Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Releases 19.1, 19.2, and 19.3

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Releases 19.1, 19.2, and 19.3

Chapter Title

Service Chaining

Results

Updated:
November 25, 2019

Chapter: Service Chaining

Service Chaining

Service chaining allows data traffic to be rerouted through one or more services, such as firewall, load balancer, and intrusion detection and prevention (IDP) devices.

Services in the Network

Services such as firewall, load balancer, and intrusion detection and prevention (IDP) are often run within a virtualized environment, and they may physically be centralized in one location or in several locations for redundancy. Services may be internal, cloud based, or external subscriptions. Networks must be able to reroute traffic from any location in the network through such services.

Customers want the ability to internally spawn or externally subscribe to new services on demand—for capacity, redundancy, or simply to select best-of-breed technologies. For example, if a firewall site exceeds its capacity, a customer can spawn new firewall service at a new location. Supporting this new firewall would require the configuration of policy-based, weighted load distribution to multiple firewalls.

Following are some of the reasons to reroute a traffic flow through a service or chain of services:

  • Traffic flow from a less secure region of a network must pass through a service, such as a firewall, or through a chain of services to ensure that it has not been tampered with.

  • For a network that consists of multiple VPNs, each representing a function or an organization, traffic between VPNs must traverse through a service, such as a firewall, or through a chain of services. For example, in a campus, interdepartmental traffic might go through a firewall, while intradepartmental traffic might be routed directly.

  • Certain traffic flows must traverse a service, such as a load balancer.

Today, the only way to reroute traffic flow is by provisioning every routing node—from the source to the service node to the systems beyond the service node—with a policy route. This is done either by having an operator manually configure each node or by using a provisioning tool that performs the configuration for each node on behalf of the operator. Either way, the process is operationally complex to provision, maintain, and troubleshoot.

Provisioning Services in the Cisco SD-WAN Overlay Network

In the Cisco SD-WAN solution, the network operator can enable and orchestrate all service chaining from a central controller, that is, from the Cisco vSmart controller. No configuration or provisioning is required at any of the Cisco vEdge devices.

The general flow of service chaining in a Cisco SD-WAN network is as follows:

  • vEdge routers advertise the services available in their branch or campus—such as firewall, IDS, and IDP—to the Cisco vSmart controllers in their domain. Multiple Cisco vEdge devices can advertise the same services.

  • Cisco vEdge devices also advertise their OMP routes and TLOCs to the Cisco vSmart controllers.

  • For traffic that require services, policy on the Cisco vSmart controller changes the next hop for the OMP routes to the service landing point. In this way, the traffic is first processed by the service before being routed to its final destination.

The following figure illustrates how service chaining works in the Cisco SD-WAN solution. The network shown has a centralized vEdge hub router that is connected to two branches, each with a Cisco vEdge device. The standard network design implements a control policy such that all traffic from branch site 1 to branch site 2 travels through the vEdge hub router. Sitting behind the hub router is a firewall device. So now, assume we want all traffic from site 1 to site 2 to first be processed by the firewall. Traffic from the Cisco vEdge device at site 1 still flows to the vEdge hub router, but instead of sending it directly to site 2, the hub router redirects the traffic to the firewall device. When the firewall completes its processing, it returns all cleared traffic to the hub, which then passes it along to the Cisco vEdge device at site 2.

Service Route SAFI

The hub and local branch Cisco vEdge devices advertise the services available in their networks to the Cisco vSmart controllers in its domain using service routes, which are sent via OMP using the service route Subsequent Address Family Identifier (SAFI) bits of the OMP NLRI. The Cisco vSmart controllers maintain the service routes in their RIB, and they do not propagate these routes to the vEdges.

Each service route SAFI has the following attributes:

  • VPN ID (vpn-id)—Identifies the VPN that the service belongs to.

  • Service ID (svc-id)—Identifies the service being advertised by the service node. The Cisco SD-WAN software has the following predefined services:

    • FW, for firewall (maps to svc-id 1)

    • IDS, for Intrusion Detection Systems (maps to svc-id 2)

    • IDP, for Identity Providers (maps to svc-id 3)

    • netsvc1, netsvc2, netsvc3, and netsvc4, which are reserved for custom services (they map to svc-id 4, 5, 6, and 7, respectively)

  • Label—For traffic that must traverse a service, the Cisco vSmart replaces the label in the OMP route with the service label in order to direct the traffic to that service.

