Configure core routing protocols (OSPF, BGP, and EIGRP) on Catalyst 8000 platforms operating in SD-WAN mode.
Explain the distinction between service-side and transport-side routing, and how each maps to the underlay and overlay.
Describe WAN transport options including MPLS, public internet, and cellular/5G, and how each is represented as a TLOC.
Configure VRF-based segmentation using service VPNs, and reason about inter-VRF routing and route leaking.
A Catalyst 8000 edge router sits at the boundary between a branch LAN and one or more wide-area transports. To do that job it speaks two routing "languages" at once: traditional protocols toward LAN switches and provider routers, and the Overlay Management Protocol (OMP) toward the rest of the SD-WAN fabric. Think of the router as a multilingual translator at an international airport: the underlay protocols (BGP, OSPF, static routes) are the local language, while OMP is the universal language between airports. Translate too freely and you get chaos (routing loops); translate too little and travelers get stranded (unreachable subnets).
Pre-Quiz: Routing Protocols
1. On a Catalyst 8000 in SD-WAN mode, where are BGP, OSPF, and EIGRP processes configured?
In the global routing table, then mapped to VPNsInside service VPNs, scoped to each VRF's tableOnly inside VPN 0, the transport VPNInside VPN 512, the management VPN
2. A show bgp vpn 10 summary reports the neighbor as Estab, but no LAN prefixes are reaching the peer. What is the most likely cause?
The transport tunnels to vSmart are downRedistribution is missing, so LAN routes never entered BGPThe BGP router-id collides with OMPVPN 10 has not been assigned a VRF name
3. A branch LAN subnet is OSPF-learned and appears in show ip route vpn 10, but remote sites cannot see it. Only advertise connected is enabled under OMP. What fixes it?
Enable advertise ospf under OMP for VPN 10Add a static route in VPN 0Re-establish the BGP session to the PEMove the OSPF process into the global table
4. Why must you explicitly configure redistribute omp in a service VPN's OSPF or BGP process?
OMP routes are encrypted and need decoding firstOverlay (OMP) routes are not automatically pushed into local IGP/BGPIt activates the OMP control connection to vSmartIt is required to bring the tunnel interface up
5. Why is redistributing OMP into both OSPF and BGP at the same site discouraged without tags and filters?
It doubles the OMP control-plane load on vSmartAn overlay route can be re-injected back into the overlay, forming a loopBGP and OSPF cannot coexist in one VRFIt disables graceful restart on OMP
Routing Protocols
Key Points
In SD-WAN mode everything is organized around VPNs: VPN 0 is the transport underlay, VPN 512 is management, and VPN 1–511 are service VPNs where user traffic lives.
BGP, OSPF, and EIGRP are configured inside service VPNs, never the global table; each process draws from that VRF's routing table.
An "up" BGP session is necessary but not sufficient — without redistribution or neighbor activation the table can be empty. Always verify the prefix table, not just the session state.
OMP advertises connected/static/OSPF/BGP routes into the overlay only for the route types you explicitly advertise.
OMP routes reach the LAN only when you explicitly redistribute omp; doing so into two protocols at once invites loops, so pick a single direction of trust and tag routes.
The Catalyst 8000 organizes everything around VPNs, the SD-WAN term for separate routing instances. There are three roles: VPN 0 is the transport underlay, VPN 512 is management, and VPN 1 through 511 (and beyond) are service VPNs where customer traffic lives. The critical rule is that BGP, OSPF, and EIGRP are configured inside service VPNs, not in the global table. Each protocol process is scoped to a VPN/VRF and uses that VRF's routing table.
Throughout this section we use one worked scenario: a branch WAN Edge where service VPN 10 is the user LAN VRF. Interface GigabitEthernet0/0/1 lives in VPN 10 and faces a LAN switch running OSPF area 0, and the same VPN runs BGP toward an MPLS PE or data-center router (local AS 65010, neighbor 192.0.2.2 in AS 65000).
