The traditional WAN solution backhauls all internet traffic to the data
centers, which results in packet latency, drops, and jitter. Direct Internet Access (DIA)
is one solution, in which internet-bound traffic from the branch is routed
directly to the internet. This reduces the latency caused by tunneling internet-bound traffic
to the data center (or central location).
Implementing DIA provides the following advantages:
- Provides DIA to the users at the remote locations
- Minimizes bandwidth consumption
- Reduces latency and jitter
- Improves cost efficiency by offloading internet traffic from the private network
Although SD-WAN is designed to support both public DIA and private traffic
flows efficiently and to apply security at each egress location, some use cases still
require redirecting all traffic (both DIA and private) to the hub for central
logging and security enforcement. This use case is generally implemented with one or more
private WAN links and no public ISP circuits.
The important things to note with this use case include the following:
- SD-WAN’s DIA AnyPath must be implemented to redirect the branch’s DIA
  traffic through the WAN link.
- You must permit the branch to redirect its DIA traffic to the hub by enabling the
  Allow DIA VPN option in the Panorama SD-WAN plugin’s VPN
  Cluster hub configuration. This setting is enabled or disabled per hub.
- Because all traffic is redirected through the WAN link(s), SaaS quality profiles are not
  needed on the branch office and are only configured on the hub SD-WAN firewall (if needed).
- Security policies are used at either the branch or hub locations to permit or deny
  branch traffic. It is more efficient to block unwanted applications at the branch
  before their traffic is sent over the WAN link.
- QoS can also be used as an SD-WAN overlay to regulate the amount of
  traffic the branch is permitted to redirect to the hub. Additional information on
  configuring QoS with SD-WAN can be found in the Implementing QoS with
  SD-WAN technical paper.