The Service Chaining definition defines the matching conditions and actions used to configure service chaining. An example use is when traffic between branch sites is forced via a FW that is connected to a hub, or via a regional firewall. It requires that service chaining is defined in the respective VPN template for the device that connects to the external entity (firewall or IDS).

Diagram

Classes

data_policy (sdwan.centralized_policies.definitions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| traffic_data | List | [traffic_data] | No | |

traffic_data (sdwan.centralized_policies.definitions.data_policy)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[A-Za-z0-9\-_]{1,127}$` | Yes | |
| description | String | | Yes | |
| default_action_type | Choice | accept, drop | Yes | |
| sequences | List | [sequences] | No | |

sequences (sdwan.centralized_policies.definitions.data_policy.traffic_data)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| base_action | Choice | accept, drop | Yes | |
| id | Integer | min: 1, max: 65534 | Yes | |
| name | String | | Yes | |
| ip_type | Choice | ipv4, ipv6, all | No | ipv4 |
| type | Choice | custom, service_chaining, qos, application_firewall, traffic_engineering | No | custom |
| match_criterias | Class | [match_criterias] | No | |
| actions | Class | [actions] | No | |

match_criterias (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| application_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| dns_application_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| dns | Choice | request, response | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| plp | Choice | low, high | No | |
| protocols | List | Integer[min: 0, max: 255] | No | |
| source_data_prefix_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| source_data_prefix | String | | No | |
| source_ports | List | Integer[min: 0, max: 65535] | No | |
| source_port_ranges | List | [source_port_ranges] | No | |
| destination_data_prefix_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| destination_data_prefix | String | | No | |
| destination_ports | List | Integer[min: 0, max: 65535] | No | |
| destination_port_ranges | List | [destination_port_ranges] | No | |
| tcp | Choice | syn | No | |
| traffic_to | Choice | access, core, service | No | |
| destination_region | Choice | primary-region, secondary-region, other-region | No | |

actions (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| counter_name | String | Regex: `^[A-Za-z0-9\-_]{1,20}$` | No | |
| log | Boolean | true, false | No | |
| cflowd | Boolean | true, false | No | |
| sig | Class | [sig] | No | |
| redirect_dns | Class | [redirect_dns] | No | |
| loss_correction | Class | [loss_correction] | No | |
| nat_pool | Integer | min: 1, max: 31 | No | |
| nat_vpn | Class | [nat_vpn] | No | |
| appqoe_optimization | Class | [appqoe_optimization] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| forwarding_class | String | min: 1, max: 32 | No | |
| local_tloc_list | Class | [local_tloc_list] | No | |
| next_hop | Class | [next_hop] | No | |
| preferred_color_group | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| policer_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| service | Class | [service] | No | |
| tloc | Class | [tloc] | No | |
| tloc_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| vpn | Integer | min: 0, max: 65530 | No | |

source_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |

destination_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 0, max: 65535 | Yes | |
| to | Integer | min: 0, max: 65535 | Yes | |

sig (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enabled | Boolean | true, false | Yes | |
| fallback_to_routing | Boolean | true, false | No | |

redirect_dns (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | host, umbrella, ipAddress | Yes | |
| ip_address | IP | | No | |

loss_correction (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | fecAdaptive, fecAlways, packetDuplication | Yes | |
| loss_threshold_percentage | Integer | min: 1, max: 5 | No | |

nat_vpn (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_id | Integer | min: 0, max: 65530 | No | |
| nat_vpn_fallback | Boolean | true, false | No | |

appqoe_optimization (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| tcp | Boolean | true, false | No | |
| dre | Boolean | true, false | No | |
| service_node_group | String | | No | |

local_tloc_list (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| colors | List | Choice[default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6] | Yes | |
| encaps | List | Choice[ipsec, gre] | Yes | |
| restrict | Boolean | true, false | No | |

next_hop (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip_address | IP | | Yes | |
| when_next_hop_is_not_available | Choice | route_table_entry | No | |

service (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| type | Choice | appqoe, FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4, netsvc5 | Yes | |
| vpn | Integer | min: 0, max: 65530 | No | |
| tloc | Class | [tloc] | No | |
| tloc_list | String | Regex: `^[A-Za-z0-9\-_]{1,32}$` | No | |
| local | Boolean | true, false | No | |
| restrict | Boolean | true, false | No | |

tloc (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | | Yes | |
| color | Choice | default, mpls, metro-ethernet, biz-internet, public-internet, lte, 3g, red, green, blue, gold, silver, bronze, custom1, custom2, custom3, private1, private2, private3, private4, private5, private6 | Yes | |
| encap | Choice | ipsec, gre | Yes | |

Examples

Example-1: A simple data policy that matches all traffic from VPN 20 and forces it via FW service insertion.
- name : NAC-DATA-POLICY-BRANCH-VPN20-v1
description : Data policy for branch VPN 20
default_action_type : accept
counter_name : ServiceInsertion
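
A fully nested form of such a policy, added here as an illustration and not taken from the original page or the project: the key hierarchy follows the class paths in the tables above, and the policy name, description, default action and counter name are the ones shown in Example-1. The sequence id and name, the match prefix, the service VPN and the `restrict` setting are assumptions.

```yaml
# Added example. Values marked "assumed" do not come from the original page.
sdwan:
  centralized_policies:
    definitions:
      data_policy:
        traffic_data:
          - name: NAC-DATA-POLICY-BRANCH-VPN20-v1
            description: Data policy for branch VPN 20
            # Traffic that no sequence matches is forwarded without inspection.
            default_action_type: accept
            sequences:
              - id: 1                        # assumed; allowed range 1-65534
                name: FORCE-VIA-FW           # assumed
                base_action: accept
                ip_type: ipv4
                type: service_chaining
                match_criterias:
                  # assumed: explicit match on every IPv4 source. This class
                  # has no VPN field, so the binding to VPN 20 is made where
                  # the policy is applied, outside this definition.
                  source_data_prefix: 0.0.0.0/0
                actions:
                  counter_name: ServiceInsertion   # lets you verify hits per sequence
                  service:
                    type: FW
                    vpn: 20                  # assumed: VPN in which the FW service is defined
                    # assumed setting: on Cisco SD-WAN, restrict drops matching
                    # traffic when the service is unreachable instead of letting
                    # it be routed past the firewall.
                    restrict: true
```

With `default_action_type: accept`, any traffic that falls outside the sequence bypasses the firewall, so the match criteria determine how much traffic is actually inspected.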