vSmart
The vSmart is the centralized control plane of the SD-WAN deployment. It provides routing and data plane policies to the WAN Edge routers. The vSmart takes in all of the routing and topology information from the WAN Edge clients, calculates the best-path, then advertises the results back to the WAN Edge routers. The communication between WAN Edges and vSmart is encrypted and authenticated with DTLS.
Overlay Management Protocol (OMP)
OMP is pretty important, so it’s worth calling out here. OMP isn’t just a routing protocol. It handles all control plane information. It provides the best-path selection and routing policy advertisements, as well as the data plane security info (encryption keys), and more.
Administrative Distance on Cisco IOS is 251. (250 on Viptela OS)
The comparison is always made between OMP and BGP Route Reflectors. OMP Peering doesn’t happen between two WAN Edges. It only happens between a WAN Edge and the vSmart.
If connectivity is lost between the WAN Edge and vSmart, the WAN Edge router will continue to operate using its last known routing information and continue to try to re-establish connectivity with vSmart for the length of the graceful restart timer (default is 12 hours).
This brings up an important flaw in the design of every evil sci-fi robot. Whenever the master brain is destroyed in a Sci-fi movie, the robots just cease all functions. They’re usually poised to destroy someone and then just dramatically power down. A good design would be for the evil master brain to program the robot minions to carry out the most recent order, such as, “Destroy the Earth.” The example that comes to mind is Oblivion, the Tom Cruise movie from 2013. Not to mention the fact that there’s just one robot master brain with no redundancy…
OMP Routes: These are your router’s personal LAN prefix space. For instance, if you are the Reno, NV site and your local IP space is 10.29.5.0/24, then the OMP route could be something like, “The 10.29.5.0/24 prefix is reachable via TLOC X, and these attributes are included.” The attributes included are:
- TLOC: As discussed above, it’s a unique identifier.
- Origin: Where’d the route come from? Static, Connected, BGP? What’s the metric? Think “redistribution.”
- Originator: The System IP of the advertiser.
- Preference: Basically the same as BGP Local Preference. Higher is better.
- Service: See Service Routes below.
- Site ID: Basically BGP ASN. All WAN Edges at the same site should have the same Site ID (loop prevention). Different sites all need unique Site IDs.
- Tag: Optional value for applying policies. “Everyone with Tag 105 gets this policy!”
- VPN (This is actually a VRF, but it’s called a VPN…)
Notice the similarity with BGP attributes.
show omp routes 191.1.1.0/24
(NEED A SCREEN CAP HERE)
But how is this TLOC reachable? I know I have to hit TLOC X to get the 10.29.5.1, but how do I get to TLOC X? That’s where TLOC Routes come in.
TLOC Routes: These routes are comprised of the WAN IP address, the corresponding TLOC, and whatever attributes. Includes:
- TLOC Private Address: The IP configured on the interface.
- TLOC Public Address: The NAT’d IP. If Public and Private are the same, then we’re pretty sure it’s not being NAT’d.
- Color: Again, a stupid name since it’s usually not an actual color. Basically an identifier of the transport type. The router might have an Internet interface and an MPLS interfaces. The color identifies which is which.
- Encapsulation Type: GRE or IPSec.
- Preference: Similar to OMP Preference, higher is more preferred.
- Site ID: Similar to OMP.
- Tag: Similar to OMP.
- Weight: Similar to BGP, locally significant only. Higher is more preferred.
show omp tlocs detail
(NEED A SCREEN CAP HERE)
Service Routes: Last one. Your WAN Edge can have some services hanging off of it, for instance, a NGFW. Your WAN Edge can then tell all his friends, “Hey, I’ve got this super NGFW in case anyone wants to use it.” That’s a Service Route. Configured using Feature Templates.
Path Selection
Another BGP knockoff. Another set of values to memorize… in order…
- Valid OMP Route: If the TLOC isn’t active, the route isn’t considered. Pretty obvious one. Uses BFD to determine if it’s active.
- Locally sourced: Routers prefer their own routes over something learned from vSmart.
- Lower Administrative Distance: Tie breaker, pick the lower administrative distance.
- OMP Preference
- TLOC Preference
- Origin: Pretty much in AD order. First match wins…
  - Connected
  - Static
  - EBGP
  - EIGRP Internal
  - OSPF intra-area
  - OSPF inter-area
  - OSPF external
  - EIGRP external
  - IBGP
  - Unknown
- Lowest Origin Metric: If there are two routes both from EIGRP, compare metrics.
- Highest System IP: Now we’re into the annoying arbitrary tie-breakers.
- Highest TLOC Private Address: … so annoying.
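To make the ordering above concrete, here is the comparison written out as a small Python selector run over a few constructed OMP routes. This is an added illustration, not code from the original post or from Cisco; the attribute names, class layout and sample addresses are assumptions, and the order of checks mirrors the list above exactly.

```python
from dataclasses import dataclass

# Origin protocols in the order the post lists them (first match wins).
ORIGIN_ORDER = ["connected", "static", "ebgp", "eigrp-internal", "ospf-intra-area",
                "ospf-inter-area", "ospf-external", "eigrp-external", "ibgp", "unknown"]

@dataclass
class OmpRoute:                 # hypothetical shape of one OMP route advertisement
    prefix: str
    tloc_private: str           # TLOC private address, the last tie-breaker
    system_ip: str              # Originator (System IP of the advertiser)
    origin: str
    origin_metric: int
    omp_pref: int
    tloc_pref: int
    admin_distance: int
    local: bool = False         # True if locally sourced rather than learned from vSmart
    tloc_active: bool = True    # BFD says the TLOC is up

def _ip_key(ip):
    # Dotted-quad string -> tuple so "10.255.0.10" compares above "10.255.0.9".
    return tuple(int(octet) for octet in ip.split("."))

def sort_key(route):
    # min() picks the smallest key, so "higher is better" fields are negated.
    origin = route.origin if route.origin in ORIGIN_ORDER else "unknown"
    return (
        not route.local,                                   # locally sourced first
        route.admin_distance,                              # lower AD wins
        -route.omp_pref,                                   # higher OMP preference wins
        -route.tloc_pref,                                  # higher TLOC preference wins
        ORIGIN_ORDER.index(origin),                        # earlier origin wins
        route.origin_metric,                               # lower origin metric wins
        tuple(-o for o in _ip_key(route.system_ip)),       # higher System IP wins
        tuple(-o for o in _ip_key(route.tloc_private)),    # higher TLOC private address wins
    )

def best_path(routes):
    # Step one: a route whose TLOC is down is not a candidate at all.
    valid = [r for r in routes if r.tloc_active]
    return min(valid, key=sort_key) if valid else None

# Constructed sample: three paths to the same prefix learned from vSmart.
CANDIDATES = [
    OmpRoute("10.29.5.0/24", "203.0.113.10", "10.255.0.1", "static", 0,
             omp_pref=200, tloc_pref=0, admin_distance=251, tloc_active=False),
    OmpRoute("10.29.5.0/24", "203.0.113.20", "10.255.0.2", "ibgp", 5,
             omp_pref=150, tloc_pref=0, admin_distance=251),
    OmpRoute("10.29.5.0/24", "203.0.113.30", "10.255.0.3", "connected", 0,
             omp_pref=100, tloc_pref=0, admin_distance=251),
]
```

With this input the first route loses on the BFD check despite its higher preference, and the IBGP-originated route beats the connected one because OMP Preference is compared before Origin.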
Loop Prevention
Redistributing routes from OMP to and from other protocols can inadvertently cause loops. There are a couple of built-in prevention methods.
OSPF: Uses the down bit to prevent a route from going back up toward the OMP routers.
If two WAN Edges learn the same route, they’ll both redistribute it into OSPF. Then the OSPF neighbors will share it back and forth to each other, and then try to share it back up to the other WAN Edge. The down bit prevents this from happening.
BGP: You need to enable extended communities. Also, here’s where the Site ID comes into play again. BGP advertises the Site ID as site of origin. If the Site ID matches its own Site ID, the BGP router will drop the update.
EIGRP: Since XE SD-WAN routers can do EIGRP, it had to be enhanced for loop prevention. When redistribution happens from OMP to EIGRP, the External Protocol field is set to OMP-Agent. This doesn’t cause the route to be dropped, but sets the AD to 252.