Transcript CA Technical Support Training NPI Template Usage

Intelligent Traffic Director
(ITD)
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
ITD Overview
Mouli Vytla
Samar Sharma
Rajendra Thirumurthi
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
ITD: Multi-Terabit Load-balancing with N5k/6k/7k/9k
1.
ASIC based L4 load-balancing at line-rate
2.
Every Nexus 5k/6k/7k/9k port can be used for load-balancing
3.
Redirect line-rate traffic to any devices, for example web cache engine, Web
Accelerator Engine (WAE), WAAS, VDS-TC, etc.
4.
No service module or external L4 load-balancer needed
5.
Provides IP-stickiness, resiliency (like resilient-ECMP)
6.
NAT (available for EFT). Allows non-DSR deployments.
7.
Weighted load-balancing
8.
Provides the capability to create clusters of devices, for e.g., Firewalls, IPS, or Web
Application Firewall (WAF)
9.
Performs health monitoring and automatic failure handling
10.
Provides ACL along with redirection and load balancing simultaneously.
11.
Order of magnitude reduction in configuration and ease of deployment
12.
The servers/appliances don’t have to be directly connected to Nexus switch
13.
Supports both IPv4 and IPv6
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
ITD Deployment example
Redirect
loadbalance
ACL to
select traffic
ITD
Select the
traffic destined
to VIP
Clients
Po-5
Po-6
Po-7
Po-8
Note: the devices don’t have to be directly connected to Nexus switch
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
4
ITD feature Advantages
slide 1 of 3
• Scales to large number of Nodes
• Significant reduction of Configuration Complexity
• eg, 32 node cluster would require ~300 configuration lines without ITD
• ITD configuration requires only 40 lines
• N + M redundancy. Health Monitoring of servers/appliances
• DCNM Support
• IP-stickiness, resiliency
• Supports both IPv4 and IPv6, with VRF awareness
• Zero-Touch Appliance deployment
• No certification, integration, or qualification needed between the
appliances and the Nexus switch.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
5
ITD feature Advantages
slide 2 of 3
• Simultaneously use heterogeneous appliances (different models /
vendors)
• Flow coherent symmetric traffic distribution
•
Flow coherency for bidirectional flows. Same device receives the forward and reverse
traffic
• Traffic Selection:
•
ACL
•
VIP/Protocol/Port
• Not dependent on N7k HW architecture
•
Independent of Line-card types, ASICs, Nexus 7700, Nexus 5k/6k, etc.
•
Customer does not need to be aware of “hash-modulo”, “rotate” options for PortChannel configuration
•
Note: IPv6 supported on F3 (7000/ 7700) and F2E (7700) modules only
• ITD feature does not add any load to the supervisor CPU
• ITD uses orders of magnitude less hardware TCAM resources than
WCCP
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
6
ITD feature Advantages
slide 3 of 3
• CAPEX : Wiring, Power, Rackspace and Cost savings
• Automatic Failure Handling
• Dynamically reassign traffic (going towards failed node) to Standby node
• No manual configuration or intervention required if a link or server fails
• Migration from N7000 to N7700 and F3
• Customer does not need to be concerned about upgrading to N7700 and F3
• ITD feature is hardware agnostic, feature works seamlessly after upgrade
• Complete transparency to the end devices
• Simplified provisioning and ease of deployment
• Debuggability: ITD doesn't have WCCP-like handshake
messages
• The solution handles an unlimited number of flows
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
7
Why & Where Do We
Need This Feature
Network Deployment Examples
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
8
ITD use-cases
• Use with clustering (Services load-balancing)
Eg, Firewall, Hadoop/Big Data, Web application Firewalls (WAF), IPS, loadbalance to Layer 7 load-balancers.
• Redirecting
Eg. Web accelerator Engines (WAE), Web caches
• Server Load-balancing
Eg, application servers, web servers, VDS-TC (Video transparent caching)
• Replace PBR
• Replace ECMP, Port-channel
• DCI Disaster Recovery
Please note that ITD is not a replacement for Layer-7 load-balancer (URL,
cookies, SSL, etc).
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
9
ITD Use-case: Clustering
 Performance gap between Switch and Servers/Appliances
 Appliance vendors try to scale capacity by stacking or clustering. Both
models have deficiencies
Stacking Solution (port-channel, ECMP) drawbacks:
1. Manual configuration with large number of steps
2. Application level node failure not detected
3. Ingress/Egress Failure handling across pair of switches requires manual intervention
4. Traffic black-holing can easily occur.
5. Doesn’t scale for large number of nodes
Clustering solution drawbacks:
1. Redirection of traffic among cluster nodes
2. Doesn’t scale typically above 8 nodes
3. Dedicated control link between nodes
4. Dedicated port(s) reserved on each node for control link traffic
5. Very complex to implement and debug
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
10
ITD comparison with Port-channel, ECMP, PBR
Feature/Benefit
Port Channel
ECMP
PBR
ITD
Link Failure detection
✓
✓
✓
✓
Appliance/server failure detection
✗
✗
✓
✓
Weighted load-balancing
✗
✗
✗
✓
NAT
✗
✗
✗
VIP, advertisement
✗
✗
✗
✓
Auto re-configuration of N7k (s) in case of
failures
✗
✗
✗
✓
Hot standby support – N+M redundancy
✗
✗
✗
✓
Resilient: Non-Disruptive to existing flows
✗
✗
✗
✓
Quick failure detection/convergence
✗
✗
✗
✓
Max # of nodes for scaling
16
16
16
256
Ease of configuration, troubleshooting
✗
✗
✗
✓
✗
(complex)
✗
(complex)
✗
(complex)
✓
(simple)
Avoid Traffic Black-holing in Sandwich
Mode Topology
✗
✗
✗
✓
Adaptive flow distribution, auto-sync for
bi-directional flow coherency
© 2010 Cisco and/or its affiliates. All rights reserved.
