Your web browser doesn't support some required capabilities.

This interactive demo works best with the latest version of Chrome, Firefox, or Safari.


An error occurred. Please reload the page or download again from the VMware Demo Library:

For VMware partners:

For VMware employees:


Visit the VMware Demo Library
to get more demos!

For VMware partners:

For VMware employees:


Unable to initialize the simulation player:

This demo file may be incomplete or damaged. Please reload the page or download again from the VMware Demo Library:

For VMware partners:

For VMware employees:


This is an interactive demo

Drive it with your mouse, your finger, or just use the arrow keys.

Use Learn mode to learn the demo. The orange boxes show where to click.

Use Present mode to hide the orange boxes and notes.

Click a Shortcut to jump to a specific part of the demo.

Hide notes
Restore notes
Open notes window
Increase font size
Decrease font size


Summary Steps: 

Step 1. Create new Segments for the Enterprise

Step 2. Assign Segment to Profile

Step 3. Configure new segments with settings like VLANS, IP Address, VPN topology and firewall rules.

Step 4. Verification Steps.


Detailed Steps: 

Step 1. Create and Assign Segments

  • click Configure from Orchestrator. For this demo, Segments are  created for Global Retail Customer
  • click Segments
  • click on the "+" to add/create new segments

    For this demo, End user will create 2 segments and will assign the segment to profile=Branch OSPF Profile

    CDE Segment
    Guest Segment

  • click and type "CDE Segment"
  • click for description. Description for this demo is auto filled
  • click on the "+" sign
  • click and type segment name as "Guest Segment"
  • click for description. Description for this demo is auto filled
  • click "Save Changes"

Step 2: Assign the new segments to the Profile

For this demo, New segments will be assigned to the "Branch OSPF Profile"

  • click Profiles
  • click Branch OSPF Profiles
  • click Devices 
  • Configure segments and currently the UI shows only 1 Segment. this is the default Segment "Global Segment"

    Default Segment is the Global Segment

  • click "Select Profile Segments" change
  • click CDE Segment and move it to the right. this way CDE segment will get assigned to the Profile. 
  • click Right Arrow to move the CDE to the profile

    Similarly move Guest Segment and assign to the profile. 

  • click  Guest Segment 
  • click right arrow to move Guest Segment
  • click confirm changes
  • click  Configure Segments. Now, the UI shows 3 Segments.

Step 3: Configure New Segments with settings like overlapping or different Vlans and IP address, different VPN topologies, business policy and firewall rules as per your business needs.

For this demo, End user will Configure

CDE Segment:
Cloud VPN= Hub Spoke Topology
Create Firewall Rule and disable Facebook Application.

Guest Segment:

Cloud VPN=Enable VPN to Non VeloCloudSite
All Internet Traffic will be redirected from Guest Segment to Zscaler Site for inspection. All Sports site traffic is sropped by Zscaler

  • click Configure VLAN->Add Vlan
  • click Segment from the drop down menu for "select an option"
  • click Vlan id and type 20
  • click "assign Overlapping subnets if you want to use the overlapping. For this demo, end user will select Overlapping ip address.
  • click Edge LAN IP address and
    type in
  • click CIDR and type 24
  • click lease time and change the lease time to 4 hrs. 
  • Similarly, end user will configure Vlan for Guest segment. This will be auto filled for the demo
  • click on the Firewall to create firewall rule on CDE  segment to block facebook traffic.
  • click CDE Segment from the drop down menu "Configure Segments"
  • click new rule, rule name is auto populated for this demo. 
  • click Application and type in facebook from the search bar and select facebook. 
  • click Action as deny. 
  • click save changes

    This firewall rule (Facebook deny) will be applied only to CDE Segments. Clients on LAN side with 192.168.20.x subnet will not have access to facebook app.

    Now, End user will configure a different VPN topology for Guest Segment.

    This is to demonstrate that each segment can have different VPN topologoies, firewall rules and other settings too.

