09-30-2019 06:54 AM - edited 09-30-2019 06:56 AM
Hello
We have set up the lab with 3 controllers (vManage, vBond & vSmart) installed on a VMware ESXi host. The controllers are behind a firewall, therefore what are the NAT requirements to allow communication between vEdge and controllers? Do we need to NAT all three controllers?
Thanks
11-15-2019 11:11 AM
Hi,
Sorry for the late response.
If you are using Internet only as a transport for on-prem controllers to vEdge or cEdge communication, then in this case you will have to use one public IP address for each controller, which means vManage, vBond and vSmart, and you will have to configure the NAT on your firewall. When remote-site vEdge or cEdge routers communicate with the on-prem controllers, NAT will translate the public IP address of vManage, vBond and vSmart to the private IP address.
Below is the explanation for Internet as a transport:-
On-Prem Controllers Deployment:-
For Controllers Communication :-
=> vSmart and vManage point to the vBond IP address - NATed public IP address
=> vBond learns the interface private and NATed public IP address of vSmart and vManage - Private is pre-NAT, public is post-NAT
=> vSmart and vManage use interface private IP addresses for communication - vSmart and vManage use private color (non-default) - Private color to private color uses private IP address
------------------------------------------------------------------------------------
For vEdge or cEdge to Controller Communications:-
=> vEdge/cEdge points to the vBond FQDN that resolves to both public and private IP addresses
=> vEdge/cEdge communicates with vSmart and vManage NATed public IP addresses over Internet and interface private IP addresses over MPLS - Private color to private color uses private IP address, private color to public color uses public IP address
Below I have added one image for clarity:-
Kindly let me know if you have further queries for SD-WAN deployment.
Kindly hit the helpful button and mark as solved if this post has helped you.
Happy learning!!
Thanks & Regards,
Rohit Raj
11-15-2019 11:25 AM
11-15-2019 12:28 PM
Again I am answering you, kindly read it very carefully:-
=> vSmart and vManage use interface private IP addresses for communication - vSmart and vManage use private color (non-default) - Private color to private color uses private IP address
Explanation:- we are using the private IP address for communication between vManage and vSmart, so in this case we use private color.
Also, if you use the public IP address for communication between vManage and vSmart, then in this case you use public color.
If you use Internet as a transport, vSmart and vManage do not require to talk to each other on a public IP address, but vBond to vSmart, vBond to vManage and vBond to cEdge/vEdge router communication uses the NATed IP address.
When remote-site cEdge/vEdge routers are provisioned, vBond is the first point of contact. It performs the initial authentication of cEdge/vEdge devices and orchestrates vSmart and cEdge/vEdge connectivity. It establishes a temporary DTLS connection with the cEdge/vEdge routers and shares the IP addresses of vSmart and vManage; at the same time vBond informs vSmart and vManage that a new cEdge/vEdge is going to connect with them. Then vManage authenticates and establishes the DTLS/TLS tunnel with the cEdge/vEdge router and pushes the full configuration file of the cEdge/vEdge if available. Then vSmart authenticates and establishes the DTLS/TLS tunnel with the cEdge/vEdge router, after which the OMP session is established and the exchange of routes happens.
===================================================================================
Explanation for transport color and control connections:-
If Local color = Public and Controller color = Public, use Public IP
If Local color = Private and Controller color = Public, use Public IP
If Local color = Private and Remote color = Private, use Private IP
======================================================================================
I hope this has answered your question; if you think so, kindly hit the helpful button and mark this thread as solved so that others can get this as a solution.
Keep posting your doubts for SD-WAN,
Regards,
Rohit Raj
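To make the color rules and the one-public-IP-per-controller requirement from the answers above concrete, here is an added example (not from the thread or from Cisco). It models a vBond-style controller list with pre-NAT and post-NAT addresses, picks the address a device should use based on its local color, and checks that the firewall NAT plan gives every controller a distinct public IP. The color sets and all addresses are assumptions made up for the example.

```python
from dataclasses import dataclass

# Assumption: color classes follow Cisco SD-WAN's private/public color split
# (extend these sets for the colors used in your own deployment).
PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1", "private2"}
PUBLIC_COLORS = {"biz-internet", "public-internet", "default"}

def is_private(color: str) -> bool:
    """Classify a TLOC color; unknown names are rejected rather than guessed."""
    if color in PRIVATE_COLORS:
        return True
    if color in PUBLIC_COLORS:
        return False
    raise ValueError(f"unknown color: {color!r}")

@dataclass(frozen=True)
class Controller:
    name: str
    private_ip: str  # interface address (pre-NAT), learned by vBond as 'private'
    public_ip: str   # firewall 1:1 NAT address (post-NAT), learned as 'public'
    color: str       # color on the controller's tunnel interface

def address_for(local_color: str, ctrl: Controller) -> str:
    """Private-to-private uses the private IP; any pairing with a public color uses the public IP."""
    if is_private(local_color) and is_private(ctrl.color):
        return ctrl.private_ip
    return ctrl.public_ip

def control_plan(local_color: str, controllers: list[Controller]) -> dict[str, str]:
    """Destination address a device with local_color should use for each controller."""
    return {c.name: address_for(local_color, c) for c in controllers}

def check_nat_plan(controllers: list[Controller]) -> list[str]:
    """Internet reachability needs one distinct public (NATed) IP per controller."""
    problems, owner = [], {}
    for c in controllers:
        if not c.public_ip:
            problems.append(f"{c.name}: no public IP, unreachable over the Internet")
        elif c.public_ip in owner:
            problems.append(f"{c.name}: public IP {c.public_ip} already used by {owner[c.public_ip]}")
        else:
            owner[c.public_ip] = c.name
    return problems

# Constructed lab (made-up addresses): vManage/vSmart on a private color as advised, vBond on the default public color.
LAB = [
    Controller("vmanage", "10.10.0.11", "203.0.113.11", "mpls"),
    Controller("vsmart", "10.10.0.12", "203.0.113.12", "mpls"),
    Controller("vbond", "10.10.0.13", "203.0.113.13", "default"),
]
```

Running `control_plan("biz-internet", LAB)` returns the three NATed public addresses, while `control_plan("mpls", LAB)` returns the private addresses of vManage and vSmart but still the public address of vBond, matching the thread's rule table.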
05-10-2020 10:33 PM - edited 05-10-2020 10:39 PM
I am a bit confused about the colors of controllers. Looking at the Ciscolive BRKRST-2559 page 12 and 13 show that controllers should use PUBLIC color and private IP.
You are saying we need to use private colors on vSmart and vManage. Can you elaborate on why you use private colors. Also the vBond has no color assigned on the photos which is weird since it has tunnel-interface enabled and is using public color by default. The picture however, does not show any color.
02-28-2022 06:33 AM
Hi Rohit,
We are using a hybrid solution setup mixed with INET and MPLS.
Controllers are deployed in the DMZ of the firewall.
All controllers are 1-to-1 NATed and exposed to the Internet.
Do I need to configure the vBond public IP in the vManage/vSmart system configuration, or the private IP?
Colors:- Can I use a private color on vManage/vSmart VPN0?
Please share the firewall matrix sheet.
10-23-2019 10:51 PM
And yes, you do need to NAT them since the vEdges will need to connect to them via the Internet.