
Service Chaining Configuration Examples

Service chaining control policies direct data traffic to service devices that can be located in various places in the network before the traffic is delivered to its destination. For service chaining to work, you configure a centralized control policy on the vSmart controller, and you configure the service devices themselves on the vEdge router collocated in the same site as the device. To ensure that the services are advertised to the vSmart controller, the IP address of the service device must resolve locally.

This article provides examples of configuring service chaining.

Route Intersite Traffic through a Service

A simple example is to route data traffic traveling from one site to another through a service. In this example, we route all traffic traveling from the vEdge router at Site 1 to the vEdge router at Site 2 through a firewall service that sits behind a vEdge hub (whose system IP address is 100.1.1.1). To keep things simple, all devices are in the same VPN.

For this scenario, you configure the following:

  • On the vEdge hub router, you configure the IP address of the firewall device.
  • On the vSmart controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall service.
  • On the vSmart controller, you apply the control policy to Site 1.

Here is the configuration procedure:

  1. On the vEdge hub router, provision the firewall service, specifying the IP address of the firewall device. With this configuration, OMP on the vEdge hub router advertises one service route to the vSmart controller. The service route contains a number of properties that identify the location of the firewall, including the TLOC of the vEdge hub router and a service label of svc-id-1, which identifies the service type as a firewall. (As mentioned above, before advertising the route, the vEdge router ensures that the firewall's IP address can be resolved locally.)
vpn 10
  service FW address 1.1.1.1
  2. On the vSmart controller, configure a control policy that redirects data traffic traveling from Site 1 to Site 2 through the firewall. Then, also on the vSmart controller, apply this policy to Site 1.
policy
  lists
    site-list firewall-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        site-id 2
      action accept
        set service FW vpn 10
    default-action accept
apply-policy
  site-list firewall-sites control-policy firewall-service out

This policy configuration does the following:

  • Create a site list called firewall-sites that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to. If you later want to scale this policy so that all traffic destined to Site 2 from other sites should also first pass through the firewall, all you need to do is add the additional site IDs to the firewall-sites site list. You do not need to change anything in the control-policy firewall-service portion of the configuration.
  • Define a control policy named firewall-service. This policy has one sequence element and the following conditions:
    • Match routes destined for Site 2.
    • If a match occurs, accept the route and redirect it to the firewall service provided by the vEdge Hub router, which is located in VPN 10.
    • Accept all nonmatching traffic. That is, accept all traffic not destined for Site 2.
  • Apply the policy to the sites listed in firewall-sites, that is, to Site 1. The vSmart controller applies the policy in the outbound direction, that is, on routes that it redistributes to Site 1. In these routes:
    • The TLOC is changed from Site 2’s TLOC to the vEdge hub router’s TLOC. This is the TLOC that the vSmart controller learned from the service route received from the vEdge hub router. It is because of this change of TLOC that traffic destined for Site 2 is directed to the vEdge hub router.
    • The label is changed to svc-id-1, which identifies the firewall service. This label causes the vEdge hub router to direct the traffic to the firewall device.

When the vEdge hub router receives the traffic, it forwards it to the address 1.1.1.1, which is the system IP address of the firewall. After the firewall has finished processing the traffic, the firewall returns the traffic to the vEdge hub router, and this router then forwards it to its final destination, which is Site 2.
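To make the route rewriting concrete, here is an added Python model (not Viptela code and not part of this documentation) of what the vSmart controller does when the outbound control policy above runs: it swaps the TLOC of matching routes to the hub's and stamps the service label. The data structures, function names and sample prefixes are assumptions; the service labels follow the page, and the default-action reject behaviour modelled is the Viptela control-policy default.

```python
from dataclasses import dataclass, replace
# Service labels described on the page: FW advertises svc-id-1, netsvc1 svc-id-4.
SERVICE_LABELS = {"FW": "svc-id-1", "netsvc1": "svc-id-4"}

@dataclass(frozen=True)
class Route:            # an OMP route as held by the vSmart controller
    prefix: str
    vpn: int
    site_id: int        # site that originated the route
    tloc: str           # system IP of the router owning the TLOC
    label: str = ""     # empty until a policy sets a service

@dataclass(frozen=True)
class Sequence:         # one 'sequence N' of a control-policy (assumed shape)
    match_site_id: int = 0      # 0 means no site-id match clause
    match_vpn: int = 0          # 0 means no vpn match clause
    set_service: str = ""       # 'action accept / set service X'
    accept: bool = True

def apply_control_policy(routes, service_tlocs, sequences, default_accept):
    # service_tlocs: advertised service name -> hub TLOC; returns redistributed routes
    out = []
    for r in routes:
        for seq in sequences:
            if seq.match_site_id and r.site_id != seq.match_site_id:
                continue
            if seq.match_vpn and r.vpn != seq.match_vpn:
                continue
            if not seq.accept:
                break           # explicit reject: route is withheld
            if seq.set_service:
                if seq.set_service not in service_tlocs:   # hub never advertised it,
                    raise ValueError(f"{seq.set_service} not advertised")  # e.g. unresolvable address
                # Swap the TLOC to the hub's and stamp the service label so the hub
                # steers matching packets into the service device.
                r = replace(r, tloc=service_tlocs[seq.set_service],
                            label=SERVICE_LABELS[seq.set_service])
            out.append(r)
            break
        else:                   # no sequence matched: default-action decides
            if default_accept:
                out.append(r)
    return out

def site1_view_of_routes(default_accept=True):
    # Constructed sample: Site 2 (TLOC 10.0.0.2) and the hub (100.1.1.1, Site 3)
    # each advertise one VPN 10 prefix; the hub also advertises 'service FW'.
    routes = [Route("10.2.0.0/16", 10, 2, "10.0.0.2"),
              Route("10.3.0.0/16", 10, 3, "100.1.1.1")]
    policy = [Sequence(match_site_id=2, set_service="FW")]  # 'match route site-id 2'
    return apply_control_policy(routes, {"FW": "100.1.1.1"}, policy, default_accept)
```

Calling site1_view_of_routes(default_accept=False) shows the practical caveat: without `default-action accept`, Site 1 loses every route that the sequence does not match.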

Route Inter-VPN Traffic through a Service Chain with One Service per Node

A service chain allows traffic to pass through two or more services before reaching its destination. The example here routes traffic from one VPN to another through services located in a third VPN. The services are located behind different vEdge hub routers. Specifically, we want all traffic from vEdge-1 in VPN 20 that is destined for prefix x.x.0.0/16 in VPN 30 on vEdge-2 to go first through the firewall behind vEdge Hub-1 and then through the custom service netsvc1 behind vEdge Hub-2 before being sent to its final destination.

For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected by an extranet, such as the Internet.
  • VPN 10 must import routes from VPN 20 and VPN 30. Routes can be selectively imported if necessary.
  • VPN 20 must import routes from VPN 30. Routes can be selectively imported if necessary.
  • VPN 30 must import routes from VPN 20. Routes can be selectively imported if necessary.

For this scenario, you configure four things:

  • You configure the IP address of the firewall device on the vEdge Hub-1 router.
  • You configure the IP address of the custom service device on the vEdge Hub-2 router.
  • On the vSmart controller, you configure a control policy that redirects traffic destined from Site 1 to Site 2 through the firewall device.
  • On the vSmart controller, you configure a second control policy that redirects traffic to the custom service device.

Here is the configuration procedure:

  1. Configure the firewall service on vEdge Hub-1. With this configuration, OMP on the vEdge Hub-1 router advertises a service route to the vSmart controller. The service route contains a number of properties that identify the location of the firewall, including the TLOC of the vEdge hub router and a service label of svc-id-1, which identifies the service type as a firewall.
vpn 10
  service FW address 1.1.1.1
  2. Configure the custom service netsvc1 on vEdge Hub-2. With this configuration, OMP on the vEdge Hub-2 router advertises a service route to the vSmart controller. The service route contains the TLOC of vEdge Hub-2 and a service label of svc-id-4, which identifies the custom service.
vpn 10
  service netsvc1 address 2.2.2.2
  3. Create a control policy on the vSmart controller for the first service in the chain, the firewall, and apply it to Site 1, which is the location of the vEdge-1 router:
policy
  lists
    site-list firewall-custom-service-sites
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
        site-id 2
      action accept
        set service FW
    default-action accept
apply-policy
  site-list firewall-custom-service-sites control-policy firewall-service out

This policy configuration does the following:

  • Create a site list called firewall-custom-service-sites that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to.
  • Define a control policy named firewall-service that has one sequence element and the following conditions:
    • Match routes destined for both VPN 30 and Site 2.
    • If a match occurs, accept the route and redirect it to a firewall service.
    • If a match does not occur, accept the traffic.
  • Apply the policy to the sites in the firewall-custom-service-sites site list, that is, to Site 1. The vSmart controller applies this policy in the outbound direction, that is, on routes that it redistributes to Site 1. In these routes:
    • The TLOC is changed from Site 2’s TLOC to the vEdge Hub-1 router’s TLOC. This is the TLOC that the vSmart controller learned from the service route received from the vEdge hub. It is because of the change of TLOC that traffic destined for Site 2 is directed to the vEdge Hub-1 router.
    • The label is changed to svc-id-1, which identifies the firewall service. This label causes the vEdge Hub-1 router to direct the traffic to the firewall device.

When the vEdge Hub-1 router receives the traffic, it forwards it to the address 1.1.1.1, which is the system IP address of the firewall. After the firewall completes processing the traffic, it returns the traffic to the vEdge Hub-1 router, which, because of the policy defined in the next step, forwards it to the vEdge Hub-2 router.

  4. Create a control policy on the vSmart controller for the second service in the chain, which is the custom service, and apply it to Site 3, which is the location of the vEdge Hub-2 router:
policy
  lists
    site-list custom-service
      site-id 3
  control-policy netsvc1-service
    sequence 10
      match route
        vpn 10
        site-id 2
      action accept
        set service netsvc1
    default-action accept
apply-policy
  site-list custom-service control-policy netsvc1-service out

This policy configuration does the following:

  • Create a site list called custom-service that is referenced in the apply-policy command and that enumerates all the sites that this policy applies to.
  • Define a control policy named netsvc1-service that has one sequence element and the following conditions:
    • Match routes destined for both VPN 30 and Site 2.
    • If a match occurs, accept the route and redirect it to the custom service.
    • If a match does not occur, accept the traffic.
  • Apply the policy to the sites in the custom-service list, that is, to Site 3. The vSmart controller applies this policy in the outbound direction, that is, on routes that it redistributes to Site 3. In these routes:
    • The TLOC is changed from Site 2’s TLOC to the vEdge Hub-2 router’s TLOC. This is the TLOC that the vSmart controller learned from the service route received from the vEdge Hub-2 router. It is because of the change of TLOC that traffic destined for Site 2 is directed to the vEdge Hub-2 router.
    • The label is changed to svc-id-4, which identifies the custom service. This label causes the vEdge Hub-2 router to direct the traffic to the device that is hosting the custom service.

When the vEdge Hub-2 router receives the traffic, it forwards it to the address 2.2.2.2, which is the system IP address of the device hosting the custom service. After the traffic has been processed, it is returned to the vEdge Hub-2 router, which then forwards it to its final destination, Site 2.

Route Inter-VPN Traffic through a Service Chain with Multiple Services per Node

If a service chain has more than one service connected to the same node, that is, both services are behind the same vEdge router, you use a combination of control policy and data policy to create the desired service chain. The example here is similar to the one in the previous section, but instead has a firewall and a custom service (netsvc1) behind a single vEdge hub router. Here, we want all data traffic from vEdge-1 in VPN 20 destined for prefix x.x.0.0/16 on vEdge-2 in VPN 30 to first go through the firewall at vEdge Hub-1, then through the custom service netsvc1, also at vEdge Hub-1, and then to its final destination.

For this policy to work:

  • VPN 10, VPN 20, and VPN 30 must be connected by an extranet, such as the Internet.
  • VPN 10 must import routes from VPN 20 and VPN 30. Routes can be selectively imported if necessary.
  • VPN 20 must import routes from VPN 30. Routes can be selectively imported if necessary.
  • VPN 30 must import routes from VPN 20. Routes can be selectively imported if necessary.

For this scenario, you configure the following:

  • On the vEdge hub router, you configure the firewall and custom services.
  • On the vSmart controller, you configure a control policy that redirects data traffic from Site 1 that is destined to Site 2 through the firewall.
  • On the vSmart controller, you configure a data policy that redirects data traffic to the custom service.

Here is the configuration procedure:

  1. On the vEdge hub router, configure the firewall and custom services:
vpn 10
  service FW address 1.1.1.1
  service netsvc1 address 2.2.2.2

With this configuration, OMP on the vEdge hub router advertises two service routes to the vSmart controller, one for the firewall and the second for the custom service netsvc1. Both service routes contain the TLOC of the vEdge Hub-1 router and a service label that identifies the type of service. For the firewall service, the label is svc-id-1, and for the custom service, the label is svc-id-4.

  2. On the vSmart controller, configure a control policy to reroute traffic destined for VPN 30 (at Site 2) to the firewall service that is connected to vEdge Hub-1 (at Site 3), and apply this policy to Site 1:
policy
  lists
    site-list vEdge-1
      site-id 1
  control-policy firewall-service
    sequence 10
      match route
        vpn 30
      action accept
        set service FW
    default-action accept
apply-policy
  site-list vEdge-1 control-policy firewall-service out
  3. On the vSmart controller, configure a data policy that redirects, or chains, the data traffic received from the firewall device to the custom service netsvc1. Then apply this policy to vEdge Hub-1. This data policy routes packets headed for destinations in the network x.x.0.0/16 to the IP address 2.2.2.2, which is the system IP address of the device hosting the custom service.
policy
  lists
    site-list vEdge-2
      site-id 2
    site-list vEdge-Hub-1
      site-id 3
    prefix-list svc-chain
      ip-prefix x.x.0.0/16
    vpn-list vpn-10
      vpn 10
  data-policy netsvc1-policy
    vpn-list vpn-10
      sequence 1
        match
          destination-ip x.x.0.0/16
        action accept
          set next-hop 2.2.2.2
apply-policy
  site-list vEdge-Hub-1 data-policy netsvc1-policy from-service

Additional Information

Service Chaining
