SD-WAN positioning in the topology

They would sit directly connected to your service provider's circuit. I believe that the vEdge devices use a whitelist model though, with IP tables, and only allow connections from the other vEdges and the controllers. This is because vBond is responsible for authentication of vEdges joining the overlay, and once they're authenticated by vBond they can contact vSmart to exchange OMP routes. It's these routes that I believe each vEdge would build its whitelist off of.

This doesn't necessarily help you with a DoS attack, the vEdge still needs to receive and block the traffic, but I would be more concerned about the vBond/vSmart/vManage. I believe these controllers can sit behind a firewall with 1:1 NAT. You can also technically put the vEdge behind a firewall with PAT, because the vBond will facilitate NAT traversal, but you're not really going to be inspecting much other than DTLS or IPsec, which you're probably not going to decrypt.

If you're doing direct internet access at a site with a vEdge, the environment I support has placed firewalls just inside of the vEdges. All traffic, no matter if it's destined internally across the overlay or going DIA, routes through the firewalls. I don't see every environment requiring this, but we are getting a single IP from the internet providers. You would need multiple IPs to have each device sitting on the edge of the internet.
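An added illustration of the allow-list model the reply describes, written for this page and not taken from Cisco's vEdge software: the edge accepts tunnel traffic only from configured controllers and from peers learned after authentication, and everything else is dropped. The controller and peer addresses, the packet records, and the use of UDP 12346 as the single DTLS/IPsec port are all constructed assumptions for the demo; the point it makes concrete is the DoS caveat above, since dropped packets are still received and counted before being discarded.

```python
"""Constructed model of a vEdge-style allow list (not Cisco code).

Control-plane and tunnel packets are accepted only from known controllers
(vBond/vSmart/vManage) and from peer edges learned via OMP. Every other
packet is dropped, but it still has to be received and examined first,
which is why an allow list does not remove the cost of a flood.
"""
from dataclasses import dataclass, field

# Assumption for the demo: one UDP port carries DTLS control and IPsec data.
SDWAN_UDP_PORT = 12346


@dataclass(frozen=True)
class Packet:
    src: str    # source address as seen on the WAN interface
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


@dataclass
class EdgeAllowList:
    controllers: frozenset                      # configured, trusted from day one
    peers: set = field(default_factory=set)     # learned after authentication
    dropped: list = field(default_factory=list) # still received, then discarded

    def learn_peer(self, ip: str) -> None:
        """Add a peer edge once the controllers have introduced it (via OMP)."""
        self.peers.add(ip)

    def permitted(self, pkt: Packet) -> bool:
        """Only UDP to the tunnel port from a known controller or peer passes."""
        if pkt.proto != "udp" or pkt.dport != SDWAN_UDP_PORT:
            return False
        return pkt.src in self.controllers or pkt.src in self.peers

    def filter(self, pkts):
        """Return the accepted packets; record the rest in self.dropped."""
        allowed = []
        for pkt in pkts:
            if self.permitted(pkt):
                allowed.append(pkt)
            else:
                self.dropped.append(pkt)  # processed and then thrown away
        return allowed


def demo():
    """Run the filter over constructed traffic; returns (accepted, dropped)."""
    edge = EdgeAllowList(controllers=frozenset({"198.51.100.10", "198.51.100.11"}))
    edge.learn_peer("203.0.113.20")  # constructed peer vEdge address

    # Constructed flood: 50 unknown sources hitting the correct port.
    flood = [Packet(f"192.0.2.{i}", "udp", SDWAN_UDP_PORT) for i in range(1, 51)]
    traffic = [
        Packet("198.51.100.10", "udp", SDWAN_UDP_PORT),  # vBond: accepted
        Packet("203.0.113.20", "udp", SDWAN_UDP_PORT),   # learned peer: accepted
        Packet("203.0.113.20", "tcp", 22),               # known peer, wrong service
        Packet("192.0.2.99", "udp", SDWAN_UDP_PORT),     # unknown host, right port
    ] + flood

    allowed = edge.filter(traffic)
    return len(allowed), len(edge.dropped)


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted={accepted} dropped={dropped}")
```

Only the vBond and the learned peer get through; the other 52 packets, flood included, are dropped after being received, which is the work the reply says a firewall in front of the controllers is meant to absorb instead.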
