Understanding ALG Support for VRF group
In an SD-WAN network, the basic requirement on an ALG is that it must not break the applications it handles. An ASL resource manages the ALG group for each ALG feature; this resource is enhanced to carry the new VRF group tuple. The ALG supports only control and data sessions that belong to the same VRF group.
The ALG parses Layer 7 control messages and extracts the negotiation information carried by the control session. From it, the ALG creates dynamic policies (gates) for the data session and adds the VRF group to the gate match. The first data packet goes through flow first-path processing to determine whether it matches a gate. The search key becomes: zone, source/destination IP, source/destination port, protocol, VRF group. If the gate carries no VRF group, it matches traffic from any VRF group.
Interaction with External Module
The ALG interacts with routing, NAT, and policy to support VRF groups:
Interacting with routing —VoIP ALGs perform a route lookup for the IP addresses embedded in the payload before applying NAT while processing the control session. To perform the route lookup for payload IPs:
In the control session, check whether the packet arrived on a VRF or LSI interface. If it did, use the VRF information from the session to perform the route lookup.
If the packet did not arrive on a VRF or LSI interface, use the VRF of the control packet's source interface to perform the route lookup.
Once the next hop is identified, the VRF used for the route lookup is added to the VRF group provided by flow. The ALG uses this VRF group for the session and stores the VRF group ID in the session.
Interacting with NAT —The ALG invokes NAT during control session negotiation, and again after a gate hit, when the new data session is created and source NAT is required. The ALG passes the VRF group to NAT for rule search for both source and destination NAT. The VRF and VRF group are derived in the same way as for the routing interaction.
Interacting with policy —VoIP ALGs perform a policy search after a gate hit to check whether the data traffic is permitted by policy. The policy match and search APIs are enhanced to take source and destination VRF groups. If a policy specifies no VRF group, it matches any VRF group.
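The whole procedure above, from choosing the VRF for the payload route lookup, through the gate (pinhole) match on the first data packet, to the policy search after the gate hit, as an added Python model. It is not Juniper code: the Packet, Gate and Policy records, the interface-to-VRF and VRF-to-group tables, the create_gate/first_path functions and the sample SIP/RTP scenario are all assumptions made for illustration. The security-relevant point it shows is that a gate created by a control session in one VRF group is not hit by a data packet with the same 5-tuple from another VRF group, while a gate with no VRF group is hit by any.

```python
"""Toy model of an ALG data-session gate and the policy search after a gate
hit, with the VRF group as part of the match key.

Added example, not Juniper code. The record types, the tables below and the
SIP/RTP scenario are assumptions made to illustrate the text.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables (assumed): interface -> VRF, VRF -> VRF group.
IFACE_VRF = {"ge-0/0/0.100": "vrf-a", "ge-0/0/0.200": "vrf-b", "ge-0/0/1.0": "inet.0"}
VRF_GROUP_OF = {"vrf-a": "grp-a", "vrf-b": "grp-b"}


@dataclass(frozen=True)
class Packet:
    zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    vrf_group: Optional[str]  # None when flow assigned no VRF group


@dataclass(frozen=True)
class Gate:
    """Dynamic policy the ALG installs from the negotiated control data.
    A None field is a wildcard; vrf_group=None matches any VRF group."""
    zone: str
    src_ip: Optional[str]
    dst_ip: str
    src_port: Optional[int]
    dst_port: int
    proto: str
    vrf_group: Optional[str]


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_vrf_group: Optional[str]  # None = any
    dst_vrf_group: Optional[str]  # None = any
    action: str


def _wild(pattern, value):
    """Wildcard compare: an unset pattern matches anything."""
    return pattern is None or pattern == value


def gate_matches(gate: Gate, pkt: Packet) -> bool:
    """First-path search key: zone, src/dst IP, src/dst port, protocol, VRF group."""
    return (gate.zone == pkt.zone
            and _wild(gate.src_ip, pkt.src_ip) and gate.dst_ip == pkt.dst_ip
            and _wild(gate.src_port, pkt.src_port) and gate.dst_port == pkt.dst_port
            and gate.proto == pkt.proto
            and _wild(gate.vrf_group, pkt.vrf_group))


def lookup_vrf_for_payload(session_vrf: Optional[str], in_iface: str) -> str:
    """VRF used to route an IP embedded in the control payload: the session's
    VRF when the control packet came in on a VRF/LSI interface, otherwise the
    VRF of the control packet's source interface."""
    return session_vrf if session_vrf is not None else IFACE_VRF[in_iface]


def create_gate(session_vrf, in_iface, zone, media_ip, media_port, flow_vrf_group):
    """Control-session side: resolve the VRF for the payload IP, derive the VRF
    group stored in the session, and install the media (RTP) gate keyed on it.
    The flow-provided group wins; otherwise the group of the lookup VRF is used
    (assumed behaviour for this model)."""
    vrf = lookup_vrf_for_payload(session_vrf, in_iface)
    group = flow_vrf_group if flow_vrf_group is not None else VRF_GROUP_OF.get(vrf)
    return Gate(zone, None, media_ip, None, media_port, "udp", group)


def policy_search(policies, from_zone, to_zone, src_grp, dst_grp) -> str:
    """First policy whose zones match and whose VRF groups match or are unset."""
    for p in policies:
        if ((p.from_zone, p.to_zone) == (from_zone, to_zone)
                and _wild(p.src_vrf_group, src_grp)
                and _wild(p.dst_vrf_group, dst_grp)):
            return p.action
    return "deny"


def first_path(gates, policies, pkt: Packet, to_zone: str) -> str:
    """Outcome for the first packet of a data session: 'no-gate' when no gate
    matches, otherwise the action of the policy search after the gate hit.
    Control and data sessions share one VRF group, so the packet's group is
    used for both the source and destination side of the policy key."""
    for g in gates:
        if gate_matches(g, pkt):
            return policy_search(policies, pkt.zone, to_zone, pkt.vrf_group, pkt.vrf_group)
    return "no-gate"


if __name__ == "__main__":
    # Constructed scenario: a SIP call in vrf-a negotiates RTP to 10.1.1.20:16384.
    gate_a = create_gate("vrf-a", "ge-0/0/0.100", "untrust", "10.1.1.20", 16384, "grp-a")
    policies = [Policy("untrust", "trust", "grp-a", "grp-a", "permit"),
                Policy("untrust", "trust", None, None, "deny")]
    rtp_a = Packet("untrust", "203.0.113.5", "10.1.1.20", 40000, 16384, "udp", "grp-a")
    rtp_b = Packet("untrust", "203.0.113.5", "10.1.1.20", 40000, 16384, "udp", "grp-b")
    print(first_path([gate_a], policies, rtp_a, "trust"))  # permit
    print(first_path([gate_a], policies, rtp_b, "trust"))  # no-gate
```

The overlapping address space is the point of the model: the same destination IP and port exist in both VRFs, and without the VRF group in the gate key a media stream from one tenant would open the pinhole negotiated by another.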