SD WAN Route leaking on WAN edge routers

Kenneth Goh (Level 1)

[topology diagram attached as an image]

Currently both the cEdge and the vEdge are able to access the internet: both the vEdge and the cEdge can ping 8.8.8.8, sourcing from 172.16.10.10 and 172.16.10.30 respectively. But hosts behind vEdge VPN 10 and cEdge VRF 1 are not able to route to the transit router or to the internet router.

I believe there is a need to leak routes to the global routing table; please help with the needed commands. Thanks in advance!

Kenneth Goh (Level 1)

I am trying to leak routes between the global VRF and service VPNs.

I notice that both the route-replicate and the global-address-family ipv4 commands are missing?

cEdge(config-ipv4)# vrf definition 1
cEdge(config-vrf)# address-family ipv4
cEdge(config-ipv4)# route-replicate from vrf global unicast connected
-----------------------^
syntax error: unknown argument
cEdge(config-ipv4)#

What do you use, CLI-based configuration or a vManage feature template? Are the routers in controller mode, or are they autonomous?

What are the cEdge and vManage versions?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I want to configure it via the CLI, and the cEdge is in CLI mode.

vManage and the vEdges are all on version 20.3.1 and in CLI mode.

cEdge-30#sh version
Cisco IOS XE Software, Version 16.12.04a

Correct me if I am wrong, but isn't route leaking part of the requirement for a client in a service VPN/VRF to be able to route traffic to the transport VPN? So why is this feature not available in an earlier version?
Any working template for cEdge and vEdge for this requirement? There are many onboarding guides online, but I didn't manage to find one that covers routes from a service VPN to the transport VPN.

Normally, you don't need route leaking. It is not natively a "must have" feature. Below is the explanation:

This is because if traffic goes from a local service VPN to any OMP destination (which means a remote service VPN), then the traffic is encapsulated in tunnel headers and sent to the remote TLOC. Examples of this are branch-to-HQ/DC or branch-to-branch traffic.

But if you need direct internet access for internet traffic (for example from a branch directly to the internet), then you will need a direct route towards the VPN0 next hop and, obviously, NAT. Besides the NAT interface and the default route in VPN0, for the service VPN you will need either a NAT DIA route (for cEdge you have shared it, and for vEdge I have shared it in the comments below) or a centralized data policy (match condition and set NAT VPN 0).

Route leaking between the transport (VPN0) and a service VPN is just an additional feature, an enhancement that gives the ability to import some VPN0 routes into a service VPN.

Suppose you have internet and MPLS services on a site. The internet service is just default-route based, while the MPLS service advertises the MPLS sites' underlay (TLOC) IP addresses so that the local site routers can build tunnels/BFD to the remote MPLS sites.
But there is also a service (e.g. DNS) provided by the MPLS provider. If the users need to access this service (without NAT), then you need to leak this service's route (a static route, BGP or OSPF, depending on the PE-CE protocol) into the service VPN, so that user traffic arriving in the service VPN and going to the MPLS service is routed towards the MPLS provider directly (VPN0).

For these kinds of cases you may need route leaking, which was added in 17.3/20.3 to bring more features to Cisco SD-WAN and to cover previously available legacy routing features.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Two points to answer you:

OMP automatically redistributes static and connected subnets.

If you run an IGP in the service VPN, you need to redistribute between the IGP and OMP.

For cEdge I added the following; what would be the equivalent command for vEdge using the CLI?

ip route vrf 1 0.0.0.0 0.0.0.0 172.16.10.1 global
ip route vrf 1 0.0.0.0 0.0.0.0 172.16.20.1 global

Equivalent is:

vpn 1
 ip route 0.0.0.0/0 vpn 0

vpn 0
 ip route 0.0.0.0/0 [next-hop]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Friend, you need NATing, as I mentioned above,

or a static route (leaked route) in the cEdge

and a static route in the transit router.

I prefer first solution.

NATing: I think you are referring to Direct Internet Access, which is another option that allows traffic to route directly to the Internet, but in this case I still want the traffic to route via the existing biz-internet link, where it passes through the transit router and the internet router.

The transit router knows the VPN0 IP (transport).

So we can either NAT the service to VPN0 or make the transit router know the service route.

I prefer the first one, as I mentioned before, because it is more secure and you only need NAT in the cEdge, rather than administering the transit router each time there is a service route that wants to connect.
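The two options compared in the replies above, written out as an added configuration example for the asker's layout (this is not a template from the thread or from Cisco): cEdge at 172.16.10.30 and vEdge at 172.16.10.10 on the 172.16.10.0/24 transport, transit router at 172.16.10.1, cEdge service VRF 1 and vEdge service VPN 10. The interface names, the 10.1.1.0/24 service subnet and the nat-dia-vpn-hop-access-list name (the list name vManage generates for NAT DIA) are assumptions.

```text
!=== cEdge (IOS XE SD-WAN), Option A: NAT DIA, VRF 1 -> VPN0 ===
! The transit router only ever sees the VPN0 address 172.16.10.30,
! so it needs no knowledge of the service prefixes.
interface GigabitEthernet1
 description VPN0 transport toward transit router (name assumed)
 ip address 172.16.10.30 255.255.255.0
 ip nat outside
!
! Global (VPN0) default route toward the transit router.
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
! Service-side traffic is translated to the VPN0 interface address.
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
!
! NAT DIA route: default route in VRF 1 that exits via the global table with NAT.
ip nat route vrf 1 0.0.0.0 0.0.0.0 global
!
!=== cEdge, Option B: static route leak, no NAT (what the asker configured) ===
! The transit router must then also carry a return route for the service
! subnet, e.g. on the transit router:
!   ip route 10.1.1.0 255.255.255.0 172.16.10.30   (10.1.1.0/24 is assumed)
ip route vrf 1 0.0.0.0 0.0.0.0 172.16.10.1 global
!
!=== vEdge (Viptela OS), same as Option A ===
vpn 0
 interface ge0/0
  description VPN0 transport (interface name assumed)
  ip address 172.16.10.10/24
  nat
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.10.1
!
vpn 10
 ! Default route whose next hop is the transport VPN: traffic leaving
 ! through the NAT-enabled vpn 0 interface is translated to 172.16.10.10.
 ip route 0.0.0.0/0 vpn 0
```

Option A keeps the service addressing private to the SD-WAN fabric; Option B exposes each service prefix to the transit router and requires a matching return route there for every leaked prefix.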
