Segmentation over single overlay
Our generic deployment workflow can be used with minimal adjustments when implementing segmentation across the SD-WAN network, as discussed in the respective section of the SD-WAN / SD-Branch Architecture for MSSPs guide.
The following adjustments must be made to the Project Template:

- For each LAN interface in the profile, its VRF ID must be specified using the vrf parameter. This is the CE VRF. If Internet access must be provided for this CE VRF, the additional allow_dia parameter must be set as well. In the example below, only one of the two CE VRFs has Internet access:

    'Silver': {
        'interfaces': [
            ...
            {
                'name': 'port5',
                'role': 'lan',
                'vrf': 11,
                'allow_dia': true,
                'ip': lan_ip_edu
            },
            {
                'name': 'port6',
                'role': 'lan',
                'vrf': 12,
                'ip': lan_ip_fin
            }
        ]
    }

- The region must also list all the existing CE VRFs:

    'West': {
        'as': '65001',
        'lo_summary': '10.200.1.0/24',
        'hubs': [ 'site1-H1', 'site1-H2' ],
        'vrfs': [ { 'id': 11 }, { 'id': 12 } ]
    }

The rest of the Project Template remains unchanged.

By default, the PE VRF is set to 1. This can be changed using an optional parameter.
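A template that lists a CE VRF on a LAN interface but forgets it in the region, or that reuses the PE VRF ID as a CE VRF, renders without complaint and only fails later on the device. The following script is an added example (not part of the MSSP guide or of its Jinja Templates) that checks those two points and reports which CE VRFs will get Internet access. It follows the template shape shown above; the PE VRF default of 1 is taken from the guide, but the argument name pe_vrf and the helper with_region_vrfs are this script's own, and the IP addresses in the sample are constructed stand-ins for the lan_ip_edu and lan_ip_fin variables.

```python
"""Consistency checks for the segmentation settings of a Project Template.

Added example for this page; it is not part of the MSSP guide or of its
Jinja Templates. The template shape (profiles with 'interfaces' carrying
'vrf' and 'allow_dia', regions carrying 'vrfs') follows the page. The PE
VRF default of 1 is from the page; the argument name 'pe_vrf' below is this
script's own and is not the guide's optional parameter. The IP addresses in
the sample are constructed stand-ins for the page's lan_ip_edu / lan_ip_fin
variables.
"""
import copy

PE_VRF_DEFAULT = 1  # the guide's default PE VRF

# Constructed sample: the page's 'Silver' profile and 'West' region.
PROJECT = {
    "profiles": {
        "Silver": {
            "interfaces": [
                {"name": "port1", "role": "wan"},
                {"name": "port5", "role": "lan", "vrf": 11, "allow_dia": True,
                 "ip": "10.1.11.1/24"},   # stands in for lan_ip_edu
                {"name": "port6", "role": "lan", "vrf": 12,
                 "ip": "10.1.12.1/24"},   # stands in for lan_ip_fin
            ]
        }
    },
    "regions": {
        "West": {
            "as": "65001",
            "lo_summary": "10.200.1.0/24",
            "hubs": ["site1-H1", "site1-H2"],
            "vrfs": [{"id": 11}, {"id": 12}],
        }
    },
}


def lan_interfaces(project):
    """Yield (profile_name, interface) for every interface with role 'lan'."""
    for pname, profile in project["profiles"].items():
        for intf in profile.get("interfaces", []):
            if intf.get("role") == "lan":
                yield pname, intf


def check_segmentation(project, pe_vrf=PE_VRF_DEFAULT):
    """Return a list of problems; an empty list means the template is consistent.

    Checks, per the page: every LAN interface carries a 'vrf' (its CE VRF),
    every such CE VRF is listed under a region's 'vrfs', and no CE VRF reuses
    the PE VRF id, which would defeat the CE/PE separation.
    """
    problems = []
    region_vrfs = set()
    for rname, region in project["regions"].items():
        for entry in region.get("vrfs", []):
            vid = entry["id"]
            if vid == pe_vrf:
                problems.append(
                    f"region {rname}: CE VRF {vid} collides with PE VRF {pe_vrf}")
            region_vrfs.add(vid)

    for pname, intf in lan_interfaces(project):
        name = f"{pname}/{intf['name']}"
        if "vrf" not in intf:
            problems.append(f"{name}: LAN interface has no 'vrf' (CE VRF) set")
            continue
        vid = intf["vrf"]
        if vid == pe_vrf:
            problems.append(f"{name}: CE VRF {vid} collides with PE VRF {pe_vrf}")
        if vid not in region_vrfs:
            problems.append(f"{name}: CE VRF {vid} is not listed in any region's 'vrfs'")
    return problems


def internet_access(project):
    """Map each CE VRF used on a LAN interface to whether it gets Internet access.

    A CE VRF gets Internet access when at least one of its LAN interfaces
    sets 'allow_dia'; for the sample above this returns {11: True, 12: False}.
    """
    access = {}
    for _, intf in lan_interfaces(project):
        if "vrf" in intf:
            vid = intf["vrf"]
            access[vid] = access.get(vid, False) or bool(intf.get("allow_dia", False))
    return access


def with_region_vrfs(project, region, ids):
    """Deep copy of project with the region's 'vrfs' list replaced (for what-if checks)."""
    clone = copy.deepcopy(project)
    clone["regions"][region]["vrfs"] = [{"id": i} for i in ids]
    return clone


if __name__ == "__main__":
    for problem in check_segmentation(PROJECT) or ["template is consistent"]:
        print(problem)
    for vid, dia in sorted(internet_access(PROJECT).items()):
        print(f"CE VRF {vid}: Internet access {'yes' if dia else 'no'}")
    # What-if: the region forgets to list CE VRF 12.
    for problem in check_segmentation(with_region_vrfs(PROJECT, "West", [11])):
        print("what-if:", problem)
```

Run it against the real Project Template before rendering the Jinja Templates; if the PE VRF has been changed from its default, pass that value as pe_vrf so the collision check uses the right ID.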
Another adjustment needs to be made to the Firewall Policies. As described in the SD-WAN / SD-Branch Architecture for MSSPs guide, Internet access from a CE VRF requires two sessions (one from the CE VRF into the PE VRF across the inter-VRF link, and one from the PE VRF out to the underlay or the overlay), and therefore two separate Firewall Rules are needed to permit them.
The following rules permit Internet access on the Spokes. Note that they use the System Zones automatically generated by the Jinja Templates during inter-VRF link creation:
Name | From | To | Src | Dst | Service | NAT
---|---|---|---|---|---|---
Internet (CE-to-PE) | lan_zone | vrfs_leak_zone | all | all | ALL | Yes
Internet (DIA) | pevrf_leak_zone | underlay | all | all | ALL | Yes
Internet (RIA) | pevrf_leak_zone | overlay | all | all | ALL | Lo-Pool
For Remote Internet Access (RIA), the traffic is NATed a second time using an IP Pool named "Lo-Pool", which must include the Spoke's Loopback address. This second NAT is required because the traffic has already been NATed once on the inter-VRF link: without it, the packets would leave the Spoke with the inter-VRF link IP as their source address, which is internal to the Spoke and therefore not reachable from the rest of the overlay network.