Workflow-Based Split Tunnel Options Explained

Updated on March 12, 2024


Version 1.0 by Andrey Bazovkin

Introduction

This article provides an overview of the Split Tunnel configuration options available through workflows in Versa Director.

For each option, the resulting configuration is explained together with possible adjustments.

Screenshots and examples in this article were made in Versa Director 22.1.2; however, the same approach applies to 21.2 versions as well.

Split Tunnel configuration in a workflow – General information

Split Tunnel is an optional configuration in a workflow, located on its “Tunnels” tab, which builds direct connectivity between two VRs on the router, with several additional options. One side of such a Split Tunnel is one of the LAN VRs present on this router, and the other side is one of the WAN VRs. Each Split Tunnel may optionally have the “Direct Internet Access” and “Gateway” flags selected. It is possible to configure several Split Tunnels per router, each with different options.

The subsequent sections of this article explain all four combinations of the “Direct Internet Access” and “Gateway” flag selection.

Split Tunnel for local-only Direct Internet Access

This section describes the scenario in which the Split Tunnel workflow option is used to provide Direct Internet Access (DIA) for the LAN segment of this branch only:

Workflow setting:

• Select the desired LAN-VR and WAN interface(s) used for DIA

• Select the “Direct Internet Access” flag

Settings added by the workflow to the device template:

1. A pair of tvi interfaces is added (tvi-0/6xx)

2. A CGNAT rule is created:

a. The source pool contains the network of the selected WAN interface

b. The translation rule matches the LAN side of the Split Tunnel as the destination zone (the L-ST-* one), so DIA traffic exits the LAN-VR with a translated source

3. BGP peering is created between the LAN-VR and the Transport-VR over the Split Tunnel with the following details:

a. Transport-VR prefixes are advertised to the LAN-VR. When received in the LAN-VR, they are tagged with community 64513:64513, based on which they are rejected from being advertised into SD-WAN, and assigned LP 120, 119, … (depending on tunnel order and the “Load balance” flag in the workflow).

b. All LAN prefixes are advertised to the Transport-VR, while SD-WAN prefixes are blocked over the Split Tunnel.

4. If NGFW is enabled in the workflow, the source of the default “Allow_From_Trust” policy is extended with the zones corresponding to the WAN side of the Split Tunnel (the W-ST-* ones).

Notes and possible modifications:

1. If more than one Split Tunnel is configured, prefixes received from them get LPs 120, 119, … assigned depending on the tunnel position in the list (the first receives 120, and each subsequent one decrements by 1). Selecting the “Load balance” flag sets the LP for prefixes from all tunnels to 120, so they are equally preferred.

2. Optionally, in case there are several Internet links available, or there is another backup Internet breakout location available, and there is only a static default route to the ISP, it is possible to assign a monitor to the INET interface, so that VOS stops advertising the default route to LAN and SD-WAN when there is no Internet connectivity over this link (so backup connectivity options can take over). This is done in the interface settings in the workflow by putting the monitored IP into the “Remote IP” field.

This creates the corresponding IP-SLA monitor and assigns it to the BGP redistribution policy in the corresponding Transport-VR.

3. The default route (or other prefixes) received from the Transport-VR is an eBGP prefix in the LAN-VR, so it is more preferred than the corresponding one received from SD-WAN. If local DIA is needed only as a backup to the centralized Internet breakout, or only selective DIA is expected, the “Route Preference” parameter for the local DIA prefix in the LAN-VR has to be increased to a value above 200 (e.g. 210). This is done in the Device template under Virtual Routers -> LAN-VR -> BGP -> Peer/Group Policy -> From_ST_* -> Color_ST_Routes. Step by step: open the LAN-VR in the Device template, select the BGP tab and the corresponding BGP instance (the number may vary), switch to the Peer/Group Policy tab, and edit the Action in the Color_ST_Routes term for each From_ST_* policy.

4. If selective Direct Internet Access is expected, where only certain traffic needs to be broken out locally and the remaining Internet traffic should go to the centralized Internet breakout location via SD-WAN, apply the workaround from note 3 above (so that all Internet traffic prefers the SD-WAN path to the remote location by default), and add an SD-WAN policy that matches the traffic for local DIA and assigns the corresponding Forwarding Profile for local breakout.

Split Tunnel for Internet Access gateway location

This section describes the scenario in which the Split Tunnel workflow option is used on a branch that should provide Internet Access (DIA) for other branches, acting as a Gateway:

Workflow setting:

• Select the desired LAN-VR and WAN interface(s) used for DIA

• Select both the “Direct Internet Access” and the “Gateway” flag:

Settings added by the workflow to the device template:

1. A pair of tvi interfaces is added (tvi-0/6xx)

2. A CGNAT rule is created:

a. The source pool contains the network of the selected WAN interface

b. The translation rule matches the LAN side of the Split Tunnel as the destination zone (the L-ST-* one), so DIA traffic exits the LAN-VR with a translated source

3. BGP peering is created between the LAN-VR and the Transport-VR over the Split Tunnel with the following details:

a. Transport-VR prefixes are advertised to the LAN-VR, from which they can be advertised to SD-WAN as well. When received in the LAN-VR, they are assigned LP 100, 99, … (depending on tunnel order and the “Load balance” flag in the workflow).

b. All prefixes (LAN and SD-WAN) are advertised to the Transport-VR.

4. If NGFW is enabled in the workflow, the source of the default “Allow_From_Trust” policy is extended with the zones corresponding to the WAN side of the Split Tunnel (the W-ST-* ones).

Notes and possible modifications:

1. If more than one Split Tunnel is configured, prefixes received from them get LPs 100, 99, … assigned depending on the tunnel position in the list (the first receives 100, and each subsequent one decrements by 1). Selecting the “Load balance” flag sets the LP for prefixes from all tunnels to 100, so they are equally preferred.

2. Optionally, in case there are several Internet links available, or there is another backup Internet breakout location available, and there is only a static default route to the ISP, it is possible to assign a monitor to the INET interface, so that VOS stops advertising the default route to LAN and SD-WAN when there is no Internet connectivity over this link (so backup connectivity options can take over). This is done in the interface settings in the workflow by putting the monitored IP into the “Remote IP” field.

This creates the corresponding IP-SLA monitor and assigns it to the BGP redistribution policy in the corresponding Transport-VR.

3. If this branch needs to be a backup Internet breakout location for the whole SD-WAN network, the following adjustment has to be applied: the default route received from the Transport-VR should be less preferred than the one received from SD-WAN. But as it is an eBGP prefix in the LAN-VR, it is more preferred by default. To overcome this, the “Route Preference” parameter for the local DIA prefix in the LAN-VR has to be increased to a value above 200 (e.g. 210). This is done in the Device template under Virtual Routers -> LAN-VR -> BGP -> Peer/Group Policy -> From_ST_GW_* -> Color_ST_GW_Routes. Step by step: open the LAN-VR in the Device template, select the BGP tab and the corresponding BGP instance (the number may vary), switch to the Peer/Group Policy tab, and edit the Action in the Color_ST_GW_Routes term for each From_ST_GW_* policy.
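To make the interplay of Local Preference, the 64513:64513 community and the “Route Preference” adjustment concrete for both the local-DIA section and this Gateway section, here is an added Python model of the LAN-VR route choice; it is an illustration written for this article, not Versa code. It assumes, as the notes imply, that a lower Route Preference wins before Local Preference is compared, that SD-WAN-learned routes carry preference 200, and a constructed default of 20 for the eBGP Split Tunnel peering.

```python
from dataclasses import dataclass, field

# Values from the article: the community that keeps ST routes local-only and
# the Route Preference threshold above which a DIA route loses to SD-WAN.
REJECT_COMMUNITY = "64513:64513"
SDWAN_ROUTE_PREF = 200     # assumed preference of SD-WAN-learned routes
DEFAULT_EBGP_PREF = 20     # constructed default for the eBGP ST peering
RAISED_EBGP_PREF = 210     # the article's suggested value for backup DIA


@dataclass
class Route:
    prefix: str
    source: str            # "ST-1", "ST-2", ... or "SDWAN"
    route_pref: int
    local_pref: int
    communities: frozenset = field(default_factory=frozenset)


def st_local_pref(tunnel_index, gateway, load_balance):
    """LP for prefixes from the Split Tunnel at 0-based position tunnel_index:
    base 120 for DIA-only tunnels, 100 for Gateway tunnels; without the
    "Load balance" flag each subsequent tunnel decrements by one."""
    base = 100 if gateway else 120
    return base if load_balance else base - tunnel_index


def st_route(prefix, tunnel_index, gateway, load_balance, route_pref=DEFAULT_EBGP_PREF):
    """A Transport-VR prefix as seen in LAN-VR after the Split Tunnel peer
    policy: non-gateway tunnels tag it 64513:64513 so it stays local-only."""
    comms = frozenset() if gateway else frozenset({REJECT_COMMUNITY})
    return Route(prefix, f"ST-{tunnel_index + 1}", route_pref,
                 st_local_pref(tunnel_index, gateway, load_balance), comms)


def sdwan_route(prefix, local_pref=100):
    """The same prefix as learned from the centralized breakout via SD-WAN."""
    return Route(prefix, "SDWAN", SDWAN_ROUTE_PREF, local_pref)


def best_route(candidates):
    """Lower route preference wins; ties are broken by higher local preference."""
    return min(candidates, key=lambda r: (r.route_pref, -r.local_pref))


def exportable_to_sdwan(route):
    """Export filter toward SD-WAN: drop anything carrying 64513:64513."""
    return REJECT_COMMUNITY not in route.communities
```

Running `best_route` on the default route with `route_pref=DEFAULT_EBGP_PREF` returns the Split Tunnel route; with `route_pref=RAISED_EBGP_PREF` the SD-WAN route wins, which is exactly the effect of the note 3 adjustment.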

Split Tunnel for local Legacy WAN connectivity (“brownfield” deployment)

This section describes the scenario in which the Split Tunnel workflow option is used on a branch that should also have local connectivity to the legacy WAN, which can be a use case in “brownfield” deployments:

Workflow setting:

• Select the desired LAN-VR and WAN interface(s) used to connect to the legacy WAN

• Do not select either the “Direct Internet Access” or the “Gateway” flag:

Settings added by the workflow to the device template:

1. A pair of tvi interfaces is added (tvi-0/6xx)

2. BGP peering is created between the LAN-VR and the Transport-VR over the Split Tunnel with the following details:

a. Transport-VR prefixes are advertised to the LAN-VR. When received in the LAN-VR, they are tagged with community 64513:64513, based on which they are rejected from being advertised into SD-WAN, and assigned LP 100, 99, … (depending on tunnel order and the “Load balance” flag in the workflow).

b. All LAN prefixes are advertised to the Transport-VR, while SD-WAN prefixes are blocked over the Split Tunnel.

3. If NGFW is enabled in the workflow, the source of the default “Allow_From_Trust” policy is extended with the zones corresponding to the WAN side of the Split Tunnel (the W-ST-* ones), to allow LAN to legacy WAN flows.

Notes and possible modifications:

1. If more than one Split Tunnel is configured, prefixes received from them get LPs 100, 99, … assigned depending on the tunnel position in the list (the first receives 100, and each subsequent one decrements by 1). Selecting the “Load balance” flag sets the LP for prefixes from all tunnels to 100, so they are equally preferred.

2. If there are several links connecting to the legacy WAN and no dynamic routing protocol runs over them, it is recommended to assign IP SLA monitors to those links, so that in case of a connectivity failure the legacy LAN prefixes are no longer advertised from the corresponding WAN-Transport-VR to the LAN-VR. For more information, see Note#2 in Section#3.

Split Tunnel for Legacy WAN Gateway (“brownfield” deployment)

This section describes the scenario in which the Split Tunnel workflow option is used on a branch that should act as the Gateway to the legacy WAN, which can be a use case in “brownfield” deployments. Usually in such cases a dynamic routing protocol should be used on the WAN link to the legacy WAN to keep the configuration scalable.

Workflow setting:

• Select the desired LAN-VR and WAN interface(s) used to connect to the legacy WAN

• Select only the “Gateway” flag:

Settings added by the workflow to the device template:

1. A pair of tvi interfaces is added (tvi-0/6xx)

2. BGP peering is created between the LAN-VR and the Transport-VR over the Split Tunnel with the following details:

a. Transport-VR prefixes are advertised to the LAN-VR, from which they can be redistributed to SD-WAN. When received in the LAN-VR, they are assigned LP 100, 99, … (depending on tunnel order and the “Load balance” flag in the workflow).

b. All LAN and SD-WAN prefixes are advertised to the Transport-VR over the Split Tunnel.

3. If NGFW is enabled in the workflow, the source of the default “Allow_From_Trust” policy is extended with the zones corresponding to the WAN side of the Split Tunnel (the W-ST-* ones), to allow LAN to legacy WAN flows.

Notes and possible modifications:

1. If more than one Split Tunnel is configured, prefixes received from them get LPs 100, 99, … assigned depending on the tunnel position in the list (the first receives 100, and each subsequent one decrements by 1). Selecting the “Load balance” flag sets the LP for prefixes from all tunnels to 100, so they are equally preferred.

2. If this branch needs to be a backup Gateway location for the SD-WAN network, the following adjustment has to be applied: prefixes received from the Transport-VR should be less preferred than the ones received from SD-WAN. But as they are eBGP prefixes in the LAN-VR, they are more preferred by default. To overcome this, the “Route Preference” parameter for the legacy WAN prefixes in the LAN-VR has to be increased to a value above 200 (e.g. 210). This is done in the Device template under Virtual Routers -> LAN-VR -> BGP -> Peer/Group Policy -> From_ST_GW_* -> Color_ST_GW_Routes. Step-by-step screenshots for this adjustment are provided under Note#3 in Section#4.

Appendix. Split Tunnel Firewall zones naming conventions

This section is added to help understand the Firewall zone naming conventions used in the CGNAT and NGFW configurations related to the Split Tunnel.

When a Split Tunnel is created, each of its endpoint interfaces is placed into a dedicated Firewall zone, named according to the following convention:

• LAN-VR side split tunnel zone name: L-ST-<LAN-VR_name>-<WAN-network_name>. Example for Versa-LAN-VR and INET-1: L-ST-Versa-LAN-VR-INET-1

• WAN-Transport-VR side split tunnel zone name: W-ST-<LAN-VR_name>-<WAN-network_name>. Example for Versa-LAN-VR and INET-1: W-ST-Versa-LAN-VR-INET-1

The VOS router diagram below illustrates the FW zone assignments in the case of a Split Tunnel:

Summary

Versa Director workflows provide rich options for configuring Split Tunnels on VOS devices, covering local DIA, DIA Gateway, and legacy WAN connectivity, both local and Gateway. In this article those options are presented with a detailed explanation of the configuration created for each of them, together with possible tuning suggestions.