
Question about using colours for our WAN circuits

Mitrixsen
Level 1

Hello, everyone.

I am studying SD-WAN for my ENCOR exam and I have a question. I understand that TLOCs and TLOC routes in general will contain a color for the transport that the edge router is connected to.

My question is, what exactly is the significance of this color? Do the colors need to match on the routers? Say that I decide to color an MPLS circuit as “RED” on the advertising router. The receiving router will eventually receive the TLOC and see “RED” there. If the colors match, would it know that it needs to route the traffic via MPLS? Or how exactly do the colors and exit interfaces work?

My book says

By default, WAN Edge routers attempt to connect to every TLOC over each WAN transport,
including TLOCs that belong to other transports marked with different colors.

So what is the significance of this color then?

Thank you
David

Accepted Solution

Royalty
Level 1

Hi @Mitrixsen,

As we know, a TLOC contains three pieces of information

  • System IP
  • Transport Color
  • Encapsulation Type

The System IP is used to identify each OMP speaker, or more simply, a WAN Edge. It is also 'used' as the next-hop address for OMP routes from the service side VPNs (LAN). TLOC routes map system IPs to transport IPs amongst other info. The TLOC color identifies the transport IP address, which is the IP address that other WAN Edges (and itself) use as the destination to form the overlay data plane tunnels (IPsec tunnels with BFD sessions) and advertise in the TLOC routes. A large part of SD-WAN is the ability to perform extensive Traffic Engineering. Traffic Engineering is done in SD-WAN Policies, e.g. application-aware routing (AAR), application pinning and DIA. TLOC colors are used as action/match criteria to define which WAN transports are used under certain network conditions. In the event that a given WAN Edge has dual WAN links for redundancy, an example may be something like “send data traffic over GOLD (broadband), send VoIP over RED (MPLS), avoid RED when latency > 150ms,” etc.

So, the significance of the TLOC color is the identification of which transport IP addresses that other WAN Edges should use to form tunnels and forward traffic, how tunnels are built, which tunnels are allowed to be built, as well as being used to create traffic engineering policies.

Theoretically speaking, you could have two WAN Edge routers at two different buildings (say site 1 and site 2) that are connected through an MPLS WAN. Each of the routers could have an MPLS transport with a tunnel interface color of 'RED' and be able to forward traffic between them. In another case, the WAN Edge at site 1 could have a TLOC color of 'RED' and the WAN Edge at site 2 could have a TLOC color of 'GOLD'. Assuming the connectivity is in place, this could work.

TLOC colors are split into two types: private colors and public colors. If a WAN Edge's TLOC color is a public color, then the result is that other WAN Edges will try to form IPsec data plane tunnels towards the public IP address of the aforementioned WAN Edge, and from their own public IP address. Basically, if a tunnel is being formed from one color to another color, and one of those colors is public, both sides will try to use the public IP address. If there is no NAT detected on a particular WAN Edge, then the TLOC route attributes for the private IP address and public IP address are the same. It is the Catalyst SD-WAN Validator (formerly vBond) that helps WAN Edges detect their public and private IP addresses through STUN, and this is why there are important design considerations for deploying SD-WAN Control Components that are hosted on-premises, as the SD-WAN Validator must be able to detect the post-NAT IP addresses of any WAN Edge. For devices at the same physical location, or other SD-WAN Control Components, this could involve hairpin NAT, placing the Validator in a DMZ with a public IP address, etc. All colors aside from 'mpls', 'metro-ethernet', and 'private*' are public colors. Generally, the public colors would not be used over your MPLS transport.

As an example, if you are using Cisco cloud-hosted controllers, and a WAN Edge has an MPLS WAN transport with an IP address of 172.16.1.1 and joins the SD-WAN fabric over the internet after being NAT'd, STUN will be used for the WAN Edge to detect that it is behind NAT. It will advertise TLOC routes containing attributes of both its public and private IP addresses. If the MPLS WAN transport is using a public color, then other WAN Edges will try to form the data plane towards the public IP address. Of course, this is usually not desirable; you would usually want to build tunnels between two sites on an MPLS WAN using the private IP address. If there is a use case for two WAN Edges, each using a private color, to form tunnels using public IP addresses, the TLOC carrier option can be used, so there is not really a case for using a public color for an MPLS WAN transport. If using an MPLS WAN in a hub-and-spoke topology, the public IP address would likely reside at the DC internet edge, and making this work would require some form of hairpin and possibly firewall rules at the DC, etc. But that all depends on the topology.

If you have multiple sites each with a single WAN Edge router and two WAN circuit connections, you may want to use the TLOC restrict option which means that a WAN Edge can only establish a tunnel to another WAN Edge if the colors match. You can also use tunnel groups or a combination of both. This comes back to traffic engineering and topology/flow enforcement.

My post is a bit all over the place and has gone on wild tangents, but hopefully it just gives some pointers on what to read further on, or at least sparks some further questions perhaps.

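To make the rules in the accepted answer concrete, here is a small Python model of which data plane tunnels a set of TLOCs will attempt and which transport IP each side dials. This is an added example, not code from the original post or from Cisco; the fabric (three WAN Edges, their system IPs, colors and pre/post-NAT addresses) is constructed for illustration, and the rules it encodes are the ones stated above: by default every TLOC tries every other WAN Edge's TLOC whatever its color, `restrict` limits a TLOC to same-color peers, IPsec and GRE TLOCs do not pair with each other, and a peer is dialled on its private transport IP only when both colors are private ('mpls', 'metro-ethernet', 'private1' to 'private6'), otherwise on the public, Validator/STUN-learned IP. Tunnel groups are not modelled.

```python
"""Model of SD-WAN data-plane tunnel formation driven by TLOC color.

Illustrative only, not Cisco code. The sample fabric below is constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

# Colors the SD-WAN fabric treats as private; every other color is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}


def is_private_color(color: str) -> bool:
    return color.lower() in PRIVATE_COLORS


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    private_ip: str          # address on the transport interface (pre-NAT)
    public_ip: str           # post-NAT address learned via the Validator (STUN)
    encap: str = "ipsec"     # "ipsec" or "gre"
    restrict: bool = False   # 'restrict' set on the tunnel-interface

    @property
    def key(self) -> Tuple[str, str]:
        return (self.system_ip, self.color)


def tunnel_allowed(a: Tloc, b: Tloc) -> bool:
    """Default is full mesh across colors; 'restrict' on either side needs equal colors."""
    if a.system_ip == b.system_ip:
        return False            # a WAN Edge does not tunnel to its own TLOCs
    if a.encap != b.encap:
        return False            # IPsec and GRE TLOCs never pair up
    if (a.restrict or b.restrict) and a.color != b.color:
        return False
    return True


def destination_ip(local: Tloc, remote: Tloc) -> str:
    """Address 'local' dials for 'remote': private only if both colors are private."""
    if is_private_color(local.color) and is_private_color(remote.color):
        return remote.private_ip
    return remote.public_ip


def compute_tunnels(tlocs: List[Tloc]) -> Dict[Tuple[Tuple[str, str], Tuple[str, str]], Tuple[str, str]]:
    """Map each attempted tunnel (a.key, b.key) to (ip that a dials, ip that b dials)."""
    tunnels = {}
    for a, b in combinations(tlocs, 2):
        if tunnel_allowed(a, b):
            tunnels[(a.key, b.key)] = (destination_ip(a, b), destination_ip(b, a))
    return tunnels


# Constructed sample fabric (assumed addresses, not from the thread):
# sites 1 and 2 have MPLS (restrict) plus NAT'd biz-internet; site 3 has one
# public-internet link with no NAT in front of it.
SAMPLE_TLOCS = [
    Tloc("10.0.0.1", "mpls",            "172.16.1.1",  "172.16.1.1",    restrict=True),
    Tloc("10.0.0.1", "biz-internet",    "192.168.1.2", "203.0.113.10"),
    Tloc("10.0.0.2", "mpls",            "172.16.2.1",  "172.16.2.1",    restrict=True),
    Tloc("10.0.0.2", "biz-internet",    "192.168.2.2", "198.51.100.20"),
    Tloc("10.0.0.3", "public-internet", "192.0.2.30",  "192.0.2.30"),
]


def mpls_peer_destination(color: str) -> str:
    """The 'public color on an MPLS transport' pitfall from the answer.

    Site 1's MPLS interface holds 172.16.1.1 but reached the Validator through a
    NAT, so its TLOC route also carries public IP 203.0.113.10 (assumed value).
    Site 2's MPLS TLOC dials the private address only if both use a private color.
    """
    site1 = Tloc("10.0.0.1", color, "172.16.1.1", "203.0.113.10")
    site2 = Tloc("10.0.0.2", color, "172.16.2.1", "172.16.2.1")
    return destination_ip(site2, site1)


if __name__ == "__main__":
    for (a, b), (a_dials, b_dials) in compute_tunnels(SAMPLE_TLOCS).items():
        print(f"{a} <-> {b}: {a[0]} dials {a_dials}, {b[0]} dials {b_dials}")
    print("MPLS colored 'mpls':", mpls_peer_destination("mpls"))
    print("MPLS colored 'gold':", mpls_peer_destination("gold"))
```

Running it shows four tunnels: mpls-to-mpls between sites 1 and 2 on the 172.16.x.x addresses, and three internet tunnels (site 1 to site 2, and each of them to site 3) on public addresses, while the restricted MPLS TLOCs never attempt the internet-colored peers. The last two lines show the pitfall: recoloring the MPLS transport 'gold' makes the remote side dial 203.0.113.10 instead of 172.16.1.1.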

4 Replies

You have two vEdges, each one with two WANs.

SD-WAN builds IPsec between these two vEdges; how can you control that?

Does the MPLS WAN only build IPsec with the MPLS WAN of the remote peer?

Here come the benefits of color: it lets you control which WAN can build IPsec with which other WAN.

MHM

Colours are just a tag which you apply to your interface, such as mpls, internet, etc. They do not need to match between routers for basic connectivity, but, this said, say you have two routers and they want to form a DTLS/TLS tunnel over a specific transport; they must be able to resolve each other's TLOC routes with matching colours. The colour helps in path selection when applying policies like "prefer the mpls over the biz-internet".

ref: https://www.networkacademy.io/ccie-enterprise/sdwan/tloc-color-and-carrier and https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io


AIG
Level 1

I recall when I wanted to extend my SD-WAN fabric on EVE-NG to the cloud, where I had to assign a public IP address to each controller because they were behind a NAT device. The WAN Edge on-premises failed to establish a DTLS connection with the Azure virtual router because I was using the wrong colours. I was able to solve it only when I changed the colour to biz-internet and public-internet accordingly.