BGP on the edge
BGP (Border Gateway Protocol) is the path-vector protocol that exchanges routing information between autonomous systems. On a Catalyst 8000, BGP is most commonly used in a service VPN to peer with an MPLS provider edge (PE) router or a data-center core, while OMP carries routes between SD-WAN sites. BGP is configured per VPN (vpn 10) so it draws from that VRF's table. Inside the IPv4 address family you must explicitly activate the neighbor and configure redistribution if you want LAN prefixes advertised — without redistribute connected or redistribute ospf, the session can be established yet carry no prefixes.
That last point is the single most common BGP gotcha on these platforms. A show bgp vpn 10 summary reporting Estab looks healthy, but show bgp vpn 10 ipv4 unicast may show an empty table. Usual causes: missing redistribution, the neighbor not activated under the IPv4 AF, or an outbound route-policy filtering everything. An "up" BGP session is necessary but not sufficient.
BGP can also run on the transport side in VPN 0, peering with an ISP or MPLS provider to bring up the underlay. When it does, it uses far more restrictive advertisement, because you do not want raw transport routes leaking into the overlay.
OSPF and EIGRP service-side
OSPF (Open Shortest Path First) is a link-state IGP commonly run on the service side toward the branch LAN. The OSPF process is scoped to the service VPN. Two SD-WAN-specific habits: interfaces are attached to an area directly (the area 0 / interface block) rather than with the classic network statement, and because templates often default LAN interfaces to passive, you must explicitly passive-interface disable on any interface where you expect an adjacency.
EIGRP (Enhanced Interior Gateway Routing Protocol) is Cisco's advanced distance-vector IGP. Like OSPF and BGP, on a Catalyst 8000 in SD-WAN mode it is configured within a service VPN/VRF and reaches other sites only via OMP redistribution. The takeaway is structural: any service-side IGP lives inside its service VPN and reaches other sites only through OMP, exactly as OSPF does.
Protocol
Type
Typical service-side use
Scoped to
BGP
Path-vector
Peering with MPLS PE / DC core
Service VPN (or VPN 0 for underlay)
OSPF
Link-state
LAN/IGP toward branch core switch
Service VPN
EIGRP
Advanced distance-vector
Cisco LAN environments (less commonly templated)
Service VPN
Route redistribution with OMP
OMP (Overlay Management Protocol) runs between WAN Edges and the vSmart controller — the "universal airport language." OMP advertises connected, static, OSPF, BGP (and EIGRP) routes from service VPNs into the overlay, but only for the route types you explicitly enable. If a LAN subnet is OSPF-learned but only advertise connected is enabled, OMP never pushes that prefix into the overlay, and remote sites will not see the branch LAN — even though it appears in show ip route vpn 10. The fix is to enable advertise ospf specifically.
A LAN prefix (10.10.10.0/24) is learned service-side via OSPF into the VPN 10 VRF, then redistributed into the OMP overlay with advertise ospf — that is how remote sites learn it. The dim lower track is the transport side (VPN 0): it only provides reachability to controllers and TLOCs over plain IP, carrying encrypted packets with no awareness of VPNs or OMP.
The mirror-image problem is getting overlay routes back into the LAN. OMP routes are not automatically redistributed into local OSPF/BGP — you must explicitly configure redistribute omp per VPN. Here is where the translator must be disciplined: do not blindly redistribute OMP into both OSPF and BGP at the same site without route tags and filters. Doing so can re-inject an overlay route back into the overlay through the other protocol, creating a routing loop. The recommended discipline is to pick a single "direction of trust" per site and tag redistributed routes so they cannot loop back in. A common, low-risk pattern is to redistribute OMP into only one protocol toward the LAN (often OSPF) and keep BGP restricted to the PE/DC side.
Left: redistributing OMP into both OSPF and BGP lets each re-advertise the route back into OMP — the red dashed path is the resulting routing loop. Right: a single direction of trust (OMP → OSPF toward the LAN, with tags), while BGP stays pointed at the PE/DC and is never redistributed back. Tags stop the route from looping into the overlay.
In production you generally build vManage feature templates — a VPN template, interface template, OSPF template, BGP template, and OMP template — and attach them to a device template. The OSPF and BGP templates expose the same redistribution choices (including "Redistribute OMP" with metric/metric-type), and the OMP template exposes the per-VPN advertise checkboxes. The behavior is identical to the CLI; it is simply stored centrally and pushed consistently.
