Sdwan
Figures
Figure 1. Overview of how the Cisco SDWAN control plane works (page 2)
Figure 2. Cisco SDWAN policy types (page 3)
Figure 3. Inbound and outbound centralized control policies (page 4)
Figure 4. Centralized control policy use case (page 5)
Figure 5. Centralized control policy applied to a list of sites (page 6)
Figure 6. Mismatched site-id between cEdge and policy (page 7)
Figure 7. Mismatched system-ip (page 8)
1|Page www.itbase.tv
How the Control Plane Works
vSmart controllers receive OMP updates from vEdges and redistribute them to the other vEdges.
Figure 1 shows the vEdge at site-20 sending an OMP update to vSmart, which then distributes it
to site-10 and site-30.
An OMP update carries OMP routes, TLOC routes and service routes, together with information
such as encryption keys.
Cisco SDWAN uses the vManage NMS to manage policies and their histories.
There are two main types of policy in Cisco SDWAN (Figure 2):
▪ Localized Policy
▪ Centralized Policy
  ▪ Control Policy
  ▪ Data Policy
The Centralized Control Policy manipulates the TLOC and route information exchanged between
cEdges and vSmarts. It decides how the IPsec tunnel topology is established in the SDWAN fabric
and also controls the routing paths.
Centralized Policy
▪ Control Policy
  ▪ Topology
  ▪ VPN Membership
A Topology policy controls which OMP routes, TLOC routes and service routes are redistributed
to a list of sites. It is usually used to control the tunnel topology in the SDWAN fabric.
A VPN Membership policy controls which VPNs' route tables are distributed to which vEdges. By
default, without a VPN Membership policy, vSmart distributes all routes from all VPNs to all
vEdges in the fabric.
The centralized control policy is directional: it has an inbound and an outbound direction
(Figure 3). OMP updates pass through the inbound policy before they arrive at vSmart and
through the outbound policy before vSmart distributes them to the cEdges.
The network admin can apply an inbound and/or an outbound policy to a list of sites.
Common Failure Scenarios
Mismatched Basic Information between cEdge and Centralized Policy
Overview
By default, with no policy restricting them, cEdges establish full-mesh tunnels to each other.
Figure 4 shows a Centralized Control Policy applied on vSmart to prevent cEdge#1 from
establishing an IPsec tunnel to cEdge#4, for some business or design reason.
Furthermore, the network admin can apply Centralized Control Policies to a list of sites, as
shown in Figure 5 below.
Figure 5. Centralized Control Policy is applied to list of sites
The result of applying the policy to the site list (sites 30 and 40) is shown in Figure 5:
cEdge#1 is prevented from establishing tunnels to cEdge#3 (site-30) and cEdge#4 (site-40).
1. Mismatched site-id
Problem
One common scenario is a site-id mismatch between the cEdges and the Centralized Control
Policy.
Figure 6. Mismatched site-id between cEdge and policy
Figure 5 above is the required design; in Figure 6, cEdge#3 has accidentally been configured
with an incorrect site-id (300 instead of 30), so the policy applied to site 30 no longer
matches it.
2. Mismatched system-ip
Problem
Figure 5 above is the required design; in Figure 7 below, the new policy has accidentally been
configured with an incorrect TLOC system-ip.
As a result, the overlay topology (tunnels) is established unexpectedly, as shown in Figure 7.
Troubleshooting tips
cEdge3,4# show sdwan running-config
Run this on cEdge#3 and cEdge#4 to confirm the current configuration (in particular the
system-ip and site-id) and compare it with the lists referenced by the centralized policy.
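The following is an added example, not part of this document: a small Python check that extracts system-ip and site-id from each cEdge's running-config and compares them with the policy's site-list and tloc-list, flagging both mismatch scenarios above (wrong site-id on the cEdge, wrong TLOC system-ip in the policy). The config excerpts, system-ips and list contents are constructed for illustration.

```python
import re

# Constructed excerpts of "show sdwan running-config" output (not from the
# document); only the "system" block lines needed for the check are included.
EDGE_CONFIGS = {
    "cEdge#3": "system\n system-ip 10.0.0.3\n site-id 300\n!",  # should be 30
    "cEdge#4": "system\n system-ip 10.0.0.4\n site-id 40\n!",
}

# Constructed centralized control policy lists as entered on vSmart: the
# policy is meant to match sites 30 and 40 and the TLOCs of cEdge#3 and #4.
POLICY = {
    "site-list": {30, 40},
    "tloc-list": {"10.0.0.3", "10.0.0.44"},  # 10.0.0.44 is a typo for 10.0.0.4
}

SYSTEM_IP_RE = re.compile(r"^\s*system-ip\s+(\S+)", re.M)
SITE_ID_RE = re.compile(r"^\s*site-id\s+(\d+)", re.M)


def parse_system_block(config: str) -> dict:
    """Extract system-ip and site-id from a running-config excerpt."""
    ip = SYSTEM_IP_RE.search(config)
    site = SITE_ID_RE.search(config)
    if not ip or not site:
        raise ValueError("system-ip or site-id missing from config")
    return {"system-ip": ip.group(1), "site-id": int(site.group(1))}


def check_policy_consistency(edge_configs: dict, policy: dict) -> list:
    """Return a list of mismatches between the cEdges and the policy lists."""
    findings = []
    edges = {name: parse_system_block(cfg) for name, cfg in edge_configs.items()}
    known_ips = {info["system-ip"] for info in edges.values()}
    # Scenario 1: a cEdge expected in the site-list is not matched by it.
    for name, info in edges.items():
        if info["site-id"] not in policy["site-list"]:
            findings.append(
                f"{name}: site-id {info['site-id']} not in site-list "
                f"{sorted(policy['site-list'])}"
            )
    # Scenario 2: a tloc-list entry points at no existing cEdge system-ip.
    for ip in sorted(policy["tloc-list"]):
        if ip not in known_ips:
            findings.append(f"tloc-list entry {ip} matches no cEdge system-ip")
    return findings


if __name__ == "__main__":
    for line in check_policy_consistency(EDGE_CONFIGS, POLICY):
        print(line)
```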
To be continued ...