
ENSDWI Exam - Question 29


Company E wants to deploy Cisco SD-WAN with controllers in AWS. The company's existing WAN is on private MPLS without Internet access to controllers in AWS. An Internet circuit is added to a site in addition to the existing MPLS circuit. Which interface template establishes BFD neighbors over both transports?

A.

B.

C.

D.

Correct Answer:

The correct answer is B. In a scenario where Cisco SD-WAN controllers are deployed in AWS and the existing WAN is on a private MPLS without internet access to controllers in AWS, the MPLS transport will not be able to establish control connections with the controllers. By setting the 'Maximum Control Connections' to 0, we ensure that no control connections will be attempted over the MPLS link. This allows the establishment of BFD (Bidirectional Forwarding Detection) neighbors over both the MPLS and the newly added internet circuits by advertising the MPLS TLOCs over the internet transport. While the other options provide different functionalities, they do not address the specific requirement of establishing BFD neighbors over both the existing MPLS and the new internet transport.
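
The setting described above, written as vEdge CLI instead of a vManage interface template. This is an added example, not part of the original page or of Cisco's documentation; the interface names ge0/1 and ge0/2 and the color biz-internet are assumptions, and addressing is left out.

```text
! Constructed example: interface names and the biz-internet color are assumptions.
vpn 0
 ! Internet circuit: has a path to the controllers in AWS, so it carries
 ! the control connections to the controllers.
 interface ge0/1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ! MPLS circuit: no path to the controllers. With 0, the router does not
 ! attempt control connections on this transport; the MPLS TLOC is advertised
 ! over the Internet control connection, so IPsec/BFD can still form on MPLS.
 ! "restrict" is not set on the color.
 interface ge0/2
  tunnel-interface
   encapsulation ipsec
   color mpls
   max-control-connections 0
  !
  no shutdown
 !
!
! Checks after commit (operational mode):
!   show control connections   -> entries only for the biz-internet color
!   show omp tlocs             -> both the mpls and biz-internet TLOCs present
!   show bfd sessions          -> sessions up on both colors
```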

Discussion

27 comments
bearsaxman
Jan 26, 2023

This should be B. The question specifically states that the MPLS link has no connectivity to the controllers in AWS. Without configuring max-control-connections to 0, BFD sessions will not form on the MPLS link. The restrict option, while desirable, is not necessary. Tunnels will attempt from mpls<->biz-internet and will fail, but mpls<->mpls and biz-internet<->biz-internet tunnels will still form. Per Cisco Press's SD-WAN Book: "When a WAN Edge attempts to join the fabric, it attempts to build control connections across each transport deployed at that site. By default, if a transport doesn’t have control connectivity to any of the Cisco SD-WAN controllers, then it won’t build a data plane connection across that transport either. This is very common with cloud deployments where the controllers are in a public or private cloud and your MPLS transport has no connectivity to the Internet." Followed by this note: "There are a few options to still achieve data plane with no control connectivity. One option is to disable control connections on that transport via the max-control-connections command. "

JP4CCNP
May 30, 2023

B is the correct answer:
- vBond isn't reachable via MPLS (as explained in the text) -> so C can't be the right answer
- Only 1 control session makes no sense, because vSmarts are also controllers and not reachable via MPLS (as explained in the text) -> so D can't be the right answer
- Answer A limits the IPSEC tunnels to the color MPLS (but for this, the controllers' DTLS session must be formed to learn and advertise OMP routes)
- Answer B can only be the right answer, because by setting the max. control sessions to 0 we tell the edge device it is not possible to form control sessions over this MPLS link, and the edge device advertises the MPLS color TLOCs to the vSmart over the existing Internet control sessions. This helps to build IPSEC tunnels over private links without creating control tunnels over this cloud!

Tuchi
Jun 21, 2023

The key here is the BFD neighbors

Roger95
Nov 2, 2022

A. Wrong (restrict enabled will prevent tunnel establishment between different color types)
B. A control connection is not needed for this mpls TLOC (because, per the question, the mpls link has no connection to the controllers, so the controller connection will be up via the Internet link)
C. Due to the mpls link, I suspect there is no NAT, so vBond as STUN is not needed this time.
D. Same as B, the control connection is not needed here.
B or D are fine.

Idro
Nov 10, 2022

B is correct, the router shouldn't establish control connections through the mpls link. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html#r_control_connections_4876.xml On a vEdge router, configure two tunnel interfaces (two TLOCs). The tunnel on ge0/1 connects to a public WAN, and the tunnel on ge0/2 connects to a private MPLS network. The router establishes a control connection over ge0/1. The no control-connections command on ge0/2 disables attempts to establish control connections over the MPLS network.

Derek
Dec 20, 2022

We need the vBond STUN function to build BFD tunnel over the two WAN edges(transports) that don’t know each other. Private IP needs to be NAT via the internet link, non-control connection via TLOC is possible.

Zdrobici
Feb 1, 2023

"Which interface template establishes BFD neighbors over both transports?" So how can the MPLS establish a BFD peer with an INET transport? With STUN, because MPLS should know from vBond what its public IP is, right? Correct: C

densma
Apr 16, 2023

B is the only correct answer

Clouddon
Sep 27, 2023

D is correct

John662266
Dec 3, 2024

I think B is correct.

MiraGod
Sep 4, 2022

Can someone explain why A? It uses the restrict feature, meaning it would only form tlocs with the same color, and in this case it is MPLS; the requirements mention both transports, MPLS and Internet. I think it should be D. If someone has an explanation, please let me know.

phi5
Sep 12, 2022

This should not be A, please correct. It should be D. Agree with @MiraGod

pepegaston2021
Sep 26, 2022

Correct is D, because that config allows establishing a full mesh as soon as the new links come up in the vEdge.

hamidreza0010
Jun 14, 2023

D is the correct answer

begafas
Jul 21, 2023

B is the correct answer. If MPLS doesn't have access to the controllers, only max-control-connections set to 0 will allow it to form BFD tunnels on the MPLS link.

AJMD
Aug 5, 2023

B is correct

Aldebeer
Nov 28, 2023

B is correct

RafaJohnston76
Jan 26, 2024

B is correct. As per the requirements of the question the only correct answer is B. Here is what I found in a book: For transports that don’t need to facilitate control connectivity to the controllers (such as with MPLS, wherein the controllers are only reachable via the Internet), you must restrict control connections via the max-control-connections 0 command. This command is applied to the transport tunnel interface.

ckdwa123
Sep 25, 2024

I also believe it is B. https://community.cisco.com/t5/sd-wan-and-cloud-networking/cisco-sdwan-mpls-transport/td-p/4759812 It is similar thing and you force for max cc as 0 to not form control connections with controllers but you still force other tlocs to advertise this tloc in order to build data plane over it. "If that is true you can update the MPLS interface (under tunnel-interface) with "max-control-connections 0". This command will force the other two transports (gold, green) that can connect to the controllers to send the MPLS interface TLOC info to the controllers." If we choose vBond as Stun Server, it doesn't make sense as there is no NAT done in the MPLS circuit so how would it help? Private colors are not intended to be used with NAT. "On the other hand, private colors are intended for use on connections to clouds where NAT is not utilized"

mitssato
Sep 12, 2022

D is correct.

lecha3096
Sep 16, 2022

A is wrong because of Restrict. B is wrong because of 0 control connections. Why D, not C?

luctieuphung
Dec 28, 2022

B is not wrong. "Control connections 0" means the tunnel on the MPLS link does not establish a control connection (it does not try to establish one because the MPLS transport cannot reach AWS). So it can connect to the controller via the Internet link.

Erik_N
Nov 29, 2022

C is correct, disable restrict to form tunnels over all links. You need at least two permanent control connections. One to vSmart and one to vManage. The STUN setting is not relevant, and should be set to on normally for NAT traversal

Seb82
Dec 2, 2022

Correct answer is A. "Which interface template establishes BFD neighbors over both transports?" The question doesn't say anything about full-mesh. "over both transports", meaning mpls-mpls and internet-internet. D will not create a full mesh because of the max control connection set to 1 anyway.

hamidreza0010
Apr 28, 2023

D is the correct answer

NetArch_Teck
Jul 10, 2023

A is the correct answer. Please remember the question specifies an existing topology of an MPLS TLOC, so you want to restrict this to MPLS, and leave the maximum connections ticked. This would complete the question. I have also rolled out this policy to the controllers for a customer where they added two circuits to an existing topology being MPLS from an ISP.

creaakz
Sep 3, 2023

"Which interface template establishes BFD neighbors over both transports?" That immediately rules out the Restrict option. B is correct, you don't want to establish control connection through the MPLS link (since it doesn't reach the controllers).

hamed4maf
Dec 16, 2023

B is correct because MPLS is not used for the control connection, and max-control-connection on this interface must be 0.
A is not correct, because restrict is one of the OMP attributes that is used for the data plane, not the control plane.
C is not correct, because vBond is used as a STUN server when the other controllers are also put in the cloud.
D is not correct, because when we use the Internet connection for the vBond connection, we must set max-control-connection = 0 on MPLS.

Vinay_Harish
Feb 18, 2024

I suppose D is the correct answer, due to reasons below, 1. As per the question "which interface template establishes BFD neigh over both interface". Which means we need to allow at least 1 control connections on each of the links in-order to form the control connections and in-turn the BFD neigh.

Arsenal16
Jan 25, 2025

I think B is correct. When the Restrict option is turned On, it may limit the traffic to only specific paths or interfaces, which can interfere with the establishment of BFD neighbors across both the MPLS and Internet links.