Service Insertion FW traffic flow
Task: Configure Service Insertion FW so that traffic from Branch 1 to Branch 2 traverses the FW at DC1 or DC2.
Configure the following to achieve this task:
Go to Configuration | Policy | Centralized Policy | Add Policy | Create Groups of Interest | Next to move to Configure Topology & VPN Membership
Click Add Topology | Custom Control Topology | Name: Multi-Topology-FW | Sequence Type: Route | Name: VPN20toDC | Match Site ID: All-Branches, VPN ID: SecPci-VPN | Action: Accept, Set TLOC: DC-TLOCs
Click Sequence Type: Route | Name: FW-Service-Insertion | Match VPN ID: Corp-VPN, Site ID: All-Branches | Action: Accept, Set Service: FW, VPN: 10
Default Action: Accept
Click VPN Membership | Add VPN Membership Policy | Name: Drop-GuestWifi-VPN40 | Site List: All-Branches, VPN List: Corp-VPN, SecPci-VPN | Save
Click Next to move to Configure Traffic Rules | Traffic Data | Add Policy | Create New | Name: Application Firewall Drop
Sequence Type: Application Firewall | Name: Application Firewall Drop | Match Destination Prefix: All-Prefixes | Action: Drop
Default Action: Accept
Save and click Next to move to Apply Policy to Sites & VPNs
Select Traffic Data | Name: Multi-Topology-FW-Service-Chaining | Under Application Firewall Drop
Select New Site List & VPN List | Site List: All-Branches | VPN List: Guest-VPN | Direction: From Service
Select Topology | Direction: Out | Site List: All-Branches
Activate this policy.
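The vSmart-side centralized control policy that the steps above build, shown here as an added example rather than the lab's own configuration; the site IDs, the Corp-VPN and SecPci-VPN numbers and the DC TLOC addresses are assumed placeholders, only the FW's service VPN (10) and the list and sequence names come from the task:

```text
! Added illustration: site IDs, VPN numbers and DC TLOC addresses are assumed
! placeholders; only the FW's service VPN (10) comes from the task.
policy
 lists
  site-list All-Branches
   site-id 10
   site-id 20
  !
  vpn-list Corp-VPN
   vpn 10
  !
  vpn-list SecPci-VPN
   vpn 20
  !
  tloc-list DC-TLOCs
   tloc 192.0.2.1 color mpls encap ipsec
   tloc 192.0.2.2 color mpls encap ipsec
  !
 !
 control-policy Multi-Topology-FW
  ! VPN20toDC: PCI routes are reachable only via the DC TLOCs
  sequence 10
   match route
    site-list All-Branches
    vpn-list SecPci-VPN
   !
   action accept
    set
     tloc-list DC-TLOCs
    !
   !
  !
  ! FW-Service-Insertion: corp routes are rewritten to point at the FW service in VPN 10
  sequence 20
   match route
    site-list All-Branches
    vpn-list Corp-VPN
   !
   action accept
    set
     service FW vpn 10
    !
   !
  !
  default-action accept
 !
apply-policy
 site-list All-Branches
  control-policy Multi-Topology-FW out
```

The FW service itself is advertised by the DC routers under VPN 10 (vEdge `vpn 10` / `service FW address 198.18.130.1`, and likewise 10.2.0.1 at DC2); the data-policy and VPN-membership parts of the policy are not shown.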
Select Monitor | Network | BR2-VEDGE1 | Troubleshooting | Traceroute
Run the traceroute as shown in the figure below; traffic from Branch 1 to Branch 2 is routed through the FW (198.18.130.1 or 10.2.0.1) sitting in DC1 or DC2.