
On Prem SD-WAN validated design

williamae
Level 1

Hi folks,

I am trying to understand the best way to deploy the Cisco SD-WAN modules (on-prem) so that I don't expose vManage and vSmart to the internet unnecessarily. My preference would be the following, based on my understanding from the Cisco Press SD-WAN book:

vManage: 192.168.1.100 > Dynamic NAT to a public IP address (Do I have to? I am under the impression that vBond will do the talking and vSmart will communicate with the vEdges via OMP. Do I still need vManage to talk directly to vEdges?)

vSmart: 192.168.1.101 > Dynamic NAT to a public IP address

vBond: 192.168.2.100 > Static 1:1 NAT to another public IP

vBond address configured on vManage, vSmart and vBond (CLI and GUI): 192.168.2.100

Technically, the IP address of vBond that I enter in the vManage CLI and GUI, as well as in the vSmart CLI, should be 192.168.2.100.

I have set this design up; however, the vEdge does not register in vManage. I see that it tries to reach vManage at 192.168.1.100 from a public network, which is not right. My understanding is that this should not happen at all, because vBond is acting as a relay.

***Please note that a Cisco ASA is taking care of the zones.*** I also tried with a Cisco router with no zoning or firewall capability, and no joy.

My second attempt was to assign each controller a static public IP (again, just to get things to work, but I really don't like this idea; I would still prefer to lock vManage down completely, with no internet access except for license renewal from time to time).

vManage: 192.168.1.100 > Static 1:1 NAT to public IP X.X.X.100

vSmart: 192.168.1.101 > Static 1:1 NAT to public IP X.X.X.101

vBond: 192.168.2.100 > Static 1:1 NAT to public IP X.X.X.102

vBond address configured on vManage, vSmart and vBond (CLI and GUI): 192.168.2.100

The result of this test was also a failure. I see the vEdge is still trying to reach vManage on random UDP ports at 192.168.1.100, which is wrong.

My third attempt was a not-so-lovely combination of public IP addresses and NAT on the Cisco ASA.

vManage: 192.168.1.100 > Dynamic NAT to public IP X.X.X.101

vSmart: 192.168.1.101 > Dynamic NAT to public IP X.X.X.101

vBond: 192.168.2.100 > Static 1:1 NAT to public IP X.X.X.102

vBond address configured across the whole setup (CLI and GUI): public IP X.X.X.102

I NATed the outbound vManage and vSmart traffic so that they reach vBond via a public IP address, and vBond also responds to vManage with a public IP address. Again, not desired at all, but this test also failed.

The only time I got a result was by placing the vEdge in the same broadcast domain as vManage, vBond and vSmart.

Now I am trying to understand the logic behind the on-premises deployment. The official Cisco book doesn't exactly say what the validated design is. Should I let the controllers talk to each other with public IP addresses? Should I translate them, and if so, what is the correct IP for vBond in the setup: the private or the public one?

Could anyone help me understand the concept a little better?

Thanks.

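As an added example (written for this page; it is not code from the poster, from Cisco, or a description of documented Cisco SD-WAN behaviour), the following Python model captures one reading of the three failed attempts: an orchestrator that records the source address of each controller's own registration session and advertises exactly that address to edges. Under that assumption, a controller that reaches vBond over the inside path registers with its RFC 1918 address, which is what the edge then tries to contact, and a controller that reaches vBond through dynamic PAT registers with an ephemeral public port that an unsolicited session from the internet cannot traverse. The fourth case (static 1:1 NAT plus vBond configured with its public address) goes beyond what the post tried. The public addresses 203.0.113.x, the UDP port 12346, the `Nat` class and the `run` function are all constructed for the model; whether the real control plane behaves this way has to be confirmed against Cisco's documentation.

```python
# Toy model of an orchestrator learning controller addresses from the source of
# each controller's registration session, then handing them to an internet edge.
# Added example, not Cisco's code or documented behaviour; NAT semantics simplified.
from dataclasses import dataclass, field
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for RFC 1918 space, which an edge on the internet cannot route to."""
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)


@dataclass
class Nat:
    """Simplified NAT device in front of the controllers (hypothetical model)."""
    kind: str                      # "static" = 1:1 full-cone, "dynamic" = PAT
    mapping: dict                  # private IP -> public IP
    _bindings: dict = field(default_factory=dict)   # (pub_ip, pub_port) -> (priv_ip, priv_port)
    _next_port: int = 40000

    def outbound(self, src_ip: str, src_port: int):
        """Translate a flow leaving the private side; returns the public (ip, port)."""
        pub_ip = self.mapping[src_ip]
        if self.kind == "static":
            pub = (pub_ip, src_port)          # 1:1 NAT keeps the port
        else:
            self._next_port += 1
            pub = (pub_ip, self._next_port)   # PAT picks an ephemeral port
        self._bindings[pub] = (src_ip, src_port)
        return pub

    def inbound(self, dst_ip: str, dst_port: int):
        """Unsolicited packet from the internet: which inside host gets it, if any."""
        if self.kind == "static":
            for priv, pub in self.mapping.items():
                if pub == dst_ip:
                    return (priv, dst_port)   # full cone: every port is forwarded
            return None
        # PAT: a new session from the edge is a different 5-tuple from the
        # controller's outbound binding, so it matches nothing and is dropped.
        return None


CTRL_PORT = 12346   # control-plane UDP port; value assumed for the model


def run(nat: Nat, controllers: dict, vbond_reach: str) -> dict:
    """controllers: name -> private IP.
    vbond_reach: "private" if controllers reach vBond over the inside path
    (vBond configured with its private IP), "public" if they are hairpinned
    through the NAT (vBond configured with its public IP).
    Returns name -> (address vBond would advertise, reachable from the internet)."""
    result = {}
    for name, priv_ip in controllers.items():
        if vbond_reach == "private":
            seen = (priv_ip, CTRL_PORT)        # vBond sees the untranslated source
        else:
            seen = nat.outbound(priv_ip, CTRL_PORT)
        # The edge opens a brand-new session towards the advertised address.
        if is_private(seen[0]):
            reachable = False
        else:
            reachable = nat.inbound(*seen) == (priv_ip, CTRL_PORT)
        result[name] = (seen, reachable)
    return result


CONTROLLERS = {"vManage": "192.168.1.100", "vSmart": "192.168.1.101"}   # from the post


def attempt1():   # dynamic NAT for vManage/vSmart, vBond configured as 192.168.2.100
    nat = Nat("dynamic", {"192.168.1.100": "203.0.113.101", "192.168.1.101": "203.0.113.101"})
    return run(nat, CONTROLLERS, "private")


def attempt2():   # static 1:1 NAT, vBond still configured as 192.168.2.100
    nat = Nat("static", {"192.168.1.100": "203.0.113.100", "192.168.1.101": "203.0.113.101"})
    return run(nat, CONTROLLERS, "private")


def attempt3():   # dynamic NAT, vBond configured with its public IP
    nat = Nat("dynamic", {"192.168.1.100": "203.0.113.101", "192.168.1.101": "203.0.113.101"})
    return run(nat, CONTROLLERS, "public")


def attempt4():   # not in the post: static 1:1 NAT and vBond configured with its public IP
    nat = Nat("static", {"192.168.1.100": "203.0.113.100", "192.168.1.101": "203.0.113.101"})
    return run(nat, CONTROLLERS, "public")


if __name__ == "__main__":
    for f in (attempt1, attempt2, attempt3, attempt4):
        print(f.__name__, f())
```

In this model, attempts 1 and 2 both advertise 192.168.1.100 to the edge (matching the symptom in the post) because vBond only ever saw the controllers' inside addresses; attempt 3 advertises a public address but with a PAT port that drops the edge's new session; only the fourth case yields an address that is both public and reachable on every port. The model says nothing about whether vManage actually needs to be reachable from edges at all, which is the question the post raises.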