Network Segmentation
> It is the process of isolating traffic in order to enforce security.
> SDWAN implements the VPN concept in order to enforce segmentation.
> An SDWAN VPN (Virtual Private Network) is similar in concept to a traditional VRF (Virtual Routing and Forwarding).
> VRF technology was primarily used in the traditional WAN to isolate the network routes of different customers using multiple RIB instances.
> All SDWAN devices maintain per-VPN tables of network routes.

VPN 0 Transport VPN
> WAN-facing VPN/VRF that is available on all SDWAN devices by default (cannot be removed).
> It represents the Control Plane and provides the transport pathway for all Controllers and WAN Edges.
> Special DTLS/TLS tunnels are automatically built over VPN 0 between all Controllers and between each WAN Edge and the Controllers (IPSec tunnels are only built between WAN Edges).
> The OMP protocol runs over VPN 0 to transport Routes, Policies, Templates and IPSec Security Parameters.
> It maintains underlay routes only in this VRF.

VPN 512 Management VPN
> Management VPN/VRF that carries out-of-band network management traffic.
> Typically available for vManage only.
> It is used to access the GUI and CLI of vManage.
> It does not implement any routing protocol.
> It represents the Management Plane.

VPN XXX Service VPN [ 1-65528 excluding 512 ]
> LAN-facing VPN/VRF.
> Available on WAN Edges only.
> It implements routing protocols and network services (Firewall, IPS, IDS).
> It represents the Data Plane.

Task# View all configured VPNs
# sh run vpn int ip addr | tab
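As an added example (not part of the original notes or of any vendor tool), the following Python audits a vEdge-style running-config against the VPN roles above: every VPN id must be 0, 512 or a service VPN in 1-65528, VPN 0 must be present, and VPN 512 must not carry a routing protocol. The config text, the `vpn`/`interface`/`router` block layout and all addresses are constructed for this illustration.

```python
import re
# Constructed, abbreviated vEdge-style running-config (not captured from a real device).
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/0
  ip address 192.0.2.10/24
  tunnel-interface
 ip route 0.0.0.0/0 192.0.2.1
vpn 512
 interface eth0
 router
  ospf
vpn 1
 interface ge0/1
 router
  ospf
vpn 70000
"""

def parse_vpns(config: str) -> dict[int, list[str]]:
    """Group the stripped body lines of each top-level 'vpn N' block by VPN id."""
    vpns, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^vpn (\d+)\s*$", raw)
        if m:  # a new top-level VPN block starts
            current = int(m.group(1))
            vpns[current] = []
        elif current is not None and raw.startswith(" "):
            vpns[current].append(raw.strip())
    return vpns

def vpn_role(vpn_id: int) -> str:
    """0 = transport, 512 = management, 1-65528 (except 512) = service, else invalid."""
    if vpn_id == 0:
        return "transport"
    if vpn_id == 512:
        return "management"
    return "service" if 1 <= vpn_id <= 65528 else "invalid"

def audit(config: str) -> tuple[dict[int, str], list[str]]:
    """Return each VPN's role and the findings that break the segmentation rules."""
    vpns = parse_vpns(config)
    roles = {vid: vpn_role(vid) for vid in vpns}
    findings = []
    if 0 not in vpns:  # the transport VPN exists on every device and cannot be removed
        findings.append("VPN 0 (transport) is missing")
    for vid, body in vpns.items():
        if roles[vid] == "invalid":
            findings.append(f"VPN {vid} is outside the valid service range 1-65528")
        if vid == 512 and "router" in body:  # the management VPN runs no routing protocol
            findings.append("VPN 512 configures a routing protocol")
    return roles, findings
```

Feed it the output of the `sh run vpn` task above (saved to a file) to get a per-VPN role map plus any violations of the three rules.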
Donaldson, S. E., Siegel, S. G., Williams, C. K., & Aslam, A. (2015). Network Segmentation. In Enterprise Cybersecurity (pp. 459–465). Apress. https://doi.org/10.1007/978-1-4302-6083-7_24