Port Hopping:
WAN Edge devices manage control plane connectivity using port hopping.
To summarize and clarify:
-
Default base port:
12346 -
Port hopping pattern: Increments by
20, trying12366,12386,12406,12426, then loops back. -
Enabled by default on WAN Edge routers, but can be disabled globally or per interface
-
Recommended practice:
-
Enable on branches for better connection reliability
-
Disable on data centers, hubs, or high-traffic locations to avoid connection disruption
-
-
Disabled by default on controllers (vManage, vSmart) and should remain disabled
-
vManage/vSmart with multi-core setup: Use different base ports per core
Port Offset:
Why Use Port Offsets Behind NAT?
When multiple WAN Edge routers sit behind the same NAT device and share a public IP address, if they all use the same base port (12346) to initiate connections to the controllers, the NAT device may not handle translation cleanly, causing connection failures or instability.
Solution: Port Offset
-
Base Port: 12346
-
With Port Offset = 1:
-
Base port becomes 12347
-
Port hopping pattern becomes: 12367, 12387, 12407, 12427
-
vBond IPs and port are static, It is recommended to permit UDP destination port 12346 to vBond and permit UDP source port 12346 from vBond.
This offset ensures each WAN Edge behind the same NAT has a unique source port pattern, minimizing NAT conflicts and making port usage predictable.
Default Behavior
-
Port Offset = 0 by default (i.e., no change from 12346)
-
You must explicitly configure an offset per WAN Edge router
Now Lets Play with Port-offset
from vEDGE to Other vEDGE and Controllers BFD session and Control Connections with destination UDP port 12346
Lets change the Port-offset = 2 on vEDGE
all BFD and IPsec tunnel are reset
No comments:
Post a Comment