
SD-WAN Security

RS19
Level 4

I have the below query on security on SD-WAN:

To achieve local breakout for O365 traffic, it is required to have a default route in the vEdge devices so that any traffic destined to O365 goes via the local internet.

Since the default route is open from the branch-side gateway device, how secure is it?

How do we prevent users from reaching the internet, since the default route is open?

1 Reply

elesani
Cisco Employee

What you want to achieve, DIA (Direct Internet Access), is achievable through:

a) having a public-access transport interface at your branch Edge router (SD-WAN Edge)

b) a Data Policy to direct traffic to the internet exit.

In other words, the SD-WAN cEdge/vEdge router will transmit everything through TLOCs unless a data policy says otherwise and sends it through DIA.

In your use case, you should configure a Data Policy to direct only O365 application traffic to DIA. As a result, the same user that is generating O365 traffic doesn't have any further direct access to the internet except through the TLOCs. On the other hand, your overlay network at the branch side won't be open/reachable from the public internet space either.


Have a look at the URL below for how this works:

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_16.3/07Policy_Applications/04Using_a_vEdge_Router_as_a_NAT_Device/Configuring_Local_Internet_Exit
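As an added illustration (not part of the original reply or Cisco's documentation), here are the two pieces elesani describes: NAT on the branch vEdge's transport interface, and a centralized data policy that sends only the O365 app-list to DIA with `nat use-vpn 0`. The interface, addresses, site IDs, VPN number, list names and the application name inside the app-list are assumptions; the app name must be one that vManage's application list actually offers.

```text
! --- Branch vEdge (device configuration): NAT on the public transport interface.
! NAT here translates only sessions initiated from the service VPN; unsolicited
! inbound connections from the internet are dropped, so the branch overlay is
! not reachable from outside. Addresses below are constructed examples.
vpn 0
 interface ge0/0
  ip address 203.0.113.10/30
  nat
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.9
!
! --- vSmart centralized data policy (built in vManage, pushed to vSmart).
! Only flows matching the O365 app-list are NATed out via VPN 0. The default
! action keeps every other flow on its normal overlay path (TLOCs), so users
! gain no general internet path from this policy.
policy
 lists
  app-list O365_APPS
   app office365
  !
  site-list BRANCH_SITES
   site-id 100-199
  !
  vpn-list SERVICE_VPN
   vpn 1
  !
 !
 data-policy DIA_O365_ONLY
  vpn-list SERVICE_VPN
   sequence 10
    match
     app-list O365_APPS
    !
    action accept
     nat use-vpn 0
     count O365_DIA
    !
   !
   default-action accept
  !
 !
apply-policy
 site-list BRANCH_SITES
  data-policy DIA_O365_ONLY from-service
 !
!
```

Note that no `ip route 0.0.0.0/0 vpn 0` NAT route is configured inside VPN 1, so non-O365 traffic has no local internet exit at all; it can only reach the internet if a default route is advertised to the branch over the overlay (for example from the data center), where the hub's firewall applies. The `count O365_DIA` counter lets you confirm in vManage that only the intended flows are taking the DIA path.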