Dynamic Mesh Tunnels Overview
In releases earlier than CSO 4.1.0, all the overlay tunnels for the site are established between branch sites during the Zero Touch Provisioning (ZTP) process.
However, starting with CSO Release 4.1.0, during ZTP, only the following static tunnels are established:
Between a branch site and the corresponding enterprise hub (primary enterprise hub or secondary enterprise hub)
Between a branch site and the provider hub (primary provider hub or secondary provider hub)
Between two enterprise hubs
Therefore, the communication between two branch sites (with SD-WAN Advanced service) is established only through the enterprise hub or the provider hub.
For sites with SD-WAN Advanced service, CSO dynamically creates or deletes a mesh tunnel (also called DVPN tunnel) between two branch sites directly so that the traffic does not go through an enterprise hub or a provider hub, if:
The number of sessions closed between two branch sites crosses the configured threshold value, and
The WAN links of branch sites have matching mesh tags. For more information, see Mesh Tags Overview.
The dynamic mesh feature is applicable only for SD-WAN Advanced sites (Full mesh).
Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or the Tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.
The tenant administrator can modify the default threshold value on the following pages:
The Administration > Tenant Settings page (Dynamic Mesh section) of Customer Portal (global level)
The Add Branch Site page
The Add Enterprise Hub page
The threshold value that you specify at site-level takes precedence over the global-level threshold values.
That is, the threshold value that you specify on the Add Site page (branch or enterprise hub) overrides the threshold value that you specified on the Tenant Settings page of Customer Portal.
CSO allows you to manually create or delete dynamic mesh tunnels between a source site and a destination site by using the Add On-Demand Mesh Tunnel or Delete On-Demand Mesh Tunnel pages in Customer Portal.
From Release 5.1.0 onward, CSO supports site-to-site tunnels for WAN links of CPE devices behind NAT in full mesh topology. In releases before Release 5.1.0, CSO supports private IP addresses for WAN links behind NAT only for the WAN links that are not selected for meshing, and such WAN links can establish the tunnels only to provider hubs. The support for CPE devices behind NAT in full mesh topology is applicable only for spoke devices. The OAM hubs, data hubs, and enterprise hubs or on-premise gateways require static public IP addresses for their WAN interfaces.