Beginning with Cisco NX-OS Release 10.5(1)F, users can redirect traffic flows between endpoints part of different Security-Groups. The redirection can happen through a single service function (as a firewall or a load-balancer) or through a chain of service functions. Beginning with Cisco NX-OS Release 10.5(2)F, users can include up to 5 service functions in a service chain. A given service function is built with one or more endpoints, representing the service devices performing such function. Traffic flows can be load-balanced across these service endpoints, while ensuring that both directions of traffic flow symmetrically use the same service endpoint. The onboarding of these service-devices, health monitoring mechanisms, and the user intent of chaining and load-balancing the traffic based on the properties of these service devices is captured and enforced through ePBR. To know more about micro-segmentation configuration, See Micro-segmentation for VXLAN Fabrics Using Group Policy Option (GPO).

You must first create a service function, which is defined with one or more endpoints with their specific attributes. Service endpoints are the service appliances such as firewall, IPS, and so on, that are available in the network to which traffic needs to be redirected. You can also define probes to monitor the health of the service endpoints. ePBR also supports load balancing along with service-chaining. ePBR allows you to configure multiple service endpoints as a part of a specific service function and would load-balance traffic among these endpoints, always ensuring that the two legs of the same traffic flow are using the same service endpoint. This is required when the different service endpoints defined for a given service function are not clustered and hence do not share connection states between them.

You must specify the VRF context for the service as the context in which the service endpoints are reachable.

After creating one (or more) ePBR services, you must create an ePBR service-chain. The ePBR service-chain allows you to define the service function (or the chain of service functions) through which traffic should be redirected along with the order in which this needs to be done.

Services used in a chain are identified by a sequence number. In NXOS 10.5(1)F, only a single service function may be specified inside a service-chain, thereby supporting only redirection and load-balancing capabilities to a single service functions before traffic is permitted to its destination.

In every service sequence, you can define the fail-action method such as drop, forward, and bypass indicating the action that needs to be taken in the event of failures of all endpoints in the service. If no fail-action is configured, the default behavior is to drop the traffic when the service is considered as failed.

The ePBR service-chain also allows you to specify the manner in which traffic needs to be load-balanced amongst the endpoints inside a service.

Beginning with Cisco NX-OS Release 10.5(2)F, ePBR multi-node service-chains are supported with Group Policy Options. A maximum of 5 service functions (nodes) can be configured in a service chain. Multi node service chain can contain firewall, load balancer, NAT, IPS and other devices.

Beginning with Cisco NX-OS Release 10.5(2)F, sources and destinations for the contracts using ePBR single node or multi node service-chains may be distributed across multiple sites using VXLAN Group Policy Options.

Beginning with Cisco NX-OS Release 10.5(2)F,ePBR multi-node service-chains and multi-site features are supported with sources and destinations in different VRF contexts. Service devices can belong to source VRF, destination VRF, or any other VRF.

You must configure security-group identifiers, as services can also be deployed in one arm mode of ePBR services in order to use the service for VxLAN GPO based redirection and chaining. This configuration is required to correctly steer the traffic to the service devices and through the chain.

These security-groups must be defined in the system as selector of type layer4-7. Each of the connected interfaces for the service endpoints inside the service must be mapped to the correct security-group as match interface selectors. For more details, see Creating a Security Group on Micro-segmentation for VXLAN Fabrics Using Group Policy Option (GPO).

Connected interfaces for all the forward arms of the service endpoints must be mapped to the same identifier that is specified as the forward security-group for the ePBR service.

Connected interfaces for all the reverse arms of the service endpoints must be mapped to the same identifier that is specified as the reverse security-group for the ePBR service.

Only one security-group identifier should be configured for ePBR services with one-arm endpoints.

Two unique forward and reverse security-group identifiers should be configured for ePBR services with dual-arm endpoints. See figure 1 for a topology that explains the micro-segmentation based redirection and chaining.

ePBR service-chain with GPO can provide traffic redirection using GPO policies and contracts. Service-chain can be enabled for security contracts by attaching it to match class-maps inside policies used by contracts. For more details about the configuration, see Micro-segmentation for VXLAN Fabrics Using Group Policy Option (GPO).

ePBR monitors the health of the endpoints by provisioning IP SLA probes and object tracks to track the IP SLA reachability when you apply the probe configuration.

ePBR supports various probes for protocols such as ICMP, TCP, UDP, DNS, and HTTP. ePBR also supports user defined tracks, which allows you to create tracks with various parameters including millisecond probes and associate them with ePBR endpoints.

You can configure ePBR probe options for a service if all the endpoints of the service require similar probing methods and protocols. If one or more endpoints require a different probing mechanism, you can configure probe options specific to those forward and reverse endpoints. You can also configure frequency, timeout, retry up and down counts. For service-endpoints distributed in a VXLAN environment, users must configure source loopback interfaces for the endpoints or service probes. The IP Addresses of these loopback interfaces are used as the unique source IP for the IP SLA sessions established with these endpoints.

