In the previous lab lesson, we have seen how we can connect a vEdge router to the WAN transport attached to the adjacent vEdge router using a feature called TLOC Extension. After we have extended vEdge-1 and vEdge-2 to both WAN providers, all routers in the topology now have two local TLOCs each - one marked with “biz-internet” color and another one marked with the “mpls” color.
In this lab lesson, the Internet and MPLS clouds are interconnected and there is full any-to-any IP reachability in the underlay. Therefore, the default behavior of vEdges results in a full mesh of overlay tunnels between all TLOCs as illustrated in figure 1 below.
Recall that vEdges attempt to form a tunnel to every remote TLOC over each local color. For example, vEdge-1 attempts to form an overlay tunnel to every remote TLOC over its biz-internet interface (T11) and then again over its mpls interface (T12). This results in three different types of tunnels based on the combination of colors at both ends:
- biz-internet <-> biz-internet
- biz-internet <-> mpls
- mpls <-> mpls
In real-world deployments, it is far more likely that an MPLS cloud is not reachable from the Internet and there is no any-to-any reachability between all available WAN transports in the underlay. In such cases, we typically want to configure the interfaces connected to a WAN cloud that is not reachable from the outside, with an additional TLOC Color parameter called Restrict.
What is a TLOC Color Restrict
By default, WAN edge routers try to form overlay tunnels to every received TLOC from a different site using every available local color. That is usually the desired behavior in scenarios with multiple Internet connections from various ISPs because the Internet provides any-to-any reachability irrespective of the particular ISP. However, this behavior might not be desirable in scenarios where we have private transports alongside the Internet. For example, an MPLS cloud is typically not reachable through the Internet. Therefore, we would like to stop the establishment of overlay tunnels between the Internet and MPLS TLOCs. Even though IP reachability between the clouds may exist, the tunnels might be established over paths that are inefficient or unintended.
Cisco SD-WAN allows us to restrict attempts to establish tunnels to TLOCs with different colors (TLOCs from different transports) using the ‘restrict’ keyword under the TLOC color configuration, as shown in the output below.
vpn 0 interface ge0/0 ip address 10.1.1.43/24 tunnel-interface encapsulation ipsec color mpls restrict !
When a TLOC is marked as restricted, a WAN edge route router will attempt to establish an overlay tunnel to a remote TLOC only via its transport interfaces marked with the same color. For example, when a vEdge router receives a TLOC marked with the color “mpls” - it will only attempt to form a tunnel over its interfaces marked with the “mpls” color (if any). This behavior is demonstrated in the second part of figure 2. vEdge-1 will never try to establish an IPsec tunnel from T1 to T4 or T2 to T3 because the TLOCs are not marked with the same color.
In real-world deployments, private colors such as MPLS are typically configured as restricted, while public colors such as biz-internet are generally unrestricted.
Configuring TLOC Color Restrict
Configuring a TLOC color as restricted is as simple as adding one additional parameter, “restrict,” alongside the color keyword. In our lab topology, let’s log into every vEdge router and configure the mpls color as restricted.
Configure this on all vEdges vEdge-1# conf t vEdge-1(config)# vpn 0 int ge0/1 vEdge-1(config-interface-ge0/1)# tunnel-interface vEdge-1(config-tunnel-interface)# color mpls restrict vEdge-1(config-tunnel-interface)# commit and-quit Commit complete.
Once the configuration is committed, we can see that now there are only two combinations of tunnels:
Notice that there aren’t any biz-internet <--> mpls tunnels because the mpls color is now restricted, and vEdges would not form a tunnel to an MPLS TLOC over their local biz-internet TLOCs.
vEdge-1# show bfd sessions | t #some columns are omitted for clarity SYSTEM SITE SRC IP DST IP PROTO IP ID LOCAL COLOR COLOR STATE ----------------------------------------------------------------------------- 10.10.1.1 10.10.0.3 ipsec 220.127.116.11 3 mpls mpls up 18.104.22.168 22.214.171.124 ipsec 126.96.36.199 3 biz-internet biz-internet up 10.10.1.1 10.10.0.4 ipsec 188.8.131.52 4 mpls mpls up 184.108.40.206 220.127.116.11 ipsec 18.104.22.168 4 biz-internet biz-internet up 10.10.1.1 10.10.0.5 ipsec 22.214.171.124 5 mpls mpls up 126.96.36.199 188.8.131.52 ipsec 184.108.40.206 5 biz-internet biz-internet up 10.10.1.1 10.10.0.6 ipsec 220.127.116.11 6 mpls mpls up 18.104.22.168 22.214.171.124 ipsec 126.96.36.199 6 biz-internet biz-internet up
Now compare the overlay topology of tunnels shown in figure 3 below with the full-mesh that the vEdges had formed initially.
In the common section for Centralised Data Policies, we are going to see that there are other methods that we can use to control the overlay fabric topology. However, the TLOC color is one of the simplest and most efficient ways to forbid the cross transport tunnels between WAN clouds.