SD- Branch

Hi.
Assisting a customer on SD-Branch.

2 x 90xx as VPNC. One VPNC (VPNC1) with main internet circuit and one VPNC (VPNC2) with backup ciruit.
Can we setup this to use main internet circuit on VPNC1 and only fail over to backup circuit on VPNC2 when main internet circuit goes down?

From SD-Branch documentation this is for me not clear, as in mention this only at the Branch side.

My proposed solution

VPNC1 with WAN main internet line.
VPNC2 with WAN backup internet line.


VRRP on LAN interface on VPNC1 and VPNC2, with VRRP IP as gateway ip from LAN. Then have VPNC1 as VRRP  Master with tracking on WAN interface.
Then VPNC2 will one be used for out traffic when VPNC1 internet line is down.

Do we need VRRP also on WAN interfaces?

On the branch side, I think we can have SD WAN overlay to have DC preference to go to VPNC1 and secondary to VPNC2.
Or, two DC prefence groups, first with VPNC 1 only , and second with VPNC 2 only.

Any comments on this?










------------------------------
Ole Morten Kårbø
ACCA ACSA
Netnordic Norway
------------------------------

Probably a bit late, but if you are still working through this....

Sounds like you are looking to connect the internet circuits directly to the VPNCs?  It's more common to have the VPNCs deployed in a DMZ off the firewall(s) and have the firewall terminate the Internet connections, and NAT the inbound IKE-natt (udp/4500) traffic through to the VPNCs.

On the 'internal' side of the VPNC, where redundancy is called for, OSPF or BGP is a better fit than VRRP, as DC preference on the BGWs affects the OSPF preference or BGP as-prepend at the head end.

In summary, VPNCs are used to terminate the VPNs from BGWs, not really be a 'Gateway' for the Hub site.

Hope this helps.

-Rhys
Melbourne/Australia

------------------------------
Rhys Bailey
------------------------------

Original Message:
Sent: Jan 31, 2022 04:04 AM
From: Ole Morten Kårbø
Subject: Dual VPNC with dual internet

Hi.
Assisting a customer on SD-Branch.

2 x 90xx as VPNC. One VPNC (VPNC1) with main internet circuit and one VPNC (VPNC2) with backup ciruit.
Can we setup this to use main internet circuit on VPNC1 and only fail over to backup circuit on VPNC2 when main internet circuit goes down?

From SD-Branch documentation this is for me not clear, as in mention this only at the Branch side.

My proposed solution

VPNC1 with WAN main internet line.
VPNC2 with WAN backup internet line.


VRRP on LAN interface on VPNC1 and VPNC2, with VRRP IP as gateway ip from LAN. Then have VPNC1 as VRRP  Master with tracking on WAN interface.
Then VPNC2 will one be used for out traffic when VPNC1 internet line is down.

Do we need VRRP also on WAN interfaces?

On the branch side, I think we can have SD WAN overlay to have DC preference to go to VPNC1 and secondary to VPNC2.
Or, two DC prefence groups, first with VPNC 1 only , and second with VPNC 2 only.

Any comments on this?










------------------------------
Ole Morten Kårbø
ACCA ACSA
Netnordic Norway
------------------------------