  • Originator ID (originator-id)—The IP address of the service node that is advertising the service.

  • TLOC—The transport location address of the vEdge that is “hosting” the service.

  • Path ID (path-id)—An identifier of the OMP path.

Service Chaining Policy

To route traffic through a service, you provision either a control policy or a data policy on the Cisco vSmart controller. You use a control policy if the match criteria are based on a destination prefix or any of its attributes. You use a data policy if the match criteria include the source address, source port, DSCP value, or destination port of the packet or traffic flow. You can provision the policy directly via CLI, or it can be pushed from the vManage management system.

The Cisco vSmart controller maintains OMP routes, TLOC routes, and service routes in its route table. A given OMP route carries a TLOC and the label associated with it. On a Cisco vSmart controller, a policy can be applied that changes the TLOC and its associated label to be that of a service.

Service Chaining Configuration Examples

Service chaining control policies direct data traffic to service devices that can be located in various places in the network before the traffic is delivered to its destination. For service chaining to work, you configure a centralized control policy on the Cisco vSmart Controller, and you configure the service devices themselves on the Cisco vEdge device collocated in the same site as the device. To ensure that the services are advertised to the Cisco vSmart Controller, the IP address of the service device must resolve locally.

This topic provides examples of configuring service chaining.

Route Intersite Traffic through a Service

A simple example is to route data traffic traveling from one site to another through a service. In this example, we route all traffic traveling from the Cisco vEdge device at Site 1 to the Cisco vEdge device at Site 2 through a firewall service that sits behind a vEdge hub (whose system IP address is 100.1.1.1). To keep things simple, all devices are in the same VPN.

For this scenario, you configure the following:

  • On the vEdge hub router, you configure the IP address of the firewall device.

  • On the Cisco vSmart Controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall service.

  • On the Cisco vSmart Controller, you apply the control policy to Site 1.

Here is the configuration procedure:

  1. On the vEdge hub router, provision the firewall service, specifying the IP address of the firewall device. With this configuration, OMP on the vEdge hub router advertises one service route to the Cisco vSmart Controller. The service route contains a number of properties that identify the location of the firewall, including the TLOC of the vEdge hub router and a service label of svc-id-1, which identifies the service type as a firewall. (As mentioned above, before advertising the route, the Cisco vEdge device ensures that the firewall's IP address can be resolved locally.) 

    vpn 10
  service FW address 1.1.1.1

  2. On the Cisco vSmart Controller, configure a control policy that redirects data traffic traveling from Site 1 to Site 2 through the firewall. Then, also on the Cisco vSmart Controller, apply this policy to Site 1. 

    policy
  lists 
    site-list firewall-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        site-id 2
      action accept
        set service FW vpn 10
    default-action accept
apply-policy
  site-list firewall-sites control-policy firewall-service out

    This policy configuration does the following:

    • Create a site list called firewall-sites that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to. If you later want to scale this policy so that all traffic destined to Site 2 from other sites should also first pass through the firewall, all you need to do is add the additional site IDs to the firewall-sites site list. You do not need to change anything in the control-policy firewall-service portion of the configuration.

    • Define a control policy named firewall-service. This policy has one sequence element and the following conditions:

      • Match routes destined for Site 2.

      • If a match occurs, accept the route and redirect it to the firewall service provided by the vEdge Hub router, which is located in VPN 10.

      • Accept all nonmatching traffic. That is, accept all traffic not destined for Site 2.

    • Apply the policy to the sites listed in firewall-list, that is, to Site 1. The Cisco vSmart controller applies the policy in the outbound direction, that is, on routes that it redistributes to Site 1. In these routes:

      • The TLOC is changed from Site 2’s TLOC to the vEdge hub router’s TLOC. This is the TLOC that the Cisco vSmart Controller learned from the service route received from the vEdge hub router. It is because of the change of TLOC that traffic destined for Site 2 is directed to the vEdge hub router

      • The label is changed to svc-id-1, which identifies the firewall service. This label causes the vEdge hub router to direct the traffic to the firewall device.

    When the vEdge hub router receives the traffic, it forwards it to the address 1.1.1.1, which is the system IP address of the firewall. After the firewall has finished processing the traffic, the firewall returns the traffic to the vEdge hub router, and this router then forwards it to its final destination, which is Site 2.

