Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SD-WAN with un-numbered VPN tunnels

ArkwrightArkwright Cybersecurity Overlord ✭✭✭
edited February 2022 in Mid Range Firewalls

What is the deal with numbered vs un-numbered VPN tunnels + SD-WAN? Both the web interface and CLI documentation for SD-WAN + VPN describe using numbered VPN tunnels to do this, but don't explain why you would do it this way.

The reason I ask is:

  • It is possible to add an un-numbered tunnel to an SD-WAN group
  • It works [performance probes work, traffic is passed]
  • It's a lot less work and admin overhead [eg finding a free /30 or /31 for every. single. VPN.]

This:

https://www.sonicwall.com/support/knowledge-base/introduction-to-sonicwall-sd-wan-software-defined-wide-area-network/190213085330745/


says:

"Constraints for Member Interfaces

  • Member interfaces can only be WAN or Numbered Tunnel Interfaces"

but this doesn't seem to be true.

Any ideas?

Category: Mid Range Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    EnaEna Administrator
    Answer ✓

    Hi @Arkwright

    Thanks so much for your patience regarding this inquiry. It looks like the KB article was outdated - Support and our KB management team are working to update the article with the latest information. You should see an update either today or tomorrow.

    Ena Bevrnja

    SonicWall Community Manager

Answers

  • prestonpreston Enthusiast ✭✭
    edited February 2022

    Hi @Arkwright, in my experience it doesn't make any difference, I think that was just the preference for whoever set up the guide, I would only use numbered Tunnel Interfaces with Advanced Routing like OSPF or BGP for static routing stick with unnumbered.

    I presume when you say Unnumbered you are not creating VPN Tunnel Interfaces in the Network/Interfaces Page and just selecting Tunnel Interface as the VPN Type?

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭
    edited February 2022

    Yes, by "unnumbered" I mean a tunnel-mode VPN policy with no VTI bound to it.

    My worry is that in 6 months when I have some obscure problem, support are going to say "Y U NO ADD VIRTUAL TUNNEL INTERFACE, TICKET CLOSED. HUR HUR HUR"

  • prestonpreston Enthusiast ✭✭

    Hi @Arkwright, you would be best tagging in someone from SonicWall like @EnaBev for things like this to be clarified, I'd be interested to see why you can't carry on with your current settings if you are only using static routes

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Any ideas on this @EnaBev?

  • EnaEna Administrator

    Hi @Arkwright,

    Thanks for reaching out.

    I have sent your comments to Support for their review and insight. You should hear back soon.

    Let me know if you have any questions in the meantime.

    Ena Bevrnja

    SonicWall Community Manager

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Did you hear back @EnaBev ?

  • EnaEna Administrator

    Hi @Arkwright,

    Thanks for following up. This inquiry is now with our Product Management team.

    I'll let you know once I hear back.

    Ena Bevrnja

    SonicWall Community Manager

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Great stuff.

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    I see this was updated today. The "Constraints for SD-WAN Groups" were amended but "Constraints for Member Interfaces" were not.

  • prestonpreston Enthusiast ✭✭

    @Arkwright , as you've had no response to this last one, you'll probably need to include Enabev to get this changed on the KB

  • ArkwrightArkwright Cybersecurity Overlord ✭✭✭

    Somebody else must be watching because it's been updated now :)

Sign In or Register to comment.