Figure 6.1: Route redistribution between service-side protocols and OMP
flowchart LR
LAN["Branch LAN switch OSPF area 0"] -->|OSPF routes| VRF["Service VPN 10 VRF (RIB/FIB)"]
PE["MPLS PE / DC core AS 65000"] -->|BGP routes| VRF
VRF -->|"advertise ospf / bgp"| OMP["OMP into overlay (to vSmart)"]
OMP -->|"redistribute omp"| VRF
OMP -->|vRoutes| REMOTE["Remote SD-WAN sites"]
Figure 6.2: Redistribution loop hazard versus a single direction of trust
flowchart TD
subgraph LOOP["Hazard: OMP redistributed into both protocols"]
OMP1["OMP overlay route"] --> OSPF1["OSPF (VPN 10)"]
OMP1 --> BGP1["BGP (VPN 10)"]
OSPF1 -->|"advertise ospf"| REINJECT["Re-injected into OMP"]
BGP1 -->|"advertise bgp"| REINJECT
REINJECT -->|routing loop| OMP1
end
subgraph SAFE["Discipline: one direction of trust"]
OMP2["OMP overlay route"] -->|"redistribute omp (tagged)"| OSPF2["OSPF toward LAN"]
BGP2["BGP toward PE/DC only"] -.->|"not redistributed back"| OMP2
end
Key Takeaway: BGP, OSPF, and EIGRP all run inside service VPNs, never the global table. OMP carries routes between sites, but only the route types you explicitly advertise, and OMP routes reach the LAN only when you explicitly redistribute omp. Redistributing OMP into two protocols at one site invites loops — pick one direction of trust and use route tags.
Post-Quiz: Routing Protocols
1. On a Catalyst 8000 in SD-WAN mode, where are BGP, OSPF, and EIGRP processes configured?
In the global routing table, then mapped to VPNsInside service VPNs, scoped to each VRF's tableOnly inside VPN 0, the transport VPNInside VPN 512, the management VPN
2. A show bgp vpn 10 summary reports the neighbor as Estab, but no LAN prefixes are reaching the peer. What is the most likely cause?
The transport tunnels to vSmart are downRedistribution is missing, so LAN routes never entered BGPThe BGP router-id collides with OMPVPN 10 has not been assigned a VRF name
3. A branch LAN subnet is OSPF-learned and appears in show ip route vpn 10, but remote sites cannot see it. Only advertise connected is enabled under OMP. What fixes it?
Enable advertise ospf under OMP for VPN 10Add a static route in VPN 0Re-establish the BGP session to the PEMove the OSPF process into the global table
4. Why must you explicitly configure redistribute omp in a service VPN's OSPF or BGP process?
OMP routes are encrypted and need decoding firstOverlay (OMP) routes are not automatically pushed into local IGP/BGPIt activates the OMP control connection to vSmartIt is required to bring the tunnel interface up
5. Why is redistributing OMP into both OSPF and BGP at the same site discouraged without tags and filters?
It doubles the OMP control-plane load on vSmartAn overlay route can be re-injected back into the overlay, forming a loopBGP and OSPF cannot coexist in one VRFIt disables graceful restart on OMP
Pre-Quiz: Transport Options
1. What question does transport-side routing (VPN 0) answer?
How user VPNs at different sites reach each otherHow the WAN Edge reaches the internet/MPLS and controllers so tunnels can formWhich inter-VRF leaks are permittedHow OMP advertises service prefixes between sites
2. The LAN looks healthy but the WAN Edge's control connections to the controllers never come up. Where should you look first?
