TLOC Color vs Tunnel Group
By default in Cisco SD-WAN, vEdges try to build a full-mesh overlay by establishing tunnels to all other TLOCs, regardless of their color. This behavior was explained in detail in our lesson on TLOC colors. For scenarios where a full mesh is not the desired overlay topology, there is an option called restrict that allows tunnels only to TLOCs marked with the same color. Typically, this feature is configured on transports marked with private colors, because a private cloud usually does not have reachability to public ones such as the Internet. However, the TLOC color-restrict option is not flexible enough because of the following limitation: only one interface per WAN edge router can be marked with a particular color.
IMPORTANT TOPIC: A WAN edge router can't have multiple interfaces marked with the same color, because that would break the uniqueness of the TLOC route! A TLOC is uniquely represented by a three-tuple (System-IP, Color, Encap). The system IP makes the route unique to the particular WAN edge device that owns that system-IP address, and the color makes the route unique to a particular interface on that exact WAN edge router.
If we look at the example shown in figure 1, vEdge-2 has one connection to the MPLS cloud that is marked with the mpls color. Therefore, a different private color has to be assigned to the second interface (metro-ethernet).
Use Case 1: Grouping different interfaces to the same transport
If we want to have two overlay tunnels to vEdge-2 over the same MPLS transport, we cannot use the restrict option on the mpls color. But if the private colors do not have the restrict option configured, they will try to establish tunnels to every other public color that exists.
The tunnel-group feature is designed to give more flexibility and granular control over overlay tunnel establishment, irrespective of the TLOC color. It works by assigning a tunnel group ID under a tunnel interface. Once the group ID is configured under the TLOC, it obeys the following rules:
- TLOCs can only establish tunnels with remote TLOCs with the same tunnel-group IDs irrespective of the TLOC color.
- TLOCs with any tunnel-group ID will also form tunnels with TLOCs that have no tunnel-group IDs assigned.
- If the restrict option is configured in conjunction with the tunnel-group option, then TLOCs will only form an overlay tunnel to remote TLOCs having both the same tunnel-group ID and the same TLOC color.
So if we go back to the example shown in figure 1, all interfaces attached to the MPLS cloud can be configured with the same tunnel-group 1 without the restrict feature. In this way, vEdge-1 will form an overlay tunnel to both interfaces of vEdge-2 but at the same time, tunnels to other public colors/tunnel-groups will not be attempted.
Use Case 2: Grouping different colors
Another typical use case, illustrated in figure 2, is when a remote site (vEdge-3) uses different colors compared to the rest of the sites. In a typical real-world deployment, you would like the private colors to only form tunnels over the private MPLS cloud, and likewise the public colors to only form tunnels over the Internet. This exact setup is only possible using tunnel groups. By assigning all private colors to one tunnel group (for example 2) and all public colors to a different tunnel group (for example 1), we prevent overlay tunnels from forming between the public and private transports while still allowing different private colors to form tunnels with each other (which would not be possible with the restrict option).
Use Case 3: Grouping different meshes
Another typical use case is achieving groupings of meshed tunnels, as illustrated in figure 3. All interfaces in the left tunnel mesh are configured with group ID 10 and all interfaces in the right tunnel mesh are assigned group ID 20. The key point of this example is that the hub routers don't have tunnel-group IDs configured on their interfaces, so they will form overlay tunnels with all other tunnel-group IDs.
Configuring this feature is very straightforward. You just enter the tunnel-interface configuration mode of a particular interface and enter a group value, as shown in the example below.
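The three rules above (and the restrict option they interact with) are easy to get wrong when mixing grouped, ungrouped and restricted TLOCs, so the following added example, written for this lesson and not part of the original page or any Cisco tool, models them on a constructed topology in the spirit of Use Cases 2 and 3 (spokes in groups 10 and 20, an ungrouped hub, a second private color, and one restricted TLOC). It assumes that a restricted TLOC still applies its same-color check against a peer that has no tunnel group, which the lesson does not state explicitly.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Tloc:
    """A TLOC is the three-tuple (system-ip, color, encap); group/restrict are the two knobs."""
    system_ip: str
    color: str
    encap: str = "ipsec"
    group: Optional[int] = None  # tunnel-group ID under tunnel-interface; None = not configured
    restrict: bool = False       # TLOC color 'restrict' option

def will_form_tunnel(a: Tloc, b: Tloc) -> bool:
    """Decide whether two TLOCs on different routers would build an overlay tunnel."""
    if a.system_ip == b.system_ip:
        return False  # a router never tunnels to its own TLOCs
    # Rules 1 and 2: tunnel-group IDs must match, unless one side has no group at all.
    if a.group is not None and b.group is not None and a.group != b.group:
        return False
    # Rule 3 (and plain restrict): a restricted TLOC only peers with the same color.
    # Assumption: the color check also applies when the peer has no tunnel group.
    if (a.restrict or b.restrict) and a.color != b.color:
        return False
    return True

def peers_of(tlocs: List[Tloc], system_ip: str) -> List[str]:
    """Sorted system-IPs that the given router would establish tunnels to."""
    mine = [t for t in tlocs if t.system_ip == system_ip]
    others = [t for t in tlocs if t.system_ip != system_ip]
    return sorted({o.system_ip for m in mine for o in others if will_form_tunnel(m, o)})

# Constructed topology (not the lesson's figures): two spoke groups, an ungrouped hub,
# a spoke with a second private color, and a spoke that also sets restrict.
SAMPLE = [
    Tloc("10.0.0.1", "mpls", group=10),
    Tloc("10.0.0.2", "mpls", group=10),
    Tloc("10.0.0.3", "metro-ethernet", group=10),    # different private color, same group
    Tloc("10.0.0.4", "biz-internet", group=20),      # public transport in its own group
    Tloc("10.0.0.5", "mpls", group=10, restrict=True),
    Tloc("10.0.0.9", "mpls"),                        # hub: no group, tunnels to every group
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.system_ip:9} {t.color:15} group={t.group} -> {peers_of(SAMPLE, t.system_ip)}")
```

Running it shows the hub peering with every spoke, group 20 peering only with the hub, and the restricted mpls TLOC refusing the metro-ethernet spoke even though both are in group 10.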
vpn 0
 interface ge0/0
  ip address 126.96.36.199/30
  ipv6 address 2001:AB44:15F:A332::1/64
  tunnel-interface
   encapsulation ipsec
   group 10
   color public-internet
   allow-service all
  !
  no shutdown
 !
The tunnel group is advertised as an attribute (groups) in the TLOC route, next to the restrict flag, as demonstrated in Example 3-10; checking these two attributes in show omp tlocs is the quickest way to verify what a peer will actually accept. The possible values for tunnel groups are between 0 and 4294967295.
vEdge-5# show omp tlocs
---------------------------------------------------
tloc entries for 188.8.131.52
                 public-internet
                 ipsec
---------------------------------------------------
            RECEIVED FROM:
peer            0.0.0.0
status          C,Red,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
    Attributes:
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         258
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-ip         184.108.40.206
     public-port       12346
     private-ip        220.127.116.11
     private-port      12346
     public-ip         2001:ab44:15f:a332::1
     public-port       12346
     private-ip        2001:ab44:15f:a332::1
     private-port      12346
     bfd-status        up
     domain-id         not set
     site-id           80
     overlay-id        not set
     preference        0
     tag               not set
     stale             not set
     weight            1
     version           2
     gen-id            0x80000013
     carrier           default
     restrict          0
     groups            [ 10 ]
     border            not set
     unknown-attr-len  not set