SD-WAN plugin changes the interface zone to "zone-to-branch"
Created On 07/13/22 21:08 PM - Last Modified 06/01/23 09:31 AM
Symptom
- The following two behaviors are observed when pushing the SD-WAN config to the hub firewall with the SD-WAN interface profile configured with the MPLS link type:
  - SD-WAN auto provision changes the zone name to "zone-to-branch".
  - Tunnel and physical interfaces are seen in a mixed bundle.
Environment
- Panorama with SD-WAN Plugin
Cause
- As part of the "dia failover mpls" feature, the physical interface eth1/X is added to the SD-WAN VIFs (sdwan.90X), where it is seen mixed with other tunnel interfaces. The zone "zone-to-branch" is also assigned to the eth1/X interface.
- This is all done by SD-WAN auto provision, and customers have no visibility into how it is being done in the background by the SD-WAN scripts.
- The behavior is expected, and the following is seen on the hub side when the link type is MPLS:
  - The ethernet interface's zone changes to "zone-to-branch".
  - The ethernet interface is added/bundled with other tunnel interfaces in the same SD-WAN VIF by the SD-WAN plugin.
Lab test:
- The SD-WAN config on the hub and branch devices has one of the physical interfaces, "eth1/3", configured with an SD-WAN interface profile whose link type is set to MPLS.
- The interface has the zone set to "L3-Untrust".
- Hub interface/zone config as seen in the panorama.
- SD-WAN Interface Profile config
- After pushing the config from Panorama to the hub, SD-WAN auto provision changes the zone from "L3-Untrust" to "zone-to-branch".
- eth1/3 was bundled with other tunnel interfaces in the same SD-WAN VIF.
Resolution
- The behavior is expected: as part of the DIA feature, the zone name is changed and the interfaces are placed in a mixed bundle.