Configuration - Overlays and Security Flashcards
Business Intent Overlays (BIOs)
Use the Business Intent Overlays (BIOs) tab to create separate, logical networks that are individually customized to your applications and requirements within your network.
Overlay Summary Table
Used for easy comparison of values between your various configured overlays.
ACL
- Orchestrator matches traffic to an ACL, progressing down the ordered priority list of overlays until it identifies the first overlay whose ACL matches.
- The matched traffic is then evaluated against that overlay's Internet Traffic configuration and either forwarded within the fabric or broken out to the internet according to the preferred policy order.
WAN Links & Bonding Policy
If the software determines that the traffic is not destined for the internet, it refers to the WAN Links & Bonding Policy configuration and forwards traffic accordingly within the overlay.
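The overlay selection described above (priority-ordered first match, then Internet Traffic policy for internet-bound flows and WAN Links & Bonding policy for everything else), as an added Python model. This is example code, not Orchestrator's own logic; the overlay names, ACL fields, breakout and WAN link values, and the fabric prefix list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclRule:
    """One match entry in an overlay ACL. Empty dst_ports means any port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"            # "tcp", "udp" or "any"
    dst_ports: frozenset = frozenset()

    def matches(self, flow):
        if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != flow["proto"]:
            return False
        return not self.dst_ports or flow["dst_port"] in self.dst_ports


@dataclass
class Overlay:
    name: str
    acl: list                 # AclRule entries; any match selects this overlay
    internet_breakout: list   # Internet Traffic policy: preferred breakout order
    wan_links: list           # WAN Links & Bonding policy for fabric traffic


# Constructed overlays, listed in Orchestrator priority order (first wins).
OVERLAYS = [
    Overlay("RealTime",
            [AclRule(proto="udp", dst_ports=frozenset({5060, 5061}))],
            internet_breakout=["local", "hub"], wan_links=["MPLS", "INET1"]),
    Overlay("CriticalApps",
            [AclRule(dst="10.0.0.0/8", proto="tcp", dst_ports=frozenset({443, 1433}))],
            internet_breakout=["hub"], wan_links=["MPLS"]),
    Overlay("Default", [AclRule()],   # catch-all so nothing falls through
            internet_breakout=["local"], wan_links=["INET1", "INET2"]),
]

# Assumed fabric-reachable address space; anything else is internet-bound.
FABRIC_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internet_bound(flow):
    dst = ipaddress.ip_address(flow["dst"])
    return not any(dst in p for p in FABRIC_PREFIXES)


def select_overlay(flow, overlays=OVERLAYS):
    """First overlay, in priority order, whose ACL matches the flow."""
    for ov in overlays:
        if any(rule.matches(flow) for rule in ov.acl):
            return ov
    return None


def forward(flow, overlays=OVERLAYS):
    """Return (decision, overlay name, policy applied) for a flow."""
    ov = select_overlay(flow, overlays)
    if ov is None:
        return ("drop", None, None)   # no overlay matched: nothing carries it
    if is_internet_bound(flow):
        return ("breakout", ov.name, ov.internet_breakout)
    return ("fabric", ov.name, ov.wan_links)


if __name__ == "__main__":
    sip = {"src": "10.1.1.5", "dst": "10.2.2.9", "proto": "udp", "dst_port": 5060}
    web = {"src": "10.1.1.5", "dst": "198.51.100.10", "proto": "tcp", "dst_port": 443}
    print(forward(sip))   # fabric via RealTime
    print(forward(web))   # breakout via Default: CriticalApps needs a 10/8 destination
```

The point to check in a real deployment is the same one the model makes visible: a broad rule placed high in the priority list (here the SIP rule with no destination restriction) claims traffic before more specific overlays get a chance, and a flow that matches no overlay at all has nowhere to go, so the lowest-priority overlay normally carries a catch-all rule.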
Overlay Configuration
- Select the name of the overlay. The Overlay Configuration window opens. If you want to edit the default overlay or create a new overlay, enter the new name of the overlay in the Name field.
- Select the Match field and choose the match criteria from the menu.
- Click the Edit icon next to the ACL field. To apply default ACLs or create your own, select Add Rule in the Associate ACL window.
- Click Save.
Regional Routing
- When enabled, regional routing lets you manage your SD-WAN fabric by region, with intra-region and inter-region route distribution across the fabric.
- You can provide a different Business Intent Overlay for each region by enabling regional routing and customizing BIOs per region.
Regional Multi-Hub BIO Topology
Optimized Regional BIO Topology
Routing Segmentation
Configuration > Networking > Routing > Routing Segmentation (VRF)
- Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments.
- Routing segmentation allows for the configuration of VRF (Virtual Routing and Forwarding)-style Layer 3 segmentation in your SD-WAN deployments.
Note the following before configuring routing segmentation in Orchestrator:
- You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.
- All EdgeConnects must be configured in Inline Router mode.
- If a new appliance has been added to your network, or an existing appliance has been replaced, you need to upgrade the appliance software to the version running in the network.
- After upgrading, segmentation is disabled by default. You have to enable it on this tab.
- Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to 9.0.
- The system-generated Default segment cannot be deleted.
- After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.
Segment Configuration
- Overlays & Breakout Policies
- Firewall Zone Policies
- Inter-Segment Routing & D-NAT
- Inter-Segment SNAT
- Loopback
Firewall Zone Policies
Configuration > Security > Firewall Zone Security Policies
Use this tab to enable and associate firewall zones with your segments.
With segmentation enabled, firewall zone security policies are orchestrated and there is no need for Firewall Security Templates.
Complete the following steps to set a rule or policy for your firewall zones within a segment:
1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone window opens.
NOTE: If you are already in Table View, click Add Rule.
2. Enter the source segment in the Source Segment field. This is the segment the traffic originates in.
3. Enter the destination segment in the Destination Segment field. This is the segment the traffic is going to.
4. Select Add Rule.
5. Complete the content in the table.
Firewall zones
Firewall zones are unique to each segment. For example, the Default zone in Segment X is not the same zone as the Default zone in Segment Y.
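The zone matrix described in the steps above, with zones scoped to their segment, as an added Python model. This is example code, not Orchestrator's own implementation; the segment and zone names, the rule set, and the implicit deny when no rule matches are constructed assumptions. The second function is the check a practitioner wants before pushing a policy: a rule that names a zone which does not exist in the segment it references, which is the mistake the "same name, different segment" property invites.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    segment: str   # a zone exists only inside its segment
    name: str


@dataclass
class ZoneRule:
    src: Zone
    dst: Zone
    action: str                         # "allow" or "deny"
    dst_ports: frozenset = frozenset()  # empty = any port


# Constructed zone inventory per segment. Both segments have a zone called
# "Default", but Zone("Corp", "Default") and Zone("Guest", "Default") are distinct.
ZONES = {
    "Corp": {"Default", "Users", "Servers"},
    "Guest": {"Default", "Wifi"},
}

# Constructed policy matrix, evaluated top-down, first match wins.
RULES = [
    ZoneRule(Zone("Corp", "Users"), Zone("Corp", "Servers"), "allow", frozenset({443})),
    ZoneRule(Zone("Corp", "Default"), Zone("Corp", "Default"), "allow"),
    ZoneRule(Zone("Guest", "Wifi"), Zone("Corp", "Servers"), "deny"),
]

DEFAULT_ACTION = "deny"   # assumed implicit action when no rule matches


def evaluate(src, dst, dst_port, rules=RULES):
    """Return (action, index of the matching rule or None)."""
    for i, r in enumerate(rules):
        if r.src == src and r.dst == dst and (not r.dst_ports or dst_port in r.dst_ports):
            return r.action, i
    return DEFAULT_ACTION, None


def undefined_zone_refs(rules=RULES, zones=ZONES):
    """Rules that point at a zone not defined in the segment they name."""
    bad = []
    for i, r in enumerate(rules):
        for z in (r.src, r.dst):
            if z.name not in zones.get(z.segment, set()):
                bad.append((i, z))
    return bad


if __name__ == "__main__":
    # The Corp Default->Default allow does not carry over to Guest's Default zone.
    print(evaluate(Zone("Corp", "Default"), Zone("Corp", "Default"), 80))    # ('allow', 1)
    print(evaluate(Zone("Guest", "Default"), Zone("Guest", "Default"), 80))  # ('deny', None)
    print(undefined_zone_refs())                                            # []
```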
Inter-Segment Routing & DNAT
Use this tab to configure inter-segment routing and DNAT rules when traffic is crossing between segments.
Click +Add and the Inter-Segment Routing & DNAT window opens.
Inter-Segment Routing & SNAT
Use this window to enable source network address translation (S-NAT) for your segments.
Delete a Segment
Segmentation involves significant changes across your network.
Deleting segments can be service affecting. Read this section carefully before deleting any of your segments.
Deleting a segment removes all the segmentation configuration from all the appliances within your network.
When you delete a segment, Orchestrator automatically deletes:
- The segment's association with the overlay and break-out policies
- The intra-segment and inter-segment firewall zone policies
- The inter-segment routing & D-NAT rules
- The inter-segment S-NAT rule
- The loopback interfaces associated with the segment
- The VTI interfaces associated with the segment
- All the interfaces and VLAN interfaces
Manual Tasks to Complete Before Deleting a Segment
The following configuration is only disassociated from the segment; you must delete it manually:
- Any manually created tunnels
- BGP peers in the segment
- Internal subnet table rules
- Overlay ACL rules associated with the deleted segment
Disable a Segment
To disable routing segmentation across your network, you need to delete all configured segments in the network, except the default segment (which cannot be deleted). After all the segments are deleted, navigate to this tab and move the toggle at the top of the page to disable.
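A pre-change check for the two procedures above (delete a segment, then disable segmentation), as an added Python example rather than any Orchestrator tool. It models a configuration export in which every object carries its segment, reports what the page says Orchestrator removes automatically versus what is only disassociated and must be cleaned up by hand, refuses the Default segment, and confirms that segmentation can only be switched off once Default is the sole segment left. The configuration layout, key names and values are constructed assumptions, and only a subset of the auto-deleted categories is modelled.

```python
# Constructed Orchestrator-style configuration export: every object carries the
# segment it belongs to. Keys and values are assumptions for this example.
CONFIG = {
    "segments": ["Default", "Corp", "Guest"],
    "overlay_bindings": [{"segment": "Guest", "overlay": "Default"}],
    "zone_policies": [{"segment": "Guest", "from": "Wifi", "to": "Default"}],
    "loopbacks": [{"segment": "Guest", "name": "lo1"}],
    "manual_tunnels": [{"segment": "Guest", "name": "tun-guest-dc"}],
    "bgp_peers": [{"segment": "Guest", "peer": "203.0.113.1"},
                  {"segment": "Corp", "peer": "203.0.113.2"}],
    "internal_subnets": [{"segment": "Guest", "prefix": "172.16.0.0/16"}],
    "overlay_acl_rules": [{"segment": "Guest", "rule": "permit 172.16.0.0/16 any"}],
}

# From the page: categories Orchestrator removes on delete (subset modelled here)
# versus categories it only disassociates, which the operator must delete by hand.
AUTO_DELETED = ("overlay_bindings", "zone_policies", "loopbacks")
MANUAL_CLEANUP = ("manual_tunnels", "bgp_peers", "internal_subnets", "overlay_acl_rules")


def check_delete_segment(config, segment):
    """Return what will be auto-removed and what is left for manual cleanup."""
    if segment == "Default":
        raise ValueError("the system-generated Default segment cannot be deleted")
    if segment not in config["segments"]:
        raise ValueError(f"unknown segment {segment!r}")
    auto = {k: [o for o in config[k] if o["segment"] == segment] for k in AUTO_DELETED}
    manual = {k: [o for o in config[k] if o["segment"] == segment] for k in MANUAL_CLEANUP}
    return {"auto_deleted": {k: v for k, v in auto.items() if v},
            "manual_cleanup": {k: v for k, v in manual.items() if v}}


def can_disable_segmentation(config):
    """Segmentation can only be switched off once Default is the only segment."""
    return set(config["segments"]) == {"Default"}


if __name__ == "__main__":
    report = check_delete_segment(CONFIG, "Guest")
    for category, items in report["manual_cleanup"].items():
        print(f"clean up by hand before deleting Guest: {category}: {items}")
    print("segmentation can be disabled now:", can_disable_segmentation(CONFIG))
```

The manual-cleanup list is the security-relevant part: a BGP peer or an overlay ACL rule that outlives its segment is configuration nobody is looking at any more, so run the check and remove those objects before the delete, not after.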
Management Services
Configuration > Networking > Routing > Management Services
- When enabled, management services operate in the associated segment on the selected interface.
- When disabled, all the interfaces are available for configuration.
Inter-Segment Routing and D-NAT Exceptions
Configuration > Networking > Routing > Inter-Segment Routing & D-NAT Exceptions
Use this tab to configure inter-segment routing and Destination NAT (D-NAT) rules for traffic crossing between segments.
Click the edit icon to open the Inter-Segment Routing & D-NAT dialog box.
Inter-Segment S-NAT Exceptions
Configuration > Networking > Routing > Inter-Segment S-NAT Exceptions
Use this tab to enable source network address translation (S-NAT) for your segments.
Select an appliance or group of appliances in the Orchestrator appliance tree to apply your S-NAT exceptions.