Cisco SD-WAN Traffic Engineering, route traffic on a different path than routing table, without changing routing table, exactly like PBR (Policy Based Routing) in traditional Cisco routers.
Cisco SD-WAN Traffic Engineering Overview
Traffic engineering is another data plane policy implemented in a centralized policy in vSmart controller. However, it is implemented centrally, but final policy is pushed from the vSmart controller to WAN edge routers. Otherwise, it is not possible to implement a data plane policy in vSmart controller since data traffic never goes through vSmart controller.
currently there is a direct connection between site2 and site3. As an example of traffic engineering, let’s change the path of traffic between these two sites in a way that it goes through hub site without manipulating any routes in routing table. in other words, we will change path of the traffic between site2 and site3 with changing next-hop address but in data plane and routing table will not be changed.
Ciscoo SD-WAN Traffic Engineering Configuration
Before starting configuration, let’s check how is the connection between site2 and site3 as an example.
cEdge2#traceroute 172.16.3.1 source 172.16.2.1 % Invalid source address- IP address not on any of our up interfaces cEdge2#traceroute vrf 10 172.16.3.1 source 172.16.2.1 Type escape sequence to abort. Tracing the route to 172.16.3.1 VRF info: (vrf in name/id, vrf out name/id) 1 172.16.3.1 7 msec * 3 msec
as you can see, at the moment we have a direct connections between site2 and site3. We will change the path in a way that it goes through hub site.
In the previous section, we implemented data plane access list and application firewall in centralized policy. Since it is not possible to apply more than one data plane policy to vSmart controller, I will edit this policy also to include our new traffic engineering policy.
I change the Name and Description from ACL_from_Services to ACL_ENG_from_Services to show that it includes both policies.
If you remember, in addition to application firewall, there are some other data plane policies that can be implemented in the vSamrt controller. with clicking on sequence type, you see that QoS and Traffic Engineering are some of these policies. We choose Traffic Engineering to implement our new data plane policy.
The most important point in implementing traffic engineering is to change TLOC for our target traffic. We change TLOC to hub site for any traffic between WAN sites.
CONFIGURATION -> POLICIES -> Centralized Policy -> Custom Options -> Traffic Policy -> Traffic Data -> ACL_from_Services -> Edit Name: ACL_ENG_from_Services Description: ACL_ENG_from_Services Sequence Type -> Traffic Engineering sequence 1: Match: Source Data Prefix: 172.16.0.0/24 Destination Data Prefix: 172.16.0.0/24 Actios: Accept TLOC: HUB_LOCATION (created in previous sections) VPN: 10 Default Actioon: Accept
Then we have to activate our new policy.
If we check the configuration difference, it is clear that our previous vSmart data plane policy is edited and new traffic engineering rules are added.
Just to review, remember that this policy is already applied to all spokes in direction from service VPN to WAN infrastructure.
CONFIGURATION -> POLICIES -> Centralized Policy -> vSmart_Policy -> Edit -> Policy Application -> Traffic Data ACL_ENG_from_Services Site List: SPOKES VPN List: VPN 10 Direction: service
We can also review the configuration by clicking preview button.
viptela-policy:policy data-policy _VPN10_ACL_ENG_from_Services vpn-list VPN10 ... sequence 31 match source-ip 172.16.2.0/24 destination-ip 172.16.3.0/24 ! action accept set vpn 10 tloc-list HUB_LOCATION ! ! ! default-action accept ! lists ... tloc-list HUB_LOCATION tloc 220.127.116.11 color public-internet encap ipsec tloc 18.104.22.168 color mpls encap ipsec ! ! ! apply-policy ... site-list SPOKES data-policy _VPN10_ACL_ENG_from_Services from-service ! ...
Now we can check again the connectivity from site2 to site3 to see if traffic engineering works and traffic goes through hub site.
cEdge2#traceroute vrf 10 172.16.3.1 source 172.16.2.1 Type escape sequence to abort. Tracing the route to 172.16.3.1 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.1.101 1 msec 14 msec 2 msec 2 172.16.3.1 2 msec * 3 msec cEdge2# cEdge2#traceroute vrf 10 172.16.3.1 source 172.16.2.1 Type escape sequence to abort. Tracing the route to 172.16.3.1 VRF info: (vrf in name/id, vrf out name/id) 1 192.168.2.101 1 msec 1 msec 2 msec 2 172.16.3.1 3 msec 2 msec * cEdge2#
We can trace multiple times. As you can see traffic is load shared between internet and mpls path since there are multiple path to reach hub location.