07-26-2019 03:56 PM
Can I ask someone with a better understanding of SD-WAN to help with the following points of confusion?
1. Does the service VPN# have to match between sites? For example, there is one DC and one branch connected by the SD-WAN fabric. The DC vEdge is configured with VPN 10, which represents the DC LAN. In order for the branch to access the DC LAN over SD-WAN, must the branch vEdge be configured with service VPN 10 as well?
2. Marketing material emphasizes the traffic segregation feature in the Viptela SD-WAN solution. But this segregation is only applicable within the SD-WAN fabric, right? Once traffic exits the vEdge on the LAN side, the segregation would depend on the LAN setup (whether a firewall or an ACL on the core device), if any, right? If the LAN side just provides plain routing/switching, then traffic would be able to communicate... Am I wrong?
3. Compared with the traditional IPsec site-to-site VPN tunnel, what would be the benefit of SD-WAN, assuming there is only one Internet transport link per site/location and no Office 365/Azure?
08-02-2019 09:18 AM
1. If both are using the same VPN, they will communicate by default. If not, you need to create an extranet policy (similar to VRF route leaking) to communicate between DC and Branch.
2. Your understanding is correct.
3. You would get the benefit of the FEC and packet duplication features (check the 19.1 release notes below)
Regards,
Srikanth
08-02-2019 12:04 PM
Thanks!
08-04-2019 05:13 AM