Source Interface Configuration

Source Interface Configuration Overview

On network devices operating with SD-AVC, you can specify the interface to be used for communication from the device to the SD-AVC network service, using the source-interface command. This can be any type of interface, including virtual, such as a loopback interface.

When the network device sends packets to the SD-AVC network service, the Source IP of the packets will be the IP address of the interface specified by the source-interface command.

Specifying the interface for SD-AVC traffic can address several issues described in Scenarios that Benefit from Source Interface Configuration.

Background

Network devices appear in the SD-AVC Dashboard, identified by an address. Typically, this is the IP of the interface on the device used for communication between the device and the SD-AVC network service. The routing table on the device determines the interface(s) used for communication with the SD-AVC network service.

In the following example, the default path for packets sent from the device to the network service will be:

  • Source: 1.1.1.1
  • Destination: 9.9.9.9

In this case, the network device appears in the SD-AVC Dashboard, identified as 1.1.1.1, as shown below.

Scenarios that Benefit from Source Interface Configuration

Specifying a source interface for SD-AVC traffic can be helpful in numerous scenarios.

  • Improve visibility by providing a consistent IP address for SD-AVC traffic.

  • Simplify configuring a network firewall by providing a consistent source IP address for SD-AVC traffic.

  • Separate SD-AVC FTP traffic from non-SD-AVC FTP traffic.

Scenario: Default Connection Down

If the default path between a network device and the SD-AVC service is not available, and traffic is routed over a different interface, the source of the packets may change. For example:

  • Default packet source: 1.1.1.1
  • Packet source when using secondary path: 2.2.2.2

In the following example, the default path is not available, and packets sent from the device to the network service will follow the secondary path (using interface 2.2.2.2) instead of the default (interface 1.1.1.1):

  • Source: 2.2.2.2
  • Destination: 9.9.9.9

Earlier, the network device appeared in the SD-AVC Dashboard as 1.1.1.1. Now it appears as 2.2.2.2, reflecting the secondary path to the SD-AVC network service. The device hostname remains the same, but the IP has changed, as shown below. This may not be desired.

Configuring a consistent source interface ensures that the network device appears in the SD-AVC Dashboard with a consistent IP.

This can be accomplished by creating a loopback interface (5.5.5.5 in the example below) and setting it to be the source interface for all SD-AVC traffic from the device. See Specifying a Loopback as Source Interface.

Regardless of the path used for SD-AVC traffic, the device appears consistently in the SD-AVC Dashboard as 5.5.5.5.

Scenario: Network Firewall Policy

In some network configurations, a firewall blocks all traffic to the SD-AVC network service, other than devices on a whitelist. This may require whitelisted devices to present themselves to the firewall with a consistent IP address. In the following illustration, traffic to the SD-AVC network service can use the 1.1.1.1 or 2.2.2.2 paths.

Configuring a consistent source interface ensures that SD-AVC traffic from the network device consistently presents itself to the firewall with the same IP. This simplifies firewall whitelist policy.

This can be accomplished by creating a loopback interface (5.5.5.5 in the example below) and setting it to be the source interface for all SD-AVC traffic from the device. See Specifying a Loopback as Source Interface.
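The two scenarios above (Default Connection Down and Network Firewall Policy), worked as an added Python model that is not part of the original documentation and not Cisco code: a longest-prefix-match routing table picks the egress interface, the SD-AVC source IP follows that interface unless a source-interface is configured, and a firewall whitelist built from the address the Dashboard first showed is checked against both paths. The interface names, the /32 route to the service, and the topology are constructed assumptions; the addresses 1.1.1.1, 2.2.2.2, 5.5.5.5 and 9.9.9.9 follow the page.

```python
import ipaddress

# Constructed topology for the page's scenarios (not a real device's state):
# interface -> address. 1.1.1.1 is the default path, 2.2.2.2 the secondary
# path, 5.5.5.5 the loopback, 9.9.9.9 the SD-AVC network service.
INTERFACES = {
    "GigabitEthernet1": "1.1.1.1",
    "GigabitEthernet2": "2.2.2.2",
    "Loopback0": "5.5.5.5",
}
SDAVC_SERVICE = "9.9.9.9"

def routing_table(default_up=True):
    """Routes as (prefix, exit interface, usable). The default path is a
    specific /32 to the service; the secondary path is the default route."""
    return [
        (ipaddress.ip_network("9.9.9.9/32"), "GigabitEthernet1", default_up),
        (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet2", True),
    ]

def egress_interface(dst, routes):
    """Longest-prefix match over usable routes, as the device's RIB does."""
    dst = ipaddress.ip_address(dst)
    usable = [(net, intf) for net, intf, up in routes if up and dst in net]
    if not usable:
        raise LookupError(f"no route to {dst}")
    return max(usable, key=lambda r: r[0].prefixlen)[1]

def source_ip(dst, routes, source_interface=None):
    """Source IP stamped on SD-AVC packets to dst: the egress interface's
    address by default, or the configured source-interface's address."""
    return INTERFACES[source_interface or egress_interface(dst, routes)]

def firewall_permits(src, whitelist):
    """Firewall in front of the service: permit only whitelisted source IPs."""
    return src in whitelist

def scenario(source_interface=None):
    """(source IP on the default path, source IP after the default path fails)."""
    up = source_ip(SDAVC_SERVICE, routing_table(True), source_interface)
    down = source_ip(SDAVC_SERVICE, routing_table(False), source_interface)
    return up, down

if __name__ == "__main__":
    for cfg in (None, "Loopback0"):
        up, down = scenario(cfg)
        # A whitelist built from the address the Dashboard showed at first.
        print(f"source-interface={cfg}: default={up}, failover={down}, "
              f"still whitelisted={firewall_permits(down, {up})}")
```

Without a source-interface the failover path changes the source to 2.2.2.2 and a whitelist of 1.1.1.1 blocks it; with Loopback0 the source stays 5.5.5.5 on both paths.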

Scenario: Internal FTP/HTTP Server

In some network configurations, a network device communicates with an FTP/HTTP server through an interface that cannot reach the SD-AVC network service. This can cause conflict with the FTP/HTTP communications between the SD-AVC agent on the network device and the SD-AVC network service.

To avoid conflict between different types of FTP/HTTP activity, use the source-interface command to specify an interface that can reach the SD-AVC network service. This enables SD-AVC FTP/HTTP traffic on one interface, and other FTP/HTTP traffic on another interface.

In the example below:

  • Non-SD-AVC FTP/HTTP traffic is on gigabitEthernet interface 3:

    Device(config)#ip ftp source-interface gigabitEthernet 3
    Device(config)#ip http client source-interface gigabitEthernet 3

  • SD-AVC FTP/HTTP traffic uses the loopback interface as source (see Specifying a Loopback as Source Interface):

    Device(config-sd-service-controller)#source-interface loopback0

Configuring Source Interface for SD-AVC Communication

On network devices, use the source-interface command to specify the source interface, and therefore the Source IP, for SD-AVC traffic.

You can specify any physical or virtual interface on the device, but to address the scenarios described above, use a loopback interface.

Specifying a Loopback as Source Interface

To address scenarios such as those described above, create a virtual (loopback) interface and specify that SD-AVC traffic sent from the network device to the SD-AVC network service will use the virtual interface to define the Source address. The Source IP for SD-AVC packets sent from the network device will be the IP address of the specified interface.

  1. On the network device, create a loopback interface (virtual), and assign it an IP address.

  2. On the SD-AVC network service host, ensure access to the loopback interface on the network device.

    Note

    This may require adding one or more routing table entries to enable access to the loopback interface. Configuring a routing table path to the loopback interface may be something like this:

    ip route device-loopback-ip 255.255.255.255 device-physical-interface

    Example:

    HostDevice(config)#ip route 5.5.5.5 255.255.255.255 1.1.1.1

  3. On the network device, use the source-interface command to select the loopback interface. In the example, the loopback interface is loopback0.

    In configuration mode:

    • avc sd-service
    • segment segment
    • controller
    • address sd-avc-network-service-IP
    • source-interface source-interface

    Example:

    Device(config)#avc sd-service
    Device(config-sd-service)#segment sdavc
    Device(config-sd-service)#controller
    Device(config-sd-service-controller)#address 9.9.9.9
    Device(config-sd-service-controller)#source-interface loopback0

In the SD-AVC Dashboard, the network device will be identified consistently by the specified source interface. In the example above, the source interface specified is loopback0, with IP 5.5.5.5.

Note

The IP is updated in the Dashboard when the network device sends an update to the SD-AVC network service.
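An added configuration check for the three-step procedure above (example code, not from the documentation or from Cisco): it parses a constructed IOS-style running-config excerpt for the source-interface under avc sd-service, confirms that interface is a loopback with an address, and confirms the SD-AVC network service host has the /32 route from step 2. The function names and the config text are assumptions; a check that returns no findings is what a reviewer expects before trusting the Dashboard identity.

```python
import re

# Constructed IOS-style running-config excerpt mirroring the page's CLI example
# (not captured from a real device); HOST_ROUTES is the service host's side of step 2.
DEVICE_CONFIG = """\
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
avc sd-service
 segment sdavc
 controller
  address 9.9.9.9
  source-interface loopback0
!
"""
HOST_ROUTES = ["ip route 5.5.5.5 255.255.255.255 1.1.1.1"]

def sdavc_source_interface(config):
    """Return the source-interface under 'avc sd-service' (lower-cased), or None."""
    in_block = False
    for line in config.splitlines():
        if line.startswith("avc sd-service"):
            in_block = True
        elif line.startswith("!"):
            in_block = False
        elif in_block and (m := re.match(r"\s+source-interface (\S+)", line)):
            return m.group(1).lower()
    return None

def interface_ip(config, intf):
    """IPv4 address configured on intf (interface names match in either case), or None."""
    m = re.search(rf"^interface {re.escape(intf)}\n ip address (\S+) ",
                  config, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def check_source_interface(config, host_routes):
    """Findings: loopback in use, loopback addressed, host has a /32 route to it."""
    intf = sdavc_source_interface(config)
    if intf is None:
        return ["no source-interface set; source IP follows the routing table"]
    findings = []
    if not intf.startswith("loopback"):
        findings.append(f"{intf} is not a loopback; source IP may change on failover")
    ip = interface_ip(config, intf)
    if ip is None:
        findings.append(f"{intf} has no IP address")
    elif not any(r.startswith(f"ip route {ip} 255.255.255.255 ") for r in host_routes):
        findings.append(f"service host lacks a /32 route to {ip}")
    return findings
```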