Use these scenarios to understand how transport gateway and Multi-Region Fabric deployments maintain symmetric routing through route re-origination and path-preference attributes across complex, multi-hop topologies and data centers.
An overview of the configuration workflow helps you understand the scenarios in which Cisco Catalyst SD-WAN supports symmetric routing. The figures below shows
a transport gateway scenario, and
a Multi-Region Fabric scenario.
Transport gateway scenario
In the transport gateway scenario, the goal is to ensure symmetric routing between the spoke devices (E1 and E2 in the illustration) and the data center router (DC1).
Figure 1. Transport gateway scenario with a data center LAN
Multi-region fabric scenario
In the Multi-region fabric scenario, the goal is to ensure symmetric routing between the PC devices served by edge router ER11 in Region 1, and the PC devices served by ER21 in Region 2.
Figure 2. Multi-region fabric scenario
Configuration overview
The steps below provide an overview of the configuration required for symmetric routing.
Configuration step
Devices
Description
1. Configure affinity group preference
Spoke routers
Edge routers in a multi-region fabric scenario
To ensure traffic symmetry within the overlay network, configure spoke routers (or edge routers in a multi-region fabric scenario) in the network with an affinity group preference. This can be a manually configured order of preference or automatic preference.
With automatic affinity preference order, a spoke device or edge router prefers paths tagged with a lower affinity group number.
To ensure traffic symmetry within the overlay network, configure border routers and transport gateways with (a) an affinity group number, or (b) affinity groups per VRF for some or all VRFs that the devices handle. You can configure both (a) and (b) together.
For example, if a device has a VRF range of 1 to 10, you can configure a device as follows:
System-level affinity group 10
Affinity groups per VRF: Affinity group 20 for VRF6 through VRF 10
The result is that vRoutes in the range 1 to 5 are tagged with affinity group 10 (from the system-level affinity group), and vRoutes in the range of 6 to 10 are tagged with affinity group 20.
To enable symmetric routing between the overlay network and a LAN, on the border routers or transport gateways that conduct traffic with a LAN, enable translation of RIB metrics for redistribution of OMP routes to LAN routing protocols.
Example configurations for symmetric routing in transport gateway and multi-region fabric deployments
The illustrations below show the two scenarios described earlier, with an example configuration for each router, in accordance with the steps described here to ensure symmetric routing.
Figure 1. Transport gateway scenario with a data center LAN, showing a configuration for symmetric routing
Figure 2. Multi-region fabric scenario, showing a configuration for symmetric routing
Example of configuration for symmetric routing and the mechanism
This comprehensive example describes how to configure border routers and edge routers in a Multi-Region Fabric (MRF) environment to achieve symmetric routing between PC devices behind ER11 (Region 1) and ER21 (Region 2).
The example focuses specifically on traffic between PC10 and PC20.
The step-by-step illustrations show how route re-origination and path preference ensure that traffic in both directions follows the same path across multiple hops.
Multi-region fabric scenario: configuration for symmetric routing
Figure 1. Multi-region fabric scenario, configuration for symmetric routing
Advertising P1 routes
Edge router ER11 advertises P1 routes. These routes are re-originated as they move from Region 1 toward Region 2, passing through border routers that assign affinity groups and derived affinity groups (DAG).
Routers select preferred routes based on:
Outside the core region: Affinity group preference
Inside the core region: Lowest derived affinity group (dag) value
Figures:
Figure 2. Edge router ER11 advertises P1 routes
Figure 3. Border routers BR11 and BR12 re-originate the P1 routes
Figure 4. Border routers BR21 and BR22 re-originate the P1 routes
Figure 5. Route preference according to affinity group and derived affinity group
Figure 6. Resulting path of traffic to P1
Advertising P2 routes
Edge routers ER21 and ER22 advertise P2 routes. These routes are re-originated from Region 2 back toward Region 1, with border routers again assigning affinity groups and derived affinity groups during the process.
Route preference is determined using the same rules:
Outside the core region: Affinity group preference
Inside the core region: Lowest derived affinity group (dag) value
Figure 7. Edge router ER21 advertises P2 routes
Figure 8. Border routers BR21 and BR22 re-originate the P2 routes
Figure 9. Border routers BR11 and BR12 re-originate the P2 routes
Figure 10. Route preference according to affinity group and derived affinity group
Figure 11. Resulting path of traffic to P2
Result
The following figure shows that the result of the configuration is symmetric routing for flows between, in this example, PC10 and PC20:
Figure 12. Result is symmetric routing
Supported scenarios
The symmetric routing configuration method described in this document applies to the following deployment scenarios:
Hub-and-spoke topology with multiple hub routers: includes deployments where the hub router provides connectivity to a multi-homed data center.
Multi-region fabric with multiple border routers: Covers scenarios where an MRF region contains a multi-homed data center, requiring consistent bidirectional path selection across regions.
Multi-region fabric with transport gateways serving subregions: Applies to MRF deployments where transport gateways (TGWs) connect subregions and influence route propagation.
Scenario: Hub-and-spoke topology, multiple hubs serving a data center, active/active
In this scenario, two hubs serve a data center. The two hubs are both active, for an active/active arrangement.
The data center LAN is not part of the Cisco Catalyst SD-WAN overlay network.
Scenario: Hub-and-spoke topology, multiple hubs serving a data center, active/passive
In this scenario, two hubs serve a data center. Only one hub is typically active, and the other is stand-by, in case the active hub becomes unavailable. This is an active/passive arrangement.
The data center LAN is not part of the Cisco Catalyst SD-WAN overlay network.
Figure 1. Data center, two hubs, active/passive
Scenario: Hub-and-spoke topology, multiple hubs serving a data center, active/active by VRF
In this scenario, two hubs serve a data center. The two hubs are both active, for traffic in one of the two VRFs. This is an active/active arrangement, segregated by VRF. The hub TGW1 is active for VRF1 and the hub TGW2 is active for VRF2. Both hubs can operate as stand-by for the other VRF.
The data center LAN is not part of the Cisco Catalyst SD-WAN overlay network.
Figure 1. Data center, two hubs, active/active, segregated by VRF
Scenario: Multi-region fabric, transport gateways serving subregions
Similarly to the border routers in the comprehensive example, transport gateways assign a derived affinity group (dag) to routes that they re-originate to other transport gateways. As described in the illustration:
When transport gateways re-originate routes, they assign derived affinity group (dag) values to the routes.
Routers choose a preferred route as follows:
Between edge routers and transport gateways: According to affinity group preference
Between transport gateways in different subregions: According to the lowest derived affinity group value
Figure 1. Multi-region fabric with transport gateways serving subregions
Similarly to the border routers in the comprehensive example, transport gateways assign a derived affinity group (dag) to routes that they re-originate to other transport gateways. This scenario is similar to the one described in Scenario: Multi-Region Fabric, Transport Gateways Serving Subregions, but with route leaking. As described in the illustration:
When transport gateways re-originate routes, they assign derived affinity group (DAG) values to those routes.
Routers select a preferred route in the following ways:
Between edge routers and transport gateways: They use affinity group preference.
Between transport gateways in different subregions: They choose the route with the lowest derived affinity group value.
In this scenario, a control policy on the Cisco SD-WAN Controllers leaks routes from VRF1 to VRF2 and from VRF2 to VRF1. This route leaking enables endpoints in different VRFs to communicate.
This route-leaking scenario clearly shows how transport gateways (or border routers) assign a derived affinity group (DAG) when they re-originate routes. The logic works subtly, but this example highlights it well.
Default behavior
In this example, the edge routers and transport gateway routers operate as follows:
ER11 subscribes only to VRF1 and advertises prefix P1 in VRF1.
ER21 subscribes only to VRF2 and advertises prefix P2 in VRF2.
All transport gateway routers handle traffic for both VRF1 and VRF2, so they re-originate both P1 (in VRF1) and P2 (in VRF2).
By default, the network enforces VRF isolation. When a device advertises routes in different VRFs, the Cisco SD-WAN Controllers filter those routes before sending them to other devices. A controller advertises a VRF x route only to devices that subscribe to VRF x.
Therefore, in this example:
ER11, which subscribes only to VRF1, does not receive P2 routes from VRF2.
ER21, which subscribes only to VRF2, does not receive P1 routes from VRF1.
As a result, VRF isolation blocks traffic between ER11 and ER21 because each router subscribes exclusively to a different VRF.
Route leaking
Route leaking allows devices to advertise routes across VRFs by exporting (“leaking”) a route from one VRF into another.
