LAB 3 - Controlling the topology with Tunnel Groups

In the previous lab example, we saw how to control the overlay topology using restricted TLOC colors. In this example, we will see how to use tunnel-groups in conjunction with the restrict parameter to break up the overlay fabric into two separate meshes of tunnels.

In real-world deployments, it is pretty standard for organizations to have a group of branches in close geographical proximity, such as stores on the east coast and another faraway group, for example, on the west coast.

We will make a mesh of overlay tunnels between vEdges 1,2,3 and 4 (highlighted in yellow) and another mesh of tunnels between vEdges 1,2,5,6 (highlighted in purple). To achieve that, we will configure the TLOCs of vEdge-3 and 4 with the tunnel-group id 1. On the opposite side, we will configure the TLOCs of vEdge-5 and 6 with the tunnel-group id 2.

Recall that a local TLOC will only form an overlay tunnel to remote TLOCs that have the same tunnel-group-id or no tunnel-group-id. Tunnel groups work in conjunction with the color restrict option. If a color is restricted, a local TLOC with that color will only form a tunnel to remote TLOCs with the same tunnel-group ID and the same TLOC color.

Therefore, to achieve the topology shown in figure 1, we must configure the local TLOCs of vEdge-3 and 4 with tunnel-group id 1 and the ones of vEdge-5 and 6 with group id 2. The key point here is that the local TLOCs of vEdges 1 and 2 must be configured with no group id so they can make tunnels to all tunnel-group ids.

Configuring tunnel-groups on vEdges 3,4,5 and 6

Configuring tunnel groups is as simple as adding one parameter to the local TLOC configuration on a transport interface in vpn 0. Just go ahead and configure the local TLOCs of vEdges 3 and 4 with group id 1 as shown in the output below.

Configure this on vEdge-3 and vEdge-4
vpn 0
 interface ge0/0
  tunnel-interface
   group 1
 !
 interface ge0/1
  tunnel-interface
   group 1
!

When we apply and commit this configuration, nothing will change yet because all other TLOCs in the environment will still have no group-id configured. (any group-id forms a tunnel to no group-id). However, let’s go ahead and configure the local TLOCs of vEdges 5 and 6 with a different group-id 2.

Configure this on vEdge-5 and vEdge-6
vpn 0
 interface ge0/0
  tunnel-interface
   group 2
 !
 interface ge0/1
  tunnel-interface
   group 2
!

Once we apply this configuration, we can see that vEdges 3 and 4 no longer form overlay tunnels to vEdges 5 and 6 because their TLOCs have different tunnel-group id.

Let’s verify the topology by checking the BFD sessions on vEdge-3 and vEdge-6.

Full Content Access is for Registered Users Only (it's FREE)...

Learn any CCNA, DevNet or Network Automation topic with animated explanation.
We focus on simplicity. Networking tutorials and examples written in simple, understandable language for beginners.