Configure TLOC Extension Using vManage Feature Template

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.5 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.3 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 11, 2024
Document ID:220614

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure TLOC Extension using vManage feature template.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Use of vManage Feature Template
    • Two (2) vEdge devices must be successfully onboarded on vManage

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco vManage version 20.6.3
    • vEdge 20.6.3

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Network Diagram

    Network TopologyNetwork Topology

    Configurations

    This document assumes you already have the rest of the feature templates configured. The same feature template workflow applies for Cisco IOS® XE SD-WAN devices.

    Create a total of 4 feature templates to apply to vEdge device template.

    VPN Feature Template

    This feature template includes VPN 0, VPN Interface Ethernet (Primary WAN connection), VPN Interface Ethernet (Tunnel/NoTlocExt), and VPN Interface Ethernet (TlocExt/NoTunnel):

    VPN Feature TemplatesVPN Feature Templates

    Steps to create Feature Templates:

    1. VPN 0: Select the specific device value for Transport VPN in basic configuration section and add DNS server address in DNS section:

    VPN 0 Feature Template Basic ConfigurationVPN 0 Feature Template Basic Configuration

    Add a prefix with specific device values for 2 next hop address (Primary WAN & TLOC-EXT) in IPv4 route section:

    VPN 0 Feature Template IPv4 RouteVPN 0 Feature Template IPv4 Route

    VPN 0 Feature Template IPv4 Route Next HopVPN 0 Feature Template IPv4 Route Next Hop

    2. VPN Interface Ethernet (Primary WAN Connection): Ensure interface is in no shutdown state. Select specific device values for interface name, description, and IP address:

    Primary WAN Interface Feature Template Basic ConfigurationPrimary WAN Interface Feature Template Basic Configuration

    Ensure Tunnel interface is set to ON. Select the specific device value for Primary WAN Color:

    VPN 0 Feature Template Tunnel InterfaceVPN 0 Feature Template Tunnel Interface

    Ensure NAT is set to ON for public WAN interface:

    VPN 0 Interface Template NATVPN 0 Interface Template NAT

    3. VPN Interface Ethernet (TLOC-EXT/NO Tunnel Interface): Make sure TLOC-Ext interface is in no shutdown state. Select the specific device values for interface, description, and IP address. Ensure Tunnel interface is set to Off:

    TLOC-EXT/NO Tunnel Interface Basic configurationTLOC-EXT/NO Tunnel Interface Basic configuration

    Add TLOC-Ext interface in Advanced Section:

    TLOC-Ext interfaceTLOC-Ext interface

    4. VPN Interface Ethernet (Tunnel Interface/No Tloc-ext): Ensure interface is in no shutdown state. Select the specific device values for interface, description, and IP address:

    Tunnel Interface/No Tloc-ext Basic configurationTunnel Interface/No Tloc-ext Basic configuration

    Ensure tunnel interface is set to ON. Select the specific device value for Tloc-Ext color:

    Tunnel InterfaceTunnel Interface

    Device Template

    Steps to create the device template:

    1. Create the device template from feature template:

    Device Template from Feature TemplateDevice template from Feature Template

    2. Populate all the required feature templates:

    Device Template Details with Feature Templates basic configurationDevice Template details with feature templates basic configuration

    Device Template Details with Feature Templates Transport and ManagementDevice Template details with feature templates Transport and Management

    3. Attach both devices to the device template:

    Attach Devices to TemplatesAttach devices to templates

    4. Move both devices from available devices to selected devices tab:

    Move Devices from Available to SelectedMove devices from available to selected

    5. Enter all the required details for both devices:

    Site35_vEdge1

    Update Values 1Update values 1

    Site35_vEdge2

    Update Values 2Update values 2

    6. Verify the values selected are intended for these devices:

    Site35_vEdge1

    Configuration Preview 1Configuration preview 1

    Site35_vEdge2

    Configuration Preview 2Configuration preview 2

    6. Finally, push these configuration to the device:

    Confirm ConfigurationConfim configuration

    The next output captures the running configuration for vpn 0 once template is pushed successfully:

