SD-WAN Centralized policy force the source path

StingShadow
Level 1

Hello,

I am trying to find out, via the topology of a centralized policy, how to force the source of the traffic and not the destination. I have two VPNs, 10 and 20, and I would like VPN 10 to go out on my spoke via the interface in private 1 color as a priority and VPN 20 as a priority on private 2. How can I achieve this? GUI solution in vManage, not CLI. vManage version 20.12.3.1. Thanks in advance.

7 Replies

StingShadow
Level 1

Thank you, but it is not helpful here: "You can create ePBR policies using CLI add-on templates in Cisco SD-WAN Manager."

And: "It supports matching prefixes, applications, Differentiated Services Code Point (DSCP), Security Group Tags (SGT), and so on. With ePBR, based on match conditions, you can configure a single or multiple next hops for traffic forwarding. You also have the option to configure Internet Protocol Service Level Agreement (IP SLA) tracking. If a configured next hop is unavailable, traffic is routed to the next available hop through dynamic probing enabled by the IP SLA tracker."

It doesn't help me or solve this issue. I want a source preference per Service VPN.

Thanks

Any routing protocol checks only the destination; only PBR or AAR (as @Kanan Huseynli mentioned) use the source.

MHM

Hi,

In centralized data policy you can achieve this. Centralized data policy can be applied per VPN per direction (from service vs. from tunnel; in your case it is from service). Inside the policy you match the source data prefix and set local-TLOC to the respective color.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

StingShadow
Level 1

Thank you, but it does not resolve it. I don't want to play with subnets being part of my different VRFs and use AAR or data traffic. I want that in the topology I can say this VRF/VPN goes out by this TLOC on my spokes. How can you do that with an inside or outside topology policy?

Thank you

You can't force the exit interface (i.e. transport, i.e. local TLOC) without data policy. Routing can select the remote TLOC, not the local TLOC.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

StingShadow
Level 1

Yes, in the topology this is not possible. I used the AAR policy in the traffic policy in a centralized policy. There, you can match a subnet (including your entire VRF) and an application or specific DSCP; then in the action you specify a preferred color (corresponding to an outgoing interface) and a backup color if the SLA is broken. Thank you for your comments and research.
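The two approaches described in this thread, Kanan's centralized data policy that pins the local TLOC by source prefix and the AAR policy with preferred and backup colors that StingShadow settled on, rendered as the vSmart policy configuration that vManage generates from the GUI (what you see under the policy's Preview). This is an added example, not configuration posted in the thread: the list names, the prefixes 10.10.0.0/16 and 10.20.0.0/16, the site-ID range and the SLA thresholds are constructed placeholders, and the line layout is from memory of the vSmart syntax, so compare it with the Preview on your own 20.12 vManage before relying on it.

```text
policy
 lists
  vpn-list VPN10
   vpn 10
  !
  vpn-list VPN20
   vpn 20
  !
  data-prefix-list VPN10-ALL
   ip-prefix 10.10.0.0/16
  !
  data-prefix-list VPN20-ALL
   ip-prefix 10.20.0.0/16
  !
  site-list SPOKES
   site-id 100-199
  !
 !
 sla-class BUSINESS
  loss    1
  latency 150
  jitter  30
 !
 data-policy PIN-LOCAL-TLOC
  vpn-list VPN10
   sequence 10
    match
     source-data-prefix-list VPN10-ALL
    !
    action accept
     set
      local-tloc-list
       color private1
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
  vpn-list VPN20
   sequence 10
    match
     source-data-prefix-list VPN20-ALL
    !
    action accept
     set
      local-tloc-list
       color private2
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
 app-route-policy AAR-PER-VPN
  vpn-list VPN10
   sequence 10
    match
     source-data-prefix-list VPN10-ALL
    !
    action
     sla-class BUSINESS preferred-color private1
     backup-sla-preferred-color private2
    !
   !
  !
  vpn-list VPN20
   sequence 10
    match
     source-data-prefix-list VPN20-ALL
    !
    action
     sla-class BUSINESS preferred-color private2
     backup-sla-preferred-color private1
    !
   !
  !
 !
!
apply-policy
 site-list SPOKES
  data-policy PIN-LOCAL-TLOC from-service
  app-route-policy AAR-PER-VPN
 !
!
```

Both policies are shown in one apply-policy block only so the two answers can be read side by side; in practice you would apply one or the other, because once the data policy has pinned the local TLOC the AAR preferred color has nothing left to decide for that traffic. The data policy is applied from-service because the match key is the LAN-side source prefix, which is exactly what the OP wanted and what destination-based topology policy cannot express. Two things to check when you build it: the data-prefix-lists must cover what is actually routed in each VPN, since anything that misses the match silently takes the default path; and the local-tloc-list action as written lets traffic fall back to any other TLOC when private1 is down, whereas adding the restrict option to that action drops it instead, which matters if the point of the steering is to keep one VPN off a given transport rather than merely to prefer one.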
