Providing information about WAN interfaces to the SD-WAN Controller

April 9, 2024

ID 261023

Providing public IP addresses and UDP ports of WAN interfaces to the SD-WAN Controller

To build GENEVE tunnels between CPE devices, the SD-WAN Controller must obtain information about the public IP addresses of the WAN interfaces of these devices. By default, the Controller receives this information through the OpenFlow TCP session that is established between the device and the Controller. In that case, the source IP address of that session is used as the public IP address.

If the SD-WAN Controller is unable to obtain the information it needs, you can manually specify the IP addresses and UDP ports of the WAN interfaces of CPE devices. In the figure below, CPE 1 and the SD-WAN Controller are on the same local network and reach the Internet through the same firewall, which performs address translation. When a session is established between the WAN interface of CPE 1 and the public IP address of the SD-WAN Controller (10.0.1.1 > 1.1.1.2), and the firewall cannot be configured so that the private IP address of CPE 1 is translated to its public IP address for that session (10.0.1.1 > 1.1.1.1), the Controller only sees the private address. It is therefore unable to learn the public IP address of the WAN interface and provide it to the other devices in the topology (CPE 2). As a result, a GENEVE tunnel cannot be created between CPE 1 and CPE 2; CPE 1 becomes isolated and cannot be added to the common control plane.

Figure: CPE 1 and the Controller are behind NAT and are connected to CPE 2 through a firewall and the Internet.

Providing IP addresses of WAN interfaces from an isolated network to the SD-WAN Controller

Some of the WAN interfaces of a CPE device may be on an isolated network without the possibility of establishing a TCP session with the SD-WAN Controller, but they can be used to build GENEVE tunnels. In this case, the Controller cannot obtain information about the IP addresses of isolated WAN interfaces and use it to build GENEVE tunnels between CPE devices.

In the figure below, CPE 1 and CPE 2 have two WAN interfaces each, but they can establish communication with the SD-WAN Controller only through their wan0 interfaces because the wan1 interfaces are on an isolated network (MPLS) that does not have access to the Controller. However, both wan1 interfaces can be used to build GENEVE tunnels.

Please note that if the communication channel a CPE device uses to interact with the SD-WAN Controller fails, all of that device's other communication channels also become unusable, even if they remain operational, because the Controller removes the device from the topology.

The IP addresses of the isolated WAN interfaces can be provided to the SD-WAN Controller through the orchestrator.

Figure: CPE 1 and CPE 2 are connected with each other through MPLS and with the SD-WAN Controller through the Internet.

You can configure the sending of the necessary information when creating or editing the SD-WAN interface.
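The two failure modes described above (a private source address learned from the OpenFlow session, and an isolated interface that never opens a session) can be checked before tunnels are expected to come up. The following model is an added example written for this page, not Kaspersky code; the class names, the nat_map dictionary that stands in for the firewall, and the default UDP port 6081 (the IANA GENEVE port; the product's actual port is not stated on this page) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

GENEVE_UDP_PORT = 6081  # assumed default; the page does not state the port the product uses

@dataclass
class WanInterface:
    name: str
    address: str                       # address configured on the interface
    reaches_controller: bool = True    # can it open the OpenFlow TCP session to the Controller?
    manual_public: Optional[Tuple[str, int]] = None  # (IP, UDP port) entered via the orchestrator

@dataclass
class Cpe:
    name: str
    wans: list

def observed_source(wan: WanInterface, nat_map: dict) -> str:
    """Source IP the Controller sees on the OpenFlow session.
    nat_map models the firewall: the private->public translations it applies to that session."""
    return nat_map.get(wan.address, wan.address)

def learn_endpoints(cpe: Cpe, nat_map: dict):
    """Return the endpoints the Controller can hand to peer CPEs and the interfaces it cannot learn."""
    endpoints, problems = {}, {}
    for wan in cpe.wans:
        if wan.manual_public:              # operator-supplied value wins over anything learned
            endpoints[wan.name] = wan.manual_public
        elif not wan.reaches_controller:   # isolated network (e.g. MPLS): no session to learn from
            problems[wan.name] = "no OpenFlow session; supply the IP address through the orchestrator"
        else:
            src = observed_source(wan, nat_map)
            if ipaddress.ip_address(src).is_private:   # peers across the Internet cannot reach this
                problems[wan.name] = f"learned private source {src}; set public IP and UDP port manually"
            else:
                endpoints[wan.name] = (src, GENEVE_UDP_PORT)
    return endpoints, problems

def tunnel_candidates(ep_a: dict, ep_b: dict) -> list:
    """Interface pairs between two CPEs for which the Controller holds a usable endpoint on both sides."""
    return sorted((a, b) for a in ep_a for b in ep_b)

if __name__ == "__main__":
    # Constructed scenario from the figure: CPE 1 at 10.0.1.1 behind a firewall that cannot translate it.
    cpe1 = Cpe("CPE 1", [WanInterface("wan0", "10.0.1.1")])
    print(learn_endpoints(cpe1, {}))                       # wan0 flagged, no endpoint
    print(learn_endpoints(cpe1, {"10.0.1.1": "1.1.1.1"}))  # firewall translates: endpoint 1.1.1.1
```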
