Re: Cisco SD-WAN traffic flow

Newbie..9109 · ‎10-11-2024

Hi,

Based on picture above, assuming that's cisco SD-WAN in DC. How cisco SD-WAN in DC serve the traffic from sd-wan branch? Will both device in DC be active-active? or only one will serve the traffic from branch?

If the answer is active-active, how to ensure symmetric traffic? I mean traffic from branch towards WAN edge A DC, the return traffic will also come towards WAN Edge A DC, not WAN Edge B DC.

MHM Cisco World · ‎10-11-2024

It can work as active/passive or active/active

This depends if you use preference or not with OMP route / TLOC

If you dont use preference then you will get load balance.

MHM

Newbie..9109 · ‎10-11-2024

If active active, how sd wan DC advertise branch prefix to campus LAN? Will both sdwan router advertise the same branch prefix (potentially asymmetric)? Or both sdwan router will advertise different branch prefix (symmetric)?

MHM Cisco World · ‎10-12-2024

Case of using VRRP and use active/passive (symmetric)
LAB 1 - Service side redundancy using VRRP | NetworkAcademy.io

VRRP master vEdge send TLOC with preference this make traffic symmetric Inbound/Outbound via same vEdge

MHM

MHM Cisco World · ‎10-12-2024

Case of load balance to both hub's (asymmetric can happened here)

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/216012-why-traffic-is-not-load-balanced-over-ec.html

So again it depends on your config' but as rule when you use FW in edge try use symmetric when you dont have FW abd both path have same delay/jitter try use load balance (asymmetric)

MHM

balaji.bandi · ‎10-11-2024

Its all depends on how you configure - what route you like to use (here we call colors in sd-wan terminology)

check below some examples provide you that information.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Kanan Huseynli · ‎10-12-2024

Hi,

this totally depends on how did you configure overlay network (OMP) and LAN network in DC side.

If you use VRRP based approach (active/standby) on DC LAN then traffic will leave active VRRP (master) router. The return traffic can be any type (primarily A or primarily B or ECMP) depending on OMP result of the remote branch. Here, tloc-change-pref can be used where TLOC preference is increased automatically on master router.

If you use routing protocol on DC LAN and select primary router via routing protocol techniques (e.g cost/metric or any respective in BGP), then you need to configure centralized control design to select primary router's prefixises best path based on metric or protocol attribute (which is translated to another OMP value).

If you use ECMP on DC LAN, you can use ECMP on overlay as well. Here important point is, on DC LAN you use either central device (HA-based core switch) which is then connected to DC Firewall or your DC Firewall understands asymmetric traffic. On the overlay you need to ensure traffic ingress and egress transport network (regardless of router) is the same or they have the same level SLA to avoid application impact (or you simple use AAR).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Newbie..9109 · ‎10-12-2024

Is it common (best practice) for having active active sd wan router (using ECMP on DC LAN)? This could lead to asymmetric traffic. Or it is better if i use active/passive (VRRP)? this ensure symmetric traffic.

Please advise

Kanan Huseynli · ‎10-13-2024

If you use pure routing then you can use active/active on DC side. Just behind routers you may need "centralized" device like HA-Core to pass traffic and then easily send to FW/NGFW to avoid asymmetric flow with respect to security device.

In general, service insertion (like firewall insertion) is not easy when you have active/active router and any type of HA based security system.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.