
uCPE[3]- Understanding Service Chaining Order

Parbhat Kapoor

parbhat@versa-networks.com

1 © 2017 Versa and/or its affiliates. All rights reserved. Versa Networks Confidential
Purpose/Audience:

1. This document sheds light on the service chaining order on a uCPE by showing how inbound and outbound traffic flows through the Versa FlexVNF and a third-party firewall (here a Palo Alto VM), and therefore which firewall's access policy is evaluated first.

Service Chaining Simple Analogy:

(Diagram-only slides in the original; no text content.)
Scenario 1: Traffic originating from Remote SDWAN/Internet towards LAN (WAN to LAN)

1. Setup info: Both FlexVNF and the Palo Alto have security policies to allow or deny the respective traffic.

2. We start with the traffic allowed on both the FlexVNF and the Palo Alto firewall, then deny it first on FlexVNF and then on the Palo Alto, and observe which service node group (SNG) rule is matched first.

3. GOAL of this exercise: understand the service chaining order when traffic originates from the Internet or a remote SD-WAN branch.

Scenario 1a:

In the next slide you will observe the path a packet takes from WAN towards LAN. No traffic is blocked by the FlexVNF or Palo Alto NGFW access policies.

[Diagram: Scenario 1a, traffic originating from Remote SDWAN/Internet towards LAN, NO BLOCKING]
  Sources: Remote SDWAN branch server 10.0.8.5 and Internet host 8.8.8.8, reached over MPLS/INTERNET; WAN IP: 192.168.2.1/24.
  Versa FlexVNF Firewall: vni0/0.0 in Internet-Transport-VR (DIA traffic path); SD-WAN tunnels tvi0/602.0 (W-ST-Marriott-LAN-VR-PK-INET)
    and tvi0/603.0 (L-ST-Marriott-LAN-VR-PK-INET), tvi0/11.0, dtvi-0/41; Marriott-Control-VR (MP-BGP/tunnels); mpls-vpn-core-instance.
  VRF Marriott-LAN-VR:
    vni-0/303.0 172.16.20.1 <-> Palo Alto VM Untrust 172.16.20.2
    vni-0/302.0 172.16.10.1 <-> Palo Alto VM Trust   172.16.10.2
    vni0/1.0 LAN 172.16.191.1/24, LAN host 172.16.191.2
  SDWAN/Internet originated traffic: WAN -> FlexVNF -> Palo Alto (Untrust to Trust) -> FlexVNF -> LAN; return traffic follows the reverse path.

admin@Marriot-Branch2-AWS-cli> traceroute 172.16.191.2 routing-instance Marriott-LAN-VR
traceroute to 172.16.191.2 (172.16.191.2), 30 hops max, 60 byte packets
 1  * * *
 2  172.16.20.2   141.519 ms  141.501 ms  141.477 ms   [Palo Alto Untrust]
 3  172.16.191.1  141.437 ms  141.437 ms  141.437 ms   [FlexVNF LAN interface]
 4  172.16.191.2  147.007 ms  189.745 ms  189.716 ms   [LAN host]
[ok][2019-02-09 10:48:53]
admin@Marriot-Branch2-AWS-cli>
Scenario 1b: Traffic originating from Remote SDWAN/Internet towards LAN and being blocked by FlexVNF NGFW policies:

1. In this scenario the FlexVNF NGFW is configured to deny any traffic arriving from the remote SD-WAN branch or the Internet (the rule matches on the source zones ptvi and L-ST-Marriott-LAN-VR-PK-INET):

admin@PA-uCPE-Marriott-cli> show configuration orgs org-services Marriott security access-policies rules Allow_From_Remote
Default-Policy {
    rules {
        Allow_From_Remote {
            match {
                source {
                    zone {
                        zone-list [ ptvi L-ST-Marriott-LAN-VR-PK-INET ];
                    }
                    user {
                        user-type any;
                    }
                }
                .....
            set {
                action deny;
                .....

2. The next (animation) slide shows that the FlexVNF security policy is matched after the Palo Alto policy. In the service chain below, the Palo Alto service node group (Marriott-uCPE-PA-ToLAN-SNG) is listed before FlexVNF's own default-sng, so the Palo Alto access policy is evaluated first: the Palo Alto passes the traffic and hands it back to FlexVNF, and the FlexVNF access policy then drops it. The traceroute therefore still shows the Palo Alto hop before the timeouts start.

admin@PA-uCPE-Marriott-cli> show configuration orgs org Marriott service-chains
SC-Marriott-uCPE-PA-ToLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-ToLAN-SNG;
    service-node-group default-sng;
}
[ok][2019-02-09 12:10:14]
admin@PA-uCPE-Marriott-cli>

[Diagram: Scenario 1b, traffic originating from Remote SDWAN/Internet towards LAN, FlexVNF BLOCKING the traffic. Same topology as the Scenario 1a diagram: Internet originated traffic enters FlexVNF, is steered to the Palo Alto (vni-0/303.0 172.16.20.1 -> Untrust 172.16.20.2), returns from Trust 172.16.10.2 on vni-0/302.0 and is dropped by FlexVNF before reaching LAN 172.16.191.1/24.]


admin@Marriot-Branch2-AWS-cli> traceroute 172.16.191.2 routing-instance Marriott-LAN-VR
traceroute to 172.16.191.2 (172.16.191.2), 30 hops max, 60 byte packets
 1  * * *
 2  172.16.20.2  92.737 ms  98.234 ms  92.698 ms   [Palo Alto Untrust]
 3  * * *   [FlexVNF blocking the traffic]
 4  * * *
 5  * * *
 6  * * *

Scenario 1c: Traffic originating from Remote SDWAN/Internet towards LAN and being blocked by Palo Alto FW policies:

1. In this scenario the Palo Alto is configured to deny any packet arriving on its UNTRUST (WAN-facing) interface:

set rulebase security rules wan-to-mariott-lan from UNTRUST
set rulebase security rules wan-to-mariott-lan to any
set rulebase security rules wan-to-mariott-lan source any
set rulebase security rules wan-to-mariott-lan destination any
set rulebase security rules wan-to-mariott-lan service any
set rulebase security rules wan-to-mariott-lan application any
set rulebase security rules wan-to-mariott-lan action deny
set rulebase security rules wan-to-mariott-lan log-start yes
set rulebase security rules wan-to-mariott-lan log-end yes

2. The next (animation) slide shows that the Palo Alto drops any traffic hitting its UNTRUST interface, so FlexVNF never receives the packets back on the Trust side. This is proved with tcpdump on the two FlexVNF interfaces facing the Palo Alto: vni-0/303 (towards Untrust) shows the packets being handed over, while vni-0/302 (from Trust) shows nothing coming back.

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/303 filter "host 10.0.8.5"    -- packets hitting the Palo Alto UNTRUST interface
Starting capture on vni-0/303
..
12:14:51.853715 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 48, length 64
12:14:52.853712 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 49, length 64
12:14:53.853716 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 50, length 64
12:14:54.853717 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 51, length 64
......
^C
7 packets captured
.....

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/302 filter "host 10.0.8.5"    -- no packet forwarded by the Palo Alto towards FlexVNF interface vni-0/302
Starting capture on vni-0/302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
..

[Diagram: Scenario 1c, traffic originating from Remote SDWAN/Internet towards LAN, Palo Alto BLOCKING the traffic. Same topology as the Scenario 1a diagram: Internet originated traffic from 10.0.8.5 enters FlexVNF and is steered to the Palo Alto Untrust interface 172.16.20.2 via vni-0/303.0, where it is denied; nothing comes back on vni-0/302.0 and nothing reaches LAN 172.16.191.1/24.]

admin@Marriot-Branch2-AWS-cli> traceroute 172.16.191.2 routing-instance Marriott-LAN-VR
traceroute to 172.16.191.2 (172.16.191.2), 30 hops max, 60 byte packets
 1  * * *
 2  * * *   [compare 1a/1b: the Palo Alto hop 172.16.20.2 no longer answers]
 3  * * *
 4  * * *
 5  * * *

Scenario 2: Traffic originating from LAN towards Remote SDWAN/Internet (LAN to WAN)

1. Setup info: Both FlexVNF and the Palo Alto have security policies to allow or deny the respective traffic.

2. We start with the traffic allowed on both the FlexVNF and the Palo Alto firewall, then deny it first on FlexVNF and then on the Palo Alto, and observe which service node group (SNG) rule is matched first.

3. GOAL of this exercise: understand the service chaining order when traffic originates from the LAN towards a remote branch or the Internet.

Scenario 2a:

In the next slide you will observe the path a packet takes from LAN towards WAN. No traffic is blocked by the FlexVNF or Palo Alto NGFW access policies.

Scenario 2a : Traffic originating from LAN to WAN and NO BLOCKING!

C:\Users\Parbhat Kapoor>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     1 ms    <1 ms    <1 ms  172.16.10.2   [PALO ALTO Trust]
  3     1 ms    <1 ms    <1 ms  172.16.191.1  [FLEX VNF]
  4     2 ms     2 ms     2 ms  192.168.2.1
  5     5 ms     4 ms     3 ms  10.0.0.1
  ..
  7    15 ms    20 ms    13 ms  po-103-rur02.warrenton.va.richmond.comcast.net [68.85.70.141]
  ..
 16    19 ms    22 ms    16 ms  google-public-dns-a.google.com [8.8.8.8]

[Diagram: Scenario 2a, LAN to WAN, no blocking. Same topology as the Scenario 1a diagram: the LAN host 172.16.191.2 sends to 8.8.8.8 (SERVER on MPLS/INTERNET); FlexVNF steers the flow to the Palo Alto Trust interface 172.16.10.2 via vni-0/302.0, receives it back from Untrust 172.16.20.2 on vni-0/303.0 and forwards it out vni0/0.0 (Internet-Transport-VR, DIA traffic path, WAN IP 192.168.2.1/24); return traffic follows the reverse path.]

Scenario 2b: Traffic originating from LAN towards Internet being blocked by FlexVNF NGFW policies:

1. In this scenario the FlexVNF NGFW is configured to deny any traffic coming from the LAN towards the Internet or SD-WAN branch (the rule matches on the source zones Intf-marriott-lan-segment-Zone and W-ST-Marriott-LAN-VR-PK-INET):

admin@PA-uCPE-Marriott-cli> show configuration orgs org-services Marriott security access-policies rules
Default-Policy {
    rules {
        Allow_From_Trust {
            match {
                source {
                    zone {
                        zone-list [ Intf-marriott-lan-segment-Zone W-ST-Marriott-LAN-VR-PK-INET ];
                    }
                    user {
                        user-type any;
                    }
                }
            }
            set {
                action deny;

2. The next (animation) slide shows that the FlexVNF security policy is matched after the Palo Alto policy. In the service chain below, the Palo Alto service node group (Marriott-uCPE-PA-FromLAN-SNG) is listed before FlexVNF's own default-sng, so the Palo Alto access policy is evaluated first: the Palo Alto passes the traffic and hands it back to FlexVNF, and the FlexVNF access policy then drops it.

admin@PA-uCPE-Marriott-cli> show configuration orgs org Marriott service-chains
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
    service-node-group default-sng;
}
[ok][2019-02-09 12:10:14]
admin@PA-uCPE-Marriott-cli>

Scenario 2b : Traffic originating from LAN towards Remote SDWAN/Internet and FlexVNF BLOCKING the traffic

C:\Parbhat Kapoor>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     1 ms    <1 ms    <1 ms  172.16.10.2   [Palo Alto Trust]
  3     *        *        *     Request timed out.   [FlexVNF blocking the traffic]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

[Diagram: Scenario 2b, LAN to WAN, FlexVNF BLOCKING the traffic. Same topology as the Scenario 1a diagram: the LAN host 172.16.191.2 sends to 8.8.8.8 (SERVER on the INTERNET); FlexVNF steers the flow to the Palo Alto Trust interface 172.16.10.2 via vni-0/302.0, receives it back from Untrust 172.16.20.2 on vni-0/303.0 and then drops it, so nothing leaves vni0/0.0 (Internet-Transport-VR, DIA traffic path).]

Scenario 2b (continued): Traffic originating from LAN towards Remote SDWAN/Internet and FlexVNF BLOCKING the traffic

The tcpdump output below, taken on the uCPE, shows the LAN host's traffic being handed to the Palo Alto on vni-0/302 (Trust side) and returned by the Palo Alto on vni-0/303 (Untrust side), so the Palo Alto received and forwarded it. The FlexVNF session table that follows shows all 54 forward packets of the ICMP flow to 8.8.8.8 counted as drops, with Drop_module: policy, i.e. the flow is blocked by the FlexVNF access policy after it has passed through the Palo Alto.

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/302 filter "host 8.8.8.8"
Starting capture on vni-0/302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
12:46:50.297704 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 297, length 40
12:46:55.297703 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 298, length 40
12:47:00.301704 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 299, length 40
^C
3 packets captured

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/303 filter "host 8.8.8.8"
Starting capture on vni-0/303
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_303, link-type EN10MB (Ethernet), capture size 262144 bytes
12:47:10.301708 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 301, length 40
12:47:15.301710 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 302, length 40
12:47:20.297708 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 303, length 40
^C
3 packets captured

vsm-vcsn0> show vsf session all brief
Handle     TNT WT Proto SIP           DIP            SPort DPort -->Pkts <--Pkts -->Drops <--Drops
---------- --- -- ----- ------------- -------------- ----- ----- ------- ------- -------- --------
0x200623a  2   5  6     172.16.191.2  52.114.142.22  59585 443   402     206     0        0
0x200735e  2   1  1     172.16.191.2  8.8.8.8        1     1     54      0       54       0

##Session Pkt Sink Forw:[Y] Reverse:[Y] Drop_module: policy
##Session Err Resp Forw:[N] Reverse:[N] Drop_module: NA
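The check used in Scenarios 1c and 2b (capture on both FlexVNF interfaces that bracket the Palo Alto, then read the FlexVNF session table) can be turned into a small script. The Python below is an added example, not part of the original deck or any Versa tool: it parses tcpdump text in the form the FlexVNF CLI prints, parses the "show vsf session all brief" table, and reports which node of the chain stopped a flow. The interface-to-direction mapping (vni-0/303 faces Untrust, vni-0/302 faces Trust) is taken from the topology diagram; the embedded capture and session lines are copied from the slides above; the function names and verdict strings are this example's own assumptions.

```python
"""Locate where a flow dies in a FlexVNF -> Palo Alto -> FlexVNF service chain.

Added example (not from the Versa deck). Inputs are tcpdump text as printed by the
FlexVNF CLI and the 'show vsf session all brief' table. Sample data below is copied
from the slides; function names and verdict strings are this example's own choice.
"""
import re

# One IPv4 frame as printed by 'tcpdump <intf> filter "..."' on the FlexVNF CLI.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<sip>[\d.]+) > (?P<dip>[\d.]+): (?P<rest>.*)$"
)

# (interface that hands the flow to the Palo Alto, interface where it comes back), per direction.
# Assumption from the diagram: vni-0/303 faces the PA Untrust side, vni-0/302 faces Trust.
PA_LINKS = {
    "wan-to-lan": ("vni-0/303", "vni-0/302"),
    "lan-to-wan": ("vni-0/302", "vni-0/303"),
}


def parse_tcpdump(text):
    """Return (src_ip, dst_ip) per IPv4 frame; banner, '^C' and summary lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["sip"], m["dip"]))
    return frames


def count_flow(frames, sip, dip):
    """Number of frames belonging to the forward direction of one flow."""
    return sum(1 for s, d in frames if (s, d) == (sip, dip))


def parse_sessions(text):
    """Parse 'show vsf session all brief' into {(sip, dip): counters}; header/separator lines are skipped."""
    sessions = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[0].startswith("0x"):
            sessions[(f[4], f[5])] = {
                "fwd_pkts": int(f[8]), "rev_pkts": int(f[9]),
                "fwd_drops": int(f[10]), "rev_drops": int(f[11]),
            }
    return sessions


def locate_drop(sip, dip, direction, captures, sessions):
    """captures: {interface name: tcpdump text}. Returns a verdict string for the flow sip -> dip."""
    to_pa, from_pa = PA_LINKS[direction]
    n_to_pa = count_flow(parse_tcpdump(captures.get(to_pa, "")), sip, dip)
    n_from_pa = count_flow(parse_tcpdump(captures.get(from_pa, "")), sip, dip)
    if n_to_pa == 0:
        return "not-steered-to-palo-alto"      # never reached the PA link: check steering / service chain
    if n_from_pa == 0:
        return "dropped-by-palo-alto"          # went in one PA interface, never came out the other
    sess = sessions.get((sip, dip))
    if sess is None:
        return "forwarded-by-palo-alto-no-session-info"
    if sess["fwd_drops"] >= sess["fwd_pkts"] > 0:
        return "dropped-by-flexvnf-policy"     # PA passed it; FlexVNF (default-sng) dropped every forward packet
    return "forwarded"


# Constructed from the Scenario 1c slide: requests seen towards PA Untrust, nothing back on the Trust side.
CAP_1C = {
    "vni-0/303": """Starting capture on vni-0/303
12:14:51.853715 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 48, length 64
12:14:52.853712 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 49, length 64
^C
2 packets captured
""",
    "vni-0/302": """Starting capture on vni-0/302
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
""",
}

# Constructed from the Scenario 2b slides: flow seen on both PA links, session table shows all 54 forward packets dropped.
CAP_2B = {
    "vni-0/302": "12:46:50.297704 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 297, length 40\n",
    "vni-0/303": "12:47:10.301708 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 301, length 40\n",
}
SESSIONS_2B = """Handle TNT WT Proto SIP DIP SPort DPort -->Pkts <--Pkts -->Drops <--Drops
0x200623a 2 5 6 172.16.191.2 52.114.142.22 59585 443 402 206 0 0
0x200735e 2 1 1 172.16.191.2 8.8.8.8 1 1 54 0 54 0
"""

if __name__ == "__main__":
    print("1c:", locate_drop("10.0.8.5", "172.16.191.2", "wan-to-lan", CAP_1C, {}))
    print("2b:", locate_drop("172.16.191.2", "8.8.8.8", "lan-to-wan", CAP_2B, parse_sessions(SESSIONS_2B)))
```

The order of the two interfaces is the whole point: for WAN-to-LAN the flow reaches the Palo Alto on vni-0/303 and must reappear on vni-0/302, for LAN-to-WAN the reverse. A flow that shows up on both links but has every forward packet counted under -->Drops in the FlexVNF session table was passed by the Palo Alto and killed by FlexVNF's own policy, which is exactly what the SNG order in the service chain predicts.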

Thank You