Solved: Re: Cisco SD-WAN DIA with Centralized Data Policy and Static Route Tra

Dapsy2000 · ‎09-06-2023

The last few days/weeks I've tried to solve an issue with the DIA feature in combination with centralized data policy and static route tracker. The setup is really simple, just one Hub Site, one Spoke Site and a centralized data policy.

The requirements are:
- NAT DIA with NAT Interface tracker on Hub and Spoke
- additional service-side Static Route (0.0.0.0/0) tracker on Hub Site
- if DIA on Spoke Site is not available fallback to Hub via service-side VPN only if DIA on Hub Site is availaible (-> 0.0.0.0/0 via service-side VPN)

Controller Version is 20.9.1 for vManage, vSmart and vBond.
vEdge Cloud Version is 20.9.1 and C8000V Version is 17.07.01a.
I've also tested various other versions like 20.11.1, 20.12.1, 17.11.01a and 17.12.01a with same results.

The setup works with Viptela OS (vEdge Cloud) - Hub (Site-ID: 49002) and Spoke (Site-ID: 49012) but not with IOS XE (C8000V) - Hub (Site-ID: 49001) and Spoke (Site-ID: 49011).

All configs are attached. I also found this Cisco document, updated on July 24, 2023, but still no success.
https://www.cisco.com/c/en/us/support/docs/routers/xe-sd-wan-routers/220613-implement-direct-internet-access-dia-f.html#toc-hId-1879199158

If you run both Hubs (vEdge Cloud and C8000V) at the same time, shutdown transport interface ge0/0 on vEdge Cloud, otherwise you'll receive the VPN 10 default route (0.0.0.0/0) from vEdge Cloud on C8000V and the static route tracker is working.

Hope anybody can give me a hint why it's not working on C8000V.

hassahme · ‎09-08-2023

Your use case is to advertise NAT DIA default route FROM HUB/DC to SPOKE Edge routers only when DIA in HUB/DC is UP. For this you could configure a DIA NAT route under VRF of HUB/DC router and use "advertise network 0.0.0.0/0" command inside the intended vrf address-family under OMP section . This will ensure to advertsie NAT DIA default route from HUB/DC to SPOKE Edge routers only when NAT DIA tracker is UP in the HUB/DC sites.

The use case and command is documented here.

View solution in original post

Dapsy2000 · ‎09-07-2023

By the way, it looks like the policy isn't being applied correctly. As soon as I configure a static NAT route (ip nat route vrf 10 0.0.0.0 0.0.0.0 global) the static-route tracker is UP and the default route is sent to the spoke via VPN/VRF 10.

The same result should nat use-vpn 0 in sequence 30 of the data policy deliver.

hassahme · ‎09-08-2023

Your use case is to advertise NAT DIA default route FROM HUB/DC to SPOKE Edge routers only when DIA in HUB/DC is UP. For this you could configure a DIA NAT route under VRF of HUB/DC router and use "advertise network 0.0.0.0/0" command inside the intended vrf address-family under OMP section . This will ensure to advertsie NAT DIA default route from HUB/DC to SPOKE Edge routers only when NAT DIA tracker is UP in the HUB/DC sites.

The use case and command is documented here.

Dapsy2000 · ‎09-11-2023

Thanks Hassaan for your great help and that you took the time via a WebEx session to have a deep look into my use case. I really appreciate it.

ekhabaro · ‎09-11-2023

Can you try to adjust your data policy seq 30 as below (to have something like "match any")?

sequence 30
match
destination-ip 0.0.0.0/0

Cisco SD-WAN DIA with Centralized Data Policy and Static Route Tracker