
TLOC Extension: Explore Cisco SD-WAN

Created by Deepak Sharma in Articles 8 Jan 2024

TLOC Extension

Sometimes it is not possible to connect both transports to each WAN Edge router, and each WAN Edge router has to be connected to a single transport. One alternative is to connect a switch to each transport and have the SD-WAN routers reach the transports through the switches. This option is typically not recommended for branches, however, because it increases the overall solution cost and adds an extra device to manage.

Using TLOC extensions, each WAN Edge router can establish connectivity with the opposite transport by utilizing the TLOC-extension interface on the neighboring WAN Edge router. In the diagram provided, WAN Edge 1 directly connects to the MPLS transport and establishes a connection to the INET transport by utilizing the TLOC extension interface on WAN Edge 2. On the other hand, WAN Edge 2 connects directly to the INET transport and utilizes the TLOC extension interface on WAN Edge 1 to connect to the MPLS transport. When using a TLOC extension interface to establish connectivity with a transport, the connection is seamless and transparent. As per the diagram, the WAN Edge 1 router still maintains two physical interfaces with configured tunnels - one to the MPLS and another to the Internet, and remains unaware that the tunnel to the Internet is passing through another SD-WAN router.

TLOC Extension Types

There are various ways to connect TLOC extensions on SD-WAN routers. The connections can be established directly between SD-WAN routers, or through an L2 or L3 switch/router. L2 TLOC extensions refer to extensions between two routers that are L2-adjacent to each other, and the links are within the same subnet. On the other hand, L3 TLOC extensions describe TLOC extensions between two routers that are separated by an L3 switch or router, and the links are within different subnets. In L3 TLOC extensions, GRE tunnels are utilized for implementation. It is worth noting that TLOC extensions can be separate physical interfaces or subinterfaces, depending on the available bandwidth.

While TLOC extensions can be useful, there are some limitations to their use:
● TLOC and TLOC extension interfaces are only compatible with L3 routed interfaces. L2 switchports/SVIs cannot serve as WAN/Tunnel interfaces and can only be utilized on the service side. Additionally, LTE cannot be used as a TLOC extension interface between WAN Edge routers.
● L3 TLOC extension is only supported on IOS XE SD-WAN routers and is not supported on vEdge routers.
● TLOC extension does not function on transport interfaces that are associated with loopback tunnel interfaces.

TLOC Extension Routing

The TLOC extension interface needs to be configured by assigning it an IP address and binding it to the appropriate WAN interface in VPN 0. In the diagram below, WAN Edge 1's TLOC extension interface is ge0/7 and is bound to the MPLS transport through ge0/2. WAN Edge 2's TLOC extension interface is also ge0/7 and is bound to the INET transport through ge0/4.

To enable controller reachability and establish IPsec tunnels and BFD sessions with other sites over the TLOC extension interfaces, certain routing considerations must be made. Static default routes should be configured in the underlay (transport VPN 0) on each WAN Edge router, pointing to the Service Provider router as the next hop.

In order to reach the INET transport, a default route should be configured on WAN Edge 1's INET interface (ge0/4) pointing to WAN Edge 2's ge0/7 IP address. If subnet A is in a private address space, NAT should be configured on WAN Edge 2's ge0/4 transport interface to ensure traffic can be routed back from the Internet to WAN Edge 1 over the TLOC extension.

To reach the MPLS transport, a default route should be configured on WAN Edge 2's MPLS interface pointing to WAN Edge 1's ge0/7 IP address. To ensure traffic can be routed back to the TLOC extension interface, a routing protocol (usually BGP or OSPF) can be run in the transport VPN (VPN 0) of WAN Edge 1 to advertise subnet B so that the MPLS provider has a route to subnet B through WAN Edge 1. It's recommended to apply a route map inbound to deny all incoming dynamic routes from the service provider since the static default route is used in the transport VPN for control plane and IPsec tunnel establishment.

Alternatively, the MPLS PE router can implement a static route to subnet B through WAN Edge 1, which can then be redistributed through the service provider network. However, static routes are not recommended when there is a large number of sites since it's not as manageable or scalable as using a dynamic routing protocol.
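The routing steps above, written out as vEdge-style CLI for both routers. This is an added example, not configuration from the article, the video or Cisco documentation. The interface names follow the text (ge0/2, ge0/4, ge0/7); WAN Edge 2's MPLS-facing interface is assumed to be ge0/2. All IP addresses, AS numbers and the policy name DENY-ALL-IN are constructed for the example: subnet A (the INET-side extension link) is 172.16.1.0/30 and subnet B (the MPLS-side extension link) is 192.168.2.0/30.

```cisco
! === WAN Edge 1 (addresses constructed for this example) ===
! ge0/2 : direct MPLS transport, PE router at 10.1.1.1
! ge0/4 : INET-facing interface, reaches the Internet via WAN Edge 2 ge0/7 (subnet A)
! ge0/7 : TLOC extension offered to WAN Edge 2, bound to ge0/2 (subnet B)
vpn 0
 interface ge0/2
  ip address 10.1.1.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
  !
  no shutdown
 !
 interface ge0/4
  ip address 172.16.1.1/30
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 interface ge0/7
  ip address 192.168.2.1/30
  tloc-extension ge0/2
  no shutdown
 !
 ! One static default route per transport path: toward the MPLS PE, and
 ! toward WAN Edge 2's extension interface for the Internet path
 ip route 0.0.0.0/0 10.1.1.1
 ip route 0.0.0.0/0 172.16.1.2
 ! Advertise subnet B to the MPLS provider so return traffic reaches the
 ! extension link; reject every route the provider sends inbound
 router
  bgp 65001
   address-family ipv4-unicast
    network 192.168.2.0/30
   !
   neighbor 10.1.1.1
    remote-as 65000
    address-family ipv4-unicast
     route-policy DENY-ALL-IN in
    !
   !
  !
 !
!
policy
 route-policy DENY-ALL-IN
  default-action reject
 !
!
! === WAN Edge 2 (addresses constructed for this example) ===
! ge0/4 : direct INET transport, ISP gateway at 203.0.113.1; NAT so that
!         traffic from private subnet A can return over the extension
! ge0/7 : TLOC extension offered to WAN Edge 1, bound to ge0/4 (subnet A)
! ge0/2 : MPLS-facing interface (name assumed), reaches MPLS via WAN Edge 1 ge0/7 (subnet B)
vpn 0
 interface ge0/4
  ip address 203.0.113.2/30
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 interface ge0/7
  ip address 172.16.1.2/30
  tloc-extension ge0/4
  no shutdown
 !
 interface ge0/2
  ip address 192.168.2.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.1
 ip route 0.0.0.0/0 192.168.2.1
!
```

After committing, `show bfd sessions` on either router should list sessions for both the mpls and biz-internet colors; a missing color on WAN Edge 1's Internet side usually points at the NAT on WAN Edge 2's ge0/4, and a missing mpls color on WAN Edge 2 at subnet B not being advertised to the provider.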

Recently I delivered a live session on Cisco SD-WAN TLOC extension where I briefly covered the theoretical concepts of TLOC and configured it in a lab environment in a systematic, step-by-step approach. Here is the video link for TLOC Extension.


Comments (1)

Dcancerian Student
26 Oct 2023 | 08:19 pm

Good one. Please share the next video where you have shown practical of TLOC extension.
