2.2.a i Orchestration plane (vBond, NAT)

vBond

The vBond component is pretty much the key to the whole SD-WAN solution working. When a WAN Edge comes online, the only thing it knows about (learned from PnP, Zero-Touch Provisioning, or a manual or bootstrap config) is the vBond. The vBond then directs the WAN Edge routers on how to reach vManage (Management Plane) and vSmart (Control Plane).

You can have multiple vBond servers and use a single DNS record to point to them. The WAN Edges will go through each IP sequentially until one succeeds.

The process is basically:

  1. WAN Edge comes online and tries to call home to vBond.
  2. If it calls home to the Cisco Provisioning Server, it will be directed to its own organization’s vBond.
  3. The router and the vBond authenticate each other.
  4. The vBond tells the WAN Edge how to get to vSmart and vManage.
  5. After the router successfully connects to vSmart and vManage, the connection to the vBond is torn down.

NAT

The vBond also acts as a STUN server (WAN Edge being the STUN client). Basically the client includes its interface IP address in the payload of the DTLS tunnel message. The vBond can then compare the IP in the payload with the source IP. If they don’t match, then the vBond knows the WAN Edge IP is being NAT’d. The vBond makes sure to tell the WAN Edge router, that way the router can tell all his friends that he’s being NAT’d.

Also, vSmart and vManage can be NAT’d and will perform this same STUN operation when initially communicating with vBond.

One important thing to note: symmetric NAT (aka dynamic PAT) can be in use by only one peer; the other peer must have a public IP or a static NAT (full cone NAT). This is because symmetric NAT only works when the router being NAT’d initiates the conversation. If two symmetric NAT routers were trying to communicate with each other, they’d have no way of getting that initial conversation across.
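Here is an added example (not Cisco code, and not from this post) of the STUN-style check vBond performs and of the symmetric-vs-full-cone rule above. The message fields, edge names and addresses are all constructed for the illustration; the comparison logic is the one described: the edge writes its own interface address into the payload, vBond compares it with the source address it actually saw, and a mismatch means NAT is in the path. It goes one step beyond the post by classifying the NAT type from hellos sent to two different vBond addresses (same public mapping to both means static/full-cone, a different mapping per destination means symmetric), which is the standard STUN reasoning and is labelled as an assumption in the code.

```python
"""Added illustration of vBond's STUN-style NAT detection (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class HelloObservation:
    """What vBond learns from one edge hello: what the edge claims and what it saw."""
    edge_id: str
    advertised_ip: str     # address the edge wrote into the DTLS payload
    advertised_port: int
    observed_ip: str       # source address of the packet as received by vBond
    observed_port: int
    vbond_ip: str          # which vBond address this hello was sent to


def is_natted(obs: HelloObservation) -> bool:
    """NAT is in the path when the claimed and observed address (or port) differ."""
    return (ip_address(obs.advertised_ip) != ip_address(obs.observed_ip)
            or obs.advertised_port != obs.observed_port)


def classify_nat(observations: list[HelloObservation]) -> str:
    """Classify the NAT in front of one edge from hellos to different vBond addresses.

    Assumption (beyond the post): a public mapping that stays the same no matter
    which vBond address the edge talked to is a static / full-cone NAT; a mapping
    that changes per destination is symmetric NAT (dynamic PAT).
    """
    if not observations:
        raise ValueError("need at least one observation")
    if not any(is_natted(o) for o in observations):
        return "public"
    destinations = {o.vbond_ip for o in observations}
    if len(destinations) < 2:
        return "natted-unknown"  # one destination cannot tell the NAT types apart
    mappings = {(o.observed_ip, o.observed_port) for o in observations}
    return "full-cone" if len(mappings) == 1 else "symmetric"


def can_form_tunnel(nat_a: str, nat_b: str) -> bool:
    """The rule from the post: two symmetric-NAT peers cannot start a tunnel."""
    return not (nat_a == "symmetric" and nat_b == "symmetric")


# Constructed sample hellos (RFC 5737 documentation addresses, made-up ports).
VBOND_A, VBOND_B = "198.51.100.1", "198.51.100.2"
EDGES: dict[str, list[HelloObservation]] = {
    # Edge with a real public address: payload and source match.
    "edge-public": [
        HelloObservation("edge-public", "203.0.113.10", 12346, "203.0.113.10", 12346, VBOND_A),
        HelloObservation("edge-public", "203.0.113.10", 12346, "203.0.113.10", 12346, VBOND_B),
    ],
    # Behind a static NAT: private address inside, same public mapping to both vBonds.
    "edge-static": [
        HelloObservation("edge-static", "10.1.1.1", 12346, "192.0.2.5", 40000, VBOND_A),
        HelloObservation("edge-static", "10.1.1.1", 12346, "192.0.2.5", 40000, VBOND_B),
    ],
    # Behind dynamic PAT: a different public port is allocated per destination.
    "edge-symmetric": [
        HelloObservation("edge-symmetric", "10.2.2.1", 12346, "192.0.2.9", 51001, VBOND_A),
        HelloObservation("edge-symmetric", "10.2.2.1", 12346, "192.0.2.9", 51002, VBOND_B),
    ],
}


def nat_report() -> dict[str, str]:
    """Classify every constructed edge; this is what vBond would relay to the peers."""
    return {edge: classify_nat(obs) for edge, obs in EDGES.items()}


if __name__ == "__main__":
    report = nat_report()
    for edge, kind in report.items():
        print(f"{edge}: {kind}")
    print("symmetric <-> static tunnel possible:",
          can_form_tunnel(report["edge-symmetric"], report["edge-static"]))
    print("symmetric <-> symmetric tunnel possible:",
          can_form_tunnel("symmetric", "symmetric"))
```

Running it prints one line per constructed edge and then the two pairing checks, which show why the post insists that at most one side of a tunnel may sit behind dynamic PAT.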

Published by Gregory Leeson

(CCIE Security, #60398). A Cisco networking nut.
