About the Departments Page

To access this page, click Configuration > Shared Objects > Departments.

You can use the Departments page to add, view, or delete departments.

A network on a tenant site is divided into multiple LAN segments to improve traffic management and security. A LAN segment is a small portion of a LAN that is used by a work group. You can group LAN segments as departments for ease of management and for applying specific policies to LAN segments that are members of a department.

You can add one of the following types of departments from the Add Department page:

  • A standard department, when the Data Center Department field is False (the default).

    A standard department can be assigned to a spoke site or an enterprise hub site through directly connected LAN segments only.

  • A data center department, when you select True for the Data Center Department field.

    A data center department is a shared department that enables you to connect to the tenant data center networks and that hosts shared resources (for example, host servers or web applications) that all the regular departments within the tenant can access.

    A data center department can be assigned only to enterprise hub sites, through directly connected or dynamically routed LAN segments (which learn data center routes using OSPF or BGP).

Network segmentation and departments:

If network segmentation is enabled for a tenant (the default), each department within the tenant has its own security zone and its own Layer 3 VPNs (also called virtual routing and forwarding instances [VRFs]). Because the VRFs are isolated for each department in a network segmentation-enabled tenant, Contrail Service Orchestration (CSO) supports overlapping IP addresses across two or more departments. For more information, see Overlapping IP Addresses Across Departments.

When a tenant user has overlapping IP addresses configured across departments, access to enterprise hub data center routes requires a source Network Address Translation (NAT) rule applied on the enterprise hub device, with the source set to an incoming traffic zone (for example, trust) and the destination set to the data center department zone.

If network segmentation is disabled for the tenant, each department has its own security zone but the departments within the tenant share the same Layer 3 VPNs (or VRFs).
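The following audit sketch is an added example, not CSO code or output: it checks a department inventory for LAN segments that overlap across standard departments and reports what the segmentation setting implies for each overlap. The department names, prefixes, and the audit_overlaps function are constructed for illustration; the "conflict" verdict for a shared VRF is an inference from the paragraph above, not a statement from the CSO documentation.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: department -> (data center department?, LAN segment prefixes)
DEPARTMENTS = {
    "engineering": (False, ["10.1.0.0/24", "10.2.0.0/24"]),
    "finance": (False, ["10.1.0.128/25"]),
    "guest": (False, ["192.168.50.0/24"]),
    "dc-shared": (True, ["172.16.0.0/16"]),
}

def audit_overlaps(departments, segmentation_enabled=True):
    """Find LAN segments that overlap across standard departments.

    Returns a list of (dept_a, dept_b, prefix_a, prefix_b, verdict) tuples.
    """
    standard = {
        name: [ipaddress.ip_network(p) for p in prefixes]
        for name, (is_dc, prefixes) in departments.items() if not is_dc
    }
    has_dc = any(is_dc for is_dc, _ in departments.values())
    if not segmentation_enabled:
        # Inferred from the shared VRF: overlapping prefixes land in one routing table.
        verdict = "conflict: departments share the same VRF"
    elif has_dc:
        # Per the page: needs a source NAT rule on the enterprise hub device.
        verdict = "source NAT required: incoming zone -> data center department zone"
    else:
        verdict = "allowed: per-department VRFs are isolated"
    findings = []
    for a, b in combinations(sorted(standard), 2):
        for net_a in standard[a]:
            for net_b in standard[b]:
                if net_a.overlaps(net_b):
                    findings.append((a, b, str(net_a), str(net_b), verdict))
    return findings

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"network segmentation enabled: {enabled}")
        for finding in audit_overlaps(DEPARTMENTS, enabled):
            print("  ", *finding)
```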

Tasks You Can Perform

You can perform the following tasks from this page:

  • View detailed information about a department. Click the details icon that appears when you hover over the name of a department, or select More > Detail.

  • Add a Department. See Add a Department.

  • Delete a department. See Delete a Department.

  • Filter departments. Hover over the filter (funnel) icon, click Add Filter to specify the filtering criteria, and click Add.

    The filtered results are displayed on the same page.

  • Search for a department. Click the Search icon in the top right corner of the page.

    You can enter partial text or full text of the keyword in the text box and press Enter.

    The search results are displayed on the same page.

  • Show or hide columns about a department. Click the Show/Hide columns icon in the top right corner of the page and select the columns that you want to view on the page.

Field Descriptions

Table 1 describes the fields on the Departments page.

Table 1: Fields on the Departments Page

  • Name of the department.

  • Site/LAN Segments: Sites and LAN segments associated with the department. You can hover over the number link to view the complete list of associated sites and LAN segments.

  • Name of the VPN to which the department is assigned.

  • Data Center: Displays whether the department is a data center department or not (true or false).

  • Description of the department.

  • Network UUID: Internal network universally unique identifier (UUID) used by CSO.