"Vbond-as-stun-server" sounds like an innocous command, but it is not. Here's why.

 I've been there. 

You've got an SD-WAN edge device behind NAT and you just can't get it to join the control-plane fabric, or even worse: It's joined to the control plane and vSmart, but some or all of it's BFD tunnels are down.

In our brave new world where google search results consist entirely of SEO Garbage or AI slop, you'll likely be misled into believing the Vbond-as-stun-server command, allow-service stun may allow your edge router to traverse the treacherous NAT path. 

You might get even more confident once you see the thousands of incorrect posts on the cisco supportforums erroneously claiming that by default vBond uses STUN to determine if a device is behind NAT. This is completely incorrect.

 

Before you use this command and instantly regret typing out "commit", it's worth taking a quick look at the Cisco SD-WAN cEdge CLI command reference:

Command: Vbond-as-stun-server

To enable Session Traversal Utilities for NAT (STUN) and allow the tunnel interface to discover its public IP address and port number when the Cisco IOS XE SD-WAN device is located behind a NAT, use the vbond-as-stun-server command in tunnel interface configuration mode. When you configure this command, Cisco IOS XE SD-WAN devices can exchange their public IP addresses and port numbers over private TLOCs. To disable STUN, use the no form of the command.

Command Default:
STUN is not enabled by default.

Sounds great right? Silly Cisco! Why would you not enable this by default? it's so useful!

The usage guidelines tell a different story, 

With this configuration, the Cisco IOS XE SD-WAN device uses the Cisco vBond orchestrator as a STUN server, so that the device can determine its public IP address and public port number. The device cannot learn the type of NAT that it is behind. No overlay network control traffic is sent and no keys are exchanged over tunnel interface configured to use the Cisco vBond orchestrator as a STUN server. However, BFD does come up on the tunnel, and data traffic can be sent on it.

As you can probably understand from the bolded text, this command is not very likely to help you with getting your control plane traffic to work over NAT since it disables control traffic over interfaces configured with this command!

The logic here is that the Edge router already has a way of determining its public IP and private IP, that's what the vBond is for! 

When an Edge router connects to the hostname* you have specified for the vBond, in the DTLS exchange it will provide it's "real" (Private IP Address) and source Port to the vBond. 

If the Edge router is behind a NAT device, the vBond will be able to determine this by looking at the source ip and source port of the DTLS packet as compared to the "real" (Private IP) and source port the Edge router asserts in the DTLS exchange 

So, as you can see, the "stun" protocol is not needed by vBond here, it's got it's own way of determining if your device is behind NAT. 

In conclusion, it's very unlikely the "vbond-as-stun-server" command is going to help you, in fact it's very likely to cause you just completely lose connection to your Edge router since, as stated in the CLI reference:

"No overlay network control traffic is sent and no keys are exchanged over tunnel interface configured to use the Cisco vBond orchestrator as a STUN server."

It's worth noting the CLI reference points out that BFD tunnels will still be established over any interface configured with this command. Hey Cisco, can't I accomplish that just by using control-preference commands? This command to me at least, seems like a solution looking for a problem. 

Then again, I could be wrong dear reader! If you've had a reason to use this command, please comment and let me know i'd be interested to learn more.

Happy NAT-Traversal everyone!

*As per my previous blog post, It's not best practice or good design to use an IP address when configuring the system vbond command because the hostname can be configured to return two IP addresses in the DNS response, Your Edge router needs to be able to talk to at least two separate vBond's in order to correctly determine what "type" of NAT gateway you are behind (Address Independent or Port independent)

A useful command that displays your Windows network stacks calculated Path MTU, Estimated Path Speed and RTT time for your recent IP or IPv6 destinations!

I recently stumbled across this useful windows command to show what MTU value windows will try and use for your IP connections based on the source, next hop and destination address.

 netsh interface ipv4 show destinationcache

Interface 10: Ethernet

PMTU Destination Address                           Next Hop Address

---- --------------------------------------------- -------------------------

1500 4.153.29.52                                   192.168.1.1

1500 13.91.148.88                                  192.168.1.1

You can even add the level=verbose option to display Windows estimated path speed as well as the RTT Mean (average) and RTT Deviation (also known as jitter.)

