Cisco SD-WAN vEdge Onboarding

Hello Mathias

This looks like a high availability configuration that you’re setting up. You can take a look at this Cisco documentation that gives you detailed information about HA deployments:

From this document, I can give you a high level summary of how you can proceed:

Cisco SD-WAN’s affinity feature allows vEdge devices to intelligently manage control connections to multiple vSmart controllers deployed across different data centers. This ensures optimized connectivity, load balancing, and redundancy within a distributed network architecture.

Controller Group Identifiers
Each vSmart controller is assigned a controller group identifier using the controller-group-id command. These IDs, ranging from 0 to 100, categorize vSmarts by location or function—for example, assigning group 1 to controllers in Data Center 1 (DC1) and group 2 to those in Data Center 2 (DC2). This distinction forms the basis for affinity-based connection preferences on the vEdges.

Configuring Affinity on vEdge
On the vEdge device, the system controller-group-list command defines which vSmart groups the device is permitted to connect to, and the order sets the preference. For example, listing 1 2 means the vEdge will prefer group 1 over group 2. By default, each tunnel interface aims to establish two control connections, but this behavior can be tailored using max-omp-sessions and max-control-connections. Additionally, you can fine-tune connections by using exclude-controller-group-list on specific interfaces, effectively preventing them from connecting to certain controller groups.

I hope this has been helpful!

Laz

Hello, everyone.

I am very early into SD-WAN for ENCOR and Rene + my other resource mention that the vBond Orchestrator needs to have a public IP address.

I’ve asked some people regarding this and I just end up getting more and more confused.

The Cisco Learning Network says

vBond is the only SD-WAN component really need to be reachable with public IP address directly , other controllers such as vManage , vSmart, or even WAN Edges (vEdge & cEdge) can be in private networks.

vBond is responsible to provide public to private IP address mapping to all other components using STUN

What is a STUN server & client?

A STUN (Session Traversal Utilities for NAT) server

allows NAT clients (i.e. IP Phones behind a firewall) to set up phone calls to a VoIP provider hosted outside of the local network.

The STUN server allows clients to find out their public address, the type of NAT they are behind, and the Internet side port associated by the NAT with a particular local port.

This information is used to set up UDP communication between the client and the VoIP provider to establish a call.

The STUN protocol is defined in RFC 3489

The STUN server is contacted on UDP port 3478, however, the server will hint clients to perform tests on alternate IP and port numbers too (STUN servers have two IP addresses). The RFC states that this port and IP are arbitrary.

STUN is enabled on vBond to allow the tunnel interface to discover its public IP address and port number when the vEdge router is located behind a NAT (on vEdge routers only).

It’s not quite clicking for me here. I asked someone personally and they told me thisd:

Public IP address is a bit of a misnomer, there’s quite a few terms that don’t mean what you think they mean in the SDWAN architecture. There can’t be any NAT because the vBond is responsible for performing STUN operations to aid in NAT traversal for the other components and having any kind of address translation in the middle would mess with that process up. vBond doesn’t care whether an IP is public or not, we can run it over private if we have a routable private IP like with MPLS.

The bottom line is, that STUN is there to help the NATed devices figure out what their real IPs are.

ENCOR OCG

NAT detection: The vBond can detect when devices are being placed behind NAT
devices using Session Traversal Utilities for NAT (STUN) [RFC 5389] mechanisms.
Placing a vBond behind a NAT device is not recommended but requires a 1:1 static
NAT if it is placed behind a NAT device

The more I read this, the more confused I get. There aren’t many images regarding this online. Why exactly is NAT problematic here? That’s the first question, which leads to many more.

1. Why would a vEdge router even be behind NAT
2. What exactly is STUN and Traversal and how is it relevant here? I’ve read about this online but I don’t think I get it.
3. The vBond device contains some public to private IP mappings?

I’m not sure if I am going too deep here, I just need a basic understanding for ENCOR. The vBond can probably detect when devices are being placed behind NAT devices? How does all of this work and come together?

Thank you.
David