Cisco SD-WAN Segmentation

Network segmentation has existed for over a decade and has been implemented in multiple forms and shapes.
At its most rudimentary level, segmentation provides traffic isolation. The most common forms of network
segmentation are virtual LANs, or VLANs, for Layer 2 solutions, and virtual routing and forwarding, or VRF, for
Layer 3 solutions.

There are many use cases for segmentation:

Use Cases for Segmentation

• An enterprise wants to keep different lines of business separate (for example, for security or audit
reasons).

• The IT department wants to keep authenticated users separate from guest users.

• A retail store wants to separate video surveillance traffic from transactional traffic.

• An enterprise wants to give business partners selective access only to some portions of the network.

• A service or business needs to enforce regulatory compliance, such as compliance with HIPAA, the U.S.
Health Insurance Portability and Accountability Act, or with the Payment Card Industry (PCI) security
standards.

• A service provider wants to provide VPN services to its medium-sized enterprises.

Limitations of Segmentation

One inherent limitation of segmentation is its scope. Segmentation solutions either are complex or are limited
to a single device or pair of devices connected via an interface. As an example, Layer 3 segmentation provides
the following:

1. Ability to group prefixes into a unique route table (RIB or FIB).

2. Ability to associate an interface with a route table so that traffic traversing the interface is routed
based on prefixes in that route table.

This is a useful functionality, but its scope is limited to a single device. To extend the functionality throughout
the network, the segmentation information needs to be carried to the relevant points in the network.

How to Enable Network-Wide Segmentation

There are two approaches to providing this network-wide segmentation:

• Define the grouping policy at every device and on every link in the network (basically, you perform
Steps 1 and 2 above on every device).

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

• Define the grouping policy at the edges of the segment, and then carry the segmentation information
in the packets for intermediate nodes to handle.

The first approach is useful if every device is an entry or exit point for the segment, which is generally not the
case in medium and large networks. The second approach is much more scalable and keeps the transport
network free of segments and complexity.

• Segmentation in Cisco SD-WAN

• VRFs Used in Cisco SD-WAN Segmentation
• Configure VRF Using Cisco vManage Templates
• Segmentation CLI Reference
Segmentation in Cisco SD-WAN

In the Cisco SD-WAN overlay network, VRFs divide the network into different segments.

Cisco SD-WAN employs the more prevalent and scalable model of creating segments. Essentially, segmentation
is done at the edges of a router, and the segmentation information is carried in the packets in the form of an
identifier.

The figure shows the propagation of routing information inside a VRF.

Figure 1. Propagation of Routing Information Inside a VRF

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

In this figure:

• Router-1 subscribes to two VRFs, red and blue.

o The red VRF caters to the prefix 10.1.1.0/24 (either directly through a connected interface or
learned using the IGP or BGP).
o The blue VRF caters to the prefix 10.2.2.0/24 (either directly through a connected interface or
learned using the IGP or BGP).
• Router-2 subscribes to the red VRF.
o This VRF caters to the prefix 192.168.1.0/24 (either directly through a connected interface or
learned using the IGP or BGP).
• Router-3 subscribes to the blue VRF.
o This VRF caters to the prefix 192.168.2.0/24 (either directly through a connected interface or
learned using the IGP or BGP).
Because each router has an Overlay Management Protocol (OMP) connection over a TLS tunnel to a Cisco
vSmart Controller, it propagates its routing information to the Cisco vSmart Controller. On the Cisco vSmart
Controller, the network administrator can enforce policies to drop routes, to change TLOCs, which are overlay
next hops, for traffic engineering or service chaining. A network administrator can apply these policies as
inbound and outbound policies on the Cisco vSmart Controller.
All the prefixes belonging to a single VRF are kept in a separate route table. This provides the Layer 3 isolation
required for the various segments in the network. So, Router-1 has two VRF route tables, and Router-2 and
Router-3 each have one route table. In addition, the Cisco vSmart Controller maintains the VRF context of each
prefix.

Separate route tables provide isolation on a single node. So how is routing information propagated across the
network?

