Skip to content

3.4 Segmentation Design

Document Information

Field Value
Document ID SDWAN-SEC-3.4
Version 1.0
Last Updated December 2025
Author Network Architecture Team
Classification Internal Use

1. Executive Summary

This section documents the comprehensive segmentation design for Abhavtech's SD-WAN deployment. Network segmentation is a critical security control that isolates traffic between different user groups, applications, and security zones. The design aligns with the existing SD-Access Virtual Network (VN) structure to provide end-to-end segmentation from campus to WAN.

1.1 Segmentation Objectives

+------------------------------------------------------------------+
|                   SEGMENTATION OBJECTIVES                         |
+------------------------------------------------------------------+
|                                                                   |
|  +------------------+    +------------------+    +------------------+
|  | ISOLATION        |    | COMPLIANCE       |    | PERFORMANCE     |
|  +------------------+    +------------------+    +------------------+
|  | Prevent lateral  |    | Regulatory       |    | Traffic         |
|  | movement between |    | requirements     |    | optimization    |
|  | segments         |    | (PCI, HIPAA)     |    | per segment     |
|  +------------------+    +------------------+    +------------------+
|                                                                   |
|  +------------------+    +------------------+    +------------------+
|  | ACCESS CONTROL   |    | VISIBILITY       |    | SCALABILITY     |
|  +------------------+    +------------------+    +------------------+
|  | Granular policy  |    | Per-segment      |    | Grow without    |
|  | enforcement      |    | monitoring       |    | redesign        |
|  +------------------+    +------------------+    +------------------+
|                                                                   |
+------------------------------------------------------------------+

1.2 Design Principles

Principle Description Implementation
Default Deny No inter-segment traffic unless explicitly allowed VPN isolation
Least Privilege Minimum required access between segments Controlled route leaking
End-to-End Segmentation from campus through WAN to cloud VN-to-VPN mapping
Centralized Policy Single point of policy definition SD-WAN Manager templates
Scalable Support growth without redesign Hierarchical VPN structure

2. VPN Architecture

2.1 VPN Structure Overview

+------------------------------------------------------------------+
|                      SD-WAN VPN STRUCTURE                         |
+------------------------------------------------------------------+
|                                                                   |
|  +-----------------------------------------------------------+   |
|  |                     MANAGEMENT VPNs                        |   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  |  | VPN 0          |  | VPN 512        |  | VPN 513       ||   |
|  |  | Transport      |  | Management     |  | Reserved      ||   |
|  |  | (DTLS/TLS)     |  | (Out-of-band)  |  | (Future)      ||   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  +-----------------------------------------------------------+   |
|                                                                   |
|  +-----------------------------------------------------------+   |
|  |                      SERVICE VPNs                          |   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  |  | VPN 10         |  | VPN 20         |  | VPN 30        ||   |
|  |  | Employee       |  | Guest          |  | IoT           ||   |
|  |  | (Corporate)    |  | (Internet-only)|  | (Restricted)  ||   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  |                                                            |   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  |  | VPN 40         |  | VPN 50         |  | VPN 100       ||   |
|  |  | Voice          |  | Shared Svc     |  | PCI Zone      ||   |
|  |  | (QoS Priority) |  | (DNS/DHCP)     |  | (Compliance)  ||   |
|  |  +----------------+  +----------------+  +----------------+|   |
|  +-----------------------------------------------------------+   |
|                                                                   |
+------------------------------------------------------------------+

2.2 VPN Definitions

VPN ID Name Description SD-Access VN SGT Range
0 Transport WAN underlay connectivity N/A N/A
10 Employee Corporate user traffic Employee_VN 3-6
20 Guest Guest/contractor access Guest_VN 4
30 IoT IoT devices and sensors IoT_VN 7-8
40 Voice Voice and video traffic Voice_VN 9
50 Shared_Services Infrastructure services Shared_VN 5, 10-12
100 PCI_Zone Payment processing PCI_VN 12
512 Management Device management Management_VN 2

