Cisco SDWAN cEdges for Internet Breakout (DIA) and 4g failover

krsnadm
Level 1

Hi,

I am working with a few customers who are terribly dissatisfied with the lack of ability on Cisco ISR C1111-8P routers to do the following:

> Direct internet breakout (which is supported through the local-tloc function on vEdges but not available on cEdges) for traffic types including SaaS traffic that breaks out / goes directly to the internet

> Automatic failover to 4G (as a backup standby connection) from the primary circuit (as this is supported through last-resort on vEdges but not available on cEdges)

Do we have tested/validated workarounds for the above on cEdges, or are vEdges the only way to go until cEdges get new code (which I believe will be out in Mar 2020)?

Thanks experts!

Regards,

Kris


rbncarvalho
Level 1

Hi krsnadm,

Regarding your questions, here are some solutions that can be adapted to your scenario.

> Direct internet breakout (which is supported through the local-tloc function on vEdges but not available on cEdges) for traffic types including SaaS traffic that breaks out / goes directly to the internet

For this you can configure a static default route pointing to VPN 0; it is something similar to a route leak from a VRF to global on regular IOS. This can also be achieved from the Service VPN template. The output will be similar to this:

ip nat route vrf 10 0.0.0.0 0.0.0.0 global

!

router#show ip route vrf 10

Routing Table: 10
<snip>

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

n*Nd 0.0.0.0/0 [6/0], 1d17h, Null0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks

 

router#ping vrf 10 google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.168.174, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp x.x.x.x:5062 x.x.x.x:59524 8.8.8.8:53 8.8.8.8:53
icmp x.x.x.x:5 x.x.x.x:5 172.217.168.174:5 172.217.168.174:5
Total number of translations: 2

 

This supports failover from the DIA to the overlay, and follows the regular OMP routes you have on the router.

However, this is for all traffic; if you need to have, for example, all RFC1918 routes going through the DC, you'll need static routes for this. Also, I've tested this but it's a nightmare: instead of the default, you can have all the specific public address space that you need local breakout for.

Another thing regarding this is that we have this working on an ISR1111X-8P; on the 8PLTEEA it doesn't work, at least up until 16.11. I already have the solution on 16.12 but haven't tested it out yet.
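An added example (not from the post or from Cisco) that simulates the longest-prefix-match decision in the service VPN described above: the NAT DIA default catches any destination no OMP route covers, which is why the reply says static routes are needed to keep RFC1918 space on the overlay. The prefixes and next-hop labels are constructed sample data.

```python
# Added example: longest-prefix-match in a service VPN that has the
# "ip nat route vrf 10 0.0.0.0 0.0.0.0 global" DIA default from the reply.
# Route tables below are constructed sample data, not from a real device.
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: two OMP-learned overlay prefixes plus the NAT DIA default.
BASE_ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "DIA (NAT to VPN 0 / global)",
    "10.1.0.0/16": "Overlay (OMP via DC TLOC)",
    "10.2.0.0/16": "Overlay (OMP via DC TLOC)",
}

# Static routes the reply recommends so that *all* RFC1918 space stays on
# the overlay instead of falling into the NAT default.
RFC1918_STATICS: Dict[str, str] = {
    "10.0.0.0/8": "Overlay (static via DC)",
    "172.16.0.0/12": "Overlay (static via DC)",
    "192.168.0.0/16": "Overlay (static via DC)",
}

# Table after adding the statics; more specific OMP routes still win.
FULL_ROUTES: Dict[str, str] = {**BASE_ROUTES, **RFC1918_STATICS}


def lookup(dst: str, routes: Dict[str, str]) -> str:
    """Return the next-hop label of the most specific matching prefix."""
    addr = ipaddress.ip_address(dst)
    best: Optional[ipaddress.IPv4Network] = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return routes[str(best)] if best is not None else "no route"


def dia_exposure(dests: List[str], routes: Dict[str, str]) -> List[str]:
    """Private (RFC1918) destinations that would exit via the NAT DIA default.

    With only OMP routes and the default, any internal range the DC does not
    advertise is NATed out to the internet instead of being kept on the overlay.
    """
    return [d for d in dests
            if ipaddress.ip_address(d).is_private
            and lookup(d, routes).startswith("DIA")]
```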

 


> Automatic failover to 4G (as a backup standby connection) from the primary circuit (as this is supported through last-resort on vEdges but not available on cEdges)

This is supported since 16.11 on cEdges; I have a solution where I have 3 TLOCs: MPLS, INET and LTE as backup.

 

router#show sdwan control local-properties
personality vedge
sp-organization-name xxxxxxx,xxx
organization-name xxxxxxx.xxx
root-ca-chain-status Installed

certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Mar 23 07:55:00 2018 GMT
certificate-not-valid-after Aug 09 20:58:26 2099 GMT

enterprise-cert-status Not-Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable

dns-name xxxxxxxx.xxx
site-id xxxxxxxxxx
domain-id 1
protocol dtls
tls-port 0
system-ip x.x.x.x
chassis-num/unique-id C1111-8PLTEEA-xxxxxxxxxx
serial-num xxxxxxx
enterprise-serial-num No certificate installed
token -NA-
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:00:22:54
embargo-check success
number-vbond-peers 1

INDEX IP PORT
-----------------------------------------------------
0 x.x.x.x 12346

number-active-wan-interfaces 3


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX RESTRICT/ LAST SPI TIME NAT VM
INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL CONTROL/ LR/LB CONNECTION REMAINING TYPE CON
STUN PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cellular0/2/0 0.0.0.0 0 0.0.0.0 :: 0 0/0 biz-internet down 2 no/yes/no Yes/No 2:14:12:15 0:00:00:00 N 5
GigabitEthernet0/0/0.4030 x.x.x.x 12366 x.x.x.x :: 12366 1/1 mpls up 2 no/yes/no No/No 0:00:00:04 0:09:47:10 N 5
GigabitEthernet0/0/0.900 x.x.x.x 12366 x.x.x.x :: 12366 1/0 public-internet up 2 no/yes/no No/No 0:00:00:01 0:11:37:11 N 5
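An added example (not from the post or from Cisco) that parses the WAN-interface table of the "show sdwan control local-properties" output quoted above and checks the last-resort state: the LTE TLOC should show LR=Yes and stay down while a primary TLOC is up. The sample rows are taken from the anonymised output in the reply; the field names are my own.

```python
# Added example: parse the WAN interface table from
# "show sdwan control local-properties" and summarise LTE last-resort status.
# SAMPLE is constructed from the anonymised rows quoted in the reply above.
from typing import Dict, List

SAMPLE = """\
Cellular0/2/0 0.0.0.0 0 0.0.0.0 :: 0 0/0 biz-internet down 2 no/yes/no Yes/No 2:14:12:15 0:00:00:00 N 5
GigabitEthernet0/0/0.4030 x.x.x.x 12366 x.x.x.x :: 12366 1/1 mpls up 2 no/yes/no No/No 0:00:00:04 0:09:47:10 N 5
GigabitEthernet0/0/0.900 x.x.x.x 12366 x.x.x.x :: 12366 1/0 public-internet up 2 no/yes/no No/No 0:00:00:01 0:11:37:11 N 5
"""

# Column order of a data row, named here for readability (assumed names).
FIELDS = ["interface", "pub_ip", "pub_port", "priv_ip", "priv_ipv6", "priv_port",
          "vs_vm", "color", "state", "max_cntrl", "restrict_control_stun",
          "lr_lb", "last_conn", "spi_remaining", "nat_type", "vm_con"]


def parse_wan_interfaces(text: str) -> List[Dict[str, str]]:
    """Return one dict per TLOC row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header line also has 16 tokens, so require a real STATE value.
        if len(parts) != len(FIELDS) or parts[8] not in ("up", "down"):
            continue
        row = dict(zip(FIELDS, parts))
        # LR/LB column: first value is the last-resort flag.
        row["last_resort"] = row["lr_lb"].split("/")[0].lower() == "yes"
        rows.append(row)
    return rows


def backup_status(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise whether a last-resort TLOC exists and whether failover is active."""
    primaries = [r for r in rows if not r["last_resort"]]
    backups = [r for r in rows if r["last_resort"]]
    primary_up = any(r["state"] == "up" for r in primaries)
    backup_up = any(r["state"] == "up" for r in backups)
    return {
        "backup_interfaces": [r["interface"] for r in backups],
        "primary_up": primary_up,
        # Expected steady state: backup down while any primary is up.
        "failover_active": backup_up and not primary_up,
        # A last-resort TLOC up alongside a primary means LR is not behaving.
        "unexpected_backup_up": backup_up and primary_up,
    }
```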

 

Regarding your last point, the main source for that will be your Cisco SE.

 

Please rate helpful posts.

Thank you

Best Regards, 


Ruben Carvalho CCIE#57952