Service Chaining Configuration Example

Posted on Jan 27, 2020 (0)

Example 1: Route Inter-site Traffic through a Service

Consider the situation where Site-1 has to send traffic to Site-2, but that traffic must first be steered through a firewall service sitting behind a vEdge hub router whose system IP is 20.20.20.1. All sites and the hub are in the same VPN (VPN 10).

On the vEdge hub router, configure the firewall service. Once this is done, OMP on the hub advertises a service route to the vSmart controller. The service route carries the location of the firewall (the TLOC of the vEdge hub router) and the service label svc-id-1, which identifies the service type as firewall.

vpn 10
  service FW address 2.2.2.2

On the vSmart controller, configure a control policy that redirects data traffic from Site-1 to Site-2 through the firewall, and apply it to Site-1.

policy
  lists
    site-list dclessons-firewall-sites
      site-id 1
  control-policy dclessons-firewall-service
    sequence 10
      match route
        site-id 2
      action accept
        set service FW vpn 10
    default-action accept
apply-policy
  site-list dclessons-firewall-sites control-policy dclessons-firewall-service out

Here, once a route originating at Site-2 is matched, the route is accepted and redirected to the firewall service provided by the vEdge hub router in VPN 10. All non-matching routes (everything not from Site-2) are accepted unchanged by the default action; without "default-action accept" a control policy rejects everything it did not explicitly match. The policy is applied in the outbound direction, that is, on the routes vSmart advertises to Site-1.

For the matched routes, the TLOC is changed from the Site-2 TLOC to the TLOC of the vEdge hub router. vSmart learned this TLOC from the service route the hub advertised.

The label is changed to svc-id-1, which identifies the firewall service. This label causes the vEdge hub router to hand the traffic to the firewall device rather than forward it directly.

When the vEdge hub router receives the traffic, it forwards it to 2.2.2.2, the firewall's IP address. Once the firewall has processed the traffic and returned it to the hub, the hub forwards it to its final destination at Site-2.
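The control-plane side of Example 1 is easier to see with a small model of what vSmart does to the routes it advertises to Site-1. The following is an added illustration written for this page, not Cisco/Viptela code and not part of the original post: it models only the behaviour described above (top-down evaluation by sequence, first match wins, "set service" rewriting the route's TLOC and label to those of the hub's service route, and the default action deciding the fate of unmatched routes). The class and function names, the sample prefixes, the Site-2/Site-3 system IPs and the OMP labels 1001/1002 are constructed for the example.

```python
"""Model of the vSmart control-policy rewrite described in Example 1.

Added illustration, not Cisco/Viptela code and not from the original page.
Names, sample prefixes, system IPs and labels are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    vpn: int
    site_id: int   # site that originated the route
    tloc: str      # system IP of the originating vEdge
    label: str     # label carried with the route


@dataclass(frozen=True)
class ServiceRoute:
    name: str
    vpn: int
    tloc: str      # system IP of the hub that advertised the service
    label: str     # service label, e.g. svc-id-1 for FW


# Constructed: what vSmart holds after the hub advertises "service FW"
SERVICES = [ServiceRoute("FW", 10, "20.20.20.1", "svc-id-1")]

# Constructed sample OMP routes from sites 2 and 3 (system IPs assumed)
ROUTES = [
    Route("10.2.0.0/24", 10, 2, "20.20.20.2", "1001"),
    Route("10.3.0.0/24", 10, 3, "20.20.20.3", "1002"),
]

# The page's control policy: "match route site-id 2",
# "action accept" with "set service FW vpn 10"
FIREWALL_POLICY = [
    {"match": {"site_id": 2}, "action": "accept",
     "set_service": "FW", "service_vpn": 10},
]


def find_service(name, vpn):
    """Look up the service route a hub advertised for this service and VPN."""
    for svc in SERVICES:
        if svc.name == name and svc.vpn == vpn:
            return svc
    return None


def evaluate(route, sequences, default_action="reject"):
    """Return the route as vSmart would advertise it, or None if withheld.

    default_action defaults to "reject" because that is what a control
    policy does when no default-action is configured, which is why the
    page's policies end with "default-action accept".
    """
    for seq in sequences:
        matched = all(getattr(route, k) == v for k, v in seq["match"].items())
        if not matched:
            continue
        if seq["action"] != "accept":
            return None
        svc_name = seq.get("set_service")
        if svc_name is None:
            return route
        svc = find_service(svc_name, seq.get("service_vpn", route.vpn))
        if svc is None:
            # Assumption for this model: with no service route to point at,
            # the rewrite cannot happen and the route is withheld.
            return None
        # The rewrite the page describes: TLOC becomes the hub's, label svc-id-1
        return replace(route, tloc=svc.tloc, label=svc.label)
    return route if default_action == "accept" else None


def advertised_to_site1(default_action="accept"):
    """Map prefix -> (tloc, label) as Site-1 would learn it, None if withheld."""
    result = {}
    for route in ROUTES:
        out = evaluate(route, FIREWALL_POLICY, default_action)
        result[route.prefix] = None if out is None else (out.tloc, out.label)
    return result


if __name__ == "__main__":
    for prefix, next_hop in advertised_to_site1().items():
        print(prefix, "->", next_hop)
    # The same policy without default-action accept: Site-3's route disappears
    print(advertised_to_site1("reject"))
```

Running it shows the Site-2 prefix now pointing at the hub's TLOC 20.20.20.1 with label svc-id-1 while the Site-3 prefix is untouched; running the same policy with the default action left at reject withholds the Site-3 prefix from Site-1, which is the failure mode a forgotten "default-action accept" produces.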

Example 2: Route Inter-VPN Traffic through a Service Chain with One Service per Node

In this scenario, traffic from Site-1 in VPN 10 destined for subnet 10.10.10.0/24 in VPN 30 at Site-2 must first pass through the firewall behind vEdge Hub-1, then through the custom service netsvc1 behind vEdge Hub-2, and only then reach its final destination.

For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected through an extranet such as the Internet.
  • VPN 10 must import routes from VPN 20 and VPN 30.
  • VPN 20 must import routes from VPN 30.
  • VPN 30 must import routes from VPN 20.

For this scenario, you configure four things:

  • On the vEdge Hub-1 router, configure the IP address of the firewall device.
  • On the vEdge Hub-2 router, configure the IP address of the custom service device.
  • On the vSmart controller, configure a control policy that redirects traffic from Site 1 destined for Site 2 through the firewall device.
  • On the vSmart controller, configure a second control policy that redirects that traffic on to the custom service device.

Configure the firewall service on vEdge Hub-1. The service name (FW) must match the name the control policy references.

vpn 10
  service FW address 2.2.2.2

Configure the custom service netsvc1 on vEdge Hub-2.

vpn 10
  service netsvc1 address 3.3.3.3

Configure a control policy on the vSmart controller for the firewall, and apply it to Site 1.

policy
  lists
    site-list firewall-custom-service-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
        site-id 2
      action accept
        set service FW
    default-action accept
apply-policy
  site-list firewall-custom-service-sites control-policy firewall-service out

When vEdge Hub-1 receives the traffic, it forwards it to 2.2.2.2, the firewall's IP address. Once the firewall has processed the traffic and returned it to Hub-1, Hub-1 forwards it to vEdge Hub-2, as directed by the second control policy, defined in the next step.

Create a control policy on the vSmart controller for the second service in the chain, and apply it to the site of vEdge Hub-1 (site 3) so that the routes Hub-1 learns for Site 2 point at the netsvc1 service on Hub-2.

policy
  lists
    site-list custom-service
      site-id 3
  control-policy netsvc1-service
    sequence 10
      match route
        vpn 10
        site-id 2
      action accept
        set service netsvc1
    default-action accept
apply-policy
  site-list custom-service control-policy netsvc1-service out

When vEdge Hub-2 receives the traffic, it forwards it to 3.3.3.3, the address of the custom service. Once the service has processed the traffic and returned it to Hub-2, Hub-2 forwards it on to the Site-2 vEdge router, the final destination.

Example 3: Route Inter-VPN Traffic through a Service Chain with Multiple Services per Node

In this scenario both services (the firewall and the custom service netsvc1) sit behind the same vEdge hub router. For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected through an extranet such as the Internet.
  • VPN 10 must import routes from VPN 20 and VPN 30.
  • VPN 20 must import routes from VPN 30.
  • VPN 30 must import routes from VPN 20.

For this scenario, you configure the following:

  • On the vEdge hub router, configure both the firewall and the custom service.
  • On the vSmart controller, configure a control policy that redirects data traffic from Site 1 destined for Site 2 through the firewall.
  • On the vSmart controller, configure a data policy that redirects the traffic returning from the firewall to the custom service.

On the vEdge hub router, configure the firewall and custom services:

vpn 10
  service FW address 2.2.2.2
  service netsvc1 address 3.3.3.3

On the vSmart controller, configure a control policy that reroutes routes for VPN 30 (at Site 2) to the firewall service, and apply it to Site 1. A control policy's default action is reject, so "default-action accept" is required; without it, every other route and TLOC advertised to Site 1 would be withheld.

policy
  lists
    site-list vEdge-1
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
      action accept
        set service FW
    default-action accept
apply-policy
  site-list vEdge-1 control-policy firewall-service out

On the vSmart controller, configure a data policy that redirects data traffic coming back from the firewall to the custom service netsvc1. It is applied to the hub (site 3) in the from-service direction, so it is evaluated only on traffic returning from the firewall, not on traffic arriving over the tunnel from Site 1. Two points a practitioner should check: a data policy matches on a data-prefix-list (the prefix-list keyword belongs to control policies), and the default action of a data policy is drop, so "default-action accept" is needed for traffic outside 10.10.10.0/24 to keep flowing.

policy
  lists
    site-list vEdge-2
      site-id 2
    site-list vEdge-Hub-1
      site-id 3
    data-prefix-list svc-chain
      ip-prefix 10.10.10.0/24
    vpn-list vpn-10
      vpn 10
  data-policy netsvc1-policy
    vpn-list vpn-10
    sequence 1
      match
        destination-data-prefix-list svc-chain
      action accept
        set next-hop 3.3.3.3
    default-action accept
apply-policy
  site-list vEdge-Hub-1 data-policy netsvc1-policy from-service
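The forwarding-plane side of Example 3, the hub's data policy and what the from-service direction means for it, is modelled below. This is an added illustration written for this page, not Cisco/Viptela code and not part of the original post. It models only the behaviour described above: the policy is bound to VPN 10, it is evaluated on the hub only for packets coming back from the local service, a packet whose destination falls in the data-prefix-list gets next-hop 3.3.3.3, and unmatched packets are subject to the policy's default action. The packet fields, the direction labels "service" and "tunnel", the source address and the sample destinations are constructed for the example.

```python
"""Model of the Example 3 hub data policy and its from-service direction.

Added illustration, not Cisco/Viptela code and not from the original page.
Packet fields, direction labels and sample addresses are constructed.
"""
import ipaddress

# Constructed mirror of the page's data-prefix-list and netsvc1-policy
DATA_PREFIX_LISTS = {
    "svc-chain": [ipaddress.ip_network("10.10.10.0/24")],
}

NETSVC1_POLICY = {
    "vpn_list": {10},
    "direction": "from-service",   # apply-policy ... netsvc1-policy from-service
    "sequences": [
        {"match": {"destination_data_prefix_list": "svc-chain"},
         "action": "accept",
         "set_next_hop": "3.3.3.3"},
    ],
    "default_action": "accept",
}


def apply_data_policy(policy, packet, arrived_from):
    """Return ("forward", next_hop) or ("drop", None) for one packet.

    arrived_from is "service" for a packet the firewall handed back to the
    hub and "tunnel" for a packet that arrived over the SD-WAN tunnel.
    A next_hop of None means ordinary routing-table forwarding.
    """
    if packet["vpn"] not in policy["vpn_list"]:
        return ("forward", None)          # policy not bound to this VPN
    if policy["direction"] == "from-service" and arrived_from != "service":
        return ("forward", None)          # not evaluated in this direction
    dst = ipaddress.ip_address(packet["dst"])
    for seq in policy["sequences"]:
        nets = DATA_PREFIX_LISTS[seq["match"]["destination_data_prefix_list"]]
        if not any(dst in net for net in nets):
            continue
        if seq["action"] != "accept":
            return ("drop", None)
        return ("forward", seq.get("set_next_hop"))
    # No sequence matched: the data-policy default action decides
    if policy["default_action"] == "accept":
        return ("forward", None)
    return ("drop", None)


def steer(dst, arrived_from, default_action="accept"):
    """Decision for a VPN 10 packet to dst from the constructed source 10.1.1.10."""
    policy = dict(NETSVC1_POLICY, default_action=default_action)
    packet = {"vpn": 10, "src": "10.1.1.10", "dst": dst}
    return apply_data_policy(policy, packet, arrived_from)


if __name__ == "__main__":
    print(steer("10.10.10.5", "service"))         # back from the firewall: on to netsvc1
    print(steer("10.10.10.5", "tunnel"))          # fresh from Site 1: firewall first
    print(steer("10.20.0.5", "service"))          # outside the prefix list: normal routing
    print(steer("10.20.0.5", "service", "drop"))  # what a missing default-action does
```

The second call is the one to notice: the same destination arriving over the tunnel is not steered to 3.3.3.3, because a from-service policy never sees it; it reaches the firewall first through the control policy's label rewrite, and only the firewall's returned copy is matched and sent to netsvc1. The last call shows why "default-action accept" belongs in the data policy.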