In the Cisco SD-WAN solution, this is done using VRF identifiers, as shown in the figure below. A VRF ID, which
is carried in a packet, identifies each VRF on a link. When you configure a VRF on a router, the VRF has a label
associated with it. The router sends the label, along with the VRF ID, to the Cisco vSmart Controller. The Cisco
vSmart Controller propagates this router-to- VRF ID mapping information to the other routers in the domain.
The remote routers then use this label to send traffic to the appropriate VRF. The local routers, on receiving the
data with the VRF ID label, use the label to demultiplex the data traffic. This is similar to how MPLS labels are
used. This design is based on standard RFCs and is compliant with regulatory procedures such as PCI and
HIPAA.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

Figure 2. VRF Identifiers

Note The transport network that connects the routers is completely unaware of the VRFs. Only the routers
know about VRFs; the rest of the network follows standard IP routing.

VRFs Used in Cisco SD-WAN Segmentation

The Cisco SD-WAN solution involves the use of VRFs to separate traffic.
Global VRF

The global VRF is used for transport. To enforce the inherent separation between services (such as prefixes
that belong to the enterprise) and transport (the network that connects the routers), all the transport
interfaces, that is, all the TLOCs, are kept in the global VRF. This ensures that the transport network cannot
reach the service network by default. Multiple transport interfaces can belong to the same VRF, and packets
can be forwarded to and from transport interfaces.

A global VRF contains all the interfaces for a device, except the management interface, and all the interfaces are
disabled. For the control plane to establish itself so that the overlay network can function, you must configure
tunnel interfaces in a global VRF. For each interface in a global VRF, you must set an IP address, and create a
tunnel connection that sets the color and encapsulation for the WAN transport connection. (The encapsulation
is used for the transmission of data traffic.) These three parameters—IP address, color, and encapsulation—
define a TLOC (transport location) on the router. The OMP session running on each tunnel sends the TLOC to
the Cisco vSmart Controllers so that they can learn the overlay network topology.

Dual-Stack Support on Transport VPNs

In the global VRF, Cisco IOS XE SD-WAN devices and vSmart controllers support dual stack. To enable dual
stack, configure an IPv4 address and an IPv6 address on the tunnel interface. The router learns from a Cisco
vSmart Controller whether a destination supports IPv4 or IPv6 addresses. When forwarding traffic, a router
Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/
Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

chooses either the IPv4 or the IPv6 TLOC, based on the destination address. But IPv4 is always preferred when
configured.

Management VRF

Mgmt-Intf is the management VRF on Cisco IOS XE SD-WAN devices. It is configured and enabled by default. It
carries out-of-band network management traffic among the devices in the overlay network. You can modify
this configuration, if required.
Configure VRF Using Cisco vManage Templates

In Cisco vManage, use a CLI template to configure VRFs for a device. For each VRF, configure a subinterface and
link the subinterface to the VRF. You can configure up to 300 VRFs.
When you push a CLI template to a device, Cisco vManage overwrites existing configuration on the device and
loads the configuration defined in the CLI template. Consequently, the template cannot only provide the new
content being configured, such as VRFs. The CLI template must include all the configuration details required by
the device. To display the relevant configuration details on a device, use the show sdwan running-
config command.
For details about creating and applying CLI templates, and for an example of configuring VRFs, see the CLI
Templates for Cisco IOS XE SD-WAN Routers chapter of the Systems and Interfaces Configuration Guide, Cisco
IOS XE Release 17.x.

The following are the supported devices:

• Cisco ASR1001-HX

• ASR1002-HX

Configure VPNs Using vManage Templates

Create a VPN Template

Note Cisco IOS XE SD-WAN devices use VRFs for segmentation and network isolation. However, the
following steps still apply if you are configuring segmentation for Cisco IOS XE SD-WAN devices
through Cisco vManage. When you complete the configuration, the system automatically converts the
VPNs to VRFs for Cisco IOS XE SD-WAN devices.

