Multi-Region Fabric Management Region


Note


Cisco IOS XE Catalyst SD-WAN Release 17.15.1a and Cisco Catalyst SD-WAN Control Components Release 20.15.1 are the last releases to support these features:

  • Secondary regions

  • Subregions

  • Management regions

From Cisco IOS XE Catalyst SD-WAN Release 17.15.1a and Cisco Catalyst SD-WAN Control Components Release 20.15.1, configuration of secondary regions and subregions is possible only by API. Because later releases do not support these features, we advise you to update your network design and configuration to use alternative solutions where possible.


Table 1. Feature History

Feature Name: Management Region

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.3.1a; Cisco Catalyst SD-WAN Control Components Release 20.13.1

Feature Description: A management region is a specialized region that can span all access regions in a Multi-Region Fabric architecture. A management region enables hub-and-spoke connectivity between any router in the network and one or more management gateways. Connectivity between a router and a management gateway uses access region transport services. The connectivity does not use the core region transport service, even when the router and management gateway are in different access regions.

Information About Management Regions

Some organizations employ management gateways, which are devices that connect to all or a subset of the routers in a network, and provide a point of connectivity to another device or network. Management gateways carry only management traffic, not user data traffic.

Challenge

In a Multi-Region Fabric scenario, the separation of edge routers into separate access regions presents a connectivity challenge for management gateways. All edge routers in the network can, in fact, connect to a management gateway, regardless of its location. If the management gateway is in the same access region as the router, connectivity stays within that access region. If the management gateway is in a different access region, the router can reach it by connecting through the core region.

However, the transport service used for the core region may be a higher-cost premium service, employed to optimize network performance for performance-sensitive traffic. Traffic to the management gateway is not performance-sensitive, so it is helpful to be able to separate that management traffic from the core region pathways, and use a lower-cost transport service.

Management Region

To provide the routers in a Multi-Region Fabric network with connectivity to one or more management gateways, configure a management region. The management region provides an overlay that connects the various routers in the network to the management gateways. The connectivity between network routers and the management gateways follows a hub-and-spoke pattern, where each management gateway is a hub connecting to the various routers in the network as spokes. However, the management region overlay is separate from the access region overlay, so the use of hub-and-spoke connectivity within the management region has no bearing on the connectivity architecture of the rest of the network.

To use a management region, do the following:

  • Designate one or more Cisco SD-WAN Controllers to manage the management region.

  • On these Cisco SD-WAN Controllers, enable the management region.

  • On the management gateways, configure the management region and a VRF for management region traffic, and enable the devices as management gateways.

  • The management region uses a hidden region ID and does not consume a region ID from the user-configurable range (1 through 63).

  • On each device that connects to the management gateway, configure the management region and the VRF used for management region traffic.

Benefits of Management Regions

A management region provides easily configured hub-and-spoke connectivity between network routers and one or more management gateways, without requiring use of the core region.

Restrictions for Management Regions

  • A Cisco SD-WAN Controller that is managing an access region cannot also manage the management region. We recommend dedicating one or more Cisco SD-WAN Controllers to exclusively manage the management region. Alternatively, you can use one or more Cisco SD-WAN Controllers that are managing the core region.

  • You cannot configure a router to serve as a management gateway and also a transport gateway simultaneously.

  • Use the same VRF for the management region across all the devices, including the management gateways. This ensures that all management region traffic uses the same VRF, as required.

Configure a Management Region

Use the following workflow to configure a management region. The steps include links to the relevant procedures.

  1. As a planning step, designate one or more Cisco SD-WAN Controllers to manage the management region.


    Note


    We recommend dedicating one or more Cisco SD-WAN Controllers to exclusively manage the management region. As noted in Restrictions for Management Regions, you can use one or more Cisco SD-WAN Controllers that are managing the core region. A Cisco SD-WAN Controller that is managing an access region cannot also manage the management region.


  2. On the designated Cisco SD-WAN Controllers, enable the management region:

    Configure a Cisco SD-WAN Controller to Support a Management Region, Using CLI Commands

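  3. On each of the one or more management gateways, configure the management region, and assign a single VRF to use, using one of the following procedures:

    • Enable the Management Region for a Management Gateway, Using a Configuration Group

    • Enable the Management Region for a Management Gateway, Using CLI Commands

  4. On each device that connects to the management gateway, configure the management region, using one of the following procedures. If there are multiple management gateways, you can configure an order of preference among them.

    • Configure a Router to Support a Management Region, Using a Configuration Group

    • Configure a Router to Support a Management Region, Using CLI Commands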

Configure a Cisco SD-WAN Controller to Support a Management Region, Using CLI Commands

Configure a Cisco SD-WAN Controller to support a management region, using a CLI Profile in a configuration group or using a CLI template:

  1. Enter system configuration mode.

    system
  2. Enable support for a management region.

    management-region 

Example 1

The following sample configuration configures a Cisco SD-WAN Controller that is dedicated to managing the management region. Note that the example does not include configuration of a core region (region 0).

system
  host-name controller01
  system-ip 10.100.1.1
  site-id 100
  management-region
  no daemon-restart
  admin-tech-on-failure
  !

Example 2

The following sample configuration configures a Cisco SD-WAN Controller that is managing the core region, to also support a management region.

system
  host-name controller01
  system-ip 10.100.1.1
  site-id 100
  region 0
  management-region
  no daemon-restart
  admin-tech-on-failure
  !

Enable the Management Region for a Management Gateway, Using a Configuration Group

Before You Begin

Create a configuration group for Cisco IOS XE Catalyst SD-WAN devices. For information about creating configuration groups and applying them to devices, see the Using Configuration Groups section of Cisco Catalyst SD-WAN Configuration Groups, Cisco IOS XE Catalyst SD-WAN Release 17x.

Configure a Router to Support a Management Region

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

  2. Click the icon adjacent to a configuration group for a Cisco IOS XE Catalyst SD-WAN device and choose Edit.

  3. Open the System Profile section and add or edit the Multi Region Fabric feature.

  4. In the Advanced section, do the following:

    1. For the Management Region field, choose Global and enable the management region.

    2. For the Enable as Management Gateway field, choose Global and enable the device as a management gateway.

    3. For the Management VPN field, choose Global and enter a VRF to use for the management region traffic.


      Note


      Configure the same VRF number on the management gateway and on the routers in the network that communicate with the management gateway. This ensures that all management region traffic uses the same VRF, as required.


  5. Click Save.

Enable the Management Region for a Management Gateway, Using CLI Commands

Enable the management region for a management gateway, using a CLI Profile in a configuration group or using a CLI template:

  1. Enter system configuration mode.

    system
  2. Enter the access region ID in which the management gateway is located.

    region region-id
  3. Configure the region as a management region and configure the VRF to use exclusively for management region traffic.

    Configure the same VRF number on the management gateway and on the routers in the network. Use this VRF only for management region traffic, not for any other network traffic.


    Note


    After you enable the use of a management region with a specific VRF, OMP sends only the management VRF routes into the management region; it does not send routes of other VRFs to the management region.


    management-region
    vrf vrf-id
  4. Enable the management-gateway functionality for the router.

    management-gateway enable

Example 1

The following sample configuration enables the management region for a management gateway, configures access region 5 (meaning that the device is located in access region 5), and designates VRF 3 for the management traffic.

Configuring an affinity group number is optional, but when you are configuring a router in the network, you can configure a preference order among multiple management gateways, according to their affinity group numbers. This configuration assigns a system-level affinity group number of 1.

system
  system-ip 10.1.1.1
  domain-id 1
  site-id 100
  region 5
    management-region
      vrf 3
      !
    !
  !
management-gateway enable
affinity-group affinity-group-number 1

Example 2

The following sample configuration enables the management region for a management gateway, configures access region 5 (meaning that the device is located in access region 5), and designates VRF 3 for the management traffic.

Configuring an affinity group number is optional, but when you are configuring a router in the network, you can configure a preference order among multiple management gateways, according to their affinity group numbers. This configuration assigns a system-level affinity group number of 1, and an affinity group number of 2 specifically for VRF 3 traffic.

system
  system-ip 10.1.1.1
  domain-id 1
  site-id 100
  region 5
    management-region
      vrf 3
      !
    !
  !
management-gateway enable
affinity-group affinity-group-number 1
affinity-per-vrf 2
  vrf-range 3

Configure a Router to Support a Management Region, Using a Configuration Group

Before You Begin

Create a configuration group for Cisco IOS XE Catalyst SD-WAN devices. For information about creating configuration groups and applying them to devices, see the Using Configuration Groups section of Cisco Catalyst SD-WAN Configuration Groups, Cisco IOS XE Catalyst SD-WAN Release 17x.

Configure a Router to Support a Management Region

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

  2. Click the icon adjacent to a configuration group for a Cisco IOS XE Catalyst SD-WAN device and choose Edit.

  3. In the System Profile, add or edit the Multi Region Fabric feature.

  4. In the Advanced section, do the following:

    1. For the Management Region field, choose Global and enable the management region.

    2. For the Management VPN field, choose Global and enter a VRF to use for the management region traffic.


      Note


      Configure the same VRF number on the management gateway and on the routers in the network that communicate with the management gateway.



      Note


      You can also choose Device Specific and provide a variable to define at the time of deployment.


  5. (Optional) Enter affinity group numbers, separated by commas with no spaces, to configure a preference order among management gateways, according to the affinity group number of the management gateways.

    Maximum number of preference numbers: 12


    Note


    To enable use of a preference order, configure an affinity group number on each management gateway.


  6. Click Save.

Configure a Router to Support a Management Region, Using CLI Commands

Configure a router to support a management region, using a CLI Profile in a configuration group or using a CLI template:

  1. Enter system configuration mode.

    system
  2. Enter the access region number of the region where the device is located.

    region region-id
  3. Configure the region as a management region and configure the VRF to use for management region traffic. Configure the same VRF number on the management gateway and on the routers in the network.

    management-region
    vrf vrf-id

Example

The following sample configuration configures a border router to use the management region, using VRF 3 for management traffic.

system
  system-ip 10.1.1.2
  domain-id 1
  site-id 100
  region 1
    management-region
      vrf 3
      !
    !
  !
role border-router
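
A pre-deployment check of the rules in Restrictions for Management Regions, run over device configurations written in the layout of the examples above. This is an added example, not Cisco code: the hostnames, the role labels `controller` and `edge`, and the sample faults are constructed, and it assumes that a controller serving an access region carries a non-zero `region` line and that a transport gateway is marked by `transport-gateway enable`, a command this page does not show.

```python
import re

def mgmt_facts(cfg):
    """Pull the management-region settings out of one device's configuration text."""
    lines = [l.strip() for l in cfg.splitlines()]
    vrf = None
    for i, line in enumerate(lines[:-1]):
        m = re.fullmatch(r"vrf (\d+)", lines[i + 1])
        if line == "management-region" and m:  # on routers the VRF follows directly
            vrf = int(m.group(1))
    return {
        "regions": [int(r.group(1)) for l in lines if (r := re.fullmatch(r"region (\d+)", l))],
        "mgmt_region": "management-region" in lines,
        "vrf": vrf,
        "mgmt_gw": "management-gateway enable" in lines,
        "transport_gw": "transport-gateway enable" in lines,
    }

def audit(inventory):
    """inventory: name -> (role, config text). Returns a list of restriction violations."""
    findings, vrfs = [], {}
    for name, (role, cfg) in sorted(inventory.items()):
        f = mgmt_facts(cfg)
        if not f["mgmt_region"]:
            continue
        if role == "controller":
            if any(r != 0 for r in f["regions"]):
                findings.append(f"{name}: controller manages an access region and the management region")
            continue
        if f["vrf"] is None:
            findings.append(f"{name}: management-region without a vrf")
        else:
            vrfs[name] = f["vrf"]
        if f["mgmt_gw"] and f["transport_gw"]:
            findings.append(f"{name}: management gateway is also a transport gateway")
    if len(set(vrfs.values())) > 1:  # every device must use the same management VRF
        findings.append(f"management VRF differs across devices: {vrfs}")
    return findings

# Constructed inventory; three of the four devices break a restriction on purpose.
INVENTORY = {
    "ctrl-core": ("controller", "system\n  region 0\n  management-region\n"),
    "ctrl-acc": ("controller", "system\n  region 1\n  management-region\n"),
    "mgw01": ("edge", "system\n  region 5\n    management-region\n      vrf 3\n"
                      "management-gateway enable\ntransport-gateway enable\n"),
    "edge07": ("edge", "system\n  region 1\n    management-region\n      vrf 4\n"),
}
```

Calling `audit(INVENTORY)` reports the access-region controller, the router that is both gateway types, and the VRF mismatch between `mgw01` and `edge07`.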

Verify the Management Region Configuration

Use the show sdwan omp summary command to view the details of the management region configuration.

Example

Device#show sdwan omp summary
…
region-id                       1,0,Mgmt
management-gateway              disabled
management-region               enabled
management-region-vpn           3
management-gateway-preference   52
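
To run this verification across many devices, the output above can be parsed and compared with the intended design. This is an added example, not Cisco tooling: the function names are hypothetical, and it assumes that `Mgmt` appears in `region-id` whenever the management region is active and that a management gateway reports `enabled`, neither of which the page states beyond the single sample shown.

```python
import re

# Constructed sample: the prompt line and fields from the page's example output.
SAMPLE = """\
Device#show sdwan omp summary
region-id                       1,0,Mgmt
management-gateway              disabled
management-region               enabled
management-region-vpn           3
management-gateway-preference   52
"""

def parse_summary(text):
    """Turn 'key   value' lines into a dict; the prompt and other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+)\s+(\S.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_mgmt_region(text, vrf, is_gateway):
    """Return the mismatches between a device's reported state and the design."""
    f, problems = parse_summary(text), []
    if f.get("management-region") != "enabled":
        problems.append("management-region is not enabled")
    if "Mgmt" not in f.get("region-id", "").split(","):
        problems.append("region-id does not list Mgmt")
    if f.get("management-region-vpn") != str(vrf):
        problems.append(f"management-region-vpn is {f.get('management-region-vpn')}, expected {vrf}")
    want = "enabled" if is_gateway else "disabled"  # 'enabled' is an assumed value
    if f.get("management-gateway") != want:
        problems.append(f"management-gateway is {f.get('management-gateway')}, expected {want}")
    return problems
```

An empty list from `check_mgmt_region(SAMPLE, 3, False)` means the router matches the design; output from a device that lacks these fields returns every check as a mismatch instead of passing silently.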