2.3 VPN to VRF Mapping

+------------------------------------------------------------------+
|                    VPN-TO-VRF MAPPING                             |
+------------------------------------------------------------------+
|                                                                   |
|    SD-WAN Manager           WAN Edge               SD-Access      |
|   +---------------+      +---------------+      +---------------+ |
|   |               |      |               |      |               | |
|   | VPN 10        |----->| VRF Employee  |<---->| Employee_VN   | |
|   | VPN 20        |----->| VRF Guest     |<---->| Guest_VN      | |
|   | VPN 30        |----->| VRF IoT       |<---->| IoT_VN        | |
|   | VPN 40        |----->| VRF Voice     |<---->| Voice_VN      | |
|   | VPN 50        |----->| VRF Shared    |<---->| Shared_VN     | |
|   | VPN 100       |----->| VRF PCI       |<---->| PCI_VN        | |
|   |               |      |               |      |               | |
|   +---------------+      +---------------+      +---------------+ |
|                                                                   |
|   Note: Each VPN maintains complete routing table isolation       |
|         Route Distinguisher format: 65100:VPN-ID                  |
|         Route Target format: 65100:VPN-ID                         |
|                                                                   |
+------------------------------------------------------------------+

3. Transport VPN (VPN 0)

3.1 Transport VPN Purpose

The Transport VPN (VPN 0) provides the underlay connectivity for SD-WAN overlay tunnels. It is the only VPN that interfaces directly with external WAN networks.

+------------------------------------------------------------------+
|                    TRANSPORT VPN DESIGN                           |
+------------------------------------------------------------------+
|                                                                   |
|                        WAN Edge Router                            |
|  +-------------------------------------------------------------+ |
|  |                                                              | |
|  |  +------------------+  +------------------+                  | |
|  |  | Interface: G0/0  |  | Interface: G0/1  |                  | |
|  |  | Color: mpls      |  | Color: biz-internet|                | |
|  |  | VPN: 0           |  | VPN: 0           |                  | |
|  |  | TLOC: System-IP  |  | TLOC: System-IP  |                  | |
|  |  +--------+---------+  +--------+---------+                  | |
|  |           |                     |                            | |
|  |           +----------+----------+                            | |
|  |                      |                                       | |
|  |           +----------+----------+                            | |
|  |           |                     |                            | |
|  |  +--------+---------+  +--------+---------+                  | |
|  |  | DTLS Tunnel      |  | DTLS Tunnel      |                  | |
|  |  | To: Controller   |  | To: WAN Edges    |                  | |
|  |  +------------------+  +------------------+                  | |
|  |                                                              | |
|  +-------------------------------------------------------------+ |
|                                                                   |
+------------------------------------------------------------------+

3.2 Transport VPN Configuration

! VPN 0 - Transport Configuration
vpn 0
 name "Transport VPN"

 ! MPLS Transport Interface
 interface GigabitEthernet0/0/0
  description "MPLS Transport - VPN 0"
  ip address 10.100.16.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   no allow-service all
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service netconf
   allow-service ntp
   allow-service sshd
   allow-service stun
  !
 !

 ! Internet Transport Interface
 interface GigabitEthernet0/0/1
  description "DIA Transport - VPN 0"
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   carrier "ISP-Primary"
   no allow-service all
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service stun
  !
 !

 ! Default Route to MPLS Provider
 ip route 0.0.0.0/0 10.100.16.1
!

3.3 Transport VPN Security

Control Implementation Purpose
Service ACL allow-service filters Control allowed services
NAT Outbound NAT for DIA Hide internal addressing
Tunnel Interface IPsec encapsulation Encrypt all overlay traffic
Control Connections TLS/DTLS to controllers Secure control plane

4. Service VPN Design

4.1 VPN 10: Employee Network

+------------------------------------------------------------------+
|                    VPN 10: EMPLOYEE NETWORK                       |
+------------------------------------------------------------------+
|                                                                   |
|  Purpose: Corporate user access to internal and cloud resources   |
|                                                                   |
|  Subnets:                                                         |
|  +----------------------------------------------------------+    |
|  | Site          | Network          | Description           |    |
|  +----------------------------------------------------------+    |
|  | Mumbai DC     | 172.16.10.0/23   | Employee LAN          |    |
|  | Chennai DR    | 172.16.12.0/23   | Employee LAN          |    |
|  | London        | 172.16.20.0/24   | Employee LAN          |    |
|  | New Jersey    | 172.16.22.0/24   | Employee LAN          |    |
|  | Bangalore     | 172.16.30.0/24   | Employee LAN          |    |
|  | Delhi         | 172.16.32.0/24   | Employee LAN          |    |
|  | Frankfurt     | 172.16.34.0/24   | Employee LAN          |    |
|  | Dallas        | 172.16.36.0/24   | Employee LAN          |    |
|  | Noida         | 172.16.38.0/24   | Employee LAN          |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  Access Rights:                                                   |
|  - Full access to corporate applications                          |
|  - Access to cloud services (M365, Salesforce, etc.)             |
|  - Controlled access to shared services                           |
|  - DIA breakout for SaaS applications                            |
|                                                                   |
+------------------------------------------------------------------+

4.2 VPN 10 Configuration

vpn 10
 name "Employee Network"
 omp
  advertise connected
  advertise static
 !

