Cisco SDWAN
Failure Scenarios with Centralized Policy

Credits: Nam Nguyen
Website: www.itbase.tv
Version: 1.0
Contents
Control Plane works (page 2)
Centralized Control Policies Overview (page 2)
Common Failure Scenarios (page 5)
  Mismatch Basic Info between cEdge and Centralized Policy (page 5)
    Overview (page 5)
    1. Mismatch site-id (page 6)
      Problem (page 6)
    2. Mismatch system-ip (page 7)
      Problem (page 7)
  Troubleshooting tips (page 8)

Figures
Figure 1. Overview Cisco SDWAN Control Plane works (page 2)
Figure 2. Cisco SDWAN Policy Types (page 3)
Figure 3. Inbound & Outbound Centralized Control Policies (page 4)
Figure 4. Centralized Control Policy's use case (page 5)
Figure 5. Centralized Control Policy is applied to list of sites (page 6)
Figure 6. Mismatch site-id between cEdge and Policy (page 7)
Figure 7. Mismatch system-ip (page 8)

1|Page www.itbase.tv
Control Plane works

Figure 1 Overview Cisco SDWAN Control Plane works

vSmart controllers receive OMP updates from vEdges and distribute them to the other vEdges.

Figure 1 is an example: the vEdge at site-20 sends OMP updates to vSmart, and vSmart
distributes them to site-10 and site-30.

An OMP update includes OMP routes, TLOC routes, service routes, and additional information
such as encryption keys.

Centralized Control Policies Overview

Cisco SDWAN uses the vManage NMS to manage the policies and their histories.

Figure 2 Cisco SDWAN Policy Types

There are two main types of policies in Cisco SDWAN:

▪ Localized Policy
▪ Centralized Policy
  ▪ Control Policy
  ▪ Data Policy

The Centralized Control Policy manipulates the TLOC and route information exchanged between
cEdges and vSmarts. It determines how the IPsec tunnel topology is established in the SDWAN
fabric and also controls the routing paths.

Centralized Policy

▪ Control Policy
  ▪ Topology
  ▪ VPN Membership

A Topology policy controls which OMP routes, TLOC routes, and service routes are
redistributed to a list of sites. It is usually used to control the tunnel topology in the
SDWAN fabric.

A VPN Membership policy controls which VPNs' route tables are distributed to which vEdges.
By default, without a VPN Membership policy, vSmart distributes all routes from all VPNs to
all vEdges in the fabric.

Figure 3. Inbound & Outbound Centralized Control Policies

The centralized control policy is directional: it has an inbound and an outbound direction.

OMP updates pass through the inbound policy before arriving at vSmart and through the
outbound policy before being distributed to the cEdges.

The network admin can apply an inbound and/or outbound policy to a list of sites.

For more detailed demonstrations, visit here.

Common Failure Scenarios
Mismatch Basic Info between cEdge and Centralized Policy
Overview

Figure 4. Centralized Control Policy's use case

By default, without any policy restriction, cEdges establish full-mesh tunnels to each other.

Figure 4 shows a Centralized Control Policy on vSmart applied to prevent cEdge#1 from
establishing an IPsec tunnel to cEdge#4, for some business or design reason.

Furthermore, the network admin can apply Centralized Control Policies to a list of sites,
as shown in Figure 5.

Figure 5. Centralized Control Policy is applied to list of sites

The result of applying the policy to a list of sites (sites 30 and 40) is shown in Figure 5.

cEdge#1 is prevented from establishing tunnels to cEdge#3 (site-30) and cEdge#4 (site-40).

1. Mismatch site-id

Problem
One common scenario is a site-id mismatch between the cEdge and the Centralized Control
Policy.

Figure 6. Mismatch site-id between cEdge and Policy

Figure 5 above is the required design; in Figure 6, cEdge#3 is accidentally configured
with an incorrect site-id (300 instead of 30), so the policy applied to site-30 no longer
matches it.

As a result, the overlay topology (tunnels) is established unexpectedly, as shown in Figure 6.

2. Mismatch system-ip

Problem
Figure 5 above is the required design; in Figure 7 below, the new policy is accidentally
configured with an incorrect TLOC system-ip.

As a result, the overlay topology (tunnels) is established unexpectedly, as shown in Figure 7.

Figure 7. Mismatch system-ip

Troubleshooting tips

The following commands and actions are useful in this case.

cEdge3,4# show sdwan bfd sessions
cEdge3,4# show sdwan ipsec inbound-connections
To confirm the current IPsec tunnel status with other sites.

cEdge3,4# show sdwan running-config
To compare the current configuration on the cEdge with the Centralized Policy.
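The following script is an added example, not part of the original document, that models the mechanism described in the overview (vSmart holds every cEdge's TLOC and runs the outbound control policy for the sites in the policy's site-list before advertising) and then reproduces both failure scenarios: the site-id typo on cEdge#3 (300 instead of 30) and a wrong TLOC system-ip in the policy. It also performs the comparison the last tip suggests, listing policy entries that no cEdge's running configuration actually carries. The policy text imitates the Viptela policy CLI; the device names, system-ips and site-ids are constructed.

```python
# Added example (not from the original document). Models vSmart's outbound
# centralized control policy and the site-id / system-ip mismatch scenarios.
# Policy text imitates the Viptela policy CLI; all values are constructed.

VSMART_POLICY = """\
policy
 lists
  site-list SITES_30_40
   site-id 30
   site-id 40
  !
  tloc-list CEDGE1_TLOC
   tloc 10.1.1.1 color mpls encap ipsec
  !
 !
 control-policy BLOCK_CEDGE1
  sequence 10
   match tloc
    tloc-list CEDGE1_TLOC
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list SITES_30_40
  control-policy BLOCK_CEDGE1 out
 !
!
"""

# Constructed inventory, name -> (system-ip, site-id), as read from each
# cEdge's `show sdwan running-config`. Intended design: cEdge3 is site 30.
CEDGES_INTENDED = {"cEdge1": ("10.1.1.1", 10), "cEdge2": ("10.1.1.2", 20),
                   "cEdge3": ("10.1.1.3", 30), "cEdge4": ("10.1.1.4", 40)}
CEDGES_SITE_TYPO = dict(CEDGES_INTENDED, cEdge3=("10.1.1.3", 300))            # scenario 1
POLICY_IP_TYPO = VSMART_POLICY.replace("tloc 10.1.1.1 ", "tloc 10.1.1.11 ")  # scenario 2


def parse_policy(text):
    """Site-lists, tloc-lists, reject rules and apply-policy entries from the CLI text.

    Only `match tloc` sequences with `action reject` (default-action accept) are modelled.
    """
    lists, rejects, apply = {}, {}, []          # lists: name -> {site-ids} or {system-ips}
    section = name = matched = None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        key = tok[0]
        if key == "apply-policy":
            section = "apply"
        elif section == "apply":
            if key == "site-list":
                name = tok[1]
            elif key == "control-policy":
                apply.append((name, tok[1], tok[2]))   # (site-list, policy, direction)
        elif key == "control-policy":
            section, name = "cp", tok[1]
            rejects[name] = set()
        elif section == "cp":
            if key == "tloc-list":
                matched = tok[1]                       # list named under `match tloc`
            elif key == "action" and tok[1] == "reject":
                rejects[name].add(matched)
        elif key in ("site-list", "tloc-list"):
            section, name = "list", tok[1]
            lists.setdefault(name, set())
        elif section == "list" and key in ("site-id", "tloc"):
            lists[name].add(tok[1])                    # site-id, or the system-ip after `tloc`
    return lists, rejects, apply


def learned_tlocs(policy, cedges):
    """Peer system-ips each cEdge receives once vSmart has applied its outbound policy."""
    lists, rejects, apply = policy
    all_ips = {ip for ip, _ in cedges.values()}
    learned = {}
    for dev, (ip, site) in cedges.items():
        allowed = all_ips - {ip}                       # no matching policy: full mesh
        for site_list, cp, direction in apply:
            if direction == "out" and str(site) in lists.get(site_list, ()):
                for tloc_list in rejects.get(cp, ()):
                    allowed -= lists.get(tloc_list, set())
        learned[dev] = allowed
    return learned


def tunnels(policy_text, cedges):
    """Tunnel pairs: a tunnel forms only when both sides learned each other's TLOC."""
    learned = learned_tlocs(parse_policy(policy_text), cedges)
    by_ip = {ip: dev for dev, (ip, _) in cedges.items()}
    return {tuple(sorted((dev, by_ip[p]))) for dev, peers in learned.items()
            for p in peers if cedges[dev][0] in learned[by_ip[p]]}


def dangling_references(policy_text, cedges):
    """Policy list entries (site-ids or TLOC system-ips) that no cEdge actually carries."""
    lists, _, _ = parse_policy(policy_text)
    known = {ip for ip, _ in cedges.values()} | {str(s) for _, s in cedges.values()}
    return {n: sorted(v - known) for n, v in lists.items() if v - known}


if __name__ == "__main__":
    base = tunnels(VSMART_POLICY, CEDGES_INTENDED)
    print("extra tunnels with site-id typo:", tunnels(VSMART_POLICY, CEDGES_SITE_TYPO) - base)
    print("dangling policy references:", dangling_references(VSMART_POLICY, CEDGES_SITE_TYPO))
```

With the intended inventory, cEdge#1 gets no tunnel to cEdge#3 or cEdge#4. With cEdge#3 at site-id 300 the policy no longer matches it, so a cEdge#1 to cEdge#3 tunnel appears; with the wrong system-ip in the tloc-list nothing is rejected and the fabric falls back to full mesh. `dangling_references` flags the entry that has no matching device in either case, which is the quick check to run before looking at BFD sessions.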

To be continued ...