In this example, I am also passing the address parameter so you can see the syntax if you want to drill down to a specific destination, the level=verbose param works fine with or without a destination specified :)

netsh interface ipv4 show destinationcache address=74.214.24.53 level=verbose

Destination              : 74.214.24.53

Next Hop Address         : 192.168.1.1

Source                   : 192.168.1.11

Interface                : Ethernet

Path MTU                 : 1500

Upper-layer MTU          : 1480

RTT mean                 : 16

RTT deviation            : 6

Path transmit speed (Bps): 10337720

Path receive speed (Bps) : 28962424

Link transmit Speed (bps): 1000000000

Link receive Speed (bps) : 1000000000

Flags                    : 0x0

To get the same info for IPv6, just replace ipv4 with ipv6 in your netsh command.

The important of two vBond Controllers

 Hi Guys

Just a quick note: if you only have one vBond controller, you are never going to be able to discover what kind of NAT you are behind, so don't get into the habit of using IP addresses in your system->vbond commands as this will mean that you're not going to be able to determine the NAT type.

If you do use a static "ip host" command, make sure you specify TWO addresses:

ip host vbond-9991397001.sdwan.cisco.com 1.9.151.47 27.155.41.205

use the "show sdwan control local-properties" to find your nat type:

 NAT TYPE: E -- indicates End-point independent mapping

           A -- indicates Address-port dependent mapping

           N -- indicates Not learned

           Note: Requires minimum two vbonds to learn the NAT type

session target loopback:rtp

Hi Everyone!

I came across a feature for Cisco CUBE called loopback RTP. 

It's a great way to test your CUBE SIP configuration by creating a dial-peer that, when matched, will provide a "Test call echo" type feature that simply echo's your voice. Very similar to a skype test call.

Here's a quick example of the configuration:

dial-peer voice 1000 voip

 session protocol sipv2

 destination-pattern 1000

 session target loopback:rtp

!

The feature can be configured on IOS 15 and above.

Check out the description of the feature and link below for additional info, including how to utilize it for testing incoming video calls too :)

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube_proto/configuration/15-mt/cube-proto-15-mt-book/voi-rtp-media.html

"RTP packets are looped back toward the source device when the RTP Media Loopback for SIP Calls feature is configured on a dial peer. The SIP RTP media loopback can be used during Cisco UBE deployments to make test calls to verify the media path between the endpoints and Cisco UBE. In a voice loopback call, an echo is heard at the device originating the call. In a video loopback call, the locally captured video and the audio echo must be rendered at the source device."

(Oh, and apologies for the lack of blog posts, You should see a lot more from me this year, with a lot of posts on SD-WAN coming up!)

The growing importance of DNS in your CUCM configs

Hi Guys!

It used to be that DNS was an afterthought for most CUCM deployments, many engineers advocated at one point or another just using an IP address rather than dealing with the system team who could either be extremely cooperative or extremely slow.

Those days are GONE, my friends. 

Every bit of UC software you use should be properly configured with DNS.

 Infact, anywhere you CAN use DNS, you should be using it.

The main driver for this is definitely Jabber, I can't count the number of things that can go wrong with Jabber if you do not have your DNS configured correctly.

If you absolutely must get a system up very rapidly and the sysadmin team have been very slow to get there side finished, you can use a router as a temporary DNS server:

The config for this is shown below:

conf t
 ip domain-name
ip  dns server
ip name-server 8.8.8.8 4.4.2.2

ip host _cisco-uds._tcp.ccierants.com srv 0 10 8443 cucm01.ccierants.com
ip host cucm01 192.168.1.10
ip host unity 192.168.1.20
ip host imp 192.168.1.30
ip host _cuplogin._tcp.ccierants.com srv 0 10 8443 imp.ccierants.com


As you can see from the example above, you can use the host command to specify manual DNS entries, you can even do SRV records etc, the only records i can't seem to see are CNAME records, but for our purposes this does not matter.

You can then point your UC servers to this router as there DNS server as a temporary workaround while you wait for the system administration team.