Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Luggage
Luggage
Comes here often
Member since Jun 25, 2024
a week ago
Community Record
5
Posts
0
Kudos
0
Solutions
Badges
a week ago
Thanks both @ww and @GreenMan . That architecture change more or less worked. Maybe a different thread for this but I noticed with this method I can no longer then do Local Internet Breakout (eg, for some traffic I want to break out locally on the VLANs where source based default route -> Hub has been applied) any solution to this?
... View more
3 weeks ago
Ahh this is the response I was looking for and makes sense to flip that logic around. One final question, how does the next hop monitoring work for a VPN Hub Appliance as the next hop? If I enable this, would an AutoVPN / Hub failure mean traffic routes via the local default route instead? While next hop responds to ping When next hop does not respond to ping this traffic will go out the WAN appliance's default routes.
... View more
3 weeks ago
For what seems like pretty basic SD-WAN feature on other platforms that I can't figure out here, I have a Hub and Spoke AutoVPN with Site-Site-VPN setting Spokes configured to obtain the IPv4 default route via the Hub appliance. VPN enabled VLAN at spokes obtain this as expected, plus the DC Prefixes I specify on the hub - that all fine I have a VPN Disabled VLAN that I want for local internet access only (guest) - that's fine I have another VLAN that I want to be VPN enabled - so device on here can be in-band managed from across the WAN (AutoVPN) but that I require to *not* obtain the default ipv4 route from the Hub Appliance, I want the default route to NAT out via via local internet, same as as if it were VPN disabled, or have the entire spoke not receive the default route from HUB Appliance. I can use VPN exclusions for specific prefixes and FQDNs and do local breakout... sometimes this works but it's high maintenance, prone to breaking and is a mammoth config for the requirements of the devices on this vlan. I don't want to have to deploy a separate gateway device and add a static default route to it... for 120 spokes. Source based routes... would be nice if they would let you route + NAT out your local WAN interface. Anyone been able to accomplish this in a way I've missed?
... View more
Jun 26 2024
4:42 PM
So the VPN Hub has a static IP (VIP) and there will be NAT (SNAT/DNAT) to/from the VIP via a public IP from ISP X. I figure I will need to resolve the unfriendly NAT situation upstream with the static SNAT/DNAT so that works. May have figured this out myself - I will try creating two SNAT/DNAT rules upstream (Mapping to the MX VIP) one for ISP A and one for ISP B, with the outside interface specified per ISP, so that when the route fails over to ISP B, SNAT rule for ISP B will be followed. I just need to make sure I can resolve unfriendly NAT so I don't need to use Manual NAT traversal.
... View more
Jun 26 2024
12:16 AM
We are planning to deploy ISP redundancy (currently single ISP... ISP X... with multiple uplinks via our Firewall) and need MX Concentrator traffic to failover between ISPs upon failure of ISP X We are not using our own public IPv4 allocation (expensive) and thus relying on ISP allocated prefixes on both links. We had/have issues with unhealthy NAT via our Firewalls, largely relating to tunnels failing to re-establish cleanly after failover. Manual NAT config has prevented this issue from happening since implemented. How are we able to deploy a dual ISP solution in this manner while still retaining Manual NAT Config, one for each ISP Address used? Do we need our own /24 public address allocation to use this or to somehow fix our unclean NAT issue? If we were able to set a separate Manual Port Forwarding NAT Traversal Config on the Warm Standby MX, that may help, or a Dual WAN (Dual VIP + Dual Manual Port Forwarding NAT Traversal config, that could work. In the Attached Diag, ISP Y is the service we need to be able to failover to. Has anyone done this without Auto NAT Traversal and their own portable public IPv4 prefix?
... View more
© 2024 Cisco Systems, Inc.
