The purpose of this article is to provide an overview of segmentation for the VMware SD-WAN by VeloCloud service.
Network segmentation was introduced in VMware SD-WAN by VeloCloud Release 3.0.0. This feature serves several high-level objectives:

Simplifying Enterprise Configurations
Supporting Overlapping IP Addresses Between VLANs
Allowing Segment-aware Partner Gateway Handoff

Simplifying Enterprise Configurations

For enterprise customers, VLAN isolation (e.g. for PCI VLANs) can only be achieved today through inter-VLAN firewall rules. This has several drawbacks: it is complex to create and manage this set of firewall policies; it requires using a unique subnet for each VLAN on each edge; it relies on a single global routing table, which increases the size of the routing table; and it limits the functionality of the guest VRF to direct Internet traffic only.

Segmentation addresses all these concerns. Consider the below example: inter-VLAN firewall rules are not required because isolation is inherent; each segment can use the same subnet at each branch; routing tables are simplified because they are per-segment; and the guest VLAN can be extended to support accessing a subset of the corporate VPN (e.g. for Internet backhaul).

Supporting Overlapping IP Addresses Between VLANs

As noted above, customers sometimes want to use the same IP address range on different VLANs at the branch. There are several use cases that require this, but the two most common are: enterprises simplifying configuration by always being able to quickly identify which site a subnet belongs to (since it is the same on each segment); and service providers who offer "double play" or "triple play" services and assign the same subnet to each service, with each service corresponding to a different handoff on the VMware SD-WAN Partner Gateway. This use case is illustrated below with the addition of the subnet that corresponds to each segment on the VMware SD-WAN Branch Edge:

Allowing Segment-aware VMware SD-WAN Partner Gateway Handoff

Today, the VRF on a Gateway is per-customer.
This complicates Service Provider deployments where different types of customer branch offices are contained within the same customer and each have access to different services within the Service Provider Core. In the example below, Customer A has Retail sites, Data Center sites, and Manufacturing sites. These sites each have a unique set of services which they are allowed to access, and each of these services represents a different BGP peering relationship with the PE. Segmentation allows us to route only to the services required by an individual branch while ensuring that they never have access to services they are not allowed to access.
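The following toy model, added here as an illustration and not VeloCloud code, contrasts the single global routing table described above with per-segment tables: the same branch subnet is installed in every segment, each segment reaches a different handoff, and a destination with no route in a segment is simply unreachable, which is the inherent isolation the article contrasts with inter-VLAN firewall rules. All prefixes, segment names and next-hop labels are constructed.

```python
import ipaddress
from collections import defaultdict


class GlobalTable:
    """Single routing table shared by every VLAN (the pre-segmentation model)."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        if net in self.routes and self.routes[net] != next_hop:
            # Two VLANs using the same subnet collide in one global table.
            raise ValueError(f"{net} already routed via {self.routes[net]}")
        self.routes[net] = next_hop


class SegmentedTables:
    """One routing table per segment; a lookup never leaves its segment."""
    def __init__(self):
        self.tables = defaultdict(dict)

    def add(self, segment, prefix, next_hop):
        self.tables[segment][ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, segment, dst):
        """Longest-prefix match within one segment; None means unreachable."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.tables[segment] if addr in n]
        if not hits:
            return None
        return self.tables[segment][max(hits, key=lambda n: n.prefixlen)]


def global_table_conflicts(prefix, hops):
    """True when one prefix cannot be installed for several VLANs at once."""
    table = GlobalTable()
    try:
        for hop in hops:
            table.add(prefix, hop)
    except ValueError:
        return True
    return False


def build_branch():
    """Constructed branch: same 10.1.0.0/24 LAN in every segment, one handoff each."""
    seg = SegmentedTables()
    for name in ("corporate", "pci", "guest"):
        seg.add(name, "10.1.0.0/24", f"lan-{name}")
    seg.add("corporate", "172.16.0.0/16", "handoff-corporate-core")
    seg.add("pci", "172.16.50.0/24", "handoff-pci-core")
    seg.add("guest", "0.0.0.0/0", "direct-internet")  # guest gets Internet only
    return seg
```

Note that the PCI segment has no default route, so a lookup for an Internet address from it returns None without any firewall policy being involved, while the guest segment resolves the same destination to its direct Internet exit.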