Segmentation Configuration Example

Segmentation Configuration Example

Posted on Jan 27, 2020 (0)

Segmentation Configuration Example

Here are some configuration steps and examples which will help you to understand how to segment the network.

Create Basic VPNs

Configure basic VPNs required by Viptela devices consist of these steps:

On the vEdge router:

• Create a VPN 0 instance for the transport VPN.
• Create a VPN 512 instance for the management VPN.
• Create a VPN instance to use for routing.

On the vSmart controller:

• Create a VPN 0 instance for the transport VPN.
• Create a VPN 512 instance for the management VPN.
• Optionally, create policies to influence routing and access control within the VPN.

Full configuration example for vEdge:

system                                          # Configure general system parameters
host-name vedge
domain-id 1
site-id 100
vpn 0                                               # Create the tunnel interface and allow
interface ge 0/0                                reachability to vSmart in transport VPN
ip address
color default
encapsulation ipsec
no shutdown
ip route
vpn 1                                              # Create new VPN, add interfaces and routing
interface ge 0/1
ip address
no shutdown
bgp 20
no shutdown
remote-as 20
address-family ipv4_unicast
vpn 512
interface mgmt0
ip dhcp-client
no shutdown

Configuration on the vSmart Controller

In vSmart router, configure VPN 0 and VPN 512 interface as we did for vEdge, additionally we need to configure a centralized control policy that controls how the VPN traffic is propagated through the rest of the network.
In this example let configure to drop unwanted prefixes from propagating through the rest of the network. You can use a single vSmart policy to enforce policies throughout the network

Create a list of sites IDs for the sites where you want to drop unwanted prefixes

vSmart(config)# policy lists site-list 10-20 site-id 20
vSmart(config-site-list-20-30)# site-id 20

Create a prefix list for the prefixes that you do not want to propagate:

vSmart(config)# policy lists prefix-list drop-list ip-prefix

Create the control policy:

vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 match route prefix-list drop-list
vSmart(config-match)# top
vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 action reject
vSmart(config-action)# top
vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 default-action accept
vSmart(config-default-action)# top

Apply the policy to prefixes inbound to the vSmart controller:

vSmart(config)# apply-policy site-list 10-20 control-policy drop-unwanted-routes in

Leak Routes across VPNs

In today complex scenario, it may be required to leak one VPN prefix to another VPN , so leak Prefixes , it is required to create the leaking control policy on vSmart controller .
In this example we will create the Leak control policy that allow an VPN to import routes from a VN list.

Following are the steps:

• Create a control policy to match routes from a list of VPNs. Here, sequence 10 of the policy matches all routes from the VPNs of all business partners (BPs). The business partner VPN IDs are listed in the All-customers list.

• Accept routes that match this policy, and import the prefixes into a new VPN called RED .
• Apply this policy towards the RED sites on routes inbound to the vSmart controller.

site-list customer-Sites
site-id 10
site-id 20
vpn-list All-customers
vpn 100
vpn 101
vpn-list RED-BP
vpn 200
control-policy import-customer-to-RED
sequence 10
match route
vpn-list All-customers
action accept
export-to vpn-list RED
! !
default-action accept
site-list BP-Sites
control-policy import-customer-to-RED in


    You are will be the first.


Please login here to comment.