VPN 0 underlay routing (default route, BGP, next-hop)The OSPF area assignment in the service VPNThe inter-VRF route-leaking policyThe VPN 512 management ACLs
3. How does cellular/5G connectivity appear to the SD-WAN overlay?
As a special protocol that bypasses OMPAs just another TLOC with its own color (e.g., lte)As a service VPN with its own VRFAs a global-table static route
4. What exactly is advertised into the overlay for a WAN-facing interface?
The raw VPN 0 routes and the ISP default routeOnly the TLOC: system-IP + color + encapsulationThe full underlay BGP tableThe interface MAC address and ARP cache
5. In TLOC extension, which VRF must the extension link reside in?
A dedicated service VPN for transport sharingVPN 0, the same VRF as the original TLOCVPN 512, the management VPNWhichever service VPN carries the user traffic
Transport Options
Key Points
Transport-side routing lives in VPN 0 (the underlay) and answers "how does this WAN Edge reach the internet/MPLS and controllers so tunnels can form?"
Service-side routing lives in service VPNs (the overlay) and answers "once tunnels exist, how do user VPNs at different sites reach each other?"
The underlay uses ordinary IP routing, has no awareness of SD-WAN VPNs or OMP, and sees only encrypted packets between transport IPs.
MPLS, public internet, and cellular/5G are each just a TLOC color; only TLOCs (system-IP + color + encapsulation) are advertised into the overlay, never raw VPN 0 routes.
TLOC extension lets one router borrow another's circuits over an intra-site link, but that link must stay strictly inside VPN 0.
Routing protocols decide what to advertise; transports decide how the bits physically move. The Catalyst 8000 separates two routing problems beginners often conflate. Transport-side routing lives in VPN 0 and answers: "How does this WAN Edge reach the internet/MPLS and the controllers so tunnels can form?" Service-side routing lives in the service VPNs and answers: "Once tunnels exist, how do user VPNs at different sites reach each other?"
This maps onto two more terms. The underlay is the physical IP network carrying the SD-WAN tunnels — internet, MPLS, LTE. It uses ordinary IP routing and has no awareness of SD-WAN VPNs or OMP; it sees only encrypted IP packets between transport addresses. The overlay is the logical fabric on top, carrying OMP control traffic and segmented user data. In short: underlay ≈ transport-side (VPN 0); overlay ≈ service-side plus OMP control.
Figure 6.3: Underlay (transport-side, VPN 0) versus overlay (service-side plus OMP)
flowchart LR
subgraph OVERLAY["Overlay (service-side + OMP)"]
SVPN_A["Site A: VPN 10 users"] -. "OMP / segmented data" .- SVPN_B["Site B: VPN 10 users"]
end
subgraph UNDERLAY["Underlay (transport-side, VPN 0)"]
EDGE_A["WAN Edge A VPN 0 transport IP"] -->|encrypted IPsec/GRE| NET["Internet / MPLS / LTE (plain IP routing)"]
NET --> EDGE_B["WAN Edge B VPN 0 transport IP"]
end
SVPN_A --- EDGE_A
SVPN_B --- EDGE_B
A common branch pattern places each WAN circuit in VPN 0: Gig0/0/0 to the internet (color public-internet, often DHCP + ISP default route), and Gig0/0/1 to the MPLS PE (color mpls, often running BGP with the provider). The router installs the internet default and BGP-learned MPLS prefixes in VPN 0 only. With that reachability it reaches the controllers (vBond, vSmart, vManage), brings up DTLS/TLS control connections, and builds IPsec/GRE data tunnels. If VPN 0 routing is wrong, the tunnels and controllers never come up, and the service VPNs see no OMP routes even though the LAN looks fine.
The classic transport-side mistakes all stem from putting things in the wrong VPN: the ISP default route in a service VPN instead of VPN 0, forgetting NAT on an internet-facing VPN 0 interface, or using one physical interface in both VPN 0 and a service VPN. Each can break the control and data tunnels while LAN routing appears healthy — which is exactly why the underlay/overlay split is such a powerful troubleshooting lens.
Cellular and 5G connectivity
The underlay does not have to be wired. WAN transport options include MPLS, public internet, and cellular/LTE/5G, each surfaced into the overlay as a TLOC with its own color. A cellular interface in VPN 0 behaves like any other underlay link: it obtains IP connectivity from the carrier and is assigned a color such as lte, so the overlay can build tunnels across it and prefer or avoid it via policy. This makes cellular/5G attractive both as a primary transport where wired circuits are impractical and as a resilient backup. From the overlay's perspective the cellular path is just another TLOC color competing for traffic.
