Tunnel Groups

TLOC Color vs Tunnel Group

By default in Cisco SD-WAN, vEdges will try to build a full-mesh overlay by establishing tunnels to all other TLOCs, regardless of their color. This behavior was explained in detail in our lesson for TLOC colors. For scenarios, where a full-mesh is not the desired overlay topology, there is an option called restrict, that allows only tunnels to TLOCs marked with the same color. Typically, this feature is configured on transports marked with private colors because a private cloud usually does not have reachability to public ones such as the Internet. However, the TLOC color-restrict option is not flexible enough because of the following limitation - only one interface can be marked with a particular color per WAN edge router.

IMPORTANT TOPIC A WAN edge router can't have multiple interfaces marked with the same color, because it breaks the uniqueness of the TLOC route! A TLOC is uniquely represented by a three-tuple (System-IP, Color, Encap). The system IP makes the route unique to a particular WAN edge device that has this system-IP address and the color makes the route unique to a particular interface on this exact WAN edge router.

If we look at the example shown in figure 1, vEdge-2 has one connection to the MPLS cloud that is marked with the mpls color. Therefore, different private color has to be assigned to the second interface (metro-ethernet).

Use Case 1: Grouping different interfaces to the same transport

If we want to have two overlay tunnels to vEdge-2 over the same MPLS transport, we can not use the restrict option on the mpls color. But then, if the private colors do not have the restrict option configured, they will try to establish tunnels to all other public colors that exist.

Figure 1. Multiple interfaces to the same transport (no restrict option used)

The tunnel-group feature is designed to give more flexibility and granular control over the overlay tunnel establishments irrespective of the TLOC color. It works by assigning a tunnel group ID under a tunnel. Once the group-ID is configured under the TLOC, it obeys the following rules:

TLOCs can only establish tunnels with remote TLOCs with the same tunnel-group IDs irrespective of the TLOC color.
TLOCs with any tunnel-group ID will also form tunnels with TLOCs that have no tunnel-group IDs assigned.
If the restrict-option is configured in conjunction with the tunnel-group option, then TLOCs will only form an overlay tunnel to remote TLOCs having the same tunnel-group ID and TLOC color

So if we go back to the example shown in figure 1, all interfaces attached to the MPLS cloud can be configured with the same tunnel-group 1 without the restrict feature. In this way, vEdge-1 will form an overlay tunnel to both interfaces of vEdge-2 but at the same time, tunnels to other public colors/tunnel-groups will not be attempted.

Use Case 2: Grouping different colors

Another typical use case that is illustrated in figure 2 is when a remote site (vEdge-3) uses different colors compared to the rest of the sites. In a typical real-world deployment, you would like to configure the private colors to only form tunnels over the private MPLS cloud and the same for the public colors of the Internet. This exact setup is only possible using tunnel-groups. By assigning all private colors to one tunnel-group (for example 2) and assigning all public colors with different tunnel group (for example 1), we will prevent the forming of overlay tunnels between the public and private transports while still allowing different private colors to form tunnels (which would not be possible if we use the restrict-option).

Figure 2. Multiple colors combined in two tunnel groups (no restrict option used)

Use Case 3: Grouping different meshes

Another typical use-case would be if we like to achieve groupings of meshed tunnels as it is illustrated in figure 3. All interfaces in the left tunnel-mesh are configured with group-id 10 and all interfaces in the right tunnel-mesh are assigned a group-id of 20. However, the key point of this example is that the hub routers don't have tunnel-group IDs configured on their interfaces, so they will form overlay tunnels with all other tunnel-group IDs.

Figure 3. Grouping different meshes (no restrict option used)

Configuring Tunnel-Groups

Configuring this feature is very straight-forward. You just enter in the tunnel configuration mode of a particular interface and enter a group value as is shown in the example below.

vpn 0
 interface ge0/0
  ip address 80.1.1.1/30
  ipv6 address 2001:AB44:15F:A332::1/64
  tunnel-interface
   encapsulation ipsec
   group 10
   color public-internet
   allow-service all
  !
  no shutdown
 !

The tunnel group is advertised as an attribute in the TLOC route. The possible values for tunnel groups are between 0 and 4294967295.

vEdge-5# show omp tlocs
---------------------------------------------------
tloc entries for 80.80.80.80
                 public-internet
                 ipsec
---------------------------------------------------
            RECEIVED FROM:                   
peer            0.0.0.0
status          C,Red,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
    Attributes:
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         258
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-ip         80.1.1.1
     public-port       12346
     private-ip        80.1.1.1
     private-port      12346
     public-ip         2001:ab44:15f:a332::1
     public-port       12346
     private-ip        2001:ab44:15f:a332::1
     private-port      12346
     bfd-status        up
     domain-id         not set
     site-id           80
     overlay-id        not set
     preference        0
     tag               not set
     stale             not set
     weight            1
     version           2
    gen-id             0x80000013
     carrier           default
     restrict          0
     groups            ( 10 )
     border             not set
     unknown-attr-len  not set

Comments

duanbm

Fri, 08/06/2021 - 11:16

This leson is very easy to understand, thank you

afridishah27606

Thu, 10/28/2021 - 00:25

Thank you for such a crispy lessons

kaps16

Sat, 02/26/2022 - 14:40

Lucid explanation.

Mmgsunny

Wed, 05/11/2022 - 19:58

In which scenario Hub create overlay tunnel with Spoke site by taking different color, tunnel-group.

mohanmuthu178

Sat, 05/28/2022 - 10:19

Very Nice. Keep it up!!!

R.K

Sun, 06/05/2022 - 12:28

In "Use Case 3", Can they reach "Tunnel Group 10" to "Tunnel Group 20" via "No Tunnel Group"?

Ivan.Ivanov

Sun, 06/05/2022 - 12:38

Hello R.K,
Sites within the left mesh won't be able to reach the right mesh by default (with no policy applied on vSmart). However, this can easily be achieved with a Centralized Control Policy on vSmart. The next-hop tlocs to remote mesh's destinations must be changed to point to the HUB (no tunnel group).
HTH, Ivan

mohanmuthu178

Mon, 06/20/2022 - 13:33

Hi Ivan, Is it possible to mix private and public colors within the same tunnel-group?
In Fig-2, you are having a tunnel-group 1 for Public colors and tunnel-group 2 for Private colors. Is it possible to have another tunnel-group 3 with a mix of private and public colors?
Your work is much appreciated. Keep it up!!!

Ivan.Ivanov

Wed, 06/22/2022 - 04:56

Yes, it's possible. The tunnel group id isn't related to the color.

Us@hbw

Mon, 07/31/2023 - 02:06

In case 1, rule 2 means the tunnel group number won't impact the tunnel between the same color TLOC, right? It looks to conflict with rule 1.