Introduction
In the past few years the Branch has become more crucial and independent, driven by a shift in application usage from datacenter-hosted applications to applications hosted in a hybrid environment that includes hybrid cloud, Internet-hosted productivity apps, and datacenter-hosted applications.
Internet-bound productivity traffic is increasing year over year, with an estimated growth of 20 to 50 percent per year. Hence, it is no longer beneficial to keep a central breakout for the Internet; instead, offload the Internet-bound traffic at the Branch itself. This new use case also raises the need to tighten security at the Branch, because the access sites become additional targets.
Versa SD-WAN's Direct Internet Access (DIA) provides a solution for this use case. This white paper gives you the confidence to move to DIA, secure your Branch, and prepare your organization for future growth and innovation.
Direct Internet Access
DIA is a component of the Versa solution in which certain Internet-bound traffic or public cloud traffic from the Branch can be routed directly to the Internet. DIA helps reduce IT spending and ensures better application experiences.
In a traditional hub-and-spoke architecture all the traffic is routed to headquarters. The primary advantages of DIA are:
Reduced bandwidth requirements at headquarters
Fewer network hops, and
Reduced latency due to direct routing and better optimization.
The increased reliability of the Internet for WAN transport makes DIA desirable in Branch deployments.
Sending traffic directly from the Branch to the Internet creates additional security challenges because the traffic bypasses the security tools deployed at headquarters. Therefore, you need to deploy security features at the Branch. Security needs at the Branch resemble those at headquarters, and enterprise-class protection is required to defend against enterprise-class threats. A full threat defense stack that includes a firewall, content security, intrusion detection and prevention, advanced malware protection, and application visibility and control provides the best protection against increasingly sophisticated cyber attacks.
Split Tunnel
Split tunneling allows a Branch to access dissimilar security domains, such as a public network (e.g., the Internet) and a local LAN or WAN, at the same time, using the same or different network connections. Versa leverages the split tunnel mechanism, which lets the Branch use the same Internet link, or multiple Internet links, for both Internet and VPN traffic.
DIA Use Cases and Optimization Features
These are the DIA use cases and optimization features:
Branch‐to‐Cloud
Branch‐to‐Data Center
Application-Based QOS
Application-Based SLA and Dynamic Policies
Branch‐to‐Cloud
Traffic may be routed directly via Versa FlexVNF within the branch to cloud applications such as Gmail, Salesforce.com, Office 365. This traffic may have unique routing policies local to the branch or redundancy and resiliency requirements via MPLS and broadband access links. Such traffic may also have unique security policy and encryption requirements. Virtual Private Cloud applications may require tight integration with branch office or core sites. In such cases, FlexVNF is an ideal traffic management element to handle per flow and endpoint security requirements.
Branch‐to‐Data Center
Traffic may be routed via Versa FlexVNF in a branch connecting to corporate data center applications such as Exchange server and internal web services. These applications are likely to have the strictest security and availability requirements due to their mission-critical nature. FlexVNF enables tight routing policies based on source, destination, application type, latency and jitter requirements. Optimal paths such as higher cost MPLS links may be preferred when available, but alternate encrypted links such as broadband and LTE may serve as redundant alternatives to ensure business continuity.
Application-Based QOS
An administrator can configure AppQOS policies to ensure preferential treatment of performance-sensitive, well-known or user-defined applications. Versa FlexVNF automatically detects about 2400 well-known applications based on application signatures or heuristics. Applications can be grouped, tagged, and filtered on various parameters. Custom groups are also supported.
Application-Based SLA and Dynamic Policies
When multiple WAN links are available at a branch site, FlexVNF uses the optimal path that meets the SLA or performance requirements of the application. SLAs and performance requirements are based on network attributes including latency, packet loss ratio, bandwidth, etc. In the event that none of the WAN links meets the SLA or performance requirements of an application, FlexVNF intelligently discards traffic from non-business-critical applications while selectively forwarding traffic associated with the most important applications under strict SLAs. These policies can be provisioned in advance and are enforced dynamically. For example, a network administrator may configure a policy to rate-limit YouTube traffic and drop Skype when business-critical video traffic jitter rises above 1%.
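The path-selection logic described above, written out as an added example (this is not Versa's code or algorithm; the link measurements, SLA bounds, `cost` attribute and the tie-breaking order are this example's own assumptions). It shows the two regimes: while at least one link satisfies the application's SLA, the cheapest compliant link is used; when none does, business-critical applications are still forwarded on the best-effort link and non-critical ones are dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WanLink:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: int          # relative link cost (assumed); lower is preferred among compliant links


@dataclass(frozen=True)
class AppSla:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    business_critical: bool


def meets_sla(link: WanLink, sla: AppSla) -> bool:
    """True when the link's measured attributes satisfy every SLA bound."""
    return (link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)


def select_path(links: List[WanLink], sla: AppSla) -> Optional[str]:
    """Return the link to forward this application on, or None to drop it.

    Among links meeting the SLA the lowest-cost link wins (ties broken by latency).
    When no link meets the SLA, a business-critical application is still forwarded on
    the least-lossy, then lowest-latency, link; a non-critical application is dropped.
    """
    compliant = [link for link in links if meets_sla(link, sla)]
    if compliant:
        return min(compliant, key=lambda l: (l.cost, l.latency_ms)).name
    if sla.business_critical and links:
        return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name
    return None


def steer(links: List[WanLink], slas: List[AppSla]) -> Dict[str, Optional[str]]:
    """Path decision for every application in one pass over the current link metrics."""
    return {sla.app: select_path(links, sla) for sla in slas}


# Constructed sample link measurements (not taken from any real deployment).
NORMAL_LINKS = [
    WanLink("MPLS", latency_ms=30, loss_pct=0.1, jitter_ms=2, cost=10),
    WanLink("Broadband", latency_ms=60, loss_pct=1.5, jitter_ms=15, cost=1),
    WanLink("LTE", latency_ms=90, loss_pct=3.0, jitter_ms=25, cost=5),
]
# The same site after MPLS fails and the Internet links degrade.
DEGRADED_LINKS = [
    WanLink("Broadband", latency_ms=110, loss_pct=6.0, jitter_ms=40, cost=1),
    WanLink("LTE", latency_ms=95, loss_pct=3.0, jitter_ms=30, cost=5),
]
# Constructed per-application SLAs.
SLAS = [
    AppSla("voip", max_latency_ms=50, max_loss_pct=0.5, max_jitter_ms=5, business_critical=True),
    AppSla("office365", max_latency_ms=200, max_loss_pct=2.0, max_jitter_ms=30, business_critical=True),
    AppSla("youtube", max_latency_ms=100, max_loss_pct=2.0, max_jitter_ms=50, business_critical=False),
]

if __name__ == "__main__":
    print("normal:  ", steer(NORMAL_LINKS, SLAS))
    print("degraded:", steer(DEGRADED_LINKS, SLAS))
```

In the normal set VoIP lands on MPLS (the only link within its jitter bound) while Office 365 and YouTube take the cheaper broadband link; in the degraded set VoIP and Office 365 fall back to LTE even though it misses their SLA, and YouTube is dropped.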
Full DIA Configurations
Refer to these full DIA configurations:
Configuring Split Tunnel
Configuring CGNAT
Configuring Redistribution Policies
Configuring Split Tunnel
To achieve a split tunnel configuration we create two Tunnel Virtual Interfaces (a paired TVI). This is locally significant and is required for route redistribution between the customer LAN-VR and the Internet-Transport-VR.
Follow these steps to configure a paired tunnel interface:
Select Appliance Context > Configuration > Networking > Interfaces and select the Tunnel tab in the dashboard.
Click to add a tunnel interface. This opens the Add Tunnel Interface window.
This window has these two tabs:
a. Tunnel
b. Pseudo Tunnel
Select the Tunnel tab and enter these details:
Use this field… | to … |
--- | --- |
Interface | Enter the slot and port number of the tunnel interface. NOTE: A tunnel interface always has a tvi prefix. |
Disable | Disable (deactivate) this interface after its configuration. |
Description | Enter a brief description of the tunnel interface and its purpose. |
MTU | Maximum transmission unit: the size in bytes of the largest protocol data unit that the port can receive or transmit. |
Mode | Select the mode of configuring the tunnel interface. |
Tunnel Type | Select the Paired type of tunnel for this interface. This enables the Paired Interface field, allowing you to enter the paired port number. |
Paired Interface | The tvi address used as the paired address. Traffic directed to a paired interface is switched to the parent interface and vice versa. |
Sub-Interface | Select the existing sub-interface and enter its parameters. |
Click OK to save the configuration and create a tunnel interface.
Yang Configuration:
    interfaces {
        tvi-0/602 {
            description "WAN side Split Tunnel interface between Internet1 and Tenant-LAN-VR";
            enable true;
            type paired;
            paired-interface tvi-0/603;
            unit 0 {
                enable true;
                family {
                    inet {
                        address 169.254.0.2/31;
                    }
                }
            }
        }
        tvi-0/603 {
            description "LAN side Split Tunnel Interface between Internet1 and Tenant-LAN-VR";
            enable true;
            type paired;
            paired-interface tvi-0/602;
            unit 0 {
                enable true;
                family {
                    inet {
                        address 169.254.0.3/31;
                    }
                }
            }
        }
    }
These TVI interfaces are also added to the interface list that the tenant uses for traffic identification.
Configuring CGNAT
Versa FlexVNF supports full carrier-grade NAT (CGNAT) features. Carrier-grade NAT is a scalable NAT technique that enables bulk translation of traffic between addressing domains and translating diverse addressing space into consolidated flows separated based on IP ports. Scalable NAT within branch sites enables traffic to originate with addressing local to that branch site, ensuring reverse path traffic traverses the same links. Without local NAT within FlexVNF sites, selective routing via Internet links would still be subject to reverse path routing via primary corporate Internet routes.
Versa FlexVNF nodes within branch sites may be configured to breakout Internet-bound traffic locally. Internet-bound traffic may be routed via shared WAN and/or separate dedicated links for Internet traffic. If there is no local Internet breakout link available, traffic may be routed toward any other branch where Internet breakout is enabled. Site-specific routing is enabled through traffic steering policies. For those enterprises that prefer to have Internet connectivity routed centrally FlexVNF provides elastic and scalable CGNAT within core sites.
Follow these steps to configure CGNAT:
Select Appliance Context > Configuration > Services > CGNAT and select an Organization entity. The dashboard displays these two tabs:
Pools
Rules
Select the Pools tab and click to add a new CGNAT pool. This opens the Add CGNAT Pool window.
Enter these details in the Add CGNAT Pool window:
Use this field… | to … |
--- | --- |
General tab | |
Name | Specify the name of the CGNAT Pool. NOTE: You can create multiple CGNAT Pools. |
Description | Specify a brief description of the CGNAT Pool and its purpose. |
Tags | Specify a keyword or phrase that allows you to filter the CGNAT Pool profile. |
Timeout | Specify the protocol timeout. |
IP Address tab | |
IP Address/Range | Select this to specify the IP address or IP address range with which you want to NAT the ingress traffic. This enables the IP Address/Mask section and the IP Address Range section. |
Egress Network | Select this to specify the IP address and the egress network name with which you want to NAT the traffic. This enables the IP Address/Mask section and the Egress Network section. |
IP Address/Mask | Click to add the IP address that you want to pool. |
Egress Network | Click to select the egress network name from the drop-down field. NOTE: This field is enabled only when you select the Egress Network option. |
IP Address Range | Specify the IP address range, then click to add this range to the CGNAT pool. |
Address Allocation Scheme | Select the scheme that allocates one port from each address in a range. |
Routing Instance | Select the routing instance corresponding to the specified IP address/egress network with which you want to NAT the ingress traffic. |
Provider Org | Select a provider organization. After NAT, the traffic is directed to the configured routing instance and provider organization. |
Port tab | |
Destination Port | Select this and enter the destination port values. |
Source Port | Select this to enter the source port. |
Allocation Scheme | Select the scheme that allocates one port from each address in a range. These are the options: |
Allocate IP/Port Randomly | Select this to allocate the IP/Port randomly. |
Preserve Source Port Range | Select this to preserve the source port range. |
Preserve Source Port Parity | Select this to preserve the source port parity. |
Port Block Allocation | Select this to enable port block allocation. |
Block Timeout | Specify the timeout limit for the block. |
Block Size | Specify the block size. |
Max Block Per User | Specify the maximum number of blocks per user. |
Select the Rules tab and click to add a new CGNAT rule. This opens the Add CGNAT Rule window.
Enter these details in the Add CGNAT Rule window:
Use this field… | to … |
--- | --- |
General tab | |
Name | Specify the name of the CGNAT Rule. NOTE: You can create multiple CGNAT Rules. |
Description | Specify a brief description of the CGNAT Rule and its purpose. |
Tags | Specify a keyword or phrase that allows you to filter the CGNAT Rule profile. |
Precedence | Specify the priority of the rule. You can configure multiple rules and assign each a priority. The increasing order of priority is 1 > 2 > 3. Rules with a higher priority take precedence over the ones with a lower priority. |
Match tab | Configures the criteria to select traffic for translation. You can define the match criteria based on one or a combination of these: |
Source | |
Source Zones | Matches packets from these zones only. Click to add the source zones from the list. |
IP Address/Mask | Click to add the source IP address. |
Routing Instance | Select the routing instance of the incoming packet. |
IP Address Range | Click and specify the IP address range. Enter the lower and the higher end of the range. |
Destination | |
Destination Zones | Matches packets to these zones only. Click to add the destination zones from the list. |
IP Address/Mask | Click to add the IP address/port. |
Low Port | Specify the low port. |
High Port | Specify the high port. |
IP Address Range | Click and specify the IP address range. Enter the lower and the higher end of the range. |
Protocol | Specify the protocol used for the match criterion. |
Action tab | |
Destination Port | Select this and enter the destination port values. |
Source Port | Select this to enter the source port. |
Allocation Scheme | Select the scheme that allocates one port from each address in a range. These are the options: |
Allocate IP/Port Randomly | Select this to allocate the IP/Port randomly. |
Preserve Source Port Range | Select this to preserve the source port range. |
Preserve Source Port Parity | Select this to preserve the source port parity. |
Port Block Allocation | Select this to enable port block allocation. |
Block Timeout | Specify the timeout limit for the block. |
Block Size | Specify the block size. |
Max Block Per User | Specify the maximum number of blocks per user. |
Click OK.
Yang Configuration:
    cgnat {
        pools {
            DIA-Pool-Internet1 {
                routing-instance Internet1-Transport-VR;
                egress-network [ Internet1 ];
                source-port {
                    random-allocation;
                }
            }
        }
        rules {
            DIA-Rule-Tenant-LAN-VR-Internet1 {
                from {
                    destination-zone [ L-ST-Tenant-LAN-VR-Internet1 ];
                }
                then {
                    translated {
                        translation-type napt-44;
                        source-pool DIA-Pool-Internet1;
                        filtering-type none;
                        mapping-type none;
                    }
                }
            }
            objects {
                zones {
                    # after RTI-Internet2-Zone
                    W-ST-Tenant-LAN-VR-Internet1 {
                        interface-list [ tvi-0/602.0 ];
                    }
                    L-ST-Tenant-LAN-VR-Internet1 {
                        interface-list [ tvi-0/603.0 ];
                    }
                }
            }
        }
    }
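The sample pool above uses `random-allocation` for source ports. The Port Block Allocation, Block Size, Max Block Per User and Block Timeout fields from the pool table describe the alternative, in which each subscriber (LAN host) receives contiguous port blocks on a pool address, so one log record per block is enough to attribute any public IP:port back to the host later. The following is an added example that models that scheme; it is not Versa's implementation, and the pool address, block size, quota, port range and log format are this example's own constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortBlock:
    public_ip: str
    start: int      # first port of the block
    size: int
    used: int = 0   # ports handed out so far; ports are taken sequentially from the block

    @property
    def end(self) -> int:
        return self.start + self.size - 1

    def next_port(self) -> Optional[int]:
        if self.used >= self.size:
            return None
        port = self.start + self.used
        self.used += 1
        return port


class PortBlockAllocator:
    """NAPT-44 source-port allocation in per-subscriber blocks (constructed model).

    block_size and max_blocks_per_user correspond to the Block Size and Max Block Per
    User fields; block expiry (Block Timeout) is modelled by calling release()."""

    def __init__(self, public_ips: List[str], block_size: int, max_blocks_per_user: int,
                 first_port: int = 1024, last_port: int = 65535):
        self.block_size = block_size
        self.max_blocks_per_user = max_blocks_per_user
        # Every (public IP, first port) pair that can still be handed out as a block.
        self.free_blocks: List[Tuple[str, int]] = [
            (ip, start)
            for ip in public_ips
            for start in range(first_port, last_port - block_size + 2, block_size)
        ]
        self.user_blocks: Dict[str, List[PortBlock]] = {}
        self.block_log: List[str] = []  # one record per block instead of one per session

    def allocate(self, subscriber_ip: str) -> Optional[Tuple[str, int]]:
        """Return (public_ip, port) for a new session, or None if quota or pool is exhausted."""
        blocks = self.user_blocks.setdefault(subscriber_ip, [])
        for block in blocks:                      # reuse a block the subscriber already owns
            port = block.next_port()
            if port is not None:
                return block.public_ip, port
        if len(blocks) >= self.max_blocks_per_user or not self.free_blocks:
            return None                           # per-user quota or pool exhausted
        ip, start = self.free_blocks.pop(0)       # take the next free block from the pool
        block = PortBlock(ip, start, self.block_size)
        blocks.append(block)
        self.block_log.append(
            f"PBA alloc subscriber={subscriber_ip} public={ip} ports={block.start}-{block.end}")
        port = block.next_port()
        return block.public_ip, port

    def release(self, subscriber_ip: str) -> int:
        """Return all of a subscriber's blocks to the pool (block timeout); returns the count."""
        blocks = self.user_blocks.pop(subscriber_ip, [])
        for block in blocks:
            self.free_blocks.append((block.public_ip, block.start))
            self.block_log.append(
                f"PBA free subscriber={subscriber_ip} public={block.public_ip} "
                f"ports={block.start}-{block.end}")
        return len(blocks)

    def subscriber_for(self, public_ip: str, port: int) -> Optional[str]:
        """Reverse lookup used when an abuse report names public_ip:port."""
        for subscriber, blocks in self.user_blocks.items():
            for block in blocks:
                if block.public_ip == public_ip and block.start <= port <= block.end:
                    return subscriber
        return None
```

With a 16-port block and a two-block quota, a single host can open 32 concurrent translations before `allocate()` returns `None`, and only two log lines are written for those 32 sessions; with random allocation every session would need its own record to answer the same attribution question.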
Configuring Redistribution Policies
We create a BGP peering between the paired TVIs and redistribute the static (default) route from the Internet-Transport-VR.
Follow these steps to configure BGP:
Select the Director Context > Config Templates > Networking to configure the PNIC/VNIC.
Select a Staging Template from the list box that is just below the Director Context list box.
Select the Networking > Virtual Routers from the left panel.
Click to configure a virtual router. This opens the Configure Virtual Router window.
Select the BGP section in the Configure Virtual Router window and click to open the Add BGP Instance window.
BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts in a network. BGP is often the protocol used between gateway hosts on the internet.
a. Select the General tab and enter these details:
Use this field… | to … |
--- | --- |
Description | Enter a brief description of the interface and its purpose. |
Instance ID | Assign an ID for the BGP instance. A router can have multiple instances of BGP. |
Router ID | Specify the IP address of the router. |
Local AS | Specify the local Autonomous System number for the BGP. |
Peer AS | Specify the peer Autonomous System number for the BGP. |
Local Address | Specify the IP address of the BGP instance. |
Hold Time | Specify the hold time to negotiate with a peer. |
TTL | Specify the time to live. This configures the number of hops a packet travels in a network. |
Password | Specify the password to authenticate the BGP instance. |
Local Network Name | Select the local area network to which the BGP instance belongs. This field lists the names of user-defined networks. |
IBGP Preference | Specify the preference value given to the IBGP-learnt routes. |
EBGP Preference | Specify the preference value given to the EBGP-learnt routes. |
Passive | Select this to enable the BGP to only accept traffic and not transmit routes. |
Remove All Private AS# | Select this to advertise all the private autonomous system numbers before transmitting routes. |
Route Reflector Client | Select this to enable the BGP router to function as a route reflector and broadcast the routes of all the other routers in the network, instead of each router broadcasting its own route. NOTE: This parameter applies to an IBGP setup. |
Family | Select the type of protocol. These are the options: |
Click OK to save the General configuration.
b. Select the Advanced tab and enter these details:
Use this field… | to … |
--- | --- |
Cluster ID | Specify the cluster ID of the reflector clients. |
Path Selection | |
Always Compare MED | Select this to enable the router to send routes to another router. A route with a lower MED (Multi Exit Discriminator) is given priority. |
Cisco-Nondeterministic | Select this to enable Cisco-nondeterministic routing table path selection. The active path is always first. All non-active but eligible paths follow the active path and are maintained in the order in which they are received, with the most recent path first. Ineligible paths remain at the end of the list. When a new path is added to the routing table, path comparisons are made without removing from consideration those paths that should not be selected because those paths lose the MED tie-breaking rule. |
Enable BFD | Select this to mark the link as down whenever BFD is down. |
Minimum Receive Interval | Specify the time interval, in milliseconds, after which the link is marked as down if routing updates are not received. |
Multiplier | Specify the value used to compute the final minimum receive interval. The minimum receive interval is multiplied by this value to get the time interval. |
Minimum Transmit Interval | Specify the time interval at which BGP instances communicate with each other. |
Route Flap Option | |
Free Max Time | Specify the maximum time to remember a penalty assigned to the router. A penalty is assigned to a router when its routes go up and down. |
Reuse Max Time | Specify the time corresponding to the last reuse list. |
Reuse Size | Specify the number of reuse lists. |
Reuse Array Size | Specify the size of the reuse index arrays. |
Enable Graceful Restart | Select this to allow the BGP to restart when it goes down. |
Maximum Restart Time | Specify the maximum time limit, in seconds, that the BGP requires to restart and come up. |
Stalepath Time | Specify the maximum time, in seconds, that the BGP waits before removing the stale routes from a neighbor after a restart of the neighbor's session. |
Recovery Time | Specify the estimated recovery time after a restart. |
Defer Time | Specify the maximum time, in seconds, for a BGP process to wait before performing route selection after a local restart. |
Dynamic Peer Restart Time | Specify the minimum time, in seconds, for the dynamic peers to reconnect after the restart of the BGP process. |
Family | Enter these values: |
Click OK to save the Advanced configuration.
c. Select the Prefix List tab and click to open the Add BGP Instance > Add Prefix List window. Enter these details:
Use this field… | to … |
--- | --- |
Prefix List Name | Specify the prefix list name. Prefix lists are used in the peer group policy to change the attributes of routes and to allow or deny advertising routes to the peer routers. |
Click to open the Add BGP Instance > Add Prefix List > Add Sequence window. Enter these details: | |
Sequence Number | Specify the order or sequence number of the prefix list. |
Action | Select one of these actions on the routes: |
Address Family | Select the address family of the route. Select one of these: |
SAFI | Select the sub-address family indicator. |
IP Address | Specify an IP address to group the routes used with this prefix list. |
Click OK to configure Prefix List.
d. Select the Peer/Group Policy tab.
A peer/group policy is defined to manipulate routes defined in the prefix list. You can change the route attributes and allow or deny advertising these routes to the peers.
Click to open the Add BGP Instance > Add Peer/Group Policy window and enter these details.
Use this field… | to … |
--- | --- |
Name | Specify the peer/group policy name. |
Click to open the Add BGP Instance > Add Peer/Group Policy > Add Term window and enter these details. | |
Term Name | Specify the policy term name. Term entities are executed in the order they are listed in the Term Name table. |
Match tab | |
Family | Select the protocol family of the routes. Select one of these protocols: |
AS Path | Specify the autonomous system (AS) path action. |
Metric | |
NLRI | Select the Network Layer Reachability Information (NLRI) of the prefix list to be matched. It displays the user-defined prefix lists. |
Source Address | Select the source address of the prefix list to be matched. It displays the user-defined prefix lists. |
Next Hop | Select the IP address of the prefix list to be used as the next hop. It displays the user-defined prefix lists. |
Community | Applicable to the BGP protocol. This identifies and segregates BGP routes to enable a smooth traffic flow. A BGP community is a group of destinations with a common property. This is a path attribute in BGP update messages. The attribute identifies community members and performs actions at a group level, instead of an individual level. |
Extended Community | Applicable to the BGP protocol. This identifies a label for BGP routes. You can group a larger number of destinations as an extended community than in a community. |
Origin | Select the source of the route. The options are: |
Action tab | |
Accept/Reject | Select to either accept or reject the route. |
Origin | Select the source of the route. These are the options: |
Next Hop | Specify the IP address of the next hop. |
Local Preference | Specify the BGP attribute used to choose the outbound external BGP path. |
AS Path | Select a regular expression to match the AS path for the route. Select one of these: |
Local AS Prepend Count | Specify the number of times the local AS number is prepended to the AS path. |
AS Path Prepend | Specify the AS number to prepend to the AS path. |
Damping | Specify the BGP route-flap damping parameter configuration. |
Community Action | Select the regular expression to use when matching the community list for a route. These are the options: |
Community | Specify a value to help identify and segregate BGP routes, enabling a smooth traffic flow. A BGP community is a group of destinations with a common property. This is a path attribute in BGP update messages. The attribute identifies community members and performs actions at a group level, instead of an individual level. |
Extended Community Action | Select an expression to use when matching the extended community list for a route: |
Extended Community | Specify a value that acts like an identification label for BGP routes. A larger number of destinations can be grouped as an extended community than in a community. |
Metric Action | Select an action on the metric value. These are the options: |
Metric | Specify the metric value for the route. |
Slave Action tab | This is applicable in a high availability setup. |
Slave AS Path | Select the AS path action when the appliance is an inter-chassis HA slave. These are the options: |
Slave Local AS Prepend Count | Specify the number of times the local AS number is prepended to the AS path while the appliance is an inter-chassis HA slave. |
Slave AS Path Prepend | Prepend the AS number to the AS path. |
Slave Metric Action | Select a metric action to perform. These are the options: |
Slave Metric | Specify the metric value while the appliance is an inter-chassis HA slave. |
Slave Local Preference | Specify the local preference associated with a route. |
Click OK to configure Peer/Group Policy.
e. Select the Peer Group tab and click to open the Add BGP Instance > Add Peer Group window to configure BGP peer groups.
There can be multiple BGP instances and these can be grouped. Enter these details to define the peer instance attributes:
Use this field… | to … |
--- | --- |
Name | Specify the name of the peer group. |
Description | Enter a brief description of the interface and its purpose. |
Type | Select the peer group type. These are the options: |
Peer AS | Specify the peer autonomous system number in number format. |
Local Address | Specify the local end address of the BGP session. |
Hold Time | Specify the hold time used when negotiating with a peer. |
TTL | Specify the number of hops a packet can travel in a network. |
Password | Specify the MD5 password for this peer group. |
Local Network Name | Select the network to which the peer group belongs. Specify the network name or the local address of the peer group. |
Local AS | Specify the local autonomous system number. |
General | |
Family | Select the protocol family of the peer group. These are the options: |
Loop | Specify the number of times the local AS is allowed in the received AS path. For example, if loop is set to 5, Versa FlexVNF allows the local AS in the received AS path 5 times. |
Prefix Limit | Specify the maximum number of prefixes that a BGP instance can receive per session from its peer. |
Neighbors | Click to open the Add BGP Instance > Add Peer Group > Add Neighbor window. Enter these details: |
Neighbor IP | Specify the neighbor peer group ID. |
Peer AS | Specify the autonomous system (AS) number in number format. |
Local Address | Specify the local end address of the BGP session. |
Hold Time | Specify the hold time used when negotiating with a peer. |
TTL | Specify the number of hops a packet can travel in a network. |
Password | Specify the MD5 password for this neighbor. |
Local Network Name | Select the network to which the neighbor peer group belongs. Specify the network name or the local address of the peer group. |
Local AS | Specify the local autonomous system number. |
Description | Enter a brief description of the interface and its purpose. |
Neighbors > General tab | |
Family | Select the protocol family of the neighbor peer group. These are the options: |
Loop | Specify the number of times the local AS is allowed in the received AS path. |
Prefix Limit | Specify the maximum number of prefixes that a BGP instance can receive per session from its peer. |
Neighbor > Advanced tab | |
Passive | Enable BGP to accept traffic only and not transmit any routes. |
Remove All Private AS# | Enable the AS to advertise all the private AS numbers before transmitting routes. |
Route Reflector Client | Enable the router to function as a route reflector by broadcasting the routes of all the other routers in the network. The other routers are connected to the router, which broadcasts the routes of all the routers, instead of each router broadcasting its own route. This is applicable in an IBGP setup. |
As Override | Specify the AS numbers to be replaced in the AS path sent to neighbors. |
Policy | |
Enable BFD | Indicate the link as down when the peer group goes down. |
Allow | Use this tab to define the acceptable peer group routes. |
All | Select all the IP addresses as acceptable peer group routes. |
IP Address/Mask | Click to add the IP address of the route that you want to allow. |
Advanced | |
Passive | Enable BGP to accept traffic only and not transmit any routes. |
Remove All Private AS# | Enable the AS to advertise all the private AS numbers before transmitting routes. |
Route Reflector Client | Enable the router to function as a route reflector by broadcasting the routes of all the other routers in the network. The other routers are connected to the router, which broadcasts the routes of all the routers, instead of each router broadcasting its own route. This is applicable in an IBGP setup. |
Next Hop Self | Enable the IP address of the prefix list as the next hop. It displays the user-defined prefix list. |
As Override | Specify the AS numbers to be replaced in the AS path sent to neighbors. |
Policy | |
Enable BFD | Indicate the link as down when the peer group goes down. |
Click OK to configure the BGP Peer Group.
f. Select the Policy Options tab and click to open the Add BGP Instance > Add Damping window to configure dampening policy. Enter these details:
Use this field… | to … |
--- | --- |
Dampening Name | Specify the name of the dampening policy. |
Suppress | Specify the cutoff threshold limit. Routes beyond this level are suppressed. |
Maximum Suppress Time (min) | Specify the maximum suppression time of a route. |
Reuse | Specify the reuse threshold of a suppressed route. |
Half Life Ok (min) | Specify the decay half-life time, in minutes, that defines the stability of the route while it is still reachable. |
Half Life Ng (min) | Specify the decay half-life time, in minutes, that defines the stability of the route while it is unreachable. |
Maximum Time Ok (min) | Specify the maximum time, in minutes, that any memory of a previous instability is retained for a reachable route. |
Maximum Time Ng (min) | Specify the maximum time, in minutes, that any memory of a previous instability is retained for an unreachable route. |
Click OK to configure the dampening policy.
Yang Configuration:
    routing-instances {
        Internet1-Transport-VR {
            policy-options {
                redistribution-policy ST-Policy {
                    term T1-STATIC {
                        match {
                            protocol static;
                        }
                        action {
                            accept;
                            set-origin igp;
                        }
                    }
                }
                redistribute-to-bgp ST-Policy;
            }
            interfaces [ tvi-0/602.0 ];
            protocols {
                bgp {
                    3000 {
                        router-id 169.254.0.1;
                        local-as {
                            as-number 64513;
                        }
                        group ST_Group {
                            type external;
                            neighbor 169.254.0.3 {
                                local-address 169.254.0.2;
                                peer-as 64514;
                            }
                        }
                    }
                }
            }
        }
At the same time, we ensure that these routes do not leak to other branches: we match the specific community and reject the routes that carry it.
        Tenant-Control-VR {
            protocols {
                bgp {
                    4 {
                        routing-peer-policy TO_SDWAN {
                            # first
                            term Reject_DIA {
                                match {
                                    community "(^|,)64513:64513($|,)";
                                }
                                action {
                                    reject;
                                }
                            }
                        }
                    }
                }
            }
        }
Redistribution at the LAN-side VR tags the DIA routes with a higher local preference, so that routes prefer the local DIA breakout. Policies are created so that other sites do not use this local breakout to reach the Internet.
        Tenant-LAN-VR {
            policy-options {
                redistribution-policy Default-Policy-To-BGP {
                    # first
                    term T1-Paired-TVI-Direct {
                        match {
                            protocol direct;
                            address 169.254.0.0/16;
                        }
                        action {
                            reject;
                        }
                    }
                    # after term T2-DIRECT
                    term T4-BGP {
                        match {
                            protocol bgp;
                        }
                        action {
                            accept;
                            set-origin egp;
                        }
                    }
                }
            }
            interfaces [ tvi-0/603.0 ];
            protocols {
                bgp {
                    3017 {
                        routing-peer-policy From_ST_Internet1 {
                            term Color_ST_Routes {
                                action {
                                    accept;
                                    community 64513:64513;
                                    community-action set-specific;
                                    set-local-preference 120;
                                }
                            }
                        }
                        routing-peer-policy Import-From-LAN-Policy {
                            term Reject-SDWAN-Routes {
                                match {
                                    community "(^|,)8009:8009($|,)";
                                }
                                action {
                                    reject;
                                }
                            }
                            term Allow-All {
                                action {
                                    accept;
                                }
                            }
                        }
                        routing-peer-policy To_ST_DIA {
                            term Allow_Local_LAN {
                                match {
                                    community "(^|,)8009:8009($|,)";
                                }
                                action {
                                    reject;
                                }
                            }
                            term Allow_All {
                                action {
                                    accept;
                                }
                            }
                        }
                        router-id 169.254.0.5;
                        local-as {
                            as-number 64514;
                        }
                        group ST-Group-1 {
                            type external;
                            family {
                                inet {
                                    unicast {
                                    }
                                }
                            }
                            import From_ST_Internet1;
                            export To_ST_DIA;
                            local-address 169.254.0.3;
                            peer-as 64513;
                            neighbor 169.254.0.2;
                        }
                    }
                }
            }
        }
    }
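To make the route-leak control in the policies above concrete, here is an added example (not Versa's code) that models the three routing-peer-policies as ordered term lists and walks sample routes through them. The policy and term names, the community values and the regex patterns are taken from the configuration above; the following are this example's assumptions: `community-action set-specific` is modelled as replacing the route's community list with the named community, `8009:8009` is treated as the marker carried by SD-WAN-learnt routes (the page rejects it but does not say where it is set), and a policy whose terms all fail to match is treated as reject, with an explicit catch-all added to `TO_SDWAN` because the page marks `Reject_DIA` as only its first term.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    communities: List[str]      # BGP standard communities as "ASN:value" strings
    local_pref: int = 100       # default local preference (assumed)


def community_matches(pattern: str, communities: List[str]) -> bool:
    """Match a community regex such as "(^|,)64513:64513($|,)" against the route's
    communities, modelled as a search over the comma-joined list."""
    return re.search(pattern, ",".join(communities)) is not None


# Each policy is an ordered list of terms: (community regex or None, action).
# A term with no match criteria matches every route, as the page's action-only terms do.
FROM_ST_INTERNET1 = [
    (None, {"accept": True, "set_community": "64513:64513", "local_pref": 120}),  # Color_ST_Routes
]
TO_ST_DIA = [
    (r"(^|,)8009:8009($|,)", {"accept": False}),  # Allow_Local_LAN: never advertise SD-WAN routes to the DIA peer
    (None, {"accept": True}),                      # Allow_All
]
IMPORT_FROM_LAN = [
    (r"(^|,)8009:8009($|,)", {"accept": False}),  # Reject-SDWAN-Routes
    (None, {"accept": True}),                      # Allow-All
]
TO_SDWAN = [
    (r"(^|,)64513:64513($|,)", {"accept": False}),  # Reject_DIA (the page's first term)
    (None, {"accept": True}),                        # assumed catch-all for the remaining terms
]


def apply_policy(policy: List[Tuple[Optional[str], dict]], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if accepted, or None if rejected."""
    for pattern, action in policy:
        if pattern is not None and not community_matches(pattern, route.communities):
            continue
        if not action["accept"]:
            return None
        out = Route(route.prefix, list(route.communities), route.local_pref)
        if "set_community" in action:
            out.communities = [action["set_community"]]   # set-specific modelled as replace
        if "local_pref" in action:
            out.local_pref = action["local_pref"]
        return out
    return None  # no term matched: treated as reject (assumption)


def dia_default_route_flow() -> dict:
    """Walk constructed sample routes through the policies and report what each one did."""
    # Default route redistributed from Internet1-Transport-VR; carries no community yet.
    from_transport = Route("0.0.0.0/0", [])
    in_lan_vr = apply_policy(FROM_ST_INTERNET1, from_transport)   # import at Tenant-LAN-VR
    to_sdwan = apply_policy(TO_SDWAN, in_lan_vr)                   # export from Tenant-Control-VR
    # A prefix learnt over SD-WAN from another site, tagged with the assumed marker.
    sdwan_route = Route("10.20.0.0/16", ["8009:8009"])
    sdwan_to_dia = apply_policy(TO_ST_DIA, sdwan_route)
    # A locally connected LAN prefix with no SD-WAN community.
    lan_route = Route("192.168.10.0/24", [])
    lan_to_dia = apply_policy(TO_ST_DIA, lan_route)
    return {
        "lan_vr_local_pref": in_lan_vr.local_pref,
        "lan_vr_communities": in_lan_vr.communities,
        "default_leaked_to_sdwan": to_sdwan is not None,
        "sdwan_route_sent_to_dia": sdwan_to_dia is not None,
        "lan_route_sent_to_dia": lan_to_dia is not None,
    }


if __name__ == "__main__":
    for key, value in dia_default_route_flow().items():
        print(f"{key}: {value}")
```

The anchored regex matters: `64513:64513` is only matched as a whole community, so a value such as `164513:64513` or `64513:645130` does not trigger `Reject_DIA`, which is the behaviour the `(^|,)` and `($|,)` anchors on the page are there to give.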
DIA for Application Specific Traffic
With Versa FlexVNF, traffic breakout is controlled per use case, as in this sample configuration. Here we restrict the Internet breakout to only a few application categories. All other configuration remains the same; we need to add the policies below to achieve application-specific DIA.
Follow these steps to configure a stateful firewall rule:
Select Appliance Context > Configuration > Services > Stateful Firewall > Security and select an entity from the Organization list.
Select the Rules tab and click in the dashboard to add a new security access policy. This opens the Add Rule window.
Select the General tab and configure the name and description for the DoS protection policy rule. Enter these details:
Use this field… | to … |
Name | Specify the access policy rule name. |
Description | Specify a brief description of the access policy rule and its purpose. |
Tags | Specify a keyword or phrase that allows you to filter the access policy. This is useful when you have many policies and want to view those that are tagged with a particular keyword. |
Select the Source/Destination tab to define the source zone and address and the destination zone and address of the traffic to which the access policy rule applies. Enter these details:
Use this field… | to … |
Source Zone | Select the source zone to apply the rule to traffic coming from any interface in the specified zone. Add more source zones as needed. |
Destination Zone | Select the destination zone to apply the rule to traffic going to any interface in the specified zone. Add more destination zones as needed. |
Source Site ID | Select the unique source site ID to apply the rule to traffic coming from the specified site. Add more source sites by ID as needed. Use the CLI mode to look up a source site ID manually. |
Destination Site ID | Select the unique destination site ID to apply the rule to traffic destined to the specified site. Add more destination sites by ID as needed. Use the CLI mode to look up a destination site ID manually. |
Source Address | Select one or more source addresses to which the access policy rule applies. Add more source addresses as needed. |
Destination Address | Select one or more destination addresses to apply the access policy rule to traffic sent to those destinations. |
Source Address Negate | Enable this to match any source address except the configured addresses. |
Destination Address Negate | Enable this to match any destination address except the configured addresses. |
Routing Instance | Select the routing instance of the incoming traffic. |
Egress Routing Instance | Select the destination routing instance of the traffic. |
Select the Header/Schedule tab to define the IP header fields, services, and schedule to which the security access rule applies. Enter these details:
Use this field… | to … |
IP Version | Specify the IP version (header) to which the security access rule applies. |
IP Flags | For IPv4, select the IP flags the security access rule matches. |
DSCP | Specify the Differentiated Services Code Point (DSCP) value in the IP header that the security access rule matches. |
TTL | |
Condition | Select the TTL comparison that the security access policy rule applies to the packet's TTL. |
Value | Specify the TTL value that the security access rule compares against using the selected condition. |
Others | |
Schedules | Select a schedule to specify when the security access rule is in effect. |
Services | |
Service List | Select one or more services to apply the security access rule to those services. |
Select the Enforce tab to select the applications and URLs to which the security access rule applies. Enter these details:
Use this field… | to … |
Applications | Select one or more predefined or custom application signatures to apply the security access rule to those applications. Refer to Configuring Application Objects for more information on predefined and custom applications. |
URL Categories | Select one or more predefined or custom URL categories to apply the security access rule to those URLs. Refer to Configuring URL Category Objects for more information on predefined and custom URL categories. |
Click OK to create the security access policy.
Refer to the Versa FlexVNF Security Configuration Guide for more information on access policies.
Yang Configuration:
admin@user-cli> show configuration orgs org-services security access-policies
org-services Tenant {
    security {
        access-policies {
            Default-Policy {
                rules {
                    Allow_From_Trust {
                        match {
                            source {
                                zone {
                                    zone-list [ Intf-LAN-Zone W-ST-Tenant-LAN-VR-Internet1 ];
                                }
                                user {
                                    user-type any;
                                }
                            }
                            url-category {
                                predefined [ business_and_economy educational_institutions news_and_media ];
                            }
                        }
                        set {
                            action allow;
                            lef {
                                event never;
                                options {
                                    send-pcap-data {
                                        enable false;
                                    }
                                }
                            }
                        }
                    }
                    Deny_All {
                        match {
                            source {
                                zone {
                                    zone-list [ Intf-LAN-Zone W-ST-Tenant-LAN-VR-Internet1 ];
                                }
                                user {
                                    user-type any;
                                }
                            }
                        }
                        set {
                            action deny;
                            lef {
                                event never;
                                options {
                                    send-pcap-data {
                                        enable false;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
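The two rules above only work as application-specific DIA because of their order: Allow_From_Trust admits sessions from the LAN zones that the engine has classified into one of three URL categories, and Deny_All, placed after it with no url-category clause, catches everything else from those zones, including sessions that never get a category. The Python below is an added example, not code from the white paper or from Versa, that replays that first-match evaluation over constructed sessions and adds the two checks a reviewer would run before pushing such a policy: that every covered zone ends in an explicit deny, and that no rule is shadowed by a catch-all placed before it. The Flow and Rule types, the Guest-Zone name, the social_networking category and the "no-match" result for a session that matches no rule are assumptions made for the example; the page does not say what the platform does with unmatched sessions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src_zone: str
    # URL category the engine classified the session into, or None when
    # nothing could be classified (for example non-web traffic).
    url_category: Optional[str] = None


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    src_zones: List[str]                         # match -> source -> zone -> zone-list
    url_categories: Optional[List[str]] = None   # match -> url-category; None = clause absent

    def matches(self, flow: Flow) -> bool:
        if flow.src_zone not in self.src_zones:
            return False
        if self.url_categories is None:
            return True          # no url-category clause: any session from the zone
        # Clause present: only sessions classified into a listed category match;
        # unclassified sessions fall through to the next rule.
        return flow.url_category in self.url_categories


LAN_ZONES = ["Intf-LAN-Zone", "W-ST-Tenant-LAN-VR-Internet1"]

# Same two rules, in the same order, as the Default-Policy shown above.
DEFAULT_POLICY = [
    Rule("Allow_From_Trust", "allow", LAN_ZONES,
         ["business_and_economy", "educational_institutions", "news_and_media"]),
    Rule("Deny_All", "deny", LAN_ZONES),
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[Optional[str], str]:
    """First matching rule wins. A session that matches nothing returns
    (None, "no-match"): treat that as a policy gap, not as an implicit default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "no-match"


def lint_policy(policy: List[Rule], zones: List[str]) -> dict:
    """Reviewer checks for application-specific DIA:
    fail_open  - zones that do not end in a catch-all (no url-category) deny
    shadowed   - (rule, zone) pairs placed after a catch-all for that zone,
                 which can therefore never match"""
    fail_open, shadowed = [], []
    for zone in zones:
        catch_all_seen = False
        terminal_deny = False
        for rule in policy:
            if zone not in rule.src_zones:
                continue
            if catch_all_seen:
                shadowed.append((rule.name, zone))
                continue
            if rule.url_categories is None:
                catch_all_seen = True
                terminal_deny = rule.action == "deny"
        if not terminal_deny:
            fail_open.append(zone)
    return {"fail_open": fail_open, "shadowed": shadowed}


# Constructed sample sessions from the LAN; not captured from a real appliance.
SAMPLE_FLOWS = [
    Flow("Intf-LAN-Zone", "news_and_media"),      # allowed category
    Flow("Intf-LAN-Zone", "social_networking"),   # category not in the allow list
    Flow("Intf-LAN-Zone", None),                  # non-web session, never classified
    Flow("Guest-Zone", "news_and_media"),         # hypothetical zone the policy does not cover
]


def run_example() -> List[Tuple[str, Optional[str], str]]:
    return [(f.src_zone, f.url_category, evaluate(DEFAULT_POLICY, f)[1]) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_example():
        print(row)
    print("as configured:", lint_policy(DEFAULT_POLICY, LAN_ZONES))
    # Misordered copy: Deny_All first shadows the allow rule for both zones.
    print("reversed:     ", lint_policy(list(reversed(DEFAULT_POLICY)), LAN_ZONES))
    # Allow rule alone: both zones fail open.
    print("no deny:      ", lint_policy(DEFAULT_POLICY[:1], LAN_ZONES))
```

The third sample session is the one to keep in mind when rolling this out: with only URL categories in the allow rule, any LAN session the engine cannot classify lands on Deny_All, so non-web services the branch needs to reach directly have to be added to the allow rule explicitly rather than assumed to pass.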
Security Solution Available with Versa
A Branch that is directly exposed to the Internet without the security tools available at headquarters carries a greater risk of compromise, and more and more attacks are trying to leverage weakly guarded Branch sites that lack proper threat management and security policy.
Versa SD-Security provides a range of security tools to cover Branch security for the different use cases. Versa FlexVNF offers security features ranging from a zone-based stateful firewall to a next-generation firewall with application-based filtering and URL filtering. Versa SD-Security also offers antivirus, malware protection, IDS/IPS, IP reputation and filtering, and DoS protection.
Conclusion
In summary, Versa security features provide the level of security, privacy, and data integrity seen in private WANs, giving organizations the confidence to use the public Internet as a secure WAN transport for their Branch communication needs. Organizations can use DIA and continue to experience a high level of performance and security while saving money and securing their network.