Allow Direct Internet Access Traffic Failover to MPLS Link
Table of Contents
Expand all | Collapse all
-
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
- Configure Layer 3 Subinterfaces for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
-
- Create a Path Quality Profile
-
- Create a SaaS Quality Profile
- Use Case: Configure SaaS Monitoring for a Branch Firewall
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Create an Error Correction Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Configure DIA AnyPath
- Distribute Unmatched Sessions
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
Allow Direct Internet Access Traffic Failover to MPLS Link
Requirements for DIA traffic to fail over to an MPLS
link.
At an SD-WAN branch office, the firewall performs
split tunneling so that any applications having a public IP address
take the Direct Internet Access (DIA) interface to the internet,
and applications having private IP addresses that belong to the
hub take the VPN interface. The firewall automatically fails over
DIA applications to the MPLS private connection to the hub when
necessary, so that the traffic destined for the internet takes an
alternative path through the hub to reach the internet. To allow
this to work, you must do the following:
- Create an MPLS link between your branch and hub. When you create the SD-WAN Interface profile, the link type must be MPLS for both the hub and branch.If you want the private traffic to go through the VPN tunnel, enable VPN Data Tunnel Support in the SD-WAN Interface profile. If you disable VPN Data Tunnel Support, the private data will go outside of the VPN tunnel.Configure an SD-WAN Policy Rule for specific applications, Create a Path Quality Profile, and Create a Traffic Distribution Profile that specifies the Top Down Priority method. The Traffic Distribution profile must also specify an MPLS link as one of the failover options (identified by a tag). Verify that the applications in the SD-WAN policy rule reference the correct Path Quality and Traffic Distribution profiles, and that the Traffic Distribution profile specifies Top Down Priority.After the VPN Data Tunnel Support is enabled on both the hub and branch and the MPLS link is operational, the firewall automatically uses the MPLS connection to fail over DIA traffic when necessary.In the hub configuration, ensure the hub has a path to the internet and routing is properly set up for the hub traffic to reach the internet.The firewall uses the DIA virtual interface and the VPN virtual interface to ensure that the public internet traffic is kept separate from your private traffic in the same path; that is, the internet traffic and private traffic do not go through the same VPN tunnel. Full segmentation with proper zoning is in full effect.