SDWAN - DIA anypath -Scenario?


L1 Bithead

I'm still trying to get a grasp of the concept of SDWAN - DIA anypath.  The components and configuration are pretty straightforward but the "why/when" is not making sense.  The main scenario that's proposed is "when you want to fail over to using the internet at another site (over the vpn) when local DIA is not available."  Again, I must be missing something obvious here but when your local internet is down, the vpn is most likely down as well. You can't fail over to the vpn.  I can understand some of the other scenarios mentioned such as having some bandwidth heavy applications go out local internet while having some applications go out the hub internet for extra inspection/visibility.


L0 Member

That was one of the docs I was referring to in my question. Again, it mentions that if your local DIA is down, then you can fail over to a vpn link. Again though, if your local ISP is down, then your vpn (that uses your local ISP) is down as well.

If local DIA isn't available, you need to have another transport that has access to another site. A big benefit of SD-WAN is using multiple links to carry traffic. Sites with single links won't really see a benefit from SD-WAN since there's no failover or traffic manipulation over multiple links.

The doc that @Declan69 included states that "DIA links must be able to fail over to another link that has a direct path or indirect path (through a hub or branch) to the internet" 

That might be MPLS or P2P for example, but there needs to be multiple links.

Right but in that same doc, it says to fail over not using MPLS but rather vpn. That is my whole question that the doc seems counterintuitive. If you have a vpn up, then you have a DIA. They aren’t mutually exclusive. So why would you ever fail over to a vpn for Internet if the very fact that you have vpn means you have local internet. Now if it said fail over to mpls or direct link like you mentioned, then this would totally make sense.

Are you referring to this: "DIA AnyPath supports a DIA link failing over to a private VPN tunnel going to a hub firewall to then reach the internet."

Even over private links, the overlay of SD-WAN is a VPN. VPNs in SD-WAN don't necessarily go over the internet/DIA link, they will be over any transport available. 

Yes I’m talking about that whole paragraph…DIA links can fail over to an MPLS link, but you may not have an MPLS link. DIA links must be able to fail over to another link that has a direct path or indirect path (through a hub or branch) to the internet; the DIA traffic can take any path available to get to the internet and isn’t restricted to DIA. DIA AnyPath supports a DIA link failing over to a private VPN tunnel going to a hub firewall to then reach the internet.

This makes it sound as if your DIA links are down, and you don’t have other links such as MPLS, then you can use private vpns to reach the internet as if they are these separate entities.

Now if they are simply saying that with sdwan, that Internet traffic doesn’t HAVE to route out the local DIA and can route over the sdwan created vpn tunnels over any medium (mpls, DF, P2P, etc), then that’s just bad writing. That is also misleading and a little overselling as a “unique specific feature” because that is the basic premise of SDWAN of routing traffic over different types of links based on different variables. That would be like saying there is another feature called “Dropbox Anypath” that can route Dropbox traffic over various links. Again, that’s just the whole premise of SDWAN and not really a unique sdwan feature.

Just wanted to make sure that I wasn’t missing something but if it’s just bad wording, then it is what it is.