✗
✗
✗
✓11
Deployment complexity
✓(soon)
post 6.2(10)
Cisco Confidential
11
ITD use-case : Web Accelerator Engines
 Traffic redirection to devices such as web caches, Video caches
 Appliance vendors try to redirect using WCCP or PBR. Both models
have deficiencies
WCCP Solution drawbacks:
1. Appliance has to support WCCP protocol
2. Explosion in the number of TCAM entries due to WCCP
3. Complex protocol between switch and appliance
4. Troubleshooting involves both switch and appliance
5. User cannot choose the load-balancing method
6. Appliances have to be aware of health of other appliances.
7. Supervisor CPU utilization becomes high
8. Only IPv4 supported on N7k. WCCP not supported on N9k.
PBR solution drawbacks:
1. Very manual and error prone method
2. Very limited probing
3. No automatic failure detection and correction (failaction)
4. Doesn't scale
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
12
ITD comparison with WCCP
Feature/Benefit
N7k WCCP
N7k ITD
Appliance is unaware of the protocol
No
Yes
Protocol support
IPv4
IPv4, IPv6
Number of TCAM entries
(say, 100 SVI, 8 nodes, 20 ACEs)
Very High
16000
Very low
160
Weighted load-balancing
No
Yes
User can specify which bits to use for load-balancing
No
Yes
Number of nodes
32
256
Support for IPSLA probes
No
Yes
Support for Virtual IP
No
Yes
Support for L4-port load-balancing
No
Yes
Capability to choose src or dest IP for load-balancing
No
Yes
Customer support needs to look at switch only, or
both the switch and appliance
Both
Switch only
Adaptive flow distribution
No
Yes (post 6.2.8)
Sup CPU Overhead
High
None
Egress ACL
Yes
Yes (post 6.2.8)
DCNM Support
No
Yes
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
13
ITD use-case : Server Load-Balancing
 Server migration from 1G to 10G
 Largest load-balancers today can support ~100G
 Large data centers need multi-Terabit load-balancing
 ITD can perform (ACL + VIP + Redirection + LB) on each packet at line-
rate.
 ITD also provides support for advertising the VIP to the network.
 ITD allows wild-card VIP and L4 port number
 Server health monitoring
 Eg, Load-balance traffic to 256 servers of 10G each.
 Weighted Load balancing to distribute load proportionately
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
14
ITD comparison with Traditional Load-balancer
Feature/Benefit
Traditional L4 loadbalancer
ITD
Number of moving parts
External appliance
needed
No appliance or service
module needed
Hardware
Typically Network
processor based
ASIC based
10G Server migration
Doesn’t scale
Scales well
Bandwidth
~100 Gb
~10 Tb
User can specify which bits to
use for load-balancing
Typically No
Yes
ACL + VIP + Redirection + LB
Performance
Degradation
Line-rate
Customer support needs to
look at switch only, or both the
switch and appliance
Both
Switch only
Wiring, Power, Rackspace,
Cost
Extra
Not needed
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
15
ITD Clustering: one-ARM mode Topology
src-ip
loadbalance
ITD
Clients
Po-5
Po-6
Po-7
Po-8
Note: the devices don’t have to be directly connected to Nexus switch
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
16
ITD Clustering: Sandwich Mode topology
Outside
Inside
dst-ip
loadbalance
src-ip
loadbalance
ITD
N7k-1
ITD
N7k-2
Clients
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
17
ITD Clustering: Sandwich Mode with NAT
Outside
Inside
dst-ip
loadbalance
src-ip
loadbalance
ITD
ITD
Src IP = VIP
Dest IP = Client
Src IP = Client N7k-1
Dest IP = VIP
Src IP = client IP
Dest IP = RS
N7k-2
Src IP = RS
Dest IP = Client
Clients
External
© 2010 Cisco and/or its affiliates. All rights reserved.
Internal
Mobile dev
Cisco Confidential
18
ITD Clustering: Sandwich Mode (two VDCs)
Outside
Inside
src-ip
loadbalance
dst-ip
loadbalance
Clients
ITD
ITD
VDC 1
VDC 2
Clients
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
19
ITD Clustering: one-ARM mode, VPC Topology
ITD
N7k-1
Po-1
© 2010 Cisco and/or its affiliates. All rights reserved.
ITD
N7k-2
Po-2
Po-3
Po-4
Cisco Confidential
20
ITD Load-balancing: VIP mode
ITD
Po-1
Po-2
Po-3
Clients
© 2010 Cisco and/or its affiliates. All rights reserved.
