Konnect Hub Use Cases
The Konnect Hub service supports the following four use cases for TCP, UDP & ICMP.
Site to Internet {via Hub} - (Red line)
Site to Intranet (Blue line)
Site to Site (Green line)
Intranet to Site (Purple line)
These workflows can understood easily by using the below flowchart:
Konnect Hub Use Cases
Use Case 1: Site to Internet (via Hub)
Sessions from a client connected to an access network at a remote site device to a server in the Internet - This use case is shown in red in the Figure Konnect Hub Use Cases. This facility is available in both the Standard Hub and the Enterprise Hub License types.
Use Case 1 - Site to Internet {via Hub}
Steps for configuration:
The configuration done in the Configuration Wizard > General Settings > Konnect Hub screen is the same for all use cases. Please refer section Configuration in the Konnect Hub page of the online help for the required steps.
-20240418-193831.png?inst-v=cde043d3-1605-487a-8870-49f756b2f30d)
Konnect Hub Configuration
The difference between the available use cases is brought upon only by the Access Networks - Configuration.
During the Access Networks - Configuration, in the NAT Type field, select any option from the dropdown menu. The available mapping options are NONAT, SNAT and NETMAP.
All these three mapping types will support Use case 1: Site to Internet (via Hub).
If the NAT Type is SNAT or NETMAP, an additional field ‘Map To’ will be available. This is where the remote subnet will be mapped to in the Konnect Hub server.
For SNAT, the ‘Map To’ field can be a CIDR subnet, or just an IP
For NETMAP, the ‘Map To’ field must be a CIDR subnet, with the same prefix length as that of the ‘Edge Device Subnet’ field.
Access Networks Configuration
Use Case 2: Site to Intranet
Sessions from a client connected to an access network at a remote site device to a server in an Intranet (i.e. an access network local to the Konnect Hub server) – This use case is shown in blue in the Figure Konnect Hub Use Cases. This facility is available in the Enterprise Hub license type only.
Use Case 2 - Site to Intranet
Steps for configuration:
The configuration done in the Configuration Wizard > General Settings > Konnect Hub screen is the same for all use cases. Please refer section Configuration in the Konnect Hub page of the online help for the required steps.
Konnect Hub Configuration
The difference between the available use cases is brought upon only by the Access Networks - Configuration.
During the Access Networks - Configuration, in the NAT Type field, select any option from the dropdown menu. The available mapping options are NONAT, SNAT and NETMAP.
All these three mapping types will support Use case 2: Site to Intranet.
If the NAT Type is SNAT or NETMAP, an additional field ‘Map To’ will be available. This is where the remote subnet will be mapped to in the Konnect Hub server.
For SNAT, the ‘Map To’ field can be a CIDR subnet, or just an IP
For NETMAP, the ‘Map To’ field must be a CIDR subnet, with the same prefix length as that of the ‘Edge Device Subnet’ field.
Access Networks Configuration
Use Case 3: Site to Site
Sessions from a client connected to an access network at a remote site device to a server connected to an access network at another remote site device – This use case is shown in green in the Figure Konnect Hub Use Cases. This facility is available in the Enterprise Hub only.
Use Case 3 - Site to Site
Steps for configuration:
The configuration done in the Configuration Wizard > General Settings > Konnect Hub screen is the same for all use cases. Please refer section Configuration in the Konnect Hub page of the online help for the required steps.
Konnect Hub Configuration
The difference between the available use cases is brought upon only by the Access Networks - Configuration.
During the Access Networks - Configuration, in the NAT Type field, select any option from the dropdown menu. The available mapping options are NONAT, SNAT and NETMAP.
NONAT mapping type will support both outgoing and incoming sessions in Use case 3: Site to Site.
SNAT & NETMAP will support the outgoing sessions but will not support incomings sessions in Use case 3: Site to Site.
If the NAT Type is SNAT or NETMAP, an additional field ‘Map To’ will be available. This is where the remote subnet will be mapped to in the Konnect Hub server.
For SNAT, the ‘Map To’ field can be a CIDR subnet, or just an IP
For NETMAP, the ‘Map To’ field must be a CIDR subnet, with the same prefix length as that of the ‘Edge Device Subnet’ field.
Access Networks Configuration
Use Case 4: Intranet to Site
Sessions from a device connected to an Intranet (i.e. an access network local to the Konnect Hub server) to a server connected to an access network at a remote site device – This use case is shown in purple in the Figure Konnect Hub Use Cases. This facility is available in the Enterprise Hub only.
Use Case 4 - Intranet to Site
Steps for configuration:
The configuration done in the Configuration Wizard > General Settings > Konnect Hub screen is the same for all use cases. Please refer section Configuration in the Konnect Hub page of the online help for the required steps.
