Segmentation is the process of dividing the network into logical sub-networks called Segments by using isolation techniques on a forwarding device such as a switch, router, or firewall. Network segmentation is important when traffic from different organizations and/or data types must be isolated.
In the segment-aware topology, different Virtual Private Network (VPN) profiles can be enabled for each segment. For example, Guest traffic can be backhauled to remote data center firewall services, Voice media can flow direct from Branch-to-Branch based on dynamic tunnels, and the PCI segment can backhaul traffic to the data center to exit out of the PCI network.
Note: You can configure a maximum of 16 Segments per enterprise customer.
To configure a new segment for an enterprise, perform the following steps:
- From the SD-WAN Orchestrator navigation panel, go to Configure > Segments. The Segments page for the selected enterprise appears.
- Click the + button and enter the following details to configure a new segment.
Field Description Segment Name The name of the segment (up to 256 characters). Description The description of the segment (up to 256 characters). Type The segment type can be one of the following: - Regular - The standard segment type.
- Private - Used for traffic flows that require limited visibility in order to address end user privacy requirements.
- CDE - VMware provides PCI certified SD-WAN service. The Cardholder Data Environment (CDE) type is used for traffic flows that require PCI and want to leverage the VMware PCI certification.
Note: For Global Segment, you can set the type either to Regular or Private. For non-global segments, the type can be Regular, CDE, or Private.Service VLAN The service VLAN identifier. For information, see Define Mapping between Segments and Service VLANs (Optional) section in Security VNFs. Delegate To Partner By default, this checkbox is selected. If you unselect it, the Partner cannot change configs within the segment, including the interface assignment. Delegate To Customer By default, this checkbox is selected. If you unselect it, the Customer cannot change configs within the segment, including the interface assignment. - Click Save Changes.
If the segment is configured as
Private, then the segment:
- Does not upload user flow stats to Orchestrator except for VMware Control, VMware Management, and a single IP flow that counts all transmitted and received packets and bytes sent on the segment.
- Does not allow users to view flows in Remote Diagnostics.
- Does not allow traffic to be sent as Internet Multipath as all business policies that are set to Internet Multipath are automatically overridden to Direct by the Edge.
If the segment is configured as CDE, then the VMware hosted Orchestrator and Controller will be aware of the PCI segment and will be in the PCI scope. Gateways (marked as non-CDE Gateways) will not be aware or transmit PCI traffic and will be out of PCI scope.