cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1931
Views
0
Helpful
5
Replies

Branch Site SD-WAN using PTP and Internet link design considerations

Vinod Kumar
Level 1
Level 1

I'm designing a new branch site considering SD-WAN in a couple of months. This is what I'm planning.

EdgeRT1: Point-to-Point Link (No MPLS) to a Regional Site GW (Egress to support MPLS & Internet traffic)

EdgeRT2: Internet Link (Two Private VPN's to sites, Local Internet and O365 access). The VPN to two other sites will be initiated by VPN-FW and will use Source-NAT as whitelisted on remote sites. Internet access will be via Proxy Server.

 

If I don't consider SD-WAN this works fine without any problem and provide redundancy to each other links i.e. If Branch Internet link is down then we are learning a default route from PTP link from Regional HUB and Vice-Versa if PTP link goes down then I can have Site-to-Site VPN over an Internet link.

 

Could you please suggest a design and how it will work? One suggestion I thought of adding one more router as EdgeRT3 which will have iBGP with both the other Edge routers. And then I'll configure EdgeRT1 and EdgeRT3 as vEdge routers to run SD-WAN and keep EdgeRT2 as is so that my static VPN, Internet, and O365 can go directly but in this design, I build the redundancy for PTP link to have tunnels from vEdgeRT3 and use the Internet transport terminated on EdgeRT2 but not sure about the redundancy if the Internet link goes down then SD-WAN vEdgeRT1 will let me use PTP link to have for the traffic.

 

Please suggest the design to support my requirements.

 

P.S. We have SD-WAN enabled on the HUB Site as well as shown in the diagram.

 

 

 

5 Replies 5

ekhabaro
Cisco Employee
Cisco Employee
My 2 cents. Try to keep it as simple as possible. If you prepare greenfield deployment, try to avoid mixing legacy WAN with SD-WAN and keep your SD-WAN edge devices, no matter how obvious it sounds, on the edge of your network. Also try to keep your network modules separated from each other, e.g. your SD-WAN fabric should be separate module and treated correspondingly, from your picture it looks like there is no clear segmentation.

Also not clear why your vEdge3 does not have links with switch stack?

My apologies for the delay in response. I just updated the thread with new diagram.

Simon Ko
Level 1
Level 1

Looking at your diagram,

vEdgeRt3 has no direct internet access.

Are you planning on using vEdgert1's point to point for vpn0 traffics?

Is EdgeRt1 vEdge?

If so, are you using vEdgeRt2 for second internet path for vEdgeRt3?

 

You know, you can just do the same without vEdgeRt3.

You can connect two links between vEdgeRt1 and vEdgeRt2 and use that link to carry traffics for the other vEdge.

 It is called Extending WAN Transport VPN ( tloc-extension )

 

See if that makes sense.

Good luck.

 

Hi Simon:

 

Thank you for your reply. Here is our requirement.

Infra: 2xcEdgeRT (ISR4331), 1xInteret Link & 1xPoint-to-Point link

 

Internet Link:

1: VPN connection from VPNFW to this branch site to a Legacy Site using Internet Link

2: Internet Browsing and Microsoft Office365 using Internet Link

3: Fall-Back/Redundancy if Point-to-Point link fails using SD-WAN

 

Point-to-Point Link to Regional HUB:

1: Access to Internal Network and some RTP (Voice & Video traffic)

2: Provide redundancy to Internet link as we are receiving default route from Regional HUB

 

Questions:

1: Can I use my Internet link managed by SD-WAN to have VPN to separate legacy sites, Internet Access and SD-WAN tunnels for Internal traffic? I heard of DIA that might let me use the Internet link for Browsing but not sure if that work other traffics.

2: When Internet Link is down the PTP should allow me to access all three types of traffic for which I need to advertise Public IP’s originating from Branch office and Egress through Regional HUB?

3: I need to check either if a Link goes down or a router and network should converge to allow all three types of traffic.

4: We are fine to add more routers or more links to avoid any kind of outage.

 

PFA the updated the logical diagram and appreciate any help or pointers.

Here is what I think,

You should use vEdge1000 since it has 8 ports + management port

You need following:

1 WAN port - VPN0 - GE0/0

2 TLOC ports - one to service, one to be serviced - GE0/1, GE0/2

1 Service VPN1 - GE0/3 - EdgeVRF

1 Service VPN2 - GE0/4 - CoreVRF

1 Management - Mgmt Port

You will create a complex policy to route VPN1 and VPN2, allowing source and destination.

You will do NAT/PAT on vEdgeRT2

You will do NAT/PAT on EDGE RT and MPLS RT

You will do static NAT for vEdgeRT1 - WAN address on EDGE RT

You will share OSPF routing info with stack routing process

 

This is a rather complex for ISR, ISR has only four interface including management port. You need two more.

Outside SDWAN, routing is not a concern of SDWAN process.

As long as there is a path to vBond on the cloud, it will work.

Hope this clears up your design questions.

Review Cisco Networking for a $25 gift card