Traffic Data - Service Chaining Definition

A Service Chaining Definition defines the match conditions and actions used to configure service chaining. An example use is forcing traffic between branch sites via a FW that is connected to a hub, or via a regional firewall. It requires that service chaining is defined in the respective VPN template of the device that connects to the external entity (firewall or IDS).

data_policy (sdwan.centralized_policies.definitions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| traffic_data | List[traffic_data] | | No | |

traffic_data (sdwan.centralized_policies.definitions.data_policy)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[A-Za-z0-9\-_]{1,127}$` | Yes | |
| description | String | | Yes | |
| default_action_type | Choice | accept, drop | Yes | |
| sequences | List[sequences] | | No | |

sequences (sdwan.centralized_policies.definitions.data_policy.traffic_data)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| base_action | Choice | accept, drop | Yes | |
| id | Integer | min: 1, max: 65534 | Yes | |
| name | String | | Yes | |
| ip_type | Choice | ipv4, ipv6, all | No | ipv4 |
| type | Choice | custom, service_chaining, qos, application_firewall, traffic_engineering | No | custom |
| match_criterias | Class[match_criterias] | | No | |
| actions | Class[actions] | | No | |

match_criterias (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| application_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| dns_application_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| dns | Choice | request, response | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| plp | Choice | low, high | No | |
| protocols | List | Integer[min: 0, max: 255] | No | |
| source_data_prefix_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| source_data_prefix | String | | No | |
| source_ports | List | Integer[min: 0, max: 65535] | No | |
| source_port_ranges | List[source_port_ranges] | | No | |
| destination_data_prefix_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| destination_data_prefix | String | | No | |
| destination_ports | List | Integer[min: 0, max: 65535] | No | |
| destination_port_ranges | List[destination_port_ranges] | | No | |
| tcp | Choice | syn | No | |
| traffic_to | Choice | access, core, service | No | |
| destination_region | Choice | primary-region, secondary-region, other-region | No | |

actions (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| counter_name | String | Regex: `^[A-Za-z0-9\-_]{1,20}$` | No | |
| log | Boolean | true, false | No | |
| cflowd | Boolean | true, false | No | |
| sig | Class[sig] | | No | |
| redirect_dns | Class[redirect_dns] | | No | |
| loss_correction | Class[loss_correction] | | No | |
| nat_pool | Integer | min: 1, max: 31 | No | |
| nat_vpn | Class[nat_vpn] | | No | |
| appqoe_optimization | Class[appqoe_optimization] | | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| forwarding_class | String | min: 1, max: 32 | No | |
| local_tloc_list | Class[local_tloc_list] | | No | |
| next_hop | Class[next_hop] | | No | |
| preferred_color_group | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| policer_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| service | Class[service] | | No | |
| tloc | Class[tloc] | | No | |
| tloc_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| vpn | Integer | min: 0, max: 65530 | No | |

source_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |

destination_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |

sig (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enabled | Boolean | true, false | Yes | |
| fallback_to_routing | Boolean | true, false | No | |

redirect_dns (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | host, umbrella, ipAddress | Yes | |
| ip_address | IP | | No | |

loss_correction (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | fecAdaptive, fecAlways, packetDuplication | Yes | |
| loss_threshold_percentage | Integer | min: 1, max: 5 | No | |

nat_vpn (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_id | Integer | min: 0, max: 65530 | No | |
| nat_vpn_fallback | Boolean | true, false | No | |

appqoe_optimization (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| tcp | Boolean | true, false | No | |
| dre | Boolean | true, false | No | |
| service_node_group | String | | No | |

local_tloc_list (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| colors | List | Choice[default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6] | Yes | |
| encaps | List | Choice[ipsec, gre] | No | |
| restrict | Boolean | true, false | No | |

next_hop (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip_address | IP | | Yes | |
| when_next_hop_is_not_available | Choice | route_table_entry | No | |

service (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | appqoe, FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4, netsvc5 | Yes | |
| vpn | Integer | min: 0, max: 65530 | No | |
| tloc | Class[tloc] | | No | |
| tloc_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| local | Boolean | true, false | No | |
| restrict | Boolean | true, false | No | |

tloc (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | | Yes | |
| color | Choice | default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6 | Yes | |
| encap | Choice | ipsec, gre | Yes | |

Example-1: A simple data policy that matches all traffic from VPN 20 and forces it via FW service insertion.

```yaml
sdwan:
  centralized_policies:
    definitions:
      data_policy:
        traffic_data:
          - name: NAC-DATA-POLICY-BRANCH-VPN20-v1
            description: Data policy for branch VPN 20
            default_action_type: accept
            sequences:
              # No match_criterias: the sequence applies to all traffic
              - base_action: accept
                id: 11
                name: Default
                ip_type: ipv4
                type: service_chaining
                actions:
                  counter_name: ServiceInsertion
                  # Send matching traffic to the FW service in VPN 20
                  service:
                    type: FW
                    vpn: 20
```
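
As an added example (not part of the original page or of the NAC tooling), this pre-deployment lint applies the constraints from the tables above to Example-1 and to a constructed bad input. The names `lint_traffic_data`, `GOOD` and `BAD`, and the rule that a `service_chaining` sequence must carry a `service` action, are assumptions of this example.

```python
import re

# Constraints copied from the tables on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9\-_]{1,127}$")
ACTION_TYPES = {"accept", "drop"}
SEQ_TYPES = {"custom", "service_chaining", "qos", "application_firewall", "traffic_engineering"}
SERVICE_TYPES = {"appqoe", "FW", "IDP", "IDS"} | {f"netsvc{i}" for i in range(1, 6)}

def in_range(value, lo, hi):
    return type(value) is int and lo <= value <= hi  # type() check rejects bool

def lint_traffic_data(policy):
    """Return findings for one traffic_data entry (hypothetical helper name)."""
    out = []
    # fullmatch(): with match(), the trailing "$" would also accept "name\n"
    if not NAME_RE.fullmatch(str(policy.get("name", ""))):
        out.append("name: does not match the schema regex")
    if policy.get("default_action_type") not in ACTION_TYPES:
        out.append("default_action_type: must be accept or drop")
    for seq in policy.get("sequences") or []:
        where = f"sequence {seq.get('id')!r}"
        if not in_range(seq.get("id"), 1, 65534):
            out.append(f"{where}: id must be 1..65534")
        if seq.get("base_action") not in ACTION_TYPES:
            out.append(f"{where}: base_action must be accept or drop")
        seq_type = seq.get("type", "custom")  # schema default is custom
        if seq_type not in SEQ_TYPES:
            out.append(f"{where}: unknown type {seq_type!r}")
        service = (seq.get("actions") or {}).get("service")
        if service is not None:
            if service.get("type") not in SERVICE_TYPES:
                out.append(f"{where}: service.type is not an allowed choice")
            if "vpn" in service and not in_range(service["vpn"], 0, 65530):
                out.append(f"{where}: service.vpn must be 0..65530")
        elif seq_type == "service_chaining":
            # Lint rule added by this example, not a constraint from the tables
            out.append(f"{where}: service_chaining sequence has no service action")
    return out

# Example-1 from this page, as the dict a YAML loader would produce.
GOOD = {"name": "NAC-DATA-POLICY-BRANCH-VPN20-v1", "description": "Data policy for branch VPN 20",
        "default_action_type": "accept", "sequences": [
            {"base_action": "accept", "id": 11, "name": "Default", "ip_type": "ipv4",
             "type": "service_chaining", "actions": {
                 "counter_name": "ServiceInsertion", "service": {"type": "FW", "vpn": 20}}}]}
# Constructed bad input: space in name, id 0, lower-case "fw", VPN out of range, no service.
BAD = {"name": "branch vpn20", "description": "constructed", "default_action_type": "accept",
       "sequences": [{"base_action": "accept", "id": 0, "name": "S1", "type": "service_chaining",
                      "actions": {"service": {"type": "fw", "vpn": 70000}}},
                     {"base_action": "accept", "id": 12, "name": "S2", "type": "service_chaining"}]}
```

`lint_traffic_data(GOOD)` returns an empty list, while `lint_traffic_data(BAD)` returns five findings, including the sequence that is typed `service_chaining` but would forward traffic without any service insertion.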