Segmentation over single overlay
In this example, we assume PE VRF=1 and two Customer segments (CE VRFs) 11 and 12.
The snippets below use the "Dynamic BGP on Loopback" design.
This topic includes reference configurations for the following components:
Spoke
- Enable subnet overlap:

    config system settings
        set allow-subnet-overlap enable
    end

- Assign all the WAN-facing interfaces to the PE VRF, including underlays, overlays, and the Loopback used for BGP termination:

    config system interface
        edit "Lo"
            set vrf 1
        next
        edit "port1"
            set vrf 1
        next
        edit "port4"
            set vrf 1
        next
        edit "H1_ISP1"
            set vrf 1
        next
        edit "H1_MPLS"
            set vrf 1
        next
        edit "H2_ISP1"
            set vrf 1
        next
        edit "H2_MPLS"
            set vrf 1
        next
    end

- Assign all the LAN-facing interfaces to the respective CE VRFs:

    config system interface
        edit "port5"
            set vrf 11
        next
        edit "port6"
            set vrf 12
        next
    end

- Enable vpn-id-ipip encapsulation on the overlays:

    config vpn ipsec phase1-interface
        edit "H1_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "H1_MPLS"
            set encapsulation vpn-id-ipip
        next
        edit "H2_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "H2_MPLS"
            set encapsulation vpn-id-ipip
        next
    end

- Configure VRF parameters for BGP:

    config router bgp
        config vrf
            edit "1"
                set role pe
            next
            edit "11"
                set role "ce"
                set rd "65000:11"
                set import-rt "65000:11"
                set export-rt "65000:11"
            next
            edit "12"
                set role "ce"
                set rd "65000:12"
                set import-rt "65000:12"
                set export-rt "65000:12"
            next
        end
    end

  This configuration must be identical on all Spokes and Hubs in the SD-WAN network.

- Configure VPNv4 settings for BGP neighbors and advertise all the CE VRF networks:

    config router bgp
        config neighbor
            edit 10.200.1.253
                set soft-reconfiguration enable
                set soft-reconfiguration-vpnv4 enable
                set capability-graceful-restart enable
                set capability-graceful-restart-vpnv4 enable
            next
            edit 10.200.1.254
                set soft-reconfiguration enable
                set soft-reconfiguration-vpnv4 enable
                set capability-graceful-restart enable
                set capability-graceful-restart-vpnv4 enable
            next
        end
        config network
            edit 1
                set prefix 10.0.1.0/24
            next
            edit 2
                set prefix 10.0.101.0/24
            next
        end
    end

- If Dynamic BGP is enabled, configure VPNv4 settings also on the dynamic peering:

    config router bgp
        config neighbor-group
            edit "DYN_EDGE"
                set soft-reconfiguration-vpnv4 enable
                set capability-graceful-restart-vpnv4 enable
                # Ready for multi-regional deployment
                set route-map-out-vpnv4 "LAN_OUT"
            next
        end
    end

The remaining configuration is identical to the standard "Dynamic BGP on Loopback" configuration from an earlier section.
Hub
- Enable subnet overlap:

    config system settings
        set allow-subnet-overlap enable
    end

- Assign all the WAN-facing interfaces to the PE VRF, including underlays, overlays, and the Loopback used for BGP termination:

    config system interface
        edit "Lo"
            set vrf 1
        next
        edit "port1"
            set vrf 1
        next
        edit "port4"
            set vrf 1
        next
        edit "EDGE_ISP1"
            set vrf 1
        next
        edit "EDGE_MPLS"
            set vrf 1
        next
    end

- Assign all the LAN-facing interfaces to the respective CE VRFs:

    config system interface
        edit "port5"
            set vrf 11
        next
        edit "port6"
            set vrf 12
        next
    end

- Enable vpn-id-ipip encapsulation on the overlays:

    config vpn ipsec phase1-interface
        edit "EDGE_ISP1"
            set encapsulation vpn-id-ipip
        next
        edit "EDGE_MPLS"
            set encapsulation vpn-id-ipip
        next
    end

- Configure VRF parameters for BGP:

    config router bgp
        config vrf
            edit "1"
                set role pe
            next
            edit "11"
                set role "ce"
                set rd "65000:11"
                set import-rt "65000:11"
                set export-rt "65000:11"
            next
            edit "12"
                set role "ce"
                set rd "65000:12"
                set import-rt "65000:12"
                set export-rt "65000:12"
            next
        end
    end

  This configuration must be identical on all Spokes and Hubs in the SD-WAN network.

- Configure VPNv4 settings for BGP neighbors and advertise all the CE VRF networks:

    config router bgp
        config neighbor-group
            edit "EDGE"
                set soft-reconfiguration-vpnv4 enable
                set route-reflector-client-vpnv4 enable
                set capability-graceful-restart-vpnv4 enable
            next
        end
        config network
            edit 2
                set prefix 10.1.0.0/24
            next
            edit 3
                set prefix 10.1.100.0/24
            next
        end
    end

The remaining configuration is identical to the standard "Dynamic BGP on Loopback" configuration from an earlier section.
Providing Internet access
The following configuration must be added on the Spoke, in order to provide Direct Internet Access to the CE VRF=11:
- On hardware appliances only, enable multi-VDOM mode in order to unhide the npu_link interface:

    config system global
        set vdom-mode multi-vdom
    end

- Configure an inter-VRF link between the CE VRF=11 and the PE VRF=1. On hardware appliances, use the npu_link for this purpose. On virtual appliances, use the software-based vdom-link (shown in the snippets below):

    config system vdom-link
        edit "vrf11_leak"
        next
    end
    config system interface
        edit "vrf11_leak0"
            set type vdom-link
            set vrf 1
            set vdom 'root'
            set ip 10.200.255.23/31
            set allowaccess ping
        next
        edit "vrf11_leak1"
            set type vdom-link
            set vrf 11
            set vdom 'root'
            set ip 10.200.255.22/31
            set allowaccess ping
        next
    end

- Add a static default route to the CE VRF=11, pointing to the newly created inter-VRF link:

    config router static
        edit 10011
            set gateway 10.200.255.23
            set device vrf11_leak1
        next
    end

- In Firewall Policy configuration, allow each traffic hop independently. Below we enable SNAT both on the inter-VRF link and on the Internet-facing interface. We also use System Zones to simplify Firewall Policy configuration.

    config system zone
        edit "lan_zone"
            append interface port5
        next
        edit "pevrf_leak_zone"
            append interface "vrf11_leak0"
        next
        edit "vrfs_leak_zone"
            append interface "vrf11_leak1"
        next
    end
    config firewall policy
        edit 2
            set name "Internet (to PE)"
            set srcintf 'lan_zone'
            set dstintf 'vrfs_leak_zone'
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile certificate-inspection
            set application-list "default"
            set logtraffic all
            set nat enable
        next
        edit 3
            set name "Internet (DIA)"
            set srcintf 'pevrf_leak_zone'
            set dstintf "underlay"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile certificate-inspection
            set application-list "default"
            set logtraffic all
            set nat enable
        next
    end
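Two of the requirements above are easy to get wrong when the same snippets are pasted onto many devices: the BGP VRF table (role, RD, import-rt, export-rt) must be identical on every Spoke and Hub, and the CE-side default route must point at the PE end of the inter-VRF link. The checker below is an added example, not Fortinet tooling: it parses the page's own config/edit/set/next/end text (VRF 12 is omitted from the embedded sample, it has the same shape as VRF 11) and reports the inconsistencies a reviewer would look for. The parser and the two check functions are hypothetical helpers.

```python
"""Consistency checks for this page's multi-VRF snippets: an added example, not
Fortinet tooling. The CLI text below is copied from the page (VRF 12 omitted);
parse_fortios, check_vrf_tables and check_dia_leak are hypothetical helpers."""
import shlex
from ipaddress import ip_interface


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    cur = root = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kw, *args = shlex.split(line)         # shlex removes the CLI quoting
        if kw in ("config", "edit"):          # open a nested table or entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):           # close it again
            cur = stack.pop()
    return root


SPOKE_VRF = """
config router bgp
    config vrf
        edit "1"
            set role pe
        next
        edit "11"
            set role "ce"
            set rd "65000:11"
            set import-rt "65000:11"
            set export-rt "65000:11"
        next
    end
end
"""
HUB_VRF = SPOKE_VRF                     # must be identical on every device
SPOKE_DIA = """
config system interface
    edit "vrf11_leak0"
        set type vdom-link
        set vrf 1
        set ip 10.200.255.23/31
    next
    edit "vrf11_leak1"
        set type vdom-link
        set vrf 11
        set ip 10.200.255.22/31
    next
end
config router static
    edit 10011
        set gateway 10.200.255.23
        set device vrf11_leak1
    next
end
"""


def check_vrf_tables(*cli_texts):
    """Problems found: VRF tables that differ between devices, and CE VRFs
    missing the rd/import-rt/export-rt that VPNv4 route exchange needs."""
    tables = [parse_fortios(t)["router bgp"]["vrf"] for t in cli_texts]
    problems = [f"device {i} VRF table differs from device 0"
                for i, t in enumerate(tables) if t != tables[0]]
    for name, vrf in tables[0].items():
        if vrf.get("role") == "ce":
            problems += [f"CE VRF {name} lacks {k}"
                         for k in ("rd", "import-rt", "export-rt") if k not in vrf]
    return problems


def check_dia_leak(cli_text, ce_vrf="11", pe_vrf="1"):
    """Problems found: the vdom-link ends must be one /31 pair spanning the CE
    and PE VRFs, and the CE-side default route must point at the PE end."""
    cfg = parse_fortios(cli_text)
    ends = {i["vrf"]: (name, ip_interface(i["ip"]))
            for name, i in cfg["system interface"].items()
            if i.get("type") == "vdom-link"}
    if set(ends) != {ce_vrf, pe_vrf}:
        return [f"link ends are in VRFs {sorted(ends)}, not {ce_vrf} and {pe_vrf}"]
    (ce_name, ce_ip), (pe_name, pe_ip) = ends[ce_vrf], ends[pe_vrf]
    problems = []
    if ce_ip.network.prefixlen != 31 or ce_ip.network != pe_ip.network:
        problems.append(f"{ce_name} and {pe_name} are not the two ends of one /31")
    for r in cfg["router static"].values():
        if r.get("device") == ce_name and r.get("gateway") != str(pe_ip.ip):
            problems.append(f"gateway {r.get('gateway')} is not the PE end {pe_ip.ip}")
    return problems


if __name__ == "__main__":
    print(check_vrf_tables(SPOKE_VRF, HUB_VRF) or "VRF tables consistent")
    print(check_dia_leak(SPOKE_DIA) or "inter-VRF link and default route consistent")
```

Feed the real `show router bgp`, `show system interface` and `show router static` output of each device into the same functions to catch a Hub whose route targets drifted from the Spokes, or a default route that points at the CE side of the link and therefore never leaves VRF 11.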