 ! Service-side Interface
 interface GigabitEthernet0/0/2.10
  description "Employee VLAN - SD-Access Handoff"
  encapsulation dot1q 10
  ip address 172.16.10.1/23
  no shutdown
 !

 ! Enable routing
 ip route 0.0.0.0/0 vpn 0

 ! NAT for DIA
 nat
  natpool EMPLOYEE-NAT-POOL
   range 198.51.100.1 198.51.100.10
  !
  interface GigabitEthernet0/0/1
   nat-outside
  !
  nat-pool-for-dia
   EMPLOYEE-NAT-POOL
  !
 !
!

4.3 VPN 20: Guest Network

+------------------------------------------------------------------+
|                    VPN 20: GUEST NETWORK                          |
+------------------------------------------------------------------+
|                                                                   |
|  Purpose: Guest and contractor internet-only access               |
|                                                                   |
|  Subnets:                                                         |
|  +----------------------------------------------------------+    |
|  | Site          | Network          | Description           |    |
|  +----------------------------------------------------------+    |
|  | All Sites     | 172.17.X.0/24    | Guest WiFi            |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  Access Rights:                                                   |
|  - Internet access only (DIA breakout)                           |
|  - NO access to corporate resources                              |
|  - NO access to other VPNs                                       |
|  - Bandwidth limited (50 Mbps per user)                          |
|  - Session timeout: 8 hours                                      |
|                                                                   |
|  Security Controls:                                               |
|  - Captive portal authentication                                 |
|  - Web filtering (Umbrella)                                      |
|  - DNS security                                                  |
|                                                                   |
+------------------------------------------------------------------+

4.4 VPN 20 Configuration

vpn 20
 name "Guest Network"
 omp
  advertise connected
 !

 ! Service-side Interface
 interface GigabitEthernet0/0/2.20
  description "Guest VLAN - SD-Access Handoff"
  encapsulation dot1q 20
  ip address 172.17.10.1/24
  no shutdown
 !

 ! Guest traffic goes directly to Internet
 ip route 0.0.0.0/0 vpn 0

 ! DIA for all guest traffic
 nat
  natpool GUEST-NAT-POOL
   range 198.51.100.50 198.51.100.60
  !
  nat-pool-for-dia
   GUEST-NAT-POOL
  !
 !
!

4.5 VPN 30: IoT Network

+------------------------------------------------------------------+
|                      VPN 30: IoT NETWORK                          |
+------------------------------------------------------------------+
|                                                                   |
|  Purpose: IoT devices, sensors, building automation               |
|                                                                   |
|  Device Categories:                                               |
|  +----------------------------------------------------------+    |
|  | Category       | SGT  | Access                           |    |
|  +----------------------------------------------------------+    |
|  | HVAC/BMS       | 7    | Cloud management, limited local  |    |
|  | IP Cameras     | 8    | NVR/VMS only, no internet        |    |
|  | Sensors        | 7    | Cloud analytics platform         |    |
|  | Badge Readers  | 7    | Access control server only       |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  Security Controls:                                               |
|  - Default deny between IoT devices                              |
|  - Restricted cloud access via firewall                          |
|  - No lateral movement capability                                |
|  - Continuous profiling via ISE                                  |
|                                                                   |
+------------------------------------------------------------------+

4.6 VPN 30 Configuration

vpn 30
 name "IoT Network"
 omp
  advertise connected
 !

 ! Service-side Interface
 interface GigabitEthernet0/0/2.30
  description "IoT VLAN - SD-Access Handoff"
  encapsulation dot1q 30
  ip address 172.18.10.1/24
  no shutdown
 !

 ! Limited routing - no default route
 ! Only specific cloud destinations allowed

 ! Static routes to allowed cloud services
 ip route 13.107.0.0/16 vpn 0  ! Azure IoT Hub
 ip route 52.0.0.0/8 vpn 0     ! AWS IoT

!