Loadbalancing
VIP:
210.10.10.100
Cisco Confidential
21
ITD: Load-balance selective Traffic (ACL + VIP + Redirect + LB)
Src-IP
loadbalance
Redirect
ACL to
select traffic
ITD
Select the
traffic destined
to VIP
Clients
Po-5
Po-6
Po-7
Po-8
Web-cache/video-cache/CDN
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
22
Traditional Data center (without ITD)
Outside
Firewall
LB
Clients
Inside
Server
L4 LB
Web
servers
© 2010 Cisco and/or its affiliates. All rights reserved.
Server
L4 LB
App
servers
Cisco Confidential
23
ITD enabled Data center
App
servers
Server
L4 LB
ITD
Firewall
LB
Server
L4 LB
Clients
Web
servers
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
24
N7K ITD: NAT with VIP
Client-1: 10.1.1.10
ITD
1
2
30.1.1.10
Po-1
Clients
4
Loadbalancing
VIP: 20.1.1.10
3
Step
dst-mac
src-mac
src-ip
dst-ip
1
N7K MAC
Router MAC
10.1.1.10
20.1.1.10
2
Server MAC
N7K MAC
10.1.1.10
30.1.1.10
3
N7K MAC
Server MAC
30.1.1.10
10.1.1.10
4
Router MAC
N7K MAC
20.1.1.10
10.1.1.10
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
25
N7K ITD: NAT With VIP Port
Client-1: 10.1.1.10
ITD
1
2
30.1.1.10
Po-1
Clients
4
Client-2: 10.1.1.20
VIP1 20.1.1.10 TCP80
VIP2 20.1.1.20 TCP443
NAT for Client-1: 10.1.1.10
30.1.1.20
NAT for Client-2: 10.1.1.20
dst-mac
src-mac
src-ip
dst-ip
1
N7K MAC
Router MAC
10.1.1.10
20.1.1.10 TCP 80
2
Server MAC
N7K MAC
10.1.1.10
3
N7K MAC
Server MAC
4
Router MAC
N7K MAC
© 2010 Cisco and/or its affiliates. All rights reserved.
3
dst-mac
src-mac
src-ip
dst-ip
1
N7K MAC
Router MAC
10.1.1.20
20.1.1.20 TCP443
30.1.1.10 TCP 80
2
Server MAC
N7K MAC
10.1.1.20
30.1.1.20 TCP443
30.1.1.10 TCP 80
10.1.1.10
3
N7K MAC
Server MAC
30.1.1.20 TCP 443
10.1.1.20
20.1.1.10 TCP 80
10.1.1.10
4
Router MAC
N7K MAC
20.1.1.20 TCP 443
10.1.1.20
Cisco Confidential
26
N7K ITD: NAT configuration:
 itd device-group webserver
node ip 30.1.1.10
node ip 30.1.1.20
 itd test
device-group webserver
virtual ip 20.1.1.10 tcp 80
virtual ip 20.1.1.20 tcp 443
nat destination
no shut
Note:
For reverse NAT translation (server IP to VIP), ITD uses the protocol/port configured part of VIP to
match the reverse traffic(server to client). This allows rest of the server to server, as well as server to
client traffic can work independently.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
27
ITD Clustering: Use with VMs
Web Server
210.10.10.100
Clients
ITD
VLAN 2000
e3/1
Cisco
UCS
vNIC / vSwitch
210.10.10.11
vNIC / vSwitch
210.10.10.12
vNIC / vSwitch
210.10.10.13
vNIC / vSwitch
vNIC / vSwitch
vNIC / vSwitch
210.10.10.14
VLAN 2000
220.10.10.10
© 2010 Cisco and/or its affiliates. All rights reserved.
220.10.10.20
220.10.10.30
220.10.10.40
Cisco Confidential
28
Feature Specs & Details
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
29
ITD Feature Sizing
Resource Type
Max
Limit
Nodes per Device Group
256
Ingress Interfaces per ITD service
512
VIP per ITD Service
16
Probes per VDC
500
Number of ITD Services per VDC
32
ITD Services per N7k
32 x
(#of
VDCs)
Note : These are for 6.2(10) NX-OS release.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
30
Configuration &
Troubleshooting
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
31
ITD: Enabling Feature
Command Syntax:
[no] feature itd
• Executed in CLI config mode
• Enables/Disables ITD feature
N7k# conf t
Enter configuration commands, one per line.
N7k(config)# feature itd
End with CNTL/Z.
N7k# sh feature | grep itd
itd
© 2010 Cisco and/or its affiliates. All rights reserved.
1
enabled
Cisco Confidential
32
ITD: Service Creation steps
 Three Primary steps to configure an ITD Service
① Create Device group
② Create ITD service
③ Attach Device group to ITD Service
NOTE:
•
ITD is a conditional feature and needs to be enabled via “feature itd”
•
EL2 license required
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
33
ITD: Creating a Device group
 Provide a template to group devices. Device Group contains:
① Node IP address
② Active or Standby mode of a node.
