SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  Central Internet access and backup DIA

    Posted 06-11-2019 09:57
    Hi:

    How can I implement the following scenario?
    - All the branch sites must use the Internet service located at Data Center as a main Internet access.
    - All the branch sites must use DIA (Direct Internet Access, a direct connection to the internet attached to the 128T router in each location) in case of a main Data Center Internet service failure.

    The main internet access in the Data Center is used as primary because there is a Web Content filtering appliance in the Data Center, but not in the branch offices.

    I think that the approach must be:
    - Create two services, "Main_Internet" for DC and "Local_Internet" for the branch sites.
    - In the 128T routers in the Data Center, create a service route towards the Internet for the "Main_Internet" service and share this service-route with all 128T routers in the Authority.
    - In the rest of the 128T routers, create a service-route for "Local_Internet" using the local internet connection. This service-route has to be created on each branch 128T router and not shared with the rest of the routers.

    For using the DC access as main access and the local internet connection as backup, the service-route name will be used as the tie breaker between the two service-routes.

    Does it make sense?


    Best regards.

    ------------------------------
    Dani Garces
    ------------------------------


  • 2.  RE: Central Internet access and backup DIA

    Posted 06-11-2019 10:25
    Hello @Dani,

    I ran into a similar scenario while testing. For me, I had the same service being used at the datacenter (via SVR) as well as locally via DIA.

    I believe you'll need to name the service-routes on the branch router alphabetically in order to force your routing preference.

    Example:
    "Internet_Path_1" would be your peer service route to datacenter "internet" service

    "Internet_Path_2" would be your local DIA service route to "internet" service

    The naming above should pick "Path_1" first and then "Path_2" next.


  • 3.  RE: Central Internet access and backup DIA

    Posted 06-11-2019 11:30
    Hi @Jessie:

    Thank you so much for your input. My case is a little bit different as I use neighborhoods, so the main "Internet" service is propagated automatically from the DC to the Branch Offices, and I do not use a peer service route from branch office to DC.

    It seems that the scenario is working fine in lab.

    ================= ======= ======= ============ ========================= ==============
     IP Prefix         Port    Proto   Tenant       Service                   Next Hops
    ================= ======= ======= ============ ========================= ==============
     0.0.0.0/0         <any>   udp     LAN          internet                  192.168.0.34
     0.0.0.0/0         <any>   udp     bo2.LAN      internet                  192.168.0.34
     0.0.0.0/0         80      tcp     LAN          internet                  192.168.0.34
     0.0.0.0/0         80      tcp     bo2.LAN      internet                  192.168.0.34
     0.0.0.0/0         443     tcp     LAN          internet                  192.168.0.34
     0.0.0.0/0         443     tcp     bo2.LAN      internet                  192.168.0.34

    next-hop 192.168.0.34 is the DC 128T router.

    When I disable the main "internet" service, the traffic is locally switched to the local internet provider:

    ==================== ======= ======= ============ ========================= ==============
     IP Prefix            Port    Proto   Tenant       Service                   Next Hops
    ==================== ======= ======= ============ ========================= ==============
     0.0.0.0/0            <any>   udp     bo2.LAN      internet-local-bo2        10.0.0.2
     0.0.0.0/0            80      tcp     bo2.LAN      internet-local-bo2        10.0.0.2
     0.0.0.0/0            443     tcp     bo2.LAN      internet-local-bo2        10.0.0.2

    next-hop 10.0.0.2 is the gateway to the local internet provider of the branch office.

    Best regards.

    ------------------------------
    Dani Garces
    ------------------------------
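
Added example (not part of the thread and not 128T code): a check over saved table output in the layout posted above that reports when default-route traffic is leaving through a next hop other than the Data Center router, meaning the branch has fallen back to DIA and is no longer passing the web content filter. The function names, the `FILTERED_NEXT_HOPS` set and the sample rows are constructed for illustration from the values in the post.

```python
import re

# Constructed sample input: rows copied from the two tables in the post above.
FIB_NORMAL = """\
================= ======= ======= ============ ========================= ==============
 IP Prefix         Port    Proto   Tenant       Service                   Next Hops
================= ======= ======= ============ ========================= ==============
 0.0.0.0/0         <any>   udp     LAN          internet                  192.168.0.34
 0.0.0.0/0         443     tcp     bo2.LAN      internet                  192.168.0.34
"""
FIB_FAILOVER = """\
 0.0.0.0/0            <any>   udp     bo2.LAN      internet-local-bo2        10.0.0.2
 0.0.0.0/0            443     tcp     bo2.LAN      internet-local-bo2        10.0.0.2
"""

# Assumption: next hops whose traffic passes the DC web content filter.
FILTERED_NEXT_HOPS = {"192.168.0.34"}
COLUMNS = ("prefix", "port", "proto", "tenant", "service")
ROW = re.compile(r"^\s*(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_fib(text):
    """Return one dict per data row; header and '====' rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.replace("\u200b", ""))  # drop zero-width spaces from copy/paste
        if match:
            row = dict(zip(COLUMNS, match.groups()[:5]))
            # Assumption: several next hops on one row are whitespace-separated.
            row["next_hops"] = match.group(6).split()
            rows.append(row)
    return rows


def filter_bypass(text, filtered=FILTERED_NEXT_HOPS):
    """Return sorted (tenant, service, next_hop) tuples for default-route entries
    that forward to a next hop outside the filtered set."""
    hits = set()
    for row in parse_fib(text):
        if row["prefix"] != "0.0.0.0/0":
            continue
        for hop in row["next_hops"]:
            if hop not in filtered:
                hits.add((row["tenant"], row["service"], hop))
    return sorted(hits)


if __name__ == "__main__":
    for label, table in (("normal", FIB_NORMAL), ("failover", FIB_FAILOVER)):
        hits = filter_bypass(table)
        print(label, "filtered path in use" if not hits else f"filter bypassed: {hits}")
```

Run on a schedule against each branch, a non-empty result is the signal that users there are browsing without the Data Center filter until the main service recovers.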



  • 4.  RE: Central Internet access and backup DIA

     
    Posted 06-13-2019 00:35
    I think you're both right :)

    @Dani when you use neighborhoods to propagate services automatically, the conductor will generate a peer service route for you. The peer service routes will have a generated name of [service-name]__[peer-name]. (You can see these in your configuration.)

    What @Jessie says is true: the system will alphabetize the service routes. You can choose your own name for your local DIA internet breakout (e.g., zzzBreakout) to ensure it is chosen after the generated service route.

    Note that even when using neighborhoods to generate configuration, you are always free to manually configure it instead, if you wish. The config generator will not create peer service routes for you automatically if it detects that one has been configured manually already.

    ------------------------------
    pt.
    ------------------------------



  • 5.  RE: Central Internet access and backup DIA

     
    Posted 06-13-2019 11:41
    @peetee could Service Policies be used to help out here as well?

    ------------------------------
    Justin Melloni
    Documentation/Training Specialist
    MA
    ------------------------------



  • 6.  RE: Central Internet access and backup DIA

     
    Posted 06-14-2019 06:53
    Nope, not here. A service-policy allows you to prioritize the vectors for path selection, but this only applies to next-hops within a single service-route. Not which service-route takes precedence over another.

    ------------------------------
    pt.
    ------------------------------



  • 7.  RE: Central Internet access and backup DIA

    Posted 06-14-2019 06:00
    Hi:

    Thanks @peetee, I did not know I could manually configure the service if it already existed through neighborhoods.

    Best regards.

    ------------------------------
    Dani Garces
    ------------------------------



  • 8.  RE: Central Internet access and backup DIA

     
    Posted 06-14-2019 06:56
    To be clear, a service will exist on all routers already.* The config generator will create peer, adjacency, and service-route elements. The config generator will NOT create peer, adjacency, or service-route elements if it detects that they've already been manually configured.

    Think of the config generator as merely a convenience: it creates all that stuff so you don't have to. If you WANT to, you can.

    --
    * Services will (by default) be present on every router managed by a conductor. We added features in our 4.x code to let you selectively push services to routers or groups of routers.

    ------------------------------
    pt.
    ------------------------------