Extract from the Policies section of the Cisco SD-WAN Design Guide:
"Data policies influence the flow of data traffic through the network based on fields in the IP packet headers and VPN membership.
Centralized data policies can be used in configuring application firewalls, service chaining, traffic engineering, quality of service (QoS), and Cflowd."
Cisco have an excellent chapter on Service Chaining in their Policies Configuration Guide here:
Here are some of the extracts from this guide for study:
Flow
The general flow of service chaining in a Cisco SD-WAN network is as follows:
- vEdge routers advertise the services available in their branch or campus—such as firewall, IDS, and IDP—to the Cisco vSmart controllers in their domain. Multiple Cisco vEdge devices can advertise the same services.
- Cisco vEdge devices also advertise their OMP routes and TLOCs to the Cisco vSmart controllers.
- For traffic that requires services, policy on the Cisco vSmart controller changes the next hop for the OMP routes to the service landing point. In this way, the traffic is first processed by the service before being routed to its final destination.
Service Routes
The hub and local branch Cisco vEdge devices advertise the services available in their networks to the Cisco vSmart controllers in their domain using service routes, which are sent via OMP using the service route Subsequent Address Family Identifier (SAFI) bits of the OMP NLRI. The Cisco vSmart controllers maintain the service routes in their RIB, and they do not propagate these routes to the vEdges.
(Attribute details for service routes are in the Cisco guide)
Configuration Examples:
Scenario 1: Route Intersite Traffic via a Firewall Service (Same VPN)
For this scenario, you configure the following:
- On the vEdge hub router, you configure the IP address of the firewall device.
- On the Cisco vSmart Controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall service.
- On the Cisco vSmart Controller, you apply the control policy to Site 1.
On the vEdge Hub we set the firewall device within VPN 10:
vpn 10
  service FW address 1.1.1.1
Control Policy configuration on vSmart: (Applied to Site 1)
policy
  lists
    site-list firewall-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        site-id 2
      action accept
        set service FW vpn 10
    default-action accept
apply-policy
  site-list firewall-sites control-policy firewall-service out
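As an added example (not from the Cisco guide or this post), here is a small Python model of the flow described above: the vSmart rewrites the next hop of each matching OMP route to the TLOC that advertised the service, and an omitted default-action means the policy rejects every other route, which is the pitfall to check for when a site suddenly loses reachability after a service-chaining policy is pushed. Site ids, TLOCs and prefixes are constructed sample values; the VPN match used in Scenario 2 is just another key in the match dict.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    vpn: int
    site_id: int    # originating site, matched by "match route site-id"
    next_hop: str   # TLOC (system IP) the route currently points at
@dataclass(frozen=True)
class Sequence:
    match: dict                        # e.g. {"site_id": 2, "vpn": 30}
    service: Optional[str] = None      # "set service FW"; None = accept as-is
    service_vpn: Optional[int] = None  # "set service FW vpn 10"; None = route VPN
@dataclass(frozen=True)
class ControlPolicy:
    sequences: tuple
    default_accept: bool = False       # omitted default-action means reject
def apply_control_policy(policy, routes, service_routes):
    """Routes vSmart advertises to the target site after the policy runs.
    service_routes: (service, vpn) -> TLOC of the hub that advertised it via
    the OMP service-route SAFI (model assumes every named service exists)."""
    advertised = []
    for r in routes:
        for seq in policy.sequences:
            if all(getattr(r, k) == v for k, v in seq.match.items()):
                if seq.service is not None:
                    vpn = seq.service_vpn if seq.service_vpn is not None else r.vpn
                    # Next hop becomes the service landing point, so traffic
                    # passes through the firewall before its real destination.
                    r = replace(r, next_hop=service_routes[(seq.service, vpn)])
                advertised.append(r)
                break
        else:  # no sequence matched: default-action decides
            if policy.default_accept:
                advertised.append(r)
    return advertised

# Constructed sample: hub at site 3 (TLOC 10.0.0.3) advertises FW in VPN 10.
SERVICE_ROUTES = {("FW", 10): "10.0.0.3"}
ROUTES = [Route("10.2.0.0/24", 10, 2, "10.0.0.2"),   # Site 2 prefix
          Route("10.4.0.0/24", 10, 4, "10.0.0.4")]   # unrelated Site 4 prefix
FIREWALL_POLICY = ControlPolicy((Sequence({"site_id": 2}, "FW", 10),), True)

def scenario1():  # Scenario 1 policy, default-action accept
    return {r.prefix: r.next_hop for r in apply_control_policy(FIREWALL_POLICY, ROUTES, SERVICE_ROUTES)}

def implicit_reject():  # same policy with default-action omitted
    p = replace(FIREWALL_POLICY, default_accept=False)
    return [r.prefix for r in apply_control_policy(p, ROUTES, SERVICE_ROUTES)]
```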
Now we can step this up and do the same thing, but across different VPNs.
Scenario 2: Route Inter-VPN Traffic through a Service Chain with One Service per Node / vEdge
For this scenario, you configure four things:
- You configure the IP address of the firewall device on the vEdge Hub-1 router.
- You configure the IP address of the custom service device on the vEdge Hub-2 router.
- On the Cisco vSmart Controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall device.
- On the Cisco vSmart Controller, you configure a second control policy that redirects traffic to the custom service device.
vEdge Hub 1 (the service name must match the FW keyword used in the policy below):
vpn 10
  service FW address 1.1.1.1
vEdge Hub 2:
vpn 10
  service netsvc1 address 2.2.2.2
Control Policy on vSmart for Service 1: (Applied to Site 1)
policy
  lists
    site-list firewall-custom-service-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
        site-id 2
      action accept
        set service FW
    default-action accept
apply-policy
  site-list firewall-custom-service-sites control-policy firewall-service out
Control Policy on vSmart for Service 2: (Applied to Hub site)
policy
  lists
    site-list custom-service
      site-id 3
  control-policy netsvc1-service
    sequence 10
      match route
        vpn 30
        site-id 2
      action accept
        set service netsvc1
    default-action accept
apply-policy
  site-list custom-service control-policy netsvc1-service out
Scenario 3: Route Inter-VPN Traffic through a Service Chain with Multiple Services per Node / vEdge
For this scenario, you configure the following three things:
- On the vEdge hub router, you configure the firewall and custom services.
- On the Cisco vSmart Controller, you configure a control policy that redirects data traffic from Site 1 that is destined to Site 2 through the firewall.
- On the Cisco vSmart Controller, you configure a data policy that redirects data traffic to the custom service.
On the Hub vEdge:
vpn 10
  service FW address 1.1.1.1
  service netsvc1 address 2.2.2.2
Control Policy to redirect data from Site 1 to Site 2 via the firewall (Applied to vEdge-1). A control policy rejects by default, so default-action accept is included to avoid dropping every other route advertised to Site 1:
policy
  lists
    site-list vEdge-1
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
      action accept
        set service FW
    default-action accept
apply-policy
  site-list vEdge-1 control-policy firewall-service out
Data Policy to redirect data from Site 1 to Site 2 via the custom service (Applied to vEdge-Hub-1). The match uses the svc-chain prefix list defined under lists, and default-action accept keeps non-matching traffic flowing rather than dropping it:
policy
  lists
    site-list vEdge-2
      site-id 2
    site-list vEdge-Hub-1
      site-id 3
    prefix-list svc-chain
      ip-prefix x.x.0.0/16
    vpn-list vpn-10
      vpn 10
  data-policy netsvc1-policy
    vpn-list vpn-10
      sequence 1
        match
          destination-data-prefix-list svc-chain
        action accept
          set next-hop 2.2.2.2
      default-action accept
apply-policy
  site-list vEdge-Hub-1 data-policy netsvc1-policy from-service
The configuration does step up each time, and this is something I am planning to lab as soon as I can get a firewall going in EVE-NG. 🙂