
Ask Me Anything- Cisco SD-WAN Policies: Leveraging the Full Power of Cisco SD-WAN

Community Manager
This topic is a chance to clarify your questions about Cisco SD-WAN technical terms such as Transport Locators (TLOCs) and routes, and the best practices for getting the full power of Cisco SD-WAN by leveraging policies. The session will address questions such as: How do you stitch together Multiprotocol Label Switching (MPLS) and Internet-only branches? How do you prefer one Data Center (DC) over another? How do you build hub-and-spoke topologies? What are the trade-offs in the implementation? And what is the difference between a centralized and a localized policy?

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button below to ask your questions.

Ask questions from Friday, March 20 to Friday, April 3, 2020

Featured Experts
Daniel Dib is a Senior Network Architect at Conscia. He works with creating scalable, modular, and highly available network designs that meet business needs. He started out his career in the implementation and operations field. Daniel obtained his CCIE certification in 2012 and in May 2016 he became the second person in Sweden to get CCDE certified. Daniel has been recognized as a Cisco Designated VIP by the Cisco Learning Network. He often acts as a subject matter expert for his customers with deep expertise in routing, switching, multicast, and fast convergence. Daniel holds a CCIE Enterprise (#37149) and a CCDE (#20160011).

David Samuel Peñaloza Seijas works as a Senior Network Consulting Engineer at Verizon Enterprise Solutions in the Czech Republic. Previously, he worked as a Network Support Specialist in the IBM Client Innovation Center in the Czech Republic. David is an expert interested in all topics related to networks. However, he focuses mainly on data centers, enterprise networks, and network design, including software-defined networking (SDN). David has a long relationship with Cisco. He has been a Cisco Instructor for the Cisco Academy and was recognized as a Cisco Champion and a Cisco Designated VIP for 2017, 2018, 2019 and 2020. David holds CCNP R&S, CCDP, CCNA Security, CCNA CyberOps, and CCNA SP certifications. Currently, he is pursuing a CCDE.

Daniel and David might not be able to answer every question due to the volume expected during this event. Remember that you can continue the conversation in the SD-WAN category.

Did you know you can get answers before opening a TAC case by visiting the Cisco Community?

Slides FAQ Slides

**Helpful votes encourage participation!**
Please be sure to rate the answers to questions.

20 Replies

Community Manager

Hi Daniel and David,

Thank you so much for delivering quite an amazing session this past Tuesday.

These are some of the questions that were not covered during the live session:


  • Is this available in Cisco VIRL? My company has not implemented this yet, but they will in future so I would like to be ready when they do so where we can learn more about SD-WAN. Any comments?

Hopefully it will be included in VIRL2 when released, but I haven't seen any definite information on it. It's also possible to use various virtual platforms to set up your own lab.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

Community Manager

I need to use a tracker in the DIA route on the cEdge, so if this internet link fails, it can use the MPLS tunnel to the DC and start using internet from the DC. Is there a workaround to solve this?

Currently trackers aren't supported on cEdge, but it's coming. I don't know of a workaround so far. We might be able to find one when there is support for having the device managed by vManage and adding CLI templates, which isn't supported today.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

Hi, you can certainly have CLI-based templates managed by vManage. Just the latest vManage doesn't support it (19.3); 19.2x does support it. An option may be service insertion via local service. That one, if I'm right, checks reachability of the next hop.

Community Manager

Is destination NAT supported, so the vEdge internet underlay can reach my internet FWs in the data center?



Destination-based NAT is supported in service VPNs.

Would you mind elaborating on your query so we can pinpoint your requirement?





For HA (high availability) of vManage using the disaster recovery concept, is it necessary to have a cluster of vManage at both sites (the central hub and the secondary), or can we enable it with only 2 vManages (one at each site + 1 for the arbitrator)?

We have the solution on-premises, and having 3 + 3 + 1 vManages is too much resource consumption.





You don't necessarily need the arbitrator (if you are trying to reduce resource usage), as it can be done manually by specifying a switching threshold.


Documentation for high availability does not state that they should be running, only that the cluster must have three nodes:


"Prior to configuring disaster recovery, make sure you have met the following requirements:

  • You must have two vManage clusters with three nodes in each cluster. If automated recovery option is selected, then another vManage node is required."

If you define the services to be enabled in every vManage node, you would have to worry about the services enabled for all of them:


Select the services to run on the vManage server:

  • Application Server— Each vManage NMS in the cluster must be a web application server, which is an HTTP or HTTPS web server for user sessions to the vManage NMS. Through these sessions, a logged-in user can view a high-level dashboard summary of networks events and status, and can drill down to view details of these events. A user can also manage network serial number files, certificates, software upgrades, device reboots, and configuration of the vManage cluster itself from the vManage application server.

  • Statistics Database—Stores all real-time statistics from all Cisco vEdge devices in the network. These are the statistics that are displayed on the various vManage screens. You can run up to three iterations of the statistics database in a vManage cluster.

  • Configuration Database—Stores the inventory and state and the configurations for all Cisco vEdge devices. You can run up to three iterations of the configuration database in a vManage cluster.

  • Messaging Server—Each vManage NMS in the cluster must be a messaging server. The messaging server provides a communication bus among all the vManage servers in the cluster. This bus is used to share data and to coordinate operations among the vManage instances in the cluster.

I would not recommend running fewer than 3 vManage instances per cluster. But you can definitely reduce compute resources by not using the arbitrator.



Thanks for this opportunity of policy discussion.


I am trying to build a control policy for my customer. The setup is as follows:


Central Hub (CH) -->MPLS(blue)--> Regional Hub (RH) -->INTERNET(biz/public-internet) Multiple Spokes (MS)


CHs and RHs are connected via MPLS using color blue, while RHs and MSs are connected via internet.


***There is also a direct internet-based tunnel from CH to MS (this is to be less preferred and only used in case of RH failure).


I've explored the Cisco docs and discovered the feature 'tloc-action' to suit my needs. Kindly let me know how I can use this. For now, I've designed my CH policy as below, and it seems to always prefer the direct internet-based tunnel instead of going via RH:


sequence 300
 match route
  site-list sl-MS_ALL                    <-- All site-ids of MS routers
 !
 action accept
  tloc-action primary
  tloc-list tl-RH_SDWGW_SITE_MPLS_TLOCS  <-- MPLS TLOCs of RHs
 !
!


Logs:


From CH to MS:


CH# sh ip rou vpn 2
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
2 omp - - - - biz-internet ipsec F,S
CH# show omp routes vpn 2 | tab
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
U -> TLOC unresolved
-----------------------------------------------------------------------------------------------------------
1264593 1002 C,I,R installed biz-internet ipsec -
1267090 1003 Inv,U installed blue         ipsec -    <-- This is RH
1264980 1002 C,R   installed biz-internet ipsec -
1267497 1003 Inv,U installed blue         ipsec -


Please let me know if you need more logs.

To me tloc-action is a good feature if you have the same color in the whole path. You are doing routing to the destination via a different SD-WAN box, and this feature checks if an end-to-end tunnel is available. Because if you are doing a TLOC rewrite but the box in the middle doesn't have a route via the needed color/transport, it may cause traffic to be sent to the box in the middle even though it shouldn't be sent there. TLOC action solves this problem. But to me, in most cases it is not usable, as I have many more transports and colors. I would love to match a TLOC, but not a TLOC for a route, just whether the TLOC exists in general. If the TLOC exists, I do the check, I assume that the SD-WAN box has a route to the destination box over the color I need (matched in my TLOC), and I can do the TLOC rewrite. Such a feature doesn't exist; you can match a TLOC, but just for a specific route/site. These days I have to do TLOC remaps around more hubs, matching TLOCs, and also have to fix the opposite direction: quite a nightmare.
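To show how the sequence posted above sits inside a complete vSmart centralized control policy, here is an added example that is not part of this thread or of any poster's configuration. The list names, site-ids and TLOC system IPs are constructed placeholders; the only pieces taken from the thread are the hub/regional-hub/spoke roles, color blue for the MPLS transport, and the use of tloc-action primary with a TLOC list of the regional hubs.

```text
! Constructed example: vSmart policy CLI as it appears in the
! vManage policy preview. Names and addresses are assumptions.
policy
 lists
  ! Central hub sites: the policy is applied to routes sent TO these sites
  site-list sl-CH
   site-id 10
  !
  ! All spoke sites whose routes should be reached via a regional hub
  site-list sl-MS_ALL
   site-id 100-199
  !
  ! MPLS (color blue) TLOCs of the regional hubs; the intermediate hop
  tloc-list tl-RH_MPLS_TLOCS
   tloc 10.0.0.3 color blue encap ipsec
   tloc 10.0.0.4 color blue encap ipsec
  !
 !
 control-policy CH-VIA-RH
  sequence 300
   match route
    site-list sl-MS_ALL
   !
   action accept
    set
     ! primary: prefer the path through the listed TLOCs, fall back to
     ! the route's original (direct) TLOC only if that path is unavailable
     tloc-action primary
     tloc-list tl-RH_MPLS_TLOCS
    !
   !
  !
  ! Let everything else through unchanged
  default-action accept
 !
!
apply-policy
 ! "out" = applied to OMP routes vSmart advertises to the central hub
 site-list sl-CH
  control-policy CH-VIA-RH out
 !
!
```

The direction matters: a control policy rewriting TLOCs for a receiving site is applied outbound to that site's site-list, so the central hub sees the spoke prefixes with the regional hub's blue TLOC as the preferred next hop. The tloc-action keyword takes strict, primary, backup or ecmp; primary matches the requirement in the question (direct internet tunnel less preferred, used only when the regional hub path fails). Return traffic from the spokes needs a mirror policy applied to sl-MS_ALL, which is the "opposite direction" the reply above refers to.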

Community Manager
  • Is there a way to use routes from 1 vSmart over the another?

They definitely can have different configuration and therefore be selected as a "better" option, but it's highly advised not to do it. The recommended approach is to let vManage push the configuration to both, and it will make sure it is consistent between them.

Community Manager
  • Can you please elaborate more on the 1:1 NAT traversal function of vBond?