WAN Insights Terminology and Reference

This page contains terms, acronyms, user-interface labels, and concepts that are important to understanding and using WAN Insights.



Application-Aware Routing (AAR), is the intelligent forwarding of application traffic across a WAN, but is not specific to WAN Insights. See Cisco SD-WAN: Application-Aware Routing Deployment Guide for general information on AAR.

AAR Policy

Application-Aware Routing network policy is a Cisco vManage feature. An AAR policy is only one of the many types of policies available in vManage. You don’t have to define AAR policies in vManage in order to set up your Cisco SD-WAN. However, you do need to define AAR policies if you want to automate WAN Insights recommendations.

Active Path

A path is defined as active in WAN Insights if it has carried network traffic for an application of interest for WAN Insights (e.g., Office365) at least once in the last 28 days.

Active Recommendation

A WAN Insights recommendation that is in the active state, is ready for implementation, but the recommended change hasn’t been applied.


In WAN Insights, the “App” screen label appears as an identifier for an entire application category, for example all Voice applications.


Strictly speaking an application is anything with a unique network traffic signature of server, IP address, port, and protocol (TCP, UDP, or TCP-UDP).

In more practical terms, an application refers to a line item within a WAN Insights application category, or a line item within vManage Application List. For example, the WAN Insights application category for O365 includes an entry that encompasses Sharepoint. Each specific application has unique characteristics that constitute the application’s signature.

Application Card

A WAN Insights UI term that refers to how the application categories are presented to the WAN Insights user on the summary or Home screen.

Application Category

An application category is a pre-selected bundle of applications within WAN Insights, such as Voice or Google Workspace, that share similar characteristics. Each application category includes multiple applications along with a single set of SLA quality thresholds for loss, latency, and jitter. They are shown on the user interface as an application card. The bundles are sometimes informally described as an application portfolio, or application family.

In WAN Insights, the application category includes the SLA quality thresholds for loss, latency, and jitter, which are defined for the entire bundle of applications within that category. In vManage, the application list is associated with an SLA list so they’re two separate things.

Application List

The vManage counterpart of a WAN Insights application category, as it appears in the vManage user interface.

Application Traffic

Network traffic generated by actual use of an application. Note that application traffic must exist in order for WAN Insights to show the path, but WAN Insights doesn’t use actual application traffic to determine network performance. Instead, it ingests telemetry data from vAnalytics network probes in order to establish path quality.


For the WAN Insights Capacity Planning feature, bandwidth refers to what the user configures, on the SD-WAN router itself, for example 500 Mbps.


For the WAN Insights Capacity Planning feature, capacity refers to what the user monitors for the purpose of determining if a circuit is saturated (utilization as a percentage of bandwidth).


A type of Cisco router running IOS-XE SD WAN, used with NBAR (Network-Based Application Recognition).


cFlowd is a tool for monitoring the traffic flowing through cEdge routers, ​​used to sample IPv4 and IPv6 traffic data flows. See Cisco SD-WAN Policies Configuration Guide for Cisco IOS XE Release 17.x for information on using cFlowd.


A circuit refers to the network Underlay, meaning the network’s physical infrastructure. A single circuit can span multiple sites and routers. Examples of circuit types include shared Comcast fiber, or an MPLS dedicated line. Routing can also be a differentiator. For example, below are two circuits, one is direct and one goes through a host.

  • Business internet → Office 365

  • Business internet → Host → Office 365

In WAN Insights, circuits are often equivalent to a type of connectivity service, or to a specific provider. When a recommendation suggests moving application traffic from one circuit to another, it’s because historical data analysis has indicated that doing so would result in better Path quality, i.e., network performance. Improved network performance results in an improved user experience.

Closed Loop Automation

Refers to the end-to-end workflow that allows WAN Insights users to act on recommendations by clicking through a recommendation from WAN Insights, and through vAnalytics, in order to apply the suggested path changes in vManage. See Applying WAN Insights Recommendations. The recommendations themselves are visible in both WAN Insights and in vAnalytics.


A Color is logical abstraction used to identify specific WAN transport that connects to a WAN Edge device. This term is Cisco-specific. While it doesn’t appear directly in WAN Insights, it is central to other Cisco SD-WAN products such as vManage.