4.7 VPN 40: Voice Network

+------------------------------------------------------------------+
|                     VPN 40: VOICE NETWORK                         |
+------------------------------------------------------------------+
|                                                                   |
|  Purpose: Voice and video communications                          |
|                                                                   |
|  Components:                                                      |
|  +----------------------------------------------------------+    |
|  | Component      | Location       | Network                |    |
|  +----------------------------------------------------------+    |
|  | CUCM Cluster   | Mumbai DC      | 172.19.1.0/24          |    |
|  | Unity Conn     | Mumbai DC      | 172.19.2.0/24          |    |
|  | IP Phones      | All Sites      | DHCP per site          |    |
|  | Video Conf     | Major Sites    | 172.19.10.0/24         |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  QoS Requirements:                                               |
|  - Voice: DSCP EF (46), < 150ms latency, < 1% loss              |
|  - Video: DSCP AF41 (34), < 200ms latency, < 2% loss            |
|  - Signaling: DSCP CS3 (24)                                     |
|                                                                   |
+------------------------------------------------------------------+

4.8 VPN 40 Configuration

vpn 40
 name "Voice Network"
 omp
  advertise connected
  advertise static
 !

 ! Service-side Interface
 interface GigabitEthernet0/0/2.40
  description "Voice VLAN - SD-Access Handoff"
  encapsulation dot1q 40
  ip address 172.19.10.1/24
  qos-map VOICE-QOS
  no shutdown
 !

 ! Voice infrastructure routes
 ip route 172.19.1.0/24 vpn 50  ! CUCM via Shared Services
 ip route 172.19.2.0/24 vpn 50  ! Unity via Shared Services

!

4.9 VPN 50: Shared Services

+------------------------------------------------------------------+
|                  VPN 50: SHARED SERVICES                          |
+------------------------------------------------------------------+
|                                                                   |
|  Purpose: Infrastructure services accessible by all VPNs          |
|                                                                   |
|  Services:                                                        |
|  +----------------------------------------------------------+    |
|  | Service        | Network          | Accessible From      |    |
|  +----------------------------------------------------------+    |
|  | DNS Servers    | 172.20.1.0/24    | All VPNs             |    |
|  | NTP Servers    | 172.20.2.0/24    | All VPNs             |    |
|  | AD/LDAP        | 172.20.10.0/24   | VPN 10, 40, 512      |    |
|  | ISE PSN        | 172.20.20.0/24   | All VPNs             |    |
|  | CUCM           | 172.19.1.0/24    | VPN 40               |    |
|  | Infoblox       | 172.20.5.0/24    | VPN 512              |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  Access Control:                                                  |
|  - Only infrastructure protocols allowed                         |
|  - SGT-based access control                                      |
|  - Service-specific ports only                                   |
|                                                                   |
+------------------------------------------------------------------+

4.10 VPN 50 Configuration

vpn 50
 name "Shared Services"
 omp
  advertise connected
 !

 ! Service-side Interface
 interface GigabitEthernet0/0/2.50
  description "Shared Services VLAN - SD-Access Handoff"
  encapsulation dot1q 50
  ip address 172.20.1.1/24
  no shutdown
 !

 ! DNS Server Interface
 interface Loopback50
  ip address 172.20.1.10/32
  dns-server
 !

!

5. Route Leaking Design

5.1 Route Leaking Principles

Route leaking enables controlled communication between otherwise isolated VPNs. This must be carefully designed to maintain security while enabling required inter-segment access.

+------------------------------------------------------------------+
|                    ROUTE LEAKING DESIGN                           |
+------------------------------------------------------------------+
|                                                                   |
|  Principle: "Import what you need, export what others need"       |
|                                                                   |
|  +----------+     Route Leak     +----------+                     |
|  | VPN 10   |<------------------>| VPN 50   |                     |
|  | Employee |   (Shared Svc)     | Shared   |                     |
|  +----------+                    +----------+                     |
|       ^                               ^                           |
|       |                               |                           |
|       | No Leak                       | Route Leak                |
|       |                               |                           |
|       v                               v                           |
|  +----------+                    +----------+                     |
|  | VPN 20   |       XXXX         | VPN 40   |                     |
|  | Guest    | (No cross-access)  | Voice    |                     |
|  +----------+                    +----------+                     |
|                                                                   |
|  Guest VPN has no route leaking - complete isolation              |
|                                                                   |
+------------------------------------------------------------------+

