Extending Segmentation over the WAN


Two main types of connectivity can be provided over a WAN:

  • Interconnectivity of segmented metropolitan-area networks (MANs) and campus networks

  • Aggregation of branches requiring segmentation

Subtle differences exist between supporting the interconnection of segmented MANs/campus networks and the aggregation of segmented branches. However, you can apply the available techniques to either scenario. The techniques for extending VNs over the WAN include the following:

  • MPLS over Layer 2 circuits

  • Multiple VPNs from the service provider

  • CsC

  • MPLS over GRE tunnels

  • RFC 2547 VPNs over L2TPv3 IP tunnels

  • Multi-VRF interconnected with mGRE/DMVPN overlays

  • RFC 2547 VPNs over mGRE/DMVPN

In this section, we analyze the different techniques from both perspectives (site interconnection and branch aggregation). Each of the options can address the scenario in which segmentation is required at some branches and not required at others, as depicted in Figure 7-6. Branches that do not require segmentation might have to be placed in their own VRF, the default common VRF, or the global table at the headend, depending on the enterprise requirements.

Figure 7-6. Segmented and Nonsegmented Branches


Note

As we analyze the different options, it is important to understand that all traffic is originally forwarded using the global routing table. As VNs are created, traffic that does not require segmentation can continue to use the global routing table, whereas segmented traffic can be assigned to VNs as needed.





Network Virtualization
ISBN: 1587052482
EAN: 2147483647
Year: 2006
Pages: 128
