SDWAN Question with 1 WAN interface

cxo-179682
Level 1

Hi Experts,

 

New to SD-WAN, and trying to figure out whether the below will be achievable in our environment:

- Branches (2 sites) will have only 1 WAN/Internet cloud for connectivity to both the DC/Hub and the Internet

- Hub-and-spoke topology (all branch traffic will traverse the DC only)

- Only 1 Service VPN created (small branch)

 

My questions, with only 1 uplink (Internet), are:

1- Is there a possibility for branch Internet (public) traffic to go direct, without going via the DC/Hub?

2- And for other traffic (private) to go through the DC?

 

I know the above can be achieved by creating a 2nd Service VPN (VPN2) for direct Internet connectivity if no connectivity to the DC/Hub is required (if I'm not wrong).

 

TIA

4 Replies

Saji Samuel
Level 1

Hi,

 

This is achievable in the current design which you have shared, i.e. with one Service VPN.

In addition to the hub-and-spoke topology, you just need to create a policy which will pass private traffic as is (to the Hub/DC), and then another sequence which will divert all the other traffic to the Internet via DIA, i.e. in Actions you specify NAT VPN.

 

Hope this solves it.

 

Rgds,

Saji 

 

Hi,

 

Thanks for your reply.

 

I did read the DIA docs; can I confirm the below data policy would suffice:

1- Source (Branches), Dst (DC) > Accept

2- Source (Branches) > NAT VPN 0

3- Default action > Accept 

 

Rgds

Hi Carole,

 

In Point 1, since you will need branch-to-branch traffic, it would be nice to include Branches also in the DST, i.e. spoke to spoke. This will take care of the branch-to-branch traffic via the DC which you might need.

Point 3 - Since your branch-to-branch traffic is taken care of and branch-to-Internet (DIA) is taken care of, maybe a default action of Drop might be better.

 

So this should help you to achieve the desired results. 

 

Rgds,

Saji Samuel 

Thanks for your prompt response.

 

Apologies for not clarifying.

1- There won't be any branch-to-branch traffic, only branch to DC (and vice versa)

2- Both the branches and the DC are in the RFC 1918 range

3- Only a default route (to the DC) is in the Service VPN (VPN1)

4- Do we need 1 data policy for each branch ?

 

Data Policy :

1- Source: RFC 1918, Dst: RFC 1918, Action: Accept (Branch to DC traffic)

2- Source: Branches Prefix, Action: NAT VPN 0 (Branch to Internet traffic)

3- Default Accept 


Just want to ensure the data policy is correct before applying it and bringing down the site (as we do not have any local console on the branch).
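As an added illustration, not part of the thread and not Cisco tooling: the policy in the last post (and the two-sequence design Saji describes in his first reply) evaluated by a small first-match simulator, which is how a vSmart centralized data policy processes sequences. It lets you dry-run the sequences against sample flows before pushing the policy to a site with no console. All prefixes and flow addresses are constructed sample values; the action string `nat use-vpn 0` is the vSmart CLI spelling of the "NAT VPN" action selected in vManage; the `misordered` helper is hypothetical and only exists to show what happens if the DIA sequence is placed ahead of the private-traffic sequence.

```python
"""Dry-run a Cisco SD-WAN style centralized data policy (added example).

Each sequence carries optional source/destination prefix-list matches and an
action; sequences are tried in order and the first match wins. If nothing
matches, the policy's default action applies. Addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed data-prefix lists. The poster says both the branches and the DC
# live in RFC 1918 space, so "private to private" is the overlay traffic.
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRANCH_PREFIXES = [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")]


def in_list(addr, prefixes):
    """True when addr falls inside any prefix of the list."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


# Mirrors the final policy from the thread:
#   seq 10: src RFC1918, dst RFC1918 -> accept (branch <-> DC over the overlay)
#   seq 20: src branch prefixes       -> nat use-vpn 0 (local Internet breakout)
#   default-action drop (Saji's suggestion; the poster's draft had accept)
DIA_POLICY = {
    "sequences": [
        {"name": "seq10-private", "src": RFC1918, "dst": RFC1918, "action": "accept"},
        {"name": "seq20-dia", "src": BRANCH_PREFIXES, "dst": None, "action": "nat use-vpn 0"},
    ],
    "default_action": "drop",
}


def evaluate(policy, src, dst):
    """Return (matching sequence name, action); ('default', ...) if none match."""
    for seq in policy["sequences"]:
        if seq["src"] is not None and not in_list(src, seq["src"]):
            continue
        if seq["dst"] is not None and not in_list(dst, seq["dst"]):
            continue
        return seq["name"], seq["action"]
    return "default", policy["default_action"]


# Constructed sample flows seen from the branch service VPN (from-service).
FLOWS = [
    ("192.168.10.25", "10.1.1.10"),      # branch host -> DC server: stay in overlay
    ("192.168.10.25", "93.184.216.34"),  # branch host -> Internet: DIA via NAT in VPN 0
    ("192.168.10.25", "192.168.20.7"),   # branch -> other branch: overlay, relayed by hub
    ("172.20.0.5", "93.184.216.34"),     # source not in branch list -> Internet: default action
]


def check_policy(policy, flows=FLOWS):
    """Evaluate every sample flow; keys are 'src->dst' strings."""
    return {f"{s}->{d}": evaluate(policy, s, d) for s, d in flows}


def misordered(policy):
    """Hypothetical variant with the DIA sequence first, to show why order matters."""
    return {**policy, "sequences": list(reversed(policy["sequences"]))}


if __name__ == "__main__":
    for flow, (seq, action) in check_policy(DIA_POLICY).items():
        print(f"{flow:35} {seq:15} {action}")
    print("--- DIA sequence placed before the private sequence ---")
    for flow, (seq, action) in check_policy(misordered(DIA_POLICY)).items():
        print(f"{flow:35} {seq:15} {action}")
```

Two things the dry run makes visible that the prose does not: with the private sequence first, branch-to-DC traffic is accepted and stays in the overlay while only non-RFC 1918 destinations hit the NAT action; with the sequences swapped, the branch-to-DC flow also matches the NAT sequence and would be sent out the Internet interface, which is the kind of mistake that strands a site. The simulator only models the service-side data path: vEdge/cEdge control connections to vManage and vSmart are built from VPN 0, so a bad service-VPN data policy does not by itself cut the device off from vManage, and the policy can be corrected centrally. The real CLI also offers a `fallback` keyword on the NAT action (`nat use-vpn 0 fallback`) so that Internet-bound traffic follows the overlay default route if the local NAT path is unavailable; whether that is wanted depends on whether the DC is expected to carry Internet traffic at all.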
