
SD-WAN Real world problem (DMVPN would do better?..)

Hi dears,

we have a production environment where we have deployed the cool technology SDWAN (it is indeed cool).

Attached you will find a topology which illustrates our network. As you see, there are 2 main sites where 2 routers are deployed, and both have connections to both transports (mpls/biz-internet). The branch has only one connection, which is MPLS.
We get a default route and the site1 aggregated route from site1 routers via vSmart. We get 2 aggregated routes from site2 routers via vSmart, as in normal deployments. (Note: ignore the aggregated routes while thinking; let's take it easy: just the default route from site1.)
But if site1 loses its mpls transport (if the SP links go down, both site1 routers lose MPLS transport), then the branch can't access the internet (no default route).
So, to make redundancy (somehow), we want to send traffic to site2 (via mpls) and it will send it to site1 (via biz-internet); this is when a failure occurs on the site1 mpls transport.
Actually, I have tried (in the lab) to do a centralized policy via vSmart. The policy is applied in the outbound direction to the branch and changes the default route TLOC to site2 mpls TLOCs with backup tloc-action.
So, basically, traffic should be sent to site1, and if it is down, traffic will be sent to site2. However, this does not seem to work due to different TLOC colors (from the branch to site2 (intermediate node) the color is "mpls"; from site2 (intermediate) to site1 (ultimate) the color is "biz-internet"). This is described in this documentation:
"Note: tloc-action is only supported end-to-end if the transport color is the same from a site to the intermediate hop and from the intermediate hop to the final destination. If the transport used to get to the intermediate hop from a site is a different color than the transport used from the intermediate hop to get to the final destination, then this will cause an issue with tloc-action."
Does anyone have another way to implement a policy to overcome this issue? Honestly, I have read several docs and seen a Cisco Live session, and it seems our way is the only one. And the disappointing point is that there is such a restriction (and technically why it exists, I can't understand). Despite SDWAN having excellent techniques (cloud based, application based routing), it lacks a simple TE feature. We opened a case and TAC approved that this way of implementation will work. Since TAC does not give design solutions, I decided to ask here.
Btw and honestly, by implementing DMVPN we would get better TE options. ;))
If anyone has a suggestion, I kindly ask you to note it. Thanks in advance!



This is one of the reasons I would personally prefer good old BGP MPLS (over DMVPN if encryption is required), which does not have such a strict limitation.


Even after creating this topic, I have played a bit. And I found a solution.

The solution is simple: don't use any tloc-action (which results in a strict tloc-action), but in the TLOC list add all TLOCs (both intermediate and ultimate destination). Preference will be based on the TLOC preference value which is sent while the route is advertised.

Sorry, SDWAN, you are indeed better than DMVPN.


I kindly ask the moderators not to delete the topic; maybe it will be useful for someone else.


Hi Kanan, 


Sorry, I noticed your post too late. Indeed, "set tloc-list" is an option here for your task. I just want to ask you to be careful with "set tloc-list"; a typical pitfall is also described in our SD-WAN troubleshooting tech notes:


Hi ekhabaro,

thank you for your comment. I kindly ask you to re-read the topic. I already described that tloc-action with backup will not work due to different colors from the source to the intermediate and from the intermediate to the ultimate nodes.

The link provided by you describes another case where both devices announce the route. In our case only one site announces the route.


Btw, I already shared the solution I found.




Hi Kanan, yes I understand, I was rather referring to the following:


but in TLOC list add all TLOCs (both intermediate and ultimate destination)


I haven't seen your policy, just guessing, but "set tloc-list" is usually considered dangerous if improperly applied; this is the key message.
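To make Kanan's solution and ekhabaro's caution concrete, here is an added vSmart centralized control policy in the shape the thread describes; it is not Kanan's actual policy or Cisco's own text. Assumed values: the branch is site-id 30, the site1 routers have system IPs 10.1.0.1 and 10.1.0.2, the site2 routers 10.2.0.1 and 10.2.0.2, all reachable by the branch only over color mpls. No tloc-action is set; the site1 mpls TLOCs (ultimate destination) carry the higher preference and the site2 mpls TLOCs (intermediate hop) the lower one, so the branch only falls back to site2 once the site1 mpls TLOCs disappear from vSmart.

```text
policy
 lists
  site-list BRANCH-SITES
   site-id 30
  !
  prefix-list DEFAULT-ROUTE
   ip-prefix 0.0.0.0/0
  !
  tloc-list DEFAULT-VIA-SITE1-THEN-SITE2
   tloc 10.1.0.1 color mpls encap ipsec preference 200
   tloc 10.1.0.2 color mpls encap ipsec preference 200
   tloc 10.2.0.1 color mpls encap ipsec preference 100
   tloc 10.2.0.2 color mpls encap ipsec preference 100
  !
 !
 control-policy BRANCH-DEFAULT-ROUTE
  sequence 10
   match route
    prefix-list DEFAULT-ROUTE
   !
   action accept
    set
     tloc-list DEFAULT-VIA-SITE1-THEN-SITE2
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list BRANCH-SITES
  control-policy BRANCH-DEFAULT-ROUTE out
 !
!
```

Because set tloc-list replaces the advertised next hops outright, a listed TLOC that cannot itself forward the prefix (here, a site2 router that has lost its own biz-internet path to site1) still attracts branch traffic; that is the kind of misapplication ekhabaro warns about, so verify on the branch that the default route resolves to the expected TLOCs before and during a site1 mpls failure.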
