There are several use cases where segmentation is used:
- Requirement to keep business units separate from guest users
- Requirement to group prefixes into a unique route table
- A service provider (SP) requirement to provide a VPN service to its customers
- Requirement to provide selective access to business partners
When we configure segmentation or a VPN on a device, it is limited and local to that device only. If we want to extend this function throughout the network, the VPN or segmentation information needs to be sent or carried throughout the network.
The following approaches are used to provide network segmentation:
- At every device and on every link, define a grouping policy to group prefixes
- Define the grouping policy at the edge device and carry the segmentation information to the immediate host
Let's see how routing information is propagated inside a VPN:
- vEdge-1 subscribes to two VPNs, Yellow and Violet, so it has two route tables.
- The Yellow VPN has prefix 10.1.1.0/24 (either directly through a connected interface or learned via the IGP or BGP).
- The Violet VPN has prefix 10.2.2.0/24 (either directly through a connected interface or learned via the IGP or BGP).
- vEdge-2 subscribes to the Yellow VPN, so it has one route table.
- This VPN has prefix 192.168.1.0/24 (either directly through a connected interface or learned via the IGP or BGP).
- vEdge-3 subscribes to the Violet VPN, so it has one route table.
- This VPN has prefix 192.168.2.0/24 (either directly through a connected interface or learned via the IGP or BGP).
Each router has an OMP connection to the vSmart controller and shares its routing information with the controller. On the vSmart controller, based on the policies enforced by the network admin, actions such as dropping routes, changing the TLOC or changing the VPN ID can be applied in the inbound or outbound direction.
Based on the VPN ID, this routing information is propagated across the Viptela network. As soon as a VPN is configured on a vEdge router, the router associates a label with it and sends the label together with the VPN ID to the vSmart controller; vSmart then propagates this vEdge-to-VPN-ID mapping to the other vEdge routers in the domain. The vEdge routers then use this label to send traffic to the correct VPN, and vice versa.
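As an added illustration (not Viptela code or configuration), the following Python model walks the three-router scenario above through a vSmart that reflects each route with its VPN and label and applies an optional policy; the label values and the use of the router name as a stand-in for the TLOC are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of OMP route propagation (not Viptela code). Labels are
# made-up values; in the real system the vEdge allocates them per VPN.

@dataclass(frozen=True)
class OmpRoute:
    prefix: str   # e.g. "10.1.1.0/24"
    vpn: str      # VPN the prefix belongs to ("yellow" / "violet")
    label: int    # label the originating vEdge allocated for that VPN
    tloc: str     # originating vEdge, standing in for the TLOC

@dataclass
class VEdge:
    name: str
    vpns: dict                                 # vpn -> locally allocated label
    local: dict = field(default_factory=dict)  # vpn -> [connected/IGP/BGP prefixes]
    table: dict = field(default_factory=dict)  # vpn -> {prefix: (tloc, label)}

    def advertise(self):
        """Every local prefix is sent to vSmart tagged with its VPN and label."""
        return [OmpRoute(p, vpn, self.vpns[vpn], self.name)
                for vpn, prefixes in self.local.items() for p in prefixes]

    def receive(self, route):
        """Install a route only if this vEdge subscribes to its VPN."""
        if route.vpn in self.vpns:
            self.table.setdefault(route.vpn, {})[route.prefix] = (route.tloc, route.label)

def vsmart_propagate(edges, policy=lambda r: r):
    """vSmart applies policy to each route (None means drop) and reflects it
    to every other vEdge; the receiving vEdge filters on VPN membership."""
    for src in edges:
        for route in src.advertise():
            route = policy(route)
            if route is not None:
                for dst in edges:
                    if dst is not src:
                        dst.receive(route)

def build_scenario(policy=lambda r: r):
    """The three-router topology from the text; returns the edges by name."""
    e1 = VEdge("vEdge-1", {"yellow": 1001, "violet": 1002},
               {"yellow": ["10.1.1.0/24"], "violet": ["10.2.2.0/24"]})
    e2 = VEdge("vEdge-2", {"yellow": 1003}, {"yellow": ["192.168.1.0/24"]})
    e3 = VEdge("vEdge-3", {"violet": 1004}, {"violet": ["192.168.2.0/24"]})
    vsmart_propagate([e1, e2, e3], policy)
    return {e.name: e for e in (e1, e2, e3)}
```

After `build_scenario()`, vEdge-2 holds only the Yellow prefix from vEdge-1 and vEdge-3 only the Violet one, while a policy such as `lambda r: None if r.vpn == "violet" else r` shows the controller dropping a whole VPN's routes before they reach any edge.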
This can be understood from the diagram below:
Cisco Viptela provides two default VPNs to separate traffic:
- VPN 0 (Transport VPN): all transport interfaces are kept in this VPN
- VPN 512 (Management VPN): isolates out-of-band (OOB) management traffic
We have discussed this information many times in previous sections.
The dual-stack feature is supported on vEdge and vSmart in VPN 0. To enable dual stack, configure both an IPv4 and an IPv6 address on the tunnel interface; based on the traffic pattern, the device will select either the IPv4 or the IPv6 interface.