③ Probe to use for health monitoring of node
N7k(config)# itd device-group FW-INSPECT
N7k(config-device-group)# node ip 4.4.4.4
N7k(config-device-group)# node ip 5.5.5.5 mode hot-standby
 Creating a device group
 Configuring an active node
 Configuring standby node
N7k(config-device-group)# probe ?
icmp
ITD probe icmp
tcp
ITD probe tcp
udp
ITD probe udp
dns
ITD DNS probe
N7k(config-device-group)# probe icmp frequency 10 retry-count 5 timeout 3
N7k(config-device-group)# probe tcp port 80 frequency 10 retry-count 5 timeout 5
N7k(config-device-group)# probe udp port 53 frequency 10 retry-count 5 timeout 5
Note: for TCP/UDP probes, destination port number can be specified
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
34
ITD: Configuring Device Group
Command Syntax:
[no] itd device-group <device-group-name>
• Executed in CLI config mode
• Creates/Deletes Device Group
N7k(config)# feature itd
N7k(config)# itd device-group WEBSERVERS
N7k(config-device-group)# node ip 20.20.20.2
N7k(config-device-group)# node ip 20.20.20.3
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
35
ITD: Configuring Device Group
w/ group-level standby
Command Syntax:
[no] itd device-group <device-group-name>
• Executed in CLI config mode
• Creates/Deletes Device Group
N7k(config)# feature itd
N7k(config)# itd device-group WEBSERVERS
N7k(config-device-group)# node ip 20.20.20.2
N7k(config-device-group)# node ip 20.20.20.3
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
N7k(config-device-group)# node ip 20.20.20.6 mode hot-standby
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
36
ITD: Configuring Device Group
w/ node-level standby
Command Syntax:
[no] itd device-group <device-group-name>
• Executed in CLI config mode
• Creates/Deletes Device Group
N7k(config)# feature itd
N7k(config)# itd device-group WEBSERVERS
N7k(config-device-group)# node ip 20.20.20.2 standby 20.20.20.6
N7k(config-device-group)# node ip 20.20.20.3
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
37
ITD: Configuring Device Group
w/ weights for load distrbution
Command Syntax:
[no] itd device-group <device-group-name>
• Executed in CLI config mode
• Creates/Deletes Device Group
N7k(config)# feature itd
N7k(config)# itd device-group WEBSERVERS
N7k(config-device-group)# node ip 20.20.20.2 weight 2
N7k(config-device-group)# node ip 20.20.20.3 weight 4
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
38
ITD: Configuring Probe
Command Syntax:
[no] probe icmp [ frequency <freq> | timeout <timeout> |
retry-count <retry-count>]
[no] probe [tcp | udp] <port-num> [ frequency <freq> |
timeout <timeout> | retry-count <retry-count> ]
• Executed in CLI config mode
• Executed as sub-mode of ITD device-group CLI
• Used for health monitoring of nodes
N7k(config)# itd device-group WEBSERVERS
N7k(config-device-group)# node ip 20.20.20.2
N7k(config-device-group)# node ip 20.20.20.3
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
N7k(config-device-group)# probe icmp
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
39
ITD: Creating ITD Service
ITD service attributes:


device-group
 Associate Device Group with service

ingress interface
 Specify list of ingress interfaces

load-balance
 Select Load distribution method

virtual
 Configuring virtual IP
N7k(config)# itd <service-name> ?
device-group
ITD device group
failaction
ITD failaction
ingress
ITD Ingress interface
load-balance
ITD Loadbalance scheme
peer
Peer for sandwich mode
virtual
ITD virtual ip configuration
vrf
ITD service vrf
nat
Network Address Translation
N7k(config-itd)# load-balance method ?
dst
Destination based parameters
src
Source based parameters
N7k(config-itd)# load-balance method src ?
ip
IP
ip-l4port
IP and L4 port
N7k(config-itd)# virtual ip 4.4.4.4 255.255.255.255 ?
advertise
Advertise
tcp
TCP Protocol
udp
UDP Protocol
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
40
ITD: Configuring a Service
Command Syntax:
[no] itd <service-name>
• Executed in CLI config mode
• Creates/Deletes ITD service
N7k(config)# itd WebTraffic
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
41
ITD: Configuring Ingress Interface
Command Syntax:
[no] ingress interface <interface 1>, <interface 2>,
<interface range>
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Specify list of ingress interfaces for ITD service
N7k(config)# itd WebTraffic
N7k(config-itd)# ingress interface e3/1, e4/1-10
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
42
ITD: Associating Device Group
Command Syntax:
[no] device-group <device group name>
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Specify Device Group to associate with ITD service
N7k(config)# itd WebTraffic
N7k(config-itd)# ingress interface e3/1, e4/1-10
N7k(config-itd)# device-group WEBSERVERS
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
43
ITD: Configuring Loadbalance method
Command Syntax:
[no] load-balance method [src | dst ] [ip | ip-l4port [tcp |
udp] range start end]]
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Specify Loadbalancing method
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
load-balance method src ip
Cisco Confidential
44
ITD: Configuring Loadbalance buckets
Command Syntax:
[no] load-balance method [src | dst] buckets <bucket>
mask-position <mask>
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Specify Loadbalancing method
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
load-balance buckets 16
Cisco Confidential
45
Loadbalance Bucket
• Load balance bucket option provides user to specify the number of ACLs
created per service.
• The bucket value must be configured in powers of 2.
• When buckets are configured more than the configured Active nodes,
the buckets are applied in Round Robin.
