Exam 300-415
Question 264

Refer to the exhibit. Which NAT type must the engineer configure for the vEdge router to bring up the data plane tunnels?

    Correct Answer: B

    To bring up the data plane tunnels, the engineer must enable Full Cone NAT on the vEdge interface. Full Cone NAT allows both internal and external hosts to initiate connections to each other, which is necessary for establishing reliable data plane tunnels in an SD-WAN environment. Full Cone NAT is recommended for scenarios involving VPN tunnels and high levels of interaction between network segments behind NAT routers.

Discussion
soltani (Option: C)

This question asked which NAT type; there are several types of NAT:
* Full cone NAT: in this way internal and external hosts can initiate connections to each other.
* Symmetric NAT: in this way, only internal hosts can initiate connections to external hosts, and it is suitable where a number of internal users need access to the internet.
* Address restricted cone NAT: this type of NAT works similar to full cone NAT, but with the difference that an external host is only allowed to communicate with an internal host if that internal host has communicated with the external host before.
* Port restricted cone NAT: this type of NAT is like address restricted cone NAT, except it uses the port number as a filter.
Because the private IP needs to access the internet, I think C is correct.

NetArch_Teck (Option: B)

The question describes the vEdge router to the NAT router (in a private network). This eliminates option D (use a public color on the TLOC). This is all from my working knowledge working within SD-WAN and being a Network Architect for 5 years. Due to the relatively new technology, there isn't a blueprint or templates to reference for this. At least one side of the WAN Edge tunnel can always initiate a connection inbound to a second WAN Edge even if there is a firewall in the path. It is recommended to configure full-cone, or 1-to-1 NAT at the data center or hub site so that, regardless of what NAT type is running at the branch (restricted-cone, port-restricted cone, or symmetric NAT), the branch can send traffic into the hub site using IPsec at a minimum without issue. The logical answer here would be [B] - Full Cone NAT. Link reference: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

brutusmail (Option: D)

looks good

cioby

Can you explain why D is the correct answer? Thank you.

RafaJohnston76 (Option: B)

https://learningnetwork.cisco.com/s/question/0D56e0000CTs3eYCQR/nat-traversal-on-cisco-sdwan

brutusmail

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html (search for "color")

NetArch_Teck

The question specifically requires the NAT type; a public IP address is not a NAT type. There are only two real choices to be made here (Full Cone NAT or Symmetric). I have given my explanation below as to why it would be Full Cone NAT.

begafas

Correct answer is D. Where do you see mention of a public IP? Why would you configure NAT on the vEdge when you already have a device which is already doing that? I've deployed a similar setup and configured only the biz-internet color on the cEdge interface, NAT being handled by the next router.

timtgh

Full cone NAT is needed, but on the NAT router, not the vEdge. The sensible action here would be using a public color. True, that doesn't match the wording of the question, asking for a NAT type. But it's also true that configuring NAT on the vEdge is ridiculous. So it's a 50/50 guess. Did they stupidly decide that the engineer should enable NAT on the vEdge, or did they stupidly mess up the wording, by saying "which NAT type" in the question instead of "which configuration."

timtgh

If for some reason the vEdge router does need a NAT config, it's automatically full cone. The symmetric and restricted cone methods are uncommon, and (unless I'm mistaken) are not options on the vEdge. Cisco docs mention these NAT methods to warn customers that third party NAT devices may be using them, which causes problems for SD-WAN. So when they say full cone NAT is preferable, they are usually talking about the third-party NAT devices. This is a really badly worded question overall.

Stanleymahamadi (Option: B)

Correct Answer B

abvga (Option: C)

The question clearly describes that the NAT should be on the router facing the internet, not the vEdge. In order to form the control connections it needs to be NATted on the border router. Thus the answer is Symmetric NAT.

thinqtanklearningDOTcom (Option: B)

See below

thinqtanklearningDOTcom

WAN Edge routers always reach out to the vBond controller first to learn about the rest of the components in the fabric. During this process, they also learn whether they are behind a NAT device. When the WAN Edge initially connects to the vBond, it inserts its real IP address into the exchange. When this packet passes through the NAT device, the source IP and possibly the source port are translated. Because the message still contains the WAN Edge real IP and port, the vBond can send a message back to the WAN Edge. The message notifies the WAN Edge that it is behind a NAT (because the real IP differs from the NAT-translated IP that was received in the exchange).

thinqtanklearningDOTcom

The WAN Edge then inserts this information into its OMP TLOC route and sends it to the vSmart controller. If these values are different, the WAN Edge is behind a NAT device. This information is then reflected to all WAN Edges in the overlay, and the routers use this information to build their data plane. The way to achieve this NAT detection is by using STUN (RFC 5389). In the example, WAN Edge 2 has received an OMP TLOC route from the vSmart to reach WAN Edge 1 through its public address.

thinqtanklearningDOTcom

I AM CHANGING MY ANSWER TO C - BASED ON THE DIRECTION OF THE TRAFFIC. They are suggesting that this vEdge device is initiating the connection.

thinqtanklearningDOTcom

Symmetric NAT - Request from the same internal socket to a specific destination IP address and port is mapped to a unique external source socket. Only an external host that receives a packet from an internal host can send a packet back. With the symmetric NAT method, each request from the same internal socket to a specific destination socket is mapped to a unique external source socket. If the same internal host sends a packet with the same source socket but to a different destination, the NAT device creates a different mapping. Only an external host that receives a packet from an internal host can send a packet back. WAN Edge routers support symmetric NAT only on one side of the WAN tunnel. That is, when a WAN Edge router operates behind a NAT device that is running symmetric NAT, only one NAT device at either end of the tunnel can use symmetric NAT.

thinqtanklearningDOTcom

The WAN Edge router that is behind a symmetric NAT cannot establish a BFD tunnel with a remote WAN Edge router that is behind symmetric NAT, address-restricted NAT, or port-restricted NAT. To allow a WAN Edge router to function behind a symmetric NAT, you must configure the vManage and vSmart control connections to use TLS. DTLS control connections do not work through a symmetric NAT.
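A toy model of the NAT detection described in the posts above, added here as an illustration and not code from the thread or from Cisco. The simulated edge sends a STUN-style probe carrying its real socket to two controller addresses; the receiver compares the observed outer source with the embedded socket to decide whether the edge is behind NAT, and (going a step beyond the post, along the lines of RFC 5780 behaviour discovery) whether the mapping is per-destination, which is the symmetric case the thread warns about. All addresses and ports are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]


@dataclass
class Nat:
    """Minimal NAT model: cone NATs map per source socket, symmetric NATs
    map per (source, destination) pair, so each destination sees a new port."""
    public_ip: str
    symmetric: bool
    next_port: int = 40000
    table: Dict[tuple, Socket] = field(default_factory=dict)

    def translate(self, src: Socket, dst: Socket) -> Socket:
        key = (src, dst) if self.symmetric else src
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def probe(real: Socket, nat: Optional[Nat], controllers: List[Socket]) -> dict:
    """Edge sends a probe (payload = its real socket) to each controller.
    Each controller reports the outer source it observed; the comparison
    with the embedded real socket is the NAT detection from the post."""
    observed = [nat.translate(real, c) if nat else real for c in controllers]
    behind_nat = any(outer != real for outer in observed)
    if not behind_nat:
        mapping = "none"
    elif len(set(observed)) > 1:       # port changed per destination
        mapping = "endpoint-dependent (symmetric)"
    else:                              # same public socket for every peer
        mapping = "endpoint-independent (cone)"
    return {"behind_nat": behind_nat, "mapping": mapping, "observed": observed}


def bfd_tunnel_possible(nat_a: str, nat_b: str) -> bool:
    """Rule quoted in the thread: a symmetric NAT is tolerated on at most one
    side, and only when the far side is full cone (or not NATted at all)."""
    if "symmetric" not in (nat_a, nat_b):
        return True
    other = nat_b if nat_a == "symmetric" else nat_a
    return other in ("full-cone", "none")


if __name__ == "__main__":
    edge = ("10.1.1.1", 12346)                                # constructed
    ctrls = [("203.0.113.10", 12346), ("203.0.113.11", 12346)]
    print(probe(edge, Nat("198.51.100.1", symmetric=True), ctrls))
```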

salmarin (Option: A)

Private colour, so the public IP is used to establish the tunnel.

begafas (Option: D)

Correct answer is D.

steed47 (Option: B)

The logical answer here would be [B] - Full Cone NAT