Procedure

Step 1
In Cisco vManage, choose Configuration > Templates.
Step 2
In the Device tab, click Create Template.
Step 3
From the Create Template drop-down, select From Feature Template.
Step 4
From the Device Model drop-down, select the type of device for which you are creating the template.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

Step 5
To create a template for VPN 0 or VPN 512:

a. Click the Transport & Management VPN tab located directly beneath the Description
field, or scroll to the Transport & Management VPN section.
b. From the VPN 0 or VPN 512 drop-down, click Create Template. The VPN template form
displays. The top of the form contains fields for naming the template, and the bottom
contains fields for defining VPN parameters.
Step 6
To create a template for VPNs 1 through 511, and 513 through 65527:
a. Click the Service VPN tab located directly beneath the Description field, or scroll to the
Service VPN section.
b. Click the Service VPN drop-down.
c.From the VPN drop-down, click Create Template. The VPN template form displays. The top
of the form contains fields for naming the template, and the bottom contains fields for
defining VPN parameters.

Step 7
In the Template Name field, enter a name for the template. The name can be up to 128 characters
and can contain only alphanumeric characters.
Step 8
In the Template Description field, enter a description of the template. The description can be up to
2048 characters and can contain only alphanumeric characters.

Configure Basic VPN Parameters

To configure basic VPN parameters, choose the Basic Configuration tab and then configure the following
parameters. Parameters marked with an asterisk are required to configure a VPN.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

Parameter Name Description

VPN
Enter the numeric identifier of the VPN.

Range for Cisco IOS XE SD-WAN devices: 0 through 65527

Values for Cisco vSmart Controller and Cisco vManage devices: 0, 512
Name Enter a name for the VPN.
Note
For Cisco IOS XE SD-WAN devices, you cannot enter a device-specific name for
the VPN.

Note To complete the configuration of the transport VPN on a router, you must configure at least one
interface in VPN 0.

To save the feature template, click Save.

Configure Basic Interface Functionality

To configure basic interface functionality in a VPN, choose the Basic Configuration tab and configure the
following parameters:

Note
Parameters marked with an asterisk are required to configure an interface.

Parameter IPv4 or Options Description

Name IPv6
Shutdown* Click No to enable the interface.
Interface
name* Enter a name for the interface.

For Cisco IOS XE SD-WAN devices, you must:

• Spell out the interface names completely (for example,

GigabitEthernet0/0/0).

• Configure all the router's interfaces, even if you are not using them, so
that they are configured in the shutdown state and so that all default
values for them are configured.
Description Enter a description for the interface.
IPv4 / IPv6 Click IPv4 to configure an IPv4 VPN interface. Click IPv6 to configure an IPv6
interface.
Dynamic Click Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP)
client, so that the interface receives its IP address from a DHCP server.
Both DHCP Optionally, enter an administrative distance value for routes
Distance learned from a DHCP server. Default is 1.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

IPv6 DHCP
Rapid Optionally, configure the DHCP IPv6 local server to
Commit support DHCP Rapid Commit, to enable faster client
configuration and confirmation in busy environments.

Click On to enable DHCP rapid commit

Click Off to continue using the regular commit process.
Static Click Static to enter an IP address that doesn't change.
IPv4 IPv4 Enter a static IPv4 address.
Address
IPv6 IPv6 Enter a static IPv6 address.
Address
Secondary IPv4 Click Add to enter up to four secondary IPv4 addresses for a service-side
IP Address interface.
IPv6 IPv6 Click Add to enter up to two secondary IPv6 addresses for a service-side
Address interface.
DHCP Both To designate the interface as a DHCP helper on a router, enter up to eight
Helper IP addresses, separated by commas, for DHCP servers in the network. A
DHCP helper interface forwards BootP (broadcast) DHCP requests that it
receives from the specified DHCP servers.
Block Non- Yes / No Click Yes to have the interface forward traffic only if the source IP address
Source IP of the traffic matches the interface's IP prefix range. Click No to allow other
traffic.
To save the feature template, click Save.

Create a Tunnel Interface

On Cisco IOS XE SD-WAN devices, you can configure up to four tunnel interfaces. This means that each Cisco
IOS XE SD-WAN device router can have up to four TLOCs. On Cisco vSmart Controllers and Cisco vManage, you
can configure one tunnel interface.

