
Routing Segmentation

Configuration > Networking > Routing > Routing Segmentation (VRF)

Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments. Routing segmentation allows for the configuration of VRF (Virtual Routing and Forwarding)–style Layer 3 segmentation in your SD-WAN deployments. Note the following before configuring routing segmentation in Orchestrator:

  • You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.

  • All EdgeConnects must be configured to Inline Router mode.

  • If a new appliance has been added to your network, or if an existing appliance has been replaced, you need to upgrade the appliance software to the appropriate version running in the network.

  • After upgrading, segmentation is disabled by default. You will have to enable it on this tab.

  • Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to 9.0.

  • The system-generated Default segment cannot be deleted.

  • After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.

Add a New Segment

Before adding a segment, you must enable segmentation by moving the toggle at the top of the page. If Routing Segmentation is not enabled, you cannot make any modifications to the Default segment or add any new segments.

To add a new segment, click +Add Segment and enter a Segment Name. You can make further specifications by clicking the edit icon or by selecting the +Add icon in any of the columns in the table.

Segment Configuration

You can uniquely configure your segments by specifying the following on this page:

  • Overlays & Breakout Policies

  • Firewall Zone Policies

  • Inter-Segment Routing & DNAT

  • Inter-Segment SNAT

  • Loopback

NOTE: Inter-Segment Routing & DNAT and Inter-Segment SNAT are applicable only if you are using different segments.

The following sections provide more details.

Overlays & Breakout Policies for Segments

Use this dialog box to configure overlays and breakout policies for your segments. This configuration determines the overlays used by each segment when traffic is originating from that segment and sent over the SD-WAN fabric to other sites. This configuration is also used when traffic breaks out locally to the Internet and Cloud Services using the Preferred Policy Order on the Business Intent Overlay (BIO) tab. For traffic to match what is on the specified BIO tab, ensure the following two conditions are true:

  • BIO must include the defined segment policy

  • The BIO match criteria must match the new flow

The overlays are arranged by the priority defined in the Match field of the Overlay Configuration dialog box on the BIO page. You can specify whether to include or skip the segment for each overlay by clicking the Include or Skip icon in the table cell. By default, all overlays are included for all configured segments.

Include and Skip

To skip an overlay, click the green Include icon; it changes to a grayed-out Skip icon and the segment is no longer applied to that overlay. Click the Skip icon again to include the segment; the icon turns back to green. If an overlay is set to Skip, traffic from that segment does not match the overlay and moves on to the next prioritized BIO. If no BIOs match, the traffic is dropped.

TIP: If an overlay is set to Skip, Flow Details on the Flows tab displays the list of skipped overlays.
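The Include/Skip walk described above, as an added illustration that is not part of the Orchestrator documentation: overlays are evaluated in BIO priority order, a skipped overlay is recorded and passed over, the first remaining overlay whose match criteria fit the flow wins, and a flow that matches nothing is dropped. The overlay names, subnets and segment names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Overlay:
    """One BIO overlay: a match criterion plus the segments set to Skip for it."""
    name: str
    dst_net: str                                        # simplified match criterion (destination subnet)
    skipped_segments: set = field(default_factory=set)  # segments whose Include/Skip cell is Skip

# Constructed sample BIO list in priority order (illustrative, not product defaults).
OVERLAYS = [
    Overlay("RealTime", "10.20.0.0/16", skipped_segments={"Guest", "IoT"}),
    Overlay("CriticalApps", "10.0.0.0/8", skipped_segments={"Guest"}),
    Overlay("DefaultOverlay", "0.0.0.0/0"),
]

def select_overlay(segment, dst_ip, overlays=OVERLAYS):
    """Return (chosen overlay name or None, overlays that were skipped for this segment).

    None means no BIO matched, which is the case where the flow is dropped; the
    skipped list is what Flow Details would show as the skipped overlays.
    """
    addr = ip_address(dst_ip)
    skipped = []
    for ov in overlays:
        if segment in ov.skipped_segments:
            skipped.append(ov.name)      # Skip: do not match, continue to the next BIO
            continue
        if addr in ip_network(ov.dst_net):
            return ov.name, skipped      # first included overlay whose criteria match
    return None, skipped                 # nothing matched: traffic is dropped

if __name__ == "__main__":
    for seg in ("Corp", "IoT", "Guest"):
        print(seg, select_overlay(seg, "10.20.1.1"))
    # Without a catch-all overlay, Guest traffic matches nothing and is dropped.
    print("Guest (no catch-all)", select_overlay("Guest", "10.20.1.1", OVERLAYS[:2]))
```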

Firewall Zone Policies

Use this dialog box to enable firewall zones and associate them with your segments. With segmentation enabled, firewall zone security policies are orchestrated from here and Firewall Security Templates are no longer needed. After migration, deactivate the Security Policies Template in all Template Groups. If it is left active, the template overrides any Default-to-Default segment security policies configured in this dialog box.

Before you begin Firewall Zone configuration, note the following:

  • Review your existing security policies.

  • Create a new security template group with the new firewall zoning policies that includes only zones associated with LAN and WAN interfaces.

  • Delete all rules in your previous Security Policy Template on the Apply Template Groups tab.

  • Ensure you have selected the Replace option in the previous Security Policy Template.

  • Save the previously used Security Policy Template. This deletes the security policy rules on your appliances.

Complete the following steps to set a rule or policy to your firewall zones within your segment.

  1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone dialog box opens.

    NOTE: If you are already in Table View, click Add Rule.

  2. Enter the Source Segment in the Source Segment field. This is the segment that the traffic originates from.

  3. Enter the Destination Segment in the Destination Segment field. This is the segment that the traffic is destined for.

  4. Select Add Rule.

  5. Complete the content in the table.

    Field: Description
    Priority: Enter the priority value.
    Match Criteria: Click the edit icon in this column to create or modify the match criteria for each zone.
    Action: Select Allow or Deny to determine the action this zone rule applies within the selected segment.
    Enabled: Select the check box to enable the rule, or clear it to disable the rule.
    Logging: Determines the filter for the zone-based firewall drop logging levels. You can select one of the following levels to apply: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
    Tag: Use tags to categorize or identify the purpose of a rule.
    Comment: Any additional details about the firewall zone.
  6. Click Save. The Save Segment Firewall Zone Policies dialog box opens.

  7. Enter a comment (optional) in the Audit Log Comment field, and then click Save. Any text entered in the Audit Log Comment field appears on the Audit Logs tab.

NOTE: Firewall zones are unique to each segment. For example, the default zone in Segment X will not be the same default zone in Segment Y.

Inter-Segment Routing & DNAT Exceptions

Use this tab to configure inter-segment routing and DNAT rules when traffic is crossing between segments.

Starting with Orchestrator release 9.5.1, you can configure rules that allow multiple source segments to connect to one subnet destination. This configuration will form a group of rules. Source segments connected to the same subnet destination must be grouped in one rule. For example, if you select both “Guest” and “IoT” as the Source Segment for a subnet destination, you cannot add another rule that contains either “Guest” or “IoT” for that same destination.

Field: Description
Source Segment: Name of the segment that traffic is initiated from. You can select multiple source segments to create a group of rules.
Matches Destination IP: IP address that matches the destination segment IP address, before DNAT. The IP address is included in the defined policy match criteria.
Send to Segment: Name of the segment the packets are sent to from the matched destination IP address. This is included in the set criteria. Click in the cell to display the multi-selector, and then select or clear segments.
Translated Destination IP: The destination IP address after DNAT, used when the packet is sent to the target segment.

  NOTE: If DNAT is not needed, this field is empty.

Enabled: Indicates whether inter-segment DNAT is enabled or disabled within your segment. You can enable or disable multiple rules.
Comment: Any additional information.

Add a Rule
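As an added example (not code from the Orchestrator product), the following models the grouped-rule constraint introduced in release 9.5.1 and the rule lookup the fields above describe: a second rule for the same destination may not reuse a source segment already grouped for that destination, and a packet is sent to the rule's target segment with its destination rewritten only when a Translated Destination IP is present. The segment names and addresses are constructed; modeling Matches Destination IP as a subnet is an assumption for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class InterSegmentRule:
    source_segments: frozenset          # several sources form one grouped rule
    matches_destination_ip: str         # pre-DNAT destination (assumed subnet form)
    send_to_segment: str
    translated_destination_ip: Optional[str] = None  # None: no DNAT for this rule
    enabled: bool = True

def validate_rules(rules):
    """Return conflict messages; an empty list means the rule set is valid.

    Source segments that share a destination must sit in one grouped rule, so
    a later rule for the same destination may not reuse any of those sources.
    """
    errors, claimed = [], {}
    for r in rules:
        overlap = claimed.get(r.matches_destination_ip, set()) & r.source_segments
        if overlap:
            errors.append(f"{sorted(overlap)} already grouped for {r.matches_destination_ip}")
        claimed.setdefault(r.matches_destination_ip, set()).update(r.source_segments)
    return errors

def route(rules, source_segment, dst_ip):
    """Return (send_to_segment, destination after DNAT) for one packet, or None
    when no enabled rule applies to this source segment and destination."""
    addr = ip_address(dst_ip)
    for r in rules:
        if not r.enabled or source_segment not in r.source_segments:
            continue
        if addr in ip_network(r.matches_destination_ip):
            return r.send_to_segment, (r.translated_destination_ip or dst_ip)
    return None

# Constructed sample: Guest and IoT share one grouped rule with DNAT; Corp has its own, without DNAT.
RULES = [
    InterSegmentRule(frozenset({"Guest", "IoT"}), "10.50.0.0/24", "Shared", "10.50.0.10"),
    InterSegmentRule(frozenset({"Corp"}), "10.50.0.0/24", "Shared"),
]
# Invalid: IoT is already grouped for 10.50.0.0/24, so this rule would be rejected.
CONFLICTING = RULES + [InterSegmentRule(frozenset({"IoT"}), "10.50.0.0/24", "Shared")]

if __name__ == "__main__":
    print(validate_rules(RULES), validate_rules(CONFLICTING))
    print(route(RULES, "Guest", "10.50.0.7"), route(RULES, "Corp", "10.50.0.7"))
```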
  1. Click the +Add link under the Inter-Segment Routing & DNAT column to open the Inter-Segment Routing & DNAT dialog box.

  2. Click +Add Rule to add a new rule.

    NOTE: To edit a rule that is part of a group of rules, you must delete the existing rule from the grouped rule by clearing the segment from the Source Segment list. Click in the Source Segment cell to display the multi-selector, as shown in the following screen capture.

    [Screen capture: Source Segment multi-selector]

  3. Click in any cell to provide the details for the new rule (see field descriptions above).

  4. Click Save to create the new rule or click Cancel to close the dialog box without making any changes.

NOTE: Inter-segment routing & DNAT rules are orchestrated globally to all appliances from this tab. To review rules on individual appliances, click Inter-Segment Routing & DNAT Exceptions and select the appliance in the tree. It is best practice to use only the globally orchestrated rules and avoid using local exceptions per appliance.

Delete a Rule

  1. Click the corresponding delete icon (X). If the rule is a grouped rule, each rule that contains the same source segment is also deleted, so deleting one rule can result in multiple rules being deleted.

  2. Click Save.

Inter-Segment SNAT Exceptions

Use this tab to enable or disable source network address translation (SNAT) for traffic between your segments.

NOTE: The default setting for SNAT is enabled for inter-segment traffic.

Field: Description
Source: Name of the segment that the SNAT traffic originates from.
Destination: Name of the segment that SNAT traffic is translated to.
SNAT: Whether SNAT is enabled or disabled.

Loopback

Click +Add and you are redirected to the Loopback Orchestration tab. In the table, select the segment to which you want to apply a loopback interface, and then click +Add Loopback Interface.

Appliances

This column shows the number of appliances on which the selected segment is enabled.

Comment

Click the cell in the Comment column to add a comment including any additional information for that particular segment.

Delete a Segment

WARNING: Segmentation involves drastic changes to your physical network. Deleting segments can be service affecting. Carefully read this section before deleting any of your segments.

Deleting a segment removes all the segmentation configuration from all the appliances within your network. When you delete a segment, Orchestrator automatically deletes the following:

  • The segment’s association with the overlay and breakout policies

  • The intra-segment and inter-segment firewall zone policies

  • The inter-segment routing & DNAT rules

  • The inter-segment SNAT rule

  • The loopback interfaces associated with the segment

  • The VTI interfaces associated with the segment

  • All the interfaces and VLAN interfaces associated with the segment

Manual Tasks to Complete Before Deleting a Segment

The following configuration is disassociated from the segment but is not removed automatically; you must delete it manually:

  • Any manually created tunnels

  • BGP peers in the segment

  • Internal subnet table rules

  • Overlay ACL rules associated to the deleted segment

To delete a segment, click the X in the last column in the table. A Delete Routing Segment warning appears. Click Delete or Cancel.

Disable a Segment

To disable routing segmentation across your network, you must first delete all configured segments in the network except the Default segment (which cannot be deleted). After all other segments are deleted, navigate to this tab and move the toggle at the top of the page to the disabled position.