Secure Segmentation in Cisco Viptela SDWAN

In this article we are going to talk about secure segmentation in the Cisco Viptela SD-WAN solution. Before that, we will go over the components of the Cisco SD-WAN solution and the responsibility of each component, as described below.

vManage in Cisco SDWAN
  • vManage is the NMS system for your entire SD-WAN fabric
vBond in Cisco SDWAN
  • First point of authentication in the white-list model
  • Orchestrates the control and management plane
  • Facilitates NAT traversal
vSmart in Cisco SDWAN
  • Distributes reachability and provides Layer 3 route information between vEdge devices
  • Distributes data and app-route policies to vEdges
  • Enforces control policies
vEdge in Cisco SDWAN
  • These are the WAN edge routers
  • Establish OMP sessions with vSmart in order to build overlay routing
  • Establish a secured data plane between sites via IPsec tunnels

Secure Segmentation
Now that we have covered the basic components of the Cisco SD-WAN solution, let us look at how secure segmentation is achieved in this solution.

Segmentation provides secure logical isolation on the SD-WAN network, where each segment is defined as a separate VPN and controlled centrally by access-control policies. As Layer 3 segmentation, this gives you:

  • Ability to group prefixes into a unique route table (RIB or FIB).
  • Ability to associate an interface with a route table so that traffic traversing the interface is routed based on prefixes in that route table.
Fig 1.1- Secure Segmentation
For secure segmentation on a vEdge device there are three kinds of VPNs, and these VPNs are:
  • Transport VPN (Always be VPN 0)
  • Service VPN (Range from 1-511)
  • Management VPN (VPN 512)
VPN 0 is the transport VPN. It carries control traffic over secure DTLS/TLS tunnels between vSmart controllers and vEdge routers, and between vSmart controllers and vBond orchestrators. Initially, VPN 0 contains all a device's interfaces except for the management interface, and all the interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0.

VPN 512 is the management VPN. It carries out-of-band network management traffic among the Viptela devices in the overlay network. By default, VPN 512 is configured and enabled. You can modify this configuration if desired.

VPNs are isolated from each other and each VPN has its own forwarding table. Also note that by default route leaking between VPNs is blocked.

A vEdge router allocates a label to each of its service VPNs and advertises it as a route attribute in OMP updates. Make sure you understand labels, as they are what identifies the VPN of an incoming packet on the receiving router.
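The following is an added example written for this article, not Cisco or Viptela code, that models the two facts above: every service VPN has its own forwarding table, and the label carried in a packet selects that table on the receiving vEdge, so a lookup never crosses into another VPN unless leaking is explicitly configured. Label values, interface names and prefixes are constructed, and the label allocator is a stand-in for whatever the real platform does.

```python
"""Toy model of VPN segmentation on a vEdge (added example, not Viptela code).
Labels, interfaces and prefixes below are constructed."""
import ipaddress

TRANSPORT_VPN = 0             # VPN 0: WAN transport and control plane
MANAGEMENT_VPN = 512          # VPN 512: out-of-band management
SERVICE_VPNS = range(1, 512)  # service VPNs 1-511


def vpn_kind(vpn_id):
    """Classify a VPN number into the three kinds the article lists."""
    if vpn_id == TRANSPORT_VPN:
        return "transport"
    if vpn_id == MANAGEMENT_VPN:
        return "management"
    if vpn_id in SERVICE_VPNS:
        return "service"
    raise ValueError(f"VPN {vpn_id} is outside 0-512")


class VEdge:
    def __init__(self, name):
        self.name = name
        self.fibs = {}           # vpn -> {ip_network: next hop}, one table per VPN
        self.labels = {}         # vpn -> label this router advertises in OMP
        self._next_label = 1001  # constructed label allocator

    def add_service_vpn(self, vpn_id):
        """Create an isolated forwarding table and allocate its label."""
        if vpn_kind(vpn_id) != "service":
            raise ValueError(f"VPN {vpn_id} is not a service VPN")
        self.fibs[vpn_id] = {}
        self.labels[vpn_id] = self._next_label
        self._next_label += 1
        return self.labels[vpn_id]

    def add_route(self, vpn_id, prefix, next_hop):
        self.fibs[vpn_id][ipaddress.ip_network(prefix)] = next_hop

    def omp_advertisement(self):
        """(vpn, prefix, label) tuples as vSmart would relay them to peers."""
        return [(vpn, str(p), self.labels[vpn])
                for vpn, fib in self.fibs.items() for p in fib]

    def forward(self, label, dst):
        """Receiving side: the label picks the VPN; lookup stays in that FIB."""
        vpn = next((v for v, l in self.labels.items() if l == label), None)
        if vpn is None:
            return "drop: unknown label"
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.fibs[vpn] if addr in p]
        if not matches:
            return f"drop: no route in VPN {vpn}"
        best = max(matches, key=lambda p: p.prefixlen)  # longest prefix match
        return f"vpn {vpn} -> {self.fibs[vpn][best]}"


def demo():
    """Two tenants sharing an overlapping prefix; results keyed for inspection."""
    r = VEdge("vEdge-site1")
    lbl_hr = r.add_service_vpn(10)
    lbl_guest = r.add_service_vpn(20)
    r.add_route(10, "10.1.0.0/24", "ge0/2")
    r.add_route(10, "192.168.5.0/24", "ge0/3")
    r.add_route(20, "10.1.0.0/24", "ge0/4")  # same prefix, different VPN
    return {
        "labels": (lbl_hr, lbl_guest),
        "hr_overlap": r.forward(lbl_hr, "10.1.0.7"),
        "guest_overlap": r.forward(lbl_guest, "10.1.0.7"),
        "guest_to_hr_prefix": r.forward(lbl_guest, "192.168.5.9"),
        "bogus_label": r.forward(9999, "10.1.0.7"),
        "adverts": sorted(r.omp_advertisement()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The overlapping 10.1.0.0/24 prefix is the point: both tenants can use it because the label, not the destination address, decides which table is consulted, and a packet tagged with the guest VPN's label never reaches the HR prefix even though the router holds a route for it.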

Configuring VPN 0 with two transports

MPLS as transport
vEdge(config)# vpn 0 interface ge0/0
vEdge(config-interface)# ip address 172.16.1.1/30
vEdge(config-interface)# ip dhcp-client 4
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns ip-address 10.10.10.1
vEdge(config)# commit

BIZ-Internet as transport
vEdge(config)# vpn 0 interface ge0/1
vEdge(config-interface)# ip address 172.18.1.1/30
vEdge(config-interface)# ip dhcp-client 4
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color biz-internet
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns ip-address 10.10.10.1
vEdge(config)# commit

The output of the above configuration is shown below (screenshot not reproduced).
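As an added example for this article (not Cisco or Viptela code), the script below parses CLI transcripts in the form shown above and flags the settings that would keep a transport out of the overlay or leave the data plane unencrypted: a missing tunnel-interface, an interface left shut down, no color, an encapsulation other than ipsec, or the same color on two interfaces (the TLOC is identified by system IP, color and encapsulation, so duplicates collide). The first transcript is the article's own two-transport configuration; the second is a constructed misconfiguration used for contrast.

```python
"""Audit of a vEdge VPN 0 transport configuration (added example, not Viptela code)."""
import re
from collections import Counter

# Strips prompts such as "vEdge(config-tunnel-interface)# " or "vEdge (config)# "
PROMPT = re.compile(r"^\S+\s*\([\w-]+\)#\s*")

# The article's two-transport configuration, as typed on the CLI
GOOD_CONFIG = """
vEdge(config)# vpn 0 interface ge0/0
vEdge(config-interface)# ip address 172.16.1.1/30
vEdge(config-interface)# ip dhcp-client 4
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns ip-address 10.10.10.1
vEdge(config)# vpn 0 interface ge0/1
vEdge(config-interface)# ip address 172.18.1.1/30
vEdge(config-interface)# ip dhcp-client 4
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color biz-internet
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config-vpn-0)# dns ip-address 10.10.10.1
vEdge(config)# commit
"""

# Constructed misconfiguration: unencrypted GRE on one transport, the other
# never brought up, and the same color on both interfaces
WEAK_CONFIG = """
vEdge(config)# vpn 0 interface ge0/0
vEdge(config-interface)# ip address 172.16.1.1/30
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation gre
vEdge(config)# vpn 0 interface ge0/1
vEdge(config-interface)# ip address 172.18.1.1/30
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# color mpls
vEdge(config-tunnel-interface)# encapsulation ipsec
vEdge(config)# commit
"""


def parse_vpn0_transports(cli_text):
    """Return {interface: settings} for interfaces configured under vpn 0."""
    ifaces, current = {}, None
    for raw in cli_text.strip().splitlines():
        cmd = PROMPT.sub("", raw).strip()
        parts = cmd.split()
        if not parts:
            continue
        if parts[:3] == ["vpn", "0", "interface"] and len(parts) >= 4:
            current = parts[3]
            ifaces.setdefault(current, {"tunnel": False, "shutdown": True})
        elif current is None:
            continue  # vpn-level commands before any interface
        elif cmd == "tunnel-interface":
            ifaces[current]["tunnel"] = True
        elif cmd == "no shutdown":
            ifaces[current]["shutdown"] = False
        elif cmd == "shutdown":
            ifaces[current]["shutdown"] = True
        elif parts[0] == "color" and len(parts) > 1:
            ifaces[current]["color"] = parts[1]
        elif parts[0] == "encapsulation" and len(parts) > 1:
            ifaces[current]["encapsulation"] = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) > 2:
            ifaces[current]["address"] = parts[2]
        # dns, dhcp-client, commit and anything else are ignored by this audit
    return ifaces


def audit_transports(ifaces):
    """List findings; an empty list means every transport passed."""
    findings = []
    for name, s in ifaces.items():
        if not s["tunnel"]:
            findings.append(f"{name}: no tunnel-interface, it will not join the overlay")
        if s["shutdown"]:
            findings.append(f"{name}: interface is shut down")
        if "color" not in s:
            findings.append(f"{name}: tunnel has no color")
        enc = s.get("encapsulation", "unset")
        if enc != "ipsec":
            findings.append(f"{name}: encapsulation is {enc}, expected ipsec (gre is unencrypted)")
    colors = Counter(s["color"] for s in ifaces.values() if "color" in s)
    for color, n in colors.items():
        if n > 1:
            findings.append(f"color {color} used on {n} tunnel interfaces; "
                            "TLOCs (system-ip, color, encapsulation) would collide")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article config", GOOD_CONFIG), ("weak config", WEAK_CONFIG)):
        print(label, audit_transports(parse_vpn0_transports(cfg)) or "OK")
```

Run against the article's configuration the audit returns no findings; the constructed variant produces one finding for GRE, one for the interface that was never brought up, and one for the duplicated color.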


We will talk about Fabric operation in Cisco SDWAN in our next article.