Cisco WAN Edge routers periodically send and receive OMP updates with the vSmart controllers. These OMP updates contain vRoutes, TLOC, or Service routes. When a vSmart controller receives an OMP route from a vEdge, it performs the OMP best-path algorithm and updates its own routing table. The best routes are then re-advertised to all other WAN edge routers.
IMPORTANT vSmart advertises only the best routes according to the OMP best-path algorithm.
A Control policy examines the OMP updates and can modify the attributes in an update that matches the policy. Control policies are always applied directionally to a site list.
We have seen in the previous lab lessons that Control Policies can be applied in an inbound or outbound direction. In many cases, network requirements can be fulfilled by applying a control policy in either direction. However, there is a huge difference in the outcome of an inbound control policy versus an outbound one.
In this lesson, we are going to apply a policy in the inbound direction and see the results. Then we are going to apply the same policy in the outbound direction and compare the differences.
Outbound Policy
Figure 2 shows a control policy named PREFERENCE that is applied to Site-list SITE-2 in an outbound direction. Let's break down the policy construct into bullet points and analyze every aspect of it.
- The direction of the policy is always from the perspective of the vSmart controller. Outbound means that the policy matches and modifies attributes in the OMP advertisements from vSmart to vEdges.
- The policy is applied to site-list SITE-2 means that only OMP advertisements send to WAN edge devices with Site-IDs listed in the SITE-2 list are processed against the policy.
- In the policy itself, sequence 1 match route means that this sequence matches and modifies only vRoutes (and not TLOCs or Service routes).
- The action accept means that the vRoutes that are matched in the statement will be sent out to site-2.
- Set preference 90 means that the OMP Preference attribute of the vRoutes that are matched will be changed to 90 (default is 0).
- Note that the default action is accept (it is reject by default). We do not intend to filter out any route or tlocs but to only modify route attributes.
In simple words, the policy affects the OMP advertisement to vEdge-3 (site-list SITE-2). By default, vSmart advertises the first four equal-cost best routes for a prefix. In this case, for prefix 172.16.1.0/24, from the perspective of vSmart, there are four equal-cost best routes (via T1, T2, T3, and T4). However, before vSmart sends the advertisement to vEdge-3, the policy matches the routes that originated from vEdge-2 (1.1.1.2) and sets the OMP Preference to 90 for these routes (default is 0, higher is better).
When vEdge-3 receives this OMP advertisement, it performs the OMP Best-path selection algorithm and selects the omp routes with Preference 90 as best. The first stop and most important place to check the overlay routing in Cisco SD-WAN is always on the vSmart controller because it is the only authorized device that can redistribute routing information between WAN edge routers. Let's check the OMP routing table of vSmart:
vSmart# show omp routes 172.16.1.0/24 | tab
Code:
C   -> chosen
I   -> installed
Red -> redistributed
Rej -> rejected
L   -> looped
R   -> resolved
S   -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA  -> On-demand inactive
U   -> TLOC unresolved
                                            PATH                      ATTRIBUTE                                                       
VPN    PREFIX              FROM PEER        ID     LABEL    STATUS    TYPE       TLOC IP          COLOR            ENCAP  PREFERENCE  
--------------------------------------------------------------------------------------------------------------------------------------
1      172.16.1.0/24       1.1.1.1          66     1004     C,R       installed  1.1.1.1          mpls             ipsec  -           
                           1.1.1.1          69     1004     C,R       installed  1.1.1.1          public-internet  ipsec  -           
                           1.1.1.2          66     1004     C,R       installed  1.1.1.2          mpls             ipsec  -           
                           1.1.1.2          69     1004     C,R       installed  1.1.1.2          public-internet  ipsec  -           
You can see that vSmart has four equal-cost routes for 172.16.1.0/24 via TLOCs 1,2,3 and 4. As expected, the OMP preference of all routes is 0 because the policy affect the outbound OMP advertisements from the perspective of the controller and do not affects the controller's RIB.
