Solved: SDWAN networking TLOC-EXT traffic path problem

haininghuang3185 · ‎11-10-2023

The topology diagram is as follows. Two Cedges at the DC site have TLOC-EXT, and two Cedges at the Spoke site have TLOC-EXT. The DC site is connected to two ISP links. Both ISP links are behind the firewall. Will there be asymmetric traffic problems in such a network? That is, the traffic from the Spoke site to the DC site comes in from ISP1 and then goes out from ISP2. Is it considered asymmetric traffic by ISP2's firewall and discarded?

Kanan Huseynli · ‎11-15-2023

Hi,

in general, it is asymmetric traffic. But in SD-WAN router to router traffic is encapsulated, so firewall (if it inspects only L3/L4) will see UDP traffic from cEdge IP to another cEdge IP.

If it also inspects upper layer protocols depending on behavior may or may not block. Generally, you should allow router to router traffic (by IP) and you are OK.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

View solution in original post

Kanan Huseynli · ‎11-15-2023

Hi,

in general, it is asymmetric traffic. But in SD-WAN router to router traffic is encapsulated, so firewall (if it inspects only L3/L4) will see UDP traffic from cEdge IP to another cEdge IP.

If it also inspects upper layer protocols depending on behavior may or may not block. Generally, you should allow router to router traffic (by IP) and you are OK.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

MHM Cisco World · ‎11-19-2023

It asymmetric you can use

FW HW

Or

Tcp bypass (since tcp is most traffic face issue with asymmetric routing)

Note:- vrrp preference make traffic only via one cedge but in case the vrrp status change then traffic will drop.