Secure Segmentation in Cisco Viptela SDWAN

In this article we are going to talk about secure segmentation in the Cisco Viptela SDWAN solution. Before that, we will cover the components of the Cisco SDWAN solution and the responsibility of each component, as described below.

vManage in Cisco SDWAN

  • vManage is the NMS (network management system) for your entire SDWAN fabric.

vBond in Cisco SDWAN

  • First point of authentication (white-list model).
  • Orchestrates the control and management planes.
  • Facilitates NAT traversal.

vSmart in Cisco SDWAN

  • Distributes reachability and provides Layer 3 route information between vEdge devices.
  • Distributes data and app-route policies to the vEdges.
  • Enforces control policies.

vEdge in Cisco SDWAN

  • These are the WAN edge routers.
  • Establish OMP sessions with vSmart in order to build overlay routing.
  • Establish a secured data plane between sites via IPsec tunnels.

Secure Segmentation

Now that we have covered the basic components of the Cisco SDWAN solution, let us look at how secure segmentation is achieved in this solution.

Segmentation provides secure logical isolation on the SD-WAN network, where each segment is defined as a separate VPN and controlled centrally by access-control policy. As Layer 3 segmentation, this gives you:

  • The ability to group prefixes into a unique route table (RIB or FIB).
  • The ability to associate an interface with a route table, so that traffic traversing the interface is routed based on the prefixes in that route table.
Fig 1.1- Secure Segmentation

For secure segmentation on a vEdge device there are three kinds of VPNs:

  • Transport VPN (always VPN 0)
  • Service VPNs (range 1-511)
  • Management VPN (VPN 512)

VPN 0 is the transport VPN. It carries control traffic over secure DTLS/TLS tunnels between vSmart controllers and vEdge routers, and between vSmart controllers and vBond orchestrators. Initially, VPN 0 contains all of a device's interfaces except the management interface, and all of those interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure the WAN transport interfaces in VPN 0.

VPN 512 is the management VPN. It carries out-of-band network management traffic among the Viptela devices in the overlay network. By default, VPN 512 is configured and enabled. You can modify this configuration if desired.

VPNs are isolated from each other, and each VPN has its own forwarding table. Also note that, by default, route leaking between VPNs is blocked.

The vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates. Make sure you understand these labels, as they are used to identify the VPN of incoming packets.

Configure VPN 0 with two transports

MPLS as transport

vEdge(config)# vpn 0 interface ge0/0
vEdge(config-interface)# ip address 172.16.1.1/30
vEdge(config-interface)# ip dhcp-client
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns 10.10.10.1 primary
vEdge(config-vpn-0)# commit


BIZ-Internet as transport

vEdge(config)# vpn 0 interface ge0/1
vEdge(config-interface)# ip address 172.18.1.1/30
vEdge(config-interface)# ip dhcp-client
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color biz-internet
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns 10.10.10.1 primary
vEdge(config-vpn-0)# commit


The output of the above configuration is shown below.



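As an added example (not from the article or from Cisco), the following Python parses a vEdge CLI transcript in the same form as the two configurations above and checks it against the segmentation model described in this article: tunnel interfaces only in the transport VPN 0, one color per transport interface, IPsec encapsulation for the data plane, and VPN ids within the 0 / 1-511 / 512 ranges. The sample transcript, interface names and VPN ids are constructed to exercise each check.

```python
import re
from collections import defaultdict
# Constructed vEdge CLI transcript (hypothetical values): the article's two VPN 0
# transports, plus a service VPN and an out-of-range VPN to exercise the checks.
SAMPLE_TRANSCRIPT = """\
vEdge(config)# vpn 0 interface ge0/0
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config)# vpn 0 interface ge0/1
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color biz-internet
vEdge(config-tunnel-interface)# encapsulation gre
vEdge(config)# vpn 10 interface ge0/2
vEdge(config-interface)# tunnel-interface
vEdge(config)# vpn 600 interface ge0/3
"""

def parse_transcript(text):
    """Map vpn id -> interface -> {tunnel, color, encap} from CLI prompt lines."""
    vpns, vpn, ifname = defaultdict(dict), None, None
    for raw in text.splitlines():
        cmd = raw.split("# ", 1)[-1].strip()          # drop the "vEdge(config...)# " prompt
        m = re.match(r"vpn (\d+) interface (\S+)$", cmd)
        if m:
            vpn, ifname = int(m.group(1)), m.group(2)
            vpns[vpn][ifname] = {"tunnel": False, "color": None, "encap": None}
        elif vpn is not None and cmd == "tunnel-interface":
            vpns[vpn][ifname]["tunnel"] = True
        elif vpn is not None and cmd.startswith(("color ", "encapsulation ")):
            key = "color" if cmd.startswith("color") else "encap"
            vpns[vpn][ifname][key] = cmd.split()[1]
    return vpns

def check_segmentation(vpns):
    """Return findings that violate the VPN model described in the article."""
    findings, colors = [], set()
    for vpn, ifaces in sorted(vpns.items()):
        if vpn > 512:
            findings.append(f"vpn {vpn}: outside the VPN ranges the article lists (0, 1-511, 512)")
        for name, i in ifaces.items():
            if not i["tunnel"]:
                continue                               # plain service/management interface
            if vpn != 0:
                findings.append(f"vpn {vpn} {name}: tunnel-interface belongs only in transport VPN 0")
            elif i["color"] in colors:                 # each transport needs its own color
                findings.append(f"vpn 0 {name}: color {i['color']} reused on another transport")
            elif i["encap"] != "ipsec":                # article: secured data plane via IPsec
                findings.append(f"vpn 0 {name}: encapsulation {i['encap']}, expected ipsec")
            colors.add(i["color"])
    return findings
```

Running `check_segmentation(parse_transcript(SAMPLE_TRANSCRIPT))` reports the GRE transport, the tunnel interface placed in service VPN 10, and the out-of-range VPN 600, while a transcript with only the two IPsec transports above yields no findings.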
We will talk about Fabric operation in Cisco SDWAN in our next article.