09-06-2019 11:56 AM
For cEdge routers that are connected to MPLS and need to establish control connections to the Cisco Cloud, these connections will backhaul over MPLS and exit onto the internet via centralised hub firewalls.
What NAT solution is recommended at the hub, for example:
Is there a NAT solution that scales well for this?
Thanks in advance.
09-06-2019 11:06 PM
I would prefer a design with local internet access, but if that's not possible, then your design is valid. As long as there is connectivity between the routers and the controllers, it shouldn't matter what type of NAT you are using. It should be fine to use PAT.
Routers will form a different number of control connections depending on how many transports they have. Normally, unless you restrict it, they form control connections over each transport but only one towards vManage. In my setup, with two vSmarts, for a router with a single transport, 3 control connections are used. For a site with dual transports, 5 control connections are used.
The scaling here for your PAT would be based on the number of available ports. Let's say that you have 65000 ports available and each router needs 4 ports on average; that would mean that you could have over 16000 devices using this single IP, if this IP was dedicated for just this use and not used by normal users exiting to the internet with that IP address.
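As an added illustration of the sizing arithmetic in this reply (not code from the thread or from Cisco), the following Python models the per-router control-connection count and the resulting PAT capacity for a whole fleet. It assumes, conservatively, that every persistent control connection consumes one source port on the PAT address with no port reuse across destinations, and takes the 65000-port figure from the reply as the usable pool; the fleet mix and the 20% headroom are constructed values.

```python
"""PAT sizing estimate for SD-WAN control connections that exit via a hub NAT.
Assumptions (not from the thread): one source port per persistent control
connection, no port reuse across destinations, and the usable pool per public
address is the 65000-port figure quoted in the reply."""
from dataclasses import dataclass

USABLE_PORTS_PER_IP = 65000  # figure quoted in the reply; adjust to the NAT's real range


@dataclass
class SiteProfile:
    routers: int              # number of cEdge routers with this profile
    transports_via_hub: int   # transports whose control plane traverses the hub PAT


def control_connections(transports: int, vsmarts: int = 2) -> int:
    """Persistent control connections per router: one to every vSmart over each
    transport plus a single vManage connection (3 for one transport, 5 for two,
    matching the counts observed in the reply with two vSmarts)."""
    return transports * vsmarts + 1


def devices_per_ip(ports_per_device: int, usable_ports: int = USABLE_PORTS_PER_IP) -> int:
    """How many routers one dedicated PAT address can front at a given port need."""
    if ports_per_device <= 0:
        raise ValueError("ports_per_device must be positive")
    return usable_ports // ports_per_device


def plan_pat_pool(sites, vsmarts=2, usable_ports=USABLE_PORTS_PER_IP, headroom_pct=20):
    """Total hub-side control connections for a fleet and the number of public
    PAT addresses needed to carry them with the given percentage headroom."""
    total = sum(s.routers * control_connections(s.transports_via_hub, vsmarts)
                for s in sites)
    needed = -(-total * (100 + headroom_pct) // 100)   # integer ceiling
    ips = max(1, -(-needed // usable_ports))
    return {
        "control_connections": total,
        "ports_with_headroom": needed,
        "public_ips_needed": ips,
        "utilisation_per_ip": round(needed / (ips * usable_ports), 3),
    }


if __name__ == "__main__":
    # Constructed fleet: 950 branches reach the hub over MPLS only (their DIA
    # transport exits locally); 50 sites send both transports through the hub.
    fleet = [SiteProfile(routers=950, transports_via_hub=1),
             SiteProfile(routers=50, transports_via_hub=2)]
    print(control_connections(1), control_connections(2))   # 3 5
    print(devices_per_ip(4))                                 # 16250
    print(plan_pat_pool(fleet))
```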
09-08-2019 08:02 AM
- 1-to-1 is a best practice for controllers if they are behind NAT.
- PAT would work fine.
It is better if you can get an internet connection locally rather than back-hauling. The problem with back-haul for control connections is that if you lose the connection at the hub, you will lose visibility of all of your branches.
Thanks,
Srikanth
09-08-2019 12:18 PM
Thanks for your thoughts.
95% of branch offices will have 1 x MPLS & 1 x DIA, therefore local internet access will be available. However, considering that control connections will still get built over MPLS, plus also to cope with a DIA failure, a NAT (or PAT) solution at the hub is still required.
I believe any of the above solutions would work, but I am still not clear on the best practice.