Thursday, April 29, 2021

Cisco SD-WAN design questions

I'm a newbie with Cisco's SD-WAN/SDA, struggling with our company's new PoC....

I have a couple of questions that somebody can hopefully answer:

1.) I want my guest VPN to have only internet access and no access to the DC. I read that I create DIA with templates, but how do I block access between the branches? Do I use a local data policy (ACL) to block them between sites, or do I configure a centralized VPN membership policy that blocks them from being advertised in OMP? I would also like to use the same subnet at all branches...

2.) I have a VPN segment for users that is full mesh between branches. I want to add a new VPN that, for security reasons, cannot communicate between branches; all communication has to go through the firewalls in the DC. So as far as I understand the concept, I have to block the sites from learning each other's TLOCs and direct the TLOCs to the DC. But in which direction do I apply the policy?

TY
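Added illustration, not part of the original post: a vSmart centralized policy that implements the two designs asked about above, a guest VPN whose prefixes branches never learn from each other, and a secure VPN whose inter-branch traffic is forced through the DC by rewriting the next-hop TLOC. Site IDs (DC 10, branches 100-199), VPN numbers (20 secure, 30 guest), the DC system IP 10.255.0.1 and its colors are assumptions chosen for the example.

```text
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  site-list DC
   site-id 10
  !
  tloc-list DC-TLOCS
   tloc 10.255.0.1 color mpls encap ipsec
   tloc 10.255.0.1 color biz-internet encap ipsec
  !
  vpn-list GUEST-VPN
   vpn 30
  !
  vpn-list SECURE-VPN
   vpn 20
  !
 !
 control-policy BRANCH-OUT
  sequence 10
   match route
    vpn-list GUEST-VPN
   !
   action reject
   !
  !
  sequence 20
   match route
    vpn-list SECURE-VPN
   !
   action accept
    set
     tloc-list DC-TLOCS
    !
   !
  !
  default-action accept
 !
 vpn-membership GUEST-NO-DC
  sequence 10
   match
    vpn-list GUEST-VPN
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list BRANCHES
  control-policy BRANCH-OUT out
 !
 site-list DC
  vpn-membership GUEST-NO-DC
 !
!
```

The control policy is applied on vSmart in the `out` direction toward the BRANCHES site-list, so it shapes what vSmart advertises to each branch: guest (VPN 30) prefixes from other branches are dropped (sequence 10), secure (VPN 20) prefixes are still advertised but with their TLOC rewritten to the DC's TLOCs (sequence 20), so branch-to-branch traffic in that VPN hairpins through the DC where the firewalls sit. Everything else, including all TLOCs and the user VPN routes, passes unchanged, so the existing full mesh is preserved. The DC site is not in the BRANCHES list, so it receives all routes and all TLOCs; the VPN-membership policy additionally stops the DC from ever joining VPN 30, even if someone configures that VPN on the DC edge. Reusing the same guest subnet at every branch is compatible with this, since each branch keeps its own connected route and never receives a competing OMP route for it.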


