How is data secured in transit in Cisco SD-WAN, including control and data planes?

Study for the CCNP SD-WAN Exam. Use flashcards and multiple choice questions with hints and explanations. Prepare thoroughly for your certification!

Multiple Choice

How is data secured in transit in Cisco SD-WAN, including control and data planes?

Explanation:
In Cisco SD-WAN, data in transit is protected with two complementary mechanisms: TLS for control-plane signaling and IPsec for data-plane tunnels. The control-plane communications between the edge devices (vEdges) and the orchestrators (vSmart/vBond) are carried over TLS, which provides mutual authentication and encryption of the control messages that manage the fabric. The actual user traffic, or data plane, travels through IPsec tunnels between devices, delivering encryption, integrity, and anti-replay protection for the data as it traverses the WAN. Devices authenticate using certificates issued by a trusted authority, and encryption keys are rotated regularly to limit exposure if a key is compromised. This combination ensures both the control messages and the data payload are protected in transit. The other options misstate which plane uses TLS versus IPsec, or claim no encryption at all, which does not align with how Cisco SD-WAN secures the network.
