SD-WAN

  • 1.  BGP Default Route not being Preferenced

    Posted 20 days ago

    I'm hoping someone can help here as I'm new to the Aruba/HPE VPNC platform. What I want to achieve is to route all traffic to a head VPNC over an SD-WAN overlay setup. I have BGP advertising a default route to the branches, but can't seem to get any traffic to use it even though it's in the local routing table. The branches are using a dynamic gateway which seems to add a static default route for the WAN. I've tried to play with the BGP administrative distances but it doesn't preference that route. Any ideas?



    -------------------------------------------


  • 2.  RE: BGP Default Route not being Preferenced

    Posted 19 days ago

    Can you validate the hardware series you are using? Also, how many ISP links are you using and how many VPNCs are you using?

    -------------------------------------------



  • 3.  RE: BGP Default Route not being Preferenced

    Posted 19 days ago

    The hardware setup is 9106 at the hub and 9004 at the spoke. The plan is to run 2x 9106 for the VPNC end with VRRP, each with separate layer 3 ISP links. The branches use a single L3 ISP uplink with LTE as the backup.
    Thanks.




  • 4.  RE: BGP Default Route not being Preferenced

    Posted 19 days ago

    Thanks for the info. I don't recall exactly where I read it, and I'm sure it's documented. The SD-Branch design guide hints strongly at policy-based routing for sending the branches' default route to the datacenter VPNC. I will add a screenshot below. I have heard there could be some enhancements in CNX with SD-Branch routing; for this time I am only going to speak of classic Central.

    Overlay routes will use the metric based on the topology order of the VPNCs. If you have 2 or 3 VPNCs they will be in a list and increment with a cost of 10 on each (i.e. 10, 20, 30). DPS rules will favor more than one WAN interface on the branch. If you only have a single WAN interface on the branch then there is nothing for DPS to optimize with VPNCs for path selection. At that point the VPNCs are more of an active/passive setup. I think you would gain more with bringing both ISPs into each VPNC. I would have to go back and take a second look at some design concepts, as PBR follows a few different concepts.

    The default is that each WAN interface on the branch will build a VPN tunnel to each WAN interface on the VPNC. With 2 VPNCs and 2 ISPs (one in each), the branch will build a VPN tunnel to both with costs of 10 and 20. You can look at the routes you are getting on the branch with the following command.

    • show ip oap route

    If you want to use PBR for whatever reason, there are enhancements from 8.x to 10.x. You can have multiple VPNCs in a next-hop list and you can use your WAN health check rules to make calculations on which path is preferred. If you wanted to do load balancing between both VPNCs you have to use a PBR at this time. I personally don't think there is a need to use VRRP on the VPNCs at this time. Just the order of your devices in the topology list will determine the routing priority. DPS is not applicable to PBR, so your WAN health checks applied in the next-hop list will be the best option to pick the best path. If you want your PBR to be active/passive, that can also be accomplished fairly easily.

    • next-hop priority the same for each entry = load balance
    • next-hop priority different for each entry = order of operations
    • next-hop health check rules = use logic to bring out of service. 

    Your next-hop list with logic will then go into a simple PBR that will point all traffic to the next-hop list. 

    • any, any, any - route next-hop-list [xxxxx]
    • any, any, any - forward - ** anything that does not match the above statement will use the routing table. It's a safety measure, not required in PBR.

    The PBR can then be applied to a VLAN, or a role. If you have a VLAN for guest and a VLAN for corp, you can apply the PBR to VLAN corp and anyone on that VLAN will get the PBR. If you want more granular control, you can apply it to user roles.

    I have included some helpful commands you may want to use. 

    • show ip oap [route / advertise]
    • show ip nexthop-list
    • show ip health-check
    • show wan nexthop-list  || show wan threshold-stats
    • show acl hits
    • show ip access-group || show route-access-list
    • show datapath route

    There are some other commands I can provide if needed. 

    -------------------------------------------
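    As an added illustration (not code from this thread, from Aruba, or from AOS 10), here is the next-hop-list behaviour the post above describes, modelled in Python: equal priority means load balance, different priority means ordered failover, a failed health check takes the entry out of service, and an empty list falls through to the routing table. The hop names, priority values and the flow-hash stand-in are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the next-hop-list semantics described in the post:
# equal priority = load balance, different priority = ordered failover,
# failed health check = entry taken out of service, empty list = routing table.
# This is an illustration of the logic, not the AOS 10 implementation.


@dataclass
class NextHop:
    name: str        # e.g. a VPNC tunnel; names here are constructed
    priority: int    # lower value = preferred (the "order of operations")
    healthy: bool    # outcome of the WAN health-check rule for this hop


def in_service(hops: list[NextHop]) -> list[NextHop]:
    """Health-check rules remove failed entries from the candidate set."""
    return [h for h in hops if h.healthy]


def select_next_hop(hops: list[NextHop], flow_id: int) -> str:
    """Pick the hop a flow is sent to, or 'routing-table' if none is usable.

    flow_id stands in for whatever per-flow hash the device uses; it only
    matters when several hops share the best priority (load balance).
    """
    live = in_service(hops)
    if not live:
        # Mirrors the post's 'any, any, any - forward' safety entry:
        # traffic falls back to the normal routing table.
        return "routing-table"
    best = min(h.priority for h in live)
    candidates = [h for h in live if h.priority == best]
    return candidates[flow_id % len(candidates)].name


def active_passive_list() -> list[NextHop]:
    """Different priorities: vpnc1 is used until its health check fails."""
    return [NextHop("vpnc1", 10, True), NextHop("vpnc2", 20, True)]


def load_balance_list() -> list[NextHop]:
    """Same priority on both entries: flows are spread across both VPNCs."""
    return [NextHop("vpnc1", 10, True), NextHop("vpnc2", 10, True)]


if __name__ == "__main__":
    ap = active_passive_list()
    print([select_next_hop(ap, f) for f in range(4)])   # all vpnc1
    ap[0].healthy = False
    print(select_next_hop(ap, 0))                        # vpnc2
    print([select_next_hop(load_balance_list(), f) for f in range(4)])
```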



  • 5.  RE: BGP Default Route not being Preferenced

    Posted 18 days ago

    Like mentioned, PBR is the way to go for a default route in the overlay. The orchestrator doesn't accept default routes. Please take a look into the orchestrator guide. A really great resource with a lot of information. https://arubanetworking.hpe.com/techdocs/central/sd-branch-ref-docs/sd-wan-orchestrator.pdf

    Here is a link to the Central documentation for PBR on SD-Branch. https://arubanetworking.hpe.com/techdocs/central/2.5.8/content/aos10x/cfg/routing/pbr-policies.htm



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------