SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).

What is everyone else doing to configure overlapping service addresses where a global "Internet" service has a port set and a more specific service addresses do not have ports defined?

  • 1.  What is everyone else doing to configure overlapping service addresses where a global "Internet" service has a port set and a more specific service addresses do not have ports defined?

     
    Posted 10-16-2018 00:00

    The example here is that I am trying to configure a local internet breakout service for tcp port 443 as shown here:

    # configure authority service internet-443-only
    show
    name           internet-443-only
    security       encrypt-hmac-disabled
    transport      tcp
        protocol    tcp
        port-range  443
            start-port  443
        exit
    exit
    address        0.0.0.0/0
    access-policy  field-eng.corp
        source  field-eng.corp
    exit

    I also have a more specific lab service shown here:

    # configure authority service sea-lab
    show
    name            sea-lab
    service-group   reidlab
    description     "Seattle lab service"
    scope           private
    security        corp-sec
    address         172.25.128.0/24
    access-policy   field-eng.corp
        source  field-eng.corp
    exit
    access-policy   seattle-adam.field-eng.corp
        source      seattle-adam.field-eng.corp
        permission  allow
    exit
    service-policy  sea-lab-redundant-policy

    As any service with a port defined takes precedence for service routing, when I try to send a packet towards a destination in the "sea-lab" service (e.g. 172.25.128.5) on port 443, the path selected uses the "service-route" defined for the "internet-443-only" service.

    I was able to configure the "sea-lab" service with all TCP ports as defined here to make the desired solution, but curious if anyone else has any better ideas:

    # configure authority service sea-lab
    show
    name            sea-lab
    service-group   reidlab
    description     "Seattle lab service"
    scope           private
    security        corp-sec
    transport       tcp
        protocol    tcp
        port-range  0
            start-port  0
            end-port    65535
        exit
    exit
    transport       udp
        protocol    udp
    exit
    transport       icmp
        protocol    icmp
    exit
    address         172.25.128.0/24
    access-policy   field-eng.corp
        source  field-eng.corp
    exit
    access-policy   seattle-adam.field-eng.corp
        source      seattle-adam.field-eng.corp
        permission  allow
    exit
    service-policy  sea-lab-redundant-policy

    # show sessions | grep 172.25.128 -A1
    Piping output...
    a7cf3873-32cc-4130-b807-8ee9fd176a6d  sea-lab  seattle-adam.field-  LAN  128  TCP  172.25.129.102  60312  172.25.128.5  443  0.0.0.0  0  true  4  0 days 0:00:05

  • 2.  RE: What is everyone else doing to configure overlapping service addresses where a global "Internet" service has a port set and a more specific service addresses do not have ports defined?

     
    Posted 10-16-2018 00:00

    What you've done by adding the full range of ports is what I've done in the past too. It feels ugly but it makes sense.

     

    I had a similar-but-different scenario come up where I had a Squid proxy doing URL filtering (TCP/80) but only had it installed on one of my three 128T routers. Because services are global, my other routers were also matching TCP/80 to this service and therefore routing wasn't behaving as I'd hoped. What I did in this circumstance was to create subtenants that were effectively location based -- location1.mytenant was given access to my URL filtering service, and my 0.0.0.0/0 service was allowed access by mytenant. When sessions at location1 hit my 128T on TCP/80 they'd match my Squid proxy service, but at other routers TCP/80 would match the basic internet service.

     

    I recognize you probably can't make that distinction here, but it has a similar root cause (port matching being more specific than IP matching).
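The two situations in this thread (a port-defined global service beating a more specific address-only service, and the subtenant trick from the reply) can be reproduced in a small model of service selection. This is an added example, not 128T/Session Smart Router code; the precedence rule it encodes (any service that defines ports wins over an address-only service, then longest prefix) is taken from the original post and assumed, and the "url-filter"/"internet" services with tenants "location1.mytenant"/"mytenant" are constructed to mirror the reply.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Service:
    name: str
    address: str          # destination prefix
    tenants: tuple        # tenants named in the service's access-policy entries
    ports: dict = field(default_factory=dict)  # protocol -> (start, end); {} = no ports defined

    def allows(self, tenant):
        # a subtenant such as "location1.mytenant" inherits access granted to "mytenant"
        return any(tenant == t or tenant.endswith("." + t) for t in self.tenants)

    def matches(self, tenant, proto, dst_ip, dst_port):
        if not self.allows(tenant) or ip_address(dst_ip) not in ip_network(self.address):
            return False
        if not self.ports:    # no transport/port defined: any destination port matches
            return True
        lo, hi = self.ports.get(proto, (1, 0))   # unlisted protocol: never matches
        return lo <= dst_port <= hi

def select_service(services, tenant, proto, dst_ip, dst_port):
    """Pick the service a session binds to, or None when nothing matches."""
    cands = [s for s in services if s.matches(tenant, proto, dst_ip, dst_port)]
    if not cands:
        return None
    # Assumed precedence (from the post): any service defining ports beats an
    # address-only service; among equals, the longer prefix wins.
    return max(cands, key=lambda s: (bool(s.ports), ip_network(s.address).prefixlen)).name

# Services from the thread, plus a constructed Squid/URL-filter pair for the reply.
INTERNET_443 = Service("internet-443-only", "0.0.0.0/0", ("field-eng.corp",), {"tcp": (443, 443)})
SEA_LAB = Service("sea-lab", "172.25.128.0/24", ("field-eng.corp", "seattle-adam.field-eng.corp"))
SEA_LAB_FIXED = Service("sea-lab", "172.25.128.0/24", SEA_LAB.tenants, {"tcp": (0, 65535)})  # workaround
URL_FILTER = Service("url-filter", "0.0.0.0/0", ("location1.mytenant",), {"tcp": (80, 80)})
INTERNET = Service("internet", "0.0.0.0/0", ("mytenant",))

def lab_443_before_fix():
    return select_service([INTERNET_443, SEA_LAB], "seattle-adam.field-eng.corp", "tcp", "172.25.128.5", 443)

def lab_443_after_fix():
    return select_service([INTERNET_443, SEA_LAB_FIXED], "seattle-adam.field-eng.corp", "tcp", "172.25.128.5", 443)

def web_at(tenant):
    # TCP/80 from the given location toward a constructed external address
    return select_service([URL_FILTER, INTERNET], tenant, "tcp", "203.0.113.10", 80)
```

Before the fix the lab session binds to internet-443-only; with the full TCP range on sea-lab it binds to sea-lab, and TCP/80 from location1.mytenant hits url-filter while other locations fall through to internet.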