Service Insertion for Equinix

Table 1. Feature History

Feature Name: Service Insertion for Equinix

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a; Cisco Catalyst SD-WAN Manager Release 20.15.1

Description: With this feature, you can deploy Palo Alto Networks firewall on Equinix and attach a service chain to Equinix interconnect gateway from the Workflow Library in Cisco SD-WAN Manager.

Information About Service Insertion for Equinix

With this feature, you can use Cisco SD-WAN Manager to define, create, instantiate, and deploy service chains in Equinix. You can create service chains that include a single standalone or stateful Palo Alto Networks Firewall service instance per service chain.

The Cisco SD-WAN Manager service insertion workflow automates configurations on a Cisco IOS XE Catalyst SD-WAN device. Based on the selection of the service and the service type, the service instance creates a configuration group for service insertion which has the details of the service instances defined in the workflow.

Prerequisites for Service Insertion for Equinix

  • Ensure that you have an active Equinix account. If you don't already have an account, you can create an account on the Equinix portal. Refer to the New User Equinix Fabric Portal Access documentation from Equinix.

  • Ensure that you have an active Equinix billing account. If you don't already have one, you can create billing accounts for each region in which you would like to deploy an Interconnect Gateway using this account. Refer to the Billing Account Management documentation from Equinix.

  • Ensure that the Equinix account is associated with Cisco SD-WAN Manager. For more information, see Associate Equinix Account with Cisco SD-WAN Manager.

  • Deploy the Equinix Interconnect Gateway to a configuration group. For more information, see Create Interconnect Gateway at an Equinix Location.

  • Purchase the required Palo Alto Networks firewall licenses.

Workflow to Configure Service Insertion for Equinix

  1. Define and Configure Service Chain: Creates a service chain definition. The service chain definition comprises a service type and the order of the service. After you provide the details in the workflow, Cisco SD-WAN Manager creates a configuration group. You cannot edit the parameters in the configuration group after its creation. See Define and Configure Service Chain.

  2. Instantiate Service Chain: Instantiates a service chain by deploying an instance of the service in Equinix. See Instantiate Service Chain.

  3. Attach a Service Chain to the Cisco SD-WAN Device: Attach the service chain to Equinix interconnect gateway. See Attach a Service Chain to the Cisco SD-WAN Device.

  4. Configure service chain actions for a data policy to route traffic through a service chain. See Configure Service Chain Actions in a Data Policy.

Define and Configure Service Chain

  1. In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Define and Configure Service Chain.

  2. Follow the on-screen instructions to complete the service chain definition workflow.

    Following are some of the parameters in the workflow:

    • On the Select Environment page, choose Equinix as the environment for the service chain definition.

    • Choose only firewall as the service type. For each service chain instance, you can choose only one Palo Alto Networks firewall.

    • The Size, Flavor, and SW-Version in the workflow refer to the Palo Alto Networks firewall that you choose.

    • The sshPublickey Value is retrieved from the Equinix account that you choose.

    • Enter the management plane bandwidth (Mbps) between the router and the service in the Management Plane field.

    • The name entered in the User Name field is the user name of the Palo Alto Networks firewall credentials.

    • Choose Stateful or Standalone type of HA mode for the service. If you choose Stateful HA mode, ensure that you have the appropriate active licenses to proceed with the instantiation of the service chain.

Instantiate Service Chain

  1. In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Instantiate Service Chain.

  2. Follow the on-screen instructions to instantiate the service chain.

    Following are some of the parameters of the workflow:

    • Ensure that you choose an active Equinix billing account for the service insertion workflow.

    • Ensure that you provide Palo Alto Networks firewall parameters based on your requirements. This workflow only instantiates the Palo Alto Networks firewall service. For any Palo Alto Networks firewall security policies and lifecycle management, see the Palo Alto Networks firewall documentation.

    • The Size, Flavor, and SW-Version are retrieved from the Equinix portal based on the selected Equinix account and the Palo Alto Networks firewall you choose in the Instantiate Service Chain workflow.

Attach a Service Chain to the Cisco SD-WAN Device

Before You Begin

  • Ensure that you define a tracker. Tracker configuration is critical to avoid blackholing. Defining a tracker ensures that the service chain is determined to be in the UP state and is used. If the IP address of a service chain firewall is used with an ICMP-based tracker, ensure that the firewall allows ICMP on the appropriate interface.

  1. In the Cisco SD-WAN Manager menu, click Workflows > Workflows Library > Attach Service Chain to Cisco SD-WAN Router.

  2. Follow the on-screen instructions to attach the service chain to a Cisco IOS XE Catalyst SD-WAN device.

    • You can select only one interconnect gateway at a time to attach a service chain.

    • Attach the service chain to the appropriate Cisco IOS XE Catalyst SD-WAN device. You don't need to attach the service chain to the branch routers.


Note


Alternatively, attach the Cisco IOS XE Catalyst SD-WAN device to a service chain using Configuration > Service Insertion > Service Chain Instances. Click ... next to the name of the instance to which you wish to attach a device and click Attach. This takes you to the service chain attachment workflow under Workflows > Workflows Library > Attach Service Chain to Cisco SD-WAN Router.


Detach a Service Chain Instance

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Service Insertion.

  2. Click Service Chain Instances to view the list of service chain instances and the devices attached to each instance.

  3. Click ... adjacent to the instance from which you wish to detach the device and choose Detach.

  4. In the confirmation dialog box, click Detach.

Verify Configurations for Equinix Service Insertion

After you instantiate the service chain, you can view the service chain instances in Configuration > Service Insertion. This page displays a list of service chain instances along with the Cisco IOS XE Catalyst SD-WAN device attached to each service chain instance.

To view the details of the device that is attached to the service chain instance, click the device in the Attached to column. You can use the information about service TX and RX interfaces and the IP addresses on the Cisco SD-WAN Manager for the configurations on the Palo Alto Networks Firewall. Configure the service TX IP address on the service TX interface, and the service RX IP address on the service RX interface on the Palo Alto Networks Firewall.

To view details such as service type, password, IP address, and so on, of the service used in the service chain instance, click the Number of Services option.