
Versa: uCPE[2] - Integrating Service Chaining with DIA

Parbhat Kapoor

parbhat@versa-networks.com

© 2017 Versa and/or its affiliates. All rights reserved. Versa Networks Confidential
Purpose/Audience:

1. This document is for Comcast usage only and is not meant to be shared elsewhere.

2. The bugs/PRs mentioned in this document are for reference/knowledge only; most likely they will be fixed in the 20.2 FRS release, so in future releases the manual steps described here to work around them should no longer be needed.

3. This document is a continuation of the previously written topic "uCPE[1]: How to provision it in 20.2"; the workflow and other related information are therefore not duplicated here. This document highlights the service-chain configuration, its flaws, and how to work around them.

4. This document covers only how DIA outbound Internet traffic goes via a 3rd-party FW (in this case Palo Alto). It is not applicable to traffic originating from the Internet (a separate document will be written on SDWAN branch-to-branch communication over a 3rd-party FW).

Versa BUG 36639: Order of service chains should be changed when DIA is enabled in a uCPE deployment

Yes! As soon as you have deployed your first ever uCPE using the 20.1/20.2 beta release, you have hit this bug.

Impact of this bug: you won't be able to send any traffic from the LAN-VR!
You need to fix this manually by changing the SNG order in the FromLAN service chain "SC-Marriott-uCPE-PA-FromLAN":

From this:

admin@PA-uCPE-Marriott-cli> show configuration orgs org Marriott service-chains
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group default-sng;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
}
SC-Marriott-uCPE-PA-ToLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-ToLAN-SNG;
    service-node-group default-sng;
}

To this:

admin@PA-uCPE-Marriott-cli> show configuration orgs org Marriott service-chains
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
    service-node-group default-sng;
}
SC-Marriott-uCPE-PA-ToLAN {
    type internal;
    service-node-group Marriott-uCPE-PA-ToLAN-SNG;
    service-node-group default-sng;
}

Data traffic will start flowing after adjusting the SNG order:

[Diagram: DIA traffic path through the uCPE. LAN host 172.16.191.2/24 on LAN 172.16.191.1/24 (vni0/1.0) in VRF Marriott-LAN-VR; Palo Alto VM attached on Trust (vni-0/302.0: 172.16.10.1 / 172.16.10.2) and Untrust (vni-0/303.0: 172.16.20.1 / 172.16.20.2); tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET and tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET lead to Internet-Transport-VR with WAN IP 192.168.2.1/24 on vni0/0.0 and on to the INTERNET; Marriott-Control-VR/MP-BGP/Tunnels and mpls-vpn-core-instance are also shown, with arrows for Internet bound traffic and return traffic.]

C:\Users\Parbhat Kapoor>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     1 ms    <1 ms    <1 ms  172.16.10.2   ---PA Trust interface
  3     1 ms    <1 ms    <1 ms  172.16.191.1  ---Bug: 37393
  4     2 ms     2 ms     2 ms  192.168.2.1
  5     4 ms     4 ms     3 ms  gw-10-0.versa-networks.com [10.0.0.1]
 ...
 14    19 ms    17 ms    13 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

C:\Users\Parbhat Kapoor>
The workflow-generated service-filter rule needs modification before traffic starts flowing over the 3rd-party VNF
The rule below comes by default with only the [ptvi] interface in the destination zone-list. With this default config, Internet bound traffic takes the regular DIA traffic path without touching Palo Alto.

Workaround: add the "L-ST-Marriott-LAN-VR-PK-INET" interface to the destination zone-list in the rule below:

admin@PA-uCPE-Marriott-cli> show configuration orgs org-services Marriott service-filters classifier rules FromLAN
default-classifier {
    rules {
        FromLAN {
            match {
                destination {
                    zone {
                        zone-list [ ptvi ];                                  <-- from this
                        zone-list [ L-ST-Marriott-LAN-VR-PK-INET ptvi ];     <-- to this
                    }
                }
            }
            set {
                service-chain SC-Marriott-uCPE-PA-FromLAN;
            }
        }
    }
}
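An added configuration check, not from this deck or from Versa: it parses a constructed copy of the two CLI snippets shown in this document (pre-workaround state) and flags the two conditions the document works around, default-sng ordered before the firewall SNG in the FromLAN chain (BUG 36639) and a FromLAN service-filter destination zone-list that lacks L-ST-Marriott-LAN-VR-PK-INET. The regex-based parser is an assumption about the layout of the show-configuration text, not a Versa API.

```python
import re

# Constructed sample in the deck's "show configuration" text layout: the
# pre-workaround FromLAN service chain and FromLAN service-filter rule.
BROKEN_CONFIG = """
SC-Marriott-uCPE-PA-FromLAN {
    type internal;
    service-node-group default-sng;
    service-node-group Marriott-uCPE-PA-FromLAN-SNG;
}
default-classifier {
    rules {
        FromLAN {
            match {
                destination {
                    zone {
                        zone-list [ ptvi ];
                    }
                }
            }
            set {
                service-chain SC-Marriott-uCPE-PA-FromLAN;
            }
        }
    }
}
"""

def sng_order(config, chain):
    """Ordered service-node-group names inside the named chain (a flat block, no nesting)."""
    block = re.search(re.escape(chain) + r"\s*\{(.*?)\}", config, re.S)
    return re.findall(r"service-node-group\s+(\S+);", block.group(1)) if block else []

def zone_list(config, rule):
    """Destination zone-list members of the named rule; the rule name starts its own line."""
    block = re.search(r"^\s*" + re.escape(rule) + r"\s*\{(.*?)^\s*set\s*\{", config, re.S | re.M)
    m = re.search(r"zone-list\s*\[\s*([^\]]*)\]", block.group(1)) if block else None
    return m.group(1).split() if m else []

def audit(config, chain="SC-Marriott-uCPE-PA-FromLAN", rule="FromLAN",
          fw_sng="Marriott-uCPE-PA-FromLAN-SNG", lan_tvi="L-ST-Marriott-LAN-VR-PK-INET"):
    """Return a list of findings; an empty list means both workarounds are in place."""
    order = sng_order(config, chain)
    pos = {name: i for i, name in enumerate(order)}   # a missing name sorts last
    findings = []
    if pos.get(fw_sng, len(order)) > pos.get("default-sng", len(order)):
        findings.append(f"{chain}: {fw_sng} must precede default-sng (BUG 36639)")
    if lan_tvi not in zone_list(config, rule):
        findings.append(f"{rule}: zone-list lacks {lan_tvi}, DIA traffic bypasses the firewall")
    return findings
```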

Data traffic path BEFORE adding interface "L-ST-Marriott-LAN-VR-PK-INET" to the service-filter:

[Diagram: same DIA traffic path topology as on the previous page (LAN host 172.16.191.2/24 on LAN 172.16.191.1/24, vni0/1.0, VRF Marriott-LAN-VR; Palo Alto VM on Trust vni-0/302.0 172.16.10.1 / 172.16.10.2 and Untrust vni-0/303.0 172.16.20.1 / 172.16.20.2; tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET and tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET to Internet-Transport-VR, WAN IP 192.168.2.1/24 on vni0/0.0, INTERNET; Marriott-Control-VR/MP-BGP/Tunnels, mpls-vpn-core-instance).]

C:\Users\Parbhat Kapoor>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.16.191.1
  2     1 ms     1 ms     1 ms  192.168.2.1
  3     4 ms     3 ms     3 ms  gw-10-0.versa-networks.com [10.0.0.1]
 ...
 14    19 ms    17 ms    13 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

C:\Users\Parbhat Kapoor>
Data traffic path AFTER adding interface "L-ST-Marriott-LAN-VR-PK-INET" to the service-filter "FromLAN" rule:

[Diagram: same DIA traffic path topology as on the previous pages (LAN host 172.16.191.2/24 on LAN 172.16.191.1/24, vni0/1.0, VRF Marriott-LAN-VR; Palo Alto VM on Trust vni-0/302.0 172.16.10.1 / 172.16.10.2 and Untrust vni-0/303.0 172.16.20.1 / 172.16.20.2; tvi0/603.0 L-ST-Marriott-LAN-VR-PK-INET and tvi0/602.0 W-ST-Marriott-LAN-VR-PK-INET to Internet-Transport-VR, WAN IP 192.168.2.1/24 on vni0/0.0, INTERNET; Marriott-Control-VR/MP-BGP/Tunnels, mpls-vpn-core-instance).]

C:\Users\Parbhat Kapoor>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     1 ms    <1 ms    <1 ms  172.16.10.2   ---PA Trust interface
  3     1 ms    <1 ms    <1 ms  172.16.191.1  ---Bug: 37393
  4     2 ms     2 ms     2 ms  192.168.2.1
  5     4 ms     4 ms     3 ms  gw-10-0.versa-networks.com [10.0.0.1]
 ...
 14    19 ms    17 ms    13 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

C:\Users\Parbhat Kapoor>
Verification method to confirm traffic is indeed traversing via Palo Alto

admin@PA-uCPE-Marriott-cli> show orgs org-services Marriott service-chain-instances stats brief


service-chain-instances stats brief SC-Marriott-uCPE-PA-FromLAN (INTERNET BOUND TRAFFIC)
sc-id 128511
1
sng-name Marriott-uCPE-PA-FromLAN-SNG
egress vni-0/302.0
ingress vni-0/303.0
fwd-tx 599494
fwd-rx 597939
rev-tx 662386
rev-rx 661355
fwd-bypass 0
rev-bypass 0
fwd-drops 1194
rev-drops 0
service-chain-instances stats brief SC-Marriott-uCPE-PA-ToLAN (NOT TESTED THIS TIME, NEED SETUP TO GENERATE TRAFFIC FROM INTERNET)
sc-id 128767
2
sng-name Marriott-uCPE-PA-ToLAN-SNG
egress vni-0/303.0
ingress vni-0/302.0
fwd-tx 2622
fwd-rx 0
rev-tx 0
rev-rx 4
fwd-bypass 0
rev-bypass 0
fwd-drops 772
rev-drops 0
[ok][2019-02-06 17:20:46]
admin@PA-uCPE-Marriott-cli>
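An added check, not from this deck or from Versa, that turns the stats brief output above into a verdict: it parses a constructed copy of the counters shown (one "key value" per line) and reports a chain as steered only when packets left for the firewall SNG, came back with little loss and nothing was bypassed. It assumes fwd-tx counts packets handed to the SNG and fwd-rx those returned by it; the 1% loss and 1000-packet thresholds are illustrative choices.

```python
import re

# Constructed from the deck's "service-chain-instances stats brief" output:
# the page's counter values, flattened to one "key value" pair per line.
STATS_BRIEF = """
service-chain-instances stats brief SC-Marriott-uCPE-PA-FromLAN
fwd-tx 599494
fwd-rx 597939
rev-tx 662386
rev-rx 661355
fwd-bypass 0
rev-bypass 0
fwd-drops 1194
rev-drops 0
service-chain-instances stats brief SC-Marriott-uCPE-PA-ToLAN
fwd-tx 2622
fwd-rx 0
rev-tx 0
rev-rx 4
fwd-bypass 0
rev-bypass 0
fwd-drops 772
rev-drops 0
"""

def parse_stats_brief(text):
    """Map each service-chain name to its fields; numeric values become ints."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"service-chain-instances stats brief (\S+)", line)
        if head:
            current = chains.setdefault(head.group(1), {})
            continue
        kv = re.match(r"(\S+)\s+(\S+)$", line.strip())
        if kv and current is not None:
            key, val = kv.groups()
            current[key] = int(val) if val.isdigit() else val
    return chains

def chain_health(stats, min_packets=1000):
    """Classify one chain; 'steered' means traffic reached the firewall SNG and came back."""
    if stats["fwd-bypass"] or stats["rev-bypass"]:
        return "bypassed"      # the SNG was skipped, the firewall never saw this traffic
    if stats["fwd-tx"] < min_packets:
        return "idle"          # too little traffic to conclude anything
    if stats["fwd-rx"] == 0:
        return "no-return"     # handed to the SNG, nothing returned (e.g. untested direction)
    fwd_loss = (stats["fwd-tx"] - stats["fwd-rx"]) / stats["fwd-tx"]
    return "steered" if fwd_loss < 0.01 else "degraded"
```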

Verification method to confirm traffic is indeed traversing via Palo Alto

vsm-vcsn0> show vsf session handle extensive 0x20048b1


Session ID: 20048b1 (NFP), Tenant ID: 2, Owner WT: 5
Protocol - Layer-3: 102, Layer-4: 17
Src Address: 172.16.191.2, Port: 58848
Dst Address: 173.194.53.201, Port: 443
Session Start Timestamp: 79248956
Session Last Active Tmestamp: 79262456
Session Idle Timeout: 30000 Session Hard Timeout: 0 Close Pending : 0

Service Chain: 29 26 21 1 16 6 2 3 4 9 5 17 8 10 13 22 15 14 12 18 24 20 7
##Nat Info Flags 0x11:
NFP-offload:N[N], RT gen:0[0], MTU:1500[1500], NH-Ready:Y[Y]
External Service Chaining:
Forw SC id : 128511 Rev SC id : -2147355137
Forw rcvif : vni-0/1.0 [1048] Rev rcvif : vni-0/0.0 [1046]
Forward - TX:
Total Packets : 522, Bytes : 64011
Forward - RX:
Total Packets : 522, Bytes : 64011
Reverse - TX:
Total Packets : 1769, Bytes : 2390198
Reverse - RX:
Total Packets : 1769, Bytes : 2390198

Verification method: TCPDUMP on the vni-0/302 and vni-0/303 interfaces

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/302 filter "host 8.8.8.8"
Starting capture on vni-0/302
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_302, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:40.867120 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3979, length 40
17:26:40.879114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3979, length 40
17:26:41.871114 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3980, length 40
17:26:41.887114 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3980, length 40
17:26:42.879113 56:48:4f:53:54:00 > 52:54:00:19:52:68, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3981, length 40
17:26:42.895113 52:54:00:19:52:68 > 56:48:4f:53:54:00, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3981, length 40
^C
6 packets captured

admin@PA-uCPE-Marriott-cli> tcpdump vni-0/303 filter "host 8.8.8.8"
Starting capture on vni-0/303
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_303, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:48.915114 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3987, length 40
17:26:48.927119 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3987, length 40
17:26:49.919152 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3988, length 40
17:26:49.935114 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3988, length 40
17:26:50.923117 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3989, length 40
17:26:50.939114 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3989, length 40
17:26:51.931120 52:54:00:d4:87:e4 > 56:48:4f:53:54:01, ethertype IPv4 (0x0800), length 74: 172.16.191.2 > 8.8.8.8: ICMP echo request, id 1, seq 3990, length 40
17:26:51.943203 56:48:4f:53:54:01 > 52:54:00:d4:87:e4, ethertype IPv4 (0x0800), length 74: 8.8.8.8 > 172.16.191.2: ICMP echo reply, id 1, seq 3990, length 40
^C
8 packets captured

Verification method: lastly, you can always verify the logs on the 3rd-party FW as well.

Thank You