Loopback TLOCs and TLOC extension
A TLOC (Transport Location) is the unique identity of a WAN attachment point: the tuple of system-IP, color, and encapsulation (ipsec or gre). Every WAN-facing VPN 0 interface participating in SD-WAN becomes a TLOC, and only the TLOCs — not the raw VPN 0 routes — are advertised into the overlay. OMP's overlay routes (vRoutes) point at TLOCs as next-hops rather than at raw IP next-hops. Other airports learn the gates (TLOCs) you can be reached through, not your internal taxiway map (the underlay routes).
In dual-router or dual-transport designs, TLOC extension lets one router "borrow" another router's transport circuits over an intra-site link. The canonical scenario: Router A owns two underlay circuits (MPLS and Internet); Router B has only a LAN link to Router A. TLOC extension lets Router B's overlay traffic exit through Router A's TLOCs, so both routers share the transports without each needing its own physical circuit.
Router B has no WAN circuits of its own. Over the TLOC-extension link (which lives strictly in VPN 0), its overlay traffic crosses to Router A and exits through Router A's borrowed TLOCs — the Internet (public-internet) and MPLS (mpls) circuits. Both routers share the transports without duplicate physical links.
The non-negotiable rule: the TLOC extension link must live in VPN 0 (the same VRF as the original TLOC) and must not carry service VPN user traffic. Placing a TLOC-extension interface into a user service VRF mixes transport and user data and creates hard-to-debug routing overlaps. Keep these links on dedicated VPN 0 subinterfaces or VLANs.
Figure 6.4: TLOC extension sharing transport circuits between two routers
flowchart LR
INET["Internet (color: public-internet)"]
MPLS["MPLS PE (color: mpls)"]
RA["Router A owns both TLOCs (VPN 0)"]
RB["Router B no direct circuits"]
INET --- RA
MPLS --- RA
RB -->|"TLOC-extension link (VPN 0 only)"| RA
RA -->|"borrowed TLOCs"| INET
RA -->|"borrowed TLOCs"| MPLS
This split gives a sharp troubleshooting heuristic: if you see TLOC loss alarms, suspect a transport-side issue in VPN 0 (underlay reachability, or a color/tunnel misconfiguration). If TLOCs are up but applications are unreachable, the problem is on the service side — OMP, VPN IDs, or LAN routing.
Key Takeaway: Transport-side routing (VPN 0, the underlay) brings up tunnels to controllers and remote TLOCs; service-side routing (service VPNs, the overlay) connects users across sites. Only TLOCs — system-IP + color + encapsulation — are advertised into the overlay; the underlay sees only encrypted packets. MPLS, internet, and cellular/5G are each just a TLOC color, and TLOC extension shares circuits but must stay strictly inside VPN 0.
Post-Quiz: Transport Options
1. What question does transport-side routing (VPN 0) answer?
How user VPNs at different sites reach each otherHow the WAN Edge reaches the internet/MPLS and controllers so tunnels can formWhich inter-VRF leaks are permittedHow OMP advertises service prefixes between sites
2. The LAN looks healthy but the WAN Edge's control connections to the controllers never come up. Where should you look first?
VPN 0 underlay routing (default route, BGP, next-hop)The OSPF area assignment in the service VPNThe inter-VRF route-leaking policyThe VPN 512 management ACLs
3. How does cellular/5G connectivity appear to the SD-WAN overlay?
As a special protocol that bypasses OMPAs just another TLOC with its own color (e.g., lte)As a service VPN with its own VRFAs a global-table static route
4. What exactly is advertised into the overlay for a WAN-facing interface?
The raw VPN 0 routes and the ISP default routeOnly the TLOC: system-IP + color + encapsulationThe full underlay BGP tableThe interface MAC address and ARP cache
5. In TLOC extension, which VRF must the extension link reside in?
A dedicated service VPN for transport sharingVPN 0, the same VRF as the original TLOCVPN 512, the management VPNWhichever service VPN carries the user traffic
