On Prem Controllers Deployment | vBond sits in DMZ with NAT 1:1 | vSmart , vManage lives in inside zone and talks to vBond in DMZ using Hairpinning

Ibrahim Jamil
Level 6

Hi Guys
vBond sits in the DMZ with 1:1 NAT.

vSmart and vManage live in the inside zone and talk to vBond in the DMZ using hairpinning.


Question
========

When the cEdge talks to vBond over the Internet and gets authenticated, how does vBond hand the IPs of vSmart and vManage to the cEdge, even though the vSmart and vManage controllers hold private IPs?


thanks

5 Replies

nriv
Level 1

The vSmarts and vManage do not have a NATed public IP address? Then the cEdge will not be able to build control connections over the Internet transport. The vBond will only send the cEdge the IPs it knows, and those will be the private IP addresses of the vSmart and vManage.


Larch
Level 1

I am also looking for an answer to that. I have been able to authenticate the vEdge and establish control connections. In my topology vBond is published to multiple networks. The problem is, sometimes the vEdge tries to connect to the wrong IPs of vManage and vSmart.

Hi,

vBond provides both the public and private IP addresses and the tunnel interface color of the controllers to edge devices.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#SDWANValidatorasaNATTraversalFacilitator

Based on the local TLOC color and the remote controller color, the edge device decides whether it should connect to the private or the public IP of the remote controller. If one of them is a public color, then the public IP is used. If both are private colors, then the private controller IP is used.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#CommunicationBetweenPrivateandPublicColors

In the case of public IPs, they should be reachable via NAT (over the Internet), or you can even advertise the public IPs in private networks like MPLS.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#OnPremiseControlComponentDeployment

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Appreciate your effort.

Is it a requirement for all 3 controllers to have 1:1 NAT? Or can vSmart and vManage be behind NAT overload?

I have gone through the docs. But after reading a few other discussions I am a bit confused. Sometimes I think all 3 must be 1:1 NAT.


I cannot imagine how vSmart and vManage behind PAT will work, even if the router has a pure public IP. The router cannot initiate such traffic. I explained that point here:

https://community.cisco.com/t5/sd-wan-and-cloud-networking/vmanage-dehind-a-nat/td-p/4912352

By the way, for controller design cases you can refer to the "3 Steps to Design Cisco SD-WAN On-Prem" sessions at https://www.ciscolive.com/on-demand.html. It is very well explained there as well.

Thus, yes, you need a public IP or 1:1 NAT for the controllers if any node exists on the Internet.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
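An added illustration (not code from the thread, Cisco, or the design guide) of the two points made in these replies: vBond hands the edge both addresses plus the controller colour, the edge picks the private address only when both colours are private, and a controller with no 1:1 NAT address can only be advertised with its private IP, which an Internet-side edge cannot reach. The controller names, colours, addresses and the "Internet does not route RFC1918" reachability rule are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco SD-WAN private colours; any other colour (biz-internet, lte, ...) is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1", "private2", "private3",
                  "private4", "private5", "private6"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Controller:
    name: str
    color: str
    private_ip: str
    public_ip: Optional[str] = None  # 1:1 NAT address; None = no static NAT

def is_private_color(color: str) -> bool:
    return color in PRIVATE_COLORS

def vbond_advertisement(ctrl: Controller) -> dict:
    """What vBond hands the edge: both addresses plus the controller's colour.
    With no 1:1 NAT, vBond only knows the private address (nriv's point)."""
    return {"color": ctrl.color, "private_ip": ctrl.private_ip,
            "public_ip": ctrl.public_ip or ctrl.private_ip}

def choose_address(local_color: str, adv: dict) -> str:
    """Both colours private -> private IP; if either is public -> public IP."""
    if is_private_color(local_color) and is_private_color(adv["color"]):
        return adv["private_ip"]
    return adv["public_ip"]

def reachable(local_color: str, addr: str) -> bool:
    """Assumption: MPLS (private colour) routes RFC1918 space, the Internet does not."""
    ip = ipaddress.ip_address(addr)
    return is_private_color(local_color) or not any(ip in net for net in RFC1918)

def simulate(local_color: str, controllers: list) -> dict:
    """{controller name: (address the edge will try, control connection possible)}"""
    out = {}
    for ctrl in controllers:
        addr = choose_address(local_color, vbond_advertisement(ctrl))
        out[ctrl.name] = (addr, reachable(local_color, addr))
    return out

# Constructed sample from the question: vBond 1:1 NATed in the DMZ, vSmart/vManage inside, no NAT.
CONTROLLERS = [
    Controller("vBond", "biz-internet", "10.0.1.5", public_ip="203.0.113.5"),
    Controller("vSmart", "biz-internet", "10.0.2.10"),
    Controller("vManage", "biz-internet", "10.0.2.20"),
]
```

Running `simulate("biz-internet", CONTROLLERS)` shows vBond reachable through its NAT address while vSmart and vManage are handed out as 10.0.2.x and fail from the Internet; giving them a 1:1 NAT address, or using an MPLS-coloured edge, makes the same selection succeed.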
