access	Backup links, failover
lte	YES	Cellular or 4G LTE backup links	Remote or portable deployments
metro-ethernet	NO	Metro-E private link	Local enterprise fiber
custom1-8	Depends	User-defined color	Advanced design scenarios

Note: All public transport colors require NAT enabled, while private colors should not be NATed.

---

Essential CLI Commands

Purpose	Command	Description
View tunnel interface config	show running-config interface	Displays color assignment
View TLOC details	show sdwan tloc	Lists local TLOCs with color, IP, etc.
Check control connection status	show control connections	Shows active BFD tunnels per color
See BFD session per color	show bfd sessions	Verifies color reachability
Check data policy per color	show policy from-vsmart	View policy based on color
Tunnel statistics	show tunnel statistics	Tracks traffic per color/TLOC
Debug NAT or color-related issues	debug tunnel / debug control	Advanced troubleshooting

---

Real-World Use Cases

Scenario	Primary Color	Backup Color	Benefit
Dual ISP branch site	biz-internet	lte	Low cost + 4G failover
MPLS + broadband hybrid site	mpls	biz-internet	High performance + low cost
Public cloud access optimization	public-internet	lte	Better SaaS experience
Critical app over private WAN only	mpls	–	Control policy using color-based route
Retail outlet with only LTE	lte	–	Fast deployment without cabling

---

EVE-NG LAB – SD-WAN Transport Color Demonstration

Lab Objective:

• Configure multiple WAN interfaces with different transport colors.
• Observe tunnel behavior and TLOC establishment.

---

Topology Diagram

---

Basic Configuration Snippet

Step 1: MPLS Interface Configuration

interface Gig0/0
 description MPLS Transport
 ip address 10.1.1.1/30
 tunnel-interface
  color mpls
  encapsulation ipsec
  no allow-service all
!

Step 2: Internet Interface (NATed)

interface Gig0/1
 description Broadband Internet
 ip address 192.168.1.1/24
 tunnel-interface
  color biz-internet
  encapsulation ipsec
  allow-service all
!

Configure NAT on edge router for biz-internet. Use color to control which transport participates in control plane.

---

Step 3: Validation Commands

vEdge# show control connections
vEdge# show sdwan tloc
vEdge# show bfd sessions

---

Troubleshooting Tips

Issue	Cause	Fix
Tunnels not forming on internet link	Missing NAT config	Verify NAT, ACLs, and IP reachability
MPLS tunnels not up	Wrong color or no matching color at peer	Ensure peer device has matching color
Traffic not using preferred color	Policy misconfigured	Recheck data-policy using show policy
Device not advertising color	Incorrect tunnel-interface setup	Ensure color is configured under tunnel
High latency over LTE	LTE network constraints	Use it only for backup / failover

---

FAQ – SD-WAN Transport Color

1. What is a “transport color” in Cisco SD-WAN?

Answer:
In Cisco SD-WAN, a transport color is a logical label applied to a WAN interface in VPN 0 to identify the type of transport it uses (e.g., MPLS, Internet, LTE). It doesn’t refer to an actual color but helps vEdge or C8000v routers distinguish between different underlay transports and apply policies and SLA tracking accordingly.

---

2. What are the commonly used Cisco SD-WAN transport colors?

Answer:
Some of the most commonly used colors include:

Color	Typical Use
mpls	Private WAN (MPLS)
biz-internet	Business broadband
public-internet	General public internet
lte	4G/5G cellular backup
metro-ethernet	Metro ethernet service
private1-6	Custom private paths

Each color defines characteristics and control plane behavior in the fabric.

---

3. What is the difference between private and public colors in SD-WAN?

Answer:

• Private colors (e.g., mpls, metro-ethernet) do not use NAT traversal and expect direct communication between SD-WAN nodes.
• Public colors (e.g., biz-internet, public-internet) require NAT traversal (DTLS or TLS) and assume the underlying network may not support direct reachability.

This distinction is crucial during control plane bring-up and tunnel establishment.

---

4. Can I assign any name as a transport color?

Answer:
No. Cisco SD-WAN supports a fixed set of predefined colors. You must choose from the list Cisco provides, such as:

• public-internet
• mpls
• biz-internet
• metro-ethernet
• lte
• private1 to private6

These values are case-sensitive and must match across vEdge/C8000v configurations and templates.

---

5. How are transport colors used in policy configuration?

Answer:
Transport colors are referenced in control and data policies to:

• Enforce traffic steering (e.g., use mpls for voice, internet for web)
• Define TLOC preferences and backup paths
• Match App-Aware Routing (AAR) conditions
• Control failover behaviors

Example:

match tloc-color mpls

This lets the router steer specific traffic based on the transport label.

---

6. Can I use multiple transport colors on a single SD-WAN device?

Answer:
Yes. Devices can have multiple interfaces in VPN 0, each assigned a different transport color—e.g., one interface using mpls, another using public-internet. This supports dual transport, providing redundancy and intelligent path selection via App-Aware Routing and TLOC extensions.

---

7. What is TLOC and how does it relate to transport color?

Answer:
A TLOC (Transport Locator) is a unique identifier for a WAN interface in SD-WAN, made of:

• System IP
• Color
• Encapsulation (IPSec, GRE)

TLOCs define how and where traffic is forwarded across the SD-WAN fabric. The color helps determine routing, preference, and control plane reachability across different transports.

---

8. How do I configure a transport color on a vEdge router (CLI)?

Answer:
Example CLI:

vpn 0
 interface ge0/0
  ip address 192.0.2.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   allow-service all
  no shutdown

This sets the color to mpls and enables the interface to participate in SD-WAN fabric.

---

9. What happens if two TLOCs have the same color but different ISPs?

Answer:
Cisco SD-WAN supports multiple TLOCs with the same color, especially in public internet use cases. If they’re on different ISPs, you can use:

• TLOC extensions for redundancy
• Performance SLAs to select the best path
• App-aware policies to route traffic dynamically

But ensure unique IPs and NAT detection are handled properly for public transports.

---

10. How does transport color impact control plane connectivity?

Answer:
The color setting influences how control plane tunnels (DTLS/TLS/IPSec) are built:

• Public colors require NAT traversal and certificate-based DTLS/TLS
• Private colors allow direct reachability without NAT

Controllers (vBond, vSmart) use this info to decide how to build secure overlay tunnels, so an incorrect color can break the fabric.

---

YouTube Link

Watch the Complete CCNP Enterprise: SD-WAN Transport Color Explained: Master Cisco SD-WAN Colors, Use Cases & CLI Lab & Real-World Use Cases Lab Demo & Explanation on our channel:

---

Final Note

Understanding how to differentiate and implement SD-WAN Transport Color Explained: Master Cisco SD-WAN Colors, Use Cases & CLI is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.

If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:

CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!

Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.

Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

Upskill now and future-proof your networking career!

---