One of the major reasons Viptela decided to build their own routing protocol for their SD-WAN is the introduction of TLOCs. TLOCs, or Transport Locators, are a tuple of information that acts as the next hop of a route within the SD-WAN fabric. A TLOC simply describes the WAN interface of an edge router. TLOCs are sent to the Cisco SD-WAN Controller and then reflected down to the other edge devices.
As you can see from the above picture, SD-WAN edges “resolve” IP routes to TLOCs in their TLOC route table. You may notice that the TLOC has a field called preference. This field is tunable by the network operator and allows us to steer traffic. Consider the following design:
While this example shows two TLOCs on different devices at the same site, the same concept applies to multiple WAN connections on the same edge device.
In this design, cEdge3 has two routes to reach the 192.168.1.0/24 segment. By default, both routes will be installed and traffic will be load-balanced with ECMP. There are multiple ways to prefer one of these routes, including OMP preference, longest-match routing, and TLOC preference. Here, we will focus on TLOC preference. There are multiple ways to set TLOC preference:
On the Edge Device (CLI)
Let’s start with the simplest method first, the good old CLI. Keep in mind that your device must not be in template mode for this method. To edit the preference in the CLI, drop into the interface configuration under sdwan config mode and add “preference [preference]” onto the end of the encapsulation command.
! output of show sdwan run sdwan !
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec preference 122 weight 1
On the Edge Device (Interface Template)
Another method of modifying the local device applies if the device is in template mode. I will admit, this setting is definitely hidden and difficult to find. But if you know the CLI, you can think of the template hierarchy as mirroring the CLI hierarchy, since the two are similar. We need to modify the interface template of interest, specifically the tunnel interface section under “Advanced Options”.
Some sources say this method only works on a vEdge; I have not found that to be the case. The equipment list for this post is at the end of the article.
After applying the interface template, we can see that it results in the same command as we manually entered on the device that was in CLI mode:
encapsulation ipsec preference 122 weight 1
Using Central Policy
Another method to modify TLOC preference is to overwrite the preference in the TLOC route as it traverses the controller (vSmart). Remember that all control plane data between edges is sent through vSmart, giving us a chance to modify the TLOC route in transit.
To do this, we need to create a central control policy (or modify an existing one). But first, under Configuration > Policies, we will need to define our lists. Under Custom Options > Centralized Policy > Lists, add a TLOC list with a single TLOC (the one you want to modify). If you are planning to apply the policy in the outbound direction, you also need to add a site list containing the sites that should see this TLOC change. Inversely, you could apply the policy in the inbound direction, in which case you only need a site list containing the site-id of the site whose TLOC you are modifying.
Then, you will need to create a policy with a “custom control” topology. Under Centralized Policy, add a new policy (or edit an existing one). Click Next to get to the “Configure Topology and VPN Membership” menu. Click “Add Topology” and select “Custom Control (Route & TLOC)”.
In the custom control topology, add a TLOC sequence matching your TLOC of interest. Under the action, select “Accept” and add a Preference action with your desired value. Then add a match-all sequence with an Accept action; without it, every other TLOC would be dropped by the policy’s implicit deny.
Now we need to add an accept-all route policy entry. Click the “+ Sequence Type” button and add a route policy. Then add a match-all entry and change its action to Accept.
Lastly, at the end of the wizard you will need to apply the policy to a site list. I am choosing to apply the policy in the outbound direction. This means that I will need a site list of all the sites that I want to see this TLOC preference change. You could also apply the policy in the inbound direction to a site list containing only the site whose TLOC you want to change.
Verification
We can then check the resulting TLOC route from the perspective of another edge (or the controller):
! output of show sdwan omp tlocs !
---------------------------------------------------
tloc entries for 10.11.254.1
                 biz-internet
                 ipsec
---------------------------------------------------
RECEIVED FROM:
    ! output omitted for brevity !
    lost-to-path-id   not set
    Attributes:
        ! output omitted for brevity !
        preference    122
Now, if an edge device receives two otherwise identical OMP routes with the same OMP preference, it will compare TLOC preference, and our new preference of 122 will win against a TLOC with a lower preference.
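To make the tie-break concrete, here is an added example (not from the original post, and not Cisco code) that parses a constructed `show sdwan omp tlocs`-style snippet into a TLOC preference table and then applies the selection rule described above to the two-route design from earlier: keep the highest OMP preference, then the highest TLOC preference, and ECMP across whatever remains. The sample output, system IPs and preference values are made up for this example, and the selection is a simplified model of OMP best-path, not the full algorithm.

```python
import re

# Constructed sample in the style of "show sdwan omp tlocs" (values are made up).
# Two TLOCs on different edges share the color biz-internet and encap ipsec; only
# 10.11.254.1 has had its preference raised to 122.
SAMPLE_TLOCS = """\
---------------------------------------------------
tloc entries for 10.11.254.1
                 biz-internet
                 ipsec
---------------------------------------------------
RECEIVED FROM:
    Attributes:
        preference    122
        weight        1
---------------------------------------------------
tloc entries for 10.11.254.2
                 biz-internet
                 ipsec
---------------------------------------------------
RECEIVED FROM:
    Attributes:
        preference    0
        weight        1
"""

def parse_tloc_preferences(text):
    """Map (system-ip, color, encap) -> preference; takes the first
    'preference N' attribute seen under each 'tloc entries for' header."""
    prefs = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"tloc entries for (\S+)", line)
        if not m:
            continue
        tloc = (m.group(1), lines[i + 1], lines[i + 2])  # ip, color, encap
        for attr in lines[i + 3:]:
            if attr.startswith("tloc entries for"):
                break  # next TLOC block, no preference attribute found
            p = re.match(r"preference\s+(\d+)", attr)
            if p:
                prefs[tloc] = int(p.group(1))
                break
    return prefs

def select_next_hops(routes, tloc_prefs):
    """routes: list of (tloc, omp_preference) for ONE prefix. Highest OMP
    preference wins, then highest TLOC preference (default 0); the survivors
    are the ECMP set. Simplified model of the rule the post describes."""
    best_omp = max(pref for _, pref in routes)
    survivors = [t for t, pref in routes if pref == best_omp]
    best_tloc = max(tloc_prefs.get(t, 0) for t in survivors)
    return sorted(t for t in survivors if tloc_prefs.get(t, 0) == best_tloc)
```

Passing an empty preference table shows the pre-change behaviour: both TLOCs survive and the prefix is ECMP-balanced, exactly the situation the preference of 122 was set to resolve.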
Equipment List
Component | Version
Cisco SD-WAN Manager (vManage) | 20.13.1
Cisco SD-WAN Validator (vBond) | 20.13.1
Cisco SD-WAN Controller (vSmart) | 20.13.1
Cisco SD-WAN Edge (IOS-XE) | 17.13.01a
Cisco CML | 2.7.0+build.4