Hi tzarski,

Thanks for the reply. With your email below i have modified my diagram at the HO which is attached. This is the end state which we are proposing. If you see below the branch site does not have a voice router. SD-WAN at branch is connected to Internet and IPVPN. Customers voice infrastructure is centralised that's why there is a voice router in HO. At HO the SD-WAN is connected to voice router via transport VPN (for tunnel creation) and service VPN (your email gave me this idea). The idea is to use IPVPN (overlay) only for voice and data traffic via Internet (Overlay). The voice traffic flow from branch will be:

Branch Phone->LAN switch->Branch SD-WAN->Overlay (IPVPN)------>HO SD-WAN (Overlay)->Voice router via Service VPN->Voice router

Do you think this is a workable design? Of course during this flow voice traffic may go to call manager in HO LAN but that should not be an issue. Any caveats or gotchas here?

The Voice/IPVPN cloud is also advertising some voice subsets to voice router in HO which will get advertised to HO SD-WAN via service VPN (underlay). By default the HO SD-WAN will advertise those voice subnets to branch sites via the Overlay to branch SD-WAN.

The service VPN between SD-WAN and Voice router at HO will also be used for communication between SD-WAN and non SD-WAN sites, ill share that diagram once we confirm the end state. 

At first look it seems ok, but routing needs to be carefully planned. Especially on hub side when you need to make sure things like:

- hub SD-WAN edge and voice router will not learn branch prefixes via underlay. This is required so that overlay is used for communication (remember OMP admin distance is higher than any service VPN routing and I would not advise to change it)

- in this design there's no way for traffic to flow from hub LAN to voice router and then back to WAN edge to overlay. I understand it's not required here.

Hi tzarski ,

First of apologies i may have tried to discuss end state and transition state in the same email. For now lets just finalize the end state discussion for which i sent the attached diagram before. Attaching it again for reference. This is the network architecture when all sites are fully migrated to SD-WAN. Before that i want to ask one technical question for confirmation:

1) When an uplink is part of transport VPN my understanding is that SD-WAN cannot do underlay routing as everything has to go via the tunnel even if BGP is enabled on that uplink? 

Now to the end state discussion:

In the end state the branch sites will only have SD-WAN with overlay so i guess by default they will not have any underlay routing or even if BGP is enabled they wont participate in underlay routing. In HO the SD-WAN will only learn some subnets from voice routers (via service VPN) which are coming from the service provider (mainly for some voice services hosted in SP cloud) which the SD-WAN will push it down to branch sites via overlay. Does that sound ok?

In this setup the Hub LAN will go to voice router via SD-WAN service VPN and then out to IPVPN to SP cloud to access some voice services or from Hub LAN to branch site via overlay in case of phone extension to extension calls. If this seems all good then we can discuss how the transition to SD-WAN should work.

Thanks,

Aamir