Service insertion for Equinix

Outlines the implementation and configuration of service insertion capabilities specifically designed for Equinix network environments and infrastructure requirements.

Feature history for service insertion for Equinix

Service insertion for Equinix enables deployment of Palo Alto Networks firewall on Equinix infrastructure and attachment of service chains to Equinix interconnect gateway through the Workflow Library in Cisco SD-WAN Manager.

This table describes the developments of this feature, by release.

Table 1. Feature history

Feature Name: Service Insertion for Equinix

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a; Cisco Catalyst SD-WAN Manager Release 20.15.1

Description: With this feature, you can deploy Palo Alto Networks firewall on Equinix and attach a service chain to Equinix interconnect gateway from the Workflow Library in Cisco SD-WAN Manager.

Service insertion for Equinix

Service insertion for Equinix is a feature that

  • enables the use of Cisco SD-WAN Manager to define, create, instantiate, and deploy service chains in Equinix, and

  • supports creating service chains that include a single standalone or stateful Palo Alto Networks Firewall service instance per service chain.

Service insertion workflow automation

The Cisco SD-WAN Manager service insertion workflow automates configurations on a Cisco IOS XE Catalyst SD-WAN device. Based on the selection of the service and the service type, the service instance creates a configuration group for service insertion which has the details of the service instances defined in the workflow.

Requirements for service insertion for Equinix

Ensure that you meet all prerequisites before configuring service insertion for Equinix to avoid deployment issues and ensure successful integration.

  • Ensure that you have an active Equinix account. If you don't already have an account, you can create an account on the Equinix portal. Refer to the New User Equinix Fabric Portal Access documentation from Equinix.

  • Ensure that you have an active Equinix billing account. If you don't already have one, you can create billing accounts for each region in which you would like to deploy an Interconnect Gateway using this account. Refer to the Billing Account Management documentation from Equinix.

  • Ensure that the Equinix account is associated to the Cisco SD-WAN Manager. For more information, see Associate Equinix Account with Cisco SD-WAN Manager.

  • Deploy the Equinix Interconnect Gateway to a configuration group. For more information, see Create Interconnect Gateway at an Equinix Location.

  • Purchase the required Palo Alto Networks firewall licenses.

Service insertion configuration workflow for Equinix

The workflow to configure service insertion for Equinix includes defining and configuring service chains, instantiating service chains, attaching service chains to Cisco SD-WAN devices, and configuring service chain actions for data policies.

  1. Define and configure service chain: Creates a service chain definition. The service chain definition comprises a service type and the order of the service. After you provide the details in the workflow, Cisco SD-WAN Manager creates a configuration group. You cannot edit the parameters in the configuration group after its creation.

  2. Instantiate service chain: Instantiates a service chain by deploying an instance of the service in Equinix.

  3. Attach a service chain to the Cisco SD-WAN Device: Attach the service chain to Equinix interconnect gateway.

    Detach a service chain instance: Detach the service chain instance from Equinix interconnect gateway.

  4. Configure service chain actions for a data policy to route traffic through a service chain. See Configure Service Chain Actions in a Data Policy in Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 26.x.

Define and configure service chain

Define and configure a service chain to establish network security services using Palo Alto Networks firewall in the Equinix environment.

Service chains enable you to deploy and manage network security services in cloud environments. This task focuses on configuring firewall services within the Equinix platform through the workflows interface.

Before you begin

Follow these steps to define and configure service chain:

Procedure


Step 1

In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Define and Configure Service Chain.

Step 2

Follow the on-screen instructions to complete the service chain definition workflow.

Following are some of the parameters in the workflow:

  • On the Select Environment page, choose Equinix as the environment for the service chain definition.

  • Choose only firewall as the service type. For each service chain instance you can choose only one Palo Alto Networks firewall.

  • The Size, Flavor, and SW-Version in the workflow refer to the Palo Alto Networks firewall that you choose.

  • The sshPublickey Value is retrieved from the Equinix account that you choose.

  • Enter the management plane bandwidth (Mbps) between the router and the service in the Management Plane field.

  • The name entered in the User Name field is the user name of the Palo Alto Networks firewall credentials.

  • Choose Stateful or Standalone type of HA mode for the service. If you choose Stateful HA mode, ensure that you have the appropriate active licenses to proceed with the instantiation of the service chain.


The service chain definition workflow is completed and the firewall service is configured in the Equinix environment with the specified parameters.

Instantiate service chain

This task enables you to instantiate a service chain through the Cisco SD-WAN Manager Workflows Library, allowing you to deploy and configure network services such as Palo Alto Networks firewall services.

Use this workflow when you need to deploy network service chains in your environment. The workflow provides guided steps to configure service parameters and deploy services through the Equinix platform integration.

Procedure


Step 1

In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Instantiate Service Chain.

Step 2

Follow the on-screen instructions to instantiate the service chain.

Following are some of the parameters of the workflow:

  • Ensure that you choose an active Equinix billing account for the service insertion workflow.

  • Ensure that you provide Palo Alto Networks firewall parameters based on your requirements. This workflow only instantiates the Palo Alto Networks firewall service. For any Palo Alto Networks firewall security policies and lifecycle management, see the Palo Alto Networks firewall documentation.

  • The Size, Flavor, and SW-Version are retrieved from the Equinix portal based on the selected Equinix account and the Palo Alto Networks firewall you choose in the Instantiate Service Chain workflow.


The service chain is successfully instantiated and deployed in your network environment with the configured parameters.

Attach a service chain to the Cisco SD-WAN device

This task attaches a service chain to a Cisco SD-WAN device to enable service insertion functionality and ensure proper traffic routing through network services.

Service chains enable traffic to be routed through network services before reaching its destination. When attaching service chains to Cisco SD-WAN devices, you can select only one interconnect gateway at a time and should attach the service chain to the appropriate router without needing to attach it to branch routers.

Before you begin

  • Ensure that you define a tracker. Tracker configuration is critical to avoid blackholing. Defining a tracker ensures that the service chain is determined to be in the UP state and is used. If the IP address of a service chain firewall is used with an ICMP-based tracker, ensure that the firewall allows ICMP on the appropriate interface.
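
The following is an added illustration, not Cisco code or configuration: a simplified Python model of why the tracker prerequisite above matters, comparing a failed firewall with and without a tracker, and a healthy firewall that drops ICMP. The Tracker class, the multiplier value of 3, and the probe sequences are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Tracker:
    """Simplified probe tracker: DOWN after `multiplier` failed probes in a row."""
    multiplier: int = 3   # assumed value for this model
    failures: int = 0
    state: str = "UP"

    def observe(self, probe_ok: bool) -> str:
        if probe_ok:
            self.failures, self.state = 0, "UP"
        else:
            self.failures += 1
            if self.failures >= self.multiplier:
                self.state = "DOWN"
        return self.state

def steer(probes, forwards, tracker=None):
    """Outcome per probe interval for traffic that the policy sends to the chain.

    probes[i]   -- did the ICMP probe get a reply in interval i
    forwards[i] -- is the firewall actually passing data traffic in interval i
    """
    out = []
    for probe_ok, fwd in zip(probes, forwards):
        # Without a tracker the router has no health signal: chain is assumed UP.
        state = tracker.observe(probe_ok) if tracker else "UP"
        if state == "DOWN":
            out.append("chain-not-used")   # next hop then depends on the data policy
        else:
            out.append("inspected" if fwd else "blackholed")
    return out

def scenarios():
    dead = [True, True, False, False, False, False]   # constructed: firewall fails at interval 2
    return {
        "no_tracker_fw_dies": steer(dead, dead),
        "tracker_fw_dies": steer(dead, dead, Tracker()),
        "tracker_icmp_blocked": steer([False] * 6, [True] * 6, Tracker()),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22} {outcome}")
```

The third scenario shows the failure mode behind the ICMP caveat: a working firewall that does not answer the probe is marked DOWN and stops receiving traffic.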

Follow these steps to attach a service chain to the Cisco SD-WAN device:

Procedure


Step 1

In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Attach Service Chain to Cisco SD-WAN Router.

Step 2

Follow the on-screen instructions to attach the service chain to a Cisco IOS XE Catalyst SD-WAN device.

  • You can select only one interconnect gateway at a time to attach a service chain.

  • Attach the service chain to the appropriate Cisco IOS XE Catalyst SD-WAN device. You don't need to attach the service chain to the branch routers.

Note

Alternatively, attach the Cisco IOS XE Catalyst SD-WAN device to a service chain using Configuration > Service Insertion > Service Chain Instances. Click ... next to the name of the instance to which you wish to attach a device, and click Attach. This takes you to the service chain attachment workflow under Workflows > Workflows Library > Attach Service Chain to Cisco SD-WAN Router.


The service chain is successfully attached to the Cisco SD-WAN device, enabling service insertion functionality for traffic routing through network services.

Detach a service chain instance

Detach a device from a service chain instance to remove the service chain configuration and stop applying the configured services to traffic passing through that device.

Use this task when you need to remove a device from a service chain instance, effectively stopping the application of the service chain's configured services on that specific device.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Service Insertion.

Step 2

Click Service Chain Instances to view the list of service chain instances and the devices attached to each instance.

Step 3

Click ... adjacent to the instance from which you wish to detach the device and choose Detach.

Step 4

In the confirmation dialog box, click Detach.


The device is detached from the service chain instance, and the service chain configuration is removed from the device.

Configuration verification for Equinix service insertion

  • After you instantiate the service chain, you can view the service chain instances in Configuration > Service Insertion. This page displays a list of service chain instances along with the Cisco IOS XE Catalyst SD-WAN device attached to each service chain instance.

  • To view the details of the device that is attached to the service chain instance, click the device in the Attached to column. You can use the information about service TX and RX interfaces and the IP addresses on the Cisco SD-WAN Manager for the configurations on the Palo Alto Networks Firewall. Configure the service TX IP address on the service TX interface, and the service RX IP address on the service RX interface on the Palo Alto Networks Firewall.

  • To view details such as service type, password, IP address, and so on, of the service used in the service chain instance, click the Number of Services option.