• Bucket configuration is optional, by default the value is computed based
on the number of configured nodes.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
46
ITD: Configuring Loadbalance mask-position
Command Syntax:
[no] load-balance mask-position <mask>
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Specify Loadbalancing method
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
load-balance mask-position 8
Cisco Confidential
47
ITD: Configuring VIP
Command Syntax:
[no] virtual [ip | ipv6] <ip-address> [<net mask> |
<prefix>] [ip | tcp <port-num> | udp <port-num> ]
[advertise enable| disable]
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Used to host VIP on N7k
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
loadbalance method src-ip
virtual ip 210.10.10.100 255.255.255.255
Cisco Confidential
48
ITD: Configuring VIP with advertise
Command Syntax:
[no] virtual [ip | ipv6] <ip-address> [<net mask> |
<prefix>] [ip | tcp <port-num> | udp <port-num> ]
[advertise enable| disable]
•
•
•
•
•
Executed in CLI config mode
Executed as sub-mode of ITD service CLI
Used to host VIP on N7k, with advertise enable
Advertise enable is RHI for ITD, creates static routes for the configured VIP
The static routes can be redistributed, based on user configured routing protocol.
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
loadbalance method src-ip
virtual ip 210.10.10.100 255.255.255.255 advertise enable
Cisco Confidential
49
ITD: Configuring VIP with NAT
Command Syntax:
[no] nat destination
• Executed in CLI config mode
• Executed as sub-mode of ITD service CLI
• Used to translate destination-IP to VIP
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
loadbalance method src-ip
virtual ip 210.10.10.100 255.255.255.255 advertise enable
nat destination
Cisco Confidential
50
ITD: Configuring failaction node reassign
Command Syntax:
[no] failaction node reassign
•
•
•
•
•
Executed in CLI config mode
Executed as sub-mode of ITD service CLI
Used to reassign traffic to an Active node, on a node failure
ITD probe configuration is mandatory, also supported only for IPv4 addresses.
Once the failed node comes back, the recovered node starts getting traffic
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
© 2010 Cisco and/or its affiliates. All rights reserved.
WebTraffic
ingress interface e3/1, e4/1-10
device-group WEBSERVERS
failaction node reassign
Cisco Confidential
51
Failaction node reassign contd.
 Failaction reassign with Standby
• When the node goes down/probe failed, the traffic would be reassigned to
the first available Active node.
• When the node comes up/probe success from failed state, the node that
came up will start handling the connections.
• If all the nodes are down, the packets will be get routed automatically.
 Failaction reassign without Standby
•
When the node goes down/probe failed, and if there is a working Standby
node traffic is directed to the first available Standby node.
• When all nodes are down, including the Standby node. The traffic will be
reassigned to the first Available Active Nodes.
• When the node comes up/probe success from failed state, the node that
came up will start handling the connections.
• If all the nodes are down, the packets will be get routed automatically.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
52
No Failaction reassign
 With Probe
• ITD probe can detect the node failure or service reachability and brings
down the node.
• When the Node is failed, and Standby is configured. The standby node will
take over the connections.
• Node is failed and there is no Standby configuration. On failure, the traffic
would get routed and does not get reassigned, as failaction is not
configured.
• Once the Node recovers, and the recovered node starts handling the traffic.
 Without probe
• Without probe configuration, ITD cannot detect the node failure.
• When the Node is down, ITD does not reassign or redirect the traffic to a
different Active node
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
53
ITD : failaction node reassign
Failaction mode:
Bypass(default)
Or Reassign
Probe
Standby Behavior on node failure
configure configur
d (Y/N)
ed (Y/N)
Behavior on both node and
Standby failure
Bypass
N
N
Traffic gets routed
Traffic gets routed
Bypass
N
Y
Redirected to Standby
Traffic gets routed
Bypass
Y
N
Traffic gets routed
Traffic gets routed
Bypass
Y
Y
Redirected to Standby
Traffic gets routed
Reassign
N
N
Traffic gets routed
Traffic gets routed
Reassign
N
Y
Redirected to Standby
Traffic gets routed
Reassign
Y
N
Reassign
Y
Y
Redirected to first available
Active node.
Redirected to Standby
Redirected to first available
Active node.
Redirected to first available
Active node.
Note: When failed node comes back, resumes redirecting to the node.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
54
ITD: Configure a Service
N7k-1 Configuration
N7k-1(config)# feature itd
20.20.20.2
N7k-1(config)# device-group FW-INSPECT
120.20.20.2
N7k-1(config-device-group)# node ip 20.20.20.2
ITD
Service
N7k-1(config-device-group)# node ip 20.20.20.3
ITD
Service
N7k-1(config-device-group)# probe icmp
N7k-1(config)# itd WebTraffic
N7k-1(config-itd)# ingress interface e3/1
N7k-1(config-itd)# device-group FW-INSPECT
e 3/1
e 3/2
N7k-1
N7k-2
N7k-1(config-itd) load-balance method src ip
N7k-1(config-itd)# no shut
N7k-2 Configuration
N7k-2(config)# feature itd
N7k-2(config)# device-group FW-INSPECT
N7k-2(config-device-group)# node ip 120.20.20.2
N7k-2(config-device-group)# node ip 120.20.20.3
N7k-2(config-device-group)# probe icmp
N7k-2(config-itd)# itd WebTraffic
N7k-2(config-itd)# ingress interface e3/2
N7k-2(config-itd)# device-group FW-INSPECT
20.20.20.3
120.20.20.3
Configuration Steps:
① Enable ITD feature on both N7k
② Configure a Device Group
③ Configure an ITD Service
a) Configure Service Name
b) Specify Ingress Interface
c) Associate Device Group
d) Specify Load Distribution Scheme
e) Activate ITD Service
N7k-2(config-itd)# load-balance method dst ip
N7k-2(config-itd)# no shut
© 2010 Cisco and/or its affiliates. All rights reserved.
