Understanding Cisco SD-WAN OMP routing concept is required to implement and troubleshoot policy-based routing or traffic engineering on SD-WAN infrastructure. Therefore, this section is dedicated to further details into SD-WAN OMP routing protocol.
SD-WAN OMP Routing Protocol
SD-WAN OMP Sessions
WAN Edge routers advertise and learn routing updates only through vSmart as a route reflector. OMP (Overlay Management Protocol) is the routing protocol which is used to advertise and receive routing updates. OMP routing updates are protected through DTLS connections which is already created between edge routers and vSmart controller. There is no OMP Session directly between WAN edge routers.
SD-WAN DTLS Connections
As you know, a separate DTLS connection is established between WAN edge router and vSmart controller for each transport, i.e. one DTLS session via the Internet and the other DTLS session via MPLS. however, there is only one OMP session between each WAN edge router and the vSmart controller with their SYSTEM-IP.
Monitor OMP Peers and DTLS Connections
The output of “show omp peers” in vSmart and “show sdwan omp peers” in edge routers, shows that there is OMP session only between WAN edge routers and vSmart and there is no OMP session directly between WAN edge routers. it also shows that, independent of the number of transport, there is only one OMP session between edge routers and vSamrt.
vsamrt# show omp peers cEdge1# show sdwan opm peers
The output of “show control connections” in vSmart and “show sdwan control connections” in edge routers shows that there is a separate DTLS connection between edge routers and vSmart for each transport.
vsmart# show control connections cEdge1# show sdwan control connections
what is TLOC?
There is a new concept in OMP routing protocol called TLOC (Transport Locator) that we need to know in order to understand how OMP routing works. if you are familiar with LISP, TLOC is exactly the same as LISP Location address or Routing Locator (RLOC) concept.
TLOC points to the location of each site and only locations need to be routed in transport networks. Service VPN routes or routes that point to the LAN section of the SD-WAN infrastructure are only reachable via TLOC which we will see in a few minutes.
real traffic between users and services are re-encapsulated between TLOC locations.
TLOC does not refer to the transport physical IP address of edge routers. But a mixture of system-IP, color (transport) and encapsulation type (GRE / IPSec) identifies the location of each site.
For example, if we have one edge router in one site with two WAN transport, supposing only IPSec encapsulation, we have two TLOCS or location address in the site as it is shown in the figure.
TLOC = System-IP + Color + Encapsulation
As we’ll see in a few minutes, TLOC address is finally resolved to the physical IP address of transports that the tunnels will be terminated.
With command “show sdwan omp tloc-paths” in edge routers, all TLOC locations inside SD-WAN infrastructure are shown.
cEdge1# show sdwan omp tloc-paths
Now that we know TLOC, we can start to learn how OMP routing exactly works.
OMP Routing Process
Edge routers advertise their LAN prefixes, in other words, service VPN prefixes, through the OMP session to vSmart with their own TLOC locations as next-hop address.
As you can see in the figure, vSmart controller learns 172.16.1.0/24 from Site1 using next hop address from Site1 TLOCs and 172.16.2.0/24 from Site2 using next hop address from Site2 TLOCs.
vSmart Controller reflect the routes to all other edge routers without changing the next-hop addresses. In other words, edge router in site1 learn routes related to site2, with site2 TLOCs as next-hop address and not vSmart controller.
in our topology, cEdge1 router learn the address of 172.16.2.0/24 with cEdge2 TLOCs as next-hop address.
VPN routes, are not the only routes which are advertised through OMP. TLOC locations and their corresponding transport physical IP address are also advertised through OMP routing protocol.
in the figure, TLOC table is also shown, which vSmart controller has learned from edge routers. as you can see, TLOC locations related to Site2 locations are resolved to transport physical IP addresses, here 192.168.1.102 and 192.168.2.102.
TLOC routes are also reflected through vSmart to other edge routers just like VPN service routes.
TLOC table in cEdge1 router shows that TLOC locations of site2 are resolved to physical transport address 192.168.1.102 over internet and 192.168.2.102 over MPLS.
For routing traffic to destination 172.16.2.0/24 in cEdge1, OMP Route table shows that it must be forwarded to cEdge2 TLOCs and then TLOC table shows that physical IP address for cEdge2 TLOC is 192.168.2.101 over internet and 192.168.2.102 over MPLS network.
As soon as edge routers know transport physical IP address of other edge routers, IPSec Tunnel and BFD Sessions are automatically created.
Monitor OMP and TLOC Routes
To better understand, let’s monitor was it happening inside vSmart and edge routers.
With command “show omp routes” in vSmart, the routes learned from edge routers are displayed.
vsmart# show omp routes
As you can see, routes are learned from all edge routers with their TLOC as next-hop address which is the mixture of System-IP, color and encapsulation type.
The command “show omp tlocs” in vSmart shows TLOC table. As you can see TLOC locations are resolved to transport physical IP Address.
vsmart# show omp tlocs
command “show sdwan omp routes” in edge routers , shows how prefixes behind other edge routers are routed with their TLOC as next-hop address.
vsmart# show sdwan omp routes
for example here shows that 172.16.2.0/24 is learned through vSmart controller. what you can see as tloc is 18.104.22.168 over internet and 22.214.171.124 over mpls. There are some other attributes that we will learn when we want to do policy based routing or traffic engineering like what we do normally with BGP attributes.
and command “show sdwan omp tlocs”, resolve TLOC locations to transport physical IP address.
cEdge1# show sdwan omp tlocs
there are also some other attributes here that we can manipulate to do traffic engineering or policy based routing. We will explain some of these attributes in the next videos.
Monitor IPsec and BFD Sessions
Command “show sdwan ipsec inbound-connections” and “show sdwan ipsec outbound-connections” show exactly how IPsec connections are created between edge routers.
cEdge1# show sdwan ipsec inbound-connections cEdge1# show sdwan ipsec outbound-connections
as you can see from every transport in source edge router to every other transport in destination edge router, IPsec connections are automatically created. Between cEdge1 and cEdge2, we have four IPsec connections from-Internet-to-mpls, from internet-to-internet, from-mpls-to-mpls and from-mpls-to-internet.
For every connection, a BFD session is automatically created. When an edge-tp-edge connection fails, it is detected quickly by BFD and the traffic is rerouted automatically to other paths. With command “show sdwan bfd sessions” in edge routers, you can monitor the connectivity between every TLOCs.
cEdge1# show sdwan bfd sessions
Monitor Service VPN Forwarding (FIB) Table
Final routes can be checked with command “show sdwan ip fib vpn 10”.
cEdge1# show sdwan ip fib vpn 10
In cEdge1, there are four paths from cEdge1 to Services behind cEdge2 with subnet address 172.16.2.0/24.