Pre-Quiz: VRFs and Segmentation
1. On IOS-XE SD-WAN, what is the relationship between a service VPN and a VRF?
A VPN spans many VRFs for redundancyEach service VPN is implemented as a separate VRF (VPN = VRF)VRFs exist only in VPN 0; service VPNs have noneA VRF is a vSmart-only construct with no device equivalent
2. Why can two different service VPNs reuse the same overlapping IP range?
OMP performs NAT on overlapping prefixesEach VRF has its own table and OMP tags every route with its VPN IDVPN 0 deduplicates the addresses centrallyOverlapping ranges are silently dropped, so there is no conflict
3. By default, does a route in VPN 10 appear in VPN 20 anywhere in the fabric?
Yes, OMP shares all routes across VPNs automaticallyNo — vSmart keeps a separate per-VPN topology; crossing requires deliberate leakingOnly if both VPNs are below ID 511Yes, but only on the same physical router
4. Users in VPN 10 and voice in VPN 20 both need to reach shared DNS/AD in VPN 30, fabric-wide. Which mechanism fits best?
Centralized route leaking via vSmart policyLocal VRF Route Sharing on each deviceMerging VPN 10, 20, and 30 into one VPNPlacing VPN 30 routes into VPN 0
5. What is the recommended discipline for VPN 0 and VPN 512?
VPN 0 carries management; VPN 512 carries user LANsVPN 0 carries transport only; VPN 512 carries management onlyBoth should carry a mix of transport and user traffic for efficiencyVPN 0 and VPN 512 should be merged into one VRF
VRFs and Segmentation
Key Points
On IOS-XE SD-WAN, every service VPN is literally implemented as a separate VRF in the data plane — the practical equation is VPN = VRF.
Each VRF has its own RIB/FIB; an interface belongs to exactly one VRF; packets switch only within the same VRF unless inter-VRF routing is explicitly configured.
Because VRFs are genuinely separate tables, you can reuse overlapping IP ranges in different VPNs — OMP tags every route with its VPN ID.
Segmentation is enforced at two levels: VRF (per-device data plane) and VPN ID (fabric-wide via OMP). A VPN 10 route never automatically appears in VPN 20.
Inter-segment traffic requires deliberate leaking — centralized vSmart policy for fabric-wide consistency, or local VRF Route Sharing for site-local relationships — always scoped with prefix lists and tags.
The final piece is keeping different kinds of traffic separated end to end. On IOS-XE SD-WAN, including the Catalyst 8000 and virtual C8000V, each service VPN is literally implemented as a separate VRF in the data plane. vManage shows you "VPN 10," but the device enforces it as a VRF (e.g., vrf definition SDWAN-10 with an interface bound via vrf forwarding SDWAN-10).
So the practical equation is VPN = VRF. Each VRF has its own RIB and FIB; an interface belongs to exactly one VRF; and packets are switched only within the same VRF unless you explicitly configure inter-VRF routing. The VRF name is an IOS-XE artifact, but the VPN ID is what OMP and vSmart use to enforce segmentation across the fabric. A pleasant consequence: because the VRFs are genuinely separate tables, you can reuse overlapping IP ranges in different VPNs, since OMP tags every route with its VPN ID.
Global VRF and transport VPN
Segmentation is enforced at two levels simultaneously. On each device, the VRF level isolates the data plane: separate RIB/FIB per VRF, no switching between VRFs without explicit configuration. Across the fabric, the VPN level enforces it through OMP: OMP advertises vRoutes tagged with a VPN ID, vSmart maintains a separate topology per VPN, and a route in VPN 10 never automatically appears in VPN 20 anywhere in the fabric.
VPN
Role
What lives here
Advertised into overlay?
VPN 0
Transport / underlay
WAN interfaces to ISP/MPLS/cellular; TLOC-extension links
Only TLOCs, not raw routes
VPN 512
Management
Out-of-band SSH/NETCONF/SNMP/vManage access
No (kept off the data-plane overlay)
VPN 1–511+
Service VPNs
User, voice, IoT, shared-services LAN interfaces
Yes, per-VPN via OMP advertise
VPN 512 is reserved by default as the management VPN for out-of-band management — SSH, NETCONF, SNMP, vManage CLI — and is segmented like any other VRF. The discipline that keeps designs sane is keeping roles clean by VPN ID: VPN 0 carries transport only (no user LAN interfaces), VPN 512 carries management only (ideally truly out-of-band), and service VPNs carry user and tenant traffic. Critically, segmentation exists only in the overlay — the underlay sees encrypted traffic with no segmentation context.
