Re: SDWAN Overlay-ID questions

brian.holmes · ‎05-04-2023

Does the Overlay-ID need to match between the cEdge and vSmart

Can a single vSmart support multiple Overlay-IDs?

Can a single vManage monitor multiple cEdges with differant Overay-ID's?

Brian Holmes
Verizon

Kanan Huseynli · ‎05-04-2023

Hi,

Control connection and especially OMP stay UP when Overlay-IDs are different between router and vSmart. Even if you have routers with different overlay-ID, then can establish BFD.

But domain-id must match. When domain-id is different, not only OMP but also control connection fails between router and vSmart.

What is interesting, overlay ID is one of the TLOC attributes, when device sends OMP Update, it includes this parameter (it is also informed as Capability both by router and vSmart in OMP Handshake message). However, in "show omp tlocs" it is shown as "not set".

Looks like, OMP routing (best-path) ignores this parameter and is not used in negotiation in path validity (like sanity-check) etc. Even in SD-WAN policies there is no way to match overlay-id and do action.

But even though in OMP table this parameter is marked "not set", vSmart still advertises with normal value.

From my lab, below is Site1 router TLOC on vSmart TLOC table:

tloc entries for 1.1.1.101
biz-internet
ipsec
---------------------------------------------------
RECEIVED FROM: 
peer 1.1.1.101
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 262
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 100.100.100.101
public-port 12346
private-ip 100.100.100.101
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
domain-id not set
site-id 1
overlay-id not set
preference 0
region-id None
mrf-route-originator not set
affinity-group None
tag not set
stale not set
weight 1
version 3
gen-id 0x80000001
carrier default
restrict 0
on-demand 0
groups [ 1000 ]
bandwidth 0
qos-group default-group
border not set
ipv6-strict-control 0
gre-in-udp not set
unknown-attr-len not set

Below is Update to Site2 router from vSmart about Site1 router TLOC (still informs Overlay ID value):

May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[662]: Sent UPDATE message 596 bytes: peer: 1.1.1.201
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[669]: Attribute Length 575
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[776]: Preference (5) Length: 4 Value: 0
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[792]: Weight (6) Length: 4 Value: 1
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[848]: Site-ID (9) Length: 4 Value: 1
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[750]: Overlay-ID (29) Length: 4 Value: 10
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1288]: Originator (12) Length: 4 1.1.1.101
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1011]: TLOCv4 Public (3) Length: 6 100.100.100.101:12346
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1026]: TLOCv4 Private (2) Length: 6 100.100.100.101:12346
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1042]: TLOCv6 Public (21) Length: 18 :::0
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1058]: TLOCv6 Private (20) Length: 18 :::0
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1456]: IPV6-STRICT-CONTROL (49) Length: 1 Value: 0
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[768]: Group (23) Length: 4: Value: Count: 1 List: 1000 
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[800]: Gen-ID (22) Length: 4 Value: 2147483649
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[938]: Carrier (17) Length: 1 Value: 1
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1064]: TLOC Encap (4) Length: 152 Value:
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1168]: Encap: ipsec-tunnel, SPI: 262, Integrity: ip-udp-esp esp(0x98), Encrypt: aes256 (0xc)
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1186]: Security(25): Length: 162 
May 5 04:42:35 vsmart OMPD[2163]: omp_debug_pkt_update[1196]: Inbound SA Index: 0, SPI: 262, Anti-replay: True

Still, in OMP TLOC table it is "not set" on receiving (Site2) router:

Site2_BR1#sh sdwan omp tlocs 
---------------------------------------------------
tloc entries for 1.1.1.101
biz-internet
ipsec
---------------------------------------------------
RECEIVED FROM: 
tenant-id 0
peer 1.1.1.2
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 262
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 100.100.100.101
public-port 12346
private-ip 100.100.100.101
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1
overlay-id not set
preference 0
region-id None
mrf-route-originator not set
affinity-group None
tag not set
stale not set
weight 1
version 3
gen-id 0x80000001
carrier default
restrict 0
on-demand 0
groups [ 1000 ]
bandwidth 0
bandwidth-dmin 0
bandwidth-down 0
bandwidth-dmax 0
adapt-qos-period 0
adapt-qos-up 0
qos-group default-group
border not set
extended-ipsec-anti-replay not set
ipv6-strict-control 0
gre-in-udp not set
unknown-attr-len not set

We can conclude that it is ignored and not considered (not set) in OMP best-path, in device or peer (OMP/ BFD) validity.

P.S My immediate guess was that parameter is used in Multitenancy environment, however I didn't find an info in documents. I'll check also ciscolive sessions and write here if I find something relevant

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.