Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Traffic steering to a service chain

Want to summarize with AI?

Log in

Describes how to direct network traffic to a service chain using three methods: control policy, data policy, or interface access control list for traffic steering implementation.


You can direct traffic to a service chain by using a control policy, data policy, or interface access control list.


How traffic steering using a control policy works

You can use a control policy to modify Cisco Overlay Management Routes, also referred to as vRoutes, to direct traffic to a service chain instead of the original destination.

Summary

The key components involved in traffic steering using a control policy are:

  • Control policy: Modifies vRoutes to redirect traffic to service chains

  • Service chain hub (SC-HUB1): Advertises service chain routes

  • Branch routers (B1, B2): Source and destination points for traffic flow

  • Cisco SD-WAN Controller: Processes and advertises modified routes based on control policy

  • Service chain (SC1): Traffic processing path applied to matching flows

The policy causes service chain 1 (SC1) to be applied to traffic that flows between H1 (host 1) and H3 (host 3) by setting SC1 as the next hop for H1 and H3 traffic routes.

Workflow

Figure 1. Traffic Steering with a Control Policy

These stages describe how traffic steering using a control policy works:

  1. SC-HUB1 advertises the SC1 route to make the service chain available for traffic steering.
  2. B2 advertises the H3 route to the Cisco SD-WAN Controller to establish the original destination path.
  3. The control policy results in overriding the H3 route next hop to SC1 and the Cisco SD-WAN Controller advertises the modified H3 route to B1. Before the policy is in effect, traffic flows from B2 (branch 2) to B1 (branch 1). After the policy is in effect, traffic flows from B2 to SC-HUB1:SC1 to B1.
    Note

    Example configuration:

    Control-policy name
        sequence number
            match route
            action accept
    	  set service-chain sc_name [tloc|tloc-list name] [vpn vpn]
    apply-policy site-list site_list control-policy name out
    

How data policies steer traffic

You can use a data policy to match traffic and operate in the context of source VPNs during forwarding.

Summary

The key components involved in traffic steering using data policies are:

  • Data policy: Matches traffic and defines forwarding actions based on specified criteria

  • Match criteria: Specifies applications to be matched to source and destination IP address combinations

  • Service chain: Defines the path for traffic processing through network services

  • TLOC ranking: Specifies traffic path preference using TLOC ranking

Workflow

Figure 2. Traffic Steering with Traffic Service Chaining Intent Specified at a Remote Branch

These stages describe how data policies steer traffic:

  1. The system configures the data policy with match criteria and service chaining parameters for remote branch traffic steering.
    • match criteria specifies applications to be matched to source and destination IP address combinations
    • restrict|fallback configures restrict or fall back
    • TLOC|TLOC-list list specifies the traffic path preference using TLOC ranking
    Note
    set attribute trust-posture is available from Cisco Catalyst SD-WAN Manager Release 20.14.1.
    policy
     data-policy name
      vpn-list name
       sequence 100
        match criteria
        action accept
         set service-chain sc_name vpn vpn {restrict|fallback} [tloc|tloc-list list]
    set attribute trust-posture {trusted | untrusted}
    apply-policy site-list remote-sites data-policy name from-service
    
  2. The system applies service chaining intent locally on the device to which the service chain is attached.
    Figure 3. Traffic Steering with Traffic Service Chaining Intent Specified on a Local Device
    In this configuration, local indicates that traffic needs to be directed to a service chain locally.
    set service-chain SC1 [vpn vpn] local [restrict|fallback]
    apply-policy site-list SC-HUB-sites data-policy policy {from-service|from tunnel}|from-tunnel}
    

Traffic steering using an interface access control list

You can use an interface access control list (ACL) to service chain traffic that is incoming or outgoing on a specified interface. In some situations, the traffic forwarding decision may need to come from a prior routing lookup or data policy.

This approach is useful when all traffic from an interface should be directed through a service chain.

Summary

The key components involved in traffic steering using an interface ACL are:

  • Interface ACL: Controls traffic flow on specified interfaces and directs traffic through service chains

  • Service chain: Processes traffic according to configured policies and routing decisions

  • Traffic matching criteria: Determines which traffic flows are subject to service chaining

Workflow

Figure 4. Traffic Steering with an ACL

Traffic steering using an interface ACL involves the following stages:

  1. Configure the access control list with matching criteria and service chain action.
    access-list list
      sequence number
        match criteria
        action accept
         set service-chain SC1 [vpn vpn] {restrict|fallback}
  2. Apply the access list to the interface for incoming or outgoing traffic.
    interface interface 
     access-list list {in|out}
  3. The system processes traffic according to the configured ACL rules and directs matching traffic through the specified service chain.
    Note

    Service chaining can be used in dual-site setups using Virtual Router Redundancy Protocol (VRRP) for redundancy. Ensure your service chaining policy does not block VRRP control traffic. Service chaining policies often have a default action to drop traffic that does not meet the match criteria. This can accidentally block VRRP control packets. To prevent this, set the default action in your service chaining policy to accept VRRP control traffic. This will ensure VRRP works correctly for redundancy.