5789 Views, 0 Helpful, 9 Replies

Viptela SDWAN - Diff between Label and VPN ID

muthumohan (Level 1)

Hello, I am a Cisco instructor and trying to understand the Viptela SDWAN Architecture. After going over a lot of documentation/videos, still have some questions. I hope to get some answers here;

 

1. What is the diff between Label and VPN ID? Which of these is carried in control OMP packets and where is the VPN information carried in the data packets?

 

2. When vSmart receives multiple routes, does it only propagate the best route (after running the best path algorithm) to other vEdge/vSmart devices, or does it send all the OMP routes it learned (in the absence of any control policy)?

 

Would appreciate any help.

 

Thanks,

Mohan

2 Accepted Solutions

Hi,

In OMP there are 3 types of routes: OMP route, TLOC route, Service route. OMP and Service routes include a "VPN ID" field, which basically means the VPN/VRF the respective route belongs to. The VPN ID is the VPN/VRF number that we normally use and understand. But in service routes there is a "label" field as well (note: the Cisco SD-WAN exam book and the unicast-overlay routing chapter of the config guides don't include the "label" parameter in the OMP route parameter list; Cisco Live sessions and debug outputs do include it). This is used for the VPN-to-label mapping, so that remote routers can send traffic with the respective label and the local router can understand which VPN the data traffic is destined to. I have done a simple lab with CLI config. Below is output from the router:

Site2-RTR1# sh run vpn 1
vpn 1
service FW
address 10.2.10.254
exit
interface ge0/0.10
ip address 10.2.10.254/24
no shutdown
!
interface ge0/0.11
ip address 10.2.11.254/24
no shutdown
!

Site2-RTR1# sh run vpn 2
vpn 2
interface ge0/0.20
ip address 10.2.20.254/24
no shutdown
!

 

Normally, the router advertises each VPN/VRF as a "service route" too. Let's check the service route OMP table:

Site2-RTR1# sh omp service | begin ADDRESS
ADDRESS                                              PATH
FAMILY   VPN  SERVICE  ORIGINATOR  FROM PEER  ID   LABEL  STATUS
--------------------------------------------------------------------------------
ipv4     1    VPN      1.1.2.1     0.0.0.0    68   1005   C,Red,R
         1    FW       1.1.2.1     0.0.0.0    68   1007   C,Red,R
         2    VPN      1.1.2.1     0.0.0.0    68   1006   C,Red,R

 

As you see, the router has a VPN (basically segmentation) service in VPN 1 with a label of 1005. It has an FW (firewall) service in VPN 1 too (hence 2 services in one VRF), but with a different label, 1007. It also has an additional VPN service in VPN 2 with a label of 1006.

 

All this info (VPN number, label, service type) is advertised in OMP as a SERVICE ROUTE. You can see similar output on vSmart as well, but the originator will be the System IP of the advertising router rather than 0.0.0.0. Below is output from vSmart.

 

ADDRESS                                              PATH
FAMILY   VPN  SERVICE  ORIGINATOR  FROM PEER  ID   LABEL  STATUS
--------------------------------------------------------------------------------
ipv4     1    VPN      1.1.2.1     1.1.2.1    68   1005   C,I,R
         1    FW       1.1.2.1     1.1.2.1    68   1007   C,I,R
         2    VPN      1.1.2.1     1.1.2.1    68   1006   C,I,R

 

By the way, for the OMP routes (user subnets) you will have the same label that matches the respective service VPN label. So, basically, if you have routes in VPN 1, all these routes will have the label of service VPN 1 (1005 in our case). Below is output that shows the local router has 2 locally generated routes (via connected, which is by default redistributed into OMP) for VPN 1, and both routes have a label value of 1005.

 

Site2-RTR1# show omp routes vpn 1 | tab
**snip**
VPN  PREFIX        FROM PEER  ID  LABEL  STATUS   TYPE       TLOC IP  COLOR         ENCAP  PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1    10.2.10.0/24  0.0.0.0    68  1005   C,Red,R  installed  1.1.2.1  biz-internet  ipsec  -
1    10.2.11.0/24  0.0.0.0    68  1005   C,Red,R  installed  1.1.2.1  biz-internet  ipsec  -

 

Now, let's go into data plane details and try to understand how remote nodes send traffic to the proper VPN and service. Assume that a remote router wants to send traffic to the 10.2.10.0/24 subnet within VPN 1. Since this route is advertised with a label of 1005, in the data plane the remote router puts the value 1005 into the respective field. When the local router (Site2-RTR from the lab) receives the traffic, it sees that the label is 1005, so this traffic should be considered part of VPN 1 (because the VPN 1 service has label 1005) and should be routed within VPN 1.

Another example, more interestingly: if policy dictates that the remote router should send traffic to the FW service (in VPN 1) that is advertised by SITE2-RTR, then the remote router should include the label 1007, because the FW service of VPN 1 is advertised with label 1007.

In the data plane, the label is used, not the VPN/VRF ID. The VPN ID is used in control plane communications for OMP and Service routes (along with the label).

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/segmentation/ios-xe-17/segmentation-book-xe/segmentation.html#c_Segmentation__VPN__Overview_12207.xml

 

Regarding Q2: vSmart receives routes and runs the best-path algorithm. By default, only the best routes are advertised to edge routers, and the number of best-path routes depends on configuration (AFAIK, default is 4, maximum is 16). If you configure the send-backup-path command on vSmart, then it will send the first non-best route as well.

 

Kind regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.


Hello Kanan,

 

Thank you very much for your detailed response. Really appreciate it. Your response clarifies a lot.

But one question remains. Why can't we use the VPN-ID to identify the data packets instead of using labels? Say, use label 10 for VPN 10, label 20 for VPN 20 and so on in the data packets. That way, there is only one number to deal with.

 

For service routes, I can see why we need a label different from the VPN-ID to differentiate the traffic that needs to be sent to the service. Is this the only reason why label values are different from the VPN-ID?

 

In MPLS, BGP assigns VPN labels for each prefix within a VRF. Does OMP also assign different labels to different prefixes in the same VPN?

 

Thank you very much.

Regards,

Mohan

9 Replies

gneslim (Level 1)
1. As an example, label allows control policy application within the VPN to have features like topologies.

2. vSmart will perform the algorithm and store the paths in "winning order". They are then propagated based on what is the configured send-path-limit. If there is policy interference, then the leftover routes in winning order will be propagated.

See reference here: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/03Routing/01Unicast_Overlay_Routing_Overview#OMP_Best-Path_Algorithm_and_Loop_Avoidance

tilo.harder (Level 1)

1. The VPN ID is carried within the MPLS Label.

The MPLS Label consists of [Label | EXP | S | TTL].

VPN ID is the Label part of the MPLS Label.


Hi Muthumohan,

 

Yes, exactly... the reason is that you may have different services (VPN service, FW service, IPS service, etc.) in the same VPN. Then the router can't de-multiplex service-A traffic from service-B if the data plane uses the same "ID", like the VPN ID. Hence, a different mechanism should be involved.

 

Regarding label allocation, as mentioned, the same label is used for prefixes from the same service VPN. In the previous comment, there is output that shows 2 routes in VPN 1 with the same label 1005. This label is actually the label of service VPN 1 (show omp services shows that). In short, the answer to the question "Does OMP also assign different labels to different prefixes in the same VPN?" is "no, it does not. It assigns the same label for different prefixes in the same VPN".

 

Regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
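As an added illustration of the point made in the two answers above (this is example code written for this page, not Cisco code and not from any poster in the thread): a small Python model that parses the `show omp service` table quoted earlier, builds the label-to-(VPN, service) map a receiving edge needs, and demultiplexes sample packets by label. It also groups services by VPN ID to show why keying the data plane on the VPN ID alone would be ambiguous for VPN 1, which carries both a VPN service and an FW service. The table rows are a constructed copy of the Site2-RTR1 output; the packet dicts, the regex and all function names are assumptions of this example, not OMP or device APIs.

```python
"""Model of label-based VPN/service demultiplexing on an SD-WAN edge.

Added example for this thread; not Cisco code. The packet representation
and the parser are simplified assumptions built around the quoted CLI table.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Site2-RTR1 'sh omp service' output.
OMP_SERVICE_OUTPUT = """\
ADDRESS                                              PATH
FAMILY   VPN  SERVICE  ORIGINATOR  FROM PEER  ID   LABEL  STATUS
--------------------------------------------------------------------------------
ipv4     1    VPN      1.1.2.1     0.0.0.0    68   1005   C,Red,R
         1    FW       1.1.2.1     0.0.0.0    68   1007   C,Red,R
         2    VPN      1.1.2.1     0.0.0.0    68   1006   C,Red,R
"""


@dataclass(frozen=True)
class ServiceRoute:
    vpn: int
    service: str
    originator: str
    label: int


# One data row: optional address family, VPN, SERVICE, ORIGINATOR, FROM PEER,
# PATH ID, LABEL, STATUS. Header and separator lines do not match.
ROW_RE = re.compile(
    r"^(?:ipv4|ipv6)?\s*(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_omp_service(text):
    """Turn the 'show omp service' table into ServiceRoute records."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vpn, service, originator, _peer, _path_id, label, _status = m.groups()
            routes.append(ServiceRoute(int(vpn), service, originator, int(label)))
    return routes


def services_per_vpn(routes):
    """Group advertised services by VPN ID. Any VPN with more than one entry is
    exactly the case where the VPN ID alone could not tell the services apart."""
    by_vpn = {}
    for r in routes:
        by_vpn.setdefault(r.vpn, set()).add(r.service)
    return by_vpn


def build_label_table(routes):
    """label -> (vpn, service). Each service in a VPN gets its own label, so the
    receiver can demultiplex on the label even when several services share a VPN."""
    table = {}
    for r in routes:
        if r.label in table and table[r.label] != (r.vpn, r.service):
            raise ValueError(f"label {r.label} advertised for two different services")
        table[r.label] = (r.vpn, r.service)
    return table


def demux(label_table, packets):
    """Classify received overlay packets by the label in their header.
    A packet whose label matches no advertised service has no VPN to land in,
    so it is dropped rather than guessed at (worth counting/logging on a device)."""
    delivered, dropped = [], []
    for pkt in packets:
        target = label_table.get(pkt["label"])
        if target is None:
            dropped.append(pkt)
        else:
            vpn, service = target
            delivered.append({"vpn": vpn, "service": service, "dst": pkt["dst"]})
    return delivered, dropped


if __name__ == "__main__":
    routes = parse_omp_service(OMP_SERVICE_OUTPUT)
    table = build_label_table(routes)
    print("services per VPN:", services_per_vpn(routes))
    print("label table:", table)
    # Constructed packets: plain VPN 1 traffic, FW-steered VPN 1 traffic,
    # and one with a label nobody advertised.
    sample = [
        {"label": 1005, "dst": "10.2.10.1"},
        {"label": 1007, "dst": "10.2.10.1"},
        {"label": 4242, "dst": "10.2.20.1"},
    ]
    print(demux(table, sample))
```

The two packets destined to 10.2.10.1 differ only in label, and that is what lets the receiving edge send one straight into VPN 1 and the other to the FW service in VPN 1; a lookup keyed on VPN ID would return the same entry for both.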

Thank you, Kanan. That clarifies. Appreciate your detailed reply.

Warm Regards,

Mohan

Unfortunately, there are no "deep dive" explanations of OMP routing and the data-plane packet format in any of the documents.

Even if you debug the OMP protocol, you will see that there are several packet types (hello, update, query, inform, etc.). There is no info about them.

It would be better if Cisco adds public doc that explains details of OMP. "Routing-lovers" would be happy

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yes, I have a similar opinion about OMP. The lack of clear documentation makes things difficult to understand beyond a certain level.