11-09-2020 09:37 AM
Hello Friends,
In one of our customer SD-WAN environments they have all controllers in the cloud. On their DC SD-WAN router they have configured max-control-connections 2 on the MPLS tunnel. If we change it to max-control-connections 0 in the live environment, will this change impact live traffic from remote sites reaching the DC? Can we do this without taking a maintenance window? Kindly share your experience.
Regards
Amit
11-10-2020 04:22 PM
Hi,
I have tested this in my lab environment:
The BR1 router has 2 TLOCs (mpls & biz-internet).
BR1-RTR1# show control connections
PEER     PEER  PEER        SITE  DOMAIN  PEER           PEER PRIV  PEER           PEER PUB                                            CONTROLLER
TYPE     PROT  SYSTEM IP   ID    ID      PRIVATE IP     PORT       PUBLIC IP      PORT      LOCAL COLOR   PROXY  STATE  UPTIME      GROUP ID
-----------------------------------------------------------------------------------------------------------------------------------------------
vsmart   dtls  172.16.1.2  1     1       100.100.100.2  12446      100.100.100.2  12446     mpls          No     up     0:00:00:57  0
vsmart   dtls  172.16.1.2  1     1       100.100.100.2  12446      100.100.100.2  12446     biz-internet  No     up     0:00:00:58  0
vbond    dtls  0.0.0.0     0     0       100.100.100.1  12346      100.100.100.1  12346     mpls          -      up     0:00:00:58  0
vbond    dtls  0.0.0.0     0     0       100.100.100.1  12346      100.100.100.1  12346     biz-internet  -      up     0:00:00:58  0
vmanage  dtls  172.16.1.3  1     0       100.100.100.3  12646      100.100.100.3  12646     biz-internet  No     up     0:00:01:01  0
I have service VPN number 20 and this is its RIB. One of the other site's routes is 10.100.2.0/29 and it is reachable over the mpls TLOC (and only over it).
BR1-RTR1# sh ip route vpn 20
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive, L -> import
                               PROTOCOL  NEXTHOP   NEXTHOP  NEXTHOP
VPN  PREFIX         PROTOCOL   SUB TYPE  IF NAME   ADDR     VPN      TLOC IP       COLOR         ENCAP  STATUS
--------------------------------------------------------------------------------------------------------------
20   10.10.20.0/24  connected  -         ge0/2.20  -        -        -             -             -      F,S
20   10.20.20.0/24  omp        -         -         -        -        172.16.20.1   biz-internet  ipsec  F,S
20   10.100.2.0/29  omp        -         -         -        -        172.16.100.1  mpls          ipsec  F,S
I have changed the interface template config for only this branch (BR1) so that max-control-connections is 0 for the mpls TLOC.
vpn 0
 interface ge0/1
  ip address 150.150.150.11/24
  tunnel-interface
   encapsulation ipsec
   group 200
   color mpls
   max-control-connections 0
Before changing the template settings I ran a ping from this router to the remote subnet; the subnet was reachable before the change, while the change was being processed, and after the change.
BR1-RTR1# ping vpn 20 10.100.2.1 source ge0/2.20
Ping in VPN 20
PING 10.100.2.1 (10.100.2.1) from 10.10.20.254 : 56(84) bytes of data.
64 bytes from 10.100.2.1: icmp_seq=1 ttl=64 time=47.9 ms
64 bytes from 10.100.2.1: icmp_seq=2 ttl=64 time=14.3 ms
[others omitted]
^C
--- 10.100.2.1 ping statistics ---
235 packets transmitted, 235 received, 0% packet loss, time 234322ms
rtt min/avg/max/mdev = 12.091/40.535/70.548/8.119 ms
As you see, packet loss is 0%, so this configuration does not influence the data plane.
I use version 20.3.1 for the vEdge and controllers. Most probably it acts like this in all versions; even the documentation doesn't note that there may be a traffic interruption while changing this value to 0. Below is the document link:
HTH,
11-11-2020 10:39 AM
Hey Kanan,
First, thanks for replying. Just a little more to update in my case: I already have "max-control-connections 2" configured in the DC and I want to change it to "max-control-connections 0" in the DC. I am a little worried about traffic coming to the DC from remote sites, as the remote-to-DC internet ("public internet") tunnel is also up. Changing it in the DC hopefully won't affect the internet tunnels already formed from the remote sites to the DC, through which user traffic reaches the DC.
Thanks & Regards
Amit.
11-11-2020 12:12 PM
Hi,
Just one question: do you have only one TLOC, and that is internet? If yes, why do you want max-control-connections to be 0?
Regards,
11-11-2020 11:21 PM
No Kanan, it is not like that. Let me brief you about the setup:
1- Every remote site has 1 MPLS tunnel and 1 or 2 internet tunnels.
2- In the DC we have dual SD-WAN routers on which both TLOCs are terminated (on DC-RTR1: 1 MPLS & 1 Public Internet; on DC-RTR2: 1 MPLS & 1 Public Internet), through VLANs, and all WAN redundancy is taken care of at the ISP level.
3- Somehow on the DC SD-WAN routers max-control-connections is set to 2 on the MPLS tunnel and I have to change it to 0.
4- Our controllers are in the cloud and accessible through the internet.
5- I want to change max-control-connections configured on the DC SD-WAN router MPLS tunnel from 2 to 0.
6- I just want to know whether changing max-control-connections on the DC MPLS tunnel would impact traffic coming over the internet tunnel from remote sites, and whether a site could get isolated.
Regards
Amit
11-12-2020 08:42 AM
Hi,
In my lab I had 2 TLOCs at one site (mpls & internet) and one TLOC (mpls) at another site. I changed the mpls TLOC's max-control-connections value to 0 and traffic still flowed. It looks like this value does not have an impact on the tunnels' data plane. In general, if there may be a traffic interruption after applying a command, Cisco notes this in the command documentation. If you still have doubts, it is better to open a support case with Cisco.
HTH,
11-12-2020 11:45 PM
Kanan, I have asked the client to schedule DT for changing max-control-connections. Thanks for your concern & support; I will update you accordingly.
Regards
Amit
11-27-2020 10:46 AM
Since it is a control connection, it will not affect any of your (IPsec) tunnel data-plane traffic, so don't worry about user connectivity.
Secondly, you have MPLS and Internet; I assume control connections are up on both TLOCs. If so, there will not be any impact on control connections either. So you can declare it a non-impact change and proceed with your activity.
Once you make max-control-connections 0 on the MPLS interface, it will not form control connections to the SD-WAN controllers via the MPLS TLOC.
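The two things the last reply asks you to confirm before calling this a non-impact change (control connections are up on the other colour, and the change touches only the control plane) can be checked from the router's own show output. The script below is an added example, not code from any post in this thread or from Cisco: it parses the text of "show control connections" and "show ip route vpn 20" (the sample strings are constructed from Kanan's lab output above) and reports whether the router would keep a vSmart and a vManage connection on a remaining colour once max-control-connections 0 drops the connections on the named colour, plus which OMP prefixes are currently forwarded over that colour so they can be re-checked afterwards. Column positions are those of the 20.x vEdge output shown in the thread; run it once per DC router.

```python
"""Pre-change check for max-control-connections 0 on one TLOC colour.

Added example (not from the thread or from Cisco). Parses vEdge text output
and answers: after control connections on COLOR are gone, is the router still
reachable by a vSmart and a vManage over another colour?  It also lists the
OMP prefixes currently forwarded over COLOR; their data plane is not affected
by the setting, but they are the routes to ping after the change.
"""
from dataclasses import dataclass

# Constructed sample, copied from the lab output quoted in the thread.
SHOW_CONTROL_CONNECTIONS = """\
vsmart dtls 172.16.1.2 1 1 100.100.100.2 12446 100.100.100.2 12446 mpls No up 0:00:00:57 0
vsmart dtls 172.16.1.2 1 1 100.100.100.2 12446 100.100.100.2 12446 biz-internet No up 0:00:00:58 0
vbond dtls 0.0.0.0 0 0 100.100.100.1 12346 100.100.100.1 12346 mpls - up 0:00:00:58 0
vbond dtls 0.0.0.0 0 0 100.100.100.1 12346 100.100.100.1 12346 biz-internet - up 0:00:00:58 0
vmanage dtls 172.16.1.3 1 0 100.100.100.3 12646 100.100.100.3 12646 biz-internet No up 0:00:01:01 0
"""

# Constructed sample, copied from "show ip route vpn 20" in the thread.
SHOW_IP_ROUTE_VPN20 = """\
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
20 10.10.20.0/24 connected - ge0/2.20 - - - - - F,S
20 10.20.20.0/24 omp - - - - 172.16.20.1 biz-internet ipsec F,S
20 10.100.2.0/29 omp - - - - 172.16.100.1 mpls ipsec F,S
"""

CONTROLLER_TYPES = ("vsmart", "vmanage", "vbond")


@dataclass(frozen=True)
class ControlConn:
    peer_type: str
    system_ip: str
    color: str
    state: str


@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    protocol: str
    tloc_ip: str
    color: str
    status: str


def parse_control_connections(text: str) -> list[ControlConn]:
    """Rows are: type prot system-ip site domain priv-ip priv-port pub-ip
    pub-port local-color proxy state uptime group-id (14 whitespace fields)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0] not in CONTROLLER_TYPES:
            continue  # header, separator or blank line
        conns.append(ControlConn(peer_type=f[0], system_ip=f[2], color=f[9], state=f[11]))
    return conns


def parse_routes(text: str) -> list[Route]:
    """Rows are: vpn prefix protocol sub-type if-name nh-addr nh-vpn tloc-ip
    color encap status (11 fields; empty columns are printed as '-')."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11 or not f[0].isdigit():
            continue  # header or codes legend
        routes.append(Route(vpn=int(f[0]), prefix=f[1], protocol=f[2],
                            tloc_ip=f[7], color=f[8], status=f[10]))
    return routes


def assess_change(conn_text: str, route_text: str, color: str) -> dict:
    """Predict the effect of 'max-control-connections 0' on TLOC `color`."""
    conns = parse_control_connections(conn_text)
    routes = parse_routes(route_text)
    # Connections on the target colour will no longer be formed.
    lost = [c for c in conns if c.color == color and c.state == "up"]
    # Management survives only if vSmart and vManage are still up elsewhere;
    # vBond sessions are transient, so they are not required here.
    remaining = [c for c in conns if c.color != color and c.state == "up"]
    have = {t: any(c.peer_type == t for c in remaining) for t in ("vsmart", "vmanage")}
    # OMP routes over this colour: data plane is untouched, but verify after.
    over_color = [r.prefix for r in routes if r.protocol == "omp" and r.color == color]
    return {
        "management_retained": all(have.values()),
        "missing_after_change": sorted(t for t, ok in have.items() if not ok),
        "lost_connections": [(c.peer_type, c.system_ip) for c in lost],
        "omp_prefixes_over_color": over_color,
    }


if __name__ == "__main__":
    result = assess_change(SHOW_CONTROL_CONNECTIONS, SHOW_IP_ROUTE_VPN20, "mpls")
    for key, value in result.items():
        print(f"{key}: {value}")
```

If "management_retained" is False for either DC router, the change is not safe as planned: that router would stay forwarding IPsec traffic but would no longer receive OMP updates or template pushes, so fix the other colour's control connections first (or keep a non-zero value on MPLS). Paste the real show output in place of the two constructed strings.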