What is TLOC Color?

TLOC Color is a logical abstraction used to identify specific WAN transport that connects to a WAN Edge device. The color is a statically defined keyword that distinguishes a particular WAN transport as either public or private and is globally significant across the Cisco SD-WAN fabric. If you think about it, there is no automatic way for a vEdge router to understand which interface is connected to which transport cloud. If we look at the example in figure 1, vEdge-1 has three interfaces connected to three different providers. From the perspective of vEdge-1, the only way to distinguish which interface is connected to which cloud is through the concept of colors that would be externally defined by the controller or locally via CLI.

What is TLOC Color?
Figure 1. What is TLOC Color?

The TLOC color is configured per interface under the transport vpn0/ interface / tunnel-interface settings as in is shown below:

vpn 0
 interface ge0/0
  ip address 10.1.1.43/24
  tunnel-interface
   encapsulation ipsec
   color mpls

As of now, there are 22 pre-defined color keywords that are summarized in Table 1 below. They are divided into two main categories - public and private colors. The public colors are designed to distinguish connections to public networks such as the Internet where typically the attachment interface has an RFC1918 address that is later translated to a publicly routable address via NAT.  On the other hand, private colors are intended for use on connections to clouds where NAT is not utilized. On WAN Edge routers, each Transport Locator is associated with a private-public  IP address pair. The TLOC color dictates whether the private or public IP address will be used when attempting to form a data plane tunnel to a remote TLOC.

Table 1. Cisco SD-WAN TLOC Colors
Public Colors Private Colors
public-internet mpls
biz-internet metro-ethernet
3g private1
lte private2
blue private3
green private4
red private5
bronze private6
silver  
gold  
custom1  
custom2  
custom3  

Communication Between Colors

During the authentication process with the vBond orchestrator, WAN edge devices learn whether they sit behind a NAT device and what is their NATed address and port. This is done using the STUN protocol and the process is explained in further detail in our lesson about TLOCs and NAT. In the end, each TLOC contains a pair of private/public addresses and ports. If there is no NAT, both the private and public addresses are the same, if there is a NAT device along the path, the private address represents the native interface IP and the public address represents the post-NAT address.  When two Cisco SD-WAN devices attempt to form an overlay tunnel between each other, they look at the colors at both ends in order to decide which IP address to use. 

If the TLOC color at both ends is a Public one, the WAN edge devices attempt to form the data plane tunnel using their public IP addresses.

Overlay tunnel between public colors
Figure 2. Overlay tunnel between public colors

Even if only one of the colors is public, the WAN edge devices will also attempt to form the data plane tunnel using the public IP addresses.

Overlay tunnel between public and private colors
Figure 3. Overlay tunnel between public and private colors

However, If the TLOC color at both ends is a Private one, the WAN edge devices attempt to form the data plane tunnel using their private IP addresses.

Overlay tunnel between private colors
Figure 4. Overlay tunnel between private colors

This is particularly important in cases where WAN edge devices communicate directly with their native address over a private cloud such as MPLS but at the same time, they access the control plane through the same cloud via Network Address Translation. That is why data plane tunnels between TLOCs marked with private colors are formed using the private IP addresses as is demonstrated in figure 5.

Why private clouds use private IPs?
Figure 5. Why private clouds use private IPs?

TLOC Carrier

However, specific scenarios might occur where using the public IP addresses between private colors is the desired behavior. An example would be having two MPLS clouds that are interconnected using NAT. For such cases, there is a particular TLOC attribute called carrier that changes this behavior - if the carrier setting is the same in the local and remote TLOCs, the WAN edge device attempts to form a tunnel using the private IP address, and if the carrier setting is different, then the WAN edge device attempts to form a tunnel using the public IP address. The diagram below visualizes this:

Overlay tunnels when using the Carrier settings
Figure 6. Overlay tunnels when using the Carrier settings

TLOC Color Restrict

By default, WAN edge routers try to form overlay tunnels to every received TLOC from a different site using every available color. This is usually the desired outcome in scenarios where we have two Internet connections from two different providers. Although we typically mark them with different colors in order to treat them separately as shown in figure 7, we would like to have a full mesh of tunnels because there is IP reachability between the clouds.

Default overlay fabric without Restrict keyword
Figure 7. Default overlay fabric without Restrict keyword

However, this behavior might not be desirable in scenarios where we have one private transport alongside an Internet cloud, as it could lead to inefficient routing—such as WAN edge routers trying to build tunnels through the MPLS cloud to Internet TLOCs. Even though the IP reachability between the clouds may exist, the tunnels might be established over paths that are inefficient or unintended. This behavior can be changed with the restrict keyword or by using tunnel groups.

vpn 0
 interface ge0/0
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   color mpls restrict

When a TLOC is marked as restricted, a WAN edge route router will attempt to establish a data plane tunnel to a remote TLOC only via WAN connections marked with the same color. This behavior is demonstrated in figure 8. vEdge-1 will never try to establish an IPsec tunnel from T1 to T4 because TLOC1 and TLOC4 are not marked with the same color. 

Overlay fabric using Restrict keyword
Figure 8. Overlay fabric using Restrict keyword

The restrict attribute can be verified using the following show command

vEdge-1# show omp tlocs
---------------------------------------------------
tloc entries for 1.1.1.1
                 mpls
                 ipsec
---------------------------------------------------
            RECEIVED FROM:                   
peer            0.0.0.0
status          C,Red,R
loss-reason     not set
lost-to-peer    not set
lost-to-path-id not set
    Attributes:
     attribute-type    installed
     encap-key         not set
     encap-proto       0
     encap-spi         256
     encap-auth        sha1-hmac,ah-sha1-hmac
     encap-encrypt     aes256
     public-ip         60.1.1.1
     public-port       12366
     private-ip        192.168.1.2
     private-port      12366
     public-ip         ::
     public-port       0
     private-ip        ::
     private-port      0
     bfd-status        up
     domain-id         not set
     site-id           60
     overlay-id        not set
     preference        0
     tag               not set
     stale             not set
     weight            1
     version           2
    gen-id             0x80000013
     carrier           default
     restrict          1
     groups            [ 0 ]
     border             not set
     unknown-attr-len  not set

Another option to achieve the same goal of restricting the data plane connectivity between the same colors is by using tunnel groups. Only tunnels with matching tunnel groups will form a data plane connection (regardless of the color). 

vpn 0
 interface ge0/0
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   group 199