
Ask the Expert - SD-WAN fundamentals and implementation

Cisco Moderador
Community Manager

This topic is a chance to discuss more about SD-WAN, its foundations and inner mechanisms, as well as its correct design and implementation to achieve desired business outcomes. Software-Defined WAN (SD-WAN) is a popular technology and this event is aimed at helping engineers, customers and partners understand the benefits and possible advantages that its implementation can bring.

To participate in this event, please use the "Join the Discussion: Cisco Ask the Expert" button below to ask your questions.

Ask questions from Monday 19th to Friday 30th of August, 2019.

Featured expert

David Samuel Peñaloza Seijas works as a Senior Network Consulting Engineer at Verizon Enterprise Solutions in the Czech Republic. Previously, he worked as a Network Support Specialist in the IBM Client Innovation Center in the Czech Republic. David is an expert interested in all topics related to networks. However, he focuses mainly on data centers, enterprise networks, and network design, including software-defined networking (SDN). David has a long relationship with Cisco. He has been a Cisco Instructor for the Cisco Academy and was recognized as a Cisco Champion and a Cisco Designated VIP for 2017, 2018 and 2019. David holds CCNP R&S, CCDP, CCNA Security, CCNA CyberOps and CCNA SP certifications. Currently, he is preparing for the CCDE.

David might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the SD-WAN community.

Find other events https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support  


Helpful votes encourage participation! Please be sure to rate the answers to questions.


kevin.charron
Level 1

I have an issue using a NAT0 policy towards zScaler subnets for a couple of hybrid sites. I'll explain the "hybrid" setup I speak of. So, in an effort to get rid of the AT&T Netgate solution as a backup VPN/local Internet breakout, I have set up a couple of sites to only use the vEdge as a backup connection and local Internet breakout.

For example, Site 1 is 10.6.160.0/20. On the MPLS side, I advertise 10.6.160.0/21 and 10.6.168.0/21. On the vEdge I advertise via an aggregate-route the 10.6.160.0/20, which isn't as specific and would only be used in the event the site's MPLS connection fails. This works as designed and, when looking at the OMP route table, it sees the /21s from the traditional WAN and the /20 from the vEdge.

On the Core switch of the site (Cisco 3850) I have IP SLA configured to track routing and, if working, send all traffic to zScaler to the vEdge. The vEdge has a local traffic policy to send traffic to those subnets via NAT0. This also works as designed.

Here is the issue. After a few days, both sites just stop being able to browse the internet and the only workaround is to reboot the devices currently. These are local traffic policies, but the behavior would indicate something happening at a higher level. This happens on 18.4.0, 19.1.0 and 18.4.3.

Sites that are dedicated SD-WAN do not have these issues and have the same policy applied. I just don't know how to troubleshoot this or determine why it's happening. When looking at "show app cflowd flows", things look normal. No indication that it shouldn't be working.

Any thoughts on what could be happening?

Hello @kevin.charron 

I have seen a similar behavior during migration between legacy solutions and SD-WAN; it was related to the ARP cache not being flushed in the 3850 switch and IP redirects configured under the VLAN. The VRRP virtual IP was the same between devices so failover could be performed, minimizing impact to the users.

We had to involve TAC as it was quite an atypical behavior. The initial recommendation was to reboot the boxes due to time constraints. Later investigation revealed ARP was handled in different ways between Viptela and the Catalyst switch.

Hope that helps!

Thanks for the feedback. Are you saying to issue the command "no ip redirects" on the client VLAN, on the interface to the vEdge (which is an L3 /30 link, by the way), or both?

Also, the ARP timeout is set at a per-interface level. Should I reduce the timeout on the L3 interface to the vEdge?

And to my disappointment, a reboot of the device last night did not resolve the issue this time. I'm going to try and get a packet capture from vManage to see if I can get any useful data.

The change must be done in the legacy infra (non-SD-WAN).

We got this when TAC got involved:

Prior to SD-WAN cut-over:

  1. Execute "no ip redirect" on the LAN port of the legacy CE routers.
  2. Execute "no ip redirect" on the VLAN interface of the core switch.
  3. Run "sh ip redirects", then "clear ip redirect" and "sh ip redirects" again on all access switches. Validate the before/after output, as the IP redirect table should be empty in the end.

Hope it helps

Hi David,

Can you route leak between a Services VPN and Transport VPN?

Thanks!

Hello @joshua-network-guy

Viptela supports route leaking between VPNs, but it's intended for service VPNs, not between transport and service VPNs. They are kept separate, as the service VPNs are an overlay using the transport VPN.

The following document explains route leaking: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.3/04Segmentation/03Segmentation_(VPN)_Configuration_Examples

Thanks!

Thanks David.

Yup, I understand what the original intention was.

But we have someone who has a requirement to access provider services via the MPLS underlay.

So unfortunately it is needed.

I've seen it discussed here that the recommended solution is to have logical connections in the MPLS WAN via a service VPN.

Which we may end up doing, but just exploring this option first.

For local break-out to MPLS, there is no feature as such, but this can be achieved by design.

You can have one of the interfaces, ge0/2 (or a sub-interface), on the vEdge/XE-SDWAN device connected to the underlay and place it in service VPN n. This service VPN n will learn underlay routes via BGP. Use the same VPN tag n for all the LAN segments that need access to the underlay sites.

Traffic entering the router on the LAN interface in VPN n, if destined for an underlay site, will exit from ge0/2 and head to the PE router. Traffic destined for overlay sites should see a valid route through OMP and use the overlay path through VPN 0 (ge0/0 or ge0/1).

HTH

Thank you.

But would we still need to have 2 logical connections into the MPLS WAN?

One for underlay and one for overlay?

Yes, you would. If the provider supports subinterfaces, you could use a single physical link but have two logical interfaces to the SP. You could then put one of them in VPN 0 and the other in the service VPN of choice.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

lishengtao
Level 1

Hi, are there any SLA violation events generated by vManage or the v/cEdge? Or is there any API query for such violations? Let's assume an SLA Class, Traffic Policy and Centralized AAR policy have been defined and applied to the Device Template.

Thanks!

Shen

Hello @lishengtao

Notifications are generated for a plethora of events; see the following URL for more details: https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Troubleshooting/Monitor_Event_Notifications

Quoting:

When something of interest happens on an individual device in the overlay network, the device reports the event in the following ways:

Send a notification to the vManage NMS. The vManage NMS filters the event notifications and correlates related events, and it consolidates major and critical events into alarms.
Send an SNMP trap to the configured trap target. For each SNMP trap that a device generates, the device also generates a corresponding notification message.
Generate a system logging (syslog) message and place it in a syslog file in the /var/log directory on the local device and, if configured, on a remote device.

Notifications are messages that the device sends to the vManage NMS server.

Also, alarms can be monitored; this link provides more information: https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Troubleshooting/Monitor_Alarms

Using vManage REST APIs: https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs

Events: https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Command_Reference/vManage_REST_APIs/Alarms_Audit_Log_and_Events_APIs/Events

Bulk API operations: https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Command_Reference/vManage_REST_APIs/Bulk_APIs/Overview_of_Bulk_API_Operations

Thank you David for the info! For the SLA-specific events, I got the following from our Cisco support team and it works for me.

For alarm events, use a POST API request to the link below:

https://vmanage/dataservice/event

and use the payload below:

{
  "query": {
    "condition": "AND",
    "rules": [
      {"value": ["3"], "field": "entry_time", "type": "date", "operator": "last_n_hours"},
      {"value": ["major"], "field": "severity_level", "type": "string", "operator": "in"},
      {"value": ["App-Route"], "field": "component", "type": "string", "operator": "in"},
      {"value": ["100.90.3.4"], "field": "system_ip", "type": "string", "operator": "in"},
      {"value": ["sla-change", "sla-violation", "sla-violation-pkt-drop"], "field": "eventname", "type": "string", "operator": "in"}
    ]
  },
  "size": 10000
}
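As an added example (not from the post above and not Cisco's own code), the following Python script builds the same /dataservice/event query, summarizes the returned SLA events per device so that repeatedly violating tunnels stand out, and can fetch the events from vManage. The login endpoints (j_security_check, /dataservice/client/token), the XSRF header and the {"data": [...]} response shape are assumptions about the vManage API, and the sample events are constructed.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter
from http.cookiejar import CookieJar

SLA_EVENTS = ("sla-change", "sla-violation", "sla-violation-pkt-drop")

# Constructed sample of what the "data" list in a vManage reply could contain.
SAMPLE_EVENTS = [{"system_ip": "100.90.3.4", "eventname": "sla-violation"}] * 3 + [
    {"system_ip": "100.90.3.4", "eventname": "sla-change"},
    {"system_ip": "100.90.3.5", "eventname": "sla-violation"}]

def build_sla_event_query(system_ips, hours=3, severities=("major",), size=10000):
    """Body for POST /dataservice/event: AND of a last-N-hours window and 'in'
    filters on severity, component, system_ip and eventname (fields as above)."""
    def rule(field, values, typ="string", op="in"):
        return {"value": list(values), "field": field, "type": typ, "operator": op}
    return {"query": {"condition": "AND", "rules": [
                rule("entry_time", [str(hours)], "date", "last_n_hours"),
                rule("severity_level", severities),
                rule("component", ["App-Route"]),
                rule("system_ip", system_ips),
                rule("eventname", SLA_EVENTS)]},
            "size": size}

def flapping_devices(events, threshold=3):
    """Count SLA events per (system_ip, eventname); return {system_ip: {eventname:
    count}} for pairs reaching the threshold, i.e. tunnels that keep failing SLA."""
    counts = Counter((e.get("system_ip"), e.get("eventname")) for e in events)
    flagged = {}
    for (ip, name), n in counts.items():
        if n >= threshold:
            flagged.setdefault(ip, {})[name] = n
    return flagged

def fetch_sla_events(base_url, username, password, system_ips, hours=3):
    """Assumed vManage flow: form login to j_security_check (session cookie), GET
    /dataservice/client/token for the XSRF token, then the query POST. Not run offline."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
    opener.open(f"{base_url}/j_security_check", data=form)  # TLS verification stays on
    token = opener.open(f"{base_url}/dataservice/client/token").read().decode()
    req = urllib.request.Request(f"{base_url}/dataservice/event",
        data=json.dumps(build_sla_event_query(system_ips, hours)).encode(),
        headers={"Content-Type": "application/json", "X-XSRF-TOKEN": token})
    return json.load(opener.open(req)).get("data", [])

if __name__ == "__main__":
    print(json.dumps(flapping_devices(SAMPLE_EVENTS), indent=2))
```

Run against a real vManage as fetch_sla_events("https://vmanage", user, password, ["100.90.3.4"]) and pass the result to flapping_devices to get the same per-device summary.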

That's excellent! Glad something was helpful!

Hilda Arteaga
Cisco Employee

Dear @David Samuel Penaloza Seijas

Thanks for sharing your knowledge on this Cisco Community event; your participation is always impeccable and well received.

Also, we would like to thank @daniel.dib, who has been doing an amazing job helping to clarify diverse questions in this session. Thanks for extending the information and guiding the community members.

You are indeed admirable Cisco Designated VIP members!
