Contents
- NSH Service Chaining
- Information About NSH-Service-Chaining
- NSH Service Chaining
- Benefits of Using NSH Service Chaining
- How to Configure NSH-Service-Chaining
- Configuring Service Function Forwarder
- Configuring Service Function
- Configuring Service Path
- Configuring Service-Chain Policy
- Applying Service-Chain Policy to an Interface
- Use Cases for NSH Service Chaining
- Dynamic Service Insertion
- Service Chaining to Internet
- Troubleshooting Tips
- Conditional Debugging
- Additional References for NSH Service Chaining
- Feature Information for NSH Service Chaining
NSH Service Chaining
Service chaining allows multiple service nodes to be included in a service path so that the packets that belong to a particular flow can travel through all the virtual service nodes in the service chain. The NSH Service Chaining feature uses Network Service Header (NSH), a service plane protocol, to create dynamic service chains. NSH Service Chaining allows you to place and dynamically add services anywhere in the network, and gives flexibility in the network for service provisioning.
Information About NSH-Service-Chaining
NSH Service Chaining
In common deployment models, Service Functions (SFs) are inserted into the data-forwarding path of peers communicating with each other. With service chaining, however, SFs are not required to be located on the direct data path; instead, the network traffic is routed through the required SFs, wherever they are deployed.
Classification
NSH Service Chaining allows traffic flows to be classified so that only the desired flows are passed to the service. Moreover, classification enables network traffic to be dynamically moved to different service functions and service function paths without the need for major configuration changes or topology rewiring.
Network Service Header (NSH)
NSH is added to network traffic, in the packet header, to create a dedicated service plane that is independent of the underlying transport control protocol. In general, NSH contains path identification information, which is needed to realize a service path. In addition, NSH adds the metadata information about the packet, service chain or both to an IP packet, depending on the header type configured.
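The path identification and metadata fields described above become concrete when a header is decoded. The following is an added example, not taken from the Cisco documentation: it assumes the RFC 8300 header layout, which this page does not spell out, and the names parse_nsh and sample_packet as well as the packet bytes are constructed for illustration.

```python
import struct

NEXT_PROTOCOL = {0x1: "IPv4", 0x2: "IPv6", 0x3: "Ethernet", 0x4: "NSH", 0x5: "MPLS"}

def parse_nsh(buf):
    """Decode the NSH base and service path headers (RFC 8300 layout assumed)."""
    if len(buf) < 8:
        raise ValueError("truncated: base + service path headers need 8 bytes")
    base, path = struct.unpack("!II", buf[:8])
    hdr = {
        "version": base >> 30,
        "oam": bool((base >> 29) & 0x1),
        "ttl": (base >> 22) & 0x3F,
        "length": ((base >> 16) & 0x3F) * 4,   # field counts 4-byte words
        "md_type": (base >> 8) & 0xF,          # selects the metadata format
        "next_protocol": NEXT_PROTOCOL.get(base & 0xFF, "unknown"),
        "service_path_id": path >> 8,          # 24-bit path identifier
        "service_index": path & 0xFF,          # 8-bit position within the path
    }
    if hdr["version"] != 0:
        raise ValueError("unsupported NSH version")
    if hdr["length"] < 8 or hdr["length"] > len(buf):
        raise ValueError("length field does not fit the captured bytes")
    if hdr["md_type"] == 1 and hdr["length"] != 24:
        raise ValueError("MD Type 1 carries a fixed 16-byte context header")
    hdr["metadata"] = buf[8:hdr["length"]]
    hdr["payload"] = buf[hdr["length"]:]
    return hdr

def sample_packet():
    """Constructed header: path 20, index 255, MD Type 1, IPv4 payload byte."""
    base = (63 << 22) | (6 << 16) | (1 << 8) | 0x1
    return struct.pack("!II", base, (20 << 8) | 255) + bytes(16) + b"\x45"

if __name__ == "__main__":
    print(parse_nsh(sample_packet()))
```

Rejecting headers whose length field disagrees with the captured bytes keeps a monitoring tool from reading metadata or payload at the wrong offset.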
Enterprise Policy Application (EPA)
The NSH Service Chaining feature can be configured either by using the Command Line Interface (CLI), or by using Enterprise Policy Application (EPA). EPA is an application that is hosted on controllers such as Application Policy Infrastructure Controller Enterprise Module (APIC-EM). You can use the EPA GUI to configure a service chain based on services available in the network and apply a classifier to that chain. This information is then pushed to the controller (APIC-EM) to be applied to the network.
Benefits of Using NSH Service Chaining
NSH Service Chaining provides the following benefits:
- Agility: Services can be placed anywhere in the network, and dynamically added.
- Service provisioning: NSH service chaining need not be provisioned for peak traffic. Traffic types are classified so that only the desired flows are passed to the service.
- Flexibility: Easy to implement across a range of devices, both physical and virtual.
- Topological Independence: Network traffic can be dynamically moved to different service functions without requiring any changes to the network topology.
How to Configure NSH-Service-Chaining
Configuring Service Function Forwarder
To configure local Service Function Forwarder:
service-chain service-function-forwarder local
 description local sff
 ip address 10.1.108.23
To configure remote Service Function Forwarder:
service-chain service-function-forwarder abc
 ip address 10.10.108.1
Verifying the Service Function Forwarder Configuration
Use the show service-chain sff command to verify the SFF configuration.
Device# show service-chain sff all statistics
Service-Chaining SFF(local) Statistics
Count
...........................................
Sent:
 Packets diverted: 39
 Packets copied : 0
 Packets dropped : 0
Service-Chaining SFF(abc) Statistics
Count
-----------------------
Sent:
 Packets diverted: 0
 Packets copied : 0
 Packets dropped : 0
Configuring Service Function
To configure a Service Function (SF):
service-chain service-function load-balance
 description load-balancer VM
 ip address 10.1.108.45
 encapsulation gre
Configuring Service Path
To configure service path:
service-chain service-path 20
 service-index 2 service-function load-balance
Configuring Service-Chain Policy
To configure service-chain policy:
access-list 103 permit ip any any
class-map match-all all-ip
 match access-group 103
!
policy-map type service-chain dynamic
 class all-ip
  forward service-path 20 service-index 2
Applying Service-Chain Policy to an Interface
To apply service-chain policy to an interface:
interface GigabitEthernet1
 description Lab 10.1.108.0 on VMNet4
 ip address 10.1.108.23 255.255.255.0
 service-policy type service-chain input dynamic
Use Cases for NSH Service Chaining
Dynamic Service Insertion
Service functions can be inserted or deleted dynamically in a branch network. See the following figure for an illustration of dynamic service insertion scenario.
The following example shows how to configure the dynamic service insertion scenario:
Service Chain Configuration
service-chain service-function-forwarder local
 description local sff
 ip address 10.1.108.23
service-chain service-function waas
 description waas-lan
 ip address 10.1.108.45
 encapsulation gre
service-chain service-function load-balance
 description Load Balancer VM
 ip address 10.1.108.46
 encapsulation gre
service-chain service-path 20
 service-index 255 service-function waas
 service-index 254 service-function load-balance
 service-index 253 terminate
Service Classifier Configuration
access-list 103 permit ip any any
class-map match-all all-ip
 match access-group 103
policy-map type service-chain dynamic
 class all-ip
  forward service-path 20 service-index 255
interface GigabitEthernet1
 description Lab 10.1.108.0 on VMNet4
 ip address 10.1.108.23 255.255.255.0
 service-policy type service-chain input dynamic
Service Chaining to Internet
You can classify the traffic destined for or originating from the Internet, and pass the traffic through a set of security features without disrupting traffic on the branch network. See the following figure for an illustration of service chaining to Internet.
The following example shows how to configure service chaining to the Internet:
Service Chain Configuration
service-chain service-function-forwarder local
 description local sff
 ip address 10.1.108.23
service-chain service-function wireshark
 description Wireshark VM
 ip address 10.1.108.45
 encapsulation gre
service-chain service-function firewall
 ip address 10.1.108.19
 encapsulation none
service-chain service-function firewall-out
 ip address 10.40.108.19
 encapsulation none
service-chain service-path 40
 service-index 255 service-function wireshark
 service-index 254 service-function firewall
 service-index 253 terminate
service-chain service-path 41
 service-index 255 service-function firewall-out
 service-index 254 terminate
Service Classifier Configuration
access-list 103 permit ip any any
class-map match-all all-ip
 match access-group 103
policy-map type service-chain dia
 class all-ip
  forward service-path 40 service-index 255
policy-map type service-chain dia-out
 class all-ip
  forward service-path 41 service-index 255
interface GigabitEthernet1
 description Lab 10.1.108.0 on VMNet4
 ip address 10.1.108.23 255.255.255.0
 service-policy type service-chain input dia
interface GigabitEthernet2
 description FW WAN side
 ip address 10.40.108.23 255.255.255.0
 service-policy type service-chain input dia-out
Troubleshooting Tips
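Before turning to debugging, the name and number cross-references in a service-chain configuration (service functions used by paths, paths used by classifiers, policies applied to interfaces) can be checked offline. The following is an added example, not Cisco code: the audit function, its finding strings, and the sample text (constructed from the Internet use case above with one deliberate typo) are assumptions of this example, and it expects configuration with one command per line and indented sub-commands.

```python
import re

# Constructed sample modelled on the Internet use case above. Deliberate typo:
# path 40 references "firewal", so the defined "firewall" is never traversed.
SAMPLE = """\
service-chain service-function wireshark
service-chain service-function firewall
service-chain service-path 40
 service-index 255 service-function wireshark
 service-index 254 service-function firewal
 service-index 253 terminate
policy-map type service-chain dia
 class all-ip
  forward service-path 40 service-index 255
interface GigabitEthernet1
 service-policy type service-chain input dia
"""

HOP = r"service-index (\d+) (?:service-function (\S+)|terminate)"
def audit(config):
    """Return reference errors found in service-chain configuration text."""
    sfs, used, paths, policies = set(), set(), {}, set()
    forwards, applied, hops, findings = [], [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            hops = None  # a top-level command closes the open service-path block
        if m := re.fullmatch(r"service-chain service-function (\S+)", line):
            sfs.add(m[1])
        elif m := re.fullmatch(r"service-chain service-path (\d+)", line):
            hops = paths.setdefault(m[1], {})
        elif hops is not None and (m := re.fullmatch(HOP, line)):
            hops[m[1]] = m[2]  # None marks the terminate entry
        elif m := re.fullmatch(r"policy-map type service-chain (\S+)", line):
            policies.add(m[1])
        elif m := re.fullmatch(r"forward service-path (\d+) service-index (\d+)", line):
            forwards.append((m[1], m[2]))
        elif m := re.fullmatch(r"service-policy type service-chain input (\S+)", line):
            applied.append(m[1])
    for pid, entries in paths.items():
        for idx, sf in entries.items():
            if sf is not None:
                used.add(sf)
                if sf not in sfs:
                    findings.append(f"path {pid} index {idx}: undefined service-function {sf}")
    findings += [f"service-function {s} is not in any service path" for s in sorted(sfs - used)]
    findings += [f"policy forwards to missing path {p} index {i}" for p, i in forwards if i not in paths.get(p, {})]
    findings += [f"interface applies undefined policy {n}" for n in applied if n not in policies]
    return findings
```

Calling audit(SAMPLE) reports both the undefined name in path 40 and the firewall service function that no path uses; an empty list means every reference resolved.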
Conditional Debugging
The NSH Service Chaining feature uses conditional debugging to troubleshoot problems on the IOS-XE data plane side.
Conditional Debugging allows you to selectively enable debugging and logging for the feature based on the set of conditions you define.
Before You Begin
You need to understand this sequence of steps before you start conditional debugging on your system:
Defining Conditions
debug platform condition feature service-chain controlplane level verbose
debug platform condition feature service-chain dataplane submode all level verbose
Enabling Conditional Debugging
debug platform condition [ingress | both]
Starting Conditional Debugging
debug platform condition start
Stopping Conditional Debugging
debug platform condition stop
The debug logs are stored in the platform shell of the specific Forwarding Processor (FP).
Verifying Conditional Debugging
show platform conditions
Note
Use the clear debug platform condition all command to remove the debug conditions applied to the platform.
Additional References for NSH Service Chaining
Related Documents
Related Topic: Cisco IOS commands
Document Title: Cisco IOS Wide-Area Networking Command Reference
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for NSH Service Chaining
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for NSH Service Chaining
Feature Name: NSH Service Chaining
Releases: Cisco IOS XE Denali 16.3.1
Feature Information: Service chaining allows multiple service nodes to be included in a service path so that the packets that belong to a particular flow can travel through all the virtual service nodes in the service chain. NSH Service Chaining feature uses Network Service Header (NSH), a service plane protocol, to create dynamic service chains. NSH Service Chaining allows you to place and dynamically add services anywhere in the network, and gives flexibility in the network for service provisioning. The following commands were introduced or modified by this feature: service-chain service-function-forwarder.