DONE
Cisco Confidential
55
ITD: Complete Service Configuration
N7k-1(config)# feature itd
N7k-1(config)# device-group FW-INSPECT
N7k-1(config-device-group)# node ip 20.20.20.2
20.20.20.2
120.20.20.2
N7k-1(config-device-group)# node ip 20.20.20.3
N7k-1(config-device-group)# probe icmp
N7k-1(config)# itd WebTraffic
ITD
Service
N7k-1(config-itd)# ingress interface e3/1
ITD
Service
N7k-1(config-itd)# device-group FW-INSPECT
N7k-1(config-itd) load-balance method src ip
N7k-1(config-itd)# no shut
e 3/1
e 3/2
N7k-1
N7k-2
N7k-2(config)# feature itd
N7k-2(config)# device-group FW-INSPECT
N7k-2(config-device-group)# node ip 120.20.20.2
20.20.20.3
120.20.20.3
N7k-2(config-device-group)# node ip 120.20.20.3
N7k-2(config-device-group)# probe icmp
N7k-2(config-itd)# itd WebTraffic
N7k-2(config-itd)# ingress interface e3/2
N7k-2(config-itd)# device-group FW-INSPECT
N7k-2(config-itd)# load-balance method dst ip
N7k-2(config-itd)# no shut
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
56
ITD: RACL + ITD Loadbalancing Configuration
N7K Configuration
N7k(config)# ip access-list test
N7k(config-acl)# permit ip 1.1.1.1/32 2.2.2.2/16
N7k(config-acl)# permit ip 3.3.3.3/20 4.4.4.4/32
N7k(config-acl)# end
N7k(config)# int e3/1
N7k(config-if)# ip access-group test in
N7k(config-if)# end
3 simple steps to
configure RACL + ITD
1. Configure Access list
and apply on ingress
interface
N7k(config)# feature itd
N7k(config)# itd device-group FW-INSPECT
N7k(config-device-group)# node ip 20.20.20.2
N7K(config-device-group)# node ip 20.20.20.3
N7k(config-device-group)# probe icmp
N7k(config-device-group)# end
N7k(config)# itd
N7k(config-itd)#
N7k(config-itd)#
N7k(config-itd)#
WebTraffic
ingress interface e3/1
device-group FW-INSPECT
no shut
2. Configure Device
group
3. Create ITD service
Show run interface
57
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
57
ITD: VIP Service Configuration
N7k(config)# feature itd
20.20.20.2
N7k(config)# device-group WEB-SERVERS
N7k(config-device-group)# node ip 20.20.20.2
N7k(config-device-group)# node ip 20.20.20.3
ITD
20.20.20.3
N7k(config-device-group)# node ip 20.20.20.4
N7k(config-device-group)# node ip 20.20.20.5
N7k(config-device-group)# probe icmp
N7k(config)# itd WebTraffic
e 3/1
e 3/2
Loadbalancing
VIP:
210.10.10.100
20.20.20.4
N7k(config-itd)# ingress interface e3/1, e3/2
N7k(config-itd)# device-group WEB-SERVERS
N7k(config-itd)# virtual 210.10.10.100 255.255.255.255
20.20.20.5
N7k(config-itd)# no shut
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
58
DCNM : ITD Template support
ITD is supported in DCNM as a template
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
59
DCNM : Example ITD configuration
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
60
DCNM : Generated ITD configuration
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
61
Additional Information
Mailing Lists
• [email protected]
• [email protected]
CDETS
• Project: CSC.datacenter Product: n7k-platform Component: itd
•Config guide:
www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nxos/itd/configuration/guide/b-Cisco-Nexus-7000-Series-IntelligentTraffic-Director-Configuration-Guide-Release-6x.html
•Command reference:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nxos/itd/command/reference/n7k_itd_cmds/itd_cmds.html
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
62
Questions & Answers
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
63
Intelligent Traffic Director
(ITD)
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
64
Case Study 1: ITD Clustering with Load-balancers
Clients
Web Server
20.20.20.2 - 20.20.20.254
210.10.10.100
ITD
service
e3/1
VLAN 2000
IXIA
Cisco
UCS
vNIC / vSwitch
210.10.10.11
vNIC / vSwitch
210.10.10.12
vNIC / vSwitch
vNIC / vSwitch
210.10.10.13
210.10.10.14
vNIC / vSwitch
vNIC / vSwitch
VLAN 2000
220.10.10.10
© 2010 Cisco and/or its affiliates. All rights reserved.
220.10.10.20
220.10.10.30
220.10.10.40
Cisco Confidential
65
Case Study 2: ITD Clustering with WAF appliances
Clients
Web Server
20.20.20.2 - 20.20.20.254
210.10.10.100
ITD
service
e3/1
VLAN 2000
IXIA
Cisco
UCS
vNIC / vSwitch
210.10.10.1
1
vNIC / vSwitch
210.10.10.1
2
vNIC / vSwitch
210.10.10.1
3
vNIC / vSwitch
vNIC / vSwitch
vNIC / vSwitch
210.10.10.1
4
VLAN 2000
220.10.10.10
© 2010 Cisco and/or its affiliates. All rights reserved.
