Configure Segments

Segmentation is the process of dividing the network into logical sub-networks called Segments by using isolation techniques on a forwarding device such as a switch, router, or firewall. Network segmentation is required when traffic from different organizations and data types must be isolated.

In the segment-aware topology, different Virtual Private Network (VPN) profiles can be activated for each segment. For example, Guest traffic can be backhauled to remote data center firewall services, Voice media can flow direct from Branch-to-Branch based on dynamic tunnels, and the PCI segment can backhaul traffic to the data center to exit out of the PCI network.

To activate the segmentation capability for an Enterprise, in the Operator portal, navigate to System Properties, and then set the value of the system property, enterprise.capability.enableSegmentation as True. For additional information about how to configure system properties, refer to the "System Properties" section in the Arista VeloCloud Orchestrator Deployment and Monitoring Guide.

By default, you can configure a maximum of 16 segments per Enterprise. However, you can choose to increase this default value to a maximum of 128 segments per Enterprise. Ensure that you define the maximum number of allowed segments in the enterprise.segments.system.maximum system property. For additional information about the various system properties that you must set up for the segmentation capability, refer to the "Segmentation" table in the "List of System Properties" section in the Arista VeloCloud Orchestrator Deployment and Monitoring Guide.

Limitations

Keep in mind the following limitations before you increase the default value to a maximum of 128 segments per Enterprise:
  • It is mandatory that you upgrade your SASE Orchestrator and your Edges to version 4.3 or above.
  • After you have configured 128 segments for an Enterprise, you cannot downgrade your Edges to a version lower than 4.3. If you need to downgrade your Edges, ensure that you have only 16 segments, which is the default value for any Enterprise and delete the remaining segments before you downgrade the Edges.

To configure the Segments:

  1. In the SD-WAN service of the Enterprise Portal, select Configure > Segments .
    The Segments page displays the existing Segments.
    Figure 1. Segments
  2. Select Add to add a new Segment and configure the following details:
    Table 1. New Segment - Options and Descriptions
    Option Description
    Segment Name Enter a name for the Segment. The maximum number of characters allowed is 256.
    Description Enter a descriptive text for the Segment. The maximum number of characters allowed is 256.
    Type Choose the Segment type as one of the following:
    • Regular- The standard segment type.
    • Private- Used for traffic flows that require limited visibility in order to address end user privacy requirements.
    • CDE- Arista provides PCI certified SD-WAN service. The Cardholder Data Environment (CDE) type is used for traffic flows that require PCI and want to leverage the PCI certification.
    Note: For Global Segment, you can set the type either to Regular or Private. For non-global segments, the type can be Regular, CDE, or Private.
    Service VLAN Enter the service VLAN identifier. For additional information, see Define Mapping Segments with Service VLANs.
    Delegate To Partner By default, this checkbox is selected. If this checkbox is not selected, the Partner cannot change the configurations within the segment, including the Interface assignment.
    Delegate To Customer By default, this checkbox is selected. If this checkbox is not selected, the Customer cannot change the configurations within the segment, including the Interface assignment.
  3. Select Save Changes.
    If the segment is configured as Private, then the segment:
    • Does not upload user flow stats to Orchestrator except for Arista Control, Arista Management, and a single IP flow that counts all transmitted and received packets and bytes sent on the segment. For example, Customer flow stats like Source IP, Destination IP and so on, are not shown in the Monitor tab for the flows related to Private segment.
    • Does not allow users to view flows in Remote Diagnostics.
    • Does not allow traffic to be sent as Internet Multipath as all business policies that are set to Internet Multipath are automatically overridden to Direct by the Edge.

    If the segment is configured as CDE, then the Arista hosted Orchestrator and Controller will be aware of the PCI segment and will be in the PCI scope. Gateways (marked as non-CDE Gateways) will not be aware or transmit PCI traffic and will be out of PCI scope.

  4. To remove a Segment, select the Segment and select Delete. You cannot delete a Segment used by a Profile.