06-15-2021 08:33 PM
Hi,
In service chaining, how does the vEdge direct the traffic to the service running on its LAN side? Does it use GRE, WCCP, etc.?
Or is it a requirement that the service (say a firewall) must be directly attached to the vEdge?
I have been searching for an answer to this question for more than a year and no one has been able to tell me.
Would appreciate any help.
Mohan
PS: Please note that I know how service chaining works over the SD-WAN overlay; my question is very specifically about how the vEdge that is connected to the service (FW) directs/redirects the traffic to that service on its LAN side.
06-16-2021 05:18 PM - edited 06-16-2021 05:28 PM
Hi,
The router does simple routing (without any additional encapsulation) if the service is configured with an IP address. If a GRE or IPsec interface is used, then traffic is redirected through the GRE or IPsec interface to the firewall (the service).
It is not mandatory that the service be directly connected. You may do routing toward the firewall (static routing, for example). But you must be careful here: an intermediate node may immediately return traffic to the router due to its configured routing. You must use a different VRF for in/out traffic, or you may use PBR to route toward the firewall.
HTH,
06-16-2021 08:17 PM
Hi Kanan,
Thank you for your reply. It clarifies the connectivity to the service.
One other related question: I know the vEdge will monitor the service (reachability to that service IP) to avoid blackholing the traffic if the service is not available. I believe the router will withdraw the service route if the service is not reachable. But what happens to the user traffic if the service IP (say the FW) becomes unavailable? Will the service chaining policy not take effect and the traffic be forwarded without the service in between, or will the traffic be dropped?
Thank you and I appreciate your reply.
Regards,
Mohan
06-16-2021 10:39 PM
Hi,
good questions...
If you do chaining with a central control policy, then you will have normal routing as the fallback.
If you do chaining with a central data policy and "strict" is chosen in the set service-VPN action, you will have a drop. If it is not chosen, then normal routing happens.
Why does normal routing happen in this case? Because normally vSmart changes the label value in the route advertisement (in the central control policy scenario) or adds the respective TLOC values with the label (in the central data policy scenario) when the service is assumed online. If it is not available (because the originator withdrew the route), then vSmart doesn't change the label values and the router does routing based on the normal OMP routes.
HTH,
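As an added illustration (not from this thread, and not taken from Cisco's documentation), here is the shape of the configuration the two replies above describe: the vEdge-side service definition in the plain-IP form and in the GRE-interface form, and a vSmart centralized data policy that steers traffic into that service. Every name, VPN number, site ID and address is made up. The `restrict` keyword is my assumption for what the reply calls "strict" (and its position inside the `set service` line is also assumed), and the `service ... interface` form assumes the GRE tunnels toward the firewall are defined separately.

```text
! ---- vEdge at the firewall site; VPN 10 is the service-side VPN ----
! Plain-IP form: the firewall is an ordinary next hop in VPN 10, so the
! vEdge forwards to it with no extra encapsulation. The vEdge tracks
! reachability of this address and withdraws the service route from
! vSmart when it is down.
vpn 10
 service FW address 10.10.10.2
!
! GRE form (alternative; gre1/gre2 are hypothetical interface names):
! traffic for the service is sent into the GRE tunnel(s) to the firewall.
! vpn 10
!  service FW interface gre1 gre2

! ---- vSmart centralized data policy, applied to the branch sites ----
policy
 lists
  vpn-list vpn10
   vpn 10
  site-list branches
   site-id 100-199
  prefix-list dc-servers
   ip-prefix 10.200.0.0/16
 data-policy chain-via-fw
  vpn-list vpn10
   sequence 10
    match
     destination-data-prefix-list dc-servers
    action accept
     set
      ! 'restrict' is assumed to be the CLI spelling of "strict":
      ! drop the packet when the FW service route has been withdrawn.
      ! Without it the packet falls back to normal OMP routing.
      service FW vpn 10 restrict
   default-action accept
 apply-policy
  site-list branches
   data-policy chain-via-fw from-service
```

The failure behaviour the reply describes follows from the second half: with `restrict` present, a withdrawn service route means vSmart does not attach the service TLOC/label to the matching flows and the policy drops them; with it absent, the same withdrawal leaves the flows on the plain OMP route and they bypass the firewall. With a centralized control policy (a `set service` action inside a `control-policy` route sequence instead of a data policy) there is no drop option, so the only fallback is normal routing.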
06-17-2021 12:52 AM
Thank you, Kanan. Very much. Your reply made it crystal clear.
This is exactly what I was looking for in the documentation.
Appreciate it.
Regards,
Mohan
09-09-2021 10:11 AM - edited 09-14-2021 12:54 PM
Deleting my post here; I opened up a new thread on its own.