SDWAN OMP Mutual Route Leaking Issue

spenc02
Level 1

I am attempting to leak routes from my employee VPN to the IOT VPN and vice versa. It is working without issue on the first sequence; however, I cannot get the second sequence (IOT to EMP) to function. I've tried to simply leak routes from IOT to EMP using the same logic as EMP to IOT, but for some reason it fails. I have tried with and without a prefix-list to the same result.

 

control-policy leak-routes-v12
  sequence 1
   match route
    prefix-list DC-SERVICES
    vpn-list    EMP
   !
   action accept
    export-to
     vpn-list IOT
   !
  !
  sequence 11
   match route
    prefix-list IOT-SEGMENTS
    vpn-list    IOT
   !
   action accept
    export-to
     vpn-list EMP
   !
  !
  default-action accept
!
apply-policy
 site-list DC
  control-policy leak-routes-v12 in

11 Replies

show omp routes <- share this and point out which subnet you are leaking between the two VPNs

MHM

I couldn't paste the relevant output in the reply for some reason, but have attached it here.

Hi,

Share the outputs below from vSmart:

show omp routes vpn 10
show omp routes vpn 20

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

The routes to be leaked are present in their native VPN on the vSmart controller; however, they are not present in the destination VPN and are not present in the "show omp routes vpn 20 advertised" output.

You should have three control policies:

DC-IN, this should match VPN10 / DC services prefixes > export to VPN20

DC-OUT, this should match VPN20 / IOT prefixes > export to VPN10
HQ-OUT, this should match VPN20 / IOT prefixes > export to VPN10

The problem is that even though you have the route in VPN 20 on DC, vSmart only exports routes it received from the DC routers; however, these IOT routes are coming from other sites. Your policy tells vSmart that if it receives routes matching the IOT prefixes from DC, then export them to VPN10 (however, there is no such route).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

The control policy always has to be inbound to the DC site (or, more accurately, where vSmart resides) for route leaking, unless I'm missing something?

It also doesn't work when I set up a single leak policy to leak from IOT to EMP, but the other direction works without issue. In the topology policy I'm just reversing the "match" and "export-to" VPNs, yet it doesn't work when I try IOT to EMP but works fine from EMP to IOT.


Inter-service VPN leaking in the same site.

Try:

vpn 10
 route-import-service from vpn20

If it does not work, open a TAC case.

MHM

Are your IOT routes originated from DC, or what?

Reversing match and export does not mean that it will work. The important point here is which updates you export. Based on your policy, vSmart exports only routes coming from DC. From DC you have only DC prefixes, not IOT, haven't you?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

The IOT VPN does not exist on the DC cEdges so there are no routes from that site. Only branches and HQ site have IOT routes.

 

policy
 lists
  vpn-list vpn-list-emp
   vpn 10
  !
  vpn-list vpn-list-iot
   vpn 20
  !
  site-list DC
   site-id 2
  !
  site-list NONDCSITES
   site-id 1
   site-id 4
   site-id 5
  !
  prefix-list iot-prefixes
   ip-prefix 10.1.101.0/24
   ip-prefix 10.4.101.0/24
   ip-prefix 10.5.101.0/24
  !
 control-policy iot-to-emp-leak-v1
  sequence 1
   match route
    prefix-list iot-prefixes
    vpn-list vpn-list-iot
   !
   action accept
    export-to
     vpn-list vpn-list-emp
   !
  default-action accept
 !
apply-policy
 site-list DC
  control-policy iot-to-emp-leak-v1 in

I now understand what you were saying and found some additional insights on a blog post. It's now working. Thanks for your assistance!

For anyone who stumbles upon this, this is the working policy:

 

policy
 lists
  vpn-list vpn-list-emp
   vpn 10
  !
  vpn-list vpn-list-iot
   vpn 20
  !
  site-list NONDCSITES
   site-id 1
   site-id 4
   site-id 5
  !
  prefix-list default-only
   ip-prefix 0.0.0.0/0
  !
  prefix-list iot-prefixes
   ip-prefix 10.1.101.0/24
   ip-prefix 10.4.101.0/24
   ip-prefix 10.5.101.0/24
  !
 !
 control-policy iot-to-emp-leak-v1
  sequence 1
   match route
    prefix-list iot-prefixes
    vpn-list vpn-list-iot
   !
   action accept
    export-to
     vpn-list vpn-list-emp
   !
  !
  default-action accept
 !
!
apply-policy
 site-list NONDCSITES
  control-policy iot-to-emp-leak-v1 in

That is why I mentioned inter-service VPN leaking in the same site (DC).

Now it is clear, and your solution is OK.

You apply this policy to all sites with direction IN.

The prefix is exported in vSmart from VPN-x to VPN-y.

Glad issue solved 

Have a nice weekend 

MHM
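The point the accepted answer makes, and that the working policy confirms, is that an inbound control policy on vSmart is evaluated only against the OMP updates vSmart receives from the sites in the site-list it is applied to, so an IOT-to-EMP leak applied "in" at DC never sees the VPN 20 routes that originate at the branches and HQ. The following is an added model of that evaluation, written for this page; it is not Cisco code and not the poster's configuration. The OMP routes, the DC-SERVICES prefix contents and the site-to-VPN layout (site 2 = DC with VPN 10 only, sites 1/4/5 = branches/HQ carrying VPN 20) are constructed to mirror the thread, and the export-to semantics are a simplification (exact-prefix match, default-action accept, first matching sequence wins).

```python
"""Model of how vSmart evaluates an inbound control policy for inter-VPN
route leaking.  Added illustration for the thread, not Cisco code and not the
poster's configuration.  Assumption modelled: a control policy applied "in"
to a site-list is evaluated only against OMP updates vSmart receives FROM
those sites, and "export-to" copies a matching route into the target VPN.
"""
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

Route = Tuple[int, int, str]   # (site_id, vpn, prefix) as received by vSmart
Leaked = Set[Tuple[int, str]]  # (vpn, prefix) entries created by export-to

# Constructed OMP table mirroring the thread (site IDs from the posted site-lists).
OMP_RECEIVED: List[Route] = [
    (2, 10, "10.2.10.0/24"),   # DC services in employee VPN 10 (constructed prefixes)
    (2, 10, "10.2.20.0/24"),
    (1, 20, "10.1.101.0/24"),  # IOT segments from the posted iot-prefixes list
    (4, 20, "10.4.101.0/24"),
    (5, 20, "10.5.101.0/24"),
    (1, 10, "10.1.10.0/24"),   # a branch employee subnet that must not be leaked
]

LISTS: Dict[str, dict] = {
    "vpn-list": {"vpn-list-emp": {10}, "vpn-list-iot": {20}},
    "site-list": {"DC": {2}, "NONDCSITES": {1, 4, 5}},
    "prefix-list": {
        "iot-prefixes": ["10.1.101.0/24", "10.4.101.0/24", "10.5.101.0/24"],
        "DC-SERVICES": ["10.2.10.0/24", "10.2.20.0/24"],  # assumed contents
    },
}

# One sequence: match route {prefix-list, vpn-list} -> action accept export-to.
Sequence = Dict[str, str]
EMP_TO_IOT: Sequence = {"prefix_list": "DC-SERVICES", "vpn_list": "vpn-list-emp",
                        "export_to": "vpn-list-iot"}
IOT_TO_EMP: Sequence = {"prefix_list": "iot-prefixes", "vpn_list": "vpn-list-iot",
                        "export_to": "vpn-list-emp"}


def prefix_matches(prefix: str, plist: List[str]) -> bool:
    """`ip-prefix a.b.c.d/n` without le/ge matches only that exact prefix."""
    net = ip_network(prefix)
    return any(net == ip_network(p) for p in plist)


def apply_control_policy(sequences: List[Sequence], applied_sites: Set[int],
                         received: List[Route]) -> Leaked:
    """Return the (vpn, prefix) entries that export-to creates.

    Default-action accept is assumed (as in every policy in the thread), so a
    non-matching route is simply left in the VPN it was received in.
    """
    leaked: Leaked = set()
    for site, vpn, prefix in received:
        # The crux of the thread: an "in" policy on site-list X only ever sees
        # updates vSmart received FROM sites in X.  Routes learned from other
        # sites are never candidates, whatever their VPN or prefix.
        if site not in applied_sites:
            continue
        for seq in sequences:
            in_vpn = vpn in LISTS["vpn-list"][seq["vpn_list"]]
            in_plist = prefix_matches(prefix, LISTS["prefix-list"][seq["prefix_list"]])
            if in_vpn and in_plist:
                for target_vpn in LISTS["vpn-list"][seq["export_to"]]:
                    leaked.add((target_vpn, prefix))
                break  # first matching sequence wins
    return leaked


def leaked_into(vpn: int, leaked: Leaked) -> List[str]:
    """Prefixes that appear in `vpn` only because of export-to."""
    return sorted(p for v, p in leaked if v == vpn)


def original_policy_at_dc() -> Leaked:
    """The first policy in the thread: both sequences applied `in` at site-list DC."""
    return apply_control_policy([EMP_TO_IOT, IOT_TO_EMP],
                                LISTS["site-list"]["DC"], OMP_RECEIVED)


def working_policy() -> Leaked:
    """The accepted fix: IOT->EMP applied `in` at NONDCSITES, i.e. at the
    sites that actually originate the VPN 20 routes."""
    return apply_control_policy([IOT_TO_EMP],
                                LISTS["site-list"]["NONDCSITES"], OMP_RECEIVED)


if __name__ == "__main__":
    dc = original_policy_at_dc()
    print("applied at DC:         VPN20 gains", leaked_into(20, dc),
          "| VPN10 gains", leaked_into(10, dc))
    ok = working_policy()
    print("applied at NONDCSITES: VPN10 gains", leaked_into(10, ok))
```

Running it shows the symptom from the first post (EMP-to-IOT leaks the DC prefixes into VPN 20, IOT-to-EMP leaks nothing because no VPN 20 update ever arrives from site 2) and the fix (the same IOT-to-EMP sequence applied at NONDCSITES leaks exactly the three IOT segments into VPN 10 while leaving the branch VPN 10 subnet alone). For a mutual leak, each direction has to be applied inbound to the sites that originate the routes being matched, or the combined policy applied to all sites as the last reply says.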