Service Insertion Commands

service-chain

To create a service chain, use the service-chain command in SD-WAN configuration mode. To remove a service chain, use the no form of the command.

service-chain chain-number

no service-chain chain-number

Syntax Description

chain-number

Identifier of the service chain.

Valid values: SC1 through SC16.

Command Default

A service chain is not created.

Command Modes

SD-WAN configuration (config-sdwan)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

You can create up to 16 service chains in a Cisco Catalyst SD-WAN network.

Example

The following example shows how to create a service chain named SC1:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1

service-chain-affect-bfd

To configure all Cisco Catalyst SD-WAN bidirectional forwarding (BFD) sessions to be brought down automatically and immediately if the service chain goes down, use the service-chain-affect-bfd command in service-chain configuration mode. To remove this configuration, use the no form of this command.

service-chain-affect-bfd

no service-chain-affect-bfd

Syntax Description

This command has no arguments or keywords.

Command Default

Cisco Catalyst SD-WAN BFD sessions are not brought down automatically if the service chain goes down.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

  • This command is available after you create a service chain with the service-chain command.

  • Unless you require all BFD sessions to be brought down when a service chain goes down, we recommend that you not use this command, so that BFD is not disrupted unintentionally.

Example

The following example shows how to enable Cisco Catalyst SD-WAN BFD sessions to be brought down automatically and immediately if the service chain SC1 goes down:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-affect-bfd

service-chain-description

To configure a description for a service chain, use the service-chain-description command in service-chain configuration mode. To remove the description from a service chain, use the no form of this command.

service-chain-description description

no service-chain-description

Syntax Description

description

Description of the service chain. The description can contain up to 64 characters.

Command Default

A description for the service chain is not configured.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command is available after you create a service chain with the service-chain command.

Example

The following example shows how to configure “service-chain-site-1” as the description of service chain SC1:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-description service-chain-site-1

service-chain-enable

To enable a service chain, which makes it active on devices, use the service-chain-enable command in service-chain configuration mode. To disable the service chain, use the no form of this command.

service-chain-enable

no service-chain-enable

Syntax Description

This command has no arguments or keywords.

Command Default

A service chain is enabled.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

  • This command is available after you create a service chain with the service-chain command.

  • Because a service chain is enabled by default, you do not need to use this command to enable a service chain unless you have first used the no form of this command to disable the service chain.

  • This command is useful when you want to create a service chain but are not ready for it to become active. In this situation, create the service chain and use the no form of this command to disable it. Enable the service chain later, with this command, when you want it to be active.

Example

The following example shows how to enable service chain SC1:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-enable

service-chain-vrf

To specify the name of the VPN that hosts all services in the service chain, use the service-chain-vrf command in service-chain configuration mode.

service-chain-vrf vrf

Syntax Description

vrf

Name of a configured VPN in which all services in the service chain are to be hosted.

Command Default

A VRF name is not specified.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

  • This command is available after you create a service chain with the service-chain command.

  • All services in the service chain must be accessible through the VPN that you specify.

  • This command does not have a no form.

Example

The following example shows how to specify 101 as the VPN in which all services in the service chain SC1 are to be hosted:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-vrf 101

service

To specify the services that are in the service chain and configure related options, use the service command in service-chain configuration mode. To remove a service from a service chain, use the no form of this command.

service service-type service-parameters

no service service-type

Syntax Description

service-type

Description of a service type to include in the service chain. Enter up to four of the following description types.

These descriptions are for your reference only, and you can use any description for any service type. The netsvc1 through netsvc10 descriptions are provided for use with your own services or when you do not want to explicitly describe a service such as a firewall for security reasons.

  • firewall

  • intrusion-detection

  • intrusion-detection-prevention

  • netsvc1 through netsvc10

service-parameters

Parameters for each service type. See Usage Guidelines for information about applicable service parameters.

Command Default

A service chain is not configured.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

  • This command is available after you specify the name of the VPN in which all services in the service chain are to be hosted with the service-chain-vrf command.

  • A service chain must have at least one service, so you cannot remove all services from a service chain.

  • Using a service-type name that corresponds to a service provides a convenient way for you to identify a service in a service chain. However, any service can be connected to any service-type name.

  • Configure the following service-parameters for each service type:

    • sequence sequence-number

      Relative position of the service type in the service chain, which is the order in which the services in the service chain are applied to traffic. Services are applied from the lowest sequence-number value to the highest, and this value can be any number from 1 through 65535.

      We recommend that you leave gaps between sequence-number values so that you can easily add services to a service chain if needed. For example, if you create a service chain with two service types, assign the service types sequence numbers of 100 and 200. The service type with a sequence-number of 100 is applied to traffic first. If you then want to add a third service type but want it to be applied in the second position, you can assign it a sequence number of 150 (or any value between 100 and 200).

    • service-transport-ha-pair value {active | [backup]} {tx | [rx]} {{ipv4 | ipv6 | tunnel-interface} address-or-number} {interface port-number interface-name} [endpoint-tracker name]

      Specifies the number of high availability pairs (active and optionally backup interfaces) that can be configured for forwarding traffic for the service and configures these high availability pairs.

      value is the number of high availability pairs and can be a number 1 through 8. The high availability pairs can use IPv4, IPv6, or tunneled interfaces, depending on how the service is attached to a router. For dual stack connectivity, configure up to four IPv4 and four IPv6 high availability pairs.

      active specifies an active interface, and backup specifies a backup interface.

      tx specifies that packets are sent on the interface, and rx specifies that packets are received on the interface. If rx is not specified, packets are both sent and received on the interface.

      ipv4 , ipv6 , or tunnel-interface specify the method by which the service is attached to a router.

      For the IPv4 or IPv6 attachment method, address-or-number is the IP address of the service to be attached to the service type. For the tunnel interface attachment method, address-or-number is the tunnel number for the service to be attached to the service type.

      interface is the type of interface that is used to connect to the service, port-number is the number of the port on which the service communicates, and interface-name is the name of the interface. interface can be any of the following:

      • Ethernet

      • FastEthernet

      • FiveGigabitEthernet

      • FortyGigabitEthernet

      • GigabitEthernet

      • HundredGigabitEthernet

      • TenGigabitEthernet

      • TwentyFiveGigE

      • TwoGigabitEthernet

    • endpoint-tracker name

      By default, tracking is enabled for the service chain, and the tracker uses the tx and rx IP addresses of a service to track the service. Use this endpoint-tracker option if you want to track the service using other IP addresses. name is the name of the tracker that defines the IP address to use. You can configure an endpoint tracker for the tx interface, the rx interface, or both interfaces. If you use this option, ensure that routing for this tracker is configured appropriately in your deployment.

      Note: For any interface, reachability for only one IPv4 address and one IPv6 address can be tracked. For example, if a high availability pair is configured with the service IP address of 10.1.1.1 on the GigabitEthernet3 interface, another service IP address cannot be tracked on GigabitEthernet3. Similarly, only one IPv4 address and one IPv6 address can be tracked for a dual stack interface.

Example

The following example shows how to configure the firewall and netsvc1 service types for service chain SC1:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-vrf 101
Device(config-service-chain-SC1)# service firewall
Device(config-service-firewall)# sequence 100
Device(config-service-firewall)# service-transport-ha-pair 1
Device(config-service-transport-ha-pair-1)# active tx ipv4 10.0.0.1 GigabitEthernet 1 endpoint-tracker tracker1
Device(config-service-transport-ha-pair-1)# service netsvc1
Device(config-service-netsvc1)# sequence 200
Device(config-service-netsvc1)# service-transport-ha-pair 1
Device(config-service-transport-ha-pair-1)# active tx ipv4 10.0.0.2 GigabitEthernet 4

service service-transport-ha-pair attribute trust-posture

To configure the trust posture of a high availability pair that is in a service chain, use the service service-transport-ha-pair attribute trust-posture command in service-chain configuration mode. To set the trust posture back to trusted after it has been set to untrusted, use the no form of this command.

service service-type service-transport-ha-pair value attribute trust-posture {trusted | untrusted}

no attribute trust-posture

Syntax Description

service-type

Type of service for which to configure the trust posture. Enter one of the following values:

  • firewall

  • intrusion-detection

  • intrusion-detection-prevention

  • netsvc1 through netsvc10

value

The number of high availability pairs for which to configure the trust posture.

Range: 1 through 8

trusted

Configures the trust posture as trusted.

untrusted

Configures the trust posture as untrusted.

Command Default

The trust posture for each interface in each high availability pair is trusted.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.14.1a

Command qualified for use in Cisco Catalyst SD-WAN Manager CLI templates.

Usage Guidelines

  • The service command must be configured before you can configure a trust posture with this command. See service.

  • The trust posture configuration of each high availability pair in a service chain must be the same. By default, the trust posture for each interface in each high availability pair is trusted. However, if one interface in a high availability pair has a trust posture of trusted and the other interface has a trust posture of untrusted, all high availability pairs in the service chain must be configured in this way.

Example

The following example shows how to configure the trust posture of each high availability pair in SC1 as trusted:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# service-chain-vrf 101
Device(config-service-chain-SC1)# service firewall
Device(config-service-firewall)# sequence 100
Device(config-service-firewall)# service-transport-ha-pair 1
Device(config-service-transport-ha-pair-1)# attribute trust-posture trusted
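As an added example that is not part of the Cisco documentation, the following Python linter parses a service-chain configuration written in the form of this page's examples and checks the rules stated under service and service service-transport-ha-pair attribute trust-posture: sequence numbers unique and within 1 through 65535, the same trust posture on every high availability pair in a chain, at most 8 high availability pairs per service with at most 4 per address family, and only one IPv4 or IPv6 address tracked per interface. It assumes that each interface line has the shape active|backup tx|rx ipv4|ipv6 address interface-type port, as in the examples above, and the sample configuration is constructed for this illustration.

```python
# Constructed snippet modelled on this page's examples (not a real device dump). It breaks two
# rules the page states: mixed trust postures, and two IPv4 addresses tracked on one interface.
SAMPLE = """service-chain SC1
 service firewall
  sequence 100
  service-transport-ha-pair 1
   active tx ipv4 10.0.0.1 GigabitEthernet 1
   attribute trust-posture trusted
 service netsvc1
  sequence 200
  service-transport-ha-pair 1
   active tx ipv4 10.0.0.2 GigabitEthernet 1
   attribute trust-posture untrusted"""

def parse(text):
    # Returns {chain: [{"type", "sequence", "pairs": [{"af", "addr", "iface", "posture"}]}]}
    chains, svcs, svc, pair = {}, None, None, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "service-chain":
            svcs = chains.setdefault(t[1], [])
        elif t[0] == "service":
            svcs.append(svc := {"type": t[1], "sequence": None, "pairs": []})
        elif t[0] == "sequence":
            svc["sequence"] = int(t[1])
        elif t[0] == "service-transport-ha-pair":
            svc["pairs"].append(pair := {"af": None, "addr": None, "iface": None, "posture": "trusted"})
        elif t[0] in ("active", "backup"):  # assumed shape: active tx ipv4 10.0.0.1 GigabitEthernet 1
            pair["af"], pair["addr"], pair["iface"] = t[2], t[3], t[4] + t[5]
        elif t[:2] == ["attribute", "trust-posture"]:
            pair["posture"] = t[2]
    return chains

def check(chains):
    out = []
    for name, svcs in chains.items():
        seqs = [s["sequence"] for s in svcs]
        if any(q is None or not 1 <= q <= 65535 for q in seqs) or len(set(seqs)) != len(seqs):
            out.append(f"{name}: sequence numbers must be unique and within 1 through 65535")
        if len({p["posture"] for s in svcs for p in s["pairs"]}) > 1:
            out.append(f"{name}: trust posture must be the same for every HA pair")
        tracked = {}  # (interface, address family) -> service addresses tracked on it
        for s in svcs:
            if len(s["pairs"]) > 8 or any(sum(p["af"] == af for p in s["pairs"]) > 4 for af in ("ipv4", "ipv6")):
                out.append(f"{name}/{s['type']}: at most 8 HA pairs, and 4 per address family")
            for p in s["pairs"]:
                tracked.setdefault((p["iface"], p["af"]), set()).add(p["addr"])
        for (iface, af), addrs in tracked.items():
            if len(addrs) > 1:
                out.append(f"{name}: only one {af} address can be tracked on {iface}, found {sorted(addrs)}")
    return out
```

Running check(parse(SAMPLE)) reports the posture mismatch and the second address on GigabitEthernet1; moving the netsvc1 pair to another interface and setting its posture to trusted clears both findings.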

track-enable

To specify that the IP address of each service in the service chain can be tracked by using endpoint tracking, use the track-enable command in service-chain configuration mode. To disable the use of the IP address of each service for tracking, use the no form of the command.

track-enable

no track-enable

Syntax Description

This command has no arguments or keywords.

Command Default

Tracking is enabled.

Command Modes

service-chain configuration (config-service-chain)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

  • This command is available after you create a service chain with the service-chain command.

  • Tracking generates an alert if a service goes down. If tracking is not enabled, you can still check the state of the Cisco Catalyst SD-WAN interface where a service is deployed to determine whether the service is up or down. For instructions, see ICMP Endpoint Tracker for NAT DIA.

Example

The following example shows how to specify that the IP address of each service in service chain SC1 can be tracked:

Device(config)# sdwan
Device(config-sdwan)# service-chain SC1
Device(config-service-chain-SC1)# track-enable