SD-WAN

Using Segmentation (VRF) and Destination/Source NAT

1. Using Segmentation (VRF) and Destination/Source NAT

    Posted Apr 20, 2023 12:15 PM

    Use Case - Enable an IOT network, then allow IOT to ping the internal Orchestrator and to reach the internet via local breakout, using segmentation.

    Before segmentation, to fulfill a walled-off environment such as guest or IOT there were several steps that had to be taken. A Firewall Zone had to be created and configured, applied to the BIO, and routing templates had to be modified to prevent the range from being advertised, especially if those ranges were identically addressed per site.

    With segmentation, the process is much simpler. Let's look at the Routing Segmentation (VRF) screen.

    Here we have: 

    • Segment: When created, every device in the fabric gets the segment available to it. We will apply the segment to an interface as one of our steps.
    • Overlay and Breakout Policies: Here you can include all overlays for a segment or skip them. In our example we will only include default.
    • Firewall Zone Policies: With the new ZBF model, firewall templates are no longer used. All firewall changes are made here for the requisite segment.
    • Inter-Segment Routing and DNAT: This is one of the steps that will allow traffic to traverse segments.
    • Inter-segment SNAT: Enable/Disable option. Enabled by default; it should be left on in most use cases.
    • Loopback: Each segment can have its own loopback; this link takes you to the loopback page for that segment.

    Configuring the Branch

    Note: This customer wanted local breakout at branches for the traffic, but there are other approaches.

    1. Create the interface and assign it to the segment. Assign the desired zone and segment.

    Note: The guest segment range is the same, but the gateway is different. You can have identical IPs on different appliances (in different segments), but unique IPs are required on each appliance interface. Also, if using the EC as the DHCP server, the DHCP ranges must not overlap, e.g. Guest is 192.168.1.10-100, IOT is 192.168.1.101-200. This use case may be niche, but it is worth mentioning.

    2. Set overlays
    As previously mentioned, I am going to skip all but default. This is more of a preference than a requirement.

    3. ZBF Change

    By default, all ZBF zones are set to "DENY" between segments (IOT to Default in the screenshot below). Let's change the rule for "From Zone Untrusted To Zone OUT" to allow. Zone creation is outside the scope of this guide, but zones are customizable.

    Again, note that the segment traffic is going from "IOT to Default". All WAN interfaces are hard set to the default segment. This is critical for breakout.

    After the change:

    4. Segment Routing Changes (not needed if only doing local breakout)
    When a segment is created, it also gets its own routing table. By default, new segments have their routing set to not re-advertise the local LAN subnets. If the goal is to use Inter-Segment Routing and DNAT to traverse the fabric for IOT to reach 10.15.99.100, the hub must be aware of that subnet. As shown below, from the hub's perspective it has no routes in the IOT segment's table. We can also see NO ROUTE in the flow detail.

    To fix this, go to the spoke and enable re-advertising of local subnets. This can be done via template for scale.

    Now check the hub, and the route should be there. Traffic will now flow, as shown in step 5.


    5. Testing and Validation

    Pinging to the outside via local breakout should now be successful.

    Let's review the flow to validate. The results have been filtered to the IOT segment; observe the IOT-Default direction and the Inbound/Outbound Tunnel.

    Let's also review some portions of the flow detail. Here we can see that the flow destined for the internet was broken out to our local INET1 egress, using the WAN address of 192.19.2.11.

    Now, let's look at the backhauled ping to 10.15.99.10 across the fabric. Because the default segment has a route for 10.15.99.0/24, the traffic can be routed from IOT to Default across the fabric.
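    To make the two verdicts seen above concrete, here is an added illustration (not code from the post or from the EdgeConnect product) of the two checks a segment-aware forwarding decision goes through: a route lookup restricted to the flow's own segment table, then the ZBF zone-pair rule, which defaults to DENY. Segment, zone and prefix names follow the post; the routing model, the "lan*" next-hop convention and the re-advertise helper are simplifications, and inter-segment routing/DNAT is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Device:
    """Simplified model (not EdgeConnect's implementation): a routing table per segment plus ZBF rules."""
    name: str
    tables: dict = field(default_factory=dict)  # segment -> [(network, next_hop), ...]
    zbf: dict = field(default_factory=dict)     # (from_zone, to_zone) -> "allow"; anything else is DENY

    def add_route(self, segment, prefix, next_hop):
        self.tables.setdefault(segment, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, segment, dst):
        """Longest-prefix match restricted to one segment's table; other segments' routes are invisible."""
        hits = [(net, nh) for net, nh in self.tables.get(segment, []) if ipaddress.ip_address(dst) in net]
        return max(hits, key=lambda h: h[0].prefixlen, default=None)

    def forward(self, segment, from_zone, to_zone, dst):
        """Verdict as the flow detail would show it: route lookup first, then the zone-pair rule."""
        route = self.lookup(segment, dst)
        if route is None:
            return "NO ROUTE"
        if self.zbf.get((from_zone, to_zone)) != "allow":
            return "DENY"
        return "via " + route[1]

def readvertise_lan(spoke, hub, segment):
    """Step 4: push the spoke's local LAN prefixes (constructed 'lan*' next hops) into the hub's table."""
    for net, nh in spoke.tables.get(segment, []):
        if nh.startswith("lan"):
            hub.add_route(segment, str(net), "tunnel:" + spoke.name)

def breakout_scenario():
    """Step 3: IOT (zone Untrusted) to the internet (zone OUT) before and after the ZBF change."""
    spoke = Device("spoke")
    spoke.add_route("IOT", "192.168.1.0/24", "lan1")   # constructed IOT LAN
    spoke.add_route("IOT", "0.0.0.0/0", "INET1")       # constructed breakout route to the WAN interface
    before = spoke.forward("IOT", "Untrusted", "OUT", "8.8.8.8")
    spoke.zbf[("Untrusted", "OUT")] = "allow"           # the rule changed in step 3
    return before, spoke.forward("IOT", "Untrusted", "OUT", "8.8.8.8")

def return_path_scenario():
    """Step 4: the hub has no IOT route back to the branch LAN until the spoke re-advertises it."""
    spoke, hub = Device("spoke"), Device("hub")
    spoke.add_route("IOT", "192.168.1.0/24", "lan1")
    before = hub.lookup("IOT", "192.168.1.50")
    readvertise_lan(spoke, hub, "IOT")
    after = hub.lookup("IOT", "192.168.1.50")
    return before, after[1] if after else None
```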

    Segmentation was introduced into the EC architecture starting in 9.0 and has developed into a powerful and useful feature. This guide covered a simple implementation using a segment for local breakout of a guest/IOT network, and then configuring inter-segment routing to traverse between segments. We also covered the new end-to-end Zone Based Firewall (ZBF) implementation. As this is intended to be a practical guide and not exhaustive instruction, please read up on both features to ensure the concepts are fully understood.

    https://www.silver-peak.com/sites/default/files/UserDocuments/v9resources/pdf/zone_based_firewall.pdf
    https://www.silver-peak.com/sites/default/files/UserDocuments/v9resources/pdf/advanced_segmentation.pdf

    NOTE: On Orchestrator installs upgraded to 9.0, segmentation and the new end-to-end firewall feature are not enabled by default. Please reach out to your SE to discuss before enabling segmentation, as it can be service affecting, including but not limited to changes in how ZBF is applied. There are also some feature restrictions when enabling segmentation that you should be aware of.

    ------------------------------
    Nathaniel Scriven
    Edge Connect/SDWAN SE
    ------------------------------