5.2 Route Leaking Matrix

Source VPN Destination VPN Leaked Routes Purpose
VPN 10 VPN 50 172.20.0.0/16 Access shared services
VPN 50 VPN 10 172.16.0.0/14 Service responses
VPN 40 VPN 50 172.20.0.0/16, 172.19.0.0/16 Voice infra access
VPN 50 VPN 40 172.19.0.0/16 Voice responses
VPN 30 VPN 50 172.20.1.0/24 DNS only
VPN 20 None None Complete isolation
VPN 100 VPN 50 172.20.10.0/24 AD authentication

5.3 Route Leaking Configuration

! Control Policy for Route Leaking
policy
 control-policy ROUTE-LEAKING
  ! VPN 10 imports from VPN 50
  sequence 10
   match route
    vpn-list VPN-50-SHARED
   action accept
    set
     vpn-list VPN-10-EMPLOYEE
     route-type service-vpn-route
    !
   !
  !

  ! VPN 40 imports from VPN 50
  sequence 20
   match route
    vpn-list VPN-50-SHARED
   action accept
    set
     vpn-list VPN-40-VOICE
     route-type service-vpn-route
    !
   !
  !

  ! Block all other cross-VPN routes
  sequence 1000
   match route
    prefix-list ANY
   action reject
  !
 !
!

! Apply Control Policy
apply-policy
 site-list ALL-SITES
  control-policy ROUTE-LEAKING out
 !
!

5.4 Selective Service Access

! Data Policy for Selective Access
policy
 data-policy SHARED-SERVICES-ACCESS
  vpn-list VPN-10-EMPLOYEE
   ! Allow DNS to Shared Services
   sequence 10
    match
     destination-ip 172.20.1.0/24
     destination-port 53
    action accept
     count DNS-TO-SHARED
    !
   !

   ! Allow AD/LDAP to Shared Services
   sequence 20
    match
     destination-ip 172.20.10.0/24
     destination-port 389 636 3268 3269
    action accept
     count LDAP-TO-SHARED
    !
   !

   ! Allow NTP to Shared Services
   sequence 30
    match
     destination-ip 172.20.2.0/24
     destination-port 123
    action accept
     count NTP-TO-SHARED
    !
   !

   ! Block all other traffic to Shared Services
   sequence 100
    match
     destination-ip 172.20.0.0/16
    action drop
     count BLOCKED-TO-SHARED
    !
   !
  !
 !
!

6. VPN Isolation Verification

6.1 Isolation Test Matrix

Test Source VPN Destination VPN Expected Result Test Method
T1 VPN 10 VPN 20 No connectivity Ping/Traceroute
T2 VPN 20 VPN 10 No connectivity Ping/Traceroute
T3 VPN 20 VPN 30 No connectivity Ping/Traceroute
T4 VPN 30 VPN 10 No connectivity Ping/Traceroute
T5 VPN 10 VPN 50 (DNS) Connectivity DNS query
T6 VPN 40 VPN 50 (CUCM) Connectivity SIP registration

6.2 Verification Commands

! Verify VPN Routing Tables
show sdwan omp routes vpn 10
show sdwan omp routes vpn 20
show sdwan omp routes vpn 50

! Verify Route Leaking
show sdwan policy access-list-associations

! Verify VPN Isolation
show ip vrf detail Employee
show ip route vrf Employee

! Test Cross-VPN Access
ping vrf Employee 172.17.10.100  ! Should fail (Guest)
ping vrf Employee 172.20.1.10    ! Should succeed (Shared DNS)

! Verify Prefix Advertisement
show sdwan omp routes vpn 10 | include 172.16
show sdwan omp routes vpn 50 | include 172.20

6.3 Isolation Monitoring

+------------------------------------------------------------------+
|                 VPN ISOLATION MONITORING                          |
+------------------------------------------------------------------+
|                                                                   |
|  Dashboard Metrics:                                               |
|  +----------------------------------------------------------+    |
|  | Metric                | Alert Threshold                  |    |
|  +----------------------------------------------------------+    |
|  | Cross-VPN traffic     | > 0 packets (unexpected VPNs)    |    |
|  | Route leak violations | > 0 events                       |    |
|  | Guest-to-Corp attempts| > 10 per minute                  |    |
|  | IoT breakout attempts | > 0 (unauthorized destinations)  |    |
|  +----------------------------------------------------------+    |
|                                                                   |
|  vManage Monitoring:                                              |
|  Administration > Monitoring > VPN Summary                        |
|  - Per-VPN traffic statistics                                    |
|  - Cross-VPN policy violations                                   |
|  - Route table size per VPN                                      |
|                                                                   |
+------------------------------------------------------------------+

