Virtual Tech Update
ITD: Intelligent Traffic Director Nexus Hardware Update (7K/5K/2K)
Michael Petersen, Systems Engineer, Cisco Denmark
Mikkel Brodersen, Systems Engineer, Cisco Denmark
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-1017
Agenda
1. ITD: An Introduction
2. New ITD capabilities in NxOS
3. ITD Deployment designs
4. Q&A
5. Nexus Hardware Update (7K,5K,2K)
6. Q&A
Intelligent Traffic Director: An introduction
What? Why? How?
While today’s Network Switches and Routers have evolved to multi-terabit capacities, Network service appliances and servers are still limited to a few Gigabits of capacity. Scaling to support this traffic now brings an important requirement: High Capacity Traffic Distribution. Cisco Intelligent Traffic Director (ITD) bridges this gap by providing ASIC-based (hardware) traffic distribution for Layer 3 and 4 services and applications using Cisco Nexus 5/6/7/9k switches.
WHAT is ITD? Intelligent Traffic Director
Traffic distribution through packet redirection.
WHAT is ITD? Intelligent Traffic Director
• Traffic distribution and redirection
• ASIC-based solution (HW-switched)
• Caters to multi-terabit traffic
• Works on Nexus switches – 9/7/6/5k
Note: ITD performs L3-L4 traffic distribution, but does not replace Layer-7 load-balancers.
Where to use ITD? (Examples)
Example #1: Server Load-Balancing. ITD load-balances traffic from the Clients to the destination Servers.
Where to use ITD? (Examples)
Example #2: In-line traffic redirection. ITD redirects traffic from the Clients through Firewalls or other appliances (WAN Acceleration Engines, Web Caches, etc.) on its way to the Destination.
Why ITD? Vs. Appliances
• Line-rate traffic distribution
• Ease of deployment, reduced configuration
• No service module or external appliance required
• Automatic failure handling
Supported Platforms/Software Release

Platform                 Version              License
Nexus 7000/7700 Series   NX-OS 6.2(10)        Enhanced L2
Nexus 9000 Series        NX-OS 7.0(3)I1(2)    Network Services
Nexus 5000/6000 Series   NX-OS 7.1.1N1(1)     Enhanced L2/Network Services
ITD – Configuration Components

ITD Device-Group
• Configure Nodes (Service Appliances)
• Configure Probes
• Configure Standby (backup nodes)

ITD Service
• Attach device-group
• Configure Ingress-interface
• Configure Virtual IP Address
• Configure traffic filtering/selection
• Configure Load-balancing options
• Configure Failover options
ITD – Configuration Components (Sample)
Basic ITD configuration consists of:
• ITD-Service: defines ITD instances
• Device-Group: defines Nodes
• Probes: Node failure-detection
• Virtual IP (VIP): traffic selection
• Ingress Interface: L3 interface where traffic is expected
• Load-balance: load-balancing options
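The components listed above, assembled into one complete SLB (DSR) configuration. This is an added example written for this page, not configuration taken from the presentation: the device-group and service names, the VLAN, and all node, standby and VIP addresses are constructed, and the command syntax follows the Nexus 7000 ITD configuration guide for NX-OS 7.x (probe, weight, standby, load-balance and failaction keywords as documented there).

```cisco
! Added example (not from the presentation). Names, VLAN and addresses are constructed.
feature itd

! Device-group: the real servers, plus how they are health-checked.
itd device-group WEB-SERVERS
  ! Group-level probe: ICMP every 5 s with a 2 s timeout; a node is declared
  ! down after 3 consecutive failures and up again after 3 successes.
  probe icmp frequency 5 timeout 2 retry-down-count 3 retry-up-count 3
  node ip 192.168.10.11
    ! Weighted load-balancing: this node receives twice the buckets of a weight-1 node.
    weight 2
    ! Node-level standby: takes over this node's buckets if the node fails.
    standby ip 192.168.10.21
  node ip 192.168.10.12
    weight 1
    standby ip 192.168.10.22

! Service: where traffic enters, which traffic is selected, and how it is spread.
itd WEB-SLB
  device-group WEB-SERVERS
  ! L3 interface on which client traffic towards the VIP arrives.
  ingress interface Vlan100
  ! Only traffic to VIP:80 is redirected; in DSR mode the servers hold this VIP on a loopback.
  virtual ip 10.20.0.10 255.255.255.255 tcp 80
  ! Hash the source IP into 8 buckets, so a given client keeps hitting the same node.
  load-balance method src ip buckets 8
  ! If a node and its standby are both down, redistribute its buckets to the surviving nodes.
  failaction node reassign
  no shut
```

Node health and bucket-to-node assignment can be checked with `show itd WEB-SLB` once the service is up; without `failaction node reassign`, traffic hashed to a failed node whose standby is also down is dropped rather than moved.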
ITD Capabilities (Differences)
Nexus 5500 / 5600 / 6000, Nexus 7000 / 7700, Nexus 9000
ITD Updates on Nexus 5500 / 5600 / 6000
Nexus 5500/5600/6000 : 7.2(0)N1(1) ICMP Probe
Release 7.2(1)N1(1) on the N5k/6k/5600 introduces support for ICMP Probes for ITD.
Note: Currently only the ICMP Probe is supported on the N5/6k platforms. IP SLA is not required for this feature on the N5/6k.
New ITD Capabilities: Nexus 7000 / 7700
Nexus 7000/7700 : NxOS 7.2 Enhancements
• IPv4 control Probe for IPv6 Node
• Node-level Probe
• Exclude-ACL
• ITD-Destination NAT for Server load-balancing
• Multiple device-groups per ITD-Service

Enhancements introduced in the previous release, 6.2(10):
- Weighted load-balancing
- Node-level standby
- L4-port load-balancing
- Sandwich mode node-state sync across VDCs on the same device
- DNS Probe
- Start/Stop/Clear ITD Stats
- VRF Support
Nexus 7000/7700 : 7.2(0)D1(1) IPv4 probe for IPv6 Node
• Health Monitoring for IPv6 nodes is now possible with IPv4 Probes.
• As a result, the nodes need to be IPv4-IPv6 dual-stacked.
• Only the probes are IPv4. IPv6 traffic is still handled by ITD.
With this feature, IPv6 ITD can now support failure-handling of nodes.

  itd device-group IPv6-Nodes
    node ipv6 2001:db8::10:1:1:1
      probe icmp ip 192.168.10.11
    node ipv6 2001:db8::10:1:1:2
      probe icmp ip 192.168.10.12
Nexus 7000/7700 : 7.2(0)D1(1) Node-Level Probe
Per-node Probes
Node-level Probing allows each node to be configured with its own probe for further customization.
Prior to this feature, probe configuration was done at the device-group level.
Node-level probes are useful in scenarios where each node has to be monitored differently for failure conditions. For example, IPv6 device-groups need specific IPv4 probes per node.

  itd device-group Servers
    node ip 192.168.1.10
      probe icmp frequency 10 retry-down-count 5
    node ip 192.168.1.20
      probe icmp frequency 5 retry-down-count 5
    node ip 192.168.1.30
      probe icmp frequency 20 retry-down-count 3
Nexus 7000/7700 : 7.2(0)D1(1) Exclude ACL
Exclude Access-list
Exclude-ACL specifies traffic that will bypass ITD. Traffic selected by the Exclude-ACL will get RIB-routed without ITD functionality.

  ip access-list ITDExclude
    10 permit ip 5.5.5.0 255.255.255.0 any
    20 permit ip 192.168.100.0 255.255.255.0 192.168.200.0

  itd Service_Test
    device-group test-group
    ingress interface Vlan10
    exclude access-list ITDExclude
    no shut

Note:
• The Exclude ACL supports only “permit” statements.
• Traffic that is matched by a Permit-ACE in the Exclude-ACL bypasses ITD.
Exclude example: Developer-VLANs and Testbed-VLANs not needing Firewall inspection can bypass ITD.
Nexus 7000/7700 : 7.2(1)D1(1) ITD-Destination NAT for SLB
• ITD now supports Server Load-Balancing using NAT on Nexus 7000/7700.
• Traffic from the Client-IP to the VIP is translated to the real IP addresses of the servers.
• Without ITD, external load-balancers are required for this functionality.
Prior to ITD-NAT, SLB was possible only using DSR mode, which required VIP configuration on the Servers.
Nexus 7000/7700 : 7.2(1)D1(1) Multiple device-groups per Service
• With this feature, a single ITD-Service can have multiple Device-groups in it.
• Each Device-group is separated/filtered via its Virtual-IP address/range.
• An ITD service still generates one route-map, with different sequences pointing to different device-groups.
(Figure: Clients reach Device-group 1 and Device-group 2 through the same ITD service on the way to the Destination.)
Nexus 7000/7700 : 7.2(1)D1(1) Multiple device-groups per Service
Example with Multiple device-groups (Web Servers and Auth Servers)
• Caters to different types of traffic requiring different services, but arriving on the same ingress-interface.
• The VIP address is used to differentiate between the different device-groups.
• Supporting multiple device-groups per service on the same interface allows ITD to scale.
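The Web/Auth example above written out as one service, with the Exclude-ACL from the earlier slide folded in so that both features appear in context. This is an added example, not configuration from the presentation: the device-group, service and ACL names, the VLAN, the subnets and the VIPs are constructed; the per-VIP `device-group` keyword on `virtual ip` follows the Nexus 7000 ITD configuration guide for 7.2(1) and later.

```cisco
! Added example (not from the presentation). All names, VLAN and addresses are constructed.
feature itd

! Two independent node pools, each probed on the port it actually serves.
itd device-group WEB-SERVERS
  probe tcp port 443
  node ip 192.168.10.11
  node ip 192.168.10.12

itd device-group AUTH-SERVERS
  probe tcp port 636
  node ip 192.168.11.21
  node ip 192.168.11.22

! Developer and testbed subnets bypass ITD and are plainly RIB-routed.
! Only permit ACEs are meaningful here: a match means "do not redirect".
ip access-list ITD-BYPASS
  10 permit ip 172.16.50.0/24 any
  20 permit ip 172.16.51.0/24 any

! One service, one ingress interface, two VIPs, each bound to its own device-group.
! Internally this still produces a single route-map whose sequences point at the two groups.
itd FRONTEND
  ingress interface Vlan100
  virtual ip 10.20.0.10 255.255.255.255 tcp 443 device-group WEB-SERVERS
  virtual ip 10.20.0.20 255.255.255.255 tcp 636 device-group AUTH-SERVERS
  exclude access-list ITD-BYPASS
  load-balance method src ip buckets 16
  failaction node reassign
  no shut
```

Because a VIP only matches destination fields, the two device-groups are told apart purely by destination address and port here; anything that must be selected by source address or source port needs the Include-ACL feature of 7.3(0)D1(1) instead.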
Nexus 7000/7700 : 7.3(0)D1(1) Enhancements
• Include-ACL for traffic selection
• Optimized Node insertion/removal
Nexus 7000/7700 : 7.3(0)D1(1) Include-ACL for traffic selection*
• A VIP can only match Destination fields (IP/Ports). Source fields cannot be matched/filtered by a VIP.
• The “Include ACL” feature defines a user-defined ACL for selecting traffic requiring ITD redirection. Since a VIP does not use Source-IP or Src-Port numbers, the ITD Include-ACL feature is used for traffic selection requiring Src (or Src & Dst) filtering.
* Refer to the 7.x configuration guide for guidelines and limitations.
Nexus 7000/7700 : 7.3(0)D1(1) Optimized node Insertion/Removal
• Allows users to add or remove nodes while the ITD service is UP.
• Maintains an intermediate state of the nodes while nodes are being deleted or added.
• Buckets are reprogrammed once the user has completed node addition/removal.
• Before this enhancement, once an ITD service was created, adding or removing a node required the service to be in the shut state.
• Shutting down the ITD service causes 100% packet loss.
ITD on Nexus 9000
Nexus 9000: 7.0(3)I1(2) ITD features
Supported N9K Platforms:
• 9300: Cisco Nexus 9332PQ, 9372PX, 9372TX, 9396PX, 9396TX, 93120TX, and 93128TX
• 9500: X9432PQ, X9464PX, X9464TX, X9536PQ, X9564PX, X9636PQ, and X9564TX line cards
License: N93-SERVICES1K9, N95-SERVICES1K9
* - Not an exhaustive list
Nexus 9000: Recent feature additions
• Include-ACL for traffic selection
• Non-disruptive add/delete (new nodes)
• Multiple device-groups
• TCP, UDP, DNS Probes
• Node-state Synchronization between services
• Support for 40G ports

Roadmap Features under evaluation:
• Destination-NAT SLB
• IPv6 ITD support
• L2 mode ITD
• N3k/92XX support
• HTTP support
Note: Roadmap Items are tentative only.
ITD Feature Matrix across N5/6/7/9k#

SR  Feature                                     N5K    N7K    N7K    N7K    N9K
                                                7.2*   6.2*   7.2*   7.3    7.0(3)I3
1   IPv4 L3/L4 Traffic Distribution             Yes    Yes    Yes    Yes    Yes
2   IPv6 L3/L4 Traffic Distribution             No     Yes    Yes    Yes    No
3   Weighted load-balancing                     Yes    Yes    Yes    Yes    Yes
4   IP Persistence                              Yes    Yes    Yes    Yes    Yes
5   Traffic Distribution with destination NAT   No     No     Yes    Yes    No
6   Probe - ICMP                                Yes    Yes    Yes    Yes    Yes
    Probe - TCP/UDP                             No     Yes    Yes    Yes    Yes
    Probe - IP SLA based                        No     Yes    Yes    Yes    Yes
    Probe - HTTP                                No     No     No     TBD    No
7   Exclude feature (ACL to deny traffic)       No     Yes    Yes    Yes    Yes
8   VRF support for ITD service                 Yes    Yes    Yes    Yes    Yes
9   Include ACL (ACL to select traffic)         No     No     No     Yes    Yes
10  Non-disruptive add/delete node              No     No     No     Yes    Yes
11  DCNM Support                                No     Yes    Yes    Yes    -

* Based on latest releases in each train
# For an exhaustive list, refer to the ITD configuration guides in the reference slide
ITD: Deployment Designs
ITD Use-cases
• Server Load balancing: Server farms, Application servers, Web Servers
• Services Load balancing, Clustering: Firewall, IDS, IPS, L7 Server LB, WAF, VDS-TC (Transparent Caching)
• Traffic Steering, Redirection: Web accelerator Engine (WAE), Web Caches, Web Proxy
Server Load-Balancing (SLB)
• Application requests from the Clients are load-balanced across multiple servers (Server-1, Server-2, … Server-N).
• In the Direct Server Return (DSR) mode, the Servers respond back to the clients directly without involving the load-balancing system.
• In the Destination NAT method, ITD performs NAT + load-balancing towards the Servers.
ITD – SLB with DSR mode
Typical Deployment of ITD for SLB-DSR
• All Servers are configured with the VIP as the Loopback IP address (same on all servers).
• Client sends packet to VIP. ITD load-balances these requests to different servers.
ITD – SLB with Destination NAT
SLB-Destination NAT with ITD
With SLB-NAT using ITD, NAT + ITD redirection is done on the Nexus switch: Clients send to the Virtual-IP, and ITD-NAT forwards the traffic to the Real Servers.
ITD – SLB with Destination NAT
ITD-NAT address translation (Client-1: 10.1.1.10, VIP: 20.1.1.10, Server-1: 30.1.1.10)

Direction          Before NAT                            After NAT
Client -> Server   Src IP 10.1.1.10   Dst IP 20.1.1.10   Src IP 10.1.1.10   Dst IP 30.1.1.10
Client <- Server   Src IP 30.1.1.10   Dst IP 10.1.1.10   Src IP 20.1.1.10   Dst IP 10.1.1.10

Unlike DSR mode, ITD Destination-NAT requires no separate configuration on the servers. This makes it easier to deploy for SLB applications.
ITD – SLB with Destination NAT
Guidelines and Limitations:
• NAT-SLB with VIP-Port is also supported.
• NAT functionality is limited to ITD for SLB, not Carrier-grade NAT as a feature in itself.
• Only Destination-NAT is supported.
• Currently only supported on Nexus 7000/7700.
• Note: For the return traffic, the next-hop on the Nexus Switch needs to be manually configured within ITD.
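The Destination-NAT translation shown in the preceding slides, expressed as the ITD service that produces it. This is an added example and not configuration from the presentation: it reuses the deck's addresses (client 10.1.1.10, VIP 20.1.1.10, Server-1 30.1.1.10), while the second server, the VLAN, the service port and the probe are constructed, and the `nat destination` keyword follows the Nexus 7000 ITD configuration guide for 7.2(1) and later.

```cisco
! Added example (not from the presentation). Deck addresses reused; Server-2,
! the VLAN, the service port and the probe are constructed.
feature itd

itd device-group APP-SERVERS
  ! Probe the service port itself, so a host that answers ping but whose
  ! application is down is still taken out of rotation.
  probe tcp port 8080
  node ip 30.1.1.10
  node ip 30.1.1.11

itd APP-SLB-NAT
  device-group APP-SERVERS
  ! Client-facing L3 interface on which packets for the VIP arrive.
  ingress interface Vlan10
  ! Clients connect to 20.1.1.10:8080 (NAT-SLB with a VIP port).
  virtual ip 20.1.1.10 255.255.255.255 tcp 8080
  ! Destination-NAT mode: the destination is rewritten from the VIP to a real
  ! server (e.g. 10.1.1.10 -> 20.1.1.10 becomes 10.1.1.10 -> 30.1.1.10), and the
  ! server's reply is rewritten back to carry the VIP as its source.
  nat destination
  load-balance method src ip buckets 4
  failaction node reassign
  no shut
```

The servers need no VIP on a loopback in this mode, unlike DSR. The one piece this fragment does not show is the next-hop for the return traffic, which the slide notes must be configured manually within ITD; the exact command is not given on the page, so consult the 7.x ITD configuration guide for it before relying on the reverse translation.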
ITD Summary

ITD Summary
• HW-based L3-L4 Traffic-distribution Solution
• No additional overheads to forwarding
• Multi-Terabit solution
• Health Monitoring and Node Failover
• Appliance agnostic

ITD Benefits
• CAPEX & OPEX savings
• Scalable to high traffic loads
• Easier manageability

ITD Use-cases
• ASA, Firewalls, Security Appliances
• Server Load-balancing
• WAN acceleration/HTTP/Web Services
• Video Caching Services
Thank you.