What is TLOC Color?
TLOC Color is a logical abstraction used to identify specific WAN transport that connects to a WAN Edge device. The color is a statically defined keyword that distinguishes a particular WAN transport as either public or private and is globally significant across the Cisco SD-WAN fabric. If you think about it, there is no automatic way for a vEdge router to understand which interface is connected to which transport cloud. If we look at the example in figure 1, vEdge-1 has three interfaces connected to three different providers. From the perspective of vEdge-1, the only way to distinguish which interface is connected to which cloud is through the concept of colors that would be externally defined by the controller or locally via CLI.
The TLOC color is configured per interface under the transport vpn0/ interface / tunnel-interface settings as in is shown below:
vpn 0 interface ge0/0 ip address 10.1.1.43/24 tunnel-interface encapsulation ipsec color mpls
As of now, there are 22 pre-defined color keywords that are summarized in Table 1 below. They are divided into two main categories - public and private colors. The public colors are designed to distinguish connections to public networks such as the Internet where typically the attachment interface has an RFC1918 address that is later translated to a publicly routable address via NAT. On the other hand, private colors are intended for use on connections to clouds where NAT is not utilized. On WAN Edge routers, each Transport Locator is associated with a private-public IP address pair. The TLOC color dictates whether the private or public IP address will be used when attempting to form a data plane tunnel to a remote TLOC.
|Public Colors||Private Colors|
Communication Between Colors
During the authentication process with the vBond orchestrator, WAN edge devices learn whether they sit behind a NAT device and what is their NATed address and port. This is done using the STUN protocol and the process is explained in further detail in our lesson about TLOCs and NAT. In the end, each TLOC contains a pair of private/public addresses and ports. If there is no NAT, both the private and public addresses are the same, if there is a NAT device along the path, the private address represents the native interface IP and the public address represents the post-NAT address. When two Cisco SD-WAN devices attempt to form an overlay tunnel between each other, they look at the colors at both ends in order to decide which IP address to use.
If the TLOC color at both ends is a Public one, the WAN edge devices attempt to form the data plane tunnel using their public IP addresses.
Even if only one of the colors is public, the WAN edge devices will also attempt to form the data plane tunnel using the public IP addresses.
However, If the TLOC color at both ends is a Private one, the WAN edge devices attempt to form the data plane tunnel using their private IP addresses.
This is particularly important in cases where WAN edge devices communicate directly with their native address over a private cloud such as MPLS but at the same time, they access the control plane through the same cloud via Network Address Translation. That is why data plane tunnels between TLOCs marked with private colors are formed using the private IP addresses as is demonstrated in figure 5.
However, specific scenarios might occur where using the public IP addresses between private colors is the desired behavior. An example would be having two MPLS clouds that are interconnected using NAT. For such cases, there is a particular TLOC attribute called carrier that changes this behavior - if the carrier setting is the same in the local and remote TLOCs, the WAN edge device attempts to form a tunnel using the private IP address, and if the carrier setting is different, then the WAN edge device attempts to form a tunnel using the public IP address. The diagram below visualizes this:
TLOC Color Restrict
By default, WAN edge routers try to form overlay tunnels to every received TLOC from a different site using every available color. This is usually the desired outcome in scenarios where we have two Internet connections from two different providers. Although we typically mark them with different colors in order to treat them separately as shown in figure 7, we would like to have a full mesh of tunnels because there is IP reachability between the clouds.
However, this behavior might not be desirable in scenarios where we have one private transport alongside an Internet cloud, as it could lead to inefficient routing—such as WAN edge routers trying to build tunnels through the MPLS cloud to Internet TLOCs. Even though the IP reachability between the clouds may exist, the tunnels might be established over paths that are inefficient or unintended. This behavior can be changed with the restrict keyword or by using tunnel groups.
vpn 0 interface ge0/0 ip dhcp-client tunnel-interface encapsulation ipsec color mpls restrict
When a TLOC is marked as restricted, a WAN edge route router will attempt to establish a data plane tunnel to a remote TLOC only via WAN connections marked with the same color. This behavior is demonstrated in figure 8. vEdge-1 will never try to establish an IPsec tunnel from T1 to T4 because TLOC1 and TLOC4 are not marked with the same color.
The restrict attribute can be verified using the following show command
vEdge-1# show omp tlocs --------------------------------------------------- tloc entries for 126.96.36.199 mpls ipsec --------------------------------------------------- RECEIVED FROM: peer 0.0.0.0 status C,Red,R loss-reason not set lost-to-peer not set lost-to-path-id not set Attributes: attribute-type installed encap-key not set encap-proto 0 encap-spi 256 encap-auth sha1-hmac,ah-sha1-hmac encap-encrypt aes256 public-ip 188.8.131.52 public-port 12366 private-ip 192.168.1.2 private-port 12366 public-ip :: public-port 0 private-ip :: private-port 0 bfd-status up domain-id not set site-id 60 overlay-id not set preference 0 tag not set stale not set weight 1 version 2 gen-id 0x80000013 carrier default restrict 1 groups [ 0 ] border not set unknown-attr-len not set
Another option to achieve the same goal of restricting the data plane connectivity between the same colors is by using tunnel groups. Only tunnels with matching tunnel groups will form a data plane connection (regardless of the color).
vpn 0 interface ge0/0 ip dhcp-client tunnel-interface encapsulation ipsec group 199