Latest

Cisco SDWAN : Layer 3 TLOC Extension

Cisco SDWAN : Layer 3 TLOC Extension

A feature called TLOC extension enables a WAN Edge router to communicate with the neighboring WAN Edge router via a TLOC-extension interface through the WAN transport. Without requiring to be directly attached to both service provider clouds, the TLOC-extension capability enables the WAN transports to be extended to both SD-WAN routers.

The capability offers transparent connectivity from one interface (referred to as a TLOC extension interface) to a certain WAN transport and is configured per-interface. 

There are two ways we can configure the TLOC extension in Cisco SDWAN fabric

  • L2 when you connect another SDWAN router on the same site
  • L3 when you connect through the non SDWAN router, needs L3 capabilities and GRE tunnel to extend the TLOC

Let's take an scenario where we have a site-2 with two cEdges (cEdge 01 and cEdge 02) connected to the MPLS and biz-internet circuits respectively. What does that means ?
Well if you see, cEdge 01 is only connected to the internet and cEdge 02 is only connected to MPLS.

Cisco SDWAN : Layer 3 TLOC Extension
Fig 1.1- Cisco SDWAN : Layer 3 TLOC Extension

So now we are going to use the tloc-extension between cEdge 01 and cEdge 02 in order to extend the tunnel for MPLS and internet (biz-internet). As we see on cEdge 02 we have only mpls tunnel on the interface Gi0/0/1 as shown below

Extending "biz-internet" to cEdge 02 router which only has MPLS 


cEdge 02 Router
Interface Gi0/0/1 is connected to MPLS service provider with the IP address and color MPLS restrict.

Note : We are using the CLI mode configuration, we will come up with another article where we will use feature templates.

!
interface GigabitEthernet0/0/1
 description MPLS
 ip address 10.20.10.2 255.255.255.252
 no ip redirects
 ip tcp adjust-mss 1360
 load-interval 30
 negotiation auto
 arp timeout 1200
 service-policy output shape_GigabitEthernet0/0/1
end
!
interface GigabitEthernet0/0/1
  tunnel-interface
   encapsulation ipsec 
   no border
   color mpls restrict
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
   no allow-service snmp
   no allow-service bfd
  exit
!
Now Let's configure Gi0/0/2 for the "tloc-extension" to extend the internet on cEdge 02 through cEdge 01 to the internet. We are using the color "biz-internet" for internet.

Step 1: Identify the color and the interface you are extending to and connect physical link between them on the interface Gi0/0/2 on both sides.

Step 2: Now you should have reachability between cEdge01 and cEdge 02. For that you need to add the configurations on the interface 
Gi0/0/2 on both sides.

Let's start with cEdge 01

NDNA-cEdge01# Config-transaction
NDNA-cEdge01(config)# vpn 0 
NDNA-cEdge01(config-vpn-0)# interface GigabitEthernet0/0/2
NDNA-cEdge01(config-interface-gi0/0/2)# ip address 10.10.10.15 255.255.255.0
NDNA-cEdge01(config-interface-gi0/0/2)# no shut
NDNA-cEdge01(config-interface-gi0/0/2)# exit
NDNA-cEdge01(config-vpn-0)#commit 
NDNA-cEdge01#
Now with cEdge 02

NDNA-cEdge02# Config-transaction
NDNA-cEdge02(config)# vpn 0 
NDNA-cEdge02(config-vpn-0)# interface GigabitEthernet0/0/2
NDNA-cEdge02(config-interface-gi0/0/2)# ip address 10.10.10.16 255.255.255.0
NDNA-cEdge02(config-interface-gi0/0/2)# no shut
NDNA-cEdge02(config-interface-gi0/0/2)# exit
NDNA-cEdge02(config-vpn-0)#commit 
NDNA-cEdge01#
Step 3: Extend the biz-internet from cEdge 02 to cEdge 01, If you see below the interface Gi0/0/2 which is connected to the cEdge 02 will be now using "tloc-extension" towards the internet service provider interface Gi0/0/0

NDNA-cEdge01# Config-transaction
NDNA-cEdge01(config)# vpn 0 
NDNA-cEdge01(config-vpn-0)# interface GigabitEthernet0/0/2
NDNA-cEdge01(config-interface-gi0/0/2)# tloc-extension GigabitEthernet0/0/0
NDNA-cEdge01(config-interface-gi0/0/2)# exit
NDNA-cEdge01(config-vpn-0)#commit 
NDNA-cEdge01#
Its not end,  we need to create an tunnel interface on the cEdge 02 in order to make a BFD tunnel starting from cEdge 02 directly extended to internet over the cEdge and biz internet circuit from cEdge 01. We also need to add the static route on cEdge 02 pointed to the cEdge interface Gi0/0/2

NDNA-cEdge02# Config-transaction
NDNA-cEdge02(config)# vpn 0 
NDNA-cEdge02(config-vpn-0)# interface GigabitEthernet0/0/2
NDNA-cEdge02(config-interface-gi0/0/2)# tunnel-interface
NDNA-cEdge02(config-tunnel-interface)# allow service all
NDNA-cEdge02(config-tunnel-interface)# color biz-internet
NDNA-cEdge02(config-tunnel-interface)# encapsulation ipsec
NDNA-cEdge02(config-tunnel-interface)# exit
NDNA-cEdge02(config-vpn-0)# ip route 0.0.0.0/0 10.10.10.15
NDNA-cEdge02(config-vpn-0)#commit 
NDNA-cEdge02#
So still you will have the issue, Why ? your internet service provider don't know where this 10.10.10.16 exist which we put that on the interface Gi0/0/2 on cEdge 02 router. How to overcome that ?

In the case of directly connected interface or static routing, you need to tell your service provider to put a static route on their router pointing towards your cEdge 01 router as below. We are assuming that internet service provider router name is "INET" 

INET # conf t
INET(config)# ip route 10.10.10.16 255.255.255.255 10.40.10.2
With the above static route on the Internet service provider router (INET) pointing towards your cEdge 01 router interface Gi0/0/0 will help to send back the traffic over the cEdge 01 and eventually to cEdge 02. 

In scenario-2, we are going to extend the "MPLS" to cEdge 01 router which only has biz-internet.

Continue Reading...
Cisco SDWAN