Understanding Cisco SD-WAN OMP routing concept is required to  implement and troubleshoot policy-based routing or traffic engineering on SD-WAN infrastructure. Therefore, this section is dedicated to further details into SD-WAN OMP routing protocol.

SD-WAN OMP Routing Protocol

SD-WAN OMP Sessions

WAN Edge routers advertise and learn routing updates only through vSmart as a route reflector. OMP (Overlay Management Protocol) is the routing protocol which is used to advertise and receive routing updates. OMP routing updates are protected through DTLS connections which is already created between edge routers and vSmart controller. There is no OMP Session directly between WAN edge routers.

SD-WAN OMP Sessions
SD-WAN OMP Sessions

SD-WAN DTLS Connections

As you know, a separate DTLS connection is established between WAN edge router and vSmart controller for each transport, i.e. one DTLS session via the Internet and the other DTLS session via MPLS. however, there is only one OMP session between each WAN edge router and the vSmart controller with their SYSTEM-IP.

DTLS Tunnel from vEdge to vSmart
DTLS Tunnel from vEdge to vSmart

Monitor OMP Peers and DTLS Connections

The output of “show omp peers” in vSmart and “show sdwan omp peers” in edge routers, shows that there is OMP session only between WAN edge routers and vSmart and there is no OMP session directly between WAN edge routers. it also shows that, independent of the number of transport, there is only one OMP session between edge routers and vSamrt.

vsamrt# show omp peers
cEdge1# show sdwan opm peers

The output of “show control connections” in vSmart and “show sdwan control connections” in edge routers shows that there is a separate DTLS connection between edge routers and vSmart for each transport.

vsmart# show control connections
cEdge1# show sdwan control connections

what is TLOC?

There is a new concept in OMP routing protocol called TLOC (Transport Locator) that we need to know in order to understand how OMP routing works. if you are familiar with LISP, TLOC is exactly the same as LISP Location address or Routing Locator (RLOC) concept.


TLOC points to the location of each site and only locations need to be routed in transport networks. Service VPN routes or routes that point to the LAN section of the SD-WAN infrastructure are only reachable via TLOC which we will see in a few minutes.

real traffic between users and services are re-encapsulated between TLOC locations.

TLOC does not refer to the transport physical IP address of edge routers. But a mixture of system-IP, color (transport) and encapsulation type (GRE / IPSec) identifies the location of each site.

For example, if we have one edge router in one site with two WAN transport, supposing only IPSec encapsulation, we have two TLOCS or location address in the site as it is shown in the figure.

TLOC = System-IP + Color + Encapsulation

As we’ll see in a few minutes, TLOC address is finally resolved to the physical IP address of transports that the tunnels will be terminated.

With command “show sdwan omp tloc-paths” in edge routers, all TLOC locations inside SD-WAN infrastructure are shown.

cEdge1# show sdwan omp tloc-paths

Now that we know TLOC, we can start to learn how OMP routing exactly works.

OMP Routing Process

Edge routers advertise their LAN prefixes, in other words, service VPN prefixes, through the OMP session to vSmart with their own TLOC locations as next-hop address.

SD-WAN OMP Routing Protocol
SD-WAN OMP Routing Protocol

As you can see in the figure, vSmart controller learns from Site1 using next hop address from Site1 TLOCs and from Site2 using next hop address from Site2 TLOCs.

vSmart Controller reflect the routes to all other edge routers without changing the next-hop addresses. In other words, edge router in site1 learn routes related to site2, with site2 TLOCs as next-hop address and not vSmart controller.

in our topology, cEdge1 router learn the address of with cEdge2 TLOCs as next-hop address.

VPN routes, are not the only routes which are advertised through OMP. TLOC locations and their corresponding transport physical IP address are also advertised through OMP routing protocol.

in the figure, TLOC table is also shown, which vSmart controller has learned from edge routers. as you can see, TLOC locations related to Site2 locations are resolved to transport physical IP addresses, here and

TLOC routes are also reflected through vSmart to other edge routers just like VPN service routes.

TLOC table in cEdge1 router shows that TLOC locations of site2 are resolved to physical transport address over internet and over MPLS.

For routing traffic to destination in cEdge1, OMP Route table shows that it must be forwarded to cEdge2 TLOCs and then TLOC table shows that physical IP address for cEdge2 TLOC is over internet and over MPLS network.

As soon as edge routers know transport physical IP address of other edge routers, IPSec Tunnel and BFD Sessions are automatically created.

Monitor OMP and TLOC Routes

To better understand, let’s monitor was it happening inside vSmart and edge routers.

With command “show omp routes” in vSmart, the routes learned from edge routers are displayed.

vsmart# show omp routes

As you can see, routes are learned from all edge routers with their TLOC as next-hop address which is the mixture of System-IP, color and encapsulation type.

The command “show omp tlocs” in vSmart shows TLOC table. As you can see TLOC locations are resolved to transport physical IP Address.

vsmart# show omp tlocs

command “show sdwan omp routes” in edge routers , shows how prefixes behind other edge routers are routed with their TLOC as next-hop address.

vsmart# show sdwan omp routes

for example here shows that is learned through vSmart controller. what you can see as tloc is over internet and over mpls. There are some other attributes that we will learn when we want to do policy based routing or traffic engineering like what we do normally with BGP attributes.

and command “show sdwan omp tlocs”, resolve TLOC locations to transport physical IP address.

cEdge1# show sdwan omp tlocs

there are also some other attributes here that we can manipulate to do traffic engineering or policy based routing. We will explain some of these attributes in the next videos.

Monitor IPsec and BFD Sessions

Command “show sdwan ipsec inbound-connections” and “show sdwan ipsec outbound-connections” show exactly how IPsec connections are created between edge routers.

cEdge1# show sdwan ipsec inbound-connections
cEdge1# show sdwan ipsec outbound-connections
SDWAN IPsec Connections

as you can see from every transport in source edge router to every other transport in destination edge router, IPsec connections are automatically created. Between cEdge1 and cEdge2, we have four IPsec connections from-Internet-to-mpls, from internet-to-internet, from-mpls-to-mpls and from-mpls-to-internet.

For every connection, a BFD session is automatically created. When an edge-tp-edge connection fails, it is detected quickly by BFD and the traffic is rerouted automatically to other paths. With command “show sdwan bfd sessions” in edge routers, you can monitor the connectivity between every TLOCs.

cEdge1# show sdwan bfd sessions

Monitor Service VPN Forwarding (FIB) Table

Final routes can be checked with command “show sdwan ip fib vpn 10”. 

cEdge1# show sdwan ip fib vpn 10
SD-WAN Service VPN FIB Table

In cEdge1, there are four paths from cEdge1 to Services behind cEdge2 with subnet address

Back to: Implementing Cisco SD-WAN Solutions > SD-WAN OMP Routing Protocol

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment