
route leaking between vpn's via topology

dijix1990
VIP Alumni

I have route leaking between VPNs via topology - action "export to".

Leaking between VPN1 (HUB DC) and VPNs 10-11,13,15 (BRANCHES):

  vpn-list VPN-export-from-Branch-to-DC
   vpn 10-11
   vpn 13
   vpn 15

  vpn-list VPN-export-from-DC-to-Branch
   vpn 1

  vpn-list VPN-import-to-Branch
   vpn 10-11
   vpn 13
   vpn 15

  vpn-list VPN-import-to-DC
   vpn 1

 control-policy Topology-vpn-export-from-DC-to-branch
    sequence 1
     match route
      vpn-list VPN-export-from-DC-to-Branch
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN-import-to-Branch
     !
    !
  default-action accept
 
 control-policy Topology-vpn-export-from-branch-to-DC
    sequence 1
     match route
      vpn-list VPN-export-from-Branch-to-DC
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN-import-to-DC
     !
    !
  default-action accept

and it works as expected. Some days ago I wanted to add a new sequence for VPN16, but the new sequence 11 doesn't work.

 control-policy Topology-vpn-export-from-DC-to-branch
    sequence 1
     match route
      vpn-list VPN-export-from-DC-to-Branch
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN-import-to-Branch
     !
    !
    sequence 11
     match route
      vpn-list VPN-export-from-DC-to-Branch
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN16-Branch-WiFi
     !
    !
  default-action accept
 !
 
 control-policy Topology-vpn-export-from-branch-to-DC
    sequence 1
     match route
      vpn-list VPN-export-from-Branch-to-DC
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN-import-to-DC
     !
    !
    sequence 11
     match route
      vpn-list VPN16-Branch-WiFi
      prefix-list _AnyIpv4PrefixList
     !
     action accept
      export-to vpn-list VPN-import-to-DC
     !
    !
  default-action accept
 !

Why does this happen? Can't I use several sequences for leaking? If I add vpn16 to the vpn-lists VPN-export-from-Branch-to-DC and VPN-import-to-Branch, leaking works.

 

Accepted Solution

Mmmm OK @dijix1990 

So, you need to adjust the configuration to avoid overlapping matches in sequence 1 and sequence 11.

One approach is to use more specific criteria in sequence 11, such as a dedicated vpn-list or prefix-list for VPN16, ensuring it does not overlap with VPN1 routes processed in sequence 1.

Alternatively, you can split the handling of VPN1 into separate vpn-lists, one for VPN10-11,13,15 and another for VPN16, ensuring each sequence has its own distinct route set to process. This will ensure that sequence 11 gets evaluated for VPN16-specific traffic without interference from sequence 1.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


5 Replies

M02@rt37
VIP

Hello @dijix1990 

Control policies process sequences in the order they are configured. If a route matches the criteria in an earlier sequence, the corresponding action is executed, and subsequent sequences are ignored.

So, in your case, routes matching sequence 1 in the Topology-vpn-export-from-DC-to-branch policy are handled there, so they do not reach sequence 11. This behavior is expected in policy-based configurations.

Additionally, the problem arises because vpn16 is not explicitly included in the VPN-export-from-Branch-to-DC or VPN-import-to-Branch lists. As a result, vpn16 does not match the export-to operation unless it is specifically added to the vpn-list used in sequence 1. If the VPN lists in sequence 1 already handle routes intended for vpn16, adding a new sequence for it will not work unless the sequence logic is adjusted.

When you add vpn16 to existing VPN lists like VPN-export-from-Branch-to-DC and VPN-import-to-Branch, it becomes part of the matching process in sequence 1. Therefore, the export-to action works without needing a separate sequence for vpn16. This approach works because the route-leaking logic applies to all VPNs in the lists, including vpn16.

You need to adjust the matching criteria in the new sequence. This can involve using a specific vpn-list for vpn16 that does not overlap with the lists used in sequence 1. You can also modify the prefix-list or ensure that vpn16 routes do not match earlier sequences. By doing so, vpn16 can be processed independently without being handled by sequence 1.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

It's strange logic, because it's not the same sequence:

Vpn 10-11,13,15 + vpn 1

And

Vpn 16 + vpn 1

For me it's not normal logic; the match criteria are different.

For data policy I can use different sequences and it works correctly.


Sorry, why do you use the term leaking?

Leaking is done in the same router; in SD-WAN between two peers there is no leaking:
VPN x - OMP - VPN y

OMP, how can I call it, is universal: through it we can receive prefixes from a different VPN.

And for the issue, try changing the order.
MHM

It's the same process; it happens on the vSmart, all prefixes from one VPN are exported to another VPN.