Cisco NSH Service Chaining Configuration Guide


Contents

NSH Service Chaining
Information About NSH-Service-Chaining
How to Configure NSH-Service-Chaining
Use Cases for NSH Service Chaining
Troubleshooting Tips
Additional References for NSH Service Chaining
Feature Information for NSH Service Chaining

Revised: July 28, 2016

NSH Service Chaining

Service chaining allows multiple service nodes to be included in a service path so that the packets that belong to a particular flow can travel through all the virtual service nodes in the service chain. The NSH Service Chaining feature uses Network Service Header (NSH), a service plane protocol, to create dynamic service chains. NSH Service Chaining allows you to place and dynamically add services anywhere in the network, and gives flexibility in the network for service provisioning.

Information About NSH-Service-Chaining

NSH Service Chaining

In common deployment models, Service Functions (SFs) are inserted into the data-forwarding path of peers communicating with each other. However, with the introduction of service chaining functionality, SFs are not required to be located on the direct data path; rather, the network traffic is routed through the required SFs, wherever they are deployed.

Classification

NSH Service Chaining allows traffic flows to be classified so that only the desired flows are passed to the service. Moreover, classification enables network traffic to be dynamically moved to different service functions and service function paths without the need for major configuration changes or topology rewiring.

Network Service Header (NSH)

NSH is added to network traffic, in the packet header, to create a dedicated service plane that is independent of the underlying transport control protocol. In general, NSH contains path identification information, which is needed to realize a service path. In addition, NSH adds the metadata information about the packet, service chain or both to an IP packet, depending on the header type configured.

Enterprise Policy Application (EPA)

The NSH Service Chaining feature can be configured either by using the Command Line Interface (CLI) or by using Enterprise Policy Application (EPA).

EPA is an application that is hosted on controllers such as Application Policy Infrastructure Controller Enterprise Module (APIC-EM). You can use the EPA GUI to configure a service chain based on services available in the network and apply a classifier to that chain. This information is then pushed to the controller (APIC-EM) to be applied to the network.

Benefits of Using NSH Service Chaining

NSH Service Chaining provides the following benefits:

Agility: Services can be placed anywhere in the network, and dynamically added.
Service provisioning: NSH service chaining need not be provisioned for peak traffic. Traffic types are classified so that only the desired flows are passed to the service.
Flexibility: Easy to implement across a range of devices, both physical and virtual.
Topological Independence: Network traffic can be dynamically moved to different service functions without requiring any changes to the network topology.

How to Configure NSH-Service-Chaining

Configuring Service Function Forwarder

To configure local Service Function Forwarder:

    service-chain service-function-forwarder local
     description local sff
     ip address 10.1.108.23

To configure remote Service Function Forwarder:

    service-chain service-function-forwarder abc
     ip address 10.10.108.1

Verifying the Service Function Forwarder Configuration

Use the show service-chain sff command to verify the SFF configuration.

    Device# show service-chain sff all statistics
    Service-Chaining SFF(local) Statistics Count...
    Sent:
      Packets diverted: 39
      Packets copied : 0
      Packets dropped : 0
    Service-Chaining SFF(abc) Statistics Count
    -----------------------
    Sent:
      Packets diverted: 0
      Packets copied : 0
      Packets dropped : 0

Configuring Service Function

To configure a Service Function (SF):

    service-chain service-function load-balance
     description load-balancer VM
     ip address 10.1.108.45
     encapsulation gre

Configuring Service Path

To configure service path:

    service-chain service-path 20
     service-index 2 service-function load-balance

Configuring Service-Chain Policy

To configure service-chain policy:

    access-list 103 permit ip any any
    class-map match-all all-ip
     match access-group 103
    !
    policy-map type service-chain dynamic
     class all-ip
      forward service-path 20 service-index 2

Applying Service-Chain Policy to an Interface

To apply service-chain policy to an interface:

    interface GigabitEthernet1
     description Lab 10.1.108.0 on VMNet4
     ip address 10.1.108.23 255.255.255.0
     service-policy type service-chain input dynamic
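
An added example, not part of the Cisco guide: a Python check to run over a saved configuration, confirming that each forward command enters its service path at an index that exists, that every hop names a defined service function, and that a function you require is on the path a classified flow takes. The sample configuration is constructed from this guide's command syntax; the audit function, its required parameter, and the assumption that hops are visited in descending service-index order from the entry index until terminate are this example's own.

```python
import re
from itertools import takewhile

# Constructed sample in this guide's command syntax (names and indexes are illustrative).
SAMPLE = """\
service-chain service-function load-balance
service-chain service-function firewall
service-chain service-path 20
 service-index 255 service-function load-balance
 service-index 254 service-function firewall
 service-index 253 terminate
policy-map type service-chain dynamic
 class all-ip
  forward service-path 20 service-index 255
"""
HOP = re.compile(r"service-index (\d+) (?:service-function (\S+)|terminate)")

def parse(config):
    """Return (defined functions, {path: {index: function or None}}, forward entries)."""
    functions, paths, forwards, hops = set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            hops = None                      # a new top-level command closes the path
        if m := re.fullmatch(r"service-chain service-function (\S+)", line):
            functions.add(m[1])
        elif m := re.fullmatch(r"service-chain service-path (\d+)", line):
            hops = paths.setdefault(int(m[1]), {})
        elif hops is not None and (m := HOP.fullmatch(line)):
            hops[int(m[1])] = m[2]           # None marks "terminate"
        elif m := re.fullmatch(r"forward service-path (\d+) service-index (\d+)", line):
            forwards.append((int(m[1]), int(m[2])))
    return functions, paths, forwards

def audit(config, required):
    """List problems per forward entry; `required` is this example's own policy input."""
    functions, paths, forwards = parse(config)
    findings = []
    for pid, entry in forwards:
        hops = paths.get(pid, {})
        if entry not in hops:
            findings.append(f"path {pid}: no hop at entry index {entry}")
            continue
        # Assumption: hops run in descending index order from the entry until terminate.
        order = sorted((i for i in hops if i <= entry), reverse=True)
        visited = list(takewhile(lambda sf: sf is not None, (hops[i] for i in order)))
        findings += [f"path {pid}: undefined service-function {sf}" for sf in visited if sf not in functions]
        if required not in visited:
            findings.append(f"path {pid}: entry index {entry} bypasses {required}")
    return findings
```

Calling audit(SAMPLE, "firewall") returns an empty list; changing the forward command to enter at service-index 253 produces a finding that the entry bypasses the firewall.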

Use Cases for NSH Service Chaining

Dynamic Service Insertion

Service functions can be inserted or deleted dynamically in a branch network. See the following figure for an illustration of the dynamic service insertion scenario.

Figure 1: Dynamic Service Insertion

The following example shows how to configure the dynamic service insertion scenario:

Service Chain Configuration

    service-chain service-function-forwarder local
     description local sff
     ip address 10.1.108.23
    service-chain service-function waas
     description waas-lan
     ip address 10.1.108.45
     encapsulation gre
    service-chain service-function load-balance
     description Load Balancer VM
     ip address 10.1.108.46
     encapsulation gre
    service-chain service-path 20
     service-index 255 service-function waas
     service-index 254 service-function load-balance
     service-index 253 terminate

Service Classifier Configuration

    access-list 103 permit ip any any
    class-map match-all all-ip
     match access-group 103
    policy-map type service-chain dynamic
     class all-ip
      forward service-path 20 service-index 255
    interface GigabitEthernet1
     description Lab 10.1.108.0 on VMNet4
     ip address 10.1.108.23 255.255.255.0
     service-policy type service-chain input dynamic

Service Chaining to Internet

You can classify the traffic destined for or originating from the Internet, and pass the traffic through a set of security features without disrupting traffic on the branch network. See the following figure for an illustration of service chaining to the Internet.

Figure 2: Service Chaining to Internet

The following example shows how to configure service chaining to the Internet.

Service Chain Configuration

    service-chain service-function-forwarder local
     description local sff
     ip address 10.1.108.23
    service-chain service-function wireshark
     description Wireshark VM
     ip address 10.1.108.45
     encapsulation gre
    service-chain service-function firewall
     ip address 10.1.108.19
     encapsulation none
    service-chain service-function firewall-out
     ip address 10.40.108.19
     encapsulation none
    service-chain service-path 40
     service-index 255 service-function wireshark
     service-index 254 service-function firewall
     service-index 253 terminate
    service-chain service-path 41
     service-index 255 service-function firewall-out
     service-index 254 terminate

Service Classifier Configuration

    access-list 103 permit ip any any
    class-map match-all all-ip
     match access-group 103
    policy-map type service-chain dia
     class all-ip
      forward service-path 40 service-index 255
    policy-map type service-chain dia-out
     class all-ip
      forward service-path 41 service-index 255
    interface GigabitEthernet1
     description Lab 10.1.108.0 on VMNet4
     ip address 10.1.108.23 255.255.255.0
     service-policy type service-chain input dia
    interface GigabitEthernet2
     description FW WAN side
     ip address 10.40.108.23 255.255.255.0
     service-policy type service-chain input dia-out

Troubleshooting Tips

Conditional Debugging

The NSH service chaining feature uses conditional debugging for troubleshooting any problems on the IOS-XE data plane side. Conditional Debugging allows you to selectively enable debugging and logging for the feature based on the set of conditions you define.

Before You Begin

You need to understand this sequence of steps before you start conditional debugging on your system:

1. First, define a set of conditions. Common examples of conditions are interface, access list, IP address, and so on.
2. Secondly, enable conditional debugging for the specific set of features.
3. Finally, start the conditional debug on your system.

Defining Conditions

    debug platform condition feature service-chain controlplane level verbose
    debug platform condition feature service-chain dataplane submode all level verbose

Enabling Conditional Debugging

    debug platform condition [ingress both]

Starting Conditional Debugging

    debug platform condition start

Stopping Conditional Debugging

    debug platform condition stop

The debug logs are stored in the platform shell of the specific Forwarding Processor (FP).

Verifying Conditional Debugging

    show platform conditions

Note: Use the clear debug platform condition all command to remove the debug conditions applied to the platform.

Additional References for NSH Service Chaining

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: Cisco IOS Wide-Area Networking Command Reference
Document Title: Cisco IOS Wide-Area Networking Command Reference

Standards and RFCs

Standard/RFC: RFC 7665
Title: Service Function Chaining (SFC) Architecture

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/c/en/us/support/index.html

Feature Information for NSH Service Chaining

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for NSH Service Chaining

Feature Name: NSH Service Chaining
Releases: Cisco IOS XE Denali 16.3.1
Feature Information: Service chaining allows multiple service nodes to be included in a service path so that the packets that belong to a particular flow can travel through all the virtual service nodes in the service chain. NSH Service Chaining feature uses Network Service Header (NSH), a service plane protocol, to create dynamic service chains. NSH Service Chaining allows you to place and dynamically add services anywhere in the network, and gives flexibility in the network for service provisioning. The following commands were introduced or modified by this feature: service-chain service-function-forwarder.
