In this case, controllers are deployed on the private, MPLS network and control connections are established only through the MPLS network. An additional vBond is set up on the Internet so that Internet-connected devices can form data plane (IPSec and BFD sessions) with other devices over that transport.
The Validator on the Internet acts as a STUN server, which allows the WAN Edge router to discover its mapped, public IP address and port number on the Internet transport. This TLOC information (including the mapped public/private IP addresses) is exchanged over the private transport, which is then distributed to other WAN Edge routers, and data plane BFD sessions can be established to other WAN Edge routers over the Internet transport. No control traffic is sent or IPSec keys are exchanged over the Internet.
Note: This option requires at least a control connection to a vSmart controller over a single, separate transport, otherwise TLOC information cannot be exchanged in order to bring up IPSec and tunnels and BFD sessions with other WAN Edge routers over the Internet transport.
The WAN Edge device first sends a DNS request to resolve the Validator hostname. Both the publicly routable and private (RFC 1918) IP addresses are returned. The WAN Edge router will try both, but only the Validator on the Internet will be reachable via the publicly routable IP address and the Validator on the MPLS will be reachable via the private (RFC 1918) address.
The WAN Edge router on the Internet transport establishes a DTLS connection to the publicly routable IP address of the Validator and sends a STUN request to discover the WAN Edge post-NAT IP address. The WAN Edge device on the MPLS transport establishes a DTLS connection to the private, pre-NAT address of the vBond. The WAN Edge router then connects to the Manager and Controller using their private addresses because private color is used on the tunnels on both ends of the communication.
In this use case, the command vbond-as-stun-server is configured on the WAN Edge Internet tunnel interface. This option also requires the Validator domain name in the Validator configuration under system settings in the WAN Edge router to be translated by DNS into both a public and private IP address. Only the private IP address will be reachable on the MPLS side, and only the public IP address will be reachable on the Internet side. This can be done through a DNS server, or IP host names can be configured on the WAN Edge router under VPN 0 that translates the Validator hostname into multiple addresses, which includes both the public and private IP addresses.
#cisco
#sdwan
#vbond
#1toops