Kaspersky SD-WAN

About sending information about SD-WAN interfaces of the WAN type to the controller

April 17, 2024

ID 261023

When creating or editing SD-WAN interfaces of the WAN type, you can specify what information must be sent to the controller.

Sending public IP addresses and UDP ports of SD-WAN interfaces to the controller

To build GENEVE tunnels between CPE devices, the controller must obtain information about the public IP addresses of SD-WAN interfaces of the WAN type. By default, the controller obtains this information through a management session. In that case, the source IP address is used as the public IP address.

You can manually specify the IP addresses and UDP ports of SD-WAN interfaces of the WAN type. In the figure below, CPE 1 and the controller are on the same local network and gain access to the Internet through the same firewall, which performs IP address translation (NAT).

When a session is established between the SD-WAN interface of the WAN type of CPE 1 and the public IP address of the controller (1.1.1.2), the firewall must translate the private IP address of the interface to its public IP address (10.0.1.1 > 1.1.1.1) on the path to the controller. If the firewall cannot be configured this way, the controller sees the private address as the session source, so it is unable to obtain the public IP address of the interface and provide it to other devices in the topology (CPE 2).

As a result, a GENEVE tunnel cannot be created between CPE 1 and CPE 2; CPE 1 becomes isolated and cannot be added to the common control plane.

In the diagram, CPE 1 and the controller are connected to CPE 2 through a firewall and the Internet, and NAT is used.

CPE 1 and the controller are behind NAT and are connected to CPE 2

Sending IP addresses of SD-WAN interfaces of the WAN type located in an isolated network to the controller

SD-WAN interfaces of the WAN type may be on an isolated network without the possibility of establishing a management session with the controller, but they can be used to build GENEVE tunnels. In this case, the controller cannot obtain information about the IP addresses of isolated interfaces and use it to build GENEVE tunnels between CPE devices.

In the figure below, CPE 1 and CPE 2 have two SD-WAN interfaces of the WAN type each, but they can establish a management session with the controller only through their wan0 interfaces, because the wan1 interfaces are on an isolated network (MPLS) that has no access to the controller. However, both wan1 interfaces can be used to build GENEVE tunnels.

If the link used to interact with the controller fails for one of the CPE devices, none of its other links can be used either, even if they remain operational, because the controller removes the device from the topology.

The IP addresses of isolated SD-WAN interfaces of the WAN type are sent to the controller through the orchestrator.

CPE 1 and CPE 2 are connected with each other through MPLS and with the controller through the Internet.
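As an added illustration (this is not Kaspersky's code; it is a small model of the behaviour described in both sections above), the script below computes which endpoint address the controller would hand to peer CPEs for each WAN interface and reports why a GENEVE tunnel cannot be built in the two figures. The transport labels, the CPE 2 public address 1.1.2.1 and the MPLS addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WanInterface:
    cpe: str
    name: str
    transport: str                    # "internet" or "mpls" (constructed labels)
    session_src: Optional[str]        # management-session source IP seen by the controller, None if no session
    manual_ip: Optional[str] = None   # public IP specified manually (sent through the orchestrator)


def advertised_endpoint(iface: WanInterface) -> Optional[str]:
    """Address the controller gives to peer CPEs: a manual value wins, otherwise the session source."""
    return iface.manual_ip or iface.session_src


def tunnel_problems(a: WanInterface, b: WanInterface) -> List[str]:
    """Reasons a GENEVE tunnel between a and b cannot be built; an empty list means it can."""
    if a.transport != b.transport:
        return [f"{a.name} ({a.transport}) and {b.name} ({b.transport}) are on different transports"]
    problems = []
    for iface in (a, b):
        ep = advertised_endpoint(iface)
        if ep is None:
            problems.append(f"{iface.cpe}/{iface.name}: controller has no endpoint address "
                            "(no management session and no manually specified address)")
        elif iface.transport == "internet" and not ipaddress.ip_address(ep).is_global:
            # Figure 1 failure: the controller learned a private source address behind NAT.
            problems.append(f"{iface.cpe}/{iface.name}: advertised endpoint {ep} is not globally "
                            "routable, peers across the Internet cannot reach it")
    return problems


# Constructed scenario for figure 1: CPE 1 and the controller share a firewall and the
# firewall does not translate 10.0.1.1 > 1.1.1.1 towards the controller.
cpe1_wan0 = WanInterface("CPE 1", "wan0", "internet", session_src="10.0.1.1")
cpe2_wan0 = WanInterface("CPE 2", "wan0", "internet", session_src="1.1.2.1")
cpe1_wan0_fixed = WanInterface("CPE 1", "wan0", "internet", "10.0.1.1", manual_ip="1.1.1.1")

# Constructed scenario for figure 2: wan1 interfaces on isolated MPLS with no management session.
cpe1_wan1 = WanInterface("CPE 1", "wan1", "mpls", session_src=None)
cpe2_wan1 = WanInterface("CPE 2", "wan1", "mpls", session_src=None)
cpe1_wan1_fixed = WanInterface("CPE 1", "wan1", "mpls", None, manual_ip="172.16.1.1")
cpe2_wan1_fixed = WanInterface("CPE 2", "wan1", "mpls", None, manual_ip="172.16.2.1")

if __name__ == "__main__":
    for pair in [(cpe1_wan0, cpe2_wan0), (cpe1_wan0_fixed, cpe2_wan0),
                 (cpe1_wan1, cpe2_wan1), (cpe1_wan1_fixed, cpe2_wan1_fixed)]:
        print(tunnel_problems(*pair) or "tunnel OK")
```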