Seems NAT Fallback assumes internet traffic will go via overlay. What about a site with broadband and LTE for local internet breakout where broadband is primary for internet and if goes down then all internet bound traffic from service vpn go via LTE transport locally. Is this possible in cEdge 17.3.2?
Yes you are right. NAT fallback is the feature used to failover the traffic through an overlay tunnel incase the DIA tracker goes down. By default, if you have two DIA circuits, it will load balance the traffic on both circuits. In the event, when one DIA circuit is down, the other DIA cirucit can still carry the DIA traffic out. Same goes for the scenario where data-policy action of "local-tloc" is set to prefer one circuit over the other. If the primary DIA circuit fails then traffic will still go out through another DIA circuit.
The choice totally depends on a use case. For example, if you have Servers hosted in network, then maybe you could utilize different public IP for that and for DIA you could still overload on interface IP address.
As of today DIA tracker can be applied to a physical interface only. Future releases will provide support to bind a DIA tracker to logical interface as well.
No, Fallback will not work in this case. As long as WAN interface remains up where NAT is configured, DIA NAT will NOT get disabled. So, if DIA tracker is not configured and if the the WAN interface remains up but the DIA path is down, this will defintely blackhole the traffic. DIA tracker is used to track things beyond the next-hop (path to internet). NAT fallback only works when NAT DIA gets disabled which in this case would be taken care internally by the DIA tracker.
Yes, DIA tracker is supported on vManage controller version 20.3.1 onwards. The NAT fallback feature is supported in Cisco IOS XE Release 17.3.2 and later releases. For more information, please refer to the documentation: www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/dia-tracker-ios-xe.html
With DIA you can directly go to internet by locally breaking out to Internet path provided by your ISP, thus getting natted locally on the Edge router to access the internet . If the tracker along the DIA path goes down, with the Fallback feature enabled, it will allow the internet traffic to be routed across the overlay BFD tunnel to another site which has internet path. Service side NAT is a concept used to NAT the traffic sourced from one SD-WAN branch site and destined to another SD-WAN branch site through the overlay (BFD tunnels). This is not related to DIA NAT.
![Дон ДОН, Алаудинов и СБЕЖАВШИЕ из под Курска ахматовцы 😁 [Пародия]](http://i.ytimg.com/vi/dEfCf5IK26Q/mqdefault.jpg)
Seems NAT Fallback assumes internet traffic will go via overlay. What about a site with broadband and LTE for local internet breakout where broadband is primary for internet and if goes down then all internet bound traffic from service vpn go via LTE transport locally. Is this possible in cEdge 17.3.2?
Yes you are right. NAT fallback is the feature used to failover the traffic through an overlay tunnel incase the DIA tracker goes down. By default, if you have two DIA circuits, it will load balance the traffic on both circuits. In the event, when one DIA circuit is down, the other DIA cirucit can still carry the DIA traffic out. Same goes for the scenario where data-policy action of "local-tloc" is set to prefer one circuit over the other. If the primary DIA circuit fails then traffic will still go out through another DIA circuit.
Hi, In the example, NAT is done using the TLOC interface .. Is it recommended to use a different Public IP for breakout NAT??
The choice totally depends on a use case. For example, if you have Servers hosted in network, then maybe you could utilize different public IP for that and for DIA you could still overload on interface IP address.
Do we need to configure DIA tracker policy per URL or we have any option to define the policy for multiple URL in one go
As of today, we can only have one endpoint per tracker. Future releases will provide an option to configure Dual endpoints under the same tracker.
Hi, Can we configure tracker to a logical interface or does it just work on physical interfaces only?
As of today DIA tracker can be applied to a physical interface only. Future releases will provide support to bind a DIA tracker to logical interface as well.
what if we enable fallback without configuring tracker. Does fallback works?
No, Fallback will not work in this case. As long as WAN interface remains up where NAT is configured, DIA NAT will NOT get disabled. So, if DIA tracker is not configured and if the the WAN interface remains up but the DIA path is down, this will defintely blackhole the traffic. DIA tracker is used to track things beyond the next-hop (path to internet). NAT fallback only works when NAT DIA gets disabled which in this case would be taken care internally by the DIA tracker.
Does this feature support controller version 20.3 and c-Edge version 17.3.3?
Yes, DIA tracker is supported on vManage controller version 20.3.1 onwards. The NAT fallback feature is supported in Cisco IOS XE Release 17.3.2 and later releases. For more information, please refer to the documentation:
www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/dia-tracker-ios-xe.html
What is the difference between NAT DIA and BFD feature?
With DIA you can directly go to internet by locally breaking out to Internet path provided by your ISP, thus getting natted locally on the Edge router to access the internet . If the tracker along the DIA path goes down, with the Fallback feature enabled, it will allow the internet traffic to be routed across the overlay BFD tunnel to another site which has internet path.
Service side NAT is a concept used to NAT the traffic sourced from one SD-WAN branch site and destined to another SD-WAN branch site through the overlay (BFD tunnels). This is not related to DIA NAT.