
vBond IP Addressing in Hybrid SD-WAN Deployment with MPLS and Internet

vin.marco
Level 1

Hi everyone,
I’m working on a hybrid SD-WAN solution where all controllers are deployed on-prem, behind a firewall.
I have two types of connectivity available: MPLS and Internet.

[attached image: vinmarco_0-1758275448348.png (topology diagram)]

During the device onboarding process:
Devices using MPLS will have the vBond configured with a private IP, while devices using Internet will need to use a public IP, which will then be NATed to the private one.
My questions are:

  • Is everything I’ve described above correct?
  • How can I change the vBond IP, since when I generate the bootstrap template, it always inserts the system vBond defined during installation?

Thanks!

9 Replies

Torbjørn
VIP

You should configure them to use the public IP/a DNS record pointing to the public IP of the vBond regardless of where they establish connectivity from. Advertise the public IP of the vBond into the MPLS network as well so that devices attached to the MPLS network also can reach it by that address. Depending on the specifics of your network you will probably have to configure hairpin NAT for this to work.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Ok, this could be a viable solution, but if I map the vBond name to two IPs — one public and one private — in the Host Mapping field of the template, how would it behave?

It will try one first, then fall back to the other if the first is unreachable. Just like it would if you listed multiple A records for the hostname in DNS. I don't believe that the order of priority is deterministic but it should work fine AFAIK.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
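The two replies above describe the behaviour the edge should show: the vBond name resolves to one or more addresses, the device tries them in turn, and the MPLS side only succeeds if it can reach one of them (either the private address from an internal zone, or the public address via hairpin NAT). The script below is an added example, not code from the thread or from Cisco, that models that selection and checks that every transport ends up with a reachable vBond. The hostname `vbond.example.net`, the DNS answers and the reachability table are constructed; the resolver and probe are injectable callables so the same logic can be pointed at real DNS and a real socket probe.

```python
"""Added example (not from the thread): model a WAN Edge working through the
addresses a vBond hostname resolves to, per transport, and check onboarding
would succeed from every transport. All data below is constructed."""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Hypothetical vBond name and split-horizon answers. Addresses are RFC 5737
# (203.0.113.0/24) and RFC 1918 (10/8) so nothing here points at a real host.
VBOND_FQDN = "vbond.example.net"
SAMPLE_DNS: Dict[str, List[str]] = {
    "internet": ["203.0.113.10"],               # public zone: NAT address only
    "mpls": ["203.0.113.10", "10.20.30.40"],    # internal zone: both records
}

# Constructed reachability: (transport, address) -> reachable. Without hairpin
# NAT the public address is not reachable from the MPLS side.
SAMPLE_REACH_NO_HAIRPIN: Dict[Tuple[str, str], bool] = {
    ("internet", "203.0.113.10"): True,
    ("mpls", "203.0.113.10"): False,
    ("mpls", "10.20.30.40"): True,
}
# Same site, but with hairpin NAT on the firewall / router in front of vBond.
SAMPLE_REACH_HAIRPIN = dict(SAMPLE_REACH_NO_HAIRPIN)
SAMPLE_REACH_HAIRPIN[("mpls", "203.0.113.10")] = True

Resolver = Callable[[str, str], Sequence[str]]  # (fqdn, transport) -> addresses
Prober = Callable[[str, str], bool]             # (transport, address) -> reachable


def sample_resolver(fqdn: str, transport: str) -> List[str]:
    """Stand-in for split DNS: the answer depends on which side asks."""
    if fqdn != VBOND_FQDN:
        return []
    return list(SAMPLE_DNS.get(transport, []))


def make_sample_prober(table: Dict[Tuple[str, str], bool]) -> Prober:
    """Stand-in for a DTLS/UDP 12346 probe, answering from a fixed table."""
    return lambda transport, addr: table.get((transport, addr), False)


def dedupe(addrs: Sequence[str]) -> List[str]:
    """Drop duplicate A records while keeping the order the resolver gave."""
    seen, out = set(), []
    for a in addrs:
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


def pick_vbond(fqdn: str, transport: str, resolve: Resolver,
               probe: Prober) -> Tuple[Optional[str], List[str]]:
    """Try each resolved address in order; return the first that answers and
    the full list that was tried (useful when onboarding fails)."""
    tried: List[str] = []
    for addr in dedupe(resolve(fqdn, transport)):
        tried.append(addr)
        if probe(transport, addr):
            return addr, tried
    return None, tried


def onboarding_report(fqdn: str, transports: Sequence[str], resolve: Resolver,
                      probe: Prober) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Run the selection once per transport (Internet, MPLS, ...)."""
    return {t: pick_vbond(fqdn, t, resolve, probe) for t in transports}


def all_transports_ok(report: Dict[str, Tuple[Optional[str], List[str]]]) -> bool:
    """True only if every transport found some reachable vBond address."""
    return all(chosen is not None for chosen, _ in report.values())


if __name__ == "__main__":
    for label, table in (("no hairpin NAT", SAMPLE_REACH_NO_HAIRPIN),
                         ("hairpin NAT", SAMPLE_REACH_HAIRPIN)):
        report = onboarding_report(VBOND_FQDN, ["internet", "mpls"],
                                   sample_resolver, make_sample_prober(table))
        for transport, (chosen, tried) in report.items():
            print(f"{label:15} {transport:9} chose={chosen} tried={tried}")
        print(f"{label:15} onboarding possible everywhere: {all_transports_ok(report)}")
```

Two things the model makes visible: with the internal zone returning both records, the MPLS device succeeds either way, but without hairpin NAT it only succeeds after the public address times out, so if the resolver happens to return the public record first (the order is not guaranteed, as noted above) onboarding is slower; and if the internal zone returned only the public address and hairpin NAT was missing, `pick_vbond` returns `None` for MPLS, which is exactly the failure a split-DNS mistake produces.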

balaji.bandi
Hall of Fame

You can have Local DNS with Local IP address, and Public DNS with Public IP to mitigate this kind of issue.


BB


So, in my template, I would configure two DNS entries: the public one as primary and the private one as secondary. Both DNS entries should have the same vBond name.

You can have one DNS name for both external and internal.

On your internal DNS server, the same DNS entry resolves to the local IP; externally it resolves to the public IP.

BB


vin.marco
Level 1

Ok, everything’s clear, but I think I messed up the topology.
After checking some docs and presentations, I guess I need to rethink it.

I should split the controllers into two DMZs and expose them with NATted IPs. That way, the Internet onboarding works fine.
But I’m not sure how to deal with the MPLS part:

  • Should the firewall handle routing towards MPLS?
  • Do the controllers need two interfaces, one for Internet and one for MPLS?

Still quite a few doubts here

The controllers can only have one interface in VPN0. I usually put a C8Kv in front of the controllers to steer the routing between the different transport networks. The controllers do not do routing and typically need a single default route. If the controllers have private IPs, the C8Kv can also be used to do hairpin NAT for public IP discovery.

vin.marco
Level 1

Ok, but I still have some doubts about the routing.

[attached image: vinmarco_1-1758448205567.png (revised topology diagram)]

If I do the onboarding over MPLS, the vBond will be resolved through the private DNS, which points to a private IP connected to the firewall. In that case, the firewall would handle the routing.