  • click on the Guest Segment from devices
  • click enable cloud vpn
  • click drop down and select Zscaler
  • click and select Zscaler West 
  • click save changes
  • click confirm
  • This will configure NVS VPN for Guest Segment. 

  • Similarly, end user will configure Hub spoke VPN for CDE Segment
  • click CDE Segment from "Configure Segment" drop down
  • click enable Cloud VPN and use the HUB option. 
  • use DC1 as the hub device
  • click save changes

    Guest Segment now has NVS VPN and the CDE Segment has the Hub Spoke topology

    Step 4: Verification Steps

    For this demo, Chicago Branch site which is assigned to the Branch OSPF profile is used. Also, a client machine ( linux based) is connected to the LAN side of the Chicago Branch Site. 

    GE1 interface of the edge device has connection to the Client machine. When the Guest segments needs to be verified, client machine will get connected to guest segment by assigning the GE1 to Guest segment and so on for the other segments. 

    Verification 1: Verifying different firewall rules for segments. In this case, Facebook is disabled for CDE segment. Client machine will not be able to browse Facebook.

    Verification for CDE Segment with Firewall Rule 

    End Result: Client machine with CDE segment is NOT allowed to access Facebook. 
  • click Chicago Branch Site
  • click devices
  • assign the GE1 interface to CDE Segment
  • click save changes
  • login to the client machine by clickin on the browser tab labelled with "chicago Client"

  • Let's confirm that the client machine is part of CDE segment. CDE segment vlan subnet is 192.168.20.x
  • from the client (linux machine), confirm the client machine LAN subnet. as per the config, client machine should be part of 192.168.20.x subnet. this subnet belongs to  CDE Segment. 
  • Now, open the browser and type in facebook. this should be disallowed as per the firewall rule. Other sites should be allowed. 

Verification 2: Verifying different firewall rules for segments. In this case, Facebook is Enabled for Guest segment. Client machine will be able to browse Facebook.

Verification for GUEST Segment with Firewall Rule 

End Result: Client machine with Guest segment allow to access Facebook. 

Follow the same process as above.

  • click and change the GE1 to Guest Segment. 
  • click Save changes 
  • click client machine and check to see if the client machine part of new segment ( in this case GUEST Segment. Guest segment is with Vlan 30 192.168.30.x
  • Open browser tab and
  • click on Facebook icon from the browser Top Sites. 
  • Facebook from the client machine is allowed

Verification 3: Verifying different VPN topologies per segments.

In this case, for Guest Segment NVS (Zscaler) is enabled and for CDE segment Hub Spoke topology is enabled. 

Verification for GUEST Segment with NVS. 

For this test case, Redirect all Internet Traffic for Chicago Branch Site to Zscaler. Zscaler has a policy to drop all sports site traffic. 

  • For Guest Segment create a Internet redirect rule.
  • click Business policy for Chicago Branch Site.
  • click and select Guest Segment from drop down
  • click Create Business Policy Rule with Internet traffic. 
  • click New Rule
  • click Destination->Define-> Select Internet 
  • click Action-> Network Services-> Select Internet Backhaul--> select the NVS Site (in this case Chicago-West)
  • click ok and save changes for the Guest Segment
  • Do check the Business Policy for the CDE Segment. There should not be any internet rule for the CDE segment. 
  • click on the drop down for Select Segment and do the verification.

  • click the Chicago Client machine to verify the configuration. All internet traffic should get redirected to Zscaler and sports website should be blocked. 

  • espn.com is autofilled for this demo. You can see that any sports website gets blocked as the client machine is part of Guest Segment. 
  • Other internet sites are allowed at the same time for Guest Segment clients.



How likely is it that you would recommend this demo to a friend or colleague?
Not at all likely Extremely likely
Thanks, we appreciate your feedback!
Copyright © 2018 VMware, Inc. All rights reserved.