SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  What is the mechanism used to establish inbound flows and how are flows established?

    Posted 06-12-2018 00:00
    In release 3.2.1: "I95-14820 The 128T now has a signaled mechanism for establishing inbound flows to systems behind firewalled or LTE environments." Can someone explain what mechanism is used and the steps this requires to establish inbound flows? Pretty much I'm looking to understand how this works. Thanks in advance.


  • 2.  RE: What is the mechanism used to establish inbound flows and how are flows established?

     
    Posted 06-12-2018 00:00

    Hi Adrián, thanks for the question!

     

    When a router interface is behind a NAT or on a network that disallows inbound connections (such as LTE), then it must be the initiator for all traffic to its peers. To describe this topology, we added a new configuration item within a neighborhood (on a network-interface) to indicate that a network-interface is outbound only -- i.e., it must originate requests:

     

        admin@labsystem1.fiedler (network-interface[name=wan0])# show
        name                   wan0
        global-id              5

        neighborhood           beacon-wan
            name                  beacon-wan
            peer-connectivity     outbound-only
            topology              spoke
            external-nat-address  44.33.22.11
        exit
        inter-router-security  128t-hq
        source-nat             true

        address                11.22.33.44
            ip-address     11.22.33.44
            prefix-length  24
            gateway        11.22.33.45

            host-service   ssh
                service-type  ssh
            exit
        exit

    Here you can see I've indicated that this network-interface should be treated as outbound-only. (Any peers for this router will reflect this in the adjacency that is created.)

     

    When a peer wants to send to an adjacency that is outbound-only, what it will do is "NAT" the packet it is going to send just prior to sending it on the wire, and re-use the ports for BFD (1280). Because BFD connectivity is a prerequisite for sending traffic to a peer, this path will be known to be up and working a priori.

     

    When the router receives this "BFD" packet, it will detect that there is 128T metadata inside, hand it up to the service processing logic, and allocate SVR flows (and waypoint addresses) for itself and its peer, and forward the packet as it would normally. When packets go back in the reverse direction, it will punch a hole in the NAT (or create an outbound LTE connection, etc.) and "initiate" the flows from the outbound-only side. All subsequent packets will use these allocated waypoint addresses.

     

    Two other notes about outbound-only:

    1. When a router has a peer that is designated as outbound-only, it will not proactively send BFD to it... it waits to hear from its peer, then uses the source of those packets as the destination for its BFD in the reverse direction. (So-called "latching" onto the source address.)
    2. When two routers are both configured as outbound-only, they will (obviously) not be able to talk to one another.

     

    I hope this helps!
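
Added example (not part of the original post, and not Session Smart Router code): a toy Python model of the two notes above, showing source-address latching through a stateful NAT and why two outbound-only routers never connect. The class names, the NAT behaviour and the addresses are assumptions constructed for illustration.

```python
BFD_PORT = 1280  # BFD port named in the post

class Nat:
    """Stateful NAT in front of the outbound-only router (constructed model)."""
    def __init__(self, public_ip):
        self.public_ip, self.pinholes, self.next_port = public_ip, {}, 40000

    def outbound(self, src, dst):
        """Translate an outgoing packet, opening a pinhole for replies from dst."""
        port = self.next_port
        self.next_port += 1
        self.pinholes[port] = (src, dst)
        return (self.public_ip, port)      # source address the peer will observe

    def inbound(self, src, dst):
        """Return the inside address a packet is delivered to, or None if dropped."""
        inside, allowed = self.pinholes.get(dst[1], (None, None))
        return inside if dst[0] == self.public_ip and allowed == src else None

class Router:
    def __init__(self, addr, outbound_only):
        self.addr, self.outbound_only = addr, outbound_only
        self.latched = None                # peer source address learned from BFD

    def bfd_target(self, peer):
        """Destination for BFD toward peer; None means wait to hear from it first."""
        return self.latched if peer.outbound_only else peer.addr

    def on_bfd(self, observed_src, peer):
        if peer.outbound_only:
            self.latched = observed_src    # latch onto the source seen on the wire

def establish(spoke, hub, nat):
    """One BFD round trip with the spoke behind nat; True if both directions work."""
    dst = spoke.bfd_target(hub)
    if dst is None:                        # hub is outbound-only too: nobody starts
        return False
    hub.on_bfd(nat.outbound(spoke.addr, dst), spoke)
    reply_to = hub.bfd_target(spoke)
    return reply_to is not None and nat.inbound(hub.addr, reply_to) == spoke.addr

if __name__ == "__main__":
    # Constructed documentation-range addresses, not taken from the post.
    spoke = Router(("192.168.1.10", BFD_PORT), outbound_only=True)
    hub = Router(("198.51.100.1", BFD_PORT), outbound_only=False)
    print("spoke -> hub:", establish(spoke, hub, Nat("203.0.113.7")), hub.latched)
    hub_ob = Router(("198.51.100.2", BFD_PORT), outbound_only=True)
    print("both outbound-only:", establish(spoke, hub_ob, Nat("203.0.113.7")))
```

In this model the hub has no BFD destination for the spoke until the spoke's first packet arrives, and the address it latches is the NAT's translated source, not the spoke's configured one.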



  • 3.  RE: What is the mechanism used to establish inbound flows and how are flows established?

    Posted 06-12-2018 00:00

    Thank you, Patrick A Timmons, for the info provided; this helps a lot.