Route Inter-VPN Traffic through a Service Chain with One Service per Node

A service chain allows traffic to pass through two or more services before reaching its destination. The example here routes traffic from one VPN to another through services located in a third VPN. The services are located behind different vEdge hub routers. Specifically, we want all traffic from vEdge-1 in VPN 20 and that is destined for prefix x.x.0.0/16 in VPN 30 on vEdge-2 to go first through the firewall behind vEdge Hub-1 and then through the custom service netsvc1 behind vEdge Hub-2 before being sent to its final destination.

For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected by an extranet, such as the Internet

  • VPN 10 must import routes from VPN 20 and VPN 30. Routes can be selectively imported if necessary.

  • VPN 20 must import routes from VPN 30. Routes can be selectively imported if necessary.

  • VPN 30 must import routes from VPN 20. Routes can be selectively imported if necessary.

For this scenario, you configure four things:

  • You configure the IP address of the firewall device on the vEdge Hub-1 router.

  • You configure the IP address of the custom service device on the vEdge Hub-2 router.

  • On the Cisco vSmart Controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall device.

  • On the Cisco vSmart Controller, you configure a second control policy that redirects traffic to the custom service device.

Here is the configuration procedure:

  1. Configure the firewall service on vEdge Hub-1. With this configuration, OMP on the vEdge Hub-1 router advertises a service route to the Cisco vSmart Controller. The service route contains a number of properties that identify the location of the firewall, including the TLOC of the vEdge hub router and a service label of svc-id-1, which identifies the service type as a firewall. 

    vpn 10
  service fw address 1.1.1.1

  2. Configure the custom service netsvc1 on vEdge Hub-2. With this configuration, OMP on the vEdge Hub-2 router advertises a service route to the vSmart controller. The service route contains the TLOC of the vEdge Hub-2 and a service label of svc-id-4, which identifies the custom service. 

    vpn 10
  service netsvc1 address 2.2.2.2

  3. Create a control policy on the Cisco vSmart Controller for first service in the chain—the firewall—and apply it to Site 1, which is the location of the vEdge-1 router: 

    policy
  lists
    site-list firewall-custom-service-sites
      site-id 1  
  control-policy firewall-service    
    sequence 10      
      match route        
        vpn 30        
        site-id 2      
      action accept        
        set service FW      
    default-action accept
apply-policy  
  site-list firewall-custom-service-sites control-policy firewall-service out

    This policy configuration does the following:

    • Create a site list called firewall-custom-service-sites that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to.

    • Define a control policy named firewall-service that has one sequence element and the following conditions:

      • Match routes destined for both VPN 30 and Site 2.

      • If a match occurs, accept the route and redirect it to a firewall service.

      • If a match does not occur, accept the traffic.

    • Apply the policy to the sites in the firewall-custom-service-sites site list, that is, to Site 1. The Cisco vSmart controller applies this policy in the outbound direction, that is, on routes that it redistributes to Site 1. In these routes:

      • The TLOC is changed from Site 2’s TLOC to the vEdge Hub-1 router’s TLOC. This is the TLOC that the Cisco vSmart Controller learned from the service route received from the vEdge hub. It is because of the change of TLOC that traffic destined for Site 2 is directed to the vEdge Hub-1 router.

      • The label is changed to svc-id-1, which identifies the firewall service. This label causes the vEdge Hub-1 router to direct the traffic to the firewall device.

    When the vEdge Hub-1 router receives the traffic, it forwards it to the address 1.1.1.1, which is the system IP address of the firewall. After the firewall completes processing the traffic, it returns the traffic to the vEdge Hub-1 router, which, because of the policy defined in the next step, forwards it to the vEdge Hub-2 router.

  4. Create a control policy on the Cisco vSmart Controller for the second service in the chain, which is the custom service, and apply it to Site 3, which is the location of the vEdge Hub-2 router: 

    policy  
  site-list custom-service    
    site-id 3  
  control-policy netsvc1-service          
    sequence 10            
      match route              
        vpn 30              
        site-id 2            
      action accept              
        set service netsvc1           
    default-action accept
apply-policy  
  site-list custom-service control-policy netsvc1-service out

    This policy configuration does the following:

    • Create a site list called custom-service that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to.

    • Define a control policy named netsvc1-service that has one sequence element and the following conditions:

      • Match routes destined for both VPN 30 and Site 2.

