Configuring Copy Services

About Copy Services

Unlike SPAN, which duplicates all of the traffic, the Cisco Application Centric Infrastructure (ACI) copy services feature selectively copies portions of the traffic between endpoint groups, according to the specifications of the contract. Broadcast, unknown unicast, and multicast (BUM) traffic and control plane traffic that are not covered by the contract are not copied. In contrast, SPAN copies everything out of endpoint groups, access ports, or uplink ports. Unlike SPAN, copy services do not add headers to the copied traffic. Copy service traffic is managed internally in the switch to minimize the impact on normal traffic forwarding.

A copy service is configured as part of a Layer 4 to Layer 7 service graph template that specifies a copy cluster as the destination for the copied traffic. A copy service can tap into different hops within a service graph. For example, a copy service could select traffic between a consumer endpoint group and a firewall provider endpoint group, or between a server load balancer and a firewall. Copy clusters can be shared across tenants.

Copy services require you to do the following tasks:

  • Identify the source and destination endpoint groups.

  • Configure the contract that specifies what to copy according to the subject and what is allowed in the contract filter.

  • Configure Layer 4 to Layer 7 copy devices that identify the target devices and specify the ports where they attach.

  • Use the copy service as part of a Layer 4 to Layer 7 service graph template.

  • Configure a device selection policy that specifies which device will receive the traffic from the service graph. When you configure the device selection policy, you specify the contract, service graph, copy cluster, and the cluster logical interface that is in the copy device.

Copy Services Limitations

The following limitations apply when using the copy services feature:

  • Copy services are supported only on Cisco Nexus 9000-series switches with names that end in "-EX" or later, such as N9K-C93180LC-EX, N9K-C93108TC-FX, or N9K-C93240YC-FX2.

  • For data path traffic that is copied to the local and remote analyzer port, the Class of Service (CoS) and Differentiated Services Code Point (DSCP) values are not preserved in the copied traffic. This is because the contract with the copy action can be hit on either the ingress or egress leaf switch, before or after the actual CoS or DSCP value gets modified.

    When policing the data path traffic at a given endpoint ingress direction, the traffic that is copied is the actual incoming traffic before the traffic is policed. This is due to an ASIC limitation in the N9K-C93108TC-EX and N9K-C93180YC-EX switches.

  • Copy services support only one device per copy cluster.

  • A copy cluster supports only one logical interface.

  • You can configure copy analyzers in the consumer endpoint or provider endpoint only in N9K-C93108TC-EX and N9K-C93180YC-EX switches.

  • The tn-common/ctx-copy VRF instance, also known as the copy VRF instance, is a system-reserved context for a copy service. The copy VRF instance is auto-configured by the system during the boot-up sequence. The copy VRF instance cannot be configured or deleted by the user.

  • Copy services with a vzAny contract are not supported.

  • A copy service is not supported when it is deployed on a local leaf switch and the source or destination is on a remote leaf switch. In this scenario, a routable TEP IP address is not allocated for the local leaf switch.

  • When using a separate copy device for each direction of a flow, you must have two different unidirectional filters.

Configuring Copy Services Using the GUI

This procedure uses the GUI to configure copy services.


Note

When you configure a copy device, the context aware parameter is not used. The context aware parameter has a default value of single context, which can be ignored.

Procedure

Step 1

Create one or more copy devices.

For information about creating a copy device, see Creating a Copy Device Using the GUI.

Step 2

Create a service graph template to use for copy services.

For information about creating a service graph template, see Configuring a Service Graph Template Using the GUI.

  1. If you want to create one or more service nodes, drag Layer 4 to Layer 7 service devices from the Device Clusters section to between the consumer endpoint group and the provider endpoint group.

  2. Create one or more copy nodes by dragging copy devices from the Device Clusters section to between any two objects.

    The location where you drop the copy device becomes the point in the data flow from which the copy device copies the traffic.

Step 3

Apply the Layer 4 to Layer 7 service graph template.

For information about applying a service graph template, see Applying a Service Graph Template to Endpoint Groups Using the GUI.


Creating a Copy Device Using the GUI

A copy device is used as part of the copy services feature to create a copy node. A copy node specifies at which point of the data flow between endpoint groups to copy traffic.

This procedure only creates a copy device and does not configure anything else that is required to use the copy services feature. For information about configuring copy services, see Configuring Copy Services Using the GUI.

Before you begin

You must have configured a tenant.

Procedure


Step 1

On the menu bar, choose Tenants > All Tenants.

Step 2

In the Work pane, double-click the tenant's name.

Step 3

In the Navigation pane, choose Tenant tenant_name > Services > L4-L7 > Devices.

Step 4

In the Work pane, choose Actions > Create Copy Devices.

Step 5

In the Create Copy Devices dialog box, in the General section, complete the following fields:

Name field: Enter a name for the copy device.

Device Type buttons: The device type. A copy device can only be a physical device.

Physical Domain drop-down list: Choose the physical domain for the device.

Step 6

In the Device 1 section, click + to add a device interface, complete the following fields, and then click Update:

Name field: Enter a name for the device interface.

Path drop-down list: Choose a port, port channel, or virtual port channel for the device interface to use. The copy device connects to that port, port channel, or virtual port channel and copies traffic from it.

Step 7

In the Cluster section, click + to add a cluster interface, complete the following fields, and then click Update:

Name field: Enter a name for the cluster interface.

Concrete Interfaces drop-down list: Choose one or more concrete interfaces for the cluster interface to use.

Encap field: Enter a VLAN to use for encapsulation. The VLAN name format is vlan-#, where # is the VLAN's ID. For example: vlan-12

Step 8

Click Submit.


Configuring Copy Services Using the NX-OS-Style CLI

This procedure provides examples of using the CLI to configure copy services.


Note

When you configure a copy device, the context aware parameter is not used. The context aware parameter has a default value of single context, which can be ignored.

Procedure

Step 1

Create a copy cluster.

Example:

    l4l7 cluster name Copy_1 type physical vlan-domain phys_scale_copy service COPY function none
      cluster-device Copy_1_Device_1
      cluster-interface Tap_copy vlan 3644
        member device Copy_1_Device_1 device-interface int1
          interface ethernet 1/15 leaf 104
          exit
        member device Copy_1_Device_1 device-interface int2
          interface ethernet 1/15 leaf 105
          exit
        member device Copy_1_Device_1 device-interface int3
          interface ethernet 1/20 leaf 105
          exit
        exit
      exit

Step 2

Create an abstract graph and device context, and then apply the graph.

Example:

    l4l7 graph g5 contract c5
      service CP1 device-cluster-tenant t1 device-cluster Copy_1 mode OTHER service COPY
        connector copy cluster-interface Tap_copy
          exit
        exit
      connection C1 terminal consumer terminal provider copyservice CP1 connector copy
      exit

Step 3

Attach the contract to the graph.

Example:

    contract c5
      scope tenant
      subject Subject
        access-group default both
        l4l7 graph g5
        exit
      exit

Step 4

Attach the endpoint groups to the contract.

Example:

    epg epg2210
      bridge-domain member bd5
      contract consumer c5
      exit
    epg epg2211
      bridge-domain member bd5
      contract provider c5
      exit

Example

The following example creates a firewall service graph with a copy device on both sides:

    tenant tenant_cmd_line
      l4l7 graph graph_fire contract fire
        service Fire device-cluster-tenant tenant_cmd_line device-cluster Fire mode FW_ROUTED
          connector consumer cluster-interface Outside_cmdline
            bridge-domain tenant tenant_cmd_line name Consumer_BD_1
            exit
          connector provider cluster-interface Inside_cmdline
            bridge-domain tenant tenant_cmd_line name Provider_BD1
            exit
          exit
        service CP2 device-cluster-tenant tenant_cmd_line device-cluster copy1 mode OTHER service COPY
          connector copy cluster-interface int1
            exit
          exit
        service CP3 device-cluster-tenant tenant_cmd_line device-cluster copy1 mode OTHER service COPY
          connector copy cluster-interface int1
            exit
          exit
        connection C1 terminal consumer service Fire connector consumer copyservice CP2 connector copy
        connection C2 terminal provider service Fire connector provider copyservice CP3 connector copy
        exit
      exit

The following example creates a firewall and a load balancer in one-arm mode, with copy devices attached on all the links:

    l4l7 graph Graph_LB_Firewall contract c1_firewall
      service Fire device-cluster-tenant Tenant_Firewall_LB device-cluster Firewall_1 mode FW_ROUTED
        connector consumer cluster-interface Outside_Firewall
          bridge-domain tenant Tenant_Firewall_LB name BD1_Consumer
          exit
        connector provider cluster-interface Inside_Firewall
          bridge-domain tenant Tenant_Firewall_LB name BD2_Provider
          exit
        exit
      service LB device-cluster-tenant Tenant_Firewall_LB device-cluster LB_1 mode ADC_ONE_ARM
        connector consumer cluster-interface LB_Inside
          bridge-domain tenant Tenant_Firewall_LB name BD2_Provider
          exit
        connector provider cluster-interface LB_Inside
          bridge-domain tenant Tenant_Firewall_LB name BD2_Provider
          exit
        exit
      service CP6 device-cluster-tenant Tenant_Pass2 device-cluster Copy_pass2 mode OTHER service-type COPY
        connector copy cluster-interface tap_copy
          exit
        exit
      service CP7 device-cluster-tenant Tenant_Pass2 device-cluster Copy_pass2 mode OTHER service-type COPY
        connector copy cluster-interface tap_copy
          exit
        exit
      service CP8 device-cluster-tenant Tenant_Pass2 device-cluster Copy_pass2 mode OTHER service-type COPY
        connector copy cluster-interface tap_copy
          exit
        exit
      connection C1 terminal consumer service Fire connector consumer copyservice CP6 connector copy
      connection C2 intra-service service1 Fire connector1 provider service2 LB connector2 consumer copyservice CP7 connector copy
      connection C3 terminal provider service LB connector provider copyservice CP8 connector copy
      exit
    exit

Configuring Copy Services Using the REST API

A copy device is used as part of the copy services feature to create a copy node. A copy node specifies at which point of the data flow between endpoint groups to copy traffic.

This procedure provides examples of using the REST API to configure copy services.


Note

When you configure a copy device, the context aware parameter is not used. The context aware parameter has a default value of single context, which can be ignored.

Before you begin

You must have configured a tenant.

Procedure


Step 1

Create a copy device.

Example:

<vnsLDevVip contextAware="single-Context" devtype="PHYSICAL" funcType="None" isCopy="yes"
  managed="no" mode="legacy-Mode" name="copy0" svcType="COPY" trunking="no">
    <vnsRsALDevToPhysDomP tDn="uni/phys-phys_scale_copy"/>
    <vnsCDev devCtxLbl="" name="copy_Dyn_Device_0" vcenterName="" vmName="">
        <vnsCIf name="int1" vnicName="">
            <vnsRsCIfPathAtt tDn="topology/pod-1/paths-104/pathep-[eth1/15]"/>
        </vnsCIf>
        <vnsCIf name="int2" vnicName="">
            <vnsRsCIfPathAtt tDn="topology/pod-1/paths-105/pathep-[eth1/15]"/>
        </vnsCIf>
    </vnsCDev>
    <vnsLIf encap="vlan-3540" name="TAP">
        <vnsRsCIfAttN tDn="uni/tn-t22/lDevVip-copy0/cDev-copy_Dyn_Device_0/cIf-[int2]"/>
        <vnsRsCIfAttN tDn="uni/tn-t22/lDevVip-copy0/cDev-copy_Dyn_Device_0/cIf-[int1]"/>
    </vnsLIf>
</vnsLDevVip>
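A pre-flight check for a copy device, added here as an example and not part of the Cisco procedure: it parses a vnsLDevVip payload such as the one above and flags the conditions that the copy services limitations and this step describe (physical device only, isCopy and svcType set for COPY, one device per copy cluster, one logical interface per cluster, an encap of the form vlan-#, and logical-interface attachments that resolve to concrete interfaces of this device in this tenant). The tenant name t22 is taken from the tDn values on the page; the negative case is constructed for the check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the copy device from Step 1, trimmed to the
# attributes the checks below read.
COPY_DEVICE_XML = """<vnsLDevVip contextAware="single-Context" devtype="PHYSICAL" funcType="None"
  isCopy="yes" managed="no" mode="legacy-Mode" name="copy0" svcType="COPY" trunking="no">
    <vnsRsALDevToPhysDomP tDn="uni/phys-phys_scale_copy"/>
    <vnsCDev name="copy_Dyn_Device_0">
        <vnsCIf name="int1">
            <vnsRsCIfPathAtt tDn="topology/pod-1/paths-104/pathep-[eth1/15]"/>
        </vnsCIf>
        <vnsCIf name="int2">
            <vnsRsCIfPathAtt tDn="topology/pod-1/paths-105/pathep-[eth1/15]"/>
        </vnsCIf>
    </vnsCDev>
    <vnsLIf encap="vlan-3540" name="TAP">
        <vnsRsCIfAttN tDn="uni/tn-t22/lDevVip-copy0/cDev-copy_Dyn_Device_0/cIf-[int2]"/>
        <vnsRsCIfAttN tDn="uni/tn-t22/lDevVip-copy0/cDev-copy_Dyn_Device_0/cIf-[int1]"/>
    </vnsLIf>
</vnsLDevVip>"""

# Constructed negative case: a second vnsCDev in the cluster and an encap
# that is not of the form vlan-#, to show what the checks report.
BAD_DEVICE_XML = COPY_DEVICE_XML.replace('encap="vlan-3540"', 'encap="3540"').replace(
    "</vnsCDev>", '</vnsCDev><vnsCDev name="copy_Dyn_Device_1"/>', 1)

ENCAP_RE = re.compile(r"^vlan-(\d+)$")
CIF_DN_RE = re.compile(r"^uni/tn-([^/]+)/lDevVip-([^/]+)/cDev-([^/]+)/cIf-\[([^\]]+)\]$")


def check_copy_device(xml_text, tenant):
    """Return a list of problems found in a vnsLDevVip meant for copy services.
    An empty list means the device passes every check."""
    problems = []
    dev = ET.fromstring(xml_text)
    if dev.tag != "vnsLDevVip":
        return [f"expected vnsLDevVip, got {dev.tag}"]
    name = dev.get("name", "")
    # A copy device must be physical and flagged as a COPY service device.
    if dev.get("devtype") != "PHYSICAL":
        problems.append("a copy device can only be a physical device (devtype=PHYSICAL)")
    if dev.get("isCopy") != "yes" or dev.get("svcType") != "COPY":
        problems.append('copy device needs isCopy="yes" and svcType="COPY"')
    if dev.find("vnsRsALDevToPhysDomP") is None:
        problems.append("no physical domain (vnsRsALDevToPhysDomP) attached")
    # Limitation: only one device per copy cluster.
    cdevs = dev.findall("vnsCDev")
    if len(cdevs) != 1:
        problems.append(f"copy cluster must have exactly one device, found {len(cdevs)}")
    # Concrete interfaces that exist, keyed by (device name, interface name).
    concrete = {}
    for cdev in cdevs:
        for cif in cdev.findall("vnsCIf"):
            if cif.find("vnsRsCIfPathAtt") is None:
                problems.append(f"concrete interface {cif.get('name')} has no path attached")
            concrete[(cdev.get("name"), cif.get("name"))] = cif
    # Limitation: only one logical (cluster) interface per copy cluster.
    lifs = dev.findall("vnsLIf")
    if len(lifs) != 1:
        problems.append(f"copy cluster must have exactly one logical interface, found {len(lifs)}")
    for lif in lifs:
        encap = lif.get("encap", "")
        if not ENCAP_RE.match(encap):
            problems.append(f"logical interface {lif.get('name')} encap {encap!r} is not of the form vlan-#")
        atts = lif.findall("vnsRsCIfAttN")
        if not atts:
            problems.append(f"logical interface {lif.get('name')} selects no concrete interface")
        for att in atts:
            # Each attachment must name a concrete interface of this device, in this tenant.
            m = CIF_DN_RE.match(att.get("tDn", ""))
            if (m is None or m.group(1) != tenant or m.group(2) != name
                    or (m.group(3), m.group(4)) not in concrete):
                problems.append(f"logical interface {lif.get('name')} references unknown "
                                f"concrete interface {att.get('tDn')}")
    return problems


if __name__ == "__main__":
    print("page device:", check_copy_device(COPY_DEVICE_XML, "t22"))
    print("bad device:", check_copy_device(BAD_DEVICE_XML, "t22"))
```

Run it against the payload before posting it to APIC; a non-empty list names the limitation that would be violated, which is cheaper to find here than from a rendering fault after the graph is applied.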

Step 2

Create a logical device context (also known as a device selection policy).

Example:

<vnsLDevCtx ctrctNameOrLbl="c0" descr="" graphNameOrLbl="g0" name="" nodeNameOrLbl="CP1">
    <vnsRsLDevCtxToLDev tDn="uni/tn-t22/lDevVip-copy0"/>
    <vnsLIfCtx connNameOrLbl="copy" descr="" name="">
        <vnsRsLIfCtxToLIf tDn="uni/tn-t22/lDevVip-copy0/lIf-TAP"/>
    </vnsLIfCtx>
</vnsLDevCtx>

Step 3

Create and apply the copy graph template.

Example:

<vnsAbsGraph descr="" name="g0" ownerKey="" ownerTag="" uiTemplateType="UNSPECIFIED">
    <vnsAbsTermNodeCon descr="" name="T1" ownerKey="" ownerTag="">
        <vnsAbsTermConn attNotify="no" descr="" name="1" ownerKey="" ownerTag=""/>
        <vnsInTerm descr="" name=""/>
        <vnsOutTerm descr="" name=""/>
    </vnsAbsTermNodeCon>
    <vnsAbsTermNodeProv descr="" name="T2" ownerKey="" ownerTag="">
        <vnsAbsTermConn attNotify="no" descr="" name="1" ownerKey="" ownerTag=""/>
        <vnsInTerm descr="" name=""/>
        <vnsOutTerm descr="" name=""/>
    </vnsAbsTermNodeProv>
    <vnsAbsConnection adjType="L2" connDir="provider" connType="external" descr="" name="C1"
      ownerKey="" ownerTag="" unicastRoute="yes">
        <vnsRsAbsConnectionConns tDn="uni/tn-t22/AbsGraph-g0/AbsTermNodeCon-T1/AbsTConn"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-t22/AbsGraph-g0/AbsTermNodeProv-T2/AbsTConn"/>
        <vnsRsAbsCopyConnection tDn="uni/tn-t22/AbsGraph-g0/AbsNode-CP1/AbsFConn-copy"/>
    </vnsAbsConnection>
    <vnsAbsNode descr="" funcTemplateType="OTHER" funcType="None" isCopy="yes" managed="no"
      name="CP1" ownerKey="" ownerTag="" routingMode="unspecified" sequenceNumber="0"
      shareEncap="no">
        <vnsAbsFuncConn attNotify="no" descr="" name="copy" ownerKey="" ownerTag=""/>
        <vnsRsNodeToLDev tDn="uni/tn-t22/lDevVip-copy0"/>
    </vnsAbsNode>
</vnsAbsGraph>

Step 4

Define the relation to the copy graph in the contract that is associated with the endpoint groups.

Example:

<vzBrCP descr="" name="c0" ownerKey="" ownerTag="" prio="unspecified" scope="tenant"
  targetDscp="unspecified">
    <vzSubj consMatchT="AtleastOne" descr="" name="Subject" prio="unspecified"
      provMatchT="AtleastOne" revFltPorts="yes" targetDscp="unspecified">
        <vzRsSubjFiltAtt directives="" tnVzFilterName="default"/>
        <vzRsSubjGraphAtt directives="" tnVnsAbsGraphName="g0"/>
    </vzSubj>
</vzBrCP>

Step 5

Attach the contract to the endpoint group.

Example:

<fvAEPg name="epg2860">
    <fvRsCons tnVzBrCPName="c0"/>
    <fvRsBd tnFvBDName="bd0"/>
    <fvRsDomAtt tDn="uni/phys-phys_scale_SB"/>
    <fvRsPathAtt tDn="topology/pod-1/paths-104/pathep-[PC_int2_g1]" encap="vlan-2860"
      instrImedcy="immediate"/>
</fvAEPg>
<fvAEPg name="epg2861">
    <fvRsProv tnVzBrCPName="c0"/>
    <fvRsBd tnFvBDName="bd0"/>
    <fvRsDomAtt tDn="uni/phys-phys_scale_SB"/>
    <fvRsPathAtt tDn="topology/pod-1/paths-105/pathep-[PC_policy]" encap="vlan-2861"
      instrImedcy="immediate"/>
</fvAEPg>
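The objects from Steps 2 to 5 only work together when their names line up: ctrctNameOrLbl, graphNameOrLbl and nodeNameOrLbl in the device selection policy are matched by name, not by a relation, so a mismatch is not rejected when the payload is posted. Added here as an example, not Cisco's code: a Python checker that wraps the fragments in their tenant (tenant t22 and device copy0 as implied by the DNs on the page; trimmed copies of the page's XML as constructed sample input) and reports references that do not resolve, including a constructed negative case where the policy names a node the graph does not contain.

```python
import xml.etree.ElementTree as ET

TENANT = "t22"
COPY_DEVICE = "copy0"  # name of the vnsLDevVip created in Step 1

# Constructed sample input: the objects from Steps 2 to 5, trimmed to the
# attributes the checks below read.
FRAGMENTS = """
<vnsLDevCtx ctrctNameOrLbl="c0" graphNameOrLbl="g0" nodeNameOrLbl="CP1">
    <vnsRsLDevCtxToLDev tDn="uni/tn-t22/lDevVip-copy0"/>
    <vnsLIfCtx connNameOrLbl="copy">
        <vnsRsLIfCtxToLIf tDn="uni/tn-t22/lDevVip-copy0/lIf-TAP"/>
    </vnsLIfCtx>
</vnsLDevCtx>
<vnsAbsGraph name="g0">
    <vnsAbsTermNodeCon name="T1"><vnsAbsTermConn name="1"/></vnsAbsTermNodeCon>
    <vnsAbsTermNodeProv name="T2"><vnsAbsTermConn name="1"/></vnsAbsTermNodeProv>
    <vnsAbsConnection adjType="L2" connDir="provider" connType="external" name="C1">
        <vnsRsAbsConnectionConns tDn="uni/tn-t22/AbsGraph-g0/AbsTermNodeCon-T1/AbsTConn"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-t22/AbsGraph-g0/AbsTermNodeProv-T2/AbsTConn"/>
        <vnsRsAbsCopyConnection tDn="uni/tn-t22/AbsGraph-g0/AbsNode-CP1/AbsFConn-copy"/>
    </vnsAbsConnection>
    <vnsAbsNode funcTemplateType="OTHER" funcType="None" isCopy="yes" managed="no" name="CP1">
        <vnsAbsFuncConn name="copy"/>
        <vnsRsNodeToLDev tDn="uni/tn-t22/lDevVip-copy0"/>
    </vnsAbsNode>
</vnsAbsGraph>
<vzBrCP name="c0" scope="tenant">
    <vzSubj name="Subject" revFltPorts="yes">
        <vzRsSubjFiltAtt tnVzFilterName="default"/>
        <vzRsSubjGraphAtt tnVnsAbsGraphName="g0"/>
    </vzSubj>
</vzBrCP>
<fvAEPg name="epg2860"><fvRsCons tnVzBrCPName="c0"/><fvRsBd tnFvBDName="bd0"/></fvAEPg>
<fvAEPg name="epg2861"><fvRsProv tnVzBrCPName="c0"/><fvRsBd tnFvBDName="bd0"/></fvAEPg>
"""

# Constructed negative case: the device selection policy names a copy node
# that the graph does not define.
FRAGMENTS_WRONG_NODE = FRAGMENTS.replace('nodeNameOrLbl="CP1"', 'nodeNameOrLbl="CP2"')


def tenant_payload(tenant, fragments):
    """Wrap the fragments in their tenant so one POST to /api/mo/uni.xml creates all of them."""
    return f'<fvTenant name="{tenant}">{fragments}</fvTenant>'


def check_copy_graph(tenant, device, payload):
    """Return the dangling references between the device selection policy, the
    graph, the contract and the EPGs. An empty list means every link resolves."""
    problems = []
    root = ET.fromstring(payload)
    dev_dn = f"uni/tn-{tenant}/lDevVip-{device}"
    graphs = {g.get("name"): g for g in root.findall("vnsAbsGraph")}
    contracts = {c.get("name"): c for c in root.findall("vzBrCP")}
    for ctx in root.findall("vnsLDevCtx"):
        gname, nname, cname = (ctx.get(k) for k in ("graphNameOrLbl", "nodeNameOrLbl", "ctrctNameOrLbl"))
        # The policy must point at the copy device created in Step 1.
        to_dev = ctx.find("vnsRsLDevCtxToLDev")
        if to_dev is None or to_dev.get("tDn") != dev_dn:
            problems.append(f"device selection policy does not reference {dev_dn}")
        graph = graphs.get(gname)
        if graph is None:
            problems.append(f"graph {gname!r} named by the device selection policy is not defined")
        else:
            node = graph.find(f"vnsAbsNode[@name='{nname}']")
            if node is None or node.get("isCopy") != "yes":
                problems.append(f"graph {gname} has no copy node named {nname!r}")
            else:
                conns = {c.get("name") for c in node.findall("vnsAbsFuncConn")}
                for lctx in ctx.findall("vnsLIfCtx"):
                    if lctx.get("connNameOrLbl") not in conns:
                        problems.append(f"node {nname} has no connector {lctx.get('connNameOrLbl')!r}")
                    lif = lctx.find("vnsRsLIfCtxToLIf")
                    if lif is None or not lif.get("tDn", "").startswith(dev_dn + "/lIf-"):
                        problems.append(f"connector context on node {nname} does not select "
                                        f"a logical interface of {device}")
            # Every copy connection in the graph must target a connector of a copy node.
            valid = {f"uni/tn-{tenant}/AbsGraph-{gname}/AbsNode-{n.get('name')}/AbsFConn-{c.get('name')}"
                     for n in graph.findall("vnsAbsNode") if n.get("isCopy") == "yes"
                     for c in n.findall("vnsAbsFuncConn")}
            for rel in graph.iter("vnsRsAbsCopyConnection"):
                if rel.get("tDn") not in valid:
                    problems.append(f"copy connection {rel.get('tDn')} targets no copy node connector")
        # The contract must attach the graph to a subject and be both consumed and provided.
        contract = contracts.get(cname)
        if contract is None or contract.find(f"vzSubj/vzRsSubjGraphAtt[@tnVnsAbsGraphName='{gname}']") is None:
            problems.append(f"contract {cname!r} does not attach graph {gname!r} to any subject")
        if (root.find(f"fvAEPg/fvRsCons[@tnVzBrCPName='{cname}']") is None
                or root.find(f"fvAEPg/fvRsProv[@tnVzBrCPName='{cname}']") is None):
            problems.append(f"contract {cname!r} needs both a consumer and a provider EPG")
    return problems


if __name__ == "__main__":
    print("page config:", check_copy_graph(TENANT, COPY_DEVICE, tenant_payload(TENANT, FRAGMENTS)))
    print("wrong node:", check_copy_graph(TENANT, COPY_DEVICE, tenant_payload(TENANT, FRAGMENTS_WRONG_NODE)))
```

Posting the five objects as one tenant payload keeps them in a single transaction, so either every reference is created together or nothing is; the checker is meant to run on that payload before it is sent.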