LAB 3 - NAT DIA Tracker
This lab will examine another common use case referred to as Direct Cloud Access (DCA).
In the previous lab, we provided direct Internet access (DIA) to the proxy servers in the guest VPN 6 so that guest clients can be proxied to the Internet. However, there is still one traffic optimization that we can make before moving on to another use case.
In the previous section about centralized control policies, in lab #6, we created a VPN membership policy that isolates the users within VPN 6 (the guest segment) from communicating over the overlay fabric.
In this lesson, we will be looking at the key points in this section that you should learn and understand before continuing further with the course. If you don't feel comfortable with any of the topics, go back and reread the lessons in the chapter.
We have seen earlier in this chapter that we cannot assign a particular TLOC color to more than one interface per vEdge because the color uniquely identifies a single WAN link.
In the previous lab example, we saw how to control the overlay topology using restricted TLOC colors. In this example, we will see how to use tunnel-groups in conjunction with the restrict parameter to break up the overlay fabric into two separate meshes of tunnels.
In real-world deployments, a typical use case is a dual-homed branch with each vEdge router directly connected to a single WAN transport only. We can see such an example shown in figure 1 below, where vEdge-1 is connected only to the Internet whil