Port 2426 UDP is registered with IANA for the VeloCloud MultiPath Protocol (VCMP), the data-plane tunnel used by VMware SD-WAN (formerly VeloCloud, now under Broadcom). It was registered in 2014, when SD-WAN was still a novel idea: that enterprises shouldn't need to lease expensive MPLS circuits when cheap Internet connections, intelligently combined, could do the same job better.
What Runs Here
VCMP is the tunnel that makes SD-WAN's core promise real. An SD-WAN Edge device at a branch office maintains simultaneous paths to a Gateway over broadband, fiber, LTE, whatever circuits are available. Every one of those paths is a VCMP tunnel, and port 2426 UDP carries all of it.
The protocol does more than move data. It continuously measures each path — latency, jitter, packet loss — and makes real-time steering decisions. When the primary link degrades, traffic shifts to a healthier path mid-flow, often before a human would notice anything had changed. This is Dynamic Multipath Optimization (DMPO).1
Why It Uses IPsec Over Already-Encrypted Traffic
VCMP has a quirk worth understanding: it wraps traffic in IPsec transport mode with NAT traversal (NAT-T) forced on, always and unconditionally. This means VCMP re-encrypts traffic that may already be encrypted end to end with TLS.
That's not redundancy for its own sake. The overlay needs its own encapsulation so it can carry per-packet sequencing and path metadata, steer individual flows across paths, and traverse the NAT devices found on consumer circuits (hence the always-on NAT-T). Encrypting that encapsulation keeps the tunnel's own headers and everything inside them private and tamper-evident while they cross the public Internet. For a flow that already uses TLS the second layer adds little beyond overhead; for unencrypted legacy protocols crossing the same tunnel it is the only encryption they get, which is real defense in depth.2
Packet overhead from VCMP is 31 bytes per packet, accounting for the resequencing headers, error-correction metadata, and network segmentation identifiers the protocol needs to function.3 Budget for that overhead, plus the IPsec encapsulation around it, when sizing underlay MTUs so that inner packets near 1500 bytes don't end up fragmented.
Who Uses This Port
If you see port 2426 UDP traffic in your network, you're almost certainly looking at VMware/Broadcom SD-WAN infrastructure. It appears between:
- Branch Edge devices and datacenter or cloud Gateways
- Hub sites communicating with other hubs
- Any site participating in an SD-WAN overlay
The SANS Internet Storm Center logs regular scanning against port 2426 — mostly reconnaissance, likely probing for exposed SD-WAN edge devices.4
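Telling live VCMP tunnels apart from the scanning described above is straightforward in flow data: a tunnel is bidirectional traffic between two known SD-WAN nodes, while a probe is a packet from an unknown Internet source that gets no reply. The following shell/awk classifier is an added example, not code from the original page or from VMware/Broadcom. The flow-log format, the inventory of edge and gateway addresses, and the sample records are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify UDP/2426 flow records.
# Input is a constructed, whitespace-separated flow log with the fields
#   src_ip dst_ip proto dst_port pkts_fwd pkts_rev
# The inventory below is a hypothetical allowlist of branch edges and gateways.

SDWAN_NODES="10.1.1.10 10.2.2.10 203.0.113.5 203.0.113.6"

# Constructed sample: a healthy tunnel, two Internet probes with no reply,
# an edge talking to an unknown peer on 2426, and an unrelated TCP flow.
SAMPLE_FLOWS='10.1.1.10 203.0.113.5 udp 2426 8812 8790
198.51.100.77 203.0.113.5 udp 2426 1 0
192.0.2.33 10.1.1.10 udp 2426 1 0
10.1.1.10 198.51.100.9 udp 2426 40 38
10.1.1.10 203.0.113.5 tcp 443 10 9'

# classify_2426_flows: reads flow records on stdin and prints
# "<verdict> <src> <dst>" for every UDP/2426 record. Verdicts:
#   sdwan        both endpoints are in the inventory (expected VCMP tunnel)
#   probe        source outside the inventory and no reverse packets (scanning)
#   investigate  anything else on UDP/2426 (unknown peer, or a one-sided
#                flow from a known node)
classify_2426_flows() {
    awk -v nodes="$SDWAN_NODES" '
      BEGIN { n = split(nodes, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
      $3 == "udp" && $4 == 2426 {
          src = $1; dst = $2; rev = $6 + 0
          if ((src in known) && (dst in known))   verdict = "sdwan"
          else if (!(src in known) && rev == 0)   verdict = "probe"
          else                                    verdict = "investigate"
          print verdict, src, dst
      }'
}

# classify_sample_flows: run the classifier over the constructed sample.
classify_sample_flows() {
    printf '%s\n' "$SAMPLE_FLOWS" | classify_2426_flows
}

# Real use: feed exported flow records in the same field order, e.g.
#   cat flows.txt | classify_2426_flows | grep -v '^sdwan '
classify_sample_flows
```

The "probe" verdict deliberately requires zero reverse packets; an edge that answers an unknown source on 2426 is more interesting than a scan and lands in "investigate" instead.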
What Range This Port Lives In
Port 2426 falls in the registered range (1024–49151), where IANA assigns numbers on request to vendors and organizations for a specific protocol. Registered doesn't mean universally deployed, and most networks will never see VCMP traffic, but it does mean the use is documented and intentional, not squatted.
Checking What's Using This Port
If port 2426 shows up in your environment and you're not running SD-WAN, find out which process holds the socket and which peers it talks to before deciding what it is.
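A host-side triage script for that check, added here as an example rather than taken from the original page or from any vendor tooling. It assumes a Linux host with iproute2 `ss` and tcpdump, and that the expected SD-WAN daemon name and gateway addresses are known to you; "sdwan-edge" and the `ss` lines below are constructed placeholders, not a real product binary or real output.

```shell
#!/bin/sh
# Added example, not from the original page: triage UDP/2426 sockets on a Linux host.
# Assumes iproute2 `ss`; process names require root (`ss -p`). The sample output
# below is constructed and "sdwan-edge" is a hypothetical daemon name.

# Live query: every UDP socket bound to or connected with port 2426, with its owner.
live_udp_2426() {
    ss -Hunap 'sport = :2426 or dport = :2426'
}

# Live capture: confirm the traffic is really tunnel traffic to a gateway.
capture_2426() {
    tcpdump -ni any -c 20 'udp port 2426'
}

# parse_ss_2426: turn `ss -Hunap` lines (stdin) into "local peer process" triples.
# ss columns: State Recv-Q Send-Q Local Peer [Process]
parse_ss_2426() {
    awk '$4 ~ /:2426$/ || $5 ~ /:2426$/ {
            proc = "unknown"
            # users:(("name",pid=N,fd=M)) -> name
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            print $4, $5, proc
         }'
}

# flag_unexpected_2426 ALLOWED_PEERS EXPECTED_PROC: reads triples on stdin and prints
# one line per socket that is not (expected daemon <-> allowed gateway).
# ALLOWED_PEERS is a space-separated list of IPv4 gateway addresses; ss prints IPv6
# peers as [addr]:port, so those would need bracketed entries.
flag_unexpected_2426() {
    allowed=" $1 "
    expected="$2"
    while read -r laddr peer proc; do
        case "$peer" in
            *:\*)   # unconnected listener: only the owning process can be judged
                [ "$proc" = "$expected" ] || echo "UNEXPECTED listener $laddr $proc"
                continue ;;
        esac
        peer_ip="${peer%:*}"
        case "$allowed" in
            *" $peer_ip "*) peer_ok=1 ;;
            *)              peer_ok=0 ;;
        esac
        if [ "$peer_ok" -eq 0 ] || [ "$proc" != "$expected" ]; then
            echo "UNEXPECTED $laddr -> $peer $proc"
        fi
    done
}

# Constructed `ss -Hunap` output: the edge daemon's listener and gateway tunnel,
# plus a stray script talking to an address that is not a known gateway.
SAMPLE_SS='UNCONN 0 0 10.1.1.10:2426 0.0.0.0:* users:(("sdwan-edge",pid=1234,fd=5))
ESTAB 0 0 10.1.1.10:2426 203.0.113.5:2426 users:(("sdwan-edge",pid=1234,fd=6))
ESTAB 0 0 10.1.1.10:41000 198.51.100.9:2426 users:(("python3",pid=4321,fd=3))'

# triage_sample: run parser and policy over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_SS" | parse_ss_2426 | flag_unexpected_2426 "203.0.113.5" "sdwan-edge"
}

# Real use: live_udp_2426 | parse_ss_2426 | flag_unexpected_2426 "<gateway IPs>" "<daemon>"
triage_sample
```

Without root, `ss -p` omits the process column, so every socket is reported with process "unknown" and flagged; run the live pipeline as root or accept that the process check is inconclusive.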
Unexpected UDP traffic on 2426 from unknown processes warrants investigation — though it's more likely to be mislabeled SD-WAN infrastructure than anything malicious.