12-15-2020 12:38 PM
Looking for opinions and suggestions here.
Sites have either one vEdge with broadband and MPLS or two vEdges; one with broadband and the other with MPLS, and those devices are connected by TLOC extension. I currently have an SLA used for VoIP traffic, and it is applied to all sites. I now want to steer Oracle traffic over a particular transport (MPLS), but if MPLS fails then let that traffic go over any available transport. I believe I can have only one AAR applied to a site and I need the VoIP SLA, so if I understand correctly I cannot use another AAR to steer the Oracle traffic.
Should I use a data policy for this, or a control policy? Or am I missing some other, simpler way of doing this? My apologies up front if this is a far more complicated question than I think. Feel free to say so and move on from this one.
A quick data policy looks like this:
policy
 data-policy Oracle_MPLS
  vpn-list Corp-VPN
   sequence 10
    match
     destination-data-prefix-list Oracle_resources
    !
    action accept
     set
      local-tloc color private1 encap ipsec
     !
    !
   !
   default-action accept
  !
 !
This would seem to work as follows: From the "Corp-VPN" (Service VPN) match on the destination prefixes in the list "Oracle_prefixes" and then set the local tloc to "private1". This policy would seem to work until "private1" (MPLS) fails, and then would the traffic get black-holed?
*********************************
*********************************
A quick control policy looks like this:
policy
 control-policy Oracle_MPLS
  sequence 10
   match route
    prefix-list Oracle_resources
    color private1
   !
   action accept
    set
     preference 200
    !
   !
  !
  default-action accept
 !
Assuming that the preference is being set on the OMP route, this would seem to work as follows: Match the routes in the Oracle_resources list AND match the tloc "private1" and then set the preference to 200. This would seem to be dynamic because if "private1" (MPLS) were down the "match color" part of the policy would fail, right?
*********************************
*********************************
12-15-2020 01:40 PM
Hello,
Why don't you just add to your AAR policy? You can have more than one SLA.
policy
 sla-class ORACLE <-----Oracle traffic will be sent over MPLS as long as it meets these characteristics
  loss 2
  latency 200
  jitter 20
 !
 sla-class VOICE <-----Voice traffic will be sent over MPLS as long as it meets these characteristics
  loss 1
  latency 100
  jitter 10
 !
 app-route-policy EXAMPLE_AAR_POLICY
  vpn-list ALL_VPNS
   sequence 1
    match
     dscp 46 <----Match EF traffic
    !
    action
     sla-class VOICE preferred-color mpls <----Send it over MPLS as long as SLA is met
    !
   !
   sequence 11
    match
     source-data-prefix-list ORACLE_IPS <---Match Oracle traffic
    !
    action
     sla-class ORACLE preferred-color mpls <---Send it over MPLS as long as SLA is met
    !
   !
  !
 !
 lists
  vpn-list ALL_VPNS
   vpn 1-500
  !
  data-prefix-list ORACLE_IPS
   ip-prefix 10.1.1.0/24
  !
 !
!
Let me know if that makes sense. Thanks!
12-17-2020 07:14 AM
Bradley;
That makes complete sense. I hadn't put together that I could use different SLAs in the same AAR policy...dang....now it looks easy!!
For the record...the control policy and data policy I put in the original question....would either of those work as I described? I'm thinking about putting backup traffic onto a certain transport and thought the data-policy would work for that but not sure if the control policy is a better idea. (Instead of "Oracle_resources" the list would be "Backup_resources").
Thank you very much for the (quick) reply.... I learn something new every day.
12-18-2020 05:11 AM
Hello maxnpj,
I believe either of those would work. However, you will lose your link monitoring ability if you use data-policy. Meaning, as long as BFD is up, you will send traffic over that link even if there is 20% on the link. AAR is recommended because it will essentially treat a bad link and a down link the same.
Hope that helps!
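An added illustration, written for this thread in Python rather than taken from Cisco or from Bradley's posts, of the two behaviours discussed above: the AAR policy with its VOICE and ORACLE SLA classes (sequence 1 on DSCP 46, sequence 11 on the ORACLE_IPS prefix list, both preferring the mpls colour), versus a data policy that pins traffic to a local TLOC and therefore only reacts to BFD going down. The tunnel measurements, the colour name `biz-internet` for the broadband side, the "first BFD-up tunnel" fallback when no path meets the SLA, and the data-policy fallback to another tunnel when the pinned colour's BFD session is down are constructed assumptions for the model, not values from the thread.

```python
"""Model of AAR SLA-based path choice versus data-policy local-tloc pinning.

Constructed illustration: SLA thresholds and sequence matches mirror the
AAR policy posted in this thread; tunnel measurements are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss: float   # maximum packet loss, percent
    latency: int  # maximum latency, ms
    jitter: int   # maximum jitter, ms


@dataclass(frozen=True)
class Tunnel:
    color: str    # TLOC colour
    bfd_up: bool  # BFD session state to the remote TLOC
    loss: float   # measured loss, percent
    latency: int  # measured latency, ms
    jitter: int   # measured jitter, ms


# sla-class ORACLE / sla-class VOICE from the posted policy
SLA = {
    "VOICE": SlaClass("VOICE", loss=1, latency=100, jitter=10),
    "ORACLE": SlaClass("ORACLE", loss=2, latency=200, jitter=20),
}
# data-prefix-list ORACLE_IPS from the posted policy
ORACLE_IPS = [ipaddress.ip_network("10.1.1.0/24")]


def classify(dscp: int, src_ip: str) -> Optional[Tuple[SlaClass, str]]:
    """Walk the AAR sequences in order; first match wins, like sequence 1 / 11.
    Returns (sla-class, preferred-color) or None when no sequence matches."""
    if dscp == 46:                       # sequence 1: match dscp 46
        return SLA["VOICE"], "mpls"
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in ORACLE_IPS):   # sequence 11: source-data-prefix-list
        return SLA["ORACLE"], "mpls"
    return None


def meets_sla(t: Tunnel, sla: SlaClass) -> bool:
    """A tunnel is usable for an SLA class only if BFD is up AND all thresholds hold."""
    return (t.bfd_up and t.loss <= sla.loss
            and t.latency <= sla.latency and t.jitter <= sla.jitter)


def aar_select(tunnels: List[Tunnel], sla: SlaClass, preferred: str) -> Optional[str]:
    """AAR: preferred colour if it meets the SLA, otherwise any compliant colour.
    A degraded link and a down link are treated the same (both non-compliant).
    Assumption: with no compliant path, fall back to the first BFD-up tunnel."""
    compliant = [t.color for t in tunnels if meets_sla(t, sla)]
    if preferred in compliant:
        return preferred
    if compliant:
        return compliant[0]
    up = [t.color for t in tunnels if t.bfd_up]
    return up[0] if up else None


def local_tloc_select(tunnels: List[Tunnel], color: str) -> Optional[str]:
    """Data policy 'set local-tloc color X': quality is ignored; the pinned colour
    is used as long as its BFD session is up. Assumption: when it is down the
    flow falls back to any BFD-up tunnel instead of being dropped."""
    pinned = next((t for t in tunnels if t.color == color), None)
    if pinned is not None and pinned.bfd_up:
        return color
    up = [t.color for t in tunnels if t.bfd_up]
    return up[0] if up else None


def route(dscp: int, src_ip: str, tunnels: List[Tunnel]) -> Tuple[Optional[str], Optional[str]]:
    """Return (AAR choice, data-policy choice) for one flow so the two can be compared."""
    hit = classify(dscp, src_ip)
    if hit is None:
        return None, None
    sla, preferred = hit
    return aar_select(tunnels, sla, preferred), local_tloc_select(tunnels, preferred)


# Constructed tunnel states (not measurements from any real site)
HEALTHY = [Tunnel("mpls", True, 0.0, 40, 3), Tunnel("biz-internet", True, 0.5, 80, 8)]
DEGRADED_MPLS = [Tunnel("mpls", True, 20.0, 50, 5), Tunnel("biz-internet", True, 0.5, 80, 8)]
MPLS_DOWN = [Tunnel("mpls", False, 0.0, 0, 0), Tunnel("biz-internet", True, 0.5, 80, 8)]

if __name__ == "__main__":
    for label, state in (("healthy", HEALTHY), ("mpls 20% loss", DEGRADED_MPLS), ("mpls BFD down", MPLS_DOWN)):
        print(f"{label:>14}: voice  AAR/data-policy = {route(46, '192.0.2.10', state)}")
        print(f"{label:>14}: oracle AAR/data-policy = {route(0, '10.1.1.5', state)}")
```

The "mpls 20% loss" row is the case Bradley describes: AAR moves both classes off mpls because the SLA is violated, while the local-tloc data policy keeps sending over mpls because BFD is still up.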
01-21-2021 07:01 PM
Bradley;
Follow on question (I'm now being greedy with your knowledge); say I have 10 sites; site id 1 through 10. I want sites 1-5 to use the VOICE part and the ORACLE part of the AAR policy but I want sites 6-10 to use only the ORACLE part of the policy. I know I have to apply the AAR policy called "EXAMPLE_AAR_POLICY" to a site list, but how can I ensure that sites 1-5 use both parts of the AAR and sites 6-10 only use the ORACLE part since there's only one AAR policy?
A quick guess is that in the "ORACLE" part of the AAR policy (under sequence 11 in your example) I would have to match on both a destination prefix-list AND a source prefix-list, and the source prefix list would only contain the prefixes of sites 6-10. In this example, I'm guessing that would work but in our (real-world) global environment that doesn't scale well as the source prefix-list would be fairly long. So I'm wondering if there's a better way.
If the answer is too much for a community post feel free to say so.
Thanks
--maxnpj
01-21-2021 07:14 PM
Hello maxnpj,
You are correct. One option would be to apply the policy everywhere and match on source prefix to only match traffic coming from that site.
The other option is to create two site-lists and two AAR policies and only apply the VOICE plus ORACLE policy to those sites.
lists
 site-list VOICE_ORACLE_SITES
  site-id 1-5
 !
 site-list ORACLE_ONLY_SITES
  site-id 6-10
 !
!
app-route-policy VOICE_AND_ORACLE
 #sequences doing both voice and oracle
!
app-route-policy ONLY_ORACLE
 #sequences doing only ORACLE
!
apply-policy
 site-list VOICE_ORACLE_SITES
  app-route-policy VOICE_AND_ORACLE
 !
 site-list ORACLE_ONLY_SITES
  app-route-policy ONLY_ORACLE
 !
!
Obviously my syntax is a little off but hopefully you get the idea. It is a little redundant because both policies will have sequences matching the oracle traffic but it is better than keeping a prefix-list of all your source prefixes.
Hope that helps!
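Since a site can carry only one AAR policy (the premise maxnpj states and Bradley confirms), the two-site-list approach only works if the site-lists never overlap. The following check, an added example in Python and not part of this thread or of any Cisco tooling, expands site-id entries the way a site-list does and reports any site that two apply-policy entries would hand different AAR policies. The site-list and policy names come from Bradley's sketch; the dictionary input shape and the second, deliberately overlapping, set of lists are constructed for the example.

```python
"""Check that apply-policy site-lists give each site exactly one AAR policy.

Constructed illustration for this thread; input is a plain dictionary rather
than parsed vSmart configuration.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple


def expand_sites(entries: Iterable[str]) -> Set[int]:
    """Expand site-id entries such as "1-5" or "42" into a set of site IDs."""
    ids: Set[int] = set()
    for entry in entries:
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", entry)
        if not m:
            raise ValueError(f"bad site-id entry: {entry!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {entry!r}")
        ids.update(range(lo, hi + 1))
    return ids


def check_apply_policy(
    site_lists: Dict[str, List[str]], apply: Dict[str, str]
) -> Tuple[Dict[int, str], Dict[int, List[str]]]:
    """Map each site to the AAR policy it would receive.

    site_lists: site-list name -> its site-id entries
    apply:      site-list name -> app-route-policy name (the apply-policy block)
    Returns (assigned, conflicts). A site appears in conflicts when two
    site-lists would give it different policies; the first assignment is kept.
    """
    assigned: Dict[int, str] = {}
    conflicts: Dict[int, List[str]] = {}
    for list_name, policy in apply.items():
        for site in expand_sites(site_lists[list_name]):
            if site in assigned and assigned[site] != policy:
                conflicts.setdefault(site, [assigned[site]]).append(policy)
            else:
                assigned[site] = policy
    return assigned, conflicts


# Bradley's sketch: disjoint site-lists
SITE_LISTS = {"VOICE_ORACLE_SITES": ["1-5"], "ORACLE_ONLY_SITES": ["6-10"]}
APPLY = {"VOICE_ORACLE_SITES": "VOICE_AND_ORACLE", "ORACLE_ONLY_SITES": "ONLY_ORACLE"}

# Constructed mistake: site 5 is in both lists
OVERLAP_LISTS = {"VOICE_ORACLE_SITES": ["1-5"], "ORACLE_ONLY_SITES": ["5-10"]}

if __name__ == "__main__":
    for lists in (SITE_LISTS, OVERLAP_LISTS):
        assigned, conflicts = check_apply_policy(lists, APPLY)
        print("assigned:", assigned)
        print("conflicts:", conflicts or "none")
```

Run it against the config you are about to push; an empty conflicts dictionary means every site ends up with one AAR policy.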
12-16-2020 07:00 AM
I agree with Bradley