Re: Tloc extension function

Anwar Safian · ‎04-13-2019

Hi experts

I am just wondering why vEdge router need to access the opposite transport through a TLOC-extension interface on the neighboring vEdge router?
Why do we need Tloc extension actually?

ekhabaro · ‎04-16-2019

Short answer is for redundancy since you may want to have not only uplink redundancy, but box redundancy as well and second box should be able to utilise uplink connected to the first box (in most simple case in case of failure of it's own uplink, on more complicated case you may prefer certain link for some traffic for whatever reason)

Anwar Safian · ‎04-16-2019

Hi Ekhabaro

Thanks for your reply.
But I am still not clear for this.

For traditional router, by using FHRP and IP Sla, R1 can switch to R2 if R1(uplink or downlink) fail, though there are no cable connected between them.

My question is

1) Why traditional router doesn't need TLOC extension?
2) Why second box need to utilise uplink connected to the first box? For what purpose?

3) What will happen to SD Wan if we dont use TLOC extension?

ekhabaro · ‎04-17-2019

> For traditional router, by using FHRP and IP Sla, R1 can switch to R2 if R1(uplink or downlink) fail, though there are no cable connected between them

For TLOC extension you can use indirect connection via switch as well. There is no such requirement as direct cable connection for TLOC-extension.

> 1) Why traditional router doesn't need TLOC extension?

Because there is no TLOC concept in traditional world :)

> 2) Why second box need to utilise uplink connected to the first box? For what purpose?

It depends on your business requirements. e.g. you may prefer only voice traffic via mpls link connected to second router, but most of traffic you want to steer via internet uplink connected to first router that is master for VRRP group.

> 3) What will happen to SD Wan if we dont use TLOC extension?

You will lose benefits of SD-WAN like ability to reroute traffic based on SLA requirements (AAR) and so on.

EAStevenson · ‎12-01-2019

Shame that the answers are not more detailed. Still not fully clear.

David Aicher · ‎12-05-2019

ok so there are a few things here.

in a traditional design with FHRP you would have an active/standby setup. in this case if your transport is connected directly to the FHRP routers this means your transport is only being utilized on one device. you can do manual load balance by setting priorities for different HSRP groups. alternatively you can use an aggregator that would terminate multiple transports and connect the fhrp routers this leads to a single point of failure but allows the use of both transports. the third method would be to have a connection to both transports connected to each FHP router. this may incur extra costs for a third IP address .

with sdwan you can use the same methods as above but aggregator is not recommended due to the single point of failure and lack of ability to split traffic dynamically such as AAR. tloc-extension allows the addition of the peers transport to avoid the extra cost of additional ip and allows the use of dynamic load balance across multiple transports.

so to answer your questions

1) Why traditional router doesn't need TLOC extension?

- this requires a different design using routing to allow utilization of multiple transports. Iwan used some trickery with GRE tunnels between dual hub or or dual branch routers to achieve a similar effect for example. allowing the use of multiple transports

2) Why second box need to utilise uplink connected to the first box? For what purpose?

- to allow the use and load balance traffic across multiple transports instead of having an idle or "backup" link that you are paying for but not using. Also as mentioned it avoids the issues with aggregator and with paying for extra ip addresses from your ISP.

3) What will happen to SD Wan if we dont use TLOC extension?

- not using tloc-extension would prevent the benefits mentioned above including idle link, aggregator issues or paying for extra ip addresses. it will not allow the full use of the benefits of sdwan which include load balance and AAR to start. You may also have a private transport (IE MPLS) which may not be able to directly reach the controllers or may have restrictions for internet access which would change your design. For example DIA may not be viable on a private circuit. A single transport connected to the vedge/cedge would not really be a good use of sdwan and misses the concept of load balance or application aware routing taking the "best" path

hopefully this makes sense.

masahmed · ‎04-12-2020

Please take a look at the use case of TLOC, it should be really clear by taking a look at the attached picture it shows TLOC extension vs legacy way of providing redundancy, for configuration please take a look at the following configuration

https://www.networkingwithehsan.com/tloc-extension-or-transport-redundancy

For selecting different types of network for TLOC extension please take a look at this Cisco community post i.e. Option1 vs Option2 vs Option 3
https://community.cisco.com/t5/sd-wan/tloc-extension-design/td-p/3908618

I always suggest going with a direct physical link between SDWAN edges, in order to avoid adding additional point of failures

Anton Kistruga · ‎08-03-2021

Not clear answers at all...

Well the reason is that interface in VPN0 waits for encrypted traffic or split-tunneled traffic. And just to say to the device that there can be IPSec traffic that is not addressed to this device and it can pass through it we can add something like "permission" that on this interface traffic of other SD-WAN device can pass, and this permission is actually TLOC-extension that you can configure on interface. This configuration just says "Ok, IPSec traffic which will pass this interface belongs to other SD-WAN device and there is no need to verify various policies for IPSec encapsulation. Just pass it as is."

That my guess, may be I'm wrong...