Explains service chaining in Cisco Catalyst SD-WAN, including service advertisement, policy-based traffic steering, routing behavior, health tracking, and limitations.
Service chaining in Cisco Catalyst SD-WAN is a centralized orchestration capability that
- advertises available services using OMP service routes with defined service identifiers.
- steers traffic through services by modifying OMP next-hop, TLOC, and labels via policy.
- tracks service availability to prevent routing traffic to unavailable service devices.
Services in the network
Services such as firewall, load balancer, and intrusion detection and prevention (IDP) often run within a virtualized environment and may physically be centralized in one location or distributed across several locations for redundancy. Services may be internal, cloud-based, or external subscriptions. Networks must be able to reroute traffic from any location in the network through such services.
Customers want the ability to internally spawn or externally subscribe to new services on demand for capacity, redundancy, or to select best-of-breed technologies.
For example, if a firewall site exceeds its capacity, a customer can spawn a new firewall service at a new location. Supporting this new firewall requires the configuration of policy-based, weighted load distribution to multiple firewalls.
Reasons to reroute traffic through services
- Traffic flow from a less secure region of a network must pass through a service, such as a firewall, or through a chain of services to ensure that it has not been tampered with.
- In a network that consists of multiple VPNs, each representing a function or an organization, traffic between VPNs must traverse a service, such as a firewall, or a chain of services.
- In a campus, interdepartmental traffic might go through a firewall, while intradepartmental traffic might be routed directly. Certain traffic flows must traverse a service, such as a load balancer.
Today, operators reroute traffic flows by provisioning a policy route on every routing node from the source, through the service node, to the systems beyond the service node. Operators either configure each node manually or use a provisioning tool that performs the configuration for each node on their behalf. This process is operationally complex to provision, maintain, and troubleshoot.
Service chaining policy
To route traffic through a service, you provision either a control policy or a data policy on the Cisco SD-WAN Controller. You use a control policy if the match criteria are based on a destination prefix or any of its attributes. You use a data policy if the match criteria include the source address, source port, DSCP value, or destination port of the packet or traffic flow. You can provision the policy directly using the CLI, or it can be pushed from Cisco SD-WAN Manager.
The Cisco SD-WAN Controller maintains OMP routes, TLOC routes, and service routes in its route table. A given OMP route carries a TLOC and the label associated with it. On a Cisco SD-WAN Controller, a policy can be applied that changes the TLOC and its associated label to be that of a service.
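The following is an added configuration example, not taken from this page or from a Cisco reference configuration, showing the two halves of the control-policy approach described above: the hub edge advertises a firewall service route into VPN 10, and the controller's control policy rewrites the TLOC and label of matching prefixes to that service before advertising them to branch sites. The service name FW, VPN 10, the site-id range, the prefix 10.50.0.0/16, the service address 10.10.10.5, and the policy and list names are all constructed for illustration.

```cisco
! --- Service hub edge (vEdge-style CLI): advertise the firewall as an OMP
! --- service route in VPN 10. The controller learns service FW from this site.
vpn 10
 service FW address 10.10.10.5
!
! --- Cisco SD-WAN Controller: control policy that steers branch traffic destined
! --- for the data-center prefix through service FW. The controller keeps the OMP
! --- route but replaces its TLOC and label with those of the service route.
policy
 lists
  site-list branch-sites
   site-id 100-199
  prefix-list dc-servers
   ip-prefix 10.50.0.0/16
 !
 control-policy steer-through-fw
  sequence 10
   match route
    vpn 10
    prefix-list dc-servers
   !
   action accept
    set
     service FW vpn 10
    !
   !
  !
  default-action accept
 !
!
! Apply in the outbound direction so only routes advertised to branch sites are
! rewritten; the hub itself keeps the original TLOC toward the data center.
apply-policy
 site-list branch-sites
  control-policy steer-through-fw out
 !
!
```

A data policy would be used instead if the match had to include source address, source port, DSCP, or destination port rather than the destination prefix.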
Tracking the health of the service chain
Beginning with Cisco IOS XE Catalyst SD-WAN Release 17.3.1a, Cisco Catalyst SD-WAN periodically probes the devices that provide network services to test whether they are operational. Tracking the availability of devices in the service chain helps to prevent a null route, which can occur if a policy routes traffic to a service device that is not available. By default, Cisco Catalyst SD-WAN writes the tracking results to a service log; this logging can be disabled.