Inter-VRF routing
Because the default is total isolation, any communication between segments must be deliberately enabled through route leaking. A worked example anchors the choice: VPN 10 (corporate users), VPN 20 (voice or OT/IoT), and VPN 30 (shared services such as DNS and Active Directory). By default, users in VPN 10 reach only other VPN 10 routes, voice reaches only VPN 20, and nobody reaches the DC services in VPN 30. To let users and voice reach shared services, you leak selected prefixes from VPN 30 into VPNs 10 and 20.
Figure 6.5: VRF segmentation with selective route leaking to shared services
Centralized route leaking via vSmart policy (recommended for fabric-wide consistency). You define source and destination VPNs, match routes from the source, and have vSmart clone those vRoutes into the destination VPN(s) by changing the VPN ID before advertising. A host in VPN 10 then sees the DC services as routes in its own VRF, while the DC stays in VPN 30. Use this when the inter-segment relationship must be consistent across many sites.
Route leaking between the global/transport VRF and service VPNs. Cisco documents controlled leaking between the global/VPN 0 context and service VPNs — useful when a service VPN needs reachability to something in the global/transport VRF, such as a shared NAT device or OOB management.
Local VRF Route Sharing on the Catalyst 8000 (device-local). The C8000V and Catalyst 8000 support sharing routes between VRFs through local import/export — for instance between a "User" VRF and a local "Firewall" VRF for service chaining. This is device-local; it does not alter how vSmart/OMP sees the VPNs. Use it for site-local relationships.
The guiding rule: for any segmentation that must hold across many sites, prefer vSmart route-leaking policies; reserve local VRF Route Sharing for relationships local to a single site. In all cases be conservative — use prefix lists and tags so you never accidentally leak a default route or an overly broad network between segments.
Key Takeaway: Every service VPN on a Catalyst 8000 is a real IOS-XE VRF (VPN = VRF), giving each segment its own table, allowing overlapping IP ranges, and keeping VPN 10 routes out of VPN 20 by default. Inter-segment traffic requires deliberate route leaking — centralized vSmart policy for fabric-wide consistency, or local VRF Route Sharing for site-local service chaining — always scoped tightly with prefix lists and tags.
Post-Quiz: VRFs and Segmentation
1. On IOS-XE SD-WAN, what is the relationship between a service VPN and a VRF?
A VPN spans many VRFs for redundancyEach service VPN is implemented as a separate VRF (VPN = VRF)VRFs exist only in VPN 0; service VPNs have noneA VRF is a vSmart-only construct with no device equivalent
2. Why can two different service VPNs reuse the same overlapping IP range?
OMP performs NAT on overlapping prefixesEach VRF has its own table and OMP tags every route with its VPN IDVPN 0 deduplicates the addresses centrallyOverlapping ranges are silently dropped, so there is no conflict
3. By default, does a route in VPN 10 appear in VPN 20 anywhere in the fabric?
Yes, OMP shares all routes across VPNs automaticallyNo — vSmart keeps a separate per-VPN topology; crossing requires deliberate leakingOnly if both VPNs are below ID 511Yes, but only on the same physical router
4. Users in VPN 10 and voice in VPN 20 both need to reach shared DNS/AD in VPN 30, fabric-wide. Which mechanism fits best?
Centralized route leaking via vSmart policyLocal VRF Route Sharing on each deviceMerging VPN 10, 20, and 30 into one VPNPlacing VPN 30 routes into VPN 0
5. What is the recommended discipline for VPN 0 and VPN 512?
VPN 0 carries management; VPN 512 carries user LANsVPN 0 carries transport only; VPN 512 carries management onlyBoth should carry a mix of transport and user traffic for efficiencyVPN 0 and VPN 512 should be merged into one VRF