Akshay Adhikari
Question
What needs to be configured for application-based DIA (direct internet access)? PBF rules or SD-WAN rules?
Solution
The configuration for application-based DIA depends on the default route. If SD-WAN VPN is the default route, then configure SD-WAN rules. If the route is not through SD-WAN VPN, then configure a PBF rule.
Use Cases
The following are the use cases for Internet access.
- Case 1: Central breakout only. All Internet traffic should egress via an Internet hub. The default route is via the hub. This is not a DIA use case for a branch, as all Internet traffic goes to the hub. However, on the hub this is a DIA use case. The user may want specific applications to egress via a specific WAN link.
- Case 2: Local breakout only. All Internet traffic breaks out locally. For specific applications, say, App1 and App2, use WAN link 1 and WAN link 2 respectively. All other applications are load balanced between WAN link 1 and WAN link 2. For this use case, there are two ECMP default routes imported from the two transport VRs. Configure two PBF rules:
  - Rule 1: Match App1 and set the nexthop to the paired TVI to the WAN1 transport VR.
  - Rule 2: Match App2 and set the nexthop to the paired TVI to the WAN2 transport VR.
  NOTE: This use case applies to local breakout on a branch as well as to Internet egress on a hub. Branches send all Internet traffic to the hub, and the hub uses PBF policies for app-based DIA.
- Case 3: Central breakout with local breakout exceptions. In this use case, Internet traffic is expected to egress via a hub, but a few specific applications (for example, App1) use local breakout. For this use case, configure the default route through the hub. Create an SD-WAN policy rule to match App1 and set the nexthop to the paired TVI to the desired transport VR.
- Case 4: Local breakout with central breakout exceptions. Internet traffic uses local breakout, while a few specific applications, say App1, egress via the hub. This use case is not supported directly: it is not possible to automatically import the default route through the WAN transport VRs and then configure a PBF rule that matches App1 and sets its nexthop to the hub. Instead, do the following:
  - Import the default route from the hub, so that the setup looks like Case 3 above.
  - Create rules to match all site-to-site traffic (all 192.168 and 172.168 addresses) and set a forwarding profile for them.
  - Create rules to match the specific applications that need central breakout, and set a forwarding profile configured to prefer the underlay path to reach the hub/gateway.
  - Configure a wildcard rule to catch all remaining Internet traffic and set the nexthop to the paired TVI to the transport VR. This must be the last rule, so that it matches all Internet traffic for local breakout.
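The Case 4 rule set relies on first-match ordering: the wildcard local-breakout rule must sit last or it swallows the App1 exception. The following is an added illustration, not Versa's own configuration or API; the rule names, actions, application labels and destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One policy rule: empty apps/prefixes mean 'match any'."""
    name: str
    action: str                       # forwarding profile or next-hop the rule sets
    apps: frozenset = frozenset()     # application labels (constructed)
    dst_prefixes: tuple = ()          # destination prefixes (constructed)

    def matches(self, app, dst):
        if self.apps and app not in self.apps:
            return False
        if self.dst_prefixes:
            ip = ipaddress.ip_address(dst)
            return any(ip in ipaddress.ip_network(p) for p in self.dst_prefixes)
        return True

# Case 4 rules in the order the article prescribes (site-to-site, then the
# central-breakout exception, then the catch-all for local breakout).
CASE4_RULES = [
    Rule("site-to-site", "fwd-profile:site-to-site",
         dst_prefixes=("192.168.0.0/16", "172.168.0.0/16")),
    Rule("app1-central-breakout", "fwd-profile:prefer-underlay-to-hub",
         apps=frozenset({"App1"})),
    Rule("internet-local-breakout", "nexthop:paired-TVI-to-transport-VR"),
]

def select_path(rules, app, dst):
    """First-match evaluation; returns (rule name, action) or None."""
    for rule in rules:
        if rule.matches(app, dst):
            return rule.name, rule.action
    return None

def evaluate_flows(rules, flows):
    """Evaluate a list of (app, destination) flows against an ordered rule set."""
    return {(app, dst): select_path(rules, app, dst) for app, dst in flows}

if __name__ == "__main__":
    # Constructed sample flows: App1 to the Internet, App2 to the Internet,
    # and App1 to a site-to-site prefix.
    flows = [("App1", "203.0.113.10"), ("App2", "198.51.100.7"), ("App1", "192.168.10.5")]
    for flow, result in evaluate_flows(CASE4_RULES, flows).items():
        print(flow, "->", result)
    # Misordered set with the wildcard first: App1 loses its hub path.
    misordered = [CASE4_RULES[2], CASE4_RULES[0], CASE4_RULES[1]]
    print("misordered App1 ->", select_path(misordered, "App1", "203.0.113.10"))
```

Running the block shows App1 Internet traffic taking the hub path only while the wildcard rule stays last; with the wildcard moved to the top, the same flow is matched for local breakout.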
App-based DIA always involves NAT, but NAT and PBF do not work together within a single session. Therefore, app-based DIA requires two sessions for each application session:
- A session in the LAN VR/customer organization, where PBF makes the path selection.
- A session in the transport VR/provider organization, where NAT is applied (refer to the FAQ "In policy-based routing (PBF or SD-WAN policy next-hop rules) and NAT, does NAT happen before PBF?").