virtual tech update - cisco · virtual tech update itd: intelligent traffic director nexus hardware...

Virtual Tech Update

ITD: Intelligent Traffic Director Nexus Hardware Update (7K/5K/2K)

Michael Petersen, Systems Engineer, Cisco Denmark

Mikkel Brodersen, Systems Engineer, Cisco Denmark

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-1017

1.  ITD: An Introduction

2.  New ITD capabilities in NxOS

3.  ITD Deployment designs

4.  Q&A

5.  Nexus Hardware Update (7K,5K,2K)

6.  Q&A

Agenda

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-1017 4

Intelligent Traffic Director : An introduction What ? Why ? How ? While today’s Network Switches and Routers have evolved to multi-terabit capacities, Network service appliances and servers are still limited to a few Gigabits of capacity. Scaling to support this traffic now brings an important requirement: High Capacity Traffic Distribution. Cisco Intelligent Traffic Director(ITD) bridges this gap by providing ASIC-based (hardware) Traffic distribution for Layer 3 and 4 services and applications using Cisco Nexus 5/6/7/9k switches.


WHAT is ITD ? Intelligent Traffic Director

Traffic distribution through

packet redirection

5


WHAT is ITD ?

•  Traffic distribution and redirection

•  ASIC based solution(HW-switched)

•  Caters to multi-terabit traffic

•  Works on Nexus switches – 9/7/6/5k

Intelligent Traffic Director

Note: ITD performs L3-L4 traffic distribution,but does not replace Layer-7 Load-balancers

6


Where to use ITD ? (Examples)

Clients Servers

ITD to load-balance to the destination Example: Server-Load Balancing #1

7


Where to use ITD ? (Examples)

Clients Firewalls/other appliances

ITD for In-line traffic redirection Example: Firewalls, Wan Acceleration Engines, Web Cache etc.

#2

Destination

8


Why ITD ? Vs. Appliances

Line-Rate Traffic-distribution

Ease of deployment, reduced configuration

No service-module or external Appliance reqd.

Automatic Failure Handling

Intelligent Traffic Director

No service-module or external Appliance reqd.

Line-Rate Traffic-distribution

Automatic Failure Handling

Ease of deployment, reduced configuration

9


Supported Platforms/Software Release

NX-OS 6.2(10)

Nexus 7000/7700 Series

Nexus 9000 Series

Nexus 5000/6000 Series

Version

NX-OS 7.0(3)I1(2)

Platform

NX-OS 7.1.1N1(1)

Enhanced L2

License

Network Services

Enhanced L2/Network Services

10


ITD – Configuration Components

•  Configure Nodes (Service Appliances) •  Configure Probes •  Configure Standby(backyup nodes)

ITD Device-Group •  Attach device-group •  Configure Ingress-interface •  Configure Virtual IP Address •  Configure traffic filtering/selection •  Configure Load-balancing options •  Configure Failover options

ITD Service

11


ITD – Configuration Components (Sample)

Load-balance: Load-balancing options

Device-Group: Defines Nodes

Basic ITD configuration consists of :

ITD-Service Define ITD instances

Probes: Node Failure-detection

Virtual IP(VIP): Traffic Selection

Ingress Interface: L3 interface where traffic is expected

12





4.  Q&A

5.  Nexus7000 (M3)

6.  Q&A

Agenda


ITD Capabilities

(Differences)

Nexus 5500 / 5600 / 6000 Nexus 7000 / 7700

Nexus 9000 14


ITD Updates on

Nexus 5500 / 5600 / 6000

15


Nexus 5500/5600/6000 : 7.2(0)N1(1) ICMP Probe

Release 7.2(1)N1(1) on the N5k/6k/5600 introduces support for ICMP Probes for ITD.

Note: Currently only the ICMP Probe is supported on the N5/6k platforms. IP SLA is not required for this feature on the N5/6k

16


New ITD Capabilities

Nexus 7000 / 7700

17


•  IPv4 control Probe for IPv6 Node

•  Node-level Probe

•  Exclude-ACL

•  ITD-Destination NAT for Server load-balancing

•  Multiple device-groups per ITD-Service

Enhancements introduced in previous release: 6.2(10) -  Weighted load-balancing -  Node-level standby -  L4-port load-balancing -  Sandwich mode node-state sync

across VDC’s on same device. -  DNS Probe -  Start/Stop/Clear ITD Stats -  VRF Support

Nexus 7000/7700 : NxOS 7.2 Enhancements

18


•  Health Monitoring for IPv6 nodes is now

possible with IPv4 Probes. •  As a result, the nodes need to be IPv4-IPv6

dual-stacked. •  Only probes are IPv4. IPv6 traffic is still

handled by ITD. itd device-group IPv6-Nodes node ipv6 2001:db8::10:1:1:1 probe icmp ip 192.168.10.11 node ipv6 2001:db8::10:1:1:2 probe icmp ip 192.168.10.12

IPv6 Node IPv4 Probe

With this feature, IPv6 ITD can now support failure-handling of nodes.