220.10.10.20
220.10.10.30
220.10.10.40
Cisco Confidential
66
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
67
Case-study 3 : VDS-TC-16B Network design (Blade Type)
4x 10GE
(Twinax 3m )
Nexus
7706
Internet
4x40GE
Uplinks
UCS
6248
FI
16 x 2 x
10GE
(Twinax 3m)
Distribution
VDC
4x40GE
Uplinks
4x 10GE
(Twinax 3m )
IOM
UCS
6248
FI
IOM
IOM
VDS-TC-16B cluster #2
UCS
6248
FI
IOM
4 x 8 x 10GE
(Twinax 3m)
IOM
16 x 2 x 10GE
(Twinax 3m)
UCS
6248
FI
Client
4x 10GE
(Twinax 3m )
© 2010 Cisco and/or its affiliates. All rights reserved.
IOM
4 x 8 x 10GE
(Twinax 3m)
Cache
B200 x 8
Cache
Cache
B200 x 8
Cache
5x IBM
Storage
DS3524
Nexus
2248TP
4x 10GE
(Twinax 3m )
Cache Mgr
UCS C220
Nexus
2248TP
4x
40GE
VDC#2
VDS-TC-16B cluster #1
Nexus
2248TP
VDC#1
4x
40GE
1x Analytics
UCS C240
IOM
IOM
Cache
B200 x 8
Cache
Cache
B200 x 8
Cache
4x 10GE
(Twinax 3m )
5x IBM
Storage
DS3524
Nexus
2248TP
Cache Mgr
UCS C220
Cisco Confidential
68
ITD comparison with Port-channel, ECMP, PBR
Feature/Benefit
Port Channel
ECMP
PBR
ITD
Link Failure detection
✓
✓
✓
✓
Appliance/server failure detection
✗
✗
✓
✓
Weighted load-balancing
✗
✗
✗
✓
NAT
✗
✗
✗
VIP, advertisement
✗
✗
✗
✓
Auto re-configuration of N7k (s) in case of
failures
✗
✗
✗
✓
Hot standby support – N+M redundancy
✗
✗
✗
✓
Resilient: Non-Disruptive to existing flows
✗
✗
✗
✓
Quick failure detection/convergence
✗
✗
✗
✓
Max # of nodes for scaling
16
16
16
256
Ease of configuration, troubleshooting
✗
✗
✗
✓
✗
(complex)
✗
(complex)
✗
(complex)
✓
(simple)
Avoid Traffic Black-holing in Sandwich
Mode Topology
✗
✗
✗
✓
Adaptive flow distribution, auto-sync for
bi-directional flow coherency
© 2010 Cisco and/or its affiliates. All rights reserved.
✗
✗
✗
✓69
Deployment complexity
✓(soon)
post 6.2(10)
Cisco Confidential
69
ITD comparison with WCCP
Feature/Benefit
N7k WCCP
N7k ITD
Appliance is unaware of the protocol
No
Yes
Protocol support
IPv4
IPv4, IPv6
Number of TCAM entries
(say, 100 SVI, 8 nodes, 20 ACEs)
Very High
16000
Very low
160
Weighted load-balancing
No
Yes
User can specify which bits to use for load-balancing
No
Yes
Number of nodes
32
256
Support for IPSLA probes
No
Yes
Support for Virtual IP
No
Yes
Support for L4-port load-balancing
No
Yes
Capability to choose src or dest IP for load-balancing
No
Yes
Customer support needs to look at switch only, or
both the switch and appliance
Both
Switch only
Adaptive flow distribution
No
Yes (post 6.2.8)
Sup CPU Overhead
High
None
Egress ACL
Yes
Yes (post 6.2.8)
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
70
ITD comparison with Traditional Load-balancer
Feature/Benefit
Traditional L4 loadbalancer
ITD
Number of moving parts
External appliance
needed
No appliance or service
module needed
Hardware
Typically Network
processor based
ASIC based
10G Server migration
Doesn’t scale
Scales well
Bandwidth
~100 Gb
~10 Tb
User can specify which bits to
use for load-balancing
Typically No
Yes
ACL + VIP + Redirection + LB
Performance
Degradation
Line-rate
Customer support needs to
look at switch only, or both the
switch and appliance
Both
Switch only
Wiring, Power, Rackspace,
Cost
Extra
Not needed
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
71
ITD Benefits Summary
Feature/Benefit
Manual Config
SDN
ITD
Link Failure detection
✓
✓
✓
Appliance failure detection
✗
✓
✓
Adaptive flow distribution
✗
✗
✓
Auto re-configuration of N7k (s)
✗
✓
✓
Hot standby support – N+M redundancy
✗
✓
✓
Non-Disruption of existing flows
✓
✗
✓
Works without an external device/controller
✓
✗
✓
✗
(slow)
✓
(Faster)
Quick failure detection/convergence
✗
(slowest)
Introduces additional point of failure
(besides N7k/appliance)
✓
✗
(controller)
✓
8/16
8/16
No limit
Ease of troubleshooting
✗
✗
✓
Deployment complexity
✗
(complex)
✗
(complex)
✓
(simple)
✗
✗
✓
✗
(Not granular)
✗
(Not granular)
Max #of nodes for scaling
Automatic handling of route changes
Error reporting
© 2010 Cisco and/or its affiliates. All rights reserved.
