Parbhat Kapoor
parbhat@versa-networks.com
1 © 2017 Versa and/or its affiliates. All rights reserved. Versa Networks Confidential
Purpose/Audience:
1. This document sheds light on the Service Chaining order by showing how inbound and outbound traffic flows via FlexVNF and a 3rd-party firewall (Palo Alto).
Service Chaining Simple Analogy:
Scenario 1: Traffic originating from Remote SDWAN/Internet towards LAN (WAN to LAN)
1. Setup info: Both FlexVNF and Palo Alto have security policies to allow/deny the respective traffic.
2. Initially we allow the traffic on both the FlexVNF and Palo Alto firewalls; then we deny it first in FlexVNF and then in the Palo Alto FW, and observe which SNG rule is matched first.
3. GOAL of this exercise is to understand the Service Chaining order when traffic originates from the Internet/Remote SDWAN branch.
Scenario 1a:
In the next slide you will observe the path a packet takes from WAN towards LAN. No traffic is blocked by the FlexVNF/Palo Alto NGFW access policies.
[Diagram: Scenario 1a - Traffic originating from Remote SDWAN/Internet towards LAN and NO BLOCKING! Labels on the topology: MPLS/INTERNET, 8.8.8.8 Server, 10.0.8.5, Remote SDWAN Branch (WAN IP: 192.168.2.1/24); Vni0/0.0, Internet-Transport-VR, SDWAN/Internet originated traffic, Return traffic; tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET; Versa FlexVNF Firewall; tvi0/11.0, DIA TRAFFIC PATH, Marriott-Control-VR/MP-BGP/Tunnels, mpls-vpn-core-instance; tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET; Palo Alto VM, 172.16.20.2 Untrust; VRF: Marriott-LAN-VR, Vni-0/303.0 172.16.20.1.]
Scenario 1b: Traffic originating from Remote SDWAN/Internet towards LAN and being blocked by FlexVNF NGFW policies:
1. In this scenario we configured our FlexVNF NGFW to block any traffic originating from the Remote SDWAN branch/Internet. Note that the rule keeps the name Allow_From_Remote while its action is deny, and that its source zone is L-ST-Marriott-LAN-VR-PK-INET, the LAN-side service-tunnel zone in the topology above:
admin@PA-uCPE-Marriott-cli> show configuration orgs org-services Marriott security access-policies rules Allow_From_Remote
Default-Policy {
    rules {
        Allow_From_Remote {
            match {
                source {
                    zone {
                        zone-list [ ptvi L-ST-Marriott-LAN-VR-PK-INET];
                    }
                    user {
                        user-type any;
                    }
                }
                …..
            set {
                action deny;
                …..
2. In the next animation slide it will be clear that the FlexVNF security policies are matched after the Palo Alto FW policies. Palo Alto comes before FlexVNF's default SNG rule in the Service Chaining order, hence its access policies are matched before the FlexVNF access policies. Traffic passes through Palo Alto and is ultimately dropped by the FlexVNF access policies.
[Diagram: Scenario 1b - Traffic originating from Remote SDWAN/Internet towards LAN and FlexVNF BLOCKING the traffic. Labels on the topology: MPLS/INTERNET, 8.8.8.8 Server, 10.0.8.5, Remote SDWAN Branch (WAN IP: 192.168.2.1/24); Vni0/0.0, Internet-Transport-VR, Internet originated traffic; tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET; Versa FlexVNF Firewall; tvi0/11.0, DIA TRAFFIC PATH, Marriott-Control-VR/MP-BGP/Tunnels, mpls-vpn-core-instance; tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET; Palo Alto VM, 172.16.20.2 Untrust; VRF: Marriott-LAN-VR, Vni-0/303.0 172.16.20.1.]
Scenario 1c: Traffic originating from Remote SDWAN/Internet towards LAN and being blocked by Palo Alto FW policies:
1. In this scenario, we configured Palo Alto to reject any packets hitting its UNTRUST/WAN interface.
2. In the next animation slide it will be clear that Palo Alto rejects any traffic hitting its UNTRUST interface and the FlexVNF FW does not receive any packet on the far side (shown by the tcpdump taken on the vni-0/302 and vni-0/303 interfaces). The filter host is the WAN-side source 10.0.8.5; the destination 172.16.191.2 is the LAN host.
Packets hitting the Palo Alto UNTRUST interface (FlexVNF vni-0/303):
admin@PA-uCPE-Marriott-cli> tcpdump vni-0/303 filter "host 10.0.8.5"
Starting capture on vni-0/303
..
12:14:51.853715 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 48, length 64
12:14:52.853712 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 49, length 64
12:14:53.853716 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 50, length 64
12:14:54.853717 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 51, length 64
……
^C
7 packets captured
…..
No packet forwarded by Palo Alto towards the FlexVNF vni-0/302 interface:
admin@PA-uCPE-Marriott-cli> tcpdump vni-0/302 filter "host 10.0.8.5"
Starting capture on vni-0/302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
..
[Diagram: Scenario 1c - Traffic originating from Remote SDWAN/Internet towards LAN and Palo Alto BLOCKING the traffic. Labels on the topology: MPLS/INTERNET, 10.0.8.5, Remote SDWAN Branch, 8.8.8.8 Server (WAN IP: 192.168.2.1/24); Vni0/0.0, Internet-Transport-VR, Internet originated traffic; tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET; Versa FlexVNF Firewall; tvi0/11.0, DIA TRAFFIC PATH, Marriott-Control-VR/MP-BGP/Tunnels, mpls-vpn-core-instance; tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET; Palo Alto VM, 172.16.20.2 Untrust; VRF: Marriott-LAN-VR, Vni-0/303.0 172.16.20.1.]
Scenario 2: Traffic originating from LAN towards Remote SDWAN/Internet (LAN to WAN)
1. Setup info: Both FlexVNF and Palo Alto have security policies to allow/deny the respective traffic.
2. Initially we allow the traffic on both the FlexVNF and Palo Alto firewalls; then we deny it first in FlexVNF and then in the Palo Alto FW, and observe which SNG rule is matched first.
3. GOAL of this exercise is to understand the Service Chaining order when traffic originates from the LAN towards the Remote branch/Internet.
Scenario 2a:
In the next slide you will observe the path a packet takes from LAN towards WAN. No traffic is blocked by the FlexVNF/Palo Alto NGFW access policies.
[Diagram: Scenario 2a - Traffic originating from LAN to WAN and NO BLOCKING! Labels on the topology: 8.8.8.8 SERVER, MPLS/INTERNET; Palo Alto VM; VRF: Marriott-LAN-VR; 172.16.20.2 Untrust; Vni-0/303.0 172.16.20.1; LAN host 172.16.191.2/24.]
Scenario 2b: Traffic originating from LAN towards Internet and being blocked by FlexVNF NGFW policies:
1. In this scenario we configured our FlexVNF NGFW to block any traffic coming from the LAN towards the Internet/SD-WAN branch:
2. In the next animation slide it will be clear that the FlexVNF security policies are matched after the Palo Alto FW policies. Palo Alto comes before FlexVNF's default SNG rule in the Service Chaining order, hence its access policies are matched before the FlexVNF access policies. Traffic passes through Palo Alto and is ultimately dropped by the FlexVNF access policies.
[ok][2019-02-09 12:10:14]
admin@PA-uCPE-Marriott-cli>
[Diagram: Scenario 2b - Traffic originating from LAN towards Remote SDWAN/Internet and FlexVNF BLOCKING the traffic. Shows a Windows LAN host (172.16.191.2/24) running "C:\Parbhat Kapoor>tracert 8.8.8.8"; tracert output not recovered from the slide. Other labels: 8.8.8.8 SERVER, INTERNET; Palo Alto VM; VRF: Marriott-LAN-VR; 172.16.20.2 Untrust; Vni-0/303.0 172.16.20.1.]
Scenario 2b: Traffic originating from LAN towards Remote SDWAN/Internet and FlexVNF BLOCKING the traffic
The tcpdump below, taken on the uCPE, shows that traffic from the LAN host is received and forwarded by Palo Alto over the vni-0/302 and vni-0/303 interfaces and is ultimately blocked by the FlexVNF policy.
[tcpdump output not recovered from the slide]
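The check used in scenarios 1c and 2b is the same in both directions: capture on the two FlexVNF interfaces that bracket the Palo Alto VM, filter on the host, and compare what enters the Palo Alto side with what leaves it. The script below automates that comparison. It is an added example, not part of this deck or of Versa's or Palo Alto's tooling. It assumes the interface roles from the lab topology (vni-0/303 at 172.16.20.1 faces the Palo Alto Untrust interface, vni-0/302 faces its Trust side) and the link-layer tcpdump record format printed by the Versa CLI in scenario 1c; the scenario 1c capture lines are copied from that slide, the scenario 2b lines are constructed.

```python
"""Locate where a service-chained flow is dropped from two tcpdump captures.

Added example (not from the Versa deck). Interface roles and the record
format are assumptions taken from the deck's topology and scenario 1c output.
"""
import re
from collections import Counter

# One tcpdump record with link-layer header, as the Versa CLI tcpdump prints it:
#   12:14:51.853715 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800),
#   length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 48, length 64
# TCP/UDP records carry a ".port" suffix on the addresses; it is captured separately.
_RECORD = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ \S+ > \S+, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<summary>.*)$"
)


def parse_capture(text):
    """Count packets per (src, dst) pair in one capture.

    Non-record lines ('Starting capture on ...', '^C', 'N packets captured',
    the '..' fillers shown on the slide) never match and are skipped.
    """
    counts = Counter()
    for line in text.splitlines():
        m = _RECORD.match(line.strip())
        if m:
            counts[(m["src"], m["dst"])] += 1
    return counts


# Assumed interface roles on this uCPE (from the deck's topology labels):
# vni-0/303 faces the Palo Alto Untrust side, vni-0/302 faces its Trust side.
PA_INGRESS_IF = {"wan-to-lan": "vni-0/303", "lan-to-wan": "vni-0/302"}
PA_EGRESS_IF = {"wan-to-lan": "vni-0/302", "lan-to-wan": "vni-0/303"}


def locate_drop(captures, src, dst, direction):
    """Say where the src->dst flow stops, given captures keyed by interface name.

    Returns one of:
      'never-reached-palo-alto' - nothing on the PA-ingress interface; the drop
                                  happened before the chain (WAN-side policy or routing)
      'dropped-by-palo-alto'    - seen entering PA, never seen leaving it (scenario 1c)
      'passed-palo-alto'        - seen on both sides, so any remaining drop is the
                                  FlexVNF post-chain access policy (scenarios 1b/2b)
      'inconsistent-captures'   - seen leaving PA but not entering: wrong interface
                                  roles or filter; re-check before concluding anything
    """
    ingress = parse_capture(captures.get(PA_INGRESS_IF[direction], ""))[(src, dst)]
    egress = parse_capture(captures.get(PA_EGRESS_IF[direction], ""))[(src, dst)]
    if ingress == 0 and egress == 0:
        return "never-reached-palo-alto"
    if ingress and not egress:
        return "dropped-by-palo-alto"
    if ingress and egress:
        return "passed-palo-alto"
    return "inconsistent-captures"


# Scenario 1c as shown on the slide: WAN host 10.0.8.5 pinging LAN host 172.16.191.2,
# packets on vni-0/303, nothing on vni-0/302.
SCENARIO_1C = {
    "vni-0/303": """Starting capture on vni-0/303
..
12:14:51.853715 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 48, length 64
12:14:52.853712 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 98: 10.0.8.5 > 172.16.191.2: ICMP echo request, id 62, seq 49, length 64
^C
7 packets captured
""",
    "vni-0/302": """Starting capture on vni-0/302
^C
0 packets captured
0 packets received by filter
""",
}

# Constructed lines (not from the deck) in the shape of scenario 2b: LAN host
# 172.16.191.2 pinging 8.8.8.8 is seen entering PA on vni-0/302 and leaving on vni-0/303.
SCENARIO_2B = {
    "vni-0/302": "12:20:01.000001 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 98: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64\n",
    "vni-0/303": "12:20:01.000200 52:54:00:d4:87:e4 > 56:48:4f:53:54:02, ethertype IPv4 (0x0800), length 98: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64\n",
}

if __name__ == "__main__":
    print(locate_drop(SCENARIO_1C, "10.0.8.5", "172.16.191.2", "wan-to-lan"))  # dropped-by-palo-alto
    print(locate_drop(SCENARIO_2B, "172.16.191.2", "8.8.8.8", "lan-to-wan"))   # passed-palo-alto
```

Direction matters: for WAN-to-LAN traffic the Palo Alto ingress is the Untrust-side interface (vni-0/303), for LAN-to-WAN it is the Trust side (vni-0/302). Swapping the roles turns a clean "dropped by Palo Alto" result into "inconsistent-captures", which is the signal to re-check the interface mapping rather than blame either firewall.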
Thank You