Nexus 7000/7700 : 7.2(0)D1(1) IPv4 probe for IPv6 Node

19


Node-level Probing allows each node to be configured with its own probe for further customization. itd device-group Servers node ip 192.168.1.10 probe icmp frequency 10 retry-down-count 5 node ip 192.168.1.20 probe icmp frequency 5 retry-down-count 5 node ip 192.168.1.30 probe icmp frequency 20 retry-down-count 3

Per-node Probes

Prior to this feature probe-configuration was done at the device-group level.

Node-level probes are useful in scenarios where each node has to be

monitored differently for failure conditions.

For Ex. IPv6 device-groups need specific IPv4 probes per-node.

Nexus 7000/7700 : 7.2(0)D1(1) Node-Level Probe

20


Exclude-ACL specifies traffic that will bypass ITD. Traffic selected by the Exclude-ACL will get RIB-Routed without ITD functionality. Itd Service_Test device-group test-group ingress interface Vlan10 exclude access-list ITDExclude no shut ip access-list ITDExclude 10 permit ip 5.5.5.0 255.255.255.0 any 20 permit ip 192.168.100.0 255.255.255.0 192.168.200.0

Note: Ø  The Exclude ACL supports only

“permit” statements. Ø  Traffic that is matched by a Permit-

ACE in Exclude-ACL bypasses ITD. Exclude Access-list

Exclude example: Developer-VLANs and Testbed-VLANs not needing Firewall

inspection can bypass ITD.

Nexus 7000/7700 : 7.2(0)D1(1) Exclude ACL

21


•  ITD now supports Server-Load Balancing using NAT on Nexus 7000/7700

•  Traffic from the Client-IP -> VIP is translated to the real IP addresses of the servers.

•  Without ITD, external load-balancers are required for this functionality.

Prior to ITD-NAT, SLB was possible only using DSR mode which required VIP

configuration on the Servers.

Nexus 7000/7700 : 7.2(1)D1(1) ITD-Destination NAT for SLB

22


Clients

Device-group 1 Device-group 2

Destination

•  With this feature, a single ITD-Service can have multiple Device-groups in it.

•  Each Device-group is separated/filtered via its Virtual-IP address/range.

•  An ITD service still generates one route-map, with different sequences pointing to different device-groups

Nexus 7000/7700 : 7.2(1)D1(1) Multiple device-groups per Service

23


•  Caters to different types of traffic requiring different services, but arriving on the same ingress-interface

•  VIP-address is used to differentiate between

the different device-groups.

•  Supporting multiple device-groups per service on the same interface allows ITD to scale.

Nexus 7000/7700 : 7.2(1)D1(1) Multiple device-groups per Service

Web Servers Auth Servers

Example with Multiple device-groups

24


•  Include-ACL for traffic selection

•  Optimized Node insertion/removal

Nexus 7000/7700 : 7.3(0)D1(1) Enhancements

25


•  VIP can only match Destination fields(IP/

Ports). Source fields cannot be matched/filtered by VIP.

•  “Include ACL” feature defines a user-defined ACL for selecting traffic requiring ITD-redirection. VIP does not use Source-IP or Src-Port

numbers. For traffic-selection requiring Src(or) {Src & Dst} filtering, ITD-IncludeACL feature is used.

Nexus 7000/7700 : 7.3(0)D1(1) Include-ACL for traffic selection*

* Refer 7.x configuration guide for guidelines and limitations

26


•  Allows users to add or remove nodes when ITD service is UP.

•  Maintains an intermittent state of nodes when nodes are deleted or added.

•  Buckets are reprogrammed once user has completed node addition/removal.