7. Topology Modes and Segmentation

7.1 Full Mesh Topology (Hub-Hub)

+------------------------------------------------------------------+
|                 FULL MESH - HUB SITES ONLY                        |
+------------------------------------------------------------------+
|                                                                   |
|     Mumbai DC <====================> Chennai DR                   |
|         ||\\                      //||                            |
|         || \\                    // ||                            |
|         ||  \\                  //  ||                            |
|         ||   \\                //   ||                            |
|         ||    \\              //    ||                            |
|         ||     \\============//     ||                            |
|         ||     ||  London   ||      ||                            |
|         ||     ||           ||      ||                            |
|         ||     ||===========||      ||                            |
|         ||    //            \\      ||                            |
|         ||   //              \\     ||                            |
|         ||  // New Jersey     \\    ||                            |
|         ||=====================\\===||                            |
|                                                                   |
|  Full mesh for:                                                   |
|  - VPN 10 (Employee) - DC interconnect                           |
|  - VPN 40 (Voice) - Call routing optimization                    |
|  - VPN 50 (Shared) - Service redundancy                          |
|                                                                   |
+------------------------------------------------------------------+

7.2 Hub-and-Spoke Topology (Branch)

+------------------------------------------------------------------+
|                HUB-AND-SPOKE - BRANCH SITES                       |
+------------------------------------------------------------------+
|                                                                   |
|                        +----------+                               |
|                        | Mumbai   |                               |
|                        |   DC     |                               |
|                        +----+-----+                               |
|                             |                                     |
|            +----------------+----------------+                    |
|            |                |                |                    |
|       +----+----+      +----+----+      +----+----+              |
|       |Bangalore|      | Delhi   |      | Noida   |              |
|       +---------+      +---------+      +---------+              |
|                                                                   |
|  Hub-and-spoke for:                                               |
|  - VPN 20 (Guest) - Central internet exit only                   |
|  - VPN 30 (IoT) - Centralized cloud access                       |
|  - VPN 100 (PCI) - Centralized compliance gateway                |
|                                                                   |
|  Benefits:                                                        |
|  - Centralized policy enforcement                                |
|  - Reduced branch complexity                                     |
|  - Simplified compliance                                         |
|                                                                   |
+------------------------------------------------------------------+

7.3 Per-VPN Topology Configuration

! Topology Configuration per VPN
policy
 topology VPN-TOPOLOGIES
  ! Full mesh for Employee VPN
  vpn-membership VPN-10-EMPLOYEE
   site-list HUB-SITES
    type full-mesh
   !
   site-list BRANCH-SITES
    type hub-and-spoke
    hub HUB-SITES
   !
  !

  ! Hub-and-spoke only for Guest
  vpn-membership VPN-20-GUEST
   site-list ALL-SITES
    type hub-and-spoke
    hub DC-SITES
   !
  !

  ! Hub-and-spoke only for IoT
  vpn-membership VPN-30-IOT
   site-list ALL-SITES
    type hub-and-spoke
    hub DC-SITES
   !
  !
 !
!

8. Multi-Region Fabric (MRF) Segmentation

8.1 MRF with VPN Segmentation

+------------------------------------------------------------------+
|                    MRF SEGMENTATION                               |
+------------------------------------------------------------------+
|                                                                   |
|  +---------------------+          +---------------------+         |
|  |   INDIA REGION      |          |   EMEA REGION       |        |
|  |   Access Domain     |          |   Access Domain     |        |
|  +---------------------+          +---------------------+         |
|  | Mumbai (Border)     |          | London (Border)     |        |
|  | Chennai (Border)    |          | Frankfurt           |        |
|  | Bangalore, Delhi,   |          |                     |        |
|  | Noida               |          |                     |        |
|  +----------+----------+          +----------+----------+         |
|             |                                |                    |
|             |    +------------------+        |                    |
|             +--->|   CORE REGION    |<-------+                    |
|                  | (Mumbai/Chennai  |                             |
|                  |  Border Routers) |                             |
|                  +--------+---------+                             |
|                           |                                       |
|             +-------------+-------------+                         |
|             |                           |                         |
|  +----------+----------+     +----------+----------+              |
|  |  AMERICAS REGION    |     |  CLOUD REGION       |              |
|  |  Access Domain      |     |  Access Domain      |              |
|  +---------------------+     +---------------------+              |
|  | New Jersey (Border) |     | AWS Gateway         |              |
|  | Dallas              |     | Azure Gateway       |              |
|  +---------------------+     +---------------------+              |
|                                                                   |
|  Each VPN maintains segmentation across all regions               |
|                                                                   |
+------------------------------------------------------------------+

