Cisco Catalyst SD-WAN Network Configuration Guide, Releases 26.x and Later

Configure on-demand tunnels

Guides configuration of dynamic on-demand tunnels, including setup using control policies, centralized control policy methods, and configuration via transport gateways, covering both group and template-based approaches.


The following procedures describe how to configure on-demand tunnels using either a control policy or a simpler method that uses a transport gateway as a hub.

Configure on-demand tunnels using control policy

To configure on-demand tunnels using the control policy method, do the following:

Procedure

1. Configure a control policy, as described in Configure a centralized control policy for on-demand tunnels.

2. Enable on-demand tunnels on spoke devices, as described in Enable on-demand tunnels on a spoke device using a template and Enable on-demand tunnels using a CLI template.


Configure a centralized control policy for on-demand tunnels

Before you begin

This procedure configures a centralized control policy on a Cisco Catalyst SD-WAN Controller to enable on-demand tunnels.

  • The Cisco Catalyst SD-WAN Controller centralized control policy must include the tloc-action backup action.

    This ensures a backup path through the hub for communication between all of the spoke devices.

  • The Cisco Catalyst SD-WAN Controller centralized control policy must accept all spoke prefix routes.

  • The Cisco Catalyst SD-WAN Controller centralized control policy must accept TLOCs of all spokes.

    For information about configuring a Cisco Catalyst SD-WAN Controller centralized control policy, see the policies configuration guides on the Cisco Catalyst SD-WAN Configuration Guides page.

  • When configuring on-demand tunnels using a transport gateway, do not use the control policy procedure described here. For information, see Configure On-Demand Tunnels Using a Transport Gateway.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

  1. Select Centralized Policy.

  2. Click Add Policy.

  3. In the left pane, click Site.

  4. Click Next.

  5. Click Add Topology and select Custom Control (Route & TLOC).

  6. Enter a name and description for the topology.

  7. Click Sequence Type.

  8. In the Add Control Policy pop-up window, choose Route.

  9. Click Sequence Rule to create a sequence.

2. Click Match.

  1. Among the match conditions, click Site.

  2. In the Match Conditions area, click the Site List menu and choose a site list.

  3. Click Actions, and then Accept.

3. Among the actions, click TLOC Action.

  1. In the Actions area, click the TLOC Action menu and choose Backup.

  2. Among the actions, click TLOC.

  3. In the Actions area, click the TLOC List menu and choose or create a TLOC list.

  4. Click Save Match and Actions.

4. Click Default Action.

  1. In the Default Action area, click the pencil icon to edit.

  2. Near the Actions label, click Accept.

  3. Click Save Control Policy.

  4. Click Next twice.

  5. In the Topology tab, click New Site/WAN Region List.

  6. Click Outbound Site List and choose a site list that defines the sites at which you are enabling on-demand tunnels.

  7. Adjacent to the site list, click Add.

  8. Enter a name and description for the policy.

  9. Click Save Policy.


Configure centralized control policy for on-demand tunnels using a CLI policy

Before you begin

The Cisco Catalyst SD-WAN Controller must be managed by Cisco SD-WAN Manager.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Classic > Policies.

2. Open Centralized Policy.

3. From Custom Options, choose Centralized Policy > CLI Policy.

4. Click Add Policy.

5. Enter the CLI commands for the policy.

Example:

control-policy Dynamic-Tunnel-Control-Policy
    sequence 100
     match route
      site-list Branches
     !
     action accept
      set
       tloc-action backup
       tloc-list Hub-TLOCs
      !
     !
    sequence 200
     match tloc
     !
     action accept
    !
  default-action accept
 !
 lists
  site-list Branches
   site-id 200
   site-id 300
  !
  tloc-list Hub-TLOCs
   tloc 10.0.0.1 color mpls encap ipsec
   tloc 10.0.0.1 color public-internet encap ipsec
!
!
apply-policy
 site-list Branches
  control-policy Dynamic-Tunnel-Control-Policy out
 !
!
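
A pre-activation check for the prerequisites listed above, run over the policy text before it is pasted into the CLI Policy editor. This is an added example, not Cisco tooling or code from the guide; the function name `lint_policy` and the flattened sample are assumptions, and the parser only understands the line forms shown in the example above.

```python
import re
# Constructed sample: the CLI example above with "!" separators and site-ids omitted.
GOOD = """\
control-policy Dynamic-Tunnel-Control-Policy
 sequence 100
  match route
   site-list Branches
  action accept
   set
    tloc-action backup
    tloc-list Hub-TLOCs
 sequence 200
  match tloc
  action accept
 default-action accept
lists
 tloc-list Hub-TLOCs
  tloc 10.0.0.1 color mpls encap ipsec
apply-policy
 site-list Branches
  control-policy Dynamic-Tunnel-Control-Policy out
"""

def lint_policy(text):
    """Return findings; an empty list means every prerequisite check passed."""
    section, seqs, default, out = "policy", [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("lists", "apply-policy"):
            section = line
        elif section == "apply-policy":
            out = out or bool(re.fullmatch(r"control-policy \S+ out", line))
        elif line.startswith("control-policy "):
            section = "policy"
        elif section != "policy":
            continue  # list definitions are not inspected here
        elif re.fullmatch(r"sequence \d+", line):
            seqs.append(set())
        elif line.startswith("default-action "):
            default = line.split()[1]
        elif seqs:
            seqs[-1].add(line)
    route = {"match route", "action accept", "tloc-action backup"}
    return [msg for ok, msg in [
        (any(route <= s and any(l.startswith("tloc-list ") for l in s) for s in seqs),
         "no accepted route sequence sets tloc-action backup with a tloc-list"),
        (any({"match tloc", "action accept"} <= s for s in seqs), "no sequence accepts TLOCs"),
        (default == "accept", "default-action is not accept"),
        (out, "control policy is not applied in the out direction"),
    ] if not ok]
```

A policy that activates cleanly but fails one of these checks leaves spokes without the hub backup path, so direct-tunnel setup failures become reachability failures.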

Configure on-demand tunnels using a transport gateway

Before you begin

  • On Cisco SD-WAN Controllers, configure the send path limit, as described in Prerequisites: OMP settings.

  • On spoke devices, configure the ECMP limit, as described in Prerequisites: Spoke Device ECMP Limit.

  • When using a transport gateway as a hub to support on-demand tunnels, there is no need to create or modify a control policy.

    Do not use the procedure described in Configure a Centralized Control Policy for On-Demand Tunnels.

Procedure

1. Enable transport gateway functionality on a router serving as the hub, providing a backup route between spokes, as described in the Transport Gateway section of the Cisco Catalyst SD-WAN Routing Configuration Guide.

2. Enable on-demand tunnels and configure the idle timeout on spoke devices as described in Enable on-demand tunnels on a spoke device using a template.


Enable on-demand tunnels on a spoke device using a configuration group

Before you begin

On the Configuration > Configuration Groups page, choose the SD-WAN solution type.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2. Do one of these:

  • Edit a profile directly:

    In the System Profile tab, create (Add New) or edit a System profile.

  • Edit a profile in a configuration group:

    Open a configuration group and edit the System profile.

3. In the System profile, create (Add New) or edit a Basic feature.

4. In the Advanced section, use the On Demand Tunnel control to enable on-demand tunnels.


Enable on-demand tunnels on a spoke device using a template

Before you begin

  • See the Prerequisites for On-Demand Tunnels.

  • Do not enable on-demand on the hub device.

  • On the spoke devices, enable on-demand at the system level. In the case of multi-homed sites, enable on-demand on all systems at the site.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2. Click Feature Templates.

Note

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

3. Click Add Template.

4. Select a device.

5. From Basic Information, select Cisco System.

6. Click Advanced.

7. Enable On-demand Tunnel.

8. (Optional) Configure the On-demand Tunnel Idle Timeout time. The default idle timeout value is 10 minutes. Range: 1 to 65535 minutes.

9. Attach the System feature template to the device template for the spoke device.


Enable on-demand tunnels using a CLI template

For more information about using CLI templates, see CLI Add-On Feature Templates and CLI Templates.

By default, CLI templates execute commands in global configuration mode.

Before you begin

  • See Prerequisites for On-Demand Tunnels.

  • Do not enable on-demand on the hub device.

Procedure

On the spoke devices, enable on-demand tunnels at the system level. In the case of multi-homed sites, enable on-demand on all systems in the site.

The default idle timeout value is 10 minutes. Range: 1 to 65535 minutes.

Example:

system
 on-demand enable
 on-demand idle-timeout 10
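
The rules in this section (no on-demand on the hub, every system at a multi-homed site enabled, idle timeout within 1 to 65535 minutes) can be audited across a fleet before templates are pushed. The following is an added example, not Cisco tooling or code from the guide; the inventory layout, the `role` field, the device names and the presence of `site-id` in the same `system` block are assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory. "role" comes from the operator's records; each "config"
# is a device's system block, with site-id assumed to appear in the same block.
DEVICES = [
    {"name": "hub1", "role": "hub", "config": "system\n site-id 100\n"},
    {"name": "br200-a", "role": "spoke",
     "config": "system\n site-id 200\n on-demand enable\n on-demand idle-timeout 10\n"},
    {"name": "br200-b", "role": "spoke", "config": "system\n site-id 200\n"},
    {"name": "br300", "role": "spoke",
     "config": "system\n site-id 300\n on-demand enable\n on-demand idle-timeout 70000\n"},
]

def find(pattern, config):
    """Return the first capture group of a whole-line match, or None."""
    m = re.search(rf"^\s*{pattern}\s*$", config, re.M)
    return m.group(1) if m else None

def audit(devices):
    """Return findings for hub, idle-timeout and multi-homed site violations."""
    findings, by_site = [], defaultdict(list)
    for d in devices:
        enabled = find(r"(on-demand enable)", d["config"]) is not None
        timeout = find(r"on-demand idle-timeout (\d+)", d["config"])
        site = find(r"site-id (\d+)", d["config"])
        if d["role"] == "hub" and enabled:
            findings.append(f"{d['name']}: on-demand is enabled on a hub")
        if timeout and not 1 <= int(timeout) <= 65535:
            findings.append(f"{d['name']}: idle-timeout {timeout} is outside 1-65535")
        if d["role"] == "spoke" and site:
            by_site[site].append((d["name"], enabled))
    # Multi-homed sites: every system at the site must have on-demand enabled.
    for site, members in sorted(by_site.items()):
        missing = [name for name, enabled in members if not enabled]
        if missing and len(missing) < len(members):
            findings.append(f"site {site}: on-demand missing on {', '.join(missing)}")
    return findings
```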