420 Views | 3 Helpful | 3 Replies

Cisco SD-WAN Service Route Label

JUANNN (Spotlight)

Hello,

I have a doubt about how a WAN Edge router that has a network service directly connected to it forwards packets that have a service label that points to such a service. Given the following scenario, extracted from an excellent post about service routes in CLN (Cisco SD-WAN Service Chaining):

[image: JUANNN_0-1757124862631.png]

When the CHI router starts sending packets to the BOS router, after the network service (FW) has been injected and the OMP routing table on the SD-WAN Controller dictates that the next-hop TLOC for the VPN 100 prefixes is the NNJ router TLOC (and the WAN Edge routers reflect the updates on their data plane), an MPLS label (service label) is inserted as usual (but in this case it helps the NNJ to identify that no IP lookup should be done for these packets, since they have to be forwarded to the Firewall, and it is on the return from the Firewall that the IP lookup will be done, because the service label points to a network service and not a VPN service).

I am assuming that the NNJ router forwards traffic using the MAC address of the FW as soon as the packets from CHI arrive with the FW service label set, but will it be possible to have the network service sitting on a subnet not directly connected to the NNJ router? I don't see why not, but OMP Overview | NetworkAcademy.io says that there must not be L3 devices between the network service and the WAN Edge router.

Thanks, please correct me if I am misunderstanding something,

Juan

 

Accepted Solution

Hi,

The firewall should be at L2 (directly or via tunnel), because the firewall and an intermediate L3 device do not understand that the router does "fw insertion". How can the router forward traffic to the firewall if there is another L3 device between the router and the firewall? Only tunneling can be used.

With tunneling, it should be supported in Cisco SD-WAN.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.


3 Replies

Torbjørn (VIP)

I can't speak to the specific technical limitation that creates the requirement for L2 adjacency, but if required you can use a GRE tunnel to achieve the L2 adjacency between your WAN edge and the firewall service device if it resides in another subnet.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thanks, you are right. The packets get switched from the WAN Edge router to the FW when they have a label that points to a service, and because of that no IP lookup must be done on the way to the FW, since the IP header points to the original destination and not the FW. Once the packet reaches the FW, it is the FW that does the IP lookup and sends the packet to the original destination via the FW default gateway, which will be the WAN Edge router again, but this time without a service label, so the IP lookup is then done at the WAN Edge router and all good.
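To make the forwarding logic in this thread concrete, here is a small Python simulation added to this page (it is not Cisco code and not from any of the posters). It models the three cases discussed: a WAN Edge that receives a packet carrying the FW service label and switches it at L2 to the firewall without an IP lookup; the same packet handed to an intermediate L3 router with no tunnel, where that router routes on the original destination and the firewall is bypassed; and the GRE case, where the outer header names the firewall so the intermediate hop delivers it correctly. All label values, MAC and IP addresses, router names and route tables are constructed for the example, and the FW's return leg is simplified to a direct hand-back to the WAN Edge.

```python
# Added simulation (not Cisco code): how a WAN Edge treats a packet carrying a
# service label versus a VPN label, and why the service device must be reached
# at layer 2 (directly or through a tunnel). All names, labels and addresses
# below are constructed for the example.
from dataclasses import dataclass, field
from typing import Optional

VPN100_LABEL = 1003      # constructed: label OMP would advertise for VPN 100
FW_SERVICE_LABEL = 2001  # constructed: label OMP would advertise for the FW service


@dataclass
class Packet:
    src_ip: str
    dst_ip: str                      # original destination in the inner IP header
    label: Optional[int] = None      # SD-WAN label set by the sending WAN Edge
    outer_dst: Optional[str] = None  # outer IP header when GRE-encapsulated
    trace: list = field(default_factory=list)


class Firewall:
    """Service device: inspects, then hands traffic back to its default gateway."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.inspected = 0

    def process(self, pkt: Packet, gateway: "WanEdge") -> str:
        self.inspected += 1
        pkt.label = None       # return leg is a plain IP packet, no service label
        pkt.outer_dst = None   # any GRE encapsulation terminates at the firewall
        pkt.trace.append("FW: inspected, returned to default gateway without label")
        return gateway.ip_lookup(pkt)   # simplified: FW's gateway is the WAN Edge


class WanEdge:
    """WAN Edge (the NNJ router in the thread) hosting the FW service in VPN 100."""

    def __init__(self, name: str, routes: dict, fw: Firewall):
        self.name, self.routes, self.fw = name, routes, fw

    def ip_lookup(self, pkt: Packet) -> str:
        nh = self.routes[pkt.dst_ip]
        pkt.trace.append(f"{self.name}: IP lookup {pkt.dst_ip} -> {nh}")
        return nh

    def receive_from_tunnel(self, pkt: Packet, via: Optional["L3Router"] = None,
                            use_gre: bool = False) -> str:
        if pkt.label == VPN100_LABEL:
            return self.ip_lookup(pkt)            # ordinary VPN label: route it
        if pkt.label != FW_SERVICE_LABEL:
            raise ValueError(f"unknown label {pkt.label}")
        # Service label: the packet is switched toward the FW with no IP lookup.
        if via is None:
            pkt.trace.append(f"{self.name}: service label -> L2 to {self.fw.mac}")
            return self.fw.process(pkt, self)
        if use_gre:
            # Tunnel to the FW: the outer header names the FW, so the L3 hop
            # routes on that rather than on the original destination.
            pkt.outer_dst = self.fw.ip
            pkt.trace.append(f"{self.name}: service label -> GRE to {self.fw.ip}")
        else:
            pkt.trace.append(f"{self.name}: service label -> {via.name}, no tunnel")
        return via.forward(pkt, self)


class L3Router:
    """A plain router in the path; it knows nothing about SD-WAN labels."""

    def __init__(self, name: str, routes: dict, fw: Firewall):
        self.name, self.routes, self.fw = name, routes, fw

    def forward(self, pkt: Packet, edge: WanEdge) -> str:
        dst = pkt.outer_dst or pkt.dst_ip   # routes purely on the header it sees
        nh = self.routes[dst]
        pkt.trace.append(f"{self.name}: IP lookup {dst} -> {nh}")
        if nh == self.fw.ip:
            return self.fw.process(pkt, edge)
        return nh                            # the firewall never saw the packet


def run(scenario: str) -> dict:
    """Return whether the FW inspected the packet and the final next hop."""
    fw = Firewall(mac="00:11:22:33:44:55", ip="10.100.1.2")
    nnj = WanEdge("NNJ", routes={"10.2.0.10": "TLOC-BOS"}, fw=fw)
    # Constructed intermediate router: its best path for the BOS host is its
    # uplink, so an unencapsulated packet is routed straight past the firewall.
    r1 = L3Router("R1", routes={"10.2.0.10": "uplink", "10.100.1.2": "10.100.1.2"}, fw=fw)
    pkt = Packet(src_ip="10.1.0.10", dst_ip="10.2.0.10", label=FW_SERVICE_LABEL)
    if scenario == "l2_adjacent":
        nh = nnj.receive_from_tunnel(pkt)
    elif scenario == "l3_hop_no_tunnel":
        nh = nnj.receive_from_tunnel(pkt, via=r1)
    elif scenario == "l3_hop_gre":
        nh = nnj.receive_from_tunnel(pkt, via=r1, use_gre=True)
    else:
        raise ValueError(scenario)
    return {"inspected": fw.inspected == 1, "next_hop": nh, "trace": pkt.trace}


if __name__ == "__main__":
    for name in ("l2_adjacent", "l3_hop_no_tunnel", "l3_hop_gre"):
        result = run(name)
        print(name, "inspected =", result["inspected"], "next hop =", result["next_hop"])
        for line in result["trace"]:
            print("   ", line)
```

The point the simulation makes is the one in the accepted answer: the packet leaving the WAN Edge toward the firewall still carries the original destination in its IP header, so any device that performs a normal IP lookup on it sends it along the best path to that destination, not to the firewall. Only a Layer 2 hand-off (directly attached, or a GRE tunnel whose outer header terminates on the firewall) guarantees the service actually sees the traffic before the WAN Edge does its own IP lookup on the return leg.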