Configuration - Overlays and Security Flashcards
Business Intent Overlays (BIOs)
Use the Business Intent Overlays (BIOs) tab to create separate, logical networks that are individually customized to your applications and requirements within your network.
Overlay summary table
Is used for easy comparison of values between your various configured overlays.
ACL
- Orchestrator matches traffic to an ACL, progressing down the ordered priority list of overlays until it identifies the first one that matches.
- The matched traffic is then analyzed against the overlay's Internet Traffic configuration and forwarded within the fabric, or broken out to the internet based on the preferred policy order.
WAN Links & Bonding Policy
If the software determines that the traffic is not destined for the internet, it refers to the WAN Links & Bonding Policy configuration and forwards traffic accordingly within the overlay.
Overlay Configuration
- Select the name of the overlay. The Overlay Configuration window opens. If you want to edit the default overlay or create a new overlay, enter the new name of the overlay in the Name field.
- Select the Match field and choose the match criteria from the menu.
- Click the Edit icon next to the ACL field. To apply default ACLs or create your own, select Add Rule in the Associate ACL window.
- Click Save.
Regional Routing
- When enabled, regional routing lets you manage your SD-WAN fabric by regions. It involves intra-region and inter-region route distribution across the SD-WAN fabric.
- You can provide a different Business Intent Overlay for each region by enabling regional routing and customizing BIOs per region.
Regional Multi-Hub BIO Topology
Optimized Regional BIO Topology
Routing Segmentation
Configuration > Networking > Routing > Routing Segmentation (VRF)
- Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments.
- Routing segmentation allows for the configuration of VRF (Virtual Routing and Forwarding)-style Layer 3 segmentation in your SD-WAN deployments.
Note the following before configuring routing segmentation in Orchestrator:
- You must upgrade all EdgeConnect appliances and Orchestrator to version 9.0.
- All EdgeConnects must be configured to Inline Router mode.
- If a new appliance has been added to your network, or if an existing appliance has been replaced, you need to upgrade the appliance software to the appropriate version running in the network.
- After upgrading, segmentation is disabled by default. You will have to enable it on this tab.
- Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to 9.0.
- The system-generated Default segment cannot be deleted.
- After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.
Segment Configuration
- Overlays & Breakout Policies
- Firewall Zone Policies
- Inter-Segment Routing & D-NAT
- Inter-Segment SNAT
- Loopback
Firewall Zone Policies
Configuration > Security > Firewall Zone Security Policies
Use this tab to enable and associate firewall zones to your segments.
With segmentation enabled, firewall zone security policies are orchestrated and there is no need for Firewall Security Templates.
Complete the following steps to set a rule or policy for your firewall zones within your segment:
1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone window opens.
NOTE: If you are already in Table View, click Add Rule.
2. Enter the Source Segment in the Source Segment field. This is the segment from which the traffic originates.
3. Enter the Destination Segment in the Destination Segment field. This is the segment to which the traffic is going.
4. Select Add Rule.
5. Complete the content in the table.
Firewall zones
Are unique to each segment. For example, the default zone in Segment X will not be the same default zone in Segment Y.
Inter-Segment Routing & DNAT
Use this tab to configure inter-segment routing and DNAT rules when traffic is crossing between segments.
Click +Add and the Inter-Segment Routing & DNAT window opens.