
IP addressing of on-prem controllers

TCPuniverse
Level 1

Hi;

I need to know the mechanism of the connectivity between the controllers, especially on public and private IP addresses and the colors. I have read the design and deployment documents available on the Cisco website, but all of them are based on one case only, which is cloud-based controllers. But what is most important in most countries, especially in the governmental sector, is on-prem controllers. These kinds of organizations don't and won't want cloud-managed or Cisco-owned devices because of their strict security and regulatory policies. There is no guide for these situations which explains the kind of IP addresses (public or private) and the effect of NAT on their IP addresses while there is a mixture of MPLS-like circuits and Internet lines. Adding the color concept to this blind spot makes this spot even more difficult to understand.
So any guides or small white paper on this issue will be greatly appreciated.

12 Replies

Thank you for the reply. I had read the related pages in the deployment and design guides, but they only showed the principles and the commands. What is needed is a scenario showing on-prem controllers with their real pre-NAT and post-NAT IPs and reachability between IOS-XE/vEdge routers and controllers through Internet and MPLS lines. All of the related documents on the Cisco website either show cloud-based controllers or only display commands (without using IPs). I already know the commands and need to find complete and detailed worked examples.

As an example we have this topology:

 

[Image: 703FD74B-1394-4546-8E60-7679B4D5632B.jpeg]

 

IP addresses of controllers are (192.168.1.10 = vBond) (192.168.1.11 = vSmart) (192.168.1.12 = vManage). These addresses will be 1-to-1 NATed respectively to 5.5.1.10, 5.5.1.11 and 5.5.1.12. We don't use any NAT on the MPLS line. Now the questions:

 

1) which IP address of vBond will be used on vManage and vSmart?

2) what will be the color of each controller?

3) two IOS-XE sd-wan routers in HQ site have links to both of Internet and MPLS lines. Which IP address of the vBond should be configured on these 2 routers? What will be color of each interface on these routers?

4) sd-wan branch routers will use which IP as vBond? What will be the color of each interface on these branch routers?


 

First of all I would like to know,

1. Are you using MPLS as a transport for your SD-WAN controllers to vEdge or cEdge communication?

Ans:- If you are using MPLS only as a transport for on-prem controllers to vEdge or cEdge communication, then in this case you don't have to use NAT; you can use private IPs for the controllers and the vEdges/cEdges will communicate with the on-prem controllers. In this case you have to use the vBond's private IP address on all controllers (vM, vB and vS) and on the cEdge/vEdge routers.

==================================================================================

2. Are you using Internet as a transport for your SD-WAN controllers to vEdge or cEdge communication?
Ans:- If you are using Internet only as a transport for on-prem controllers to vEdge or cEdge communication, then in this case you will have to use one public IP address for each controller (vManage, vBond and vSmart) and you will have to configure NAT on your firewall; when remote-site vEdge or cEdge routers communicate with the on-prem controllers, NAT will translate the public IP addresses of vManage, vBond and vSmart to the private IP addresses.

================================================================================

Note:- In case of hybrid deployment:-

Hybrid means you are using both MPLS and Internet as transports; in this case, again you have to use NAT and one public IP address for each controller.

Below is the explanation for hybrid deployment:-

On-Prem Controllers Hybrid Deployment:-
For Controller Communication:-
=> vSmart and vManage point to the vBond IP address - the NATed public IP address

=> vBond learns the interface private and NATed public IP address of vSmart and vManage - private is pre-NAT, public is post-NAT

=> vSmart and vManage use interface private IP addresses for communication - vSmart and vManage use a private color (non-default) - private color to private color uses the private IP address

------------------------------------------------------------------------------------
For vEdge or cEdge to Controller Communications:-

=> vEdge/cEdge points to the vBond FQDN that resolves to both the public and private IP addresses
=> vEdge/cEdge communicates with the vSmart and vManage NATed public IP addresses over Internet and their interface private IP addresses over MPLS - private color to private color uses the private IP address, private color to public color uses the public IP address

 

Below I have added one image for clarity:-

[Image: Controllers communications.JPG]

 

That answers all your questions. If you still have any doubts you can ask your questions and I will answer.

 

Again:-

If you are going with the design you are using (however, I could suggest a different and better design than yours), in this case it's a hybrid deployment: use the vBond NATed IP address for all (controllers and routers).

======================================================================================

Kindly let me know if you have further queries for SD-WAN deployment.

 

Kindly hit the helpful button and mark as solved if this post has helped you.

 

Happy learning!!

 

Thanks & Regards,

Rohit Raj


@RohitRaj03827 Hi and thank you for this detailed answer.

I'm testing the solution following your recommendations. In the meantime, I have some minor questions too:

 

- The DNS address is written in the global configuration mode of the ISR SD-WAN routers (for the sake of resolving the vBond name to its public and private IP addresses). So should it be reachable through the global routing table, or is there any rule here? For example, is it possible to use a DNS server residing inside the mgmt network?

 

- You have mentioned that the design I'm using is not preferred by you. What would be your preferred basic design, provided that I'm restricted to using on-prem controllers and have both MPLS and Internet lines?

 

Regards;

The DNS address is written in the global configuration mode of the ISR SD-WAN routers (for the sake of resolving the vBond name to its public and private IP addresses). So should it be reachable through the global routing table, or is there any rule here? For example, is it possible to use a DNS server residing inside the mgmt network?

 

Yes, in the case of cEdge routers you will have to use the following two commands for vBond DNS resolution if you are using two vBonds.

Commands are:-

ip domain lookup
ip name-server 10.10.41.189 10.10.41.190

 

10.10.41.189(vBond1 dns address) and 10.10.41.190(vBond2 dns address) 

 

and these commands are for global configuration mode.

You will need to make an "A" record entry for both vBonds on the DNS server; both DNS addresses should be reachable from the remote sites. That's the only requirement.

 

==========================================

For the design, kindly create a new thread and we will discuss it there, or you can message me and I will explain all the possibilities for the design.

 

Kindly hit the helpful button and mark as solved if this post has answered your query.

 

 

Regards,

Rohit Raj

 


 

and these commands are for global configuration mode.

You will need to make an "A" record entry for both vBonds on the DNS server; both DNS addresses should be reachable from the remote sites. That's the only requirement.

 


 

@RohitRaj03827 Do I need to create a DNS "A" record for both of the IP addresses of a vBond (one "A" record for the vBond's public/NATed address and one "A" record for the same vBond's private/pre-NAT address)? From your text this was what I understood.

 

You've said "vBond learns interface private and NATed public IP address of vSmart and vManage - Private is pre-NAT, public is postNAT". Does this learning occur automatically? So why does the following command on the devices display only the private IP addresses of the controllers under both the "Peer Private IP" and "Peer Public IP" columns?

 

Device     Private IP (Pre-NAT)   Public IP (NATed)
vManage    172.16.10.3            172.16.20.3
vSmart 1   172.16.10.4            172.16.20.4
vSmart 2   172.16.10.5            172.16.20.5
vBond      172.16.11.2            172.16.21.2

 

 

 

on vBond:

vbond# show orchestrator connections
                                               PEER                   PEER  
PEER     PEER     PEER           PEER          PRIVATE  PEER          PUBLIC
TYPE     PROTOCOL SYSTEM IP      PRIVATE IP    PORT     PUBLIC IP     PORT  
----------------------------------------------------------------------------
vsmart   dtls     10.255.255.82  172.16.10.4   12346    172.16.10.4   12346 
vsmart   dtls     10.255.255.82  172.16.10.4   12446    172.16.10.4   12446 
vsmart   dtls     10.255.255.83  172.16.10.5   12346    172.16.10.5   12346 
vsmart   dtls     10.255.255.83  172.16.10.5   12446    172.16.10.5   12446 
vmanage  dtls     10.255.255.81  172.16.10.3   12346    172.16.10.3   12346 
vmanage  dtls     10.255.255.81  172.16.10.3   12446    172.16.10.3   12446 

 

on one of cEdges:

r90#sh sdwan control connections
                                     PEER                  PEER               
PEER     PEER           PEER         PRIV    PEER          PUB                
TYPE     SYSTEM IP      PRIVATE IP   PORT    PUBLIC IP     PORT    LOCAL COLOR
---------------------- -------------------------------------------------------
vsmart   10.255.255.82  172.16.10.4  12346   172.16.10.4   12346   default    
vsmart   10.255.255.83  172.16.10.5  12346   172.16.10.5   12346   default    
vsmart   10.255.255.82  172.16.10.4  12346   172.16.10.4   12346   mpls       
vsmart   10.255.255.83  172.16.10.5  12346   172.16.10.5   12346   mpls       
vmanage  10.255.255.81  172.16.10.3  12346   172.16.10.3   12346   default    

 

Thanks.
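The symptom in this post (the peer public IP column showing the same address as the peer private IP on a public color) can be checked mechanically against the NAT table posted above, using the rule from the earlier reply that private colors use private addresses while public colors should see the post-NAT address. The following Python is an added example, not code from this thread or from Cisco: it parses the cEdge output quoted above and reports public-color rows whose peer public IP is not the expected post-NAT address. The set of private colors (mpls, metro-ethernet, private1-6) is assumed from Cisco documentation; the sample output and NAT map are constructed from this post.

```python
import re

# Private TLOC colors in Cisco SD-WAN (assumed from vendor docs); all others are public.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}

# Constructed sample: the cEdge output quoted in this post (trailing spaces dropped).
SAMPLE_OUTPUT = """\
PEER     PEER           PEER         PRIV    PEER          PUB
TYPE     SYSTEM IP      PRIVATE IP   PORT    PUBLIC IP     PORT    LOCAL COLOR
---------------------- -------------------------------------------------------
vsmart   10.255.255.82  172.16.10.4  12346   172.16.10.4   12346   default
vsmart   10.255.255.83  172.16.10.5  12346   172.16.10.5   12346   default
vsmart   10.255.255.82  172.16.10.4  12346   172.16.10.4   12346   mpls
vsmart   10.255.255.83  172.16.10.5  12346   172.16.10.5   12346   mpls
vmanage  10.255.255.81  172.16.10.3  12346   172.16.10.3   12346   default
"""

# Expected 1-to-1 NAT (pre-NAT -> post-NAT), constructed from the table in this post.
NAT_MAP = {
    "172.16.10.3": "172.16.20.3",
    "172.16.10.4": "172.16.20.4",
    "172.16.10.5": "172.16.20.5",
    "172.16.11.2": "172.16.21.2",
}

# One data row: peer type, system IP, private IP/port, public IP/port, local color.
ROW = re.compile(
    r"^(?P<type>v\w+)\s+(?P<system_ip>[\d.]+)\s+(?P<priv_ip>[\d.]+)\s+(?P<priv_port>\d+)"
    r"\s+(?P<pub_ip>[\d.]+)\s+(?P<pub_port>\d+)\s+(?P<color>\S+)\s*$"
)

def parse_connections(text):
    """Return one dict per control-connection row; header and rule lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def is_private_color(color):
    return color in PRIVATE_COLORS

def find_mismatches(rows, nat_map=NAT_MAP):
    """Public-color rows whose peer public IP is not the post-NAT address from nat_map.
    A pre-NAT address there is exactly the symptom described in this post."""
    bad = []
    for r in rows:
        if is_private_color(r["color"]):
            continue  # private color to private color uses the private IP; nothing to check
        expected = nat_map.get(r["priv_ip"], r["priv_ip"])
        if r["pub_ip"] != expected:
            bad.append((r["type"], r["system_ip"], r["color"], r["pub_ip"], expected))
    return bad
```

Run against the sample, all three default-color rows are reported, while the two mpls rows pass, matching the complaint that only the Internet-side connections carry the wrong address.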


Hello TCPuniverse,

Sorry for the late response.

 

Kindly share the vManage, vBond, vSmart and cEdge router configurations and, if possible, come online with me and share your screen; I will help you to resolve this and will give you an understanding of how it works, and will also resolve this problem.

 

 

 

Regards,

Rohit Raj


Hi @RohitRaj03827 

 

This is my new topology, which is a little bit different from the previous one. In this topology I've put the vBond on a separate network from the other controllers.

[Image: Taymaz SD-WAN topology 04.jpg]

 

I attached the controllers' and one of the IOS-XE SD-WAN routers' configs to this post as a ZIP file. This is a dashboard screenshot of the vManage:

[Image: tsdwan-05.jpg]

 

I've created two AAA records for the vBond (one for its private address and one for its public address) on the DNS server (is this correct?). I have also configured NAT only on the Internet lines. The IP addresses of the controllers are the same as mentioned in the previous post, but I wrote them down on the topology above again.

I think there is an issue regarding DNS; the routers shouldn't reach the vBond public address through MPLS, but due to the MPLS static route configured on them, sometimes they use that route toward the vBond, which they shouldn't. I will check the NAT config on the DC router, but in the meantime you can take a look at what I have done up to this point.

 

Regards;

Hi @RohitRaj03827, did you find a chance to look at the configs?

TCPuniverse
Level 1

Hello guys! Any word on this?

Are the controllers connected on the LAN side of the SD-WAN Edge routers? Edge devices use transport-side interfaces to connect to the controllers. Typically on-prem controllers are in a DMZ. If the controllers need to be on the LAN side, then VPN0 must be extended to the LAN side and the controllers deployed in VPN0.

Controllers are not configured with any Color. You'll need only tunnel-interface command on vManage and vSmarts to initiate the tunnel connections to vBond.

To have reachability to the controllers over both Internet and private transports, the public NATed IPs can be advertised on the MPLS network. The FQDN of the vBond should resolve to the public NATed IP of the vBond.

Hi @TCPuniverse 

Did you get this working? If yes, can you share the config details?

 

 

Thanks & Regards

Faisal

 

 

 
