Interfaces with SD-WAN setup

Author
phowardmhm
2019/10/15 14:26:55 (permalink) 5.6

Hello,
I have a customer that has added another internet connection to the firewall and I want to build out SD-WAN with failover. I get the setup part, but how do I deal with the interfaces? What do I do with all tunnels off the interface?

#1
sw2090
Re: Interfaces with SD-WAN setup 2019/10/16 00:12:49 (permalink)
VPN tunnels and, I guess, also VLANs on the WAN interfaces are not affected by SD-WAN. They still use the physical interface. I just can't say for sure concerning VLANs, as I don't have VLANs on the WAN interfaces here. You will just have to replace your WAN interfaces with the SD-WAN interface in your internet policies.
#2
phowardmhm
Re: Interfaces with SD-WAN setup 2019/10/16 08:28:56 (permalink)
Thanks for the comment.
 
This had been built out by someone else and quite a while ago, so looking at this more I've decided to essentially peel everything off WAN1 and rebuild it out with the SD-WAN. It has a secondary internet connection being fed via WAN1 along with the primary internet connection, so that doesn't really give me the redundancy I'm looking for.
 
With configurations that have two ISPs w/ VPN tunnels and no SD-WAN I would have a tunnel off WAN1 and a "backup" tunnel off WAN2, so would I not need both with SD-WAN? One VPN tunnel for the SD-WAN interface?
#3
sw2090
Re: Interfaces with SD-WAN setup 2019/10/16 23:28:23 (permalink)
At least IPsec cannot use a dynamic interface, because you must give a specific remote gw on the tunnel's opposite end. You could only have one FQDN per interface in SD-WAN. SD-WAN itself is not an option here, because it depends on your rules and settings which interface in SD-WAN is used at which time. If you used an FQDN on SD-WAN as remote gw, this would cause a load of dropouts or flickering on the tunnels, I guess.
I however prefer having one tunnel per WAN for redundancy. I cope with this using priority-based routing. This works fine, has defined ends for remote gw, and does tunnel fallback to the second tunnel when the primary WAN goes down, and back again.
 
#4
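A FortiOS CLI sketch of the one-tunnel-per-WAN layout with priority-based routing described in the last reply. This is an added example, not configuration posted by anyone in the thread; the interface names `wan1`/`wan2`, the tunnel names, the remote gateway 198.51.100.10, the remote subnet 10.20.0.0/16 and the pre-shared key are all assumed placeholders.

```fortios
# Constructed example: addresses, names and the PSK are placeholders.
# Each phase 1 is bound to a physical WAN port, not to the SD-WAN interface,
# so the remote end always sees a fixed, known peer address per tunnel.
config vpn ipsec phase1-interface
    edit "vpn-wan1"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set dpd on-idle
        set psksecret <PLACEHOLDER_PSK>
    next
    edit "vpn-wan2"
        set interface "wan2"
        set remote-gw 198.51.100.10
        set dpd on-idle
        set psksecret <PLACEHOLDER_PSK>
    next
end
config vpn ipsec phase2-interface
    edit "vpn-wan1-p2"
        set phase1name "vpn-wan1"
    next
    edit "vpn-wan2-p2"
        set phase1name "vpn-wan2"
    next
end
# Same destination over both tunnels. With equal distance, the route with
# the lower priority value is used; when dead peer detection takes vpn-wan1
# down its route is withdrawn and traffic falls back to vpn-wan2.
config router static
    edit 101
        set dst 10.20.0.0 255.255.0.0
        set device "vpn-wan1"
        set priority 5
    next
    edit 102
        set dst 10.20.0.0 255.255.0.0
        set device "vpn-wan2"
        set priority 10
    next
end
```

Firewall policies to and from both tunnel interfaces are omitted here and are still needed, and they should be identical for the two tunnels so the failover path enforces the same rules as the primary. Only the internet-bound policies reference the SD-WAN interface, as the first reply notes.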