Introduction
This document describes the configuration and validation of Intelligent Traffic Director (ITD) on the Nexus 9000 platform.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
- N9K-C9372PX
- 7.0(3)I2(2a)
- Network Services License
- 7.0(3)I1(2) or later
- Cisco Nexus 9372PX, 9372TX, 9396PX, 9396TX, 93120TX, and 93128TX switches
- Cisco Nexus 9500 Series switches with Cisco Nexus X9464PX, X9464TX, X9564PX, and X9564TX line cards
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Network Diagram
Consider this topology. Traffic that comes from the host in VLAN 39 destined to www.google.com would normally ingress the Nexus 9000 and be forwarded to the next hop in the routing table on VLAN 800. However, the customer wants to redirect this traffic that comes in on VLAN 39 to the web proxy device (40.40.40.2) before it is ultimately forwarded toward the Internet Service Provider (ISP). This deployment model is commonly referred to as One-Arm Deployment Mode.
F340.10.26-N9K-C9372PX-1# sh running-config services
!Command: show running-config services
!Time: Sat Feb 6 23:50:09 2016
version 7.0(3)I2(2a)
feature itd
itd device-group ITD_DEVICE_GROUP
  node ip 40.40.40.2
itd ITD_SERVICE
  device-group ITD_DEVICE_GROUP
  ingress interface Vlan39
  no shut
Configuration Caveats
- When you enable the ITD feature, an error message is reported with regard to the "NETWORK_SERVICES_PKG", which shows as unused until the device is reloaded. This is due to the honor-based licensing on the N9K platform.
- When you call an exclude access-list under the ITD service, you define in this access-list all the traffic that you wish to exclude from the redirection. Without this access-list, all traffic that ingresses the switch on the ingress interface is redirected.
- When you deploy in Server Load Balancing mode, a virtual IP address must be defined under the ITD service; only then is traffic destined to the virtual IP address subject to redirection.
- The Nexus 9000 does not support Network Address Translation/Port Address Translation (NAT/PAT) natively within the ITD functionality. If the return traffic is to be seen/inspected by the device to which the original packets were redirected, then this needs to be taken into account by the customer in their design.
- The device you perform redirection to must be Layer 2 adjacent to the Nexus 9000.
- The advertise {enable | disable} option specifies whether the virtual IP route is advertised to its neighboring devices. This is done by the injection of a static route into the local routing table, which can then be redistributed into the routing protocol.
- Prior to any configuration changes to the ITD service, you must first admin down the service. This results in a fail-open scenario and should not cause any service impact.
Verify
Use this section in order to confirm that your configuration works properly.
F340.10.26-N9K-C9372PX-1# sh itd
Name Probe LB Scheme Status Buckets
-------------- ----- ---------- -------- -------
ITD_SERVICE N/A src-ip ACTIVE 1
Device Group VRF-Name
-------------------------------------------------- -------------
ITD_DEVICE_GROUP
Pool Interface Status Track_id
------------------------------ ------------ ------ ---------
ITD_SERVICE_itd_pool Vlan39 UP -
Node IP Config-State Weight Status Track_id Sla_id
------------------------- ------------ ------ ---------- --------- ---------
1 40.40.40.2 Active 1 OK None None
Bucket List
-----------------------------------------------------------------------
ITD_SERVICE_itd_bucket_1
- This output is helpful in order to perform a quick check on which parameters have been configured for the ITD service and whether or not it is active.
Note: See Verifying the ITD Configuration. Before you can use this command in order to view ITD statistics, you must enable ITD statistics with the itd statistics service_itd-name command.
F340.10.26-N9K-C9372PX-1# sh itd all statistics
Service Device Group
-----------------------------------------------------------
ITD_SERVICE ITD_DEVICE_GROUP
0%
Traffic Bucket Assigned to Mode Original Node #Packets
--------------- -------------- ----- -------------- ---------
ITD_SERVICE_itd_bucket_1 40.40.40.2 Redirect 40.40.40.2 1215022221(100.00%)
- This command is helpful in order to determine whether the traffic is redirected as per the ITD policy. In order for this command to provide any output, you must first enable ITD statistics <ITD_SERVICE_NAME> for the service whose statistics you want to monitor.
Note: This CLI does not provide output when an Access Control List (ACL) is used under the ITD service. When an ACL is used, you can enable pbr-statistics on the system-generated route-map.
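As an added example (not part of the Cisco document), the check below parses the `show itd` and `show itd all statistics` output shown above and reports anything that contradicts a working redirection: service not ACTIVE, pool not UP, a node not OK, or no bucket counters. The sample output is constructed from the page (header and dash separator lines left out), and the regexes assume the column layout shown above.

```python
import re

# Constructed sample, abridged from the `show itd` / `show itd all statistics` output above.
SHOW_ITD = """\
ITD_SERVICE N/A src-ip ACTIVE 1
ITD_SERVICE_itd_pool Vlan39 UP -
1 40.40.40.2 Active 1 OK None None
"""
SHOW_STATS = """\
ITD_SERVICE_itd_bucket_1 40.40.40.2 Redirect 40.40.40.2 1215022221(100.00%)
"""

# One regex per table row type; header and dash separator lines match none of them.
SERVICE_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+(ACTIVE|INACTIVE)\s+(\d+)$", re.M)
POOL_RE = re.compile(r"^(\S+_itd_pool)\s+(\S+)\s+(UP|DOWN)\s+\S+$", re.M)
NODE_RE = re.compile(r"^\d+\s+(\d+(?:\.\d+){3})\s+\S+\s+(\d+)\s+(\S+)\s+\S+\s+\S+$", re.M)
BUCKET_RE = re.compile(r"^(\S+_itd_bucket_\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+)\(\S+%\)$", re.M)

def parse_itd(show_itd, show_stats):
    """Return service status, ingress pool state, nodes and per-bucket counters."""
    svc = SERVICE_RE.search(show_itd)
    pool = POOL_RE.search(show_itd)
    return {
        "service": svc.group(1) if svc else None,
        "status": svc.group(3) if svc else None,
        "buckets": int(svc.group(4)) if svc else 0,
        "ingress": pool.group(2) if pool else None,
        "pool_status": pool.group(3) if pool else None,
        "nodes": [{"ip": ip, "weight": int(w), "status": s} for ip, w, s in NODE_RE.findall(show_itd)],
        "redirects": [{"bucket": b, "node": n, "mode": m, "packets": int(p)}
                      for b, n, m, p in BUCKET_RE.findall(show_stats)],
    }

def itd_problems(show_itd, show_stats):
    """List failed checks; an empty list means redirection is configured and active."""
    st = parse_itd(show_itd, show_stats)
    problems = []
    if st["status"] != "ACTIVE":
        problems.append(f"service {st['service']} is {st['status']}, not ACTIVE")
    if st["pool_status"] != "UP":
        problems.append(f"pool on {st['ingress']} is {st['pool_status']}")
    problems += [f"node {n['ip']} status {n['status']}" for n in st["nodes"] if n["status"] != "OK"]
    # No bucket rows usually means `itd statistics <service>` was not enabled
    # (or an ACL is in use, where this table stays empty per the note above).
    if st["buckets"] and not st["redirects"]:
        problems.append("no bucket statistics: enable 'itd statistics <service>'")
    problems += [f"bucket {r['bucket']} has mode {r['mode']} and {r['packets']} packets"
                 for r in st["redirects"] if r["mode"] != "Redirect" or r["packets"] == 0]
    return problems
```

Feed it the raw text of both show commands (for example collected over NX-API or SSH); the full output with its header and dash lines parses the same way.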
F340.10.26-N9K-C9372PX-1# sh run int vlan 39
!Command: show running-config interface Vlan39
!Time: Thu Feb 18 02:22:12 2016
version 7.0(3)I2(2a)
interface Vlan39
  no shutdown
  ip address 39.39.39.39/24
  ip policy route-map ITD_SERVICE_itd_pool
F340.10.26-N9K-C9372PX-1# sh route-map ITD_SERVICE_itd_pool
route-map ITD_SERVICE_itd_pool, permit, sequence 10
  Description: auto generated route-map for ITD service ITD_SERVICE
  Match clauses:
    ip address (access-lists): ITD_SERVICE_itd_bucket_1
  Set clauses:
    ip next-hop 40.40.40.2
F340.10.26-N9K-C9372PX-1# sh ip access-lists ITD_SERVICE_itd_bucket_1
IP access list ITD_SERVICE_itd_bucket_1
  10 permit ip 1.1.1.0 255.255.255.255 any
- These three commands are helpful in order to determine whether the automatic configuration created by the ITD service was applied correctly and whether the redirection is configured correctly.
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
F340.10.26-N9K-C9372PX-1# sh tech-support services detail | i "`show "
`show feature | grep itd`
`show itd`
`show itd brief`
`show itd statistics`
`show itd statistics brief`
`show running-config services`
`show route-map`
`show module`
`show system internal iscm event-history debugs`
`show system internal iscm event-history debugs detail`
`show system internal iscm event-history events`
`show system internal iscm event-history errors`
`show system internal iscm event-history packets`
`show system internal iscm event-history msgs`
`show system internal iscm event-history all`
`show port-channel summary`
`show interface brief`
`show accounting log`
- If a specific aspect of the ITD configuration fails, or it is believed that something is wrong with the ITD component on the system, it is wise to collect a show tech-support services detail to assist with further investigation. The commands included in this show tech are listed above.