For the control plane to establish itself so that the overlay network can function, you must configure WAN
transport interfaces in VPN 0. The WAN interface will enable the flow of tunnel traffic to the overlay. You can
add other parameters shown in the table below only after you configure the WAN interface as a tunnel interface.

To configure a tunnel interface, select the Interface Tunnel tab and configure the following parameters:
Parameter Name Description
To configure additional tunnel interface parameters, click Advanced Options:
Parameter Description
Name
Carrier
Select the carrier name or private network identifier to associate with the tunnel.

Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default

Default: default
NAT Refresh Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport
Interval connection.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

Parameter Description
Name

Range: 1 through 60 seconds

Default: 5 seconds
Hello Interval
Enter the interval between Hello packets sent on a DTLS or TLS WAN transport
connection.

Range: 100 through 10000 milliseconds

Default: 1000 milliseconds (1 second)
Hello Tolerance
Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection
before declaring that transport tunnel to be down.

Range: 12 through 60 seconds

Default: 12 seconds
Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, click the DNS tab and configure the following
parameters:
Parameter Options Description
Name
Primary DNS Select either IPv4 or IPv6, and enter the IP address of the primary DNS server in this VPN.
Address
New DNS Click New DNS Address and enter the IP address of a secondary DNS server in this VPN. This
Address field appears only if you have specified a primary DNS address.
Mark as Check Mark as Optional Row to mark this configuration as device-specific. To
Optional include this configuration for a device, enter the requested variable values when
Row you attach a device template to a device, or create a template variables
spreadsheet to apply the variables.
Hostname Enter the hostname of the DNS server. The name can be up to 128 characters.
List of IP Enter up to eight IP addresses to associate with the hostname. Separate the entries
Addresses with commas.
To save the DNS server configuration, click Add.
To save the feature template, click Save.
Mapping Host Names to IP Addresses

! IP DNS-based host name-to-address translation is enabled

ip domain lookup

! Specifies hosts 192.168.1.111 and 192.168.1.2 as name servers

ip name-server 192.168.1.111 192.168.1.2

! Defines cisco.com as the default domain name the device uses to complete

! Set the name for unqualified host names

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

ip domain name cisco.com

Configure Segmentation Using CLI

Configure VRFs Using CLI

To segment user networks and user data traffic locally at each site and to interconnect user sites across the
overlay network, you create VRFs on Cisco IOS XE SD-WAN devices. To enable the flow of data traffic, you
associate interfaces with each VRF, assigning an IP address to each interface. These interfaces connect to local-
site networks, not to WAN transport clouds. For each of these VRFs, you can set other interface-specific
properties, and you can configure features specific for the user segment, such as BGP and OSPF routing, VRRP,
QoS, traffic shaping, and policing.
On Cisco IOS XE SD-WAN devices, a global VRF is used for transport. All Cisco IOS XE SD-WAN devices have
Mgmt-intf as the default management VRF.
To configure VRFs on Cisco IOS XE SD-WAN devices, follow these steps.

Note • Use the config-transaction command to open CLI configuration mode. The config terminal
command is not supported on Cisco IOS XE SD-WAN devices.

• The VRF ID can be any number between 1 through 511 and 513 through 65535. The numbers
0 and 512 are reserved for Cisco vManage and Cisco vSmart controller.

1. Configure service VRFs.

2.

3.

4. config-transaction
5. vrf definition 10
6. rd 1:10
7. address-family ipv4
8. exit-address-family
9. exit
10. address-family ipv6
11. exit-address-family
12. exit
13. exit
14.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

15. Configure the tunnel interface to be used for overlay connectivity. Each tunnel interface binds to a
single WAN interface. For example, if the router interface is Gig0/0/2, the tunnel interface number
is 2.

16.

17.

18. config-transaction
19. interface Tunnel 2
20. no shutdown
21. ip unnumbered GigabitEthernet1
22. tunnel source GigabitEthernet1
23. tunnel mode sdwan
24. exit
25.