Let's now check the routing information on vEdge-3.
vEdge-3# show omp routes 172.16.1.0/24 | tab
Code:
C   -> chosen
I   -> installed
Red -> redistributed
Rej -> rejected
L   -> looped
R   -> resolved
S   -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA  -> On-demand inactive
U   -> TLOC unresolved
                                            PATH                      ATTRIBUTE                                                       
VPN    PREFIX              FROM PEER        ID     LABEL    STATUS    TYPE       TLOC IP          COLOR            ENCAP  PREFERENCE  
--------------------------------------------------------------------------------------------------------------------------------------
1      172.16.1.0/24       1.1.1.30         11     1004     C,I,R     installed  1.1.1.2          mpls             ipsec  90          
                           1.1.1.30         12     1004     C,I,R     installed  1.1.1.2          public-internet  ipsec  90          
                           1.1.1.30         13     1004     R         installed  1.1.1.1          mpls             ipsec  -           
                           1.1.1.30         14     1004     R         installed  1.1.1.1          public-internet  ipsec  -           
You can see that the routes via vEdge-2 are chosen as best. They have the C (chosen) and I (installed) flags set, because of the higher OMP Preference value of 90.
However, if we check the omp routing table of any other WAN edge router, we will see that they have chosen and installed all four equal-cost routes for 172.16.1.0/24.
vEdge-4#  show omp routes 172.16.1.0/24 | tab
                                            PATH                      ATTRIBUTE                                                       
VPN    PREFIX              FROM PEER        ID     LABEL    STATUS    TYPE       TLOC IP          COLOR            ENCAP  PREFERENCE  
--------------------------------------------------------------------------------------------------------------------------------------
1      172.16.1.0/24       1.1.1.30         5      1004     C,I,R     installed  1.1.1.2          mpls             ipsec  -           
                           1.1.1.30         6      1004     C,I,R     installed  1.1.1.2          public-internet  ipsec  -           
                           1.1.1.30         7      1004     C,I,R     installed  1.1.1.1          mpls             ipsec  -           
                           1.1.1.30         8      1004     C,I,R     installed  1.1.1.1          public-internet  ipsec  -           
We can see that when the control policy shown in figure 2 is applied in the outbound direction to a site list (in our case to vEdge-3), it only affects the WAN edge routers listed in the applied site list. It does not affect the OMP best-path selection algorithm on vSmart nor the one on any other vEdge routers in different sites.
Let's now see what will be the results if we apply the same policy in the inbound direction.
Inbound Control Policy
Figure 3 shows a control policy named PREFERENCE that is applied in an inbound direction to Site-list SITE-1. Let's break down the policy construct into bullet points and analyze every aspect of it.
- The direction of the policy is always from the perspective of the vSmart controller. Inbound means that the policy matches and modifies attributes in OMP updates before the information enters the OMP RIB (routing information base) of the controller.
- The policy is applied to site-list SITE-1 means that only OMP updates with Site-IDs listed in the SITE-1 list are processed against the control-policy.
- In the policy itself, sequence 1 match route means that this sequence matches and modifies only vRoutes (and not TLOCs or Service routes)
- The action accept means that the vRoutes that are matched in the statement will be inserted in the RIB of the controller
- Set preference 90 means that the OMP Preference attribute of the vRoutes that are matched will be changed to 90 (default is 0) before the vRoutes are inserted in the RIB of the controller.
In simple words, the policy matches the omp advertisements for 172.16.1.0/24 (SUBNET-1) coming from vEdge-2 (1.1.1.2) to vSmart and sets the OMP Preference to 90 to these vRoutes. This happens before the OMP routing information is inserted in the controller's RIB. Therefore, when vSmart runs the OMP best path algorithm against the vRoutes for 172.16.1.0/24, it will select the vroutes via vEdge-2's TLOCs as best because they have a higher OMP Preference (90) than the vroutes via vEdge-1's TLOCs (0).
Full Content Access is for Subscribed Users Only...
- Learn any CCNA, CCIE or Network Automation topic with animated explanation.
- We focus on simplicity. Networking tutorials and examples written in simple, understandable language.