Cloud OnRamp (CoR)

Cisco SD-WAN Cloud OnRamp for SaaS is a cloud networking solution that automates seamless connectivity for site-to-cloud, site-to-application, or site-to-site configurations. For WAN Insights, CoR is the engine used to configure SaaS site-to-cloud applications that users connect to using Direct Internet Access (DIA).

Current Path Quality

In WAN Insights, the current path quality refers to the path taken before the recommendation was generated, and until the recommendation is applied. It’s the quality of the current path as chosen by the SD-WAN’s existing Application-Aware Routing (AAR) policy.

Custom Application Category

In WAN Insights, a custom application category is a custom-defined bundle of applications with a shared set of custom-defined SLA quality thresholds for loss, latency, and jitter. To create one in WAN Insights, you must define an Application list and a corresponding SLA class list in vManage, and then enable it which makes it visible in WAN Insights.


A WAN Insights customer is an enterprise that uses WAN Insights. Generally the enterprise has internal users, or possibly even external users, who need access to common SaaS business applications, from enterprise-managed network sites, via an SD-WAN that is under the customer’s control. WAN Insights is accessed through the ThousandEyes user interface.


Data Lag

The difference in time between now and the last hour processed by the WAN Insights data pipeline. It is normal, for technical reasons, to have up to 3 hours of lag.

Default Application Category

Refers to the out-of-the-box application categories that are automatically included with WAN Insights: Voice, Office 365, Salesforce, Google Workspace, Webex, GoTo Meeting.


Deep Packet Inspection. DPI is one of the methods that enables WAN Insights to obtain the detailed network telemetry that it uses to evaluate Path quality and generate Recommendations. DPI is a feature of Cisco’s Viptela SD-WAN solution, which is designed for enterprise customers with complex networking needs.

Up to Cisco vManage Release 20.7.x this telemetry feature was called DPI. Starting with vManage 20.8.x, it changed to SAIE (SD-WAN Application Intelligence Engine).

In vManage, the customer must ensure that DPI/SAIE telemetry export to vAnalytics is enabled. In the device template, attach a local policy on which both Netflow and Application visibility must be enabled for vEdge. (For cEdge, Application visibility is enough.)


Direct Internet Access (DIA) refers to traffic going directly to SaaS cloud providers such as Office365, where the destination endpoint is not a site within the SD-WAN.


In general, “edge computing” and “edge devices” are generic industry terms. However, within Cisco SD-WAN, the words “Edge”, “Edge device” or “Edge router” are often used as a shorthand to refer to cEdge or vEdge routers.

Edge Device

An edge router. For example, a Cisco SD-WAN device that establishes tunnels with other SD-WAN devices to form the SD-WAN fabric. Sometimes called by the brand name: vEdge (original Viptela OS) or cEdge (Viptela SD-WAN on top of Cisco IOS-XE device).


For WAN Insights, an endpoint broadly refers to a Router located at a Site. From a data standpoint, endpoints are entities to which network traffic is routed, or which produce or consume traffic. Examples of endpoints include edge routers, SaaS data centers, and routing prefixes.

Endpoint Pair

A connection between two Routers located at different Sites. Note that an endpoint pair (routers, with IP addresses) can have multiple alternative Paths (Tunnels) via different Interfaces on each router.

Endpoint-Pair Interfaces

This is a labeled area on the WAN Insights user interface showing a graphical representation of routers, interfaces, and paths. Endpoint-pair interfaces are shown on the Path and QOS Details screen.

Evaluation Period

On the WAN Insights user interface, the evaluation period is the 7-day rolling period of historical data used to generate, or to confirm, all currently active recommendations. The evaluation period is shown on the timeline in the Recommendation Detail modal.

Expected Impact

The difference between the Default path quality and the Recommended path quality, and refers to the expected impact of network quality on the user’s experience while using critical business applications.


Flexible Netflow (FNF) is a Cisco networking feature that allows you to collect and optionally export a flow record that specifies various flow attributes.



A network host is a computer or other device that is connected to a computer network, and has at least one network address. The site-level listing in WAN Insights shows routers, which can be hosts.

Hourly Active User

Average hourly user count within the last 30 days, for unique users.


