SD-WAN with un-numbered VPN tunnels
Arkwright
What is the deal with numbered vs un-numbered VPN tunnels + SD-WAN? Both the web interface and CLI documentation for SD-WAN + VPN describe using numbered VPN tunnels to do this, but don't explain why you would do it this way.
The reason I ask is:
- It is possible to add an un-numbered tunnel to an SD-WAN group
- It works [performance probes work, traffic is passed]
- It's a lot less work and admin overhead [e.g. finding a free /30 or /31 for every. single. VPN.]
This:
says:
"Constraints for Member Interfaces
- Member interfaces can only be WAN or Numbered Tunnel Interfaces"
but this doesn't seem to be true.
Any ideas?
Category: Mid Range Firewalls
Best Answer
Ena SonicWall Employee
Hi @Arkwright
Thanks so much for your patience regarding this inquiry. It looks like the KB article was outdated - Support and our KB management team are working to update the article with the latest information. You should see an update either today or tomorrow.
Answers
Hi @Arkwright, in my experience it doesn't make any difference. I think that was just the preference of whoever set up the guide. I would only use numbered Tunnel Interfaces with Advanced Routing like OSPF or BGP; for static routing, stick with unnumbered.
I presume when you say Unnumbered you are not creating VPN Tunnel Interfaces in the Network/Interfaces Page and just selecting Tunnel Interface as the VPN Type?
Yes, by "unnumbered" I mean a tunnel-mode VPN policy with no VTI bound to it.
My worry is that in 6 months when I have some obscure problem, support are going to say "Y U NO ADD VIRTUAL TUNNEL INTERFACE, TICKET CLOSED. HUR HUR HUR"
Hi @Arkwright, you would be best tagging in someone from SonicWall like @EnaBev for things like this to be clarified. I'd be interested to see why you can't carry on with your current settings if you are only using static routes.
Any ideas on this @EnaBev?
Hi @Arkwright,
Thanks for reaching out.
I have sent your comments to Support for their review and insight. You should hear back soon.
Let me know if you have any questions in the meantime.
Did you hear back, @EnaBev?
Hi @Arkwright,
Thanks for following up. This inquiry is now with our Product Management team.
I'll let you know once I hear back.
Great stuff.
I see this was updated today. The "Constraints for SD-WAN Groups" were amended but "Constraints for Member Interfaces" were not.
@Arkwright, as you've had no response to this last one, you'll probably need to include EnaBev to get this changed on the KB.
Somebody else must be watching because it's been updated now :)