Solved: Re: SD-WAN Routing for reachability end-to-end between two locations

Fabot · ‎12-17-2023

Dear Cisco Community,

Consider the SD-WAN Topology diagram attached here. I need to configure reachability end-to-end between the referred locations. Basically, in site-id 10, it has service VPN 10, and on the other side, on site 20, it has VPN 20. I need configure routing over MPLS and Internet, in such way that users from site-id 10 can communicate with users on site site-id 20.

Therefore, I would like to understand which configuration is missing to achive such goal.

Follow in attachment WAN Edges running-config and some output commands.

Kanan Huseynli · ‎12-18-2023

Hi,

there is an option, but before it I'd like to ask, why you dont put to the same VPN? The same service should be in the same VPNs.

On the other hand, what is meaning to have separate VPN for the same type users, then doing additional technique to connect them?

Indeed, site-id should be different, but VPN ID can be (and should be) the same for the same type users (like corporate to corporate)

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

View solution in original post

Kanan Huseynli · ‎12-18-2023

Hi,

there is an option, but before it I'd like to ask, why you dont put to the same VPN? The same service should be in the same VPNs.

On the other hand, what is meaning to have separate VPN for the same type users, then doing additional technique to connect them?

Indeed, site-id should be different, but VPN ID can be (and should be) the same for the same type users (like corporate to corporate)

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

MHM Cisco World · ‎12-18-2023

the SITE-ID use to make the policy simple (use same Site-ID)
for VPN from VPN10 to VPN20 that need some work
you can config centralize policy to config route leaking between the VPN
https://thetechguy.it/post/09-sdwan-route-leaking/

MHM

Kanan Huseynli · ‎12-18-2023

When site-id is the same, there is no BFD between routers, by default. So, you need different site-ID for different locations /branches etc.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

MHM Cisco World · ‎12-18-2023

get your point thanks
MHM

Fabot · ‎12-18-2023

Solved... Thanks for your assistance!
I just used same VPN service on both sites. Different Site-IDs but the same VPN service (VPN 1).

cEdge-ADM-1# show ip route | begin VPN
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0 0.0.0.0/0 static - ge0/3 192.168.18.1 - - - - F,S
0 10.10.10.10/32 connected - system - - - - - F,S
0 172.16.0.0/24 ospf IA ge0/2 - - - - - -
0 172.16.0.0/24 connected - ge0/2 - - - - - F,S
0 192.168.18.0/24 ospf IA ge0/3 - - - - - -
0 192.168.18.0/24 connected - ge0/3 - - - - - F,S
1 10.10.10.0/24 ospf IA ge0/1 - - - - - -
1 10.10.10.0/24 connected - ge0/1 - - - - - F,S
1 10.11.11.0/24 ospf IA ge0/1 10.10.10.2 - - - - F,S
1 10.12.12.0/24 ospf IA ge0/1 10.10.10.2 - - - - F,S
1 10.20.20.0/24 omp - - - - 20.20.20.20 public-internet ipsec F,S
1 10.21.21.0/24 omp - - - - 20.20.20.20 public-internet ipsec F,S
1 10.22.22.0/24 omp - - - - 20.20.20.20 public-internet ipsec F,S
65528 192.168.0.0/24 connected - loopback65528- - - - - F,S
65530 192.168.0.0/24 connected - loopback65530- - - - - F,S
65530 192.168.1.0/24 connected - loopback65531- - - - - F,S

ADM-1> trace 10.21.21.1
trace to 10.21.21.1, 8 hops max, press Ctrl+C to stop
1 10.11.11.254 0.656 ms 0.979 ms 0.556 ms
2 10.10.10.1 0.989 ms 1.109 ms 1.497 ms
3 10.20.20.1 8.518 ms 1.350 ms 4.079 ms
4 10.20.20.2 2.393 ms 1.335 ms 4.392 ms
5 *10.21.21.1 7.138 ms (ICMP type:3, code:3, Destination port unreachable)

ADM-1>

MHM Cisco World · ‎12-18-2023

Same site-Id

If there is DC with two edge router then both routers use same site-id but these edge routers not interconnect via sdwan' since it in same DC then both interconnect and advertise same service prefix.

Just to clear this point

MHM

Kanan Huseynli · ‎12-18-2023

Yes, that is clear, actually. Site means site, if you have multiple devices if the same site / localtion/branch then they need to have the same site ID.

"allow-same-site-tunnels" under system allows BFD between the same site ID devices, but used only if there is specific reason.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.