Why is match TLOC required in vSmart Policy?

bmcgahan
Level 1

I have a basic Centralized Policy (listed below) attached to vSmart - it matches & accepts Routes & TLOCs from Site 1, and then rejects everything else out to all other Sites (2-999).

Everything is working as expected, with Spokes only seeing DC routes. My question is why is sequence 11 needed to match Site 1 TLOCs? If I remove sequence 11, and match only the Site 1 routes, vSmart drops them in the outbound advertisement to the other sites. Only if the Routes and TLOCs are matched will the advertisements be sent.

Does anyone know why - or have a documentation link with more details as to why - you need to match the TLOCs separately from the Routes?

I would have assumed that the TLOC is a function of the Route, and that matching the Route would implicitly match its TLOC, but that is not the case.

TIA!

policy
 lists
  site-list DC
   site-id 1
  !
  site-list SPOKES
   site-id 2-999
  !
  prefix-list _AnyIpv4PrefixList
   ip-prefix 0.0.0.0/0 le 32
  !
 !
 control-policy filter-spoke-to-spoke
  sequence 1
   match route
    prefix-list _AnyIpv4PrefixList
    site-list   DC
   !
   action accept
   !
  !
  sequence 11
   match tloc
    site-list DC
   !
   action accept
   !
  !
  default-action reject
 !
!
apply-policy
 site-list SPOKES
  control-policy filter-spoke-to-spoke out
 !
!


6 Replies

You use hub and spoke,
and you make all traffic pass to the hub, and there is no traffic spoke to spoke.

MHM

Hi,

OMP routes (vRoutes) and TLOC routes as routing information are separate.

With your policy, you have default reject action.

If you don't allow TLOC routes then there will not be any BFD, and OMP routes with that (those) TLOC(s) will not be installed since the next hop (TLOC) is unreachable (no BFD due to the missing TLOC route).

Due to the default action drop (reject), you need to advertise the TLOC routes explicitly.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Correct. I understand that is the behavior, that if you do not match the TLOC & the Route, then the routes will not be advertised. My question is why is that the behavior?

Does anyone have a documentation link that explains why TLOCs must be matched separately in the policy logic?

I will assume your BGP background is perfect.

In any route-map there is AND and OR between matches.

You can specify

Match 1

Match 2

Since each match is on a different line, there is AND between the matches.

That means if a prefix matches match 1, it must also match match 2 for the set to take effect.

But

These two matches joined by AND have one important rule: both must check the same prefix (which is sent via one update), not prefix 1 for match 1 and prefix 2 for match 2.

And here come OMP and TLOC.

We cannot use both match OMP AND TLOC since both are sent in different updates.

That is why the route-map of the policy separates the match into two different sequences.

Hope this is clear to you.

Good luck

MHM


@MHM Cisco World wrote:

We can not use both match OMP AND TLOC since both send in different update.

This might be the answer I'm looking for. Do you know any documentation links that talk about this in more detail?

The reason is policy structure. You have separate blocks for "TLOC match", "Route match" and the default action. There is no separate default action for each of the TLOC/Route blocks; you have only one default action for routes (vRoute or TLOC route).

Default Action

If a selected route or TLOC does not match any of the match conditions in a centralized control policy, a default action is applied to it.
By default, the route or TLOC is rejected.

Search default action from below link:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/centralized-policy.html#Cisco_Concept.dita_d31f22cb-f54f-41df-966a-0ae1ca3c398a


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
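To make the point of the thread concrete, here is an added example (not from the original posts and not Cisco's implementation): a small Python model in which OMP routes and TLOCs are two separate advertisement types, each evaluated on its own against the control-policy sequences and each falling through to the single default-action. The route prefixes, TLOC names and site IDs are constructed sample data; with sequence 11 removed, the DC TLOC hits the default reject, so the spoke receives no usable DC route even though the route sequence accepted it.

```python
from dataclasses import dataclass

# Constructed model of an outbound vSmart control policy. Assumption (not
# Cisco code): routes and TLOCs are matched independently, and whatever is
# not matched by any sequence gets the one default-action.

@dataclass
class Sequence:
    match_type: str      # "route" (match route) or "tloc" (match tloc)
    site_ids: set        # site-list the sequence matches on
    action: str = "accept"

@dataclass
class ControlPolicy:
    sequences: list
    default_action: str = "reject"

    def evaluate(self, adv_type: str, site_id: int) -> str:
        """Action for one advertisement (a route or a TLOC) from site_id."""
        for seq in self.sequences:
            if seq.match_type == adv_type and site_id in seq.site_ids:
                return seq.action
        return self.default_action   # neither block matched: default applies

def advertised_routes(policy: ControlPolicy, routes: dict, tlocs: dict) -> list:
    """Routes a spoke can actually install: the route must be accepted AND the
    TLOC it points at must also be accepted, otherwise no BFD session forms and
    the route's next hop (its TLOC) is unreachable."""
    accepted_tlocs = {name for name, site in tlocs.items()
                      if policy.evaluate("tloc", site) == "accept"}
    usable = []
    for prefix, (site, tloc) in routes.items():
        if policy.evaluate("route", site) == "accept" and tloc in accepted_tlocs:
            usable.append(prefix)
    return sorted(usable)

DC = {1}   # site-list DC from the thread's policy

# Constructed sample advertisements: DC (site 1) and one spoke (site 2).
TLOCS = {"dc-tloc": 1, "spoke2-tloc": 2}                  # tloc name -> site-id
ROUTES = {"10.1.0.0/24": (1, "dc-tloc"),                  # prefix -> (site, tloc)
          "10.2.0.0/24": (2, "spoke2-tloc")}

# The thread's policy: sequence 1 (match route) plus sequence 11 (match tloc).
WITH_SEQ11 = ControlPolicy([Sequence("route", DC), Sequence("tloc", DC)])
# The same policy with sequence 11 removed, as the original poster tried.
WITHOUT_SEQ11 = ControlPolicy([Sequence("route", DC)])
```

Calling `advertised_routes(WITH_SEQ11, ROUTES, TLOCS)` yields the DC prefix only, while the policy without sequence 11 yields nothing: the DC TLOC falls to the default reject and the accepted route has no reachable next hop.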