SD-WAN design/implementation questions

Malik222 (Level 1)

Hello Guys!

I'm a newbie struggling with our company's new PoC for SD-WAN.... I have a couple of questions somebody can hopefully answer:

1.) I have a VPN segment for users that is full mesh between branches. I want to add a new VPN that for security reasons cannot communicate between branches; all communication has to go through firewalls in the DC. How do I solve this? Can I block the sites from learning each other's TLOCs? Or do I direct the TLOCs for this VPN to the DC?
2.) I want my guest VPN to have only internet access and no access to the DC. I read that I create DIA. Is it possible to create a centralized policy to do the NAT of the guest VPN to VPN 0, and another that would block the guest VPN from being advertised in OMP?


Thank you!
Malik

1 Reply

Hi,

1) If you block one branch from learning another branch's TLOC, then you will never have BFD/IPsec toward that branch from the local one. So, all VPN traffic will go to HQ. In general, if you need a full mesh design but want to filter spoke-to-spoke traffic for a certain VPN, then you simply need to not advertise branch routes toward branches in vSmart. For your case, it is not mandatory actually, because, as I understand, you still need branch-to-branch connectivity but via the DC firewall, yes? If yes, then you need to advertise the FW (service routes) in that VPN. Then use a centralized data policy to send traffic to the "FW" that exists in that VPN for certain traffic flows. This way, you simply override normal routing even though Branch_A has routes toward Branch_B. Br_A will send traffic to the "FW" that is advertised by the HQ devices, or in simple words, it will send traffic to HQ. The HQ devices will see that the traffic should pass through service "FW" and they will send it to the FW. After receiving the filtered traffic from the firewall node, the HQ device will route the traffic toward Br_B.

Btw, there is a new feature, "service insertion tracker". You can track the inserted service node to eliminate any type of black holing when the node is not available.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/vedge-20-x/policies-book/service-chaining.html

2) If you need DIA in all sites (branches), then you simply need to not advertise routes from one site to another using a central control policy in vSmart. Then there is a simple solution: a NAT DIA route. In the respective VRF, just create a default route in the VPN template and point it to NAT VPN 0. You should have NAT configuration in the interface templates of the transport interface (internet).

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2020aug.pdf

HTH,
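As an added illustration of the two answers above (this is example configuration written for this page, not the reply author's or Cisco's own config), the following puts both pieces into vSmart centralized policy plus the matching vEdge configuration, using vEdge 20.x CLI syntax. All identifiers are assumptions: VPN 10 is the user VPN that must be forced through the DC firewall, VPN 20 is the guest VPN, site-id 1 is the DC, site-ids 100-199 are branches, 10.0.0.0/8 stands for the branch user networks, 10.1.10.254 is the firewall's address in VPN 10 at the DC, and ge0/0 is the branch internet transport interface.

```cisco
! ---- vSmart centralized policy (assumed names, site-ids and prefixes) ----
policy
 lists
  vpn-list USER_VPN10
   vpn 10
  vpn-list GUEST_VPN20
   vpn 20
  site-list BRANCHES
   site-id 100-199
  site-list DC
   site-id 1
  data-prefix-list BRANCH_USER_NETS
   ip-prefix 10.0.0.0/8
 !
 ! (1) Branch-to-branch flows in VPN 10 are steered to the "FW" service that
 !     the DC advertises in that VPN. This overrides the direct OMP route that
 !     Branch_A still holds toward Branch_B, so the DC firewall sees every flow.
 data-policy DP_VPN10_VIA_DC_FW
  vpn-list USER_VPN10
   sequence 10
    match
     destination-data-prefix-list BRANCH_USER_NETS
    !
    action accept
     set
      service FW vpn 10
     !
    !
   !
   default-action accept
  !
 !
 ! (2) Guest VPN 20 routes are rejected before vSmart advertises them to any
 !     branch, so guest hosts never learn a path to the DC or to other sites;
 !     their only exit is the local default route into NAT on VPN 0 (DIA).
 control-policy CP_NO_GUEST_ROUTES
  sequence 10
   match route
    vpn-list GUEST_VPN20
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list BRANCHES
  data-policy DP_VPN10_VIA_DC_FW from-service
  control-policy CP_NO_GUEST_ROUTES out
 !
!
! ---- DC vEdge: advertise the firewall as service "FW" inside VPN 10 ----
! (assumed firewall address; the DC router must be able to reach it in VPN 10)
vpn 10
 service FW address 10.1.10.254
!
! ---- Branch vEdge: NAT on the transport interface and a guest default
!      route that points into VPN 0 (NAT DIA route) ----
vpn 0
 interface ge0/0
  nat
  !
 !
!
vpn 20
 ip route 0.0.0.0/0 vpn 0
!
```

Two design notes. The data policy is applied to every branch in the `from-service` direction, so return traffic from Branch_B toward Branch_A is steered through the DC firewall as well; applying it only to one branch would give an asymmetric path that a stateful firewall will drop. The control policy is applied `out` toward the branch site-list, which also stops guest prefixes from the DC itself reaching branches, matching the requirement that the guest VPN has no path to the DC; verify on a branch with `show omp routes vpn 20` (expect no learned prefixes) and `show ip routes vpn 20` (expect only the NAT default route).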