4221 SDWAN and traditional VPN

talalmakki · ‎08-29-2021

Good day,

My company is considering migrating from 1921-SEC/K9 to the new ISR4000 series (4221 model to be specific).

Our current setup includes site-to-site IPVPN (a mix of IKEv1 and IKEv2) along with HSRP and static routing/DHCP server functions.

We were considering also adding some SDWAN boxes from another vendor but it came to my attention that the ISR4000 series can also do SDWAN.

My question is this: can both functions (SDWAN VPN and l2l IPVPN) coexist on the same router? if so, what license and software is required?

What are the limitations?

PS. I have no experience with IOS-XE so for someone coming from a world of traditional IOS, what surprises and difficulties should I expect along the way?

Best regards,

Talal

Kanan Huseynli · ‎08-29-2021

Hi,

SD-WAN in general not technology that can be run between different vendors,hence you should not mix your network with SDWAN from different vendors. Even using one ISR4k in IOS XE SDWAN mode (controller mode) will note give you anything, but add more overhead (because you need to install,configure at least 3 controllers for SDWAN that are vbond/vsmart/vmanage).

You can read about SDWAN for example from design guide:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

In your case, it is better to use ISR4k in traditional way (autonomous mode). ISR4k supports what you mentioned (IKEv1/v2 IPSec/ DHCP Server/ HSRP/ Routing etc). By the way, you can do these features in SDWAN mode (controller mode) as well.

Below datasheet for ISR4:

https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/data_sheet-c78-732542.html

Regarding licensing, for traditional ISR4k you need at least Sec technology package for IPSEC. Additionally, you may need BOOST or PERFORMANCE or HSEC licenses if you channel bandwidth on WAN will be higher (read datasheet for details).

IOS XE is 95% the same with IOS (ISR1900/2900/3900 are IOS). So, no problem to use it.

HTH,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

talalmakki · ‎08-30-2021

Good day Kanan,

Thank you for your efforts but I am trying to find simple answers at this stage as I need to give a go or no-go to my company.

Scenario is simple:

two sites that have 4221/k9 routers need to communicate using SDWAN VPN. R1 is in the HQ, R2 is in site. R2 also needs to have traditional IPVPN to another Cisco box (a 1921-sec/k9 for example) that doesn't support SDWAN.

Will a single 4221 at the remote site be able to do this?

If yes, then what license/part number should I order for both locations (HQ and remote).

Design consideration/recommendations and why we need it this way is (at this point) mute.

best regards,

Talal

Kanan Huseynli · ‎08-30-2021

Hi,

you are giving question that cant be answered without design, additional notes.

But anyway, two cisco routers ISR4221 can be in SDWAN mode and connect each other over SDWAN overlay.

Yes, the second router can have legacy IPSEC to 3rd party routers/firewalls.

But again, SDWAN is not simple 2 routers in SDWAN mode..

regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.