Virtual Tech Update ITD: Intelligent Traffic Director Nexus Hardware Update (7K/5K/2K)

Virtual Tech Update
ITD: Intelligent Traffic Director
Nexus Hardware Update (7K/5K/2K)
Michael Petersen, Systems Engineer, Cisco Denmark
Mikkel Brodersen, Systems Engineer, Cisco Denmark
Agenda
1. ITD: An Introduction
2. New ITD capabilities in NxOS
3. ITD Deployment designs
4. Q&A
5. Nexus Hardware Update (7K,5K,2K)
6. Q&A
BRKDCT-1017
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Intelligent Traffic Director: An introduction
What? Why? How?
While today's network switches and routers have evolved to multi-terabit capacities, network service appliances and servers are still limited to a few Gigabits of capacity. Scaling to support this traffic now brings an important requirement: high-capacity traffic distribution.
Cisco Intelligent Traffic Director (ITD) bridges this gap by providing ASIC-based (hardware) traffic distribution for Layer 3 and 4 services and applications using Cisco Nexus 5/6/7/9k switches.
WHAT is ITD?
Intelligent Traffic Director: traffic distribution through packet redirection
WHAT is ITD?
Intelligent Traffic Director
• Traffic distribution and redirection
• ASIC-based solution (HW-switched)
• Caters to multi-terabit traffic
• Works on Nexus switches: 9/7/6/5k
Note: ITD performs L3-L4 traffic distribution, but does not replace Layer-7 load-balancers.
Where to use ITD? (Examples)
#1: ITD to load-balance to the destination
Example: Server Load Balancing
[Diagram: Clients -> ITD -> Servers]
Where to use ITD? (Examples)
#2: ITD for in-line traffic redirection
Example: Firewalls, WAN Acceleration Engines, Web Cache etc.
[Diagram: Clients -> ITD -> Firewalls/other appliances -> Destination]
Why ITD? Vs. Appliances
Intelligent Traffic Director
• No service-module or external appliance required
• Line-rate traffic distribution
• Automatic failure handling
• Ease of deployment, reduced configuration
Supported Platforms/Software Release
Platform               | Version           | License
Nexus 5000/6000 Series | NX-OS 7.1.1N1(1)  | Enhanced L2 / Network Services License
Nexus 7000/7700 Series | NX-OS 6.2(10)     | Enhanced L2 / Network Services
Nexus 9000 Series      | NX-OS 7.0(3)I1(2) | see the Nexus 9000 slide (N93-SERVICES1K9 / N95-SERVICES1K9)
ITD – Configuration Components
ITD Device-Group
• Configure Nodes (Service Appliances)
• Configure Probes
• Configure Standby (backup nodes)
ITD Service
• Attach device-group
• Configure Ingress-interface
• Configure Virtual IP Address
• Configure traffic filtering/selection
• Configure Load-balancing options
• Configure Failover options
ITD – Configuration Components (Sample)
Basic ITD configuration consists of:
• Device-Group: defines Nodes
• Probes: Node failure-detection
• ITD-Service: defines ITD instances
• Virtual IP (VIP): traffic selection
• Load-balance: load-balancing options
• Ingress Interface: L3 interface where traffic is expected
ITD Capabilities (Differences)
• Nexus 5500 / 5600 / 6000
• Nexus 7000 / 7700
• Nexus 9000
ITD Updates on Nexus 5500 / 5600 / 6000
Nexus 5500/5600/6000 : 7.2(0)N1(1)
ICMP Probe
Release 7.2(1)N1(1) on the N5k/6k/5600 introduces support for ICMP Probes for ITD.
Note: Currently only the ICMP Probe is supported on the N5/6k platforms. IP SLA is not required for this feature on the N5/6k.
New ITD Capabilities: Nexus 7000 / 7700
Nexus 7000/7700 : NxOS 7.2
Enhancements
• IPv4 control Probe for IPv6 Node
• Node-level Probe
• Exclude-ACL
• ITD-Destination NAT for Server load-balancing
• Multiple device-groups per ITD-Service
Enhancements introduced in previous release: 6.2(10)
- Weighted load-balancing
- Node-level standby
- L4-port load-balancing
- Sandwich mode node-state sync across VDCs on the same device
- DNS Probe
- Start/Stop/Clear ITD Stats
- VRF Support
Nexus 7000/7700 : 7.2(0)D1(1)
IPv4 probe for IPv6 Node
• Health monitoring for IPv6 nodes is now possible with IPv4 probes.
• As a result, the nodes need to be IPv4-IPv6 dual-stacked.
• Only the probes are IPv4. IPv6 traffic is still handled by ITD.
itd device-group IPv6-Nodes
  node ipv6 2001:db8::10:1:1:1
    probe icmp ip 192.168.10.11
  node ipv6 2001:db8::10:1:1:2
    probe icmp ip 192.168.10.12
With this feature, IPv6 ITD can now support failure-handling of nodes.
Nexus 7000/7700 : 7.2(0)D1(1)
Node-Level Probe
Node-level probing allows each node to be configured with its own probe for further customization.
itd device-group Servers
  node ip 192.168.1.10
    probe icmp frequency 10 retry-down-count 5
  node ip 192.168.1.20
    probe icmp frequency 5 retry-down-count 5
  node ip 192.168.1.30
    probe icmp frequency 20 retry-down-count 3
Prior to this feature, probe configuration was done at the device-group level.
Node-level probes are useful in scenarios where each node has to be monitored differently for failure conditions. For example, IPv6 device-groups need specific IPv4 probes per node.
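How the per-node probe parameters above translate into failure-detection behaviour, as an added example (a Python model, not NX-OS or Cisco code): a node is marked DOWN only after retry-down-count consecutive missed probes, so frequency × retry-down-count bounds the worst-case time before ITD stops sending traffic to a dead node. The rule that a single reply restores UP and the probe result sequences are assumptions; the three nodes and their parameters are taken from the device-group shown above.

```python
from dataclasses import dataclass


@dataclass
class NodeProbe:
    """Per-node ICMP probe as configured with 'probe icmp frequency N retry-down-count M'."""
    ip: str
    frequency: int          # seconds between probes
    retry_down_count: int   # consecutive misses before the node is marked DOWN
    state: str = "UP"
    misses: int = 0

    def observe(self, replied: bool) -> str:
        """Apply one probe result and return the resulting node state."""
        if replied:
            # Assumption: a single successful reply clears the miss counter and restores UP.
            self.misses = 0
            self.state = "UP"
        else:
            self.misses += 1
            if self.misses >= self.retry_down_count:
                self.state = "DOWN"
        return self.state

    def worst_case_detection_seconds(self) -> int:
        """Seconds from the first missed probe until DOWN, ignoring the per-probe timeout."""
        return self.frequency * self.retry_down_count


def run_probe(probe: NodeProbe, replies: list) -> list:
    """Feed a constructed sequence of probe results; return the state after each probe."""
    return [probe.observe(r) for r in replies]


def detection_windows(nodes: dict) -> dict:
    """Worst-case detection time per node for a device-group's per-node probe settings."""
    return {ip: NodeProbe(ip, f, c).worst_case_detection_seconds()
            for ip, (f, c) in nodes.items()}


# The three nodes of the 'Servers' device-group on the slide: (frequency, retry-down-count).
SERVERS = {
    "192.168.1.10": (10, 5),
    "192.168.1.20": (5, 5),
    "192.168.1.30": (20, 3),
}

if __name__ == "__main__":
    print(detection_windows(SERVERS))  # {'192.168.1.10': 50, '192.168.1.20': 25, '192.168.1.30': 60}
```

Note that intermittent misses never trip the detector: only a run of retry-down-count consecutive misses marks a node DOWN, which is why a flapping node keeps receiving traffic.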
Nexus 7000/7700 : 7.2(0)D1(1)
Exclude ACL
Exclude-ACL specifies traffic that will bypass ITD. Traffic selected by the Exclude-ACL will get RIB-routed without ITD functionality.
itd Service_Test
  device-group test-group
  ingress interface Vlan10
  exclude access-list ITDExclude
  no shut
ip access-list ITDExclude
  10 permit ip 5.5.5.0 255.255.255.0 any
  20 permit ip 192.168.100.0 255.255.255.0 192.168.200.0
Note:
• The Exclude ACL supports only "permit" statements.
• Traffic that is matched by a permit ACE in the Exclude-ACL bypasses ITD.
Exclude example: Developer-VLANs and Testbed-VLANs not needing firewall inspection can bypass ITD.
Nexus 7000/7700 : 7.2(1)D1(1)
ITD-Destination NAT for SLB
• ITD now supports Server Load Balancing using NAT on Nexus 7000/7700.
• Traffic from the Client-IP -> VIP is translated to the real IP addresses of the servers.
• Without ITD, external load-balancers are required for this functionality.
Prior to ITD-NAT, SLB was possible only using DSR mode, which required VIP configuration on the servers.
Nexus 7000/7700 : 7.2(1)D1(1)
Multiple device-groups per Service
• With this feature, a single ITD-Service can have multiple Device-groups in it.
• Each Device-group is separated/filtered via its Virtual-IP address/range.
• An ITD service still generates one route-map, with different sequences pointing to different device-groups.
[Diagram: Clients -> ITD service -> Device-group 1 / Device-group 2 -> Destination]
Nexus 7000/7700 : 7.2(1)D1(1)
Multiple device-groups per Service
• Caters to different types of traffic requiring different services, but arriving on the same ingress-interface.
• The VIP address is used to differentiate between the different device-groups.
• Supporting multiple device-groups per service on the same interface allows ITD to scale.
[Diagram: Example with multiple device-groups: Web Servers and Auth Servers]
Nexus 7000/7700 : 7.3(0)D1(1)
Enhancements
• Include-ACL for traffic selection
• Optimized Node insertion/removal
Nexus 7000/7700 : 7.3(0)D1(1)
Include-ACL for traffic selection*
• VIP can only match destination fields (IP/ports). Source fields cannot be matched/filtered by VIP.
• The "Include ACL" feature defines a user-defined ACL for selecting traffic requiring ITD redirection.
VIP does not use Source-IP or Src-Port numbers. For traffic selection requiring Src (or) {Src & Dst} filtering, the ITD Include-ACL feature is used.
* Refer to the 7.x configuration guide for guidelines and limitations.
Nexus 7000/7700 : 7.3(0)D1(1)
Optimized node Insertion/Removal
• Allows users to add or remove nodes while the ITD service is UP.
• Maintains an interim state of nodes while nodes are deleted or added.
• Before this feature, once an ITD service was created, adding or removing a node required the service to be in shut state.
• Shutting down the ITD service causes 100% packet loss.
• Buckets are reprogrammed once the user has completed node addition/removal.
ITD on Nexus 9000
Nexus 9000: 7.0(3)I1(2)
ITD features
Supported N9K Platforms*:
• 9300: Cisco Nexus 9332PQ, 9372PX, 9372TX, 9396PX, 9396TX, 93120TX, and 93128TX
• 9500: X9432PQ, X9464PX, X9464TX, X9536PQ, X9564PX, X9636PQ, and X9564TX line cards
License: N93-SERVICES1K9, N95-SERVICES1K9
* Not an exhaustive list
Nexus 9000: Recent feature additions
• Include-ACL for traffic selection
• Non-disruptive add/delete (new nodes)
• Multiple device-groups
• TCP, UDP, DNS Probes
• Node-state Synchronization between services
• Support for 40G ports
Roadmap features under evaluation:
• Destination-NAT SLB
• IPv6 ITD support
• L2 mode ITD
• N3k/92XX support
• HTTP support
Note: Roadmap items are tentative only.
ITD Feature Matrix across N5/6/7/9k #
Platform columns (release*): N5K 7.2*, N7K 6.2*, N7K 7.2*, N7K 7.3, N9K 7.0(3)I3
SR | Feature
1  | IPv4 L3/L4 Traffic Distribution
2  | IPv6 L3/L4 Traffic Distribution
3  | Weighted load-balancing
4  | IP Persistence
5  | Traffic Distribution with destination NAT
6  | Probe: ICMP / TCP-UDP / IP SLA based / HTTP
7  | Exclude feature (ACL to deny traffic)
8  | VRF support for ITD service
9  | Include ACL (ACL to select traffic)
10 | Non-disruptive add/delete node
11 | DCNM Support
* Based on latest releases in each train
# For an exhaustive list, refer to the ITD configuration guides in the reference slide
ITD: Deployment Designs
ITD Use-cases
• Server Load balancing
  • Server farms, Application servers, Web Servers
• Services Load balancing, Clustering
  • Firewall, IDS, IPS, L7 Server LB, WAF, VDS-TC (Transparent Caching)
• Traffic Steering, Redirection
  • Web Accelerator Engine (WAE), Web Caches, Web Proxy
Server Load-Balancing (SLB)
• Application requests are load-balanced across multiple servers.
• In the Direct Server Return (DSR) mode, the servers respond back to the clients directly without involving the load-balancing system.
• In the Destination NAT method, ITD performs NAT + load-balancing towards the servers.
[Diagram: Clients -> Application -> Server-1, Server-2, ... Server-N]
ITD – SLB with DSR mode
• All servers are configured with the VIP as the Loopback IP address (same on all servers).
• The client sends a packet to the VIP. ITD load-balances these requests to different servers.
[Diagram: Typical deployment of ITD for SLB-DSR]
ITD – SLB with Destination NAT
With SLB-NAT using ITD, NAT + ITD redirection is done on the Nexus switch.
[Diagram: SLB-Destination NAT with ITD: Clients -> Virtual-IP -> ITD NAT -> Real Servers]
ITD – SLB with Destination NAT
ITD-NAT address translation
Client-1: 10.1.1.10, Server-1: 30.1.1.10, VIP: 20.1.1.10

Direction        | Before NAT                         | After NAT
Client -> Server | Src IP 10.1.1.10, Dst IP 20.1.1.10 | Src IP 10.1.1.10, Dst IP 30.1.1.10
Client <- Server | Src IP 30.1.1.10, Dst IP 10.1.1.10 | Src IP 20.1.1.10, Dst IP 10.1.1.10

Unlike DSR mode, ITD Destination NAT requires no separate configuration on the servers. This makes it easier to deploy for SLB applications.
ITD – SLB with Destination NAT
Guidelines and Limitations:
• NAT-SLB with VIP-Port is also supported.
• NAT functionality is limited to ITD for SLB; it is not Carrier-grade NAT as a feature in itself.
• Only Destination-NAT is supported.
• Currently only supported on Nexus 7000/7700.
• Note: For the return traffic, the next-hop on the Nexus switch needs to be manually configured within ITD.
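The ITD decision path described on the Exclude-ACL, SLB-DSR and SLB-Destination NAT slides, as an added Python model (not Cisco or NX-OS code): exclude-ACL permit entries bypass ITD and get plain routing, the VIP matches destination only, each bucket maps to a node with node-level standby taking over a failed node, and with NAT the VIP is rewritten to the real server on the way in and back to the VIP on the return path. The bucket count, the bucket-to-node mapping, and spreading a failed node's buckets over the remaining nodes when no standby is configured are assumptions; the addresses are the ones from the translation table above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    ip: str
    up: bool = True
    standby: Optional[str] = None   # node-level standby (assumed to inherit the node's buckets)


@dataclass
class ItdService:
    vip: str                                          # VIP matches destination fields only
    nodes: list
    exclude: list = field(default_factory=list)       # exclude-ACL permit prefixes (bypass ITD)
    buckets: int = 8                                  # assumed bucket count
    nat: bool = False                                 # ITD destination NAT for SLB

    def _excluded(self, src: str) -> bool:
        """Exclude-ACL allows only permit statements; a match is RIB-routed without ITD."""
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in self.exclude)

    def _pick_node(self, src: str) -> Optional[str]:
        """Source address selects a bucket; buckets map round-robin onto nodes (assumption)."""
        bucket = int(ipaddress.ip_address(src)) % self.buckets
        node = self.nodes[bucket % len(self.nodes)]
        if node.up:
            return node.ip
        if node.standby:
            return node.standby
        survivors = [n.ip for n in self.nodes if n.up]   # assumption: redistribute to live nodes
        return survivors[bucket % len(survivors)] if survivors else None

    def client_to_server(self, src: str, dst: str) -> tuple:
        """Return (action, src, dst, next_hop) for a packet arriving on the ingress interface."""
        if self._excluded(src) or dst != self.vip:
            return ("route", src, dst, None)          # plain RIB routing, ITD not involved
        target = self._pick_node(src)
        if target is None:
            return ("drop", src, dst, None)           # no healthy node left for this bucket
        if self.nat:
            return ("nat", src, target, target)       # Dst VIP -> real server IP
        return ("redirect", src, dst, target)         # DSR: VIP kept, packet steered to the node

    def server_to_client(self, src: str, dst: str) -> tuple:
        """Return path: with NAT the real server IP is rewritten back to the VIP."""
        if self.nat and any(src in (n.ip, n.standby) for n in self.nodes):
            return ("nat", self.vip, dst, None)
        return ("route", src, dst, None)
```

In DSR mode the return packet is routed untouched because the server already answers from the VIP on its loopback; in NAT mode the switch must see the return traffic, which is why the slide notes that the return next-hop has to be configured within ITD.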
Summary
ITD Summary
• HW-based L3-L4 traffic-distribution solution
• No additional overheads to forwarding
• Multi-Terabit solution
• Health monitoring and node failover
• Appliance agnostic
ITD Benefits
• ASA, Firewalls, Security Appliances
• Server Load-balancing
• WAN acceleration/HTTP/Web Services
• Video Caching Services
• CAPEX & OPEX savings
• Scalable to high traffic loads
• Easier manageability
Thank you.