Segmentation over single overlay
In this example, we assume PE VRF=1 and two Customer segments (CE VRFs) 11 and 12.
The snippets below use the "BGP on Loopback" design, but the "BGP per Overlay" design can be implemented with minimal changes.
This topic includes reference configurations for the following components:
Spoke
- Enable subnet overlap:
    config system settings
        set allow-subnet-overlap enable
    end
- Assign all the WAN-facing interfaces to the PE VRF, including underlays, overlays, and the Loopback used for BGP termination:
    config system interface
        edit "Lo"
            set vrf 1
        next
        edit "port1"
            set vrf 1
        next
        edit "port4"
            set vrf 1
        next
        edit "H1_ISP1"
            set vrf 1
        next
        edit "H1_MPLS"
            set vrf 1
        next
        edit "H2_ISP1"
            set vrf 1
        next
        edit "H2_MPLS"
            set vrf 1
        next
    end
- Assign all the LAN-facing interfaces to the respective CE VRFs:
    config system interface
        edit "port5"
            set vrf 11
        next
        edit "port6"
            set vrf 12
        next
    end
- Enable vpn-id-ipip encapsulation on the overlays:
    config vpn ipsec phase1-interface
        edit "H1_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "H1_MPLS"
            set encapsulation vpn-id-ipip
        next
        edit "H2_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "H2_MPLS"
            set encapsulation vpn-id-ipip
        next
    end
- Configure VRF parameters for BGP:
    config router bgp
        config vrf
            edit "1"
                set role pe
            next
            edit "11"
                set role "ce"
                set rd "65000:11"
                set import-rt "65000:11"
                set export-rt "65000:11"
            next
            edit "12"
                set role "ce"
                set rd "65000:12"
                set import-rt "65000:12"
                set export-rt "65000:12"
            next
        end
    end
  This configuration must be identical on all Spokes and Hubs in the SD-WAN network.
- Configure VPNv4 settings for BGP neighbors and advertise all the CE VRF networks:
    config router bgp
        config neighbor
            edit 10.200.1.253
                set soft-reconfiguration enable
                set soft-reconfiguration-vpnv4 enable
                set route-map-in "H1_TAG"
                set route-map-in-vpnv4 "H1_TAG"
            next
            edit 10.200.1.254
                set soft-reconfiguration enable
                set soft-reconfiguration-vpnv4 enable
                set route-map-in "H2_TAG"
                set route-map-in-vpnv4 "H2_TAG"
            next
        end
        config network
            edit 1
                set prefix 10.0.1.0/24
            next
            edit 2
                set prefix 10.0.101.0/24
            next
        end
    end
The remaining configuration is identical to the standard "BGP on Loopback" configuration from an earlier section.
Hub
- Enable subnet overlap:
    config system settings
        set allow-subnet-overlap enable
    end
- Assign all the WAN-facing interfaces to the PE VRF, including underlays, overlays, and the Loopback used for BGP termination:
    config system interface
        edit "Lo"
            set vrf 1
        next
        edit "port1"
            set vrf 1
        next
        edit "port4"
            set vrf 1
        next
        edit "EDGE_ISP1"
            set vrf 1
        next
        edit "EDGE_MPLS"
            set vrf 1
        next
    end
- Assign all the LAN-facing interfaces to the respective CE VRFs:
    config system interface
        edit "port5"
            set vrf 11
        next
        edit "port6"
            set vrf 12
        next
    end
- Enable vpn-id-ipip encapsulation on the overlays:
    config vpn ipsec phase1-interface
        edit "EDGE_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "EDGE_MPLS"
            set encapsulation vpn-id-ipip
        next
    end
- Configure VRF parameters for BGP:
    config router bgp
        config vrf
            edit "1"
                set role pe
            next
            edit "11"
                set role "ce"
                set rd "65000:11"
                set import-rt "65000:11"
                set export-rt "65000:11"
            next
            edit "12"
                set role "ce"
                set rd "65000:12"
                set import-rt "65000:12"
                set export-rt "65000:12"
            next
        end
    end
  This configuration must be identical on all Spokes and Hubs in the SD-WAN network.
- Configure VPNv4 settings for BGP neighbors and advertise all the CE VRF networks:
    config router bgp
        config neighbor-group
            edit "EDGE"
                set soft-reconfiguration-vpnv4 enable
                set route-reflector-client-vpnv4 enable
            next
        end
        config network
            edit 2
                set prefix 10.1.0.0/24
            next
            edit 3
                set prefix 10.1.100.0/24
            next
        end
    end
The remaining configuration is identical to the standard "BGP on Loopback" configuration from an earlier section.
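Both the Spoke and the Hub sections state that the CE VRF parameters (role, rd, import-rt, export-rt) must be identical on every device in the SD-WAN network. As an added example that is not part of this document or of FortiOS, the Python script below parses CLI snippets in the format shown above into nested dictionaries and reports any VRF parameter that differs between devices; the device names and the deliberate RD typo in the Hub copy are constructed for the demonstration.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts: 'config' and 'edit'
    open a child dict keyed by their arguments; 'set'/'append' store the value(s)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw in ("set", "append"):
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
    return root

def vrf_table(cfg):
    """The 'config router bgp / config vrf' table: {vrf_id: {role, rd, import-rt, export-rt}}."""
    return cfg.get("router bgp", {}).get("vrf", {})

def vrf_mismatches(devices):
    """devices: {name: parsed config}. Return [(vrf, field, {name: value})] for each
    VRF parameter that is not identical on all devices (a missing VRF shows as None)."""
    vrfs = set().union(*(vrf_table(c) for c in devices.values()))
    problems = []
    for vrf in sorted(vrfs):
        for field in ("role", "rd", "import-rt", "export-rt"):
            seen = {n: vrf_table(c).get(vrf, {}).get(field) for n, c in devices.items()}
            if len(set(seen.values())) > 1:
                problems.append((vrf, field, seen))
    return problems

# Constructed sample input: the page's Spoke VRF block, and a Hub copy with a
# deliberate typo in the VRF 12 route distinguisher for the check to report.
SPOKE = "\n".join([
    'config router bgp', 'config vrf', 'edit "1"', 'set role pe', 'next',
    'edit "11"', 'set role "ce"', 'set rd "65000:11"', 'set import-rt "65000:11"',
    'set export-rt "65000:11"', 'next', 'edit "12"', 'set role "ce"', 'set rd "65000:12"',
    'set import-rt "65000:12"', 'set export-rt "65000:12"', 'next', 'end', 'end'])
HUB = SPOKE.replace('set rd "65000:12"', 'set rd "65000:21"')

if __name__ == "__main__":
    devices = {"spoke": parse_fortios(SPOKE), "hub": parse_fortios(HUB)}
    for vrf, field, seen in vrf_mismatches(devices):
        print(f"VRF {vrf}: {field} differs across devices: {seen}")
```

Feed it the "config router bgp" section of each device's running configuration (for example, the output of "show router bgp") to confirm the RD and route-target values line up before bringing up the VPNv4 sessions.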
Providing Internet access
The following configuration must be added on the Spoke, in order to provide Direct Internet Access to the CE VRF=11:
- On hardware appliances only, enable multi-VDOM mode, in order to unhide the npu_link interface:
    config system global
        set vdom-mode multi-vdom
    end
- Configure an inter-VRF link between the CE VRF=11 and the PE VRF=1. On hardware appliances, use the npu_link for this purpose. On virtual appliances, use the software-based vdom-link (shown in the snippets below):
    config system vdom-link
        edit "vrf11_leak"
        next
    end
    config system interface
        edit "vrf11_leak0"
            set type vdom-link
            set vrf 1
            set vdom 'root'
            set ip 10.200.255.23/31
            set allowaccess ping
        next
        edit "vrf11_leak1"
            set type vdom-link
            set vrf 11
            set vdom 'root'
            set ip 10.200.255.22/31
            set allowaccess ping
        next
    end
- Add a static default route to the CE VRF=11, pointing to the newly created inter-VRF link:
    config router static
        edit 10011
            set gateway 10.200.255.23
            set device vrf11_leak1
        next
    end
- In Firewall Policy configuration, allow each traffic hop independently. Below we enable SNAT both on the inter-VRF link and on the Internet-facing interface. We also use System Zones to simplify Firewall Policy configuration.
    config system zone
        edit "lan_zone"
            append interface port5
        next
        edit "pevrf_leak_zone"
            append interface "vrf11_leak0"
        next
        edit "vrfs_leak_zone"
            append interface "vrf11_leak1"
        next
    end
    config firewall policy
        edit 2
            set name "Internet (to PE)"
            set srcintf 'lan_zone'
            set dstintf 'vrfs_leak_zone'
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile certificate-inspection
            set application-list "default"
            set logtraffic all
            set nat enable
        next
        edit 3
            set name "Internet (DIA)"
            set srcintf 'pevrf_leak_zone'
            set dstintf "underlay"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile certificate-inspection
            set application-list "default"
            set logtraffic all
            set nat enable
        next
    end