26. If the router is not connected to a DHCP server, configure the IP address of the WAN interface.

27.

28.

29. interface GigabitEthernet 1

30. no shutdown
31. ip address dhcp
32.

33. Configure tunnel parameters.

34.

35.

36. config-transaction
37. sdwan
38. interface GigabitEthernet 2
39. tunnel-interface
40. encapsulation ipsec
41. color lte
42. end
43.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

Note If an IP address is manually configured on the router, configure a default route as shown
below. The IP address below indicates a next-hop IP address.

config-transaction
ip route 0.0.0.0 0.0.0.0 192.0.2.25

44. Enable OMP to advertise VRF segment vroutes.

45.

46.

47. sdwan
48. omp
49. no shutdown
50. graceful-restart
51. no as-dot-notation
52. timers
53. holdtime 15
54. graceful-restart-timer 120
55. exit
56. address-family ipv4
57. advertise ospf external
58. advertise connected
59. advertise static
60. exit
61. address-family ipv6
62. advertise ospf external
63. advertise connected
64. advertise static
65. exit
66. address-family ipv4 vrf 1
67. advertise bgp
68. exit
69. exit
70.

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

71. Configure the service VRF interface.

72.

73.

74. config-transaction
75. interface GigabitEthernet 2
76. no shutdown
77. vrf forwarding 10
78. ip address 192.0.2.2 255.255.255.0
79. exit
80.
Verify Configuration

Run the show ip vrf brief command to view information about the VRF interface.

Device# sh ip vrf brief

Name Default RD Interfaces
10 1:10 Gi4
11 1:11 Gi3
30 1:30
65528 <not set> Lo65528
Segmentation ( VRFs) Configuration Examples
Some straightforward examples of creating and configuring VRFs to help you understand the configuration
procedure for segmenting networks.
Configuration on the vSmart Controller

On the vSmart controller, you configure general system parameters and the two VPNs—VPN 0 for WAN
transport and VPN 512 for network management—as you did for the Cisco IOS XE SD-WAN device. Also, you
generally create a centralized control policy that controls how the VPN traffic is propagated through the rest of
the network. In this particular example, we create a central policy, shown below, to drop unwanted prefixes
from propagating through the rest of the network. You can use a single vSmart policy to enforce policies
throughout the network.

Here are the steps for creating the control policy on the vSmart controller:

1. Create a list of sites IDs for the sites where you want to drop unwanted prefixes:

2. vSmart(config)# policy lists site-list 20-30 site-id 20

3. vSmart(config-site-list-20-30)# site-id 30

4. Create a prefix list for the prefixes that you do not want to propagate:

5. vSmart(config)# policy lists prefix-list drop-list ip-prefix 10.200.1.0/24

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

6. Create the control policy:

7. vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 match route

prefix-list drop-list
8. vSmart(config-match)# top
9. vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 action reject

10. vSmart(config-action)# top

11. vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 default-action

accept

12. vSmart(config-default-action)# top

13. Apply the policy to prefixes inbound to the vSmart controller:

14. vSmart(config)# apply-policy site-list 20-30 control-policy drop-unwanted-

routes in

Here is the full policy configuration on the vSmart controller:

apply-policy

site-list 20-30

control-policy drop-unwanted-routes in

policy

lists

site-list 20-30

site-id 20

site-id 30

prefix-list drop-list

ip-prefix 10.200.1.0/24

control-policy drop-unwanted-routes

sequence 10

match route
Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/
Reference: Cisco SD-WAN Segmentation Configuration Guide
 Cisco SD-WAN Segmentation

prefix-list drop-list

action reject

default-action accept

!
Segmentation CLI Reference

CLI commands for monitoring segmentation (VRFs).

• show dhcp

• show ipv6 dhcp

• show ip vrf brief

• show igmp commands

• show ip igmp groups

• show pim commands

Reference: Cisco SD-WAN Segmentation Configuration Guide

Ehsan Momeni Bashusqeh https://www.linkedin.com/in/ehsanmomenibashusqeh/

Reference: Cisco SD-WAN Segmentation Configuration Guide