In the previous lab lesson, we saw how to connect a vEdge router to the WAN transport attached to the adjacent vEdge router using a feature called TLOC Extension. After extending vEdge-1 and vEdge-2 to both WAN providers, every router in the topology now has two local TLOCs: one marked with the “biz-internet” color and one marked with the “mpls” color.

In this lab lesson, the Internet and MPLS clouds are interconnected and there is full any-to-any IP reachability in the underlay. Therefore, the default behavior of vEdges results in a full mesh of overlay tunnels between all TLOCs as illustrated in figure 1 below. 

Figure 1. A full-mesh of overlay tunnels

Recall that vEdges attempt to form a tunnel to every remote TLOC over each local color. For example, vEdge-1 attempts to form an overlay tunnel to every remote TLOC over its biz-internet interface (T11) and then again over its mpls interface (T12). This results in three different types of tunnels based on the combination of colors at both ends: 

  • biz-internet <-> biz-internet
  • biz-internet <-> mpls
  • mpls <-> mpls

In real-world deployments, an MPLS cloud is usually not reachable from the Internet, so there is no any-to-any reachability between the available WAN transports in the underlay. In such cases, we typically configure the interfaces connected to a WAN cloud that is not reachable from the outside with an additional TLOC color parameter called restrict.

What is a TLOC Color Restrict

By default, WAN edge routers try to form overlay tunnels to every TLOC received from a different site using every available local color. That is usually the desired behavior in scenarios with multiple Internet connections from various ISPs, because the Internet provides any-to-any reachability irrespective of the particular ISP. However, this behavior is not desirable in scenarios where we have private transports alongside the Internet. For example, an MPLS cloud is typically not reachable through the Internet, so we want to stop the establishment of overlay tunnels between Internet and MPLS TLOCs altogether. Without restrict, the router keeps trying to bring up cross-transport tunnels that can never succeed, which shows up as BFD sessions that never leave the down state. Even where IP reachability between the clouds does exist, the tunnels might be established over paths that are inefficient or unintended.

Figure 2. TLOC Color Restrict

Cisco SD-WAN allows us to restrict attempts to establish tunnels to TLOCs with different colors (TLOCs from different transports) using the ‘restrict’ keyword under the TLOC color configuration, as shown in the output below.

vpn 0
 interface ge0/0
  ip address 10.1.1.43/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
!

When a TLOC is marked as restricted, a WAN edge router attempts to establish an overlay tunnel from that TLOC only to remote TLOCs carrying the same color. Because the restrict flag is advertised to the other routers as an attribute of the TLOC, the remote routers honor it as well: when a vEdge router receives a TLOC marked with the color “mpls” and the restrict flag, it only attempts to form a tunnel to it over its own interfaces marked with the “mpls” color (if any). This behavior is shown in the second part of figure 2. vEdge-1 never tries to establish an IPsec tunnel from T1 to T4 or from T2 to T3, because those TLOCs do not carry the same color.

In real-world deployments, private colors such as MPLS are typically configured as restricted, while public colors such as biz-internet are generally unrestricted. 
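The pairing rule described above (every local color against every remote TLOC by default, same color only once a TLOC is restricted) is small enough to model directly. The following Python script is an added example for this lesson, not Cisco code; it implements only the rule as stated in the text, and the site IDs and system IPs it uses are constructed to resemble the lab (one router at sites 1, 3, 4, 5 and 6, each with a biz-internet and an mpls TLOC). It reports how many tunnels vEdge-1 would attempt and which color combinations appear, with and without restrict on the mpls color.

```python
"""Which overlay tunnels a WAN edge attempts, with and without restrict.

Added example for this lesson; it is not Cisco code and only models the rule
described in the text: a router tries a tunnel from every local TLOC to every
TLOC received from another site, except that a TLOC flagged restrict (on either
end, since the flag travels with the TLOC) is only paired with TLOCs of the same
color. The site IDs and system IPs are constructed to resemble the lab.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    site_id: int
    color: str
    restrict: bool = False


def tunnel_attempted(local: Tloc, remote: Tloc) -> bool:
    """Return True if `local` would try to bring up a tunnel to `remote`."""
    if local.site_id == remote.site_id:
        return False                      # no overlay tunnel within a site
    if local.color == remote.color:
        return True                       # same transport: always attempted
    # cross-transport pair: only attempted when neither end is restricted
    return not (local.restrict or remote.restrict)


def lab_tlocs(mpls_restricted: bool) -> list[Tloc]:
    """Two TLOCs per router for sites 1 and 3..6 (constructed lab data)."""
    tlocs = []
    for site in (1, 3, 4, 5, 6):
        ip = f"{site}.{site}.{site}.{site}"
        tlocs.append(Tloc(ip, site, "biz-internet"))
        tlocs.append(Tloc(ip, site, "mpls", restrict=mpls_restricted))
    return tlocs


def attempted_from(system_ip: str, tlocs: list[Tloc]) -> list[tuple[str, str, str]]:
    """(local color, remote system IP, remote color) for each tunnel a router tries."""
    local = [t for t in tlocs if t.system_ip == system_ip]
    remote = [t for t in tlocs if t.system_ip != system_ip]
    return sorted(
        (loc.color, rem.system_ip, rem.color)
        for loc, rem in product(local, remote)
        if tunnel_attempted(loc, rem)
    )


def color_combinations(attempts) -> set[tuple[str, str]]:
    """Distinct (local color, remote color) pairs among the attempted tunnels."""
    return {(lc, rc) for lc, _, rc in attempts}


if __name__ == "__main__":
    for restricted in (False, True):
        attempts = attempted_from("1.1.1.1", lab_tlocs(restricted))
        print(f"mpls restrict={restricted}: {len(attempts)} tunnels, "
              f"combinations={sorted(color_combinations(attempts))}")
```

With restrict off, vEdge-1 tries 16 tunnels (2 local colors x 8 remote TLOCs) and all four ordered color pairs appear; with restrict on the mpls color it tries 8, and only the biz-internet/biz-internet and mpls/mpls pairs remain. The model is symmetric on purpose: setting restrict on the remote TLOC alone gives the same result, which is what the advertised flag achieves on the real routers.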

Configuring TLOC Color Restrict

Configuring a TLOC color as restricted is as simple as adding one additional parameter, “restrict,” alongside the color keyword. In our lab topology, let’s log into every vEdge router and configure the mpls color as restricted.

Configure this on all vEdges
vEdge-1# conf t
vEdge-1(config)# vpn 0 int ge0/1
vEdge-1(config-interface-ge0/1)# tunnel-interface
vEdge-1(config-tunnel-interface)# color mpls restrict
vEdge-1(config-tunnel-interface)# commit and-quit
Commit complete.

Once the configuration is committed, we can see that now there are only two combinations of tunnels:

  • biz-internet<->biz-internet
  • mpls<->mpls

Notice that there are no biz-internet <-> mpls tunnels any more: the mpls color is now restricted, so the vEdges will not form a tunnel to an MPLS TLOC over their local biz-internet TLOCs, nor from their local MPLS TLOC to a remote biz-internet TLOC.

vEdge-1# show bfd sessions | t
#some columns are omitted for clarity
                             SYSTEM   SITE                                   
SRC IP     DST IP     PROTO  IP       ID    LOCAL COLOR   COLOR         STATE
-----------------------------------------------------------------------------
10.10.1.1  10.10.0.3  ipsec  3.3.3.3  3     mpls          mpls          up     
39.3.0.1   39.3.0.3   ipsec  3.3.3.3  3     biz-internet  biz-internet  up   
10.10.1.1  10.10.0.4  ipsec  4.4.4.4  4     mpls          mpls          up    
39.3.0.1   39.3.0.4   ipsec  4.4.4.4  4     biz-internet  biz-internet  up   
10.10.1.1  10.10.0.5  ipsec  5.5.5.5  5     mpls          mpls          up   
39.3.0.1   39.3.0.5   ipsec  5.5.5.5  5     biz-internet  biz-internet  up   
10.10.1.1  10.10.0.6  ipsec  6.6.6.6  6     mpls          mpls          up     
39.3.0.1   39.3.0.6   ipsec  6.6.6.6  6     biz-internet  biz-internet  up 
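Reading the table by eye works for one router, but the same check is worth scripting when it has to be repeated on every vEdge. The following Python script is an added example for this lesson, not a Cisco tool: it parses the tabular BFD output by whitespace, keeps the first eight columns (SRC IP, DST IP, PROTO, SYSTEM IP, SITE ID, LOCAL COLOR, COLOR, STATE) and reports any session whose two ends carry different colors, plus any session that is not up. AFTER_RESTRICT is the vEdge-1 output shown above; BEFORE_RESTRICT is a constructed excerpt of what cross-transport sessions look like before the change.

```python
"""Flag cross-transport sessions in 'show bfd sessions | tab' output.

Added example for this lesson, not a Cisco tool. Each row is split on
whitespace and the first eight columns are read (SRC IP, DST IP, PROTO,
SYSTEM IP, SITE ID, LOCAL COLOR, COLOR, STATE); any trailing columns the real
command prints are ignored. AFTER_RESTRICT is the lesson's vEdge-1 output;
BEFORE_RESTRICT is a constructed excerpt of a full mesh.
"""
from collections import Counter

PROTOS = {"ipsec", "gre"}   # encapsulations that appear in the PROTO column

# Constructed: what the same router shows before the mpls color is restricted.
BEFORE_RESTRICT = """\
                             SYSTEM   SITE
SRC IP     DST IP     PROTO  IP       ID    LOCAL COLOR   COLOR         STATE
-----------------------------------------------------------------------------
10.10.1.1  10.10.0.3  ipsec  3.3.3.3  3     mpls          mpls          up
10.10.1.1  39.3.0.3   ipsec  3.3.3.3  3     mpls          biz-internet  up
39.3.0.1   10.10.0.3  ipsec  3.3.3.3  3     biz-internet  mpls          up
39.3.0.1   39.3.0.3   ipsec  3.3.3.3  3     biz-internet  biz-internet  up
"""

# The lesson's output after 'color mpls restrict' on every vEdge.
AFTER_RESTRICT = """\
                             SYSTEM   SITE
SRC IP     DST IP     PROTO  IP       ID    LOCAL COLOR   COLOR         STATE
-----------------------------------------------------------------------------
10.10.1.1  10.10.0.3  ipsec  3.3.3.3  3     mpls          mpls          up
39.3.0.1   39.3.0.3   ipsec  3.3.3.3  3     biz-internet  biz-internet  up
10.10.1.1  10.10.0.4  ipsec  4.4.4.4  4     mpls          mpls          up
39.3.0.1   39.3.0.4   ipsec  4.4.4.4  4     biz-internet  biz-internet  up
10.10.1.1  10.10.0.5  ipsec  5.5.5.5  5     mpls          mpls          up
39.3.0.1   39.3.0.5   ipsec  5.5.5.5  5     biz-internet  biz-internet  up
10.10.1.1  10.10.0.6  ipsec  6.6.6.6  6     mpls          mpls          up
39.3.0.1   39.3.0.6   ipsec  6.6.6.6  6     biz-internet  biz-internet  up
"""


def parse_sessions(text: str) -> list[dict]:
    """Turn the tabular output into one dict per BFD session."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] not in PROTOS:
            continue                       # header, separator or blank line
        sessions.append({
            "src": f[0], "dst": f[1], "proto": f[2], "system_ip": f[3],
            "site_id": int(f[4]), "local_color": f[5], "remote_color": f[6],
            "state": f[7],
        })
    return sessions


def color_pairs(sessions: list[dict]) -> Counter:
    """How many sessions exist per (local color, remote color) combination."""
    return Counter((s["local_color"], s["remote_color"]) for s in sessions)


def cross_transport(sessions: list[dict]) -> list[dict]:
    """Sessions whose two ends are on different colors (different transports)."""
    return [s for s in sessions if s["local_color"] != s["remote_color"]]


def check(text: str) -> dict:
    """Summary a practitioner would want from one router's output."""
    sessions = parse_sessions(text)
    return {
        "total": len(sessions),
        "cross_transport": len(cross_transport(sessions)),
        "down": sum(1 for s in sessions if s["state"] != "up"),
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE_RESTRICT), ("after", AFTER_RESTRICT)):
        print(name, check(text), dict(color_pairs(parse_sessions(text))))
```

On the output above the script reports eight sessions, none cross-transport and none down; on the constructed pre-restrict excerpt it flags the two mpls/biz-internet rows. To run it against a live router, save the output of `show bfd sessions | tab` to a file and pass its contents to `check`; a non-zero cross_transport count after the change means a router was missed in the restrict rollout.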

Now compare the overlay topology of tunnels shown in figure 3 below with the full-mesh that the vEdges had formed initially. 

Figure 3. A partial-mesh of overlay tunnels

In the common section for Centralised Data Policies, we are going to see that there are other methods we can use to control the overlay fabric topology. However, TLOC color restrict is one of the simplest and most efficient ways to prevent cross-transport tunnels between WAN clouds.