Can CFLOW and Syslog traffic from CEDGE be pinned to a specific TLOC ?

csco10260962
Level 1
We have AAR in place with traffic pinned to TLOC private1 (fiber IP VPN in our case), and private2 (LTE connection) is up as fallback.

All traffic from service-side VPNs is correctly pinned to the private1 TLOC. Only traffic such as syslog and cflowd from the cEdge itself, using a service-side VPN interface as source, is using both TLOCs (in the case of some cEdges this causes a lot of data usage on the private2 LTE TLOC).


fik-rt01#sh sdwan app-route sla-class
APP PROBE
INDEX NAME LOSS LATENCY JITTER CLASS ID APP PROBE CLASS FALLBACK BEST TUNNEL
-------------------------------------------------------------------------------------------------------------------------------------------
0 __all_tunnels__ 0 0 0 0 None None
1 Best-Effort 5 500 500 0 None None
2 Default 50 500 500 0 None Latency Jitter


fik-rt01#sh sdwan app-route stats | include remote-system-ip|local-color|remote-color|sla-class-index
remote-system-ip 10.14.252.70
local-color private2
remote-color private2
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.252.70
local-color private1
remote-color private1
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.252.71
local-color private2
remote-color private2
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.252.71
local-color private1
remote-color private1
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.255.100
local-color private2
remote-color private2
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.255.100
local-color private1
remote-color private1
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.255.101
local-color private2
remote-color private2
sla-class-index 0,1,2
fallback-sla-class-index None
remote-system-ip 10.14.255.101
local-color private1
remote-color private1
sla-class-index 0,1,2
fallback-sla-class-index None

Now, all seems normal. Strange case. Maybe you are right: in this release, local traffic does not pass AAR or data policy. Or locally generated control (CPU) traffic does not pass. I actually tested in v20.11/17.11 with ping/telnet/SSH traffic in the lab. Will check control (syslog) traffic too.

Can you do a temporary filter in data policy, matching the local service VPN IP and the remote side (syslog/cflowd collector server with the respective ports) with action drop (don't drop all traffic of the VPN IP; you may have some routing in the LAN and it will also be blocked). Plus, add ICMP to this block list. It can be the case that ICMP (ping) is blocked because it is user-generated traffic (like regular transit, data-plane traffic), but syslog is still not blocked because it is control traffic. Then it is definitely a control-plane issue: router-generated data-plane traffic passes AAR/data policy, control traffic does not.

Below is from my lab; as you see, I have 10.2.1.254 on the service side as the router IP and it matches the AAR policy. It matches seq 1 (as you see in the upstream feature and policy), and the actual local color is biz-internet while the preferred local color is public-internet (I have higher loss in my lab on the public-internet transport while I do this test). You can also use the NWPI tool (needs data stream to be enabled).


interface GigabitEthernet2
vrf forwarding 1
ip address 10.2.1.254 255.255.255.0
no ip redirects
load-interval 30
negotiation auto
arp timeout 1200
no mop enabled
no mop sysid
end

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

However, I configured syslog on the router towards one of the remote sites. Also, I did telnet (data-plane traffic) from the local router as telnet client to the remote core switch; both are shown in the NWPI tool, and for both the tool shows AAR/data policy checks with the respective SLA class, matching case, etc. One test is left: doing the same check (you can begin the test in data policy with drop for syslog traffic, for example) in your environment (20.7 version). In my lab (v20.11) everything works as I mentioned. Both locally generated data-plane and control-plane traffic pass both AAR and data policy.


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I'll try and do the data policy test with drop later this week, as we have SD-WAN migrations the coming two days. I'll keep you posted.

I found some time to do a quick test, but it looks like it does not work. I attached it as an egress ACL to the Cellular0/1/0 interface template after adding it to the local data policy. As it is router-generated traffic with a source interface in the service VPN, and Cellular0/1/0 is part of VPN 0, it does not see the unencapsulated cflowd traffic. It would probably work if I sent it over VPN 0, but I don't want unencrypted cflowd data over VPN 0 (same for syslog, but you can use TLS on that).

You need a centralized data policy, not a local policy with an SD-WAN access list.

Create a data policy for one of the sites.

Seq 1: match the router VPN IP as source data-prefix and the remote syslog server with its port as destination data-prefix; action drop.

Don't forget to add an explicit permit any, otherwise everything will be blocked (or change the default action to permit).

Then you need to add this data policy to the centralized policy and attach it to the respective VPN for the site (you may need to pre-define a VPN list and site list to use in the selection).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I already had a QoS classification sequence -> CFLOW sequence for those sites in the traffic policy of the centralized data policy. So I added a custom sequence with the destination NetFlow exporter address as data prefix, protocol 17 and port 2055, with action accept and, further, local TLOC private1; the default action at the end was changed to accept. Will post how this turns out.
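As an added example (not a configuration from this thread or from Cisco), here is the vSmart-CLI form of the centralized data policy the reply above describes and the user's custom sequence implements: source is the cEdge's service-side IP, destination is the cflowd collector on UDP 2055, the flow is steered to local TLOC private1, the default action is accept, and the policy is applied from-service to the site list. List names, site IDs and addresses are constructed placeholders; a syslog sequence would follow the same pattern with the collector's port, and this has to be a centralized policy because a local ACL on the cellular interface only sees the already-encapsulated tunnel traffic.

```text
policy
 lists
  ! constructed values: substitute the cEdge service-side IP(s) and collector addresses
  data-prefix-list ROUTER-SERVICE-IPS
   ip-prefix 10.2.1.254/32
  !
  data-prefix-list CFLOWD-COLLECTORS
   ip-prefix 10.2.99.10/32
  !
  vpn-list SERVICE-VPN
   vpn 1
  !
  site-list OT-SITES
   site-id 100-199
  !
 !
 data-policy PIN-MGMT-TO-PRIVATE1
  vpn-list SERVICE-VPN
   ! cflowd export: service-side router IP to collector, UDP 2055 (protocol/port as in the thread)
   sequence 10
    match
     source-data-prefix-list ROUTER-SERVICE-IPS
     destination-data-prefix-list CFLOWD-COLLECTORS
     protocol 17
     destination-port 2055
    !
    action accept
     set
      ! no "restrict" keyword: if private1 is down the flow falls back to private2 (LTE)
      local-tloc color private1 encap ipsec
     !
    !
   !
   ! for the evaluation test suggested above, change "action accept" to "action drop"
   ! and add "count"/"log" under the action; a rising counter confirms the sequence is hit
   ! everything else keeps flowing; a default of drop would black-hole the whole VPN
   default-action accept
  !
 !
!
apply-policy
 site-list OT-SITES
  data-policy PIN-MGMT-TO-PRIVATE1 from-service
 !
!
```

The `from-service` direction is what matters for router-originated traffic sourced from a service-VPN interface; `from-tunnel` would only evaluate flows arriving from the overlay.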

Hi,

Actually, I asked for the drop action to check whether the data policy is evaluated for locally generated traffic or not in the 20.7/17.7 release.

Or you can also use the NWPI tool.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi, the NWPI tool didn't show any results, and drop didn't seem to work either. A log entry on the sequence also produced no results, so I'm probably running into some caveat. We are also doing dynamic tunneling, as the full-mesh option for our production sites would run up too high a cost on the LTE interfaces with only BFD. At the moment I have prepared a new central control and data policy where I translated the AAR prefer-TLOC, load-balance and strict-TLOC settings to a centralized data policy, split into three separate central data traffic policies set to service side only: one applied to our production OT sites, another policy for the datacenter sites, and the last one for our small office sites. OT and small office sites have their own source prefixes and service VPNs towards the datacenter prefixes, and the datacenter has its prefixes as source and the OT production site and small office site prefixes as destination, with the sequences in all policies having the more specific entries/actions above the more general ones. Some co-workers still have to review this before I activate this new central policy. I will let you know the results.
