Link Search Menu Expand Document

Routing Segmentation

Configuration > Networking > Routing > Routing Segmentation (VRF)

Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments. Routing segmentation allows for the configuration of VRF (Virtual Routing and Forwarding)–style Layer 3 segmentation in your SD-WAN deployments. Note the following before configuring routing segmentation in Orchestrator:

  • You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.

  • All EdgeConnects must be configured to Inline Router mode.

  • If a new appliance has been added to your network, or if an existing appliance has been replaced, you need to upgrade the appliance software to the appropriate version running in the network.

  • After upgrading, segmentation is disabled by default. You will have to enable it on this tab.

  • Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to 9.0.

  • The system-generated Default segment cannot be deleted.

  • After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.

Add a New Segment

Before adding a segment, you must enable segmentation by moving the toggle at the top of the page. If Routing Segmentation is not enabled, you cannot make any modifications to the Default segment or add any new segments.

To add a new segment, click +Add Segment and enter a Segment Name. You can make further specifications by clicking the edit icon or by selecting the +Add icon in any of the columns in the table.

Segment Configuration

You can uniquely configure your segments by specifying the following on this page:

  • Overlays & Breakout Policies

  • Firewall Zone Policies

  • Inter-Segment Routing & DNAT

  • Inter-Segment SNAT

  • Loopback

NOTE: Inter-Segment Routing & DNAT and Inter-Segment SNAT are applicable only if you are using different segments.

The following sections provide more details.

Overlays & Breakout Policies for Segments

Use this dialog box to configure overlays and breakout policies for your segments. This configuration determines the overlays used by each segment when traffic is originating from that segment and sent over the SD-WAN fabric to other sites. This configuration is also used when traffic breaks out locally to the Internet and Cloud Services using the Preferred Policy Order on the Business Intent Overlay (BIO) tab. For traffic to match what is on the specified BIO tab, ensure the following two conditions are true:

  • BIO must include the defined segment policy

  • The BIO match criteria must match the new flow

The overlays are arranged by priority defined in the Match field in the Overlay Configuration dialog box on the BIO page. You can specify if you want to include or skip the segment for each overlay by clicking Include or Skip icon in the table cell. By default, all overlays are included for all configured segments.

Include and Skip

If you want to skip an overlay, click the enabled Include icon and Skip appears grayed out. The segment will not be applied to the specified overlay. Click Skip again to include the segment; it will turn back to green. If an overlay is set to Skip, traffic will not match that overlay and moves to the next prioritized BIO. Additionally, if no BIOs match, traffic is dropped.

TIP: If overlay is set to Skip, Flow Details on the Flows tab displays the list of skipped overlays.

Firewall Zone Policies

Use this dialog box to enable and associate firewall zones to your segments. With segmentation enabled, firewall zone security policies are orchestrated and there is no need for Firewall Security Templates. After migration, deactivate the Security Policies Template in all Template Groups. If left active, the template will override any default-default segment security policies configured on this dialog box.

Before you begin Firewall Zone configuration, note the following:

  • Review your existing security policies.

  • Create a new security templates group with the new firewall zoning policies that only includes zones associated with LAN and WAN interfaces.

  • Delete all rules in your previous Security Policy Template on the Apply Template Groups tab.

  • Ensure you have selected the Replace option in the previous Security Policy Template.

  • Save the previously used Security Policy Template. This deletes the security policy rules on your appliances.

Complete the following steps to set a rule or policy to your firewall zones within your segment.

  1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone dialog box opens.

    NOTE: If you are already in Table View, click Add Rule.

  2. Enter the Source Segment in the Source Segment field. This is the segment that the firewall is starting from.

  3. Enter the Destination Segment in the Destination Segment field. This is the segment where the firewall is going to.

  4. Select Add Rule.

  5. Complete the content in the table.

    Field Description
    Priority Enter the priority amount.
    Match Criteria Click the edit icon in this column to modify and create the match criteria for each zone.
    Action Select Allow or Deny to determine whether this zone will apply the selected segment.
    Enabled Select the check box to enable or clear it to disable.
    Logging Determines the filter for the zone-based firewall drop logging levels. You can select one of the following levels to apply: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
    Tag Use tags to categorize or identify the purpose of a rule.
    Comment Any additional details about the firewall zone.
  6. Click Save. The Save Segment Firewall Zone Policies dialog box opens.

  7. Enter a comment (optional) in the Audit Log Comment field, and then click Save. Any text entered in the Audit Log Comment field appears on the Audit Logs tab.

NOTE: Firewall zones are unique to each segment. For example, the default zone in Segment X will not be the same default zone in Segment Y.

Inter-Segment Routing & DNAT

Use this tab to configure inter-segment routing and DNAT rules when traffic is crossing between segments. Click +Add and the Inter-Segment Routing & DNAT window opens. Click +Add Rule again and select any rule in the table to modify the following:

Field Description
Source Segment Name of the segment traffic is initiating from.
Matches Destination IP IP address got the source segment. This is used to match the packet destination IP address before the packet goes through DNAT.
Send to Segment Name of the segment the packets are translated to from the matched destination IP address.
Translated Destination IP address of the DNAT IP address when the segment is translated.
Enabled Whether or not this is enabled or disabled within your segment.
Comment Any additional information.

Inter-Segment SNAT

This dialog box enables you to enable source network address translation to your segments.

NOTE: The default setting for SNAT is enabled for inter-segment traffic.

Field Description
Source Name of the segment that the SNAT is starting from.
Destination Name of the segment that SNAT is translated to.
SNAT Whether SNAT is enabled or disabled.


Click +Add and you are redirected to the Loopback Orchestration tab. Select the segment you want to apply a loopback interface from the table, and then click +Add Loopback Interface.


This column represents the amount of appliances the selected segment is enabled on.


Click the cell in the Comment column to add a comment including any additional information for that particular segment.

Delete a Segment

WARNING: Segmentation involves drastic changes to your physical network. Deleting segments can be service affecting. Carefully read this section before deleting any of your segments.

Deleting a segment removes all the segmentation configuration from all the appliances within your network. When you delete a segment, Orchestrator automatically deletes the following:

  • The segment’s association with the overlay and break-out policies

  • The intra-segment and inter-segment firewall zone policies

  • The inter-segment routing & DNAT rules

  • The inter-segment SNAT rule

  • The loopback interfaces associated with the segment

  • The VTI interfaces associated with the segment

  • All the interface and VLAN interfaces

Manual Tasks to Complete Before Deleting a Segment

The following configuration is disassociated from the segment and you need to manually delete the following:

  • Any manual created tunnels

  • BGP peers in the segment

  • Internal subnet table rules

  • Overlay ACL rules associated to the deleted segment

To delete a segment, click the X in the last column in the table. A Delete Routing Segment warning appears. Click Delete or Cancel.

Disable a Segment

To disable routing segmentation across your network, you need to delete all configured segments in the network, except the default segment (which cannot be deleted). After all the segments are deleted, navigate to this tab and move the toggle at the top of the page to disable.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.

Open Source Code:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America