Describes how the system routes trusted and untrusted traffic through different high availability pairs in service chaining configurations.
Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, Cisco Catalyst SD-WAN Manager Release 20.14.1
In service chaining configurations, the system can separate trusted and untrusted traffic flows to maintain security and performance isolation. The default trust-posture of a packet is trusted unless explicitly configured otherwise.
Summary
The key components involved in service chaining trusted and untrusted traffic are:
-
Data policy: Uses the set attribute trust-posture untrusted action command to mark packets as trusted or untrusted
-
Trusted high availability pair: Receives and processes trusted traffic flows
-
Untrusted high availability pair: Receives and processes untrusted traffic flows
-
Service chain configuration: Defines the service transport HA pairs and their trust-posture attributes
Workflow
These stages describe how the system processes and routes trusted and untrusted traffic through service chains:
- The system evaluates incoming packets and determines their trust-posture based on data policy configuration. By default, packets are marked as trusted unless explicitly configured otherwise.
- The system routes trusted traffic to the configured trusted high availability pair within the service chain.
- The system routes untrusted traffic to the configured untrusted high availability pair within the service chain.
- The service chain configuration defines the trust-posture attribute for each service transport HA pair using the following example configuration:
service-chain SC1 service netsvc1 sequence 10 service-transport-ha-pair 1 attribute trust-posture {trusted|untrusted}