•  Currently once ITD service is created, adding or removing node requires the service to be in shut state

•  Shutting down ITD service will cause 100% packet loss

Nexus 7000/7700 : 7.3(0)D1(1) Optimized node Insertion/Removal

27


ITD on Nexus 9000

28


Supported N9K Platforms: 9300: Cisco Nexus 9332PQ, 9372PX, 9372TX, 9396PX, 9396TX, 93120TX, and 93128TX 9500: X9432PQ, X9464PX, X9464TX, X9536PQ, X9564PX, X9636PQ, and X9564TX line cards License: N93-SERVICES1K9 N95-SERVICES1K9

Nexus 9000: 7.0(3)I1(2) ITD features

* - Not an exhaustive list

29


•  Include-ACL for traffic selection •  Non-disruptive add/delete (new nodes) •  Multiple device-groups •  TCP, UDP, DNS Probes •  Node-state Synchronization between services •  Support for 40G ports Roadmap Features under evaluation: •  Destination-NAT SLB •  IPv6 ITD support •  L2 mode ITD •  N3k/92XX support •  HTTP support

Nexus 9000: Recent feature additions

Note: Roadmap Items are tentative only

30


* Based on latest releases in each train # For exhaustive list, refer ITD configuration guides in reference slide

SR Feature N5K N7K N9K 7.2* 6.2* 7.2* 7.3 7.0(3)I3

1 IPv4 L3/L4 Traffic Distribution Yes Yes Yes Yes Yes 2 IPv6 L3/L4 Traffic Distribution No Yes Yes Yes No 3 Weighted load-balancing Yes Yes Yes Yes Yes 4 IP Persistence Yes Yes Yes Yes Yes 5 Traffic Distribution with destination NAT No No Yes Yes No 6 Probe - ICMP Yes Yes Yes Yes Yes TCP/UDP No Yes Yes Yes Yes IP SLA based No Yes Yes Yes Yes HTTP No No No TBD No 7 Exclude feature (ACL to deny traffic) No Yes Yes Yes Yes 8 VRF support for ITD service Yes Yes Yes Yes Yes 9 Include ACL (ACL to select traffic) No No No Yes Yes

10 Non-disruptive add/delete node No No No Yes Yes 11 DCNM Support No Yes Yes Yes -

ITD Feature Matrix across N5/6/7/9k#

31


Agenda




4.  Q&A


6.  Q&A

32


ITD: Deployment Designs

33


ITD Use-cases

•  Server Load balancing •  Server farms, Application servers,

Web Servers

•  Services Load balancing, Clustering •  Firewall, IDS, IPS, L7 Server LB,

WAF, VDS-TC (Transparent Caching)

•  Traffic Steering, Redirection •  Web accelerator Engine (WAE), Web

Caches, Web Proxy

34


•  Application requests are Load-balanced across multiple servers.

•  In the Direct Server Return(DSR) mode, the Servers respond back to the clients directly without involving the load-balancing system.

•  In Destination NAT method, ITD performs NAT + load-balancing towards the Servers.

Clients

APPLICATION

Server-N

Server-2

Server-1

Server Load-Balancing (SLB)

35


Typical Deployment of ITD for SLB-DSR

•  All Servers are configured with the VIP as the Loopback IP address(same on all servers).

•  Client sends packet to VIP. ITD load-balances these requests to different servers.

ITD – SLB with DSR mode

36


With SLB-NAT using ITD, NAT + ITD redirection is done on the Nexus switch.

Clients Virtual-IP

ITD-NAT

ITD Real Servers NAT

SLB-Destination NAT with ITD

ITD – SLB with Destination NAT

37


Client-1: 10.1.1.10 Server-1: 30.1.1.10

VIP: 20.1.1.10

Src IP 10.1.1.10

Dst IP 20.1.1.10

Src IP 10.1.1.10

Dst IP 30.1.1.10

ITD-NAT address translation

NAT

Src IP 20.1.1.10

Dst IP 10.1.1.10

Src IP 30.1.1.10

Dst IP 10.1.1.10

Client -> Server

Client ß Server NAT

Unlike DSR mode, ITD Destination-NAT requires no separate

configuration on the servers. This makes it easier for deploy for

SLB applications.


38


Guidelines and Limitations:

Ø  NAT-SLB with VIP-Port is also supported. Ø  NAT Functionality is limited to ITD for SLB, not for Carrier-

grade NAT as a feature itself.

Ø  Only Destination-NAT is supported.

Ø  Currently only supported on Nexus 7000/7700

Ø  Note: For the return-traffic, the next-hop on the Nexus Switch needs to be manually configured within ITD.


39


Summary •  HW based L3-L4 Traffic-distribution

Solution •  No additional overheads to forwarding •  Multi-Terabit solution •  Health Monitoring and Node Failover •  Appliance agnostic

•  CAPEX & OPEX savings •  Scalable to high traffic loads •  Easier manageability

•  ASA, Firewalls, Security Appliances •  Server Load-balancing •  WAN acceleration/HTTP/Web Services •  Video Caching Services

ITD Summary

ITD Benefits ITD Benefits

40


Agenda




4.  Q&A


6.  Q&A

41

Thank you.

virtual tech update - cisco · virtual tech update itd: intelligent traffic director nexus hardware...

Documents