07-30-2024 01:56 PM - edited 07-30-2024 01:57 PM
I am looking at a breakout session from Cisco Live that discussed Internet breakout and DIA, where NAT is required to enable local breakout. However, it also mentions that service-side breakouts can be provided in case NAT is not needed or special care is needed for public addressing. I have a use case where a) I don't need NAT enabled, as the firewall behind the SD-WAN routers is handling the NAT services, and b) I have a /24 block from two different providers for this location.
The traffic flow goes from:
The end-user device ->
Firewall (which does the security and NAT) ->
SD-WAN routers
(which either forwards the traffic to SD-WAN fabric to another site or sends the traffic locally over the Internet directly.)
Can anyone point me to the documentation that this breakout session is referring to? The deck is https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKRST-2791.pdf and I am looking at slide 84.
Thanks.
07-31-2024 12:01 AM
See the guide below; it gives you direction to start and covers how to set up DIA.
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2020aug.pdf
Most use cases are: office to office uses the SD-WAN; DIA is used for any Internet access where you do not want to go via the transit hub router for Internet access. That is the use case.
07-31-2024 07:25 AM
Unfortunately, I read that document. Nothing in that document shows how to set up the router as a non-NAT device, which is what my use case is.
07-31-2024 09:44 AM
"Nothing in that document shows how to setup the router as a non-NAT device which is what my use case is."
That is the concept of the document, how DIA works; as I mentioned before, you need to provide some example.
"how to setup the router as a non-NAT device which is what my use case is." As you see in your flow, you then need to check and route the traffic where you want to send it, over the SD-WAN link or directly to the Internet.
I suggested spending some time making a small diagram so you will understand the concept mentioned in the document; the same for us, post your scenarios so we understand. (There are different ways to do it, but again, let us wait for your diagram of flows and IP subnet information.)
07-31-2024 10:02 AM - edited 07-31-2024 10:09 AM
I attached my use case. Edge1 and Edge2 represent my SD-WAN routers at the remote locations. Edge3 represents my SDCI router that attaches to my cloud provider. Svr1 is my production application in the cloud. Svr2 is my SaaS application (let's assume Office 365). FW1 and FW2 are my firewalls, which are doing the security and the NAT.
For Internet traffic for Office 365, it flows from the PC to the firewalls, which allow the traffic via their ruleset and perform a source NAT to my public IP. The firewall then forwards the traffic to Edge1 and Edge2, which use the local Internet circuit to send it to my SaaS. For production traffic, it's the same flow, but in this case the firewalls do not perform a source NAT. They simply forward the traffic to the Edge routers, and they forward the traffic over the SD-WAN fabric to Edge3.
Simply stated, I have a pair of firewalls, so I don't want Edge1 and Edge2 to be involved with NAT in any form or fashion. I would think that this is a normal use case as most people have firewalls and routers as separate devices in a remote location.
08-01-2024 01:51 PM
Good real world case.
I'll test in lab as well, but technically I see one option: route leaking between global and VRF which can be done via feature template or cli template.
08-01-2024 04:19 PM
Thank you for trying to lab this up. I am using a CSR1000v running 17.3.8a in my lab to test, but in production I am using Catalyst 8300s and 8500s running 17.9.4a.
I will try to do the route leaking in my lab as well.
08-01-2024 09:29 PM
Try to lab with the C8000V; the CSR1K will not have the features from the latest releases.
08-02-2024 10:18 AM
Okay, with the C8000V, the route leaking from the service VPN to the global VPN works.
Here is part of the working configuration:
vrf definition 40
 description WHSE
 rd 1:40
 !
 address-family ipv4
  route-replicate from vrf global unicast static route-map Leak-Default-Route
  route-target export 65006:40
  route-target import 65006:40
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
global-address-family ipv4
 route-replicate from vrf 40 unicast static route-map SITE6-Leak
!
router bgp 65006
 bgp log-neighbor-changes
 neighbor 100.0.6.1 remote-as 100
 !
 address-family ipv4
  redistribute vrf 40 static
  neighbor 100.0.6.1 activate
  neighbor 100.0.6.1 send-community both
  distance bgp 20 200 20
 exit-address-family
!
ip route vrf 40 (nat prefix) 255.255.255.0 172.31.6.2
ip prefix-list PL_Site6_Routes seq 5 permit (nat prefix)
route-map SITE6-Leak permit 1
 match ip address prefix-list PL_Site6_Routes
!
route-map SITE6-Leak deny 65535
!
Thank you for your help.
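Because route-replicate between the global table and a service VRF punches a hole in the VRF isolation, the route-maps and prefix-lists it references are the only thing scoping what leaks. The following is an added check, not code from the thread or from Cisco: a small Python linter that parses route-replicate statements like the ones in the configuration above and flags a route-map or prefix-list that is referenced but not defined, a permit clause with no prefix-list match, or a prefix-list entry that would admit any prefix. The sample config is constructed from the posted fragment, with 203.0.113.0/24 (RFC 5737 documentation space) standing in for "(nat prefix)" and Leak-Default-Route left undefined, as it is in the post.

```python
import re

# Constructed sample based on the fragment posted above; "(nat prefix)" is replaced by
# 203.0.113.0/24 (RFC 5737) and Leak-Default-Route is left undefined, as in the post.
SAMPLE_CONFIG = """vrf definition 40
 address-family ipv4
  route-replicate from vrf global unicast static route-map Leak-Default-Route
!
global-address-family ipv4
 route-replicate from vrf 40 unicast static route-map SITE6-Leak
!
ip prefix-list PL_Site6_Routes seq 5 permit 203.0.113.0/24
route-map SITE6-Leak permit 1
 match ip address prefix-list PL_Site6_Routes
!
route-map SITE6-Leak deny 65535
"""
RE_REPL = re.compile(r"route-replicate from vrf (\S+) unicast \S+ route-map (\S+)")
RE_RMAP = re.compile(r"^route-map (\S+) (permit|deny) \d+")
RE_MATCH = re.compile(r"^\s+match ip address prefix-list (\S+)")
RE_PL = re.compile(r"^ip prefix-list (\S+) seq \d+ permit (\S+)((?: (?:ge|le) \d+)*)")


def audit_route_leaks(config: str) -> list[str]:
    """For each route-replicate: its route-map and prefix-lists must be defined, no permit
    clause may be unfiltered (leaks every static route), no entry may permit any prefix."""
    rmaps, plists, leaks, clauses = {}, {}, [], None
    for line in config.splitlines():
        if m := RE_REPL.search(line):
            leaks.append((m[1], m[2]))
        elif m := RE_RMAP.match(line):
            clauses = rmaps.setdefault(m[1], [])
            clauses.append((m[2], []))  # (action, prefix-lists matched by the clause)
        elif (m := RE_MATCH.match(line)) and clauses:
            clauses[-1][1].append(m[1])
        elif m := RE_PL.match(line):
            plists.setdefault(m[1], []).append((m[2], m[3]))
    findings = []
    for src, rm in leaks:
        if rm not in rmaps:
            findings.append(f"{src}->{rm}: route-map not defined")
        for action, pls in rmaps.get(rm, []):
            if action == "permit" and not pls:
                findings.append(f"{src}->{rm}: unfiltered permit leaks all routes")
            for pl in pls:
                if pl not in plists:
                    findings.append(f"{src}->{rm}: prefix-list {pl} not defined")
                elif any(p == "0.0.0.0/0" and "le" in mods for p, mods in plists[pl]):
                    findings.append(f"{src}->{rm}: prefix-list {pl} permits any prefix")
    return findings
```

Run against the sample it reports only the undefined Leak-Default-Route map; feed it a `show running-config` capture to check a real site before the leak goes live.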