Source VRF: the route’s original VRF
Current VRF: the VRF into which the route was exported
When routers advertise exported routes, they track both the source VRF and the current VRF, preserving the background of each route. This tracking becomes important in the logic described later.
In this example, the following route-leaking policies apply:
An inbound control policy for ER11 instructs it to receive VRF1 routes and export them into VRF2.
Result: ER11 advertises prefix P1 in both VRF1 and VRF2 to its transport gateways, TGW11 and TGW12.
An inbound control policy for ER21 instructs it to receive VRF2 routes and export them into VRF1.
Result: ER21 advertises prefix P2 in both VRF2 and VRF1 to its transport gateways, TGW21 and TGW22.
As mentioned earlier, after leaking routes, devices continue to track each route’s source VRF and current VRF.
Calculating the derived affinity group (DAG)
A transport gateway device or a border router in a similar scenario assigns a derived affinity group (DAG) to any route it re-originates using the following logic:
If the originating router is configured with affinity group preference auto (see ER11 in the example), then the re-originating device (for example, TGW11) determines the dag according to its own (TGW11's) affinity group configuration, as follows:
For the leaked route, consider its source VRF and current VRF. Choose the numerically lower of the two values. Call this x.
Do one of the following:
If the re-originating device only has a system-level affinity group, not VRF-specific affinity groups, then:
Use the system-level affinity group number for the dag. Assign a dag of that number when re-originating the route.
If the re-originating device has a VRF-specific affinity group configured for VRF x described in step a, then:
Use this VRF-specific affinity group number for the dag. Assign a dag of this number when re-originating the route.
If the originating router is not configured with affinity group preference auto (see ER21 in the example), then the re-originating device (for example, TGW21) must consider the affinity preference order configured on the originating device when determining the dag for re-originated routes, as follows:
For the leaked route, consider its source VRF and current VRF. Choose the numerically lower of the two values. Call this x.
Do one of the following
If the re-originating device only has a system-level affinity group, not VRF-specific affinity groups, then:
Check the affinity group preference order of the originating device (see ER21). Determine the item number of where the system-level affinity group number occurs in the preference order (item 1, 2, 3, and so on, in the preference order list). Assign a dag of this item number when re-originating the route.
In the example of TGW21 and ER21, determine where affinity group 2 occurs in the preference order of ER21, which is (1, 2). It is item 2 in the list. So assign a dag of 2 when re-originating the route.
If the re-originating device has a VRF-specific affinity group configured for VRF x described in step a, then:
Using this VRF-specific affinity group, check the affinity group preference order of the originating device. Determine the item number of where the VRF-specific affinity group number occurs in the preference order (item 1, 2, 3, and so on, in the preference order list). Assign a dag of this item number when re-originating the route.
Hypothetically, in the example, if TGW21, in addition to having a system-level affinity group of 2, also had a VRF-specific affinity group of 1 for VRF1, then when TGW21 received from ER21 a P2 route leaked to VRF1, it would consider the preference order of the originating device (ER21). In this hypothetical example with a VRF-specific affinity group of 1, for a route received from ER21, it would check where affinity group 1 occurs in the preference order of ER21, which is (1, 2). It is item 1 in the list. So TGW2 would assign a dag of 1 when re-originating the route.
Example
In the scenario shown in the illustration, a route leaked from VRF2 to VRF1 has a source VRF value of 2 and a current VRF value of 1. When a transport gateway re-originates this route, it assigns a DAG based on the number 1, which is the lower of the two VRF numbers. For example, if TGW12 re-originates a route with a source VRF value of 1 and a current VRF value of 2, it chooses 1 because it is the lower of the two VRF numbers. It therefore calculates the DAG according to VRF1. TGW12 has a system-level affinity group of 1 and a VRF-specific affinity group of 2 for VRF1. Since it calculates the DAG according to VRF1, it assigns the re-originated route a DAG value of 2, taken from the VRF-specific affinity group.
In a hypothetical scenario, if TGW12 had a system-level affinity group of 5 and a VRF1-specific affinity group of 7, then for a route with source VRF 1 and current VRF 2, TGW12 would assign a DAG of 7, taken from the VRF-specific affinity group of 7 for VRF1.
Figure 1. Multi-region fabric with subregions, route leaking
