Over the past few years, I’ve helped many enterprises migrate to Cisco SD-WAN, and a recurring point of confusion has been around Transport Colors. If you’ve ever looked at a vEdge or cEdge configuration and wondered what “mpls”, “biz-internet” or “public-internet” actually mean—this blog is for you.
When used correctly, transport colors are not just labels, but critical tools for identifying and controlling WAN traffic across multiple circuits (MPLS, LTE, Broadband, etc.). By the end of this blog, you’ll understand how to apply them, see them in action via CLI and EVE-NG lab, and confidently answer CCNP/SD-WAN questions on the topic.
Theory in Brief – What Are SD-WAN Transport Colors?
Transport Colors are identifiers used in Cisco SD-WAN (Viptela architecture) to tag and classify WAN interfaces (TLOCs – Transport Locators). Think of them as labels that help vSmart and vEdge devices understand the type of WAN transport being used.
There are two main color categories:
- Private Colors: Used for non-NAT or MPLS environments (e.g., `mpls`)
- Public Colors: Used for NATed networks like broadband or LTE (e.g., `biz-internet`, `public-internet`, `lte`)
Transport colors are configured under the Tunnel Interface, and they affect how data plane tunnels are built, how policy is applied, and even how preferred traffic paths are selected.
Transport colors are also used in:
- Control Plane restrictions
- TLOC extension
- Traffic steering
Summary – Common SD-WAN Colors & Their Properties
Color | NATed | Description | Typical Use Case |
---|---|---|---|
mpls | NO | Private WAN without NAT | MPLS circuit |
private1-6 | NO | Reserved private lines | Enterprise Leased Line |
biz-internet | YES | Business-class internet with NAT | Broadband internet |
public-internet | YES | General public internet access | Backup links, failover |
lte | YES | Cellular or 4G LTE backup links | Remote or portable deployments |
metro-ethernet | NO | Metro-E private link | Local enterprise fiber |
custom1-8 | Depends | User-defined color | Advanced design scenarios |
Note: All public transport colors require NAT enabled, while private colors should not be NATed.
Essential CLI Commands
Purpose | Command | Description |
---|---|---|
View tunnel interface config | show running-config interface | Displays color assignment |
View TLOC details | show sdwan tloc | Lists local TLOCs with color, IP, etc. |
Check control connection status | show control connections | Shows active BFD tunnels per color |
See BFD session per color | show bfd sessions | Verifies color reachability |
Check data policy per color | show policy from-vsmart | View policy based on color |
Tunnel statistics | show tunnel statistics | Tracks traffic per color/TLOC |
Debug NAT or color-related issues | debug tunnel / debug control | Advanced troubleshooting |
Real-World Use Cases
Scenario | Primary Color | Backup Color | Benefit |
---|---|---|---|
Dual ISP branch site | biz-internet | lte | Low cost + 4G failover |
MPLS + broadband hybrid site | mpls | biz-internet | High performance + low cost |
Public cloud access optimization | public-internet | lte | Better SaaS experience |
Critical app over private WAN only | mpls | – | Control policy using color-based route |
Retail outlet with only LTE | lte | – | Fast deployment without cabling |
EVE-NG LAB – SD-WAN Transport Color Demonstration
Lab Objective:
- Configure multiple WAN interfaces with different transport colors.
- Observe tunnel behavior and TLOC establishment.
Basic Configuration Snippet
Step 1: MPLS Interface Configuration
```
interface Gig0/0
 description MPLS Transport
 ip address 10.1.1.1/30
 tunnel-interface
  color mpls
  encapsulation ipsec
  no allow-service all
!
```
Step 2: Internet Interface (NATed)
```
interface Gig0/1
 description Broadband Internet
 ip address 192.168.1.1/24
 tunnel-interface
  color biz-internet
  encapsulation ipsec
  allow-service all
!
```
Configure NAT on the edge router for `biz-internet`. Use `color` to control which transport participates in the control plane.
Step 3: Validation Commands
```
vEdge# show control connections
vEdge# show sdwan tloc
vEdge# show bfd sessions
```
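An offline check for the lab configuration above, as an added example that is not part of the original post: it parses vEdge-style `tunnel-interface` stanzas, checks each color against the names this page lists (case-sensitive), and flags `allow-service all` on NATed public colors for review. The sample config and function names are constructed for illustration, and the `allow-service all` flag is an added hardening check rather than a lab requirement.

```python
import re

# Colors named on this page, split by the NAT expectation in its summary table.
PRIVATE = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}
PUBLIC = {"biz-internet", "public-internet", "lte"}

# Constructed sample config (not from a real device); ge0/2 has a mis-cased color.
SAMPLE = """\
vpn 0
 interface ge0/0
  tunnel-interface
   color mpls
   no allow-service all
 interface ge0/1
  tunnel-interface
   color biz-internet
   allow-service all
 interface ge0/2
  tunnel-interface
   color MPLS
"""

def parse_tunnels(config):
    """Return {interface: {"color": str|None, "allow_all": bool}} per tunnel interface."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
        elif line == "tunnel-interface" and current:
            tunnels[current] = {"color": None, "allow_all": False}
        elif current in tunnels:
            if m := re.fullmatch(r"color (\S+)", line):
                tunnels[current]["color"] = m.group(1)
            elif line == "allow-service all":
                tunnels[current]["allow_all"] = True
    return tunnels

def audit(config):
    """Return sorted (interface, finding) pairs; an empty list means nothing to review."""
    findings = []
    for ifname, t in parse_tunnels(config).items():
        color = t["color"]
        if color not in PRIVATE | PUBLIC:
            findings.append((ifname, f"color {color!r} not in the page's list (case-sensitive)"))
        elif color in PUBLIC and t["allow_all"]:
            findings.append((ifname, f"allow-service all on NATed public color {color}"))
    return sorted(findings)

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

On the constructed sample, `ge0/1` is flagged for exposing all services on a public transport and `ge0/2` for the mis-cased color; `ge0/0` passes.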
Troubleshooting Tips
Issue | Cause | Fix |
---|---|---|
Tunnels not forming on internet link | Missing NAT config | Verify NAT, ACLs, and IP reachability |
MPLS tunnels not up | Wrong color or no matching color at peer | Ensure peer device has matching color |
Traffic not using preferred color | Policy misconfigured | Recheck data-policy using show policy |
Device not advertising color | Incorrect tunnel-interface setup | Ensure color is configured under tunnel |
High latency over LTE | LTE network constraints | Use it only for backup / failover |
FAQ – SD-WAN Transport Color
1. What is a “transport color” in Cisco SD-WAN?
Answer:
In Cisco SD-WAN, a transport color is a logical label applied to a WAN interface in VPN 0 to identify the type of transport it uses (e.g., MPLS, Internet, LTE). It doesn’t refer to an actual color but helps vEdge or C8000v routers distinguish between different underlay transports and apply policies and SLA tracking accordingly.
2. What are the commonly used Cisco SD-WAN transport colors?
Answer:
Some of the most commonly used colors include:
Color | Typical Use |
---|---|
mpls | Private WAN (MPLS) |
biz-internet | Business broadband |
public-internet | General public internet |
lte | 4G/5G cellular backup |
metro-ethernet | Metro ethernet service |
private1-6 | Custom private paths |
Each color defines characteristics and control plane behavior in the fabric.
3. What is the difference between private and public colors in SD-WAN?
Answer:
- Private colors (e.g., mpls, metro-ethernet) do not use NAT traversal and expect direct communication between SD-WAN nodes.
- Public colors (e.g., biz-internet, public-internet) require NAT traversal (DTLS or TLS) and assume the underlying network may not support direct reachability.
This distinction is crucial during control plane bring-up and tunnel establishment.
4. Can I assign any name as a transport color?
Answer:
No. Cisco SD-WAN supports a fixed set of predefined colors. You must choose from the list Cisco provides, such as:
- public-internet
- mpls
- biz-internet
- metro-ethernet
- lte
- private1 to private6
These values are case-sensitive and must match across vEdge/C8000v configurations and templates.
5. How are transport colors used in policy configuration?
Answer:
Transport colors are referenced in control and data policies to:
- Enforce traffic steering (e.g., use mpls for voice, internet for web)
- Define TLOC preferences and backup paths
- Match App-Aware Routing (AAR) conditions
- Control failover behaviors
Example:
match tloc-color mpls
This lets the router steer specific traffic based on the transport label.
6. Can I use multiple transport colors on a single SD-WAN device?
Answer:
Yes. Devices can have multiple interfaces in VPN 0, each assigned a different transport color—e.g., one interface using `mpls`, another using `public-internet`. This supports dual transport, providing redundancy and intelligent path selection via App-Aware Routing and TLOC extensions.
7. What is TLOC and how does it relate to transport color?
Answer:
A TLOC (Transport Locator) is a unique identifier for a WAN interface in SD-WAN, made of:
- System IP
- Color
- Encapsulation (IPSec, GRE)
TLOCs define how and where traffic is forwarded across the SD-WAN fabric. The color helps determine routing, preference, and control plane reachability across different transports.
8. How do I configure a transport color on a vEdge router (CLI)?
Answer:
Example CLI:
```
vpn 0
 interface ge0/0
  ip address 192.0.2.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   allow-service all
  no shutdown
```
This sets the color to `mpls` and enables the interface to participate in SD-WAN fabric.
9. What happens if two TLOCs have the same color but different ISPs?
Answer:
Cisco SD-WAN supports multiple TLOCs with the same color, especially in public internet use cases. If they’re on different ISPs, you can use:
- TLOC extensions for redundancy
- Performance SLAs to select the best path
- App-aware policies to route traffic dynamically
But ensure unique IPs and NAT detection are handled properly for public transports.
10. How does transport color impact control plane connectivity?
Answer:
The color setting influences how control plane tunnels (DTLS/TLS/IPSec) are built:
- Public colors require NAT traversal and certificate-based DTLS/TLS
- Private colors allow direct reachability without NAT
Controllers (vBond, vSmart) use this info to decide how to build secure overlay tunnels, so an incorrect color can break the fabric.
Final Note
Understanding how to differentiate and implement SD-WAN transport colors is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.