Parbhat Kapoor
parbhat@versa-networks.com
1 © 2017 Versa and/or its affiliates. All rights reserved. Versa Networks Confidential
Purpose/Audience:
1. This document is for Comcast usage only and is not meant to be shared elsewhere.
2. The bugs/PRs mentioned in this document are for reference/knowledge only; most likely they will be fixed in the 20.2 FRS release, so in future releases the manual tasks described here should no longer be needed.
3. This document is a continuation of the previously written topic uCPE[1]: How to provision it in 20.2; the workflow and other related information will not be duplicated here. This document highlights the service-chain configuration, its flaws, and how to work around them.
4. This document is specific to how DIA outbound Internet traffic goes via a 3rd party FW (in this case Palo Alto). It is not applicable to traffic originating from the Internet (a separate document will be written on SDWAN branch-to-branch communication over a 3rd party FW).
Versa BUG 36639: Order of Service Chains should be changed when DIA is enabled in uCPE deployment
Yes! As soon as you have deployed your first ever uCPE using the 20.1/20.2 beta release, you have hit this bug.
Impact posed by this bug: you won't be able to send any traffic from the LAN-VR!
You need to fix this issue manually by changing the SNG order in the FromLAN service-chain "SC-Marriott-uCPE-PA-FromLAN".
From this:
admin@PA-uCPE-Marriott-cli> show configuration orgs org Marriott service-chains
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group default-sng;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
}
SC-Marriott-uCPE-PA-ToLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-ToLAN-SNG;
    service-node-group default-sng;
}
To this:
Data traffic will start flowing after adjusting the SNG order:
[Diagram not captured in this extraction. Labels on the slide: INTERNET, Internet-Transport-VR, Return traffic, tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET, mpls-vpn-core-instance, tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET, Palo Alto VM, host 172.16.191.2/24; inset window "C:\Users\Parbhat Kapoor>tracert 8.8.8.8" ending with "Trace complete."]
Workflow-generated Service-Filter rule needs modification before traffic starts flowing over the 3rd party VNF
By default the rule given below only comes with the [ptvi] interface. With this default config, Internet-bound traffic takes the regular DIA traffic path without touching Palo Alto.
Workaround: add the "L-ST-Marriott-LAN-VR-PK-INET" interface to the destination zone-list in the rule given below:
From this:
admin@PA-uCPE-Marriott-cli> show configuration orgs org-services Marriott service-filters classifier rules FromLAN
default-classifier {
    rules {
        FromLAN {
            match {
                destination {
                    zone {
                        From this: zone-list [ ptvi ];
                        To this:   zone-list [ L-ST-Marriott-LAN-VR-PK-INET ptvi ];
                    }
                }
            }
            set {
                service-chain SC-Marriott-uCPE-PA-FromLAN;
            }
        }
    }
}
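Both manual fixes in this document (the SNG order in the service-chains, and the zone-list in the FromLAN service-filter rule) are easy to miss across a fleet of uCPEs, so here is an added check script. It is written for this document and is not part of Versa's software or the provisioning workflow. It parses the brace-style "show configuration" text from the slides (embedded below as sample text copied from this document), reports the SNG order per chain, and checks or patches the zone-list. The corrected SNG order is only shown as a slide image, so the order check compares against whatever expected order you pass in (that "expected_order" argument is an assumption of the script, not taken from the deck); the zone-list fix reproduces the workaround stated above.

```python
# Added example (not Versa's code): parse 'show configuration' brace text and
# check the two manual fixes this document describes.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample copied from this document: the workflow-generated service-chains.
SERVICE_CHAINS_SAMPLE = """\
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group default-sng;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
}
SC-Marriott-uCPE-PA-ToLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-ToLAN-SNG;
    service-node-group default-sng;
}
"""

# Sample copied from this document: the FromLAN rule as the workflow generates it.
SERVICE_FILTER_SAMPLE = """\
default-classifier {
    rules {
        FromLAN {
            match {
                destination {
                    zone {
                        zone-list [ ptvi ];
                    }
                }
            }
            set {
                service-chain SC-Marriott-uCPE-PA-FromLAN;
            }
        }
    }
}
"""

REQUIRED_ZONE = "L-ST-Marriott-LAN-VR-PK-INET"   # interface the workaround adds


@dataclass
class Node:
    key: str
    values: List[str] = field(default_factory=list)   # arguments of a leaf statement
    children: Optional[List["Node"]] = None           # None for a leaf, list for a block


def _tokenize(text: str) -> List[str]:
    # Braces, semicolons and brackets are tokens; everything else is a word.
    return re.findall(r"\{|\}|;|\[|\]|[^\s{};\[\]]+", text)


def _parse_block(tokens: List[str], pos: int):
    nodes = []
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while tokens[pos] not in ("{", ";"):
            words.append(tokens[pos])
            pos += 1
        if tokens[pos] == "{":
            children, pos = _parse_block(tokens, pos + 1)
            nodes.append(Node(" ".join(words), children=children))
        else:
            pos += 1
            nodes.append(Node(words[0], values=[w for w in words[1:] if w not in ("[", "]")]))
    return nodes, pos + 1          # skip the closing brace


def parse(text: str) -> List[Node]:
    return _parse_block(_tokenize(text), 0)[0]


def _find(nodes: List[Node], key: str) -> Optional[Node]:
    return next((n for n in nodes if n.key == key), None)


def sng_order(config_text: str) -> dict:
    """Map each service-chain name to its service-node-groups in configured order."""
    return {
        chain.key: [n.values[0] for n in chain.children if n.key == "service-node-group"]
        for chain in parse(config_text) if chain.children is not None
    }


def sng_order_ok(config_text: str, chain: str, expected_order: List[str]) -> bool:
    """True when the chain's SNG order equals expected_order (supplied by the caller;
    the deck shows the fixed order only as an image, so it is an assumption here)."""
    return sng_order(config_text).get(chain) == expected_order


def fromlan_zone_list(filter_text: str) -> List[str]:
    """Destination zone-list of the FromLAN rule, or [] when the path is missing."""
    nodes = parse(filter_text)
    for key in ("default-classifier", "rules", "FromLAN", "match", "destination", "zone"):
        node = _find(nodes, key)
        if node is None or node.children is None:
            return []
        nodes = node.children
    zl = _find(nodes, "zone-list")
    return zl.values if zl else []


def filter_steers_to_fw(filter_text: str, zone: str = REQUIRED_ZONE) -> bool:
    """The workaround condition: the LAN-VR-facing interface is in the zone-list."""
    return zone in fromlan_zone_list(filter_text)


def fix_zone_list(filter_text: str, zone: str = REQUIRED_ZONE) -> str:
    """Return the filter text with the interface prepended to each zone-list lacking it."""
    def patch(m):
        zones = m.group(1).split()
        if zone not in zones:
            zones.insert(0, zone)
        return "zone-list [ " + " ".join(zones) + " ]"
    return re.sub(r"zone-list \[([^\]]*)\]", patch, filter_text)


if __name__ == "__main__":
    print(sng_order(SERVICE_CHAINS_SAMPLE))
    print("zone-list:", fromlan_zone_list(SERVICE_FILTER_SAMPLE),
          "steers to FW:", filter_steers_to_fw(SERVICE_FILTER_SAMPLE))
    fixed = fix_zone_list(SERVICE_FILTER_SAMPLE)
    print("after fix:", fromlan_zone_list(fixed), "steers to FW:", filter_steers_to_fw(fixed))
```

Feed it the captured output of the two "show configuration" commands above; a uCPE whose FromLAN rule still reports "steers to FW: False" is one where Internet-bound traffic is taking the plain DIA path around the Palo Alto.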
Data traffic path BEFORE adding interface "L-ST-Marriott-LAN-VR-PK-INET" in the Service-Filter:
[Diagram not captured in this extraction. Labels on the slide: INTERNET, Internet-Transport-VR, Return traffic, tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET, mpls-vpn-core-instance, tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET, Palo Alto VM, host 172.16.191.2/24; inset tracert window ending with "Trace complete."]
Data traffic path AFTER adding interface "L-ST-Marriott-LAN-VR-PK-INET" in the Service-Filter "FromLAN" rule:
[Diagram not captured in this extraction. Labels on the slide: INTERNET, Internet-Transport-VR, Return traffic, tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET, mpls-vpn-core-instance, tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET, Palo Alto VM, host 172.16.191.2/24; inset window "C:\Users\Parbhat Kapoor>tracert 8.8.8.8" ending with "Trace complete."]
Verification method to confirm traffic is indeed traversing via Palo Alto
Verification method: TCPDUMP on the vni-0/302 & vni-0/303 interfaces
admin@PA-uCPE-Marriott-cli> tcpdump vni-0/302 filter "host 8.8.8.8"
Starting capture on vni-0/302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:40.867120 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3979, length 40
17:26:40.879114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3979, length 40
17:26:41.871114 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3980, length 40
17:26:41.887114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3980, length 40
17:26:42.879113 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3981, length 40
17:26:42.895113 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3981, length 40
^C
6 packets captured
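As an added example (not part of this deck and not a Versa tool), here is a small parser that turns the tcpdump output above into a verdict. It pairs ICMP echo requests and replies by (id, seq) for the host in the capture filter, so you can distinguish "both directions traverse the FW-facing interface" from "only the forward direction does", which is what an asymmetric return path would look like, and from "nothing seen at all", which is what the unmodified service-filter rule produces. The first capture sample is copied from the lines above; the second, request-only capture is constructed for the example.

```python
# Added example (not Versa's code): check a tcpdump capture from the FW-facing
# interface for ICMP traffic to the filtered host seen in both directions.
import re

# Sample copied from this document: the three request/reply pairs on vni-0/302.
CAPTURE_BOTH_WAYS = """\
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:40.867120 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3979, length 40
17:26:40.879114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3979, length 40
17:26:41.871114 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3980, length 40
17:26:41.887114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3980, length 40
17:26:42.879113 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3981, length 40
17:26:42.895113 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3981, length 40
6 packets captured
"""

# Constructed sample: a request with no reply on this interface (forward path only).
CAPTURE_FORWARD_ONLY = """\
17:30:00.000000 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 4000, length 40
"""

# One tcpdump line: timestamp, link-layer header, then "src > dst: ICMP echo <kind>, id N, seq N".
ICMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?length \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def verify_capture(capture_text: str, host: str, client: str) -> dict:
    """Pair echo requests (client -> host) with replies (host -> client) by (id, seq)."""
    requests, replies = {}, {}
    for line in capture_text.splitlines():
        m = ICMP_LINE.match(line)
        if not m:
            continue                    # banner, ^C, summary line or a non-ICMP packet
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request" and m["src"] == client and m["dst"] == host:
            requests[key] = m["ts"]
        elif m["kind"] == "reply" and m["src"] == host and m["dst"] == client:
            replies[key] = m["ts"]
    matched = sorted(k for k in requests if k in replies)
    unanswered = sorted(k for k in requests if k not in replies)
    if matched:
        verdict = "both-directions"     # flows to the host traverse this interface both ways
    elif requests:
        verdict = "forward-only"        # the return path is bypassing this interface
    else:
        verdict = "none"                # nothing for this host here: rule/chain not steering
    return {"requests": len(requests), "replies": len(replies),
            "matched": matched, "unanswered": unanswered, "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("both ways", CAPTURE_BOTH_WAYS), ("forward only", CAPTURE_FORWARD_ONLY)):
        print(name, verify_capture(cap, host="8.8.8.8", client="172.16.191.2"))
```

Run the same check on a capture from vni-0/303 (the other side of the Palo Alto) to confirm the packets leave the VNF as well as enter it; a "both-directions" verdict on one interface and "none" on the other points at the VNF rather than at the service chain.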
Verification method: lastly, you can always verify the logs on the 3rd party FW as well.
Thank You