In WAN Insights, Hub is a type of site topology. A hub site serves as a central connection point for many other sites that are known as spokes.

Hub and Spoke Topology

Generic industry term for how a network is connected. In Cisco SD-WAN’s hub-and-spoke topology, all offices form 1 tunnel per transport network against 1 or multiple data centers (DCs).


For WAN Insights, the term Impact refers to site path change recommendations with “maximum impact”. Calculated as number of users * the % of quality improvement. For example, a recommendation that shows 100 impacted users and a 20% potential quality improvement would have greater impact than a similar recommendation for 50 users.

Impacted User

An end user of a business application within an enterprise network, who may be impacted by poor network performance.


Interfaces represent control points that can be used to direct network application traffic along various routes. Interfaces connect paths to endpoints. Interfaces are used by the router to send outbound traffic, and receive inbound traffic.

IPSec Tunnel

A type of secure data connection using the IPSec protocol. IPSec tunnels are used to create virtual private networks (VPNs) that extend either site-to-site, or via remote access.


A modal is a type of dialog that appears over a main page and must be dismissed in order to return to the main page. WAN Insights displays a modal to show details about a specific recommendation, with additional expansions that display after a single endpoint pair is selected.


Managed Services License Agreement, used by Cisco to implement customer licensing, onboarding, account activation, and similar.



Network-Based Application Recognition is a Cisco proprietary engine which is used on cEdge routers in vManage networks. NBAR uses deep packet inspection (DPI) to recognize types of application traffic as that traffic flows over the SD-WAN fabric.

Starting from release 20.6.1 NBAR has also been introduced on vEdge routers (https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/vedge-20-x/policies-book/deep-packet-inspection.html).


NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow. Analyzing NetFlow data, provides a picture of network traffic flow and volume.


Onboarding refers to various activities associated with activating a new WAN Insights customer account and the historical data used to generate recommendations.


The overlay is a virtual network that is built on top of an underlying network infrastructure, a virtual private WAN that interconnects all edge routers. For WAN Insights, the vManage overlay must also be enabled in vAnalytics in order for WAN Insights to work.

See the chapter in the Cisco SD-WAN Getting Started Guide titled Cisco SD-WAN Overlay Network Bring-Up Process for more information.


Peer-to-peer networking is when two or more computers or network nodes can share resources directly. Refers to networking traffic flowing through IPSec tunnels between SD-WAN sites.


A path is a network path between two Endpoints (e.g., routers) and represents a defined route through which network traffic flows. Paths are attached to routers through Interfaces, which represent control points that can be used to direct the traffic along various routes.

Path Metrics

This is a labeled area on the WAN Insights user interface, on the Endpoint-pair metrics over circuits graph, which shows breakouts for loss, latency, and jitter.

Path Quality

The path quality metric aggregates network performance measures (loss, latency, and jitter), and expresses the result as a single weighted percentage. This percentage expresses the likelihood of violating this quality threshold in the near future, which is a risk to be mitigated. The closer any one of these network metrics approaches to its threshold, the greater the risk that network performance will exceed or violate the service-level requirements.

Each type of application traffic can have its own custom-defined quality thresholds. These constitute the service-level agreement or SLA, which is the “bar” that network performance must meet.


In WAN Insights, the word policy refers to a network or data policy that is implemented on the customer’s Cisco SD-WAN. For example, an application routing policy can state how certain types of network traffic should be routed or prioritized. WAN Insights’ recommendations are essentially network policy changes. The policies themselves are configured in vManage, not WAN Insights.


Refers to “public Internet” vs a “private network” to describe who owns the path | circuit | equipment being used. Related to Colors, which is a Cisco SD-WAN term.


Refers to “public Internet” vs a “private network” to describe who owns the path | circuit | equipment being used. Related to Colors which is a Cisco SD-WAN term.



A deep packet inspection engine used to recognize types of application traffic flowing over the Cisco SD-WAN fabric. QOSMOS is a 3rd-party engine which was used in vEdge routers (original Viptela routers) up to release 20.5.x. Starting from release 20.6.x, QOSMOS engine has been replaced with NBAR2 engine on vEdges.


Quality ultimately refers to the ongoing quality of network connection as experienced by users, and as defined by loss, latency, and jitter. In WAN Insights quality means path quality.

