11-12-2020 04:56 PM - edited 11-12-2020 11:54 PM
Hi Experts,
New in SDWAN, and trying to figure out whether the below will be achievable with our environment:
- Branches (2 sites) will have only 1 WAN-Internet cloud for connectivity to both DC/Hub and Internet
- Hub and Spoke topology (all branches traffic will traverse via DC only)
- Only 1 Service VPN created (small branch)
My questions are, with only 1 uplink (Internet):
1- Is there a possibility for Branches' Internet (public) based traffic to go direct without going via the DC/Hub?
2- And other traffic (private) to go through to the DC?
I know the above can be achieved with the creation of a 2nd Service VPN (VPN2) for connectivity to the Internet directly if no connectivity to the DC/Hub is required (if I'm not wrong).
TIA
11-12-2020 10:49 PM - edited 11-12-2020 11:12 PM
Hi,
This is achievable in the current design which you have shared, i.e. with one Service VPN.
In addition to the Hub and Spoke Topology you just need to create a Policy which will pass private Traffic as is (to the Hub/DC) and then another sequence which will divert all the other Traffic to Internet DIA, i.e. in Actions you specify NAT VPN.
Hope this solves it.
Rgds,
Saji
11-12-2020 11:54 PM
Hi,
Thanks for your reply.
I did read the DIA docs and can I confirm the below data policy would suffice:
1- Source (Branches), Dst (DC) > Accept
2- Source (Branches) > NAT VPN 0
3- Default action > Accept
Rgds
11-13-2020 12:53 AM - edited 11-13-2020 01:02 AM
Hi Carole,
In Point 1, since you will need Branch to Branch Traffic, it would be nice to include Branches also in the DST, i.e. Spoke to Spoke. This will take care of your Branch to Branch Traffic via DC which you might need.
Point 3 - Since your Branches to Branches is taken care of and Branches to Internet (DIA) is taken care of, maybe a default action of Drop might be better.
So this should help you to achieve the desired results.
Rgds,
Saji Samuel
11-13-2020 01:24 AM
Thanks for your prompt response.
Apologies for not clarifying.
1- There won't be any Branch to Branch traffic, only Branch to DC (and vice versa)
2- Both Branch and DC are in the range of RFC 1918
3- Only a Default route (to DC) is in the Service VPN (VPN1)
4- Do we need 1 data policy for each branch?
Data Policy:
1- Source: RFC 1918, Dst: RFC 1918, Action: Accept (Branch to DC traffic)
2- Source: Branches Prefix, Action: NAT VPN 0 (Branch to Internet traffic)
3- Default Accept
Just want to ensure the data policy is correct before applying and bringing down the site (as we do not have any local console on the branch).
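The three-sequence data policy discussed in this thread, written out as a vSmart centralized policy in Cisco SD-WAN CLI form; this is an added example, not configuration posted by anyone in the thread. The site IDs (100, 200), the VPN number (1), the list names and the branch prefixes are assumptions; the RFC 1918 ranges are the standard ones.

```cisco
! Added example: one data policy applied to a site-list covers every
! branch in that list, so a per-branch policy is not needed.
policy
 lists
  data-prefix-list RFC1918
   ip-prefix 10.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  !
  data-prefix-list BRANCH-LANS
   ip-prefix 10.10.0.0/24
   ip-prefix 10.20.0.0/24
  !
  site-list BRANCHES
   site-id 100
   site-id 200
  !
  vpn-list SERVICE-VPN1
   vpn 1
  !
 !
 data-policy BRANCH-DIA
  vpn-list SERVICE-VPN1
   ! Sequence 10 must come first: private-to-private traffic stays on
   ! the overlay toward the DC and is never NATted out of VPN 0.
   sequence 10
    match
     source-data-prefix-list RFC1918
     destination-data-prefix-list RFC1918
    !
    action accept
    !
   !
   ! Sequence 20: everything else from the branch LANs breaks out locally.
   sequence 20
    match
     source-data-prefix-list BRANCH-LANS
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  data-policy BRANCH-DIA from-service
 !
!
```

Review the policy with the branch's `show policy from-vsmart` output before relying on it, and consider `default-action drop` once every expected flow is confirmed to hit sequence 10 or 20, as suggested earlier in the thread.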