✓
(granular)72
Cisco Confidential
72
Show CLI: “show itd”
switch# sh itd
Name
Probe LB Scheme Status
Buckets
-------------- ----- ---------- -------- ------WEB
ICMP src-ip
ACTIVE
2
Device Group
VRF-Name
-------------------------------------------------- ------------WEB-SERVERS
Pool
Interface
Status Track_id
------------------------------ ------------ ------ --------WEB_itd_pool
Eth3/3
UP
3
Virtual IP
Netmask/Prefix Protocol
Port
------------------------------------------------------ ------------ ---------210.10.10.100 / 255.255.255.255
IP
0
Node IP
Config-State Weight Status
Track_id Sla_id
------------------------- ------------ ------ ---------- --------- --------1
210.10.10.11
Active
1
OK
1
10001
Bucket List
----------------------------------------------------------------------WEB_itd_vip_1_bucket_1
Node IP
Config-State Weight Status
Track_id Sla_id
------------------------- ------------ ------ ---------- --------- --------2
210.10.10.12
Active
1
OK
2
10002
Bucket List
----------------------------------------------------------------------WEB_itd_vip_1_bucket_2
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
73
Show CLI: “show itd statistics”
switch# sh itd WAF statistics
Service
Device Group
VIP/mask
#Packets
---------------------------------------------------------------------------------------WAF
WAF
50.50.50.49/255.255.255.255
662328271(100.00%)
Traffic Bucket
Assigned to
Mode
Original Node
#Packets
---------------------------------------------------------------------------------------WAF_itd_vip_1_bucket_1
50.50.50.11
Redirect
50.50.50.11
329348870(49.73%)
WAF_itd_vip_1_bucket_2
50.50.50.21
Redirect
50.50.50.21
332979401(50.27%)
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
74
Show CLI for IPv6: “show itd”
switch(config)# show itd
Name
Probe LB Scheme Status
Buckets
---------- ----- ---------- -------- ------WEB-SERVERS N/A
src-ip
ACTIVE
8
Device Group
-------------------------------------------------IPV6_SERVER_FARM
Pool
Interface
Status Track_id
------------------------------ ------------ ------ --------WEB-SERVERS_itd_pool
Eth6/13
UP
9
Node IP
Config-State Status
Track_id Sla_id
----------------------------------------------------- ------------ ---------- --------- --------1
100:100::100:100
Active
OK
None
None
Bucket List
--------------------------------------------------------------------------WEB-SERVERS_itd_bucket_1
WEB-SERVERS_itd_bucket_5
Node IP
Config-State Status
Track_id Sla_id
----------------------------------------------------- ------------ ---------- --------- --------2
200:200::200:200
Active
OK
None
None
Bucket List
--------------------------------------------------------------------------WEB-SERVERS_itd_bucket_2
WEB-SERVERS_itd_bucket_6
Node IP
Config-State Status
Track_id Sla_id
----------------------------------------------------- ------------ ---------- --------- --------3
300:300::300:300
Active
OK
None
None
Bucket List
--------------------------------------------------------------------------WEB-SERVERS_itd_bucket_3
WEB-SERVERS_itd_bucket_7
Node IP
Config-State Status
Track_id Sla_id
----------------------------------------------------- ------------ ---------- --------- --------4
500:500::500:500
Active
OK
None
None
Bucket List
--------------------------------------------------------------------------WEB-SERVERS_itd_bucket_4
WEB-SERVERS_itd_bucket_8
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
75
• Load-balance traffic to 256 servers of 10Gbps each
• Load-balance to cluster of Firewalls
• Scale up NG IPS and WAF by load-balancing to standalone devices
• Scale the WAAS / WAE solution
• Scale the VDS-TC (video-caching) solution
• Replace ECMP/Port-channel to avoid re-hashing. ITD is resilient
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
76
Case Study 1: ITD Clustering with Load-balancers
Clients
Web Server
20.20.20.2 - 20.20.20.254
210.10.10.100
ITD
service
e3/1
VLAN 2000
IXIA
Cisco
UCS
vNIC / vSwitch
210.10.10.11
vNIC / vSwitch
210.10.10.12
vNIC / vSwitch
vNIC / vSwitch
210.10.10.13
210.10.10.14
vNIC / vSwitch
vNIC / vSwitch
VLAN 2000
220.10.10.10
© 2010 Cisco and/or its affiliates. All rights reserved.
220.10.10.20
220.10.10.30
220.10.10.40
Cisco Confidential
77
Case Study 2: ITD Clustering with WAF appliances
Clients
Web Server
20.20.20.2 - 20.20.20.254
210.10.10.100
ITD
service
e3/1
VLAN 2000
IXIA
Cisco
UCS
vNIC / vSwitch
210.10.10.1
1
vNIC / vSwitch
210.10.10.1
2
vNIC / vSwitch
210.10.10.1
3
vNIC / vSwitch
vNIC / vSwitch
vNIC / vSwitch
210.10.10.1
4
VLAN 2000
220.10.10.10
© 2010 Cisco and/or its affiliates. All rights reserved.
220.10.10.20
220.10.10.30
220.10.10.40
Cisco Confidential
78
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
79