Konnect Hub Configuration
The difference between the available use cases is brought upon only by the Access Networks - Configuration.
During the Access Networks - Configuration, in the NAT Type field, select the NONAT option from the dropdown menu.
Only NONAT mapping type will support Use case 4: Intranet to Site.
Access Networks Configuration
Please note the following:
Whether a Konnect Hub server is a Standard Hub or an Enterprise Hub is determined by its license.
It is possible to apply application policies and traffic policies at both the Remote Site Device and the Konnect Hub. Any policy defined at any given network node will be enforced as the traffic flows through that network node.
Mapping Networks from Site to Hub
There are three mapping types supported to map the address of any endpoint at the remote site to the address seen by the Konnect Hub. These mapping types are:
Direct Mapping:
This is the ‘NONAT’ mapping where the address seen at the hub is the same as the address at the remote site. This type of mapping supports all 4 use cases.
If this mapping is used for a subnet at a remote site, that subnet must not be in conflict with any other subnet at any other remote site or at the hub. In this type of mapping it is not necessary to manipulate TCP & UDP ports.
A remote access network mapped like this will support:
All ‘Site to …’ use cases as – i.e. a client from this network will be able to initiate TCP & UDP sessions (and ICMP ‘
ping') to:Any server on the Internet,
Any server on any Intranet connected to the hub
Any server connected to any other Site.
All ‘… to Site’ use cases – i.e. a server on this network will be able to accept and serve sessions from:
Any client connected to any other Site
Any client on any Intranet connected to the Hub
Traffic Policies and Application Policies can be configured at the Konnect Hub for to traffic to & from subnets for which this type of mapping is applied, and also to individual IP Addresses within such subnets.
This mapping is only available in an enterprise hub. To configure this kind of mapping, the following must be known to, and configured at, the hub:
The name of the remote site
The subnet (at the remote site) of the access network being mapped.
Network Address Translation:
In this mapping the address at the remote site undergoes Source Network Address Translation (S-NAT) at the hub, such that multiple endpoint addresses from remote sites are mapped to one address (or a small number of addresses) at the hub.
Because of its very nature, this type of mapping requires that connections be tracked and if required TCP & UDP port numbers will be manipulated at the Konnect Hub.
A remote access network mapped like this will support all ‘Site to …’ use cases as – i.e. a client from this network will be able to initiate TCP & UDP sessions (and ICMP ‘ping') to:
Any server on the Internet,
Any server on any Intranet connected to the hub
Any server connected to any other Site.
This type of mapping will not support any of the the ‘… to Site’ use cases – i.e. a server on this network will not be able to accept and serve sessions from:
Any client connected to any other Site
Any client on any Intranet connected to the Hub
There are three styles of this mapping:
The ‘Anonymous’ (or ‘Default’) SNAT Mapping
This sub-type of mapping is available at a standard hub, where it is the only mapping available for this kind of hub. It is also available, by default, at an enterprise hub to catch remote subnets not otherwise mentioned – but this facility may be disabled if desired.
This type of mapping supports the following use cases:
Site to Internet
Site to Intranet
Only outgoings sessions in Site to Site.
In this mapping, sessions from any access subnet on any remote site will be Source Network Address Translated a local subnet (by default 192.168.254.1/32) on the Konnect Hub.
Since this is a ‘catch-all’ mapping, we cannot define Traffic Policies & Application Policies for individual remote subnets that are handled by this kind of mapping. Instead, we can define Traffic & Application Policies for all traffic to which this mapping applies.
The ‘Named' SNAT Mapping
This sub-type of mapping is only available at an enterprise hub.
This type of mapping supports the following use cases:
Site to Internet
Site to Intranet
Only outgoings sessions in Site to Site.
To configure this kind of mapping, the following must be known to, and configured at, the hub:
The name of the remote site
The subnet (at the remote site) of the access network being mapped
Traffic Policies and Application Policies can be configured at the Konnect Hub for to traffic to & from subnets for which this type of mapping is applied.
The ‘NETMAP’ SNAT Mapping
In this mapping the address seen at the hub is mapped one-to-one to another address at the hub. This mapping is also available only in an enterprise hub.
This type of mapping supports the following use cases:
Site to Internet
Site to Intranet
Only outgoings sessions in Site to Site.
To configure this kind of mapping, the following must be known to, and configured at, the hub:
The name of the remote site
The subnet (at the remote site) of the access network being mapped
If this mapping is used for a subnet at a remote site any conflict of that subnet with any other subnet at any other remote site or at the hub must be resolved at the Konnect Hub by mapping it to a non-conflicting subnet.
Traffic Policies and Application Policies can be configured at the Konnect Hub for to traffic to & from subnets for which this type of mapping is applied. Additionally, such policies can also be usefully applied to client devices with specific IP Addresses.