By improving path quality, network owners reduce the chances of providing poor service to their end users. Users whose application traffic is flowing over paths that are showing high path quality for that application, will have a higher Quality of experience (QoE).

Quality of Experience (QoE) score

The quality of experience score is a calculated score based on aggregated quality of service (QoS) measurements for loss, latency, and jitter. The QoE score is the final rollup that displays on the WAN Insights user interface as Default path quality and Recommended path quality.

Quality of Service (QoS) score

Quality of Service refers to network performance at the circuit level, which is then evaluated against the application-specific quality thresholds defined for each Application category.

Quality of service is measured separately for loss, latency, and jitter, as a weighted percentage that expresses how close the performance measure is to the threshold.

For example, if the latency threshold is 300ms, and actual latency is observed to be 299ms, that’s not good enough. Ideally, the latency should be well below 300ms. Even if it’s below the threshold, there could still be room for improvement. In this case, a latency of 300ms would have a path quality of 50%, whereas a latency of 250ms would have a path quality of 80%, and a latency of 200ms would be around 95%.

The QoS scores for loss, latency, and jitter are rolled up into the aggregated Path quality percentage, as shown on the WAN Insights user interface.

Predictive Path Recommendation

This is the name of WAN Insights as it appears in vAnalytics.


One of several possible WAN Insights Recommendation states.


Edge router, in WAN Insights. The routers that are shown in the WAN Insights UI when expanding Sites are edge routers.


A recommendation from WAN Insights is for a particular site, and refers to making network path or traffic routing changes in order to improve performance for a particular application category. Corresponds to a network policy change. Sometimes referred to as a forecast or a prediction.

Recommendation State

Refers to the status of a WAN Insights recommendation, for example Ready or Past. The state indicates whether the recommendation should be acted upon.

Refers to the Path quality that would be observed if the recommendation were to be acted upon, i.e., applied as a policy change in the SD-WAN.


SD-WAN Application Intelligence Engine. Replaces DPI and FNF, starting from vManage 20.8.x. In vManage, the customer must ensure that DPI/SAIE telemetry export to vAnalytics is enabled. In the device template, they must attach a local policy on which both Netflow and Application visibility must be enabled for vEdge (for cEdge, Application visibility is enough).

SD-WAN Appliance

Any device with the capability to work with Cisco SD-WAN, such as a router or a controller.

SD-WAN Fabric

Refers to the combined underlay and overlay in a Cisco SD-WAN. The underlay is the physical network, while the overlay is a virtual private WAN that interconnects all edge routers. The SD-WAN fabric is formed by a number of IPSec tunnels interconnecting those edge routers.

SIG Tunnel

Cisco's Secure Internet Gateway (SIG) is a cloud-delivered security service that connects to a network via a secure tunnel. SIG is a component of SASE (Secure Access Service Edge). SIG is a type of direct internet access (DIA) traffic that is encapsulated into an IPSec tunnel connected to a remote SIG location. Cisco Umbrella and Zscaler are two types of SIG traffic that are supported in Cisco SD-WAN.


A site is a physical site with one or more Cisco routers that are part of the SD-WAN. A site is typically a building, such as a customer’s branch office or data center. Sites include the end users of business applications. Each site contains one or more Routers which in turn contain one or more Interfaces.


In many common industry contexts, SLA stands for Service-Level Agreement. In WAN Insights, it refers to the quality thresholds for loss, latency, and jitter that are used to generate path change recommendations.

SLA Class

The vManage version of the quality thresholds (loss, latency, jitter) that are, in WAN Insights, associated with an application category. A WAN Insights application category consists of the vManage application list + the vManage SLA class.

SLA violation

Service-Level Agreement violation. A network performance issue identified by WAN Insights, based on aggregated 10-minute increments of network telemetry data.

Smart Account Admin

A type of vAnalytics user account.


In WAN Insights, Spoke refers to a type of site topology. Spokes connect to hub sites.



Technical Assistance Center (TAC). Refers to Cisco’s Worldwide Customer Service and Support Operations.


A template refers to a single set of hard-coded quality thresholds for loss, latency, and jitter that apply to all traffic for a given application category. (Sometimes referred to as an application template or an SLA template.)


