12-08-2019 09:38 PM
Hello,
If there is an MPLS-only site with private IP addresses connected over MPLS/L3VPN to other sites, and I put a vEdge on this site, how will this site reach the SD-WAN controllers such as vBond, vManage and vSmart that are hosted on the Internet (or at Cisco DC)?
This site has Internet connectivity only via the DC/Campus site, and there is no direct Internet access at this site.
Also, how will this site (MPLS-only site) establish IPSec connectivity with sites that only have Internet connectivity? Is it possible to establish a single IPSec tunnel between these two sites via the DC/Campus site? Or is the connectivity established by having two IPSec tunnels, one between MPLS and DC and another between DC and the Internet-only site?
This scenario is something I could not find any documentation for. Any help in the right direction would be appreciated.
Thank you,
Mohan
12-09-2019 02:38 AM
Hello,
When you have MPLS only sites and control part hosted on Internet, you have 2 solutions:
For the second solution, you have to route Internet traffic to your datacenter (coming from the vEdge for the control part), and from the datacenter go to the Internet without going through the vEdge of the datacenter. NAT should also be done at your datacenter to NAT the private IPs of the vEdges of all the branches. DNS requests from the vEdges should also be answered via the DC.
"Also, how will this site (MPLS-only site) establish IPSec connectivity with sites that only have Internet connectivity? Is it possible to establish a single IPSec tunnel between these two sites via the DC/Campus site? Or is the connectivity established by having two IPSec tunnels, one between MPLS and DC and another between DC and the Internet-only site?"
==> My opinion is 2 IPsec tunnels, one between the DC and the MPLS branch, and another one between the DC and the Internet-only site. You can have a direct IPsec tunnel if you have an Internet exit on the MPLS network.
12-16-2019 07:51 AM
I had the same question about establishing connectivity between two sites that don't share an underlay (one site is MPLS, the other biz-internet). I followed the instructions in this article https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214148-configure-connectivity-between-different.html and it still didn't work. The routes show "Inv, U" on the cEdges in question.
12-25-2019 01:31 AM
04-20-2020 08:34 AM
Thank you, @confignetworks. Appreciate your clear reply.
Regards,
Mohan
05-10-2020 04:02 PM - edited 05-10-2020 04:11 PM
Thank you for the explanation. I have a similar scenario but a different query.
In my case, the remote site with a single vEdge has two links:
a MAN link to the data center with color private1, and
broadband Internet with color biz-internet.
The site vEdge router is only set up to form control connections to the controllers (hosted in the Cisco cloud on the Internet) over biz-internet, and the private1 TLOC interface is set with the "control-connections 0" command.
Now, if the Internet link goes down, how long can the router continue forwarding data traffic over the MAN link without any control connection, based on cached OMP routes in the route table?
OMP graceful restart is enabled, which is the default.
Thanks!