8.2 MRF VPN Advertisement

! Border Router Configuration
! Control policy for inter-region route advertisement

policy
 control-policy MRF-ROUTE-POLICY
  ! Advertise VPN 10 routes to core
  sequence 10
   match route
    vpn-list VPN-10-EMPLOYEE
    site-list INDIA-SITES
   action accept
    set
     tloc-action secondary
    !
   !
  !

  ! Do NOT advertise Guest VPN to core
  sequence 20
   match route
    vpn-list VPN-20-GUEST
   action reject
  !

  ! Advertise Shared Services to all regions
  sequence 30
   match route
    vpn-list VPN-50-SHARED
   action accept
    set
     preference 1000
    !
   !
  !
 !
!

9. Compliance Zone Segmentation

9.1 PCI-DSS Cardholder Data Environment (CDE)

+------------------------------------------------------------------+
|                 PCI-DSS CDE SEGMENTATION                          |
+------------------------------------------------------------------+
|                                                                   |
|  VPN 100: PCI Zone                                                |
|  +----------------------------------------------------------+    |
|  |                                                          |    |
|  |  +------------------+     +------------------+           |    |
|  |  | Payment Servers  |<--->| Payment Gateway  |           |    |
|  |  | 172.30.10.0/24   |     | (Service Insert) |           |    |
|  |  +------------------+     +------------------+           |    |
|  |                                |                         |    |
|  |                                v                         |    |
|  |                     +------------------+                 |    |
|  |                     | External Firewall|                 |    |
|  |                     | (Palo Alto)      |                 |    |
|  |                     +--------+---------+                 |    |
|  |                              |                           |    |
|  +----------------------------------------------------------+    |
|                                 |                                |
|                                 v Internet (Payment Processor)   |
|                                                                   |
|  Segmentation Requirements:                                       |
|  - Complete isolation from all other VPNs                        |
|  - No route leaking allowed                                      |
|  - Service insertion for next-gen firewall                       |
|  - Full traffic logging and inspection                           |
|                                                                   |
+------------------------------------------------------------------+

9.2 PCI Zone Configuration

vpn 100
 name "PCI Cardholder Data Environment"
 omp
  advertise connected
  no advertise static
 !

 ! Isolated interface - no SD-Access handoff
 interface GigabitEthernet0/0/3
  description "PCI Zone - Dedicated Interface"
  ip address 172.30.10.1/24
  no shutdown
 !

 ! Service insertion for external firewall
 service firewall palo-alto
  ip address 172.30.10.254
  service-list
   permit all
  !
 !

 ! No default route - explicit routes only
 ip route 0.0.0.0/0 172.30.10.254

!

10. Best Practices Summary

10.1 VPN Design Best Practices

  • Keep VPN count manageable (< 15 for most deployments)
  • Use consistent VPN numbering across all sites
  • Document VPN purpose and allowed traffic clearly
  • Align VPN design with SD-Access VN structure

10.2 Route Leaking Best Practices

  • Default to no route leaking (isolation by default)
  • Document all route leaking with business justification
  • Use data policies to restrict leaked route usage
  • Regularly audit route leaking configuration

10.3 Compliance Best Practices

  • Create dedicated VPNs for compliance zones (PCI, etc.)
  • Implement additional controls (NGFW, logging) for compliance VPNs
  • Test and validate isolation regularly
  • Maintain documentation for auditors

10.4 Operational Best Practices

  • Monitor cross-VPN traffic for anomalies
  • Alert on unexpected VPN communication
  • Validate segmentation after any policy changes
  • Include segmentation testing in change procedures

References

Document Description Location
Cisco SD-WAN Segmentation Guide Official segmentation documentation cisco.com
PCI-DSS v4.0 Requirements Payment card industry standards pcisecuritystandards.org
Abhavtech VN Design SD-Access virtual network design SharePoint
Network Security Policy Corporate segmentation requirements Internal

Document Version: 1.0 Last Updated: December 2025 Classification: Internal Use Document ID: SDWAN-SEC-3.4