Routing Segmentation
Configuration > Networking > Routing > Routing Segmentation (VRF)
Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments. Routing segmentation allows for the configuration of VRF (Virtual Routing and Forwarding)–style Layer 3 segmentation in your SD-WAN deployments. Note the following before configuring routing segmentation in Orchestrator:
- You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.
- All EdgeConnects must be configured to Inline Router mode.
- If a new appliance has been added to your network, or if an existing appliance has been replaced, you need to upgrade the appliance software to the appropriate version running in the network.
- After upgrading, segmentation is disabled by default. You will have to enable it on this tab.
- Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to 9.0.
- The system-generated Default segment cannot be deleted.
- After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.
Add a New Segment
Before adding a segment, you must enable segmentation by moving the toggle at the top of the page. If Routing Segmentation is not enabled, you cannot make any modifications to the Default segment or add any new segments.
To add a new segment, click +Add Segment and enter a Segment Name. You can make further specifications by clicking the edit icon or by selecting the +Add icon in any of the columns in the table.
Segment Configuration
You can uniquely configure your segments by specifying the following on this page:
- Overlays & Breakout Policies
- Firewall Zone Policies
- Inter-Segment Routing & DNAT
- Inter-Segment SNAT
- Loopback
NOTE: Inter-Segment Routing & DNAT and Inter-Segment SNAT are applicable only if you are using different segments.
The following sections provide more details.
Overlays & Breakout Policies for Segments
Use this dialog box to configure overlays and breakout policies for your segments. This configuration determines the overlays used by each segment when traffic is originating from that segment and sent over the SD-WAN fabric to other sites. This configuration is also used when traffic breaks out locally to the Internet and Cloud Services using the Preferred Policy Order on the Business Intent Overlay (BIO) tab. For traffic to match what is on the specified BIO tab, ensure the following two conditions are true:
- The BIO must include the defined segment policy.
- The BIO match criteria must match the new flow.
The overlays are arranged by priority defined in the Match field in the Overlay Configuration dialog box on the BIO page. You can specify if you want to include or skip the segment for each overlay by clicking Include or Skip icon in the table cell. By default, all overlays are included for all configured segments.
Include and Skip
If you want to skip an overlay, click the enabled Include icon; Skip appears grayed out and the segment is not applied to that overlay. Click Skip again to include the segment; the icon turns back to green. If an overlay is set to Skip, traffic does not match that overlay and moves on to the next prioritized BIO. If no BIOs match, the traffic is dropped.
TIP: If overlay is set to Skip, Flow Details on the Flows tab displays the list of skipped overlays.
Firewall Zone Policies
Use this dialog box to enable and associate firewall zones to your segments. With segmentation enabled, firewall zone security policies are orchestrated and there is no need for Firewall Security Templates. After migration, deactivate the Security Policies Template in all Template Groups. If left active, the template will override any default-default segment security policies configured on this dialog box.
Before you begin Firewall Zone configuration, note the following:
- Review your existing security policies.
- Create a new security templates group with the new firewall zoning policies that only includes zones associated with LAN and WAN interfaces.
- Delete all rules in your previous Security Policy Template on the Apply Template Groups tab.
- Ensure you have selected the Replace option in the previous Security Policy Template.
- Save the previously used Security Policy Template. This deletes the security policy rules on your appliances.
Complete the following steps to set a rule or policy to your firewall zones within your segment.
- Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone dialog box opens.
  NOTE: If you are already in Table View, click Add Rule.
- Enter the Source Segment in the Source Segment field. This is the segment the traffic originates from.
- Enter the Destination Segment in the Destination Segment field. This is the segment the traffic is destined for.
- Select Add Rule.
- Complete the content in the table.

Field | Description |
---|---|
Priority | Enter the priority value. |
Match Criteria | Click the edit icon in this column to modify and create the match criteria for each zone. |
Action | Select Allow or Deny to determine whether this zone will apply the selected segment. |
Enabled | Select the check box to enable the rule, or clear it to disable the rule. |
Logging | Determines the filter for the zone-based firewall drop logging levels. You can select one of the following levels to apply: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. |
Tag | Use tags to categorize or identify the purpose of a rule. |
Comment | Any additional details about the firewall zone. |

- Click Save. The Save Segment Firewall Zone Policies dialog box opens.
- Enter a comment (optional) in the Audit Log Comment field, and then click Save. Any text entered in the Audit Log Comment field appears on the Audit Logs tab.
NOTE: Firewall zones are unique to each segment. For example, the default zone in Segment X will not be the same default zone in Segment Y.
Inter-Segment Routing & DNAT
Use this tab to configure inter-segment routing and DNAT rules when traffic is crossing between segments. Click +Add and the Inter-Segment Routing & DNAT window opens. Click +Add Rule again and select any rule in the table to modify the following:
Field | Description |
---|---|
Source Segment | Name of the segment traffic is initiating from. |
Matches Destination IP | IP address for the source segment. This is used to match the packet destination IP address before the packet goes through DNAT. |
Send to Segment | Name of the segment the packets are translated to from the matched destination IP address. |
Translated Destination | IP address of the DNAT IP address when the segment is translated. |
Enabled | Whether or not this is enabled or disabled within your segment. |
Comment | Any additional information. |
Inter-Segment SNAT
Use this dialog box to enable source network address translation (SNAT) for traffic between your segments.
NOTE: The default setting for SNAT is enabled for inter-segment traffic.
Field | Description |
---|---|
Source | Name of the segment that the SNAT is starting from. |
Destination | Name of the segment that SNAT is translated to. |
SNAT | Whether SNAT is enabled or disabled. |
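To make the two tables above concrete, the following added example (not Orchestrator code, and not its documented matching algorithm) models how a flow would be resolved against the Inter-Segment Routing & DNAT rows and the Inter-Segment SNAT rows: a disabled DNAT row is skipped, SNAT is assumed enabled unless a row turns it off, and the most specific matching prefix is assumed to win. Segment names and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class DnatRule:
    source_segment: str            # segment the traffic originates from
    matches_destination_ip: str    # prefix checked against the pre-DNAT destination IP
    send_to_segment: str           # segment the packet is handed to
    translated_destination: str    # destination IP after DNAT
    enabled: bool = True

@dataclass
class SnatRule:
    source: str
    destination: str
    snat: bool

# Constructed sample tables; segment names and addresses are illustrative only.
DNAT_RULES = [
    DnatRule("Guest", "10.1.0.0/24", "Default", "192.168.10.5"),
    DnatRule("Guest", "10.1.0.50/32", "Default", "192.168.10.99", enabled=False),
    DnatRule("IoT", "10.2.0.0/16", "Default", "192.168.20.5"),
]
SNAT_RULES = [SnatRule("Guest", "Default", False)]  # IoT -> Default is left at the default (enabled)

def match_dnat(source_segment, dst_ip, rules=DNAT_RULES):
    """Return the most specific enabled rule for this source segment and destination IP.
    Longest-prefix preference is an assumption of this model, not documented behaviour."""
    addr, best, best_len = ip_address(dst_ip), None, -1
    for rule in rules:
        if not rule.enabled or rule.source_segment != source_segment:
            continue  # disabled rows and other segments' rows never match
        net = ip_network(rule.matches_destination_ip, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = rule, net.prefixlen
    return best

def snat_enabled(source, destination, rules=SNAT_RULES):
    """Inter-segment SNAT defaults to enabled; an explicit row can turn it off."""
    for rule in rules:
        if rule.source == source and rule.destination == destination:
            return rule.snat
    return True

def route_flow(source_segment, dst_ip):
    rule = match_dnat(source_segment, dst_ip)
    if rule is None:  # no inter-segment rule: the flow stays in its own segment
        return {"segment": source_segment, "dst": dst_ip, "crossed": False, "snat": False}
    return {"segment": rule.send_to_segment, "dst": rule.translated_destination,
            "crossed": True, "snat": snat_enabled(source_segment, rule.send_to_segment)}
```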
Loopback
Click +Add and you are redirected to the Loopback Orchestration tab. Select the segment you want to apply a loopback interface from the table, and then click +Add Loopback Interface.
Appliances
This column shows the number of appliances on which the selected segment is enabled.
Comment
Click the cell in the Comment column to add a comment including any additional information for that particular segment.
Delete a Segment
WARNING: Segmentation involves drastic changes to your physical network. Deleting segments can be service affecting. Carefully read this section before deleting any of your segments.
Deleting a segment removes all the segmentation configuration from all the appliances within your network. When you delete a segment, Orchestrator automatically deletes the following:
- The segment's association with the overlay and break-out policies
- The intra-segment and inter-segment firewall zone policies
- The inter-segment routing & DNAT rules
- The inter-segment SNAT rule
- The loopback interfaces associated with the segment
- The VTI interfaces associated with the segment
- All the interface and VLAN interfaces
Manual Tasks to Complete Before Deleting a Segment
The following configuration is disassociated from the segment and you need to manually delete the following:
- Any manually created tunnels
- BGP peers in the segment
- Internal subnet table rules
- Overlay ACL rules associated with the deleted segment
To delete a segment, click the X in the last column in the table. A Delete Routing Segment warning appears. Click Delete or Cancel.
Disable a Segment
To disable routing segmentation across your network, you must first delete all configured segments in the network, except the Default segment (which cannot be deleted). After all the other segments are deleted, navigate to this tab and move the toggle at the top of the page to disable segmentation.