Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
1
Replies

Control Connections from private transport via NAT through another vEdge Router

thomas.busse
Level 1
Level 1

‎11-29-2020 01:56 AM

Hello, 

 

I do have a relatively simple SDWAN fabric that includes a public-internet line and a private line for all sites in the transport VPN0.

 

The controllers are cloud hosted from Cisco within Azure DC and the private line does not have a connection to the public-internet, this means per default there won't be any control connections from the private TLOCs to the controllers in the cloud.

 

I was wondering if one vEdge router, eg. in the datacenter could be used as a "bridge" between the private line and the public-internet by pointing the branches with a default route to the next-hop IP (private line IP) of the vEdge router in the datacenter and doing NAT from private line to the public-internet?

I have tried to set it up in a sandbox environment, but could not get the vEdge router in the DC doing the NAT, an ASA Firewall inserted as the "bridge device" doing NAT & routing was working without any trouble.

 

Disabling the "control connections" within the private line interfaces is no option, since these should also be used as a backup one the public-internet interface fails.

 

Any Ideas, feedback are highly welcome.

 

Thank you and best regards,

Thomas

 

 

0 Helpful
1 Reply 1

Kanan Huseynli
VIP
VIP

‎12-05-2020 08:16 AM

Disabling the "control connections" within the private line interfaces is no option, since these should also be used as a backup one the public-internet interface fails.


Hi,

 

confirm if I understand correctly. You want control connection redundancy, yes? Then you have to have some kind of connection to controllers. This can be done via central device in DC as you said. I don't know , what type of configuration you have done in lab, but central device with one interface in service VPN (connected to private line) and dynamic NAT over internet interface (VPN0) should work.

 

But iff your redundancy requirement is only for dataplane, then max-control-connections 0 should help. Regarding this command you can find relevant section in SD-WAN CVD.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

 

Regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful
Customers Also Viewed These Support Documents