Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
0
Helpful
1
Replies

SD-WAN Security

RS19
Level 4
Level 4

‎02-19-2019 07:04 PM - edited ‎03-08-2019 05:35 PM

I have the below query on security on SD-WAN

To achieve local breakout for O365 traffic it is required to have default route in vEdge devices so that any traffic destined to O365 will go via local internet.

Since default route is open from branch side gateway device how secure it is ?

How to prevent users from reaching out internet since default route is open ?

Labels:
0 Helpful
1 Reply 1

elesani
Cisco Employee
Cisco Employee

‎02-19-2019 10:11 PM - edited ‎02-19-2019 10:14 PM

What you want to achieve - DIA (Direct Internet Access) is achievable through 

a) having a public access transport interface at your branch Edge router (SD-WAN Edge)

b) a Data Policy to direct traffic to the internet exit.

 

In other words, SD-WAN cEdge/vEdge router will transmit everything through TLOCs except if a data policy says the other way around and get it through DIA.

 

In your use-case, you should configure Data Policy to only direct O365 application traffic to DIA and as a result, same use that is generating O365 traffic doesn't have further direct access to the internet but through TLOCs. At the other hand, your overlay network at the branch side won't be open/reachable through public internet space neither. 

 

Have a look in below URL on how this works:

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_16.3/07Policy_Applications/04Using_a_vEdge_Router_as_a_NAT_Device/Configuring_Local_Internet_Exit

0 Helpful
Customers Also Viewed These Support Documents