Smart-channel and Catena: Next generation Layer 4-7 services scaling technologies


2 Smart-channel and Catena: Next generation Layer 4-7 services scaling technologies Avni Baveja, Software Engineer Samar Sharma, Principal Engineer BRKDCN-1020

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkdcn Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Smart Channel for Line-Rate Traffic Distribution, Redirection
Catena for Secure Segmentation, Service Chaining and Analytics

5 By % of the population will be using the internet By GB of internet traffic per month, per user By networked devices and connections per person By % of all internet traffic will be video By Mbps of the population will be using the internet By Mbps average mobile speed Source: Cisco VNI Forecast

6 Networks/switches have multi-terabit capacity. Appliances/servers have a few gigabits of capacity. How to bridge this performance gap?

7 Smart Channel

8 Agenda
- What is Smart Channel?
- Why Smart Channel?
- How to deploy?
- Use Cases
- Configuration and Troubleshooting
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

9 What is Smart-channel?
Smart Channel is an intelligent, ASIC-based (hardware) multi-terabit traffic distribution and redirection solution. It can transparently load balance across many devices at line-rate speed. Smart Channel can be used to build a scalable architecture for load balancing, traffic distribution and redirection.

10 Smart-channel
- Hardware-based traffic distribution solution
- Load balancing in L2 scenarios (e.g., transparent-mode appliances)
- Resilient and consistent hashing
- Traffic redirection to any type of device
- Works on most of the Cisco ASICs and line cards (LCs), e.g. Nexus 9k/7k
- Selective traffic distribution (include/exclude certain traffic*)
*On roadmap/EFT

11 Network topology using Smart Channel
[Figure labels: Smartchannel, N7k1, Nexus 9000]
- Hardware-based algorithm splits the traffic
- ACL selection, redirection, load balancing
- Many devices can be part of a Smart Channel
- No MAC or IP rewrite is done

12 Smart-Channel Configuration Components
PORT GROUP
- Ports connected to appliance/device
SMART CHANNEL SERVICE
- Port group
- Load-balance method
- Buckets
- Include/exclude filters
- VLAN list
- Mode (trunk or access)
*Roadmap/EFT

13 Basic Smart-Channel Configuration
[Figure labels: Smartchannel, Vlan, N7k1]
Step 1: Create a port group of ports to load balance traffic
    smart-channel port-group monitor-group
      interface Eth1/11
      interface Eth1/13
      ..
      interface Eth1/40
      interface Eth1/41
Step 2: Create and enable Smart Channels
    smart-channel svc-vlan10
      port-group monitor-group
      vlan 10
      load-balance method dst ip
      source ip filter any any
      no shutdown

14 Smart Channel: Resilient/Consistent Load Balancing
[Figure labels: Smartchannel, N7k1; Flow S1: Device 1; Flow S1: Match Port 1]
Flow sets: S1, S2, S3, S
Flow sets: S5, S6, S7, S
Flow sets: S9, S10, S11, S12
Flow sets: S13, S14, S15, S16
TCAM-based algorithm splits the traffic (there is no actual hashing)

15 Smart Channel: Resilient/Consistent Load Balancing
[Figure labels: Smartchannel, N7k1; Flow S5: Device 2; Flow S5: Match Port 2]
Flow sets: S1, S2, S3, S4
Flow sets: S5, S6, S7, S
Flow sets: S9, S10, S11, S12
Flow sets: S13, S14, S15, S16
TCAM-based algorithm splits the traffic (there is no actual hashing)

16 Smart channel: No Disruption/rehashing of flows with failures
[Figure labels: Smartchannel, N7k1]
Flow sets:
Flow sets: S5, S6, S7, S8, S1, S4
Flow sets: S9, S10, S11, S12, S
Flow sets: S13, S14, S15, S16, S3
TCAM-based algorithm splits the traffic (there is no actual hashing)
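The redistribution drawn on slides 14 to 16, as an added Python sketch (not Cisco's implementation and not part of the original slides): a static flow-set table in which a port failure moves only the failed port's flow sets, contrasted with naive hash-mod-N placement. Assumptions: the low bits of the source IP select the flow set, orphaned flow sets are handed to the surviving ports in round-robin order (chosen to match the slide-16 lists), and the four-port group and the 10.0.0.0/24 sources are constructed sample data.

```python
import ipaddress

FLOW_SETS = 16  # S1..S16 as drawn on the slides


def build_table(ports, flow_sets=FLOW_SETS):
    """Flow set -> port, in contiguous blocks (S1-S4 on the first port, ...)."""
    if flow_sets % len(ports):
        raise ValueError("flow sets must divide evenly across the ports")
    per_port = flow_sets // len(ports)
    return {s: ports[(s - 1) // per_port] for s in range(1, flow_sets + 1)}


def fail_port(table, failed):
    """Copy of the table in which only the failed port's flow sets are moved."""
    survivors = list(dict.fromkeys(p for p in table.values() if p != failed))
    if not survivors:
        raise RuntimeError("no active port left in the group")
    after = dict(table)
    orphans = [s for s in sorted(table) if table[s] == failed]
    for i, s in enumerate(orphans):
        after[s] = survivors[i % len(survivors)]  # assumed round-robin handout
    return after


def flow_set(src_ip, flow_sets=FLOW_SETS):
    """Assumed selector: low bits of the source address pick the flow set."""
    return int(ipaddress.ip_address(src_ip)) % flow_sets + 1


def moved_resilient(before, after, src_ips):
    """Sources whose egress port changed between two flow-set tables."""
    return [ip for ip in src_ips if before[flow_set(ip)] != after[flow_set(ip)]]


def moved_modulo(ports, failed, src_ips):
    """Contrast case: hash mod N over the live ports, recomputed after failure."""
    live = [p for p in ports if p != failed]

    def pick(ip, group):
        return group[int(ipaddress.ip_address(ip)) % len(group)]

    return [ip for ip in src_ips if pick(ip, ports) != pick(ip, live)]


def sets_by_port(table):
    """Group flow-set numbers by the port they currently map to."""
    out = {}
    for s, p in sorted(table.items()):
        out.setdefault(p, []).append(s)
    return out


PORTS = ["Eth1/11", "Eth1/13", "Eth1/40", "Eth1/41"]  # constructed 4-port group
SOURCES = [f"10.0.0.{i}" for i in range(256)]          # constructed sample sources

if __name__ == "__main__":
    before = build_table(PORTS)
    after = fail_port(before, "Eth1/11")
    for port, sets in sets_by_port(after).items():
        print(port, ["S%d" % s for s in sets])
    print("moved (flow-set table):", len(moved_resilient(before, after, SOURCES)))
    print("moved (hash mod N):    ", len(moved_modulo(PORTS, "Eth1/11", SOURCES)))
```

For stateful monitoring appliances such as an IPS or IDS, each moved source is a session that arrives at a sensor holding no prior state for it, so the moved count is the figure to compare.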

17 Smart-channel can be used to do weighted load balancing
[Figure labels: Weighted Smartchannel, N7k1]
Weight W1: TCAM match, flow sets: S3, S4, S5, S6, S7, S8
Weight W2: TCAM match, flow sets: S1, S2
Weight W3: TCAM match, flow sets: S9, S10, S11
Weight W4: TCAM match, flow sets: S12, S13, S14, S15
TCAM-based algorithm splits the traffic according to weights

18 Benefits of Smart Channel
- Line-rate load balancing
- Resilient hash (flows are not re-hashed on node addition/removal)
- IP stickiness
- Not dependent on Nexus HW architecture
- Same hashing irrespective of line-card types, ASICs, Nexus 9k/7k/6k/5k, etc.
- Symmetric hash even across different types of switches
- Health monitoring
- User can select the traffic to be redirected, via ACL
- The solution handles an unlimited number of flows

19 Benefits of Smart Channel
- CAPEX saving: wiring, power, rack space and cost savings
- No additional header on the packet
- Supports NX-API, CLI, XML
- Weighted load balancing
- No control protocol needed
- Simplified provisioning and ease of deployment

20 Comparison between Ether-channel and Smart-Channel
Feature/Benefit (columns: Port Channel, Smart Channel)
- Link failure detection
- Weighted load balancing *
- Traffic selection *
- Hashing is the same irrespective of wiring, port numbering, reboot, link bring-up
- Same hashing/mapping across all types of line cards/switches
- Resilient: non-disruptive to existing flows
- Max # of nodes for scaling
- Ease of configuration, troubleshooting
- Load-balancing method per VLAN/port
* Roadmap/EFT

21 Use-cases

22 Use-cases of Smart-Channel
- Scale out monitoring networks
- IPS, IDS, loggers, security appliances, ISE
- Scale out the transparent devices
- WSA
- VDS-TC (Video Scape Transparent caching)
- WAF (web application firewall)
- Virtual appliances, like CSP, vWAAS, ASAv, CSR, vWLC
- Improve the clustering solution
- ASA Scale Firepower, Sourcefire
- Traffic steering, redirection

23 How to Scale Monitoring Networks with Smart Channel?
[Figure labels: Servers, Clients, Production Network, Monitoring Network, Nexus Data Broker, Smartchannel, RX/TX vlan]
Appliances, such as: IPS, IDS, WAF, WAE, virtual appliances, open-source IPS, analytics tools, video monitoring
Examples: ASA, Sourcefire, Firepower, ISE, WSA, WAAS, CSP, vWAAS, ASAv, CSR, vWLC

24 How to Scale Monitoring Networks with Smart Channel?

25 Configuring Smart-channel

26 Basic Smart-Channel Configuration
[Figure labels: Smartchannel, Vlan, N7k1]
Step 1: Create a port group of ports to load balance traffic
    smart-channel port-group monitor-group
      interface Eth1/11
      interface Eth1/13
      ..
      interface Eth1/50
      interface Eth1/51
Step 2: Create and enable Smart Channels
    smart-channel svc-vlan10
      port-group monitor-group
      vlan 10
      load-balance method dst ip
      no shutdown

27 Smart-channel Enabling Feature
[no] feature smart-channel
- Executed in CLI config mode
- Enables/disables the smart-channel feature
    N7k# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    N7k(config)# feature smart-channel
    N7k# sh feature | grep smart-channel
    smart-channel 1 enabled

28 Smart-channel Service Creation Steps
Three primary steps to configure a smart-channel service:
1. Create port group
2. Create smart-channel service
3. Attach port group to smart-channel service
NOTE: smart-channel is a conditional feature and needs to be enabled via feature smart-channel

29 Smart-channel Configuring port Group
[no] smart-channel port-group <port-group-name>
- Executed in CLI config mode
- Creates/deletes a port group
    N7k(config)# feature smart-channel
    N7k(config)# smart-channel port-group WEBSERVERS
    N7k(config-port-group)# interface Eth 2/2
    N7k(config-port-group)# interface Eth 2/3
    N7k(config-port-group)# interface Eth 2/4
    N7k(config-port-group)# interface Eth 2/5
    N7k(config-port-group)#

30 Smart-channel Configuring a Service
[no] smart-channel <service-name>
- Executed in CLI config mode
- Creates/deletes a smart-channel service
    N7k(config)# smart-channel WebTraffic

31 Smart-channel Configuring Vlans
[no] access vlan <access-vlan> | vlan <vlan range>
- Executed in CLI config mode
- Executed as sub-mode of smart-channel service CLI
- Specifies the list of VLANs for the smart-channel service
- access vlan for an access VLAN
- vlan <vlan-range> for trunked VLANs
    N7k(config)# smart-channel WebTraffic
    N7k(config-smart-channel)# vlan
Or
    N7k(config)# smart-channel WebTraffic
    N7k(config-smart-channel)# access vlan 10

32 Smart-channel Associating port Group
[no] port-group <port group name>
- Executed in CLI config mode
- Executed as sub-mode of smart-channel service CLI
- Specifies the port group to associate with the smart-channel service
    N7k(config)# smart-channel WebTraffic
    N7k(config-smart-channel)# vlan
    N7k(config-smart-channel)# port-group WEBSERVERS

33 Smart-channel Configuring Load-balance Method
[no] load-balance method [src | dst]
- Executed in CLI config mode
- Executed as sub-mode of smart-channel service CLI
- Specifies the load-balancing method
    N7k(config)# smart-channel WebTraffic
    N7k(config-smart-channel)# vlan
    N7k(config-smart-channel)# port-group FW-INSPECT
    N7k(config-smart-channel)# load-balance method src ip Bucket 16

34 Smart-channel Configuring filters
[no] destination filter ip <ip-address> [<net mask> | <prefix>] [ip | tcp <port-num> | udp <port-num>]
- Executed in CLI config mode
- Executed as sub-mode of smart-channel service CLI
- Used to select certain destination subnets
    N7k(config)# smart-channel WebTraffic
    N7k(config-smart-channel)# vlan
    N7k(config-smart-channel)# port-group WEBSERVERS
    N7k(config-smart-channel)# load-balance method src ip
    N7k(config-smart-channel)# destination filter ip
    N7k(config-smart-channel)# source filter ip

35 Smart-channel Creating smart-channel Service
smart-channel service attributes:
- port-group: associate port group with service
- access vlan: specify access VLAN
- vlan <1-3967>: range of trunked VLANs
- load-balance: select load distribution method
- destination filter: configure destination filter IP
- source filter: configure source filter IP
    switch(config)# smart-channel svc
    switch(config-smart-channel)# ?
      access        Access vlan
      destination   Destination ip configuration
      load-balance  Loadbalance
      port-group    Smart channel port group
      shutdown
      source        Source ip configuration
      vlan          trunk Vlans
    N7k(config-smart-channel)# load-balance method ?
      dst  Destination based parameters
      src  Source based parameters
    N7k(config-smart-channel)# load-balance method src ?
      ip  IP
    N7k(config-smart-channel)# destination filter ip ?
      tcp  TCP Protocol
      udp  UDP Protocol
    N7k(config-smart-channel)# source filter ip ?

36 Load-balance Bucket
- The load-balance Bucket option lets the user specify the number of ACLs created per service.
- The Bucket value must be configured in powers of 2.
- When more Buckets are configured than there are configured active interfaces, the Buckets are applied in round robin.
- Bucket configuration is optional; by default the value is computed based on the number of interfaces in the port group.

37 Smart-channel Port Events
- If a port fails, reassign is configured by default.
- When an interface goes down (failed), the traffic is reassigned to the first available active interface.
- When the interface comes back up from the failed state, the interface that came up starts handling the connections.
- If all the interfaces are down, the packets are forwarded automatically.

38 Smart-channel sample configurations

39 Smart-channel Configure a Service
[Figure labels: smartchannel Service, e 3/1, 2/2, 2/4]
N7k-1 configuration:
    N7k-1(config)# feature smart-channel
    N7k-1(config)# smart-channel port-group FW-INSPECT
    N7k-1(config-port-group)# interface Eth 2/2
    N7k-1(config-port-group)# interface Eth 2/3
    N7k-1(config-port-group)# interface Eth 2/4
    N7k-1(config-port-group)# interface Eth 2/5
    N7k-1(config)# smart-channel WebTraffic
    N7k-1(config-smart-channel)# vlan 10
    N7k-1(config-smart-channel)# port-group FW-INSPECT
    N7k-1(config-smart-channel)# load-balance method src ip
    N7k-1(config-smart-channel)# no shut
N7k-2 configuration:
    N7k-2(config)# feature smart-channel
    N7k-2(config)# smart-channel port-group FW-INSPECT
    N7k-2(config-port-group)# interface Eth 12/2
    N7k-2(config-port-group)# interface Eth 12/3
    N7k-2(config)# smart-channel WebTraffic
    N7k-2(config-smart-channel)# vlan 20
    N7k-2(config-smart-channel)# port-group FW-INSPECT
    N7k-2(config-smart-channel)# load-balance method dst ip
    N7k-2(config-smart-channel)# no shut
Configuration steps:
1. Enable the smart-channel feature on both N7k
2. Configure a port group
3. Configure a smart-channel service
   a) Configure service name
   b) Specify VLAN
   c) Associate port group
   d) Specify load distribution scheme
   e) Activate smart-channel service

40 Troubleshooting Smart-channel

41 show commands smart-channel
    switch(config-smart-channel)# show smart-channel svc1
    Legend: ST(Status): ST-Standby,LF-Link Failed,PF-Probe Failed,PD-Peer Down,IA-Inactive
    Name LB Scheme Status Buckets
    svc1 dst-ip ACTIVE 2
    Port Group
    Pool Vlans Status
    svc1_smartc_pool
    Source/Destination Filter Protocol Port / IP
    Member-Interface WGT
    Ethernet2/6 1
    Bucket List
    svc1_smartc_ip_1_bucket_1
    Member-Interface WGT
    Ethernet2/7 1
    Bucket List
    svc1_smartc_ip_1_bucket_2
Show running-config smart-channel:
    !command: show running-config smart-channel
    !time: Fri Sep 21 17:05:
    version 7.3(0)D1(1)
    feature smart-channel
    smart-channel port-group 3
      interface Eth2/6
      interface Eth2/7
    smart-channel svc1
      port-group 3
      vlan
      source filter ip
      load-balance method dst ip
      no shutdown

42 Verifications for smart-channel
When a Smart Channel is active, the following is a checklist:
1. Make sure the Smart Channel ACLs and VLAN ACLs are created
2. Check that the Smart Channel ports configuration has the VLAN allowed and the mode set, and check that the port is up
3. Verify the Smart Channel TCAM entries

43 Step 1) Smart Channel ACLs and VLAN ACLs created
Example config:
    feature smart-channel
    smart-channel port-group 3
      interface Eth2/6
      interface Eth2/7
    smart-channel svc1
      port-group 3
      vlan
      source filter ip
      load-balance method dst ip
      no shutdown
Check:
    switch(config)# sh run aclmgr
    !command: show running-config aclmgr
    !time: Fri Sep 21 17:06:
    version 7.3(0)D1(1)
    ip access-list smartc_svc1_smartc_pool_allow_all_vacl
      10 permit ip any any
    ip access-list svc1_smartc_ip_1_bucket_1
      10 permit ip /
    ip access-list svc1_smartc_ip_1_bucket_2
      10 permit ip /
    vlan access-map svc1_smartc_pool 10
      match ip address svc1_smartc_ip_1_bucket_1
      action redirect Ethernet2/6
    vlan access-map svc1_smartc_pool 11
      match ip address svc1_smartc_ip_1_bucket_2
      action redirect Ethernet2/7
    vlan access-map svc1_smartc_pool 12
      match ip address smartc_svc1_smartc_pool_allow_all_vacl
      action forward
    vlan filter svc1_smartc_pool vlan-list

44 Step 2) Smart Channel ports configuration
Example config:
    feature smart-channel
    smart-channel port-group 3
      interface Eth2/6
      interface Eth2/7
    smart-channel svc1
      port-group 3
      vlan
      source filter ip
      load-balance method dst ip
      no shutdown
Check:
    switch(config)# sh run int eth 2/6-7
    !command: show running-config interface Ethernet2/6-7
    !Time: Fri Sep 21 17:13:
    version 7.3(0)D1(1)
    interface Ethernet2/6
      switchport
      switchport mode trunk
      switchport trunk allowed vlan
      no shutdown
    interface Ethernet2/7
      switchport
      switchport mode trunk
      switchport trunk allowed vlan
      no shutdown

45 Step 3) Smart Channel TCAM entries
Example config:
    feature smart-channel
    smart-channel port-group 3
      interface Eth2/6
      interface Eth2/7
    smart-channel svc1
      port-group 3
      vlan
      source filter ip
      load-balance method dst ip
      no shutdown
Check:
    show system internal access-list vlan 10 input statistics

46 show smart-channel debug/event history
    switch# show system internal smartc event-history ?
      all       Show all logs of smartc
      debugs    Show debug logs of smartc
      errors    Show error logs of smartc
      events    Show event logs of smartc
      fsm       Fsm event logs
      infra     Show internal infra logs of smartc
      msgs      Show various message logs of smartc
      packets   Show packet logs of smartc
      warnings  Show warning logs of smartc
    switch(config-smart-channel)# debug smartc ?
      all           Configure all debug flags of smart-channel
      discovery     Configure debugging of Smartc discovery
      error         Configure debugging of smart-channel Errors
      events        Configure debugging of smartc Events
      fsm           Configure debugging of smart-channel FSM Events
      ha            Configure debugging of smart-channel HA
      infra         Configure debugging of smartc internal infra
      packets       Configure debugging of smartc Packets
      trace         Configure debugging of smart-channel trace
      trace-detail  Configure debugging of smartc detail trace
      warning       Configure debugging of smart-channel Warnings

47 Availability
N9k series N7k, N7700 : Already available in Freeport: NX-OS 7.0(3)I6(1) : EFT available ( on nxos-smartc@cisco.com for details)
License: Network Services License
References
Configuration Guide: x/interfaces/configuration/guide/b_cisco_nexus_9000_series_nx-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_01111.pdf
Contacts & Mailer: Avni Baveja : avbaveja@cisco.com, nxos-smartc@cisco.com

48 Agenda
- What is Catena
- Catena Use Cases
- Catena Benefits
- Catena Configuration
- Catena Sample Configurations

49 Video -all-in-one-service-chaining-solution/v/d-id/

50 What is Catena?
Catena is a multi-terabit security, service chaining, segmentation, analytics and L4-L7 applications integration solution, natively on the switch/router.

51 IT World Awards: Gold Winner

52 What does the word Catena mean?
Catena means Chain in several languages including English, Italian, Latin, Spanish

53 Problem Statement
[Figure labels: Network; Traffic Type 1, Traffic Type 2, Traffic Type N; Network Functions, e.g., Firewall, IPS, Load-balancer, NAT, Applications]


55 Catena
- Hardware-based application chaining
- Telemetry and analytics: natively on the switch
- No proprietary packet headers. No special hardware.
- Create multiple chains with multiple elements in each chain, e.g., firewall, IPS, IDS, DoS protection, WAAS, switches, VMs, containers
- Performs health monitoring and automatic failure handling
- Transparent insertion of appliances (configurations not required)
- Wire-speed performance
- Secure segmentation, e.g., each tenant can have its own chains
- Catena is also a platform, for which users can write apps

56 Deployment

57 Deployment: Transparent Mode
[Figure labels: Nexus switch, Firewall, IDS/IPS; Vlan 10, Vlan 20, Vlan 30; Eth 1/1, Eth 1/2, Eth 1/3, Eth 1/4, Eth 1/5, Eth 1/8; legend: Traffic without Catena, Traffic with Catena, Blocked Traffic with Catena]
Per-segment telemetry and analytics at each point in the network.

58 Deployment: Routed Mode
[Figure labels: Nexus switch, Appliance1, Appliance2, Appliance; Eth 2/1, Eth 2/2, Eth 2/3, Eth 1/1, Eth 1/8; legend: Traffic without Catena, Traffic with Catena, Blocked Traffic with Catena]
Per-segment telemetry and analytics at each point in the network.

59 Benefits of Catena
- Secure segmentation
- Insert/remove network functions
- Build an elastic data center
- User can select the traffic to be chained, via ACL
- No dependency on Nexus HW architecture
- Independent of line-card types, ASICs, Nexus 9k/7k, etc.
- No vendor-specific controller required
- Telemetry for each chain, for each element, for each category of traffic
- No proprietary packet headers
- Zero-touch appliance deployment

60 Benefits of Catena (Contd.)
- Zero latency: Catena adds no latency
- CAPEX savings: the user doesn't have to buy any service module or specialized hardware
- The Catena feature does not add any load to the supervisor
- No certification, integration, or qualification needed between the appliances and the switch
- OPEX savings: without Catena, the user has to do VLAN stitching or create default gateways, which is very hard to deploy and makes it hard to add/remove devices.
- Without Catena, either all the traffic is in a chain or not in a chain. Catena allows securely partitioning the traffic through multiple chains.
- Today's solution does not allow the user to create multiple chains using the same network elements. Catena allows that.

61 VXLAN Fabric: Traffic without Catena
[Figure: VXLAN Overlay with BGP-EVPN; labels: RR, RR, VxLAN Encap Packet, Host A (MAC_A, IP_), Host B (MAC_B, IP_), ASA Firewall, APP Firewall; legend: Traffic without Catena, Traffic with Catena, Blocked Traffic with Catena]

62 VXLAN Fabric: Traffic with Catena
[Figure: VXLAN Overlay with BGP-EVPN; labels: RR, RR, VxLAN Encap Packet, Host A (MAC_A, IP_), Host B (MAC_B, IP_), ASA Firewall, App Firewall; legend: Traffic without Catena, Traffic with Catena, Blocked Traffic with Catena]

63 Management for Catena
- CLI
- NX-API
- XML
- User-created apps on top of Catena
- DME: coming soon
- DCNM (Data Center Network Manager) GUI: coming soon

64 Health Monitoring Probes
- Link state: for transparent mode
- ICMP ping
- TCP port-number
- UDP port-number
- DNS
- HTTP
User can specify the probe frequency, timeout, retry-count etc.

65 Failure Handling Modes
In case a device fails, either:
- Forward the packet (normal L2/L3 forwarding)
- Bypass the current device
- Drop the packet

66 Configuring Catena

67 Catena Enabling
[no] feature catena
    switch# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    switch(config)# feature catena
    switch# sh feature | grep catena
    catena 1 enabled
NOTE: catena is a conditional feature and needs to be enabled via feature catena

68 Catena: Configuration Steps
1. Create port group
   - Add interfaces to the port group
2. Create VLAN group
   - Add VLANs to the VLAN group
3. Create device group
   - Add IP nodes to the device group
   - Probe to use for health monitoring of node
4. Create access list
5. Create catena instance

69 Configuring Port Group
[no] catena port-group <port-group-name>
    switch(config)# feature catena
    switch(config)# catena port-group pg1           ! Creating a port group
    switch(config-port-group)# interface Eth 2/2    ! Adding an interface
    switch(config-port-group)# interface Eth 2/3
    switch(config-port-group)# interface Eth 2/4
    switch(config-port-group)# interface Eth 2/5

70 Configuring VLAN Group
[no] catena vlan-group <vlan-group-name>
    switch(config)# feature catena
    switch(config)# catena vlan-group vg1    ! Creating a vlan group
    switch(config-vlan-group)# vlan 10       ! Adding a vlan
    switch(config-vlan-group)# vlan 20
    switch(config-vlan-group)# vlan
    switch(config-vlan-group)# vlan 50,55

71 Configuring Device Group
Device group contains:
- Node IP address
- Probe to use for health monitoring of nodes
[no] catena device-group <device-group-name>
If there are multiple nodes, then traffic will be load-balanced.
    switch(config)# feature catena
    switch(config)# catena device-group dg-1    ! Creating a device group
    switch(config-device-group)# node ip        ! Configuring an active node
    switch(config-device-group)# node ip        ! Configuring an active node
    switch(config-device-group)# probe icmp     ! Configuring a probe. Per dev-grp

72 Configuring Instance
[no] catena <instance-name>
- Creates/deletes a catena instance
    switch(config)# catena instance1

73 Configuring Chain & Sequence list
[no] chain <chain-id>
[no] <sequence-no> access-list <acl-name> {vlan-group <vg-name> | ingress-port-group <ipg-name>} {egress-port-group <epg-name> | egress-device-group <edg-name>} [mode <mode>]
    switch(config)# catena instance1
    switch(config-catena-instance)# chain 10
    switch(config-catena)# 10 access-list acl11 vlan-group vg1 egress-port-group pg1 mode forward
    switch(config)# catena instance2
    switch(config-catena-instance)# chain 20
    switch(config-catena)# 20 access-list acl12 ingress-port-group pg1 egress-device-group dg-1 mode forward

74 Creating Catena-Transparent Instance
    switch(config)# catena instance1
    switch(config-catena-instance)# ?
      chain     Chain for instance
      shutdown
    switch(config-catena)# chain ?
      < >  Chain ID
    switch(config-catena)# ?
      < >  Sequence number
    switch(config-catena)# 10 ?
      access-list  ACL list
    switch(config-catena)# 10 access-list acl10 ?
      ingress-port-group  Specify ingress port group name for ACL rule
      vlan-group          Specify vlan group name for ACL rule
    switch(config-catena)# 10 access-list acl10 vlan-group vg1 ?
      egress-port-group    Specify egress port group name for ACL rule
      egress-device-group  Specify egress device group name for ACL rule
    switch(config-catena)# 10 access-list acl10 vlan-group vg1 egress-port-group pg1 ?
      <CR>
      mode  Failure mode
    switch(config-catena)# 10 access-list acl10 vlan-group vg1 egress-port-group pg1 mode ?
      drop
      forward
      redirect

75 Creating Catena-Routed Instance
    switch(config)# catena instance2
    switch(config-catena-instance)# ?
      chain     Chain for instance
      shutdown
    switch(config-catena)# chain ?
      < >  Chain ID
    switch(config-catena)# ?
      < >  Sequence number
    switch(config-catena)# 10 ?
      access-list  ACL list
    switch(config-catena)# 10 access-list acl10 ?
      ingress-port-group  Specify ingress port group name for ACL rule
      vlan-group          Specify vlan group name for ACL rule
    switch(config-catena)# 10 access-list acl10 ingress-port-group pg1 ?
      egress-port-group    Specify egress port group name for ACL rule
      egress-device-group  Specify egress device group name for ACL rule
    switch(config-catena)# 10 access-list acl10 ingress-port-group pg1 egress-device-group dg1 ?
      <CR>
      mode  Failure mode
    switch(config-catena)# 10 access-list acl10 ingress-port-group pg1 egress-device-group dg1 mode ?
      drop
      forward
      redirect

76 Show Commands
Command syntax: show catena <instance-name> [brief]
- Displays more information for a given instance
Command syntax: show running-config catena
- Displays current catena running configuration

77 Catena sample configurations

78 Configure Catena-Transparent
[Figure labels: Nexus switch; Vlan 10, Vlan 20, Vlan 30; Eth 3/1, Eth 3/2, Eth 3/3]
Nexus configuration:
    N9k(config)# feature catena
    N9k(config)# catena port-group pg1
    N9k(config-port-group)# interface Eth 3/1
    N9k(config)# catena port-group pg2
    N9k(config-port-group)# interface Eth 3/2
    N9k(config)# catena vlan-group vg1
    N9k(config-vlan-group)# vlan 10
    N9k(config)# catena vlan-group vg2
    N9k(config-vlan-group)# vlan 20
    N9k(config)# ip access-list acl10
    N9k(config-acl)# 10 permit */24 any
    N9k(config)# catena instance1
    N9k(config-catena-instance)# chain 10
    N9k(config-catena)# 10 access-list acl10 vlan-group vg1 egress-port-group pg1 mode forward
    N9k(config-catena)# 20 access-list acl10 vlan-group vg2 egress-port-group pg2 mode forward
    N9k(config-catena-instance)# no shut
Similarly, the Catena return instance is configured.

79 Configure Catena-Routed
[Figure labels: Nexus switch, Appliance1, Appliance2; inside, outside; Eth 3/1, Eth 3/2, Eth 3/3, Eth 3/4, Eth 3/5]
    N9k(config)# feature catena
    N9k(config)# catena port-group pg1
    N9k(config-port-group)# interface Eth 3/1
    N9k(config)# catena port-group pg2
    N9k(config-port-group)# interface Eth 3/3
    N9k(config)# catena device-group dg-1
    N9k(config-device-group)# node ip
    N9k(config-device-group)# probe icmp
    N9k(config)# catena device-group dg-2
    N9k(config-device-group)# node ip
    N9k(config-device-group)# probe icmp
    N9k(config)# ip access-list acl10
    N9k(config-acl)# 10 permit /24 any
    N9k(config)# catena instance2
    N9k(config-catena-instance)# chain 10
    N9k(config-catena)# 10 access-list acl10 ingress-port-group pg1 egress-device-group dg-1 mode forward
    N9k(config-catena)# 20 access-list acl10 ingress-port-group pg2 egress-device-group dg-2 mode forward
    N9k(config-catena-instance)# no shut
Similarly, the Catena return instance is configured.
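An added audit sketch (not Cisco tooling and not part of the original slides) for the chain syntax and failure modes shown above: it parses a pasted Catena CLI session and reports, per chain element, whether a device failure leaves traffic flowing around the element or drops it. Assumptions: the CLI keyword redirect corresponds to the "bypass the current device" mode of slide 65, the behaviour when mode is omitted is not stated on the slides and is reported as unset, and the session text with its 192.0.2.x node addresses and the pg2/pg3/pg4 names is constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Optional

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "N9k(config-catena)# "
SEQ = re.compile(
    r"^(?P<seq>\d+)\s+access-list\s+(?P<acl>\S+)\s+"
    r"(?:vlan-group|ingress-port-group)\s+\S+\s+"
    r"(?P<kind>egress-port-group|egress-device-group)\s+(?P<egress>\S+)"
    r"(?:\s+mode\s+(?P<mode>drop|forward|redirect))?$"
)


@dataclass
class Element:
    instance: str
    chain: int
    seq: int
    kind: str
    egress: str
    mode: Optional[str]


def parse(text):
    """Return (chain elements, {device-group: probe or None}) from a CLI paste."""
    elements, probes = [], {}
    instance = chain = group = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"^catena device-group (\S+)$", line):
            group, instance = m.group(1), None
            probes.setdefault(group, None)
        elif re.match(r"^catena (port-group|vlan-group) ", line):
            group = instance = None
        elif m := re.match(r"^catena (\S+)$", line):
            instance, chain, group = m.group(1), None, None
        elif group and (m := re.match(r"^probe (\S+)", line)):
            probes[group] = m.group(1)
        elif instance and (m := re.match(r"^chain (\d+)$", line)):
            chain = int(m.group(1))
        elif instance and chain is not None and (m := SEQ.match(line)):
            elements.append(Element(instance, chain, int(m["seq"]),
                                    m["kind"], m["egress"], m["mode"]))
    return elements, probes


def audit(elements, probes):
    """List (instance, chain, seq, finding) tuples for review."""
    findings = []
    for e in elements:
        where = (e.instance, e.chain, e.seq)
        if e.mode is None:
            findings.append(where + ("mode-unset",))
        elif e.mode in ("forward", "redirect"):
            # Traffic keeps flowing without passing through the failed device.
            findings.append(where + ("fail-open",))
        if e.kind == "egress-device-group" and not probes.get(e.egress):
            findings.append(where + ("no-probe",))
    return findings


# Constructed session, modelled on the routed-mode sample configuration.
SAMPLE = """\
N9k(config)# feature catena
N9k(config)# catena port-group pg1
N9k(config-port-group)# interface Eth 3/1
N9k(config)# catena device-group dg-1
N9k(config-device-group)# node ip 192.0.2.10
N9k(config-device-group)# probe icmp
N9k(config)# catena device-group dg-2
N9k(config-device-group)# node ip 192.0.2.20
N9k(config)# catena instance2
N9k(config-catena-instance)# chain 10
N9k(config-catena)# 10 access-list acl10 ingress-port-group pg1 egress-device-group dg-1 mode forward
N9k(config-catena)# 20 access-list acl10 ingress-port-group pg2 egress-device-group dg-2 mode drop
N9k(config-catena)# 30 access-list acl10 ingress-port-group pg3 egress-port-group pg4
N9k(config-catena-instance)# no shut
"""

if __name__ == "__main__":
    for finding in audit(*parse(SAMPLE)):
        print(*finding)
```

Whether fail-open is acceptable depends on the element: for a firewall or IPS in the chain it means traffic continues uninspected while the device is down, whereas drop trades availability for enforcement.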


81 Catena Supported Platforms/Software Release
    Platform                  Version            License
    Nexus 7000/7700 Series    NX-OS 8.0(1)       Network Services
    Nexus 9000 Series         NX-OS 7.0(3)I6(1)  Network Services

82 References
Mailing list:
Config guide: sco_nexus7000_catena_config_guide_8x/configuring_catena.html
Command reference guide: d/cisco_nexus7000_catena_command_ref_8x.html
Blog:

83 Summary
How to build an elastic network (Data Center, Enterprise, Service Provider):
- Scale the same type of functions: Smart-Channel
- Insert different types of functions: Catena