     Site35_vEdge1

    Site35_vEdge1# show run vpn 0
    vpn 0
    interface ge0/0
    ip address 10.201.237.120/24
    ipv6 dhcp-client
    nat
    !
    tunnel-interface
    encapsulation ipsec
    color private1
    max-control-connections 1
    no allow-service bgp
    allow-service dhcp
    allow-service dns
    allow-service icmp
    allow-service sshd
    no allow-service netconf
    no allow-service ntp
    no allow-service ospf
    no allow-service stun
    allow-service https
    !
    no shutdown
    !
    interface ge0/1
    description TunnelInterface_NoTLOCExt
    ip address 192.168.30.4/24
    tunnel-interface
    encapsulation ipsec
    color private2
    max-control-connections 1
    no allow-service bgp
    allow-service dhcp
    allow-service dns
    allow-service icmp
    no allow-service sshd
    no allow-service netconf
    no allow-service ntp
    no allow-service ospf
    no allow-service stun
    allow-service https
    !
    no shutdown
    !
    interface ge0/2
    description TLOC_NoTunnelInterface
    ip address 192.168.40.4/24
    tloc-extension ge0/0
    no shutdown
    !

    ip route 0.0.0.0/0 10.201.237.1
    ip route 0.0.0.0/0 192.168.30.5
    !
    Site35_vEdge1#

    Site35_vEdge2

    Site35_vEdge2# 
    Site35_vEdge2# 
    Site35_vEdge2# 
    Site35_vEdge2# sh run vpn 0
    vpn 0
    interface ge0/0
    ip address 10.201.237.66/24
    ipv6 dhcp-client
    nat
    !
    tunnel-interface
    encapsulation ipsec
    color private2
    max-control-connections 1
    no allow-service bgp
    allow-service dhcp
    allow-service dns
    allow-service icmp
    allow-service sshd
    no allow-service netconf
    no allow-service ntp
    no allow-service ospf
    no allow-service stun
    allow-service https
    !
    no shutdown
    !
    interface ge0/1
    description TLOC_NoTunnelInterface
    ip address 192.168.30.5/24
    tloc-extension ge0/0
    no shutdown
    !
    interface ge0/2
    description TunnelInterface_NoTLOCExt
    ip address 192.168.40.5/24
    tunnel-interface
    encapsulation ipsec
    color private1
    max-control-connections 1
    no allow-service bgp
    allow-service dhcp
    allow-service dns
    allow-service icmp
    no allow-service sshd
    no allow-service netconf
    no allow-service ntp
    no allow-service ospf
    no allow-service stun
    allow-service https
    !
    no shutdown
    !
    ip route 0.0.0.0/0 10.201.237.1
    ip route 0.0.0.0/0 192.168.40.4
    !
    Site35_vEdge2#

    Verification

    1. The template is successfully attached to both devices:

    Template Push SuccessTemplate push success

    2. Control connection is up via Primary WAN and TLOC-Ext Interface:

    Control Connection Verification 1Control connection verification 1

    Control Connection Verification 2Control connection verification 2

    Use Cases

    Depending on local site design, TLOC Extension can also be implemented using L2 or L3 TLOC Extension. 

    1. L2 TLOC Extension: These extensions are in same broadcast domain or in same subnet.

    2. L3 TLOC Extension: These extensions are separated by a L3 device and can run any routing protocol (is only supported on Cisco IOSXE SD-WAN devices)

    note-icon

    Note: See the TLOC Extension section in the WAN Edge Deployment chapter of Cisco SD-WAN Design Guide.

    Limitations

    ●  TLOC and TLOC extension interfaces are supported only on L3 routed interfaces. L2 switchports/SVIs cannot be used as WAN/Tunnel interfaces and can only be used on the service side.

    ●  LTE also is not used as a TLOC extension interface between WAN Edge routers.

    ●  L3 TLOC extension is only supported on Cisco IOSXE SD-WAN routers and they are not supported on vEdge routers.

    ●  TLOC extension does not work on transport interfaces which are bound to loopback tunnel interfaces.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    11-Sep-2024
    Alt text, formatting, grammar
    1.0
    24-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jay Sumedh Kharwadkar
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products