TLOC Color vs Tunnel Group

By default in Cisco SD-WAN, vEdges will try to build a full-mesh overlay by establishing tunnels to all other TLOCs, regardless of their color. This behavior was explained in detail in our lesson for TLOC colors. For scenarios, where a full-mesh is not the desired overlay topology, there is an option called restrict, that allows only tunnels to TLOCs marked with the same color. Typically, this feature is configured on transports marked with private colors because a private cloud usually does not have reachability to public ones such as the Internet. However, the TLOC color-restrict option is not flexible enough because of the following limitation - only one interface can be marked with a particular color per WAN edge router.

IMPORTANT TOPIC  A WAN edge router can't have multiple interfaces marked with the same color, because it breaks the uniqueness of the TLOC route! A TLOC is uniquely represented by a three-tuple (System-IP, Color, Encap). The system IP makes the route unique to a particular WAN edge device that has this system-IP address and the color makes the route unique to a particular interface on this exact WAN edge router.

If we look at the example shown in figure 1, vEdge-2 has one connection to the MPLS cloud that is marked with the mpls color. Therefore, different private color has to be assigned to the second interface (metro-ethernet).

Use Case 1: Grouping different interfaces to the same transport

If we want to have two overlay tunnels to vEdge-2 over the same MPLS transport, we can not use the restrict option on the mpls color. But then, if the private colors do not have the restrict option configured, they will try to establish tunnels to all other public colors that exist. 

Multiple interfaces to the same transport (no restrict option used)
Figure 1. Multiple interfaces to the same transport (no restrict option used)

The tunnel-group feature is designed to give more flexibility and granular control over the overlay tunnel establishments irrespective of the TLOC color. It works by assigning a tunnel group ID under a tunnel. Once the group-ID is configured under the TLOC, it obeys the following rules:

  • TLOCs can only establish tunnels with remote TLOCs with the same tunnel-group IDs irrespective of the TLOC color.
  • TLOCs with any tunnel-group ID will also form tunnels with TLOCs that have no tunnel-group IDs assigned.
  • If the restrict-option is configured in conjunction with the tunnel-group option, then TLOCs will only form an overlay tunnel to remote TLOCs having the same tunnel-group ID and TLOC color

So if we go back to the example shown in figure 1, all interfaces attached to the MPLS cloud can be configured with the same tunnel-group 1 without the restrict feature. In this way, vEdge-1 will form an overlay tunnel to both interfaces of vEdge-2 but at the same time, tunnels to other public colors/tunnel-groups will not be attempted. 

Use Case 2: Grouping different colors

Another typical use case that is illustrated in figure 2 is when a remote site (vEdge-3) uses different colors compared to the rest of the sites. In a typical real-world deployment, you would like to configure the private colors to only form tunnels over the private MPLS cloud and the same for the public colors of the Internet. This exact setup is only possible using tunnel-groups. By assigning all private colors to one tunnel-group (for example 2) and assigning all public colors with different tunnel group (for example 1), we will prevent the forming of overlay tunnels between the public and private transports while still allowing different private colors to form tunnels (which would not be possible if we use the restrict-option).

Multiple colors combined in two tunnel groups (no restrict option used)
Figure 2. Multiple colors combined in two tunnel groups (no restrict option used)

Use Case 3: Grouping different meshes

Another typical use-case would be if we like to achieve groupings of meshed tunnels as it is illustrated in figure 3. All interfaces in the left tunnel-mesh are configured with group-id 10 and all interfaces in the right tunnel-mesh are assigned a group-id of 20. However, the key point of this example is that the hub routers don't have tunnel-group IDs configured on their interfaces, so they will form overlay tunnels with all other tunnel-group IDs.

Grouping different meshes (no restrict option used)
Figure 3. Grouping different meshes (no restrict option used)

Configuring Tunnel-Groups

Configuring this feature is very straight-forward. You just enter in the tunnel configuration mode of a particular interface and enter a group value as is shown in the example below.

vpn 0
 interface ge0/0
  ip address
  ipv6 address 2001:AB44:15F:A332::1/64
   encapsulation ipsec
   group 10
   color public-internet
   allow-service all
  no shutdown

The tunnel group is advertised as an attribute in the TLOC route. The possible values for tunnel groups are between 0 and 4294967295.

vEdge-5# show omp tlocs
tloc entries for
            RECEIVED FROM:                   
status          C,Red,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         258
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-port       12346
     private-port      12346
     public-ip         2001:ab44:15f:a332::1
     public-port       12346
     private-ip        2001:ab44:15f:a332::1
     private-port      12346
     bfd-status        up
     domain-id         not set
     site-id           80
     overlay-id        not set
     preference        0
     tag               not set
     stale             not set
     weight            1
     version           2
    gen-id             0x80000013
     carrier           default
     restrict          0
     groups            ( 10 )
     border             not set
     unknown-attr-len  not set