Configuring ePBR L2

Information About ePBR L2

Enhanced Policy-Based Redirect Layer 2 (ePBR L2) in Elastic Services Redirection (ESR) provides transparent service redirection and service chaining of Layer 1 and Layer 2 service appliances by leveraging port ACLs and VLAN translation. This approach provides service chaining and load balancing without adding extra headers, and so avoids the latency that extra headers would introduce.

ePBR enables application-based routing and provides a flexible, device-agnostic policy-based redirect solution without impacting application performance. The ePBR service flow includes the following tasks:

Configuring ePBR Service and Policy

You must first create an ePBR service which defines the attributes of service end points. Service end points are the service appliances such as firewall, IPS, etc., that can be associated with switches. You can also define probes to monitor the health of the service end points and can define the forward and reverse interfaces where the traffic policies are applied. ePBR also supports load balancing along with service chaining. ePBR allows you to configure multiple service end points as a part of the service configuration.

After creating the ePBR service, you must create an ePBR policy. The ePBR policy lets you define traffic selection, redirection of traffic to the service end points, and the fail-action mechanism to apply when an end point's health check fails. You use IP access lists with permit access control entries (ACEs) to define the traffic of interest to match and the action to take on it.

The ePBR policy supports multiple ACL match definitions. A match can have multiple services in a chain which can be sequenced by a sequence number. This allows flexibility to add, insert, and modify elements in a chain in a single service policy. In every service sequence, you can define the fail action method such as drop, forward, and bypass. The ePBR policy allows you to specify source or destination-based load balancing and bucket counts in order to have granular load balancing of traffic.

Applying ePBR to an L2 Interface

After creating the ePBR policy you need to apply the policy on an interface. This allows you to define the interface at which the traffic ingresses the NX-OS switch and the interface through which traffic needs to exit the switch after redirection or service-chaining. You can also apply the policy in both the forward and reverse directions into the NX-OS switch.

Enabling Production Interfaces as Access Port

If the service-chaining switch is inserted between two Layer 3 routers for traffic redirection, the production interfaces are enabled as access ports, with the following limitations:

  • You must use the VLAN of the port as part of the match configuration.

  • It is limited to mac-learn disable mode.

Enabling Production Interfaces as Trunk Ports

Production interfaces may be configured as trunk ports. Every VLAN trunked on the interface whose incoming traffic needs to be service-chained must be configured as part of the match configuration.

Alternatively, using 'vlan all' in the match configuration will allow any traffic pertaining to any incoming VLANs on the interface to be matched and service chained.

Creating Bucket and Load Balancing

ePBR computes the number of traffic buckets from the service in the chain that has the largest number of service end points. If you configure the load-balance buckets explicitly, your configuration takes precedence. ePBR supports source-IP and destination-IP load-balancing methods but does not support Layer 4 (port-based) source or destination load-balancing methods.

ePBR Object Tracking, Health Monitoring, and Fail-Action

Layer-2 ePBR performs link state monitoring of the service end-points by default. The user may additionally enable CTP (Configuration Testing Protocol) if supported by the service.

You can configure the ePBR probe options for a service or for each of the forward or reverse end points. You can also configure the frequency, timeout, and retry-up and retry-down counts. The same track objects are reused by all policies that use the same ePBR service.

If no probe method is defined at the end point level, the probe method configured for the service level will be used.

ePBR supports the following fail-action mechanisms for its service chain sequences:

  • Bypass

  • Drop on Fail

  • Forward

Bypass of a service sequence indicates that the traffic must be redirected to the next service sequence when there is a failure of the current sequence.

Drop on fail of a service sequence indicates that the traffic must be dropped when all the service-end-points of the service become unreachable.

Forward is the default fail-action and indicates that, upon failure of the current service, traffic is forwarded to the egress interface.

Note

Symmetry is maintained only when fail-action bypass is configured for all the services in the service chain. In the other fail-action scenarios, when one or more services have failed, symmetry is not maintained between the forward and the reverse flow.

ePBR Session-based Configuration

ePBR sessions allow you to add, delete, or modify the following aspects of in-service services or policies. A service is in service when it is associated with a policy that has been applied to an active interface; a policy is in service when it is currently configured on an active interface and is being modified.

  • Service endpoints with their interfaces and probes

  • Reverse endpoints and probes

  • Matches under policies

  • Load-balance methods for matches

  • Match sequences and fail-action


Note

In ePBR sessions, you cannot move interfaces from one service to another service in the same session. To move interfaces from one service to another service, perform the following steps:

  1. Use a session operation to first remove it from the existing service.

  2. Use a second session operation to add it to the existing service.


ACL Refresh

An ePBR session ACL refresh updates the policy-generated ACLs after ACEs have been added to, modified in, or deleted from a user-provided ACL. On the refresh trigger, ePBR identifies the policies affected by the change and creates, deletes, or modifies the generated bucket ACLs for those policies.

For ePBR scale values, see Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

Guidelines and Limitations for ePBR L2

ePBR has the following guidelines and limitations:

  • When fail-action is specified in any match statement, probe is mandatory in the configuration.

  • To disable MAC learning on the switch, use the mac-learn disable command.

  • Do not share the same user defined ACL across multiple match statements in the ePBR configuration.

  • Symmetry in traffic is maintained only when fail-action bypass is configured for ePBR Service. For the other fail-actions such as forward/drop in the service chain, symmetry is not maintained for the forward and reverse flow of traffic.

  • Feature ePBR and feature ITD cannot co-exist with the same ingress interface.

  • With scaled ePBR configuration, it is recommended to remove the policies before you use the no feature epbr command.

  • ePBRv6 over VXLAN is not supported on Cisco Nexus 9500 series switches.

  • If you want to remove an ePBR service endpoint that is configured on a port channel which has been removed from the system, perform the following steps:

    1. Delete the existing ePBR policy.

    2. Delete the existing ePBR service.

    3. Reconfigure the ePBR service endpoint to the required port-channel.

  • Do not modify the dynamically created ePBR access-list entries whose names begin with “epbr_”. These access lists are reserved for ePBR internal use.


    Note

    Modifying these entries or their name prefix can cause ePBR to stop functioning properly and impacts ISSU.


  • All redirection rules are programmed in ACL TCAM using ing-ifacl region. This region needs to be carved and allocated prior to the application of ePBR L2 policies.


    Note

    For steps on how to carve a TCAM region, refer to the Configuring IP ACLs section of the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.


  • ePBR policies require at least one match with redirect action.

  • ePBR L2 requires a VLAN range to be reserved for VLAN translation and Q-in-Q. It is recommended that this range does not overlap with the VLANs used for traffic match configuration.

  • The ePBR 'infra' VLANs should be reserved prior to the application of the ePBR Layer-2 policies.

  • For production interfaces configured as trunk ports, enable VLAN trunking only for the VLANs specified in the ePBR 'infra vlan' range.

  • ePBR L2 expects the service appliance to be configured to forward the packet as is without modifying or stripping the VLAN headers.

  • An ePBR L2 policy can be applied to only a single interface in the forward direction and a single interface in the reverse direction. To service-chain a different pair of interfaces in the same way, the policy must be replicated.

  • Each match in an ePBR L2 policy needs to have a unique match VLAN or unique VLAN range when applied on trunk interfaces. Only a single match with 'vlan all' can exist in a policy that is applied on trunk interfaces.

  • ePBR L2 policy definition can be applied to a maximum of 32 interfaces of supported interface types across forward and reverse directions.

  • In order to load-balance between multiple service devices and uniquely detect failure of these devices via CTP health-checks, each service device should be defined as a unique endpoint in the ePBR service.

  • Bucket-based load-balance is not supported for layer-2 matches in the ePBR policy.

  • To service-chain or redirect IPv6 traffic such as Neighbor Discovery, ICMPv6 ACEs with the protocol types ND-NA and ND-NS must be explicitly defined in the user-defined match access list.

  • To service-chain or redirect Layer 2 traffic for protocols such as ARP (0x806), VN-Tag (0x8926), FCoE (0x8906), MPLS unicast (0x8847), or MPLS multicast (0x8848), the protocol information must be explicitly added to the ACEs in the user-defined match access list.

  • Layer 2 ePBR does not support service chaining or redirection, or enforcement of exclude and deny actions, for control traffic (IP, IPv6, and Layer 2) that is typically copied or redirected to the supervisor on Cisco Nexus 9000 Series switches.

  • Defaulting ePBR production and/or service interfaces while they are in use should be avoided to prevent any unintended behavior.

  • Configuration rollback and configuration replace are supported only when the ePBR policy is not associated with any interfaces and the ePBR service definitions are not used in any active ePBR policy in both the source and target configurations. However, configuration rollback and configuration replace do not support policy to interface association and disassociation.

The following guidelines and limitations apply to the match ACL feature:

  • Only ACEs with the permit method are supported in the ACL. ACEs with any other method (such as deny or remark) are ignored.

  • A maximum of 256 permit ACEs are supported in one ACL.

  • Layer-4 ACE rules with port operations other than port equality operations are not supported.

The following guidelines and limitations apply to inter-VRF service chaining:

  • Beginning with Cisco NX-OS Release 10.2(3)F, to minimize traffic disruption during session operations (endpoint additions, and service-sequence additions, deletions, and modifications), configure the load-balance buckets in advance and avoid modifying the load-balance configuration afterwards. Ensure that the configured number of load-balance buckets is greater than the number of endpoints configured in the service of every sequence in the chain.
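As an added example that is not Cisco's code or part of this guide, the following Python script parses a constructed running-config fragment in the format shown in the configuration examples later in this chapter and checks it against several of the guidelines above: a fail-action configured on a service that has no probe, one user-defined ACL shared by several match statements, a match VLAN that falls inside the infra VLAN range, bucket load balancing on an L2 match, and a bucket count that does not exceed a service's endpoint count. The parser understands only the configuration subset that appears on this page.

```python
import re
from collections import Counter

def vlan_set(spec):
    """Expand '10', '100-200' or '10,20-25' into a set of VLAN ids; 'all' -> None."""
    if spec == "all":
        return None
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_epbr(config):
    """Parse the ePBR L2 running-config subset shown in this chapter's examples."""
    st = {"infra": set(), "services": {}, "policies": {}}
    svc = pol = mt = None          # most recently opened service / policy / match
    for line in config.splitlines():
        t = line.strip()
        if m := re.match(r"epbr infra vlans (\S+)$", t):
            st["infra"] = vlan_set(m[1])
        elif m := re.match(r"epbr service (\S+) type l2$", t):
            svc = st["services"][m[1]] = {"probe": False, "endpoints": 0}
        elif m := re.match(r"epbr policy (\S+)$", t):
            pol = st["policies"][m[1]] = []
        elif svc and t.startswith("probe "):
            svc["probe"] = True
        elif svc and t.startswith("service-end-point "):
            svc["endpoints"] += 1
        elif pol is not None and (m := re.match(r"match (ip|ipv6|l2) address (\S+) vlan (\S+)$", t)):
            mt = {"afi": m[1], "acl": m[2], "vlan": m[3], "buckets": None, "seqs": []}
            pol.append(mt)
        elif mt and (m := re.match(r"load-balance.* buckets (\d+)$", t)):
            mt["buckets"] = int(m[1])
        elif mt and (m := re.match(r"(\d+) set service (\S+)(?: fail-action (\S+))?$", t)):
            mt["seqs"].append((int(m[1]), m[2], m[3]))   # fail-action None = default forward
    return st

def lint_epbr(st):
    """Check a parsed config against a subset of the guidelines; returns (rule, detail) pairs."""
    issues = []
    acl_uses = Counter(mt["acl"] for ms in st["policies"].values() for mt in ms)
    issues += [("shared-acl", f"ACL {a} is used by {n} match statements") for a, n in acl_uses.items() if n > 1]
    for pname, matches in st["policies"].items():
        for mt in matches:
            tag = f"{pname}/{mt['acl']} vlan {mt['vlan']}"
            vl = vlan_set(mt["vlan"])
            if vl and vl & st["infra"]:
                issues.append(("infra-overlap", f"{tag} overlaps the infra VLAN range"))
            if mt["afi"] == "l2" and mt["buckets"]:
                issues.append(("l2-buckets", f"{tag}: bucket load-balance is unsupported for l2 matches"))
            for seq, sname, fa in mt["seqs"]:
                s = st["services"].get(sname, {"probe": False, "endpoints": 0})
                if fa and not s["probe"]:
                    issues.append(("fail-action-no-probe", f"{tag} seq {seq}: {sname} has fail-action {fa} but no probe"))
                if mt["buckets"] and mt["buckets"] <= s["endpoints"]:
                    issues.append(("buckets-too-few", f"{tag} seq {seq}: {mt['buckets']} buckets <= {s['endpoints']} endpoints of {sname}"))
    return issues

# Constructed sample modelled on the examples in this chapter, with deliberate violations.
SAMPLE_CONFIG = """\
epbr infra vlans 100-200
epbr service app_1 type l2
  service-end-point interface Ethernet1/3
    reverse interface Ethernet1/4
epbr service app_2 type l2
  probe ctp frequency 2 retry-down-count 1 retry-up-count 1 timeout 1
  service-end-point interface port-channel10
    reverse interface port-channel11
  service-end-point interface port-channel12
    reverse interface port-channel13
epbr policy p3
  match ip address flow1 vlan 10
    load-balance buckets 2
    10 set service app_1 fail-action drop
    20 set service app_2
  match ipv6 address flow2 vlan 150
    10 set service app_2
  match l2 address flow1 vlan 30
    load-balance buckets 2
    10 set service app_1
"""
if __name__ == "__main__":
    for rule, detail in lint_epbr(parse_epbr(SAMPLE_CONFIG)):
        print(f"[{rule}] {detail}")
```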

Configuring ePBR Service, Policy, and Associating to an Interface

The following section describes how to configure an ePBR service and an ePBR policy, and how to associate the policy with an interface.

SUMMARY STEPS

  1. configure terminal
  2. [no] epbr infra vlans [vlan range]
  3. epbr service service-name type l2
  4. mode [full duplex | half duplex]
  5. probe {ctp} [frequency seconds] [timeout seconds] [retry-down-count count] [retry-up-count count]
  6. service-end-point [interface interface-name interface-number]
  7. reverse interface interface-name interface-number
  8. exit
  9. epbr policy policy-name
  10. match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address l2-acl-name} {drop | exclude | redirect | vlan {vlan | vlan-range | all}}
  11. [no] load-balance [ method { src-ip | dst-ip}] [ buckets count]
  12. sequence-number set service service-name [ fail-action { bypass | drop | forward}]
  13. interface interface-name interface-number
  14. epbr {l2} policy policy-name egress-interface interface-name [reverse]
  15. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

[no] epbr infra vlans [vlan range]

The VLAN range indicates the VLANs reserved for selective dot1q translation while traffic is redirected to the service devices.

Step 3

epbr service service-name type l2

Example:

switch(config)# epbr service firewall type l2

Creates a new ePBR L2 service.

Step 4

mode [full duplex | half duplex]

Configures the service to be in half-duplex or full-duplex mode.

Step 5

probe {ctp} [frequency seconds] [timeout seconds] [retry-down-count count] [retry-up-count count]

Example:

switch(config-epbr-svc)# probe ctp

Configures the probe for the ePBR service.

The options are as follows:

  • frequency—Specifies the frequency of the probe in seconds. The range is from 1 to 604800.

  • retry-down-count—Specifies the number of retries the probe performs when the node goes down. The range is from 1 to 5.

  • retry-up-count—Specifies the number of retries the probe performs when the node comes back up. The range is from 1 to 5.

  • timeout —Specifies the length of the timeout period in seconds. The range is from 1 to 604800.

Step 6

service-end-point [interface interface-name interface-number]

Example:

switch(config-epbr-svc)# service-end-point interface Ethernet1/3

Configures service endpoint for the ePBR service.

You can repeat steps 2 to 5 to configure another ePBR service.

Step 7

reverse interface interface-name interface-number

Example:

switch(config-epbr-fwd-svc)# reverse interface Ethernet1/4

Defines the reverse interface where the traffic policies are applied.

Step 8

exit

Example:

switch(config-epbr-reverse-svc)# exit
switch(config-epbr-fwd-svc)# exit
switch(config-epbr-svc)# exit
switch(config)#

Exits ePBR service configuration mode and enters global configuration mode.

Step 9

epbr policy policy-name

Example:

switch(config)# epbr policy Tenant_A-Redirect

Configures the ePBR policy.

Step 10

match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address l2-acl-name} {drop | exclude | redirect | vlan {vlan | vlan-range | all}}

Example:

switch(config)# match ip address WEB vlan 10

Matches IPv4, IPv6, or Layer 2 traffic against an IP, IPv6, or MAC ACL respectively. Redirect is the default action for matched traffic. Use drop when the traffic must be dropped on the incoming interface, and use exclude to exempt certain traffic from service chaining on the incoming interface.

You can repeat this step to match multiple ACLs based on the requirement.

Step 11

[no] load-balance [ method { src-ip | dst-ip}] [ buckets count]

Example:

switch(config)# load-balance method src-ip mask-position 3

Configures the load-balance method and the number of buckets used by the ePBR service.

Step 12

sequence-number set service service-name [ fail-action { bypass | drop | forward}]

Example:

switch(config)# 10 set service firewall fail-action drop

Configures the fail-action mechanism.

Step 13

interface interface-name interface-number

Example:

switch(config)# interface Ethernet1/1

Enters into interface configuration mode.

Step 14

epbr {l2} policy policy-name egress-interface interface-name [reverse]

Example:

switch(config-if)# epbr l2 policy Tenant_A-Redirect egress-interface Ethernet1/2

An interface can be associated at any time with at most one forward policy and one reverse policy of each of the following types:

  • an IPv4 policy in the forward direction

  • an IPv4 policy in the reverse direction

  • an IPv6 policy in the forward direction

  • an IPv6 policy in the reverse direction

  • an L2 policy in the forward direction

  • an L2 policy in the reverse direction

Step 15

exit

Example:

switch(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Modifying a Service Using ePBR Session

The following steps explain how to modify a service using an ePBR session.

SUMMARY STEPS

  1. epbr session
  2. epbr service service-name type l2
  3. [no] service-end-point [interface interface-name]
  4. service-end-point [interface interface-name]
  5. reverse [interface interface-name]
  6. commit
  7. abort

DETAILED STEPS

  Command or Action Purpose

Step 1

epbr session

Example:

switch(config)# epbr session

Enters ePBR session mode.

Step 2

epbr service service-name type l2

Example:

switch(config-epbr-sess)# epbr service TCP_OPTIMIZER

Specifies the configured ePBR service in the ePBR session mode.

Step 3

[no] service-end-point [interface interface-name]

Example:

switch(config-epbr-sess-svc)# no service-end-point interface Ethernet1/3

Removes the configured service endpoint from the ePBR service.

Step 4

service-end-point [interface interface-name]

Example:

switch(config-epbr-sess-svc)# service-end-point interface Ethernet1/15

Adds a service endpoint to the service.

Step 5

reverse [interface interface-name]

Example:

switch(config-epbr-sess-fwd-svc)# reverse interface ethernet 1/4

Defines the reverse interface where the traffic policies are applied.

Step 6

commit

Example:

switch(config-epbr-sess)# commit

Completes the modification of the ePBR service using the ePBR session.

Note

Restart the ePBR session after you complete this step.

Step 7

abort

Example:

switch(config-epbr-sess)# abort

Aborts the session and clears or resets the current configuration under the session. Use this command to abandon the current session configuration in case of errors or unsupported configuration identified during commits.

Note

Start a new ePBR session after this with the rectified configuration.

Modifying a Policy Using ePBR Session

The following steps explain how to modify a policy using ePBR Session.

SUMMARY STEPS

  1. epbr session
  2. epbr policy policy-name
  3. [no] match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address mac-acl-name} vlan {all | vlan-id | vlan-id-range}
  4. match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address mac-acl-name} vlan {all | vlan-id | vlan-id-range}
  5. sequence-number set service service-name [ fail-action { bypass | drop | forward}]
  6. [no] load-balance [ method { src-ip | dst-ip}] [ buckets count]
  7. commit
  8. end

DETAILED STEPS

  Command or Action Purpose

Step 1

epbr session

Step 2

epbr policy policy-name

Example:

switch(config-epbr-sess)# epbr policy Tenant_A-Redirect

Specifies the configured ePBR policy in the ePBR session mode.

Step 3

[no] match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address mac-acl-name} vlan {all | vlan-id | vlan-id-range}

Example:

switch(config-epbr-sess-pol)# no match ip address WEB

Removes the match against the IP, IPv6, or L2 ACL.

Step 4

match {ip address ipv4-acl-name | ipv6 address ipv6-acl-name | l2 address mac-acl-name} vlan {all | vlan-id | vlan-id-range}

Example:

switch(config-epbr-sess-pol)# match ip address HR

Adds or modifies the match against the IP, IPv6, or L2 ACL.

Step 5

sequence-number set service service-name [ fail-action { bypass | drop | forward}]

Example:

switch(config-epbr-sess-pol-match)# 10 set service firewall fail-action drop

Configures the fail-action mechanism.

Step 6

[no] load-balance [ method { src-ip | dst-ip}] [ buckets count]

Example:

switch(config-epbr-sess-pol-match)# load-balance method src-ip mask-position 3

Configures the load-balance method and buckets for the match.

Note

If you omit this command in the session while modifying the service chain of an existing match, the load-balance configuration of that match is reset to the default.

Step 7

commit

Example:

switch(config-epbr-sess)# commit

Completes the modification of the ePBR policy using the ePBR session.

Step 8

end

Example:

switch(config-epbr-sess)# end

Exits the ePBR session mode.

Updating the Access-list Used by ePBR Policies

The following steps explain how to update the access-list used by ePBR policies:

SUMMARY STEPS

  1. epbr session access-list acl-name refresh
  2. end

DETAILED STEPS

  Command or Action Purpose

Step 1

epbr session access-list acl-name refresh

Example:

switch(config)# epbr session access-list WEB refresh

Updates or refreshes the policy generated ACLs.

Step 2

end

Example:

switch(config)# end

Exits the global configuration mode.

ePBR Show Commands

The following list provides the show commands associated with ePBR.

SUMMARY STEPS

  1. show epbr policy policy-name [reverse]
  2. show epbr statistics policy policy-name [reverse]
  3. show tech-support epbr
  4. show running-config epbr
  5. show startup-config epbr

DETAILED STEPS

  Command or Action Purpose

Step 1

show epbr policy policy-name [reverse]

Example:

switch# show epbr policy Tenant_A-Redirect

Displays information on the ePBR policy applied in forward or reverse direction.

Step 2

show epbr statistics policy policy-name [reverse]

Example:

switch# show epbr statistics policy pol2

Displays the ePBR policy statistics.

Step 3

show tech-support epbr

Example:

switch# show tech-support epbr

Displays the technical support information for ePBR.

Step 4

show running-config epbr

Example:

switch# show running-config epbr

Displays the running configuration for ePBR.

Step 5

show startup-config epbr

Example:

switch# show startup-config epbr

Displays the startup configuration for ePBR.

Verifying ePBR Configuration

To verify the ePBR configuration, use the following commands:

  • show ip access-list <access-list-name> dynamic: Displays the traffic match criteria for a bucket access-list.

  • show ip sla configuration dynamic: Displays the IP SLA configuration generated by ePBR for the service end points in the chain when probes are enabled.

  • show track dynamic: Displays the track objects generated by ePBR for the service end points in the chain when probes are enabled.

  • show ip access-list summary: Displays a summary of the traffic match criteria for a bucket access-list.

  • show [ip | ipv6 | mac] access-lists dynamic: Displays the dynamic entries of the match criteria.

Configuration Examples for ePBR

Example: ePBR NX-OS Configuration

The following topology illustrates ePBR NX-OS configuration:

Figure 1. ePBR NX-OS Configuration

Example: Service Configuration for Access and Trunk Ports

The following configuration example shows how to perform service configuration for access and trunk ports:

epbr infra vlans 100-200

epbr service app_1 type l2
  service-end-point interface Ethernet1/3
    reverse interface Ethernet1/4

epbr service app_2 type l2
  probe ctp frequency 2 retry-down-count 1 retry-up-count 1 timeout 1
  service-end-point interface port-channel10
    reverse interface port-channel11

epbr service app_3 type l2
  probe ctp frequency 2 retry-down-count 1 retry-up-count 1 timeout 1
  service-end-point interface Ethernet1/9
    reverse interface Ethernet1/10

epbr service app_4 type l2
  probe ctp frequency 2 retry-down-count 1 retry-up-count 1 timeout 1
  service-end-point interface port-channel12
    reverse interface port-channel13

Example: Configuring Access Ports

The following example shows how to configure access ports:

epbr policy p1
  statistics
  match ipv6 address flow2 vlan 10
    load-balance buckets 2
    10 set service app_1
    20 set service app_3
    25 set service app_4
    30 set service app_2
  match l2 address flow3 vlan 10
    20 set service app_2
    25 set service app_4
    50 set service app_3
  match ip address flow1 vlan 10
    10 set service app_1
    15 set service app_3
    20 set service app_2
 
interface Ethernet1/1
  switchport
  switchport access vlan 10
  no shutdown
  epbr l2 policy p1 egress-interface Ethernet1/2
 
interface Ethernet1/2
  switchport
  switchport access vlan 10
  no shutdown
  epbr l2 policy p1 egress-interface Ethernet1/1 reverse

Example: Configuring Trunk Ports

The following configuration example shows how to configure trunk ports:

epbr policy p3
  statistics
  match ip address flow1 vlan 10
    load-balance buckets 2
    10 set service app_1
    20 set service app_2
  match ipv6 address flow2 vlan 20
    load-balance buckets 2
    10 set service app_3
    20 set service app_4
  match l2 address flow3 vlan 30
    10 set service app_1
    20 set service app_2
 
interface Ethernet1/27
  switchport
  switchport mode trunk
  no shutdown
  epbr l2 policy p3 egress-interface Ethernet1/28
 
interface Ethernet1/28
  switchport
  switchport mode trunk
  no shutdown
  epbr l2 policy p3 egress-interface Ethernet1/27 reverse
 
Collecting statistics:

itd-san-2# show epbr statistics policy p1
 
Policy-map p1, match flow2
 
    Bucket count: 2
 
      traffic match : bucket 1
        app_1 : 8986 (Redirect)
        app_3 : 8679 (Redirect)
        app_4 : 8710 (Redirect)
        app_2 : 8725 (Redirect)
      traffic match : bucket 2
        app_1 : 8696 (Redirect)
        app_3 : 8680 (Redirect)
        app_4 : 8711 (Redirect)
        app_2 : 8725 (Redirect)
 
Policy-map p1, match flow3
 
    Bucket count: 1
 
      traffic match : bucket 1
        app_2 : 17401 (Redirect)
        app_4 : 17489 (Redirect)
        app_3 : 17461 (Redirect)
 
Policy-map p1, match flow1
 
    Bucket count: 1
 
      traffic match : bucket 1
        app_1 : 17382 (Redirect)
        app_3 : 17348 (Redirect)
        app_2 : 17411 (Redirect)

Example: Viewing ePBR Policy

The following example shows how to view an ePBR policy:

switch# show epbr policy p3

Policy-map : p3
Match clause:
ip address (access-lists): flow1
action:Redirect
service app_1, sequence 10, fail-action No fail-action
Ethernet1/3 track 4 [UP]
service app_2, sequence 20, fail-action No fail-action
port-channel10 track 10 [UP]
Match clause:
ipv6 address (access-lists): flow2
action:Redirect
service app_3, sequence 10, fail-action No fail-action
Ethernet1/9 track 13 [UP]
service app_4, sequence 20, fail-action No fail-action
port-channel12 track 3 [UP]
Match clause:
layer-2 address (access-lists): flow3
action:Redirect
service app_1, sequence 10, fail-action No fail-action
Ethernet1/3 track 4 [UP]
service app_2, sequence 20, fail-action No fail-action
port-channel10 track 10 [UP]
Policy Interfaces:
egress-interface Eth1/28
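As an added example that is not part of this guide, the following Python script parses constructed show epbr policy output in the format shown above and reports, for each service sequence, what happens to matched traffic when every endpoint of that service is down: with the default fail-action (shown as No fail-action) or forward, traffic is sent to the egress interface and the rest of the chain is skipped; bypass hands it to the next sequence; drop discards it. It also reports whether the chain satisfies the all-bypass condition for symmetric forward and reverse flows described in the fail-action section. The track states UP/DOWN and the fail-action spellings Bypass, Drop and Forward are assumptions about the output format.

```python
import re

# Constructed 'show epbr policy' output in the format shown above (one failed endpoint,
# mixed fail-actions); the track and fail-action spellings are assumptions.
SAMPLE_SHOW = """\
Policy-map : p3
Match clause:
ip address (access-lists): flow1
action:Redirect
service app_1, sequence 10, fail-action No fail-action
Ethernet1/3 track 4 [DOWN]
service app_2, sequence 20, fail-action Bypass
port-channel10 track 10 [UP]
port-channel12 track 3 [UP]
Match clause:
ipv6 address (access-lists): flow2
action:Redirect
service app_3, sequence 10, fail-action Drop
Ethernet1/9 track 13 [DOWN]
Policy Interfaces:
egress-interface Eth1/28
"""

# The default fail-action (shown as 'No fail-action') behaves like forward: on failure the
# traffic goes straight to the egress interface and the remaining sequences are skipped.
FAIL_OPEN = {"No fail-action", "Forward"}

def parse_show_epbr_policy(text):
    """Parse policy name, match clauses, service sequences and endpoint track states."""
    policy = {"name": None, "matches": []}
    mt = svc = None
    for line in text.splitlines():
        t = line.strip()
        if m := re.match(r"Policy-map\s*:\s*(\S+)", t):
            policy["name"] = m[1]
        elif t == "Match clause:":
            mt = {"acl": None, "action": None, "services": []}
            policy["matches"].append(mt)
            svc = None
        elif mt and (m := re.match(r".+ \(access-lists\): (\S+)", t)):
            mt["acl"] = m[1]
        elif mt and (m := re.match(r"action:\s*(\S+)", t)):
            mt["action"] = m[1]
        elif mt and (m := re.match(r"service (\S+), sequence (\d+), fail-action (.+)$", t)):
            svc = {"name": m[1], "seq": int(m[2]), "fail_action": m[3].strip(), "tracks": []}
            mt["services"].append(svc)
        elif svc and (m := re.match(r"(\S+) track (\d+) \[(UP|DOWN)\]", t)):
            svc["tracks"].append((m[1], int(m[2]), m[3] == "UP"))
    return policy

def audit_fail_behaviour(policy):
    """Return ((acl, seq, service, verdict) list, symmetric) for the redirect matches."""
    findings = []
    for mt in policy["matches"]:
        if mt["action"] != "Redirect":
            continue
        for s in mt["services"]:
            up, total = sum(ok for *_, ok in s["tracks"]), len(s["tracks"])
            fa = s["fail_action"]
            if up == 0:                   # every endpoint down: the fail-action is in effect now
                verdict = {"Bypass": "FAILED: traffic skips to the next sequence",
                           "Drop": "FAILED: traffic is dropped"}.get(
                    fa, "FAILED: traffic forwarded to egress, chain skipped")
            elif fa in FAIL_OPEN:
                verdict = f"{up}/{total} up; fails open ({fa})"
            else:
                verdict = f"{up}/{total} up; fail-action {fa}"
            findings.append((mt["acl"], s["seq"], s["name"], verdict))
    # Per the note in the fail-action section, forward/reverse symmetry holds only when
    # every sequence in the chain uses bypass.
    symmetric = all(s["fail_action"] == "Bypass" for mt in policy["matches"] for s in mt["services"])
    return findings, symmetric

if __name__ == "__main__":
    pol = parse_show_epbr_policy(SAMPLE_SHOW)
    for acl, seq, name, verdict in audit_fail_behaviour(pol)[0]:
        print(f"{pol['name']} {acl} seq {seq} {name}: {verdict}")
```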