Refers to a WAN Insights customer.


A system action that can be taken on a WAN Insights Recommendation. WAN Insights will mark an active recommendation as terminated if network conditions change so that the recommendation is no longer the best path.


One of several possible Recommendation states.

ThousandEyes Platform

The ThousandEyes Platform is the way customers access WAN Insights. ThousandEyes is an Internet and cloud intelligence platform that helps visualize the routing, availability, and performance of critical network and application providers. ThousandEyes is a Cisco-owned company.


For the Traffic & Quality Analysis feature, throughput refers to actual traffic volume.


Transport Location, needed for Cloud onRamp (CoR). A TLOC is a type of tunnel interface that represents the attachment point where a WAN Edge router connects to the WAN transport network. A TLOC is uniquely identified and represented by a three-tuple, consisting of system IP address, link Color, and Generic Routing Encapsulation (GRE or IPsec).

Top Talkers

For capacity planning, top talkers are the application categories consuming the most bandwidth on a particular device and interface. For example the router called HOST 1234 on site New York over the biz-internet interface. A top talker is not a user, or group of users. It’s application-based and refers to a type of traffic.


In WAN Insights, Topology is a filter that refers to the site type: Hub or Spoke.


Unidirectional forwarding detection. Part of vAnalytics network telemetry.


The underlay refers to the physical infrastructure of a network.


The word user has two meanings relative to WAN Insights:

User can refer to a user of the WAN Insights platform. A WAN Insights user could be a network administrator or network engineer responsible for network policies or end-user digital experience. WAN Insights users can also include infrastructure decision-makers who are seeking to compare the performance of different connectivity providers.

Relative to the WAN Insights platform, the word user also describes an end user within a business organization where the organization is a WAN Insights customer. These end users need to have a good quality digital experience in order to perform their work tasks effectively. They’re sometimes referred to as impacted users because they are directly impacted by poor network performance. They are not directly using WAN Insights themselves. These users are depicted on the WAN Insights screens under hourly user counts.

Utilization Aggregate

For capacity planning, the utilization aggregate is a setting that lets you exclude one-time outliers from the top-level saturation metric shown on the Capacity list screen by choosing a user-selectable percentile. See Capacity Planning for more information.


Cisco vAnalytics is a cloud-based service that offers insights into the performance of applications and the underlying SD-WAN network infrastructure. WAN Insights relies upon historical data from vAnalytics in order to generate recommendations and show drill-down quality of service (QoS) network metrics. Cisco vAnalytics must be activated before WAN Insights can be used.

vAnalytics Admin

A type of vAnalytics user account.


A type of Viptela router that uses a third-party tool called QOSMOS to recognize different types of application traffic. (Viptela is a Cisco SD-WAN product.)


A networking product which was acquired by Cisco, and which is now known as Cisco SD-WAN. Viptela is distinct from Meraki, another Cisco network solution. (Meraki is currently not used with WAN Insights.)

Virtual Account Admin

A type of vAnalytics user account.


Cisco’s vManage is the central tool for managing a Cisco Viptela SD-WAN network, for example making routing or policy changes based on WAN Insights recommendations.

vManage Policy

Policies in vManage determine how traffic is routed. Examples include data policies, Application-Aware Routing (AAR) policies, as well as localized vs centralized policies.


A Cisco SD-WAN component that manages the network controllers. vSmart manages all the routers in the SD-WAN network, using Overlay Management Protocol (OMP) to communicate with Cisco Edge devices.


WAN Insights

ThousandEyes WAN Insights uses Cisco SD-WAN data to make predictions about a customer's networks and generate recommendations for path changes to optimize the customer’s end-user experience when using critical business applications.

WAN Insights Data Pipeline

The chain of data processing jobs that produces all information required to power the product: recommendations, metrics, telemetry, history, application updates, etc.

Warning Thresholds

The warning thresholds defined on the capacity planning Settings tab are used in the color-coding on the Capacity list tab to indicate higher than desired saturation levels. Levels are Severe and Moderate and are user-defined. These same settings also inform the heatmap on the capacity detail calendar page, which shows Moderate as the very start of the gradient.

Note: WAN Insights is known as Predictive Path Recommendations in vAnalytics.

Last updated