Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

SD-WAN with un-numbered VPN tunnels

ArkwrightArkwright Cybersecurity Overlord ✭✭✭
edited February 2022 in Mid Range Firewalls

What is the deal with numbered vs un-numbered VPN tunnels + SD-WAN? Both the web interface and CLI documentation for SD-WAN + VPN describe using numbered VPN tunnels to do this, but don't explain why you would do it this way.

The reason I ask is:

  • It is possible to add an un-numbered tunnel to an SD-WAN group
  • It works [performance probes work, traffic is passed]
  • It's a lot less work and admin overhead [eg finding a free /30 or /31 for every. single. VPN.]

This:

https://www.sonicwall.com/support/knowledge-base/introduction-to-sonicwall-sd-wan-software-defined-wide-area-network/190213085330745/


says:

"Constraints for Member Interfaces

  • Member interfaces can only be WAN or Numbered Tunnel Interfaces"

but this doesn't seem to be true.

Any ideas?

Category: Mid Range Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    EnaEna SonicWall Employee
    Answer ✓

    Hi @Arkwright

    Thanks so much for your patience regarding this inquiry. It looks like the KB article was outdated - Support and our KB management team are working to update the article with the latest information. You should see an update either today or tomorrow.

Answers

  • prestonpreston Enthusiast ✭✭
    edited February 2022

    Hi @Arkwright, in my experience it doesn't make any difference, I think that was just the preference for whoever set up the guide, I would only use numbered Tunnel Interfaces with Advanced Routing like OSPF or BGP for static routing stick with unnumbered.

    I presume when you say Unnumbered you are not creating VPN Tunnel Interfaces in the Network/Interfaces Page and just selecting Tunnel Interface as the VPN Type?

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭
    edited February 2022

    Yes, by "unnumbered" I mean a tunnel-mode VPN policy with no VTI bound to it.

    My worry is that in 6 months when I have some obscure problem, support are going to say "Y U NO ADD VIRTUAL TUNNEL INTERFACE, TICKET CLOSED. HUR HUR HUR"

  • prestonpreston Enthusiast ✭✭

    Hi @Arkwright, you would be best tagging in someone from SonicWall like @EnaBev for things like this to be clarified, I'd be interested to see why you can't carry on with your current settings if you are only using static routes

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Any ideas on this @EnaBev?

  • EnaEna SonicWall Employee

    Hi @Arkwright,

    Thanks for reaching out.

    I have sent your comments to Support for their review and insight. You should hear back soon.

    Let me know if you have any questions in the meantime.

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Did you hear back @EnaBev ?

  • EnaEna SonicWall Employee

    Hi @Arkwright,

    Thanks for following up. This inquiry is now with our Product Management team.

    I'll let you know once I hear back.

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Great stuff.

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    I see this was updated today. The "Constraints for SD-WAN Groups" were amended but "Constraints for Member Interfaces" were not.

  • prestonpreston Enthusiast ✭✭
    https://community.sonicwall.com/technology-and-support/discussion/comment/13895#Comment_13895

    @Arkwright , as you've had no response to this last one, you'll probably need to include Enabev to get this changed on the KB

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Somebody else must be watching because it's been updated now :)

Sign In or Register to comment.