Service Chaining Definition define the matching conditions and Actions to configure Service Chaining. Example usage is traffic between branch sides is force via FW that is connected to hub or regional firewall. It requires that service chaining is defined in respective VPN template for device that connect to external entity (firewall or IDS).
Diagram Classes data_policy (sdwan.centralized_policies.definitions) Name Type Constraint Mandatory Default Value traffic_data List [traffic_data]No
traffic_data (sdwan.centralized_policies.definitions.data_policy) Name Type Constraint Mandatory Default Value name String Regex: ^[A-Za-z0-9\-_]{1,127}$ Yes description String Yes default_action_type Choice accept, dropYes sequences List [sequences]No
sequences (sdwan.centralized_policies.definitions.data_policy.traffic_data) Name Type Constraint Mandatory Default Value base_action Choice accept, dropYes id Integer min: 1, max: 65534 Yes name String Yes ip_type Choice ipv4, ipv6, allNo ipv4type Choice custom, service_chaining, qos, application_firewall, traffic_engineeringNo custommatch_criterias Class [match_criterias]No actions Class [actions]No
match_criterias (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences) Name Type Constraint Mandatory Default Value application_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No dns_application_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No dns Choice request, responseNo dscp Integer min: 0, max: 63 No packet_length Integer min: 0, max: 65535 No plp Choice low, highNo protocols List Integer[min: 0, max: 255] No source_data_prefix_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No source_data_prefix String No source_ports List Integer[min: 0, max: 65535] No source_port_ranges List [source_port_ranges]No destination_data_prefix_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No destination_data_prefix String No destination_ports List Integer[min: 0, max: 65535] No destination_port_ranges List [destination_port_ranges]No tcp Choice synNo traffic_to Choice access, core, serviceNo destination_region Choice primary-region, secondary-region, other-regionNo
actions (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences) Name Type Constraint Mandatory Default Value counter_name String Regex: ^[A-Za-z0-9\-_]{1,20}$ No log Boolean true, falseNo cflowd Boolean true, falseNo sig Class [sig]No redirect_dns Class [redirect_dns]No loss_correction Class [loss_correction]No nat_pool Integer min: 1, max: 31 No nat_vpn Class [nat_vpn]No appqoe_optimization Class [appqoe_optimization]No dscp Integer min: 0, max: 63 No forwarding_class String min: 1, max: 32 No local_tloc_list Class [local_tloc_list]No next_hop Class [next_hop]No preferred_color_group String Regex: ^[A-Za-z0-9\-_]{1,32}$ No policer_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No service Class [service]No tloc Class [tloc]No tloc_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No vpn Integer min: 0, max: 65530 No
source_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias) Name Type Constraint Mandatory Default Value from Integer min: 0, max: 65535 Yes to Integer min: 0, max: 65535 Yes
destination_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias) Name Type Constraint Mandatory Default Value from Integer min: 0, max: 65535 Yes to Integer min: 0, max: 65535 Yes
sig (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value enabled Boolean true, falseYes fallback_to_routing Boolean true, falseNo
redirect_dns (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value type Choice host, umbrella, ipAddressYes ip_address IP No
loss_correction (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value type Choice fecAdaptive, fecAlways, packetDuplicationYes loss_threshold_percentage Integer min: 1, max: 5 No
nat_vpn (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value vpn_id Integer min: 0, max: 65530 No nat_vpn_fallback Boolean true, falseNo
appqoe_optimization (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value tcp Boolean true, falseNo dre Boolean true, falseNo service_node_group String No
local_tloc_list (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value colors List Choice[default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6] Yes encaps List Choice[ipsec, gre] Yes restrict Boolean true, falseNo
next_hop (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value ip_address IP Yes when_next_hop_is_not_available Choice route_table_entryNo
service (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value type Choice appqoe, FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4, netsvc5Yes vpn Integer min: 0, max: 65530 No tloc Class [tloc]No tloc_list String Regex: ^[A-Za-z0-9\-_]{1,32}$ No local Boolean true, falseNo restrict Boolean true, falseNo
tloc (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions) Name Type Constraint Mandatory Default Value ip IP Yes color Choice default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6Yes encap Choice ipsec, greYes
Examples Example-1: A simple data policy that matches all traffic from VPN 20 and forces it via FW service insertion.
- name : NAC-DATA-POLICY-BRANCH-VPN20-v1
description : Data policy for branch VPN 20
default_action_type : accept
counter_name : ServiceInsertion