      • If a match occurs, accept the route and redirect it to the custom service.

      • If a match does not occur, accept the traffic.

    • Apply the policy to the sites in the custom-service list, that is, to Site 3. The Cisco vSmart controller applies this policy in the outbound direction, that is, on routes that it redistributes to Site 3. In these routes:

      • The TLOC is changed from Site 2’s TLOC to the vEdge Hub-2 router’s TLOC. This is the TLOC that the Cisco vSmart Controller learned from the service route received from the vEdge Hub-2 router. It is because of the change of TLOC that traffic destined for Site 2 is directed to the vEdge Hub-2 router.

      • The label is changed to svc-id-4, which identifies the custom service. This label causes the vEdge Hub-2 to direct the traffic to the device that is hosting the custom service

    When the vEdge Hub-2 routers receives the traffic, it forwards it to the address 2.2.2.2, which is the system IP address of the device hosting the custom service. After the traffic has been processed, it is returned to the vEdge Hub-2 router, which then forwards it to its final destination, Site 2.

Route Inter-VPN Traffic through a Service Chain with Multiple Services per Node

If a service chain has more than one service that is connected to the same node, that is, both services are behind the same Cisco vEdge device, you use a combination of control policy and data policy to create the desired service chain. The example here is similar to the one in the previous section, but instead has a firewall and a custom service (netsvc-1) behind a single vEdge hub router. Here, we want all data traffic from vEdge-1 in VPN 20 destined for prefix x.x.0.0/16 on vEdge-2 in VPN 30 to first go through the firewall at vEdge Hub-1, then through the custom service netsvc1, also at vEdge Hub-1, and then to its final destination.

For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected by an extranet, such as the Internet.

  • VPN 10 must import routes from VPN 20 and VPN 30. Routes can be selectively imported if necessary.

  • VPN 20 must import routes from VPN 30. Routes can be selectively imported if necessary.

  • VPN 30 must import routes from VPN 20. Routes can be selectively imported if necessary.

For this scenario, you configure the following:

  • On the vEdge hub router, you configure the firewall and custom services.

  • On the Cisco vSmart Controller, you configure a control policy that redirects data traffic from Site 1 that is destined to Site 2 through the firewall.

  • On the Cisco vSmart Controller, you configure a data policy that redirects data traffic to the custom service.

Here is the configuration procedure:

  1. On the vEdge hub router, configure the firewall and custom services:

    vpn 10
  service FW address 1.1.1.1
  service netsvc1 address 2.2.2.2

    With this configuration, OMP on the vEdge hub router advertises two service routes to the Cisco vSmart Controller, one for the firewall and the second for the custom service netsvc1. Both service routes contain the TLOC of the vEdge Hub-1 router and a service label that identifies the type of service. For the firewall service, the label is svc-id-1, and for the custom service, the label is svc-id-4.

  2. On the Cisco vSmart Controller, configure a control policy controller to reroute traffic destined for VPN 30 (at Site 2) to firewall service that is connected to vEdge Hub-1 (at Site 3), and apply this policy to Site 1: 

    policy  
  lists    
    site-list vEdge-1      
      site-id 1    
  control-policy firewall-service      
    sequence 10        
      match route          
        vpn 30         
      action accept           
        set service FW
apply-policy      
  site-list vEdge-1 control-policy firewall-service out

  3. On the Cisco vSmart Controller, configure a data policy that redirects, or chains, the data traffic received from the firewall device to the custom service netsvc1. Then apply this policy to vEdge Hub-1. This data policy routes packets headed for destinations in the network x.x.0.0/16 to the IP address 2.2.2.2, which is the system IP address of the device hosting the custom service. 

    policy  
  lists    
    site-list vEdge-2      
      site-id 2 
    site-list vEdge-Hub-1
      site-id 3   
    prefix-list svc-chain      
      ip-prefix x.x.0.0/16
    vpn-list vpn-10
      vpn 10
  data-policy netsvc1-policy    
    vpn-list vpn-10       
      sequence 1         
        match           
          ip-destination x.x.0.0/16         
        action accept           
          set next-hop 2.2.2.2
apply-policy      
  site-list vEdge-Hub-1 data-policy netsvc1-policy from-service

Was this Document Helpful?

FeedbackFeedback

Contact Cisco