When probes are configured for the service, forward and reverse arms do not need to have a unique loopback. They can share the same loopback or a different loopback can be provided.

You can define tracks separately and assign the track ID to the forward and reverse arm of each service-endpoint in ePBR. These track IDs should not be re-used across different endpoints in the same or different ePBR service but may be shared between the forward and reverse arms of the endpoint. If you do not assign any user-defined track to an endpoint, ePBR will create a track using the probe method for the endpoint. If no probe method is defined at the endpoint level, the probe method configured for the service level will be used.

In events of device failures, traffic that was redirecting to the failed devices will redirect to other reachable devices, until the service is detected as failed. Resilient hashing is supported during device failures for a service function deployed with multiple service endpoints. Traffic that was always being redirected to a specific service endpoint continues to redirect to the same device in events of failures of other service endpoints part of the same service fucntion.

ePBR supports the following fail-action mechanisms for its service chain sequences:

• Drop

• Forward

• Bypass

Drop indicates that the traffic must be dropped when the service in the current sequence is considered as failed. This is the default behavior when no fail-action is configured.

Forward indicates that upon failure of the service in the current sequence, traffic should use the regular routing.  This fail-action mechanism is only supported when a single service function is defined in the chain.

Bypass indicates that the traffic must be redirected to the next service function in the chain when the service in the current sequence is considered as failed. For a service-chain with a single sequence, when using bypass traffic would use regular routing like the fail-action option of forward.

Beginning with Cisco NX-OS 10.5(1)F, ePBR with GPO supports load-balancing traffic between service endpoints that are part of the same service function. Load-balance method may be configured for a service-chain if the same load-balance mechanism is desired for every service function in the chain. If one or more service functions or sequences inside the chain require a different load-balancing mechanism, this may be configured for the specific sequence inside the chain. Traffic may be load-balanced using source IP parameters, destination-IP parameters or source IP, destination IP along with the protocol indications available in the IP headers. ePBR with micro-segmentation ensures traffic is symmetrically load-balanced to the same service device in both directions.

Beginning with Cisco NX-OS 10.5(1)F, ePBR with GPO supports redirection of traffic to service devices that modify the destination and/or source IP addresses of the traffic. These devices may be external load-balancers, NATTing firewalls and CGNAT devices.  

Service devices may perform only destination NAT (load-balancers with SNAT disabled), only source NAT (CGNAT devices for return traffic) or both (load-balancers with SNAT enabled).  

Traffic to devices such as external load-balancers performing destination NAT in the forward direction do not need policy-based redirection but need to be permitted in order to reach the VIP address exposed by the load-balancer.  

Similarly, traffic in the reverse direction returning to devices such as external load-balancers or CGNAT devices, that have performed Source NAT in the forward direction, do not need policy-based redirection, but need to be permitted.  

Traffic to devices such as external load-balancers that do not have source NAT enabled, require policy-based redirection for traffic in the reverse direction. 

As described above, traffic to these services needs to be handled in different ways based on their NAT capabilities. Additionally, due to the modification of the IP addresses of the traffic by these appliances, the destination and/or source security-group tags may be different before and after redirection to these services.  Handling these variances may ordinarily require complex asymmetric, uni-directional contracts. 

ePBR simplifies the contract creation for the user by allowing the user to indicate that the service function in the ePBR service-chain at a particular sequence, has destination and/or source NAT capabilities. This is done by configuring an action for the service inside the chain, for the forward and reverse directions of traffic.

• Services that only perform destination NAT on the traffic only are configured with action of route for the forward direction.

• Services that only perform both destination and source NAT on the traffic, are configured with action of route for both directions of traffic.

• Services that perform only source NAT on the traffic are configured with action of route only for the reverse direction of traffic.

The configuration options of route allow users to create a single contract from consumer to provider ESGs. This configuration reduces the burden of creating separate contracts between consumer to load- balancer then from load-balancer to the provider ESG due to the change in destination ESG.

When no action is configured for any direction, the service functions inside the chain are treated as requiring redirection in both directions. Fail-action and threshold features will not be supported for service functions in the service-chain that have action of route configured for either the forward or reverse directions.

Beginning with Cisco NX-OS Release 10.5(2)F, traffic flows between endpoints of different security-groups belonging to multiple sites may be redirected to a service-chain by enabling multi-site mode for the service-chain. These single node or multi-node service-chains may consist of service functions such as firewall, load balancer, NAT, IPS, TCP optimizer and so on. Using this feature, users can interconnect and manage Security Group with service-chaining across different NX-OS VXLAN EVPN fabrics, whether those are physically collocated or geographically dispersed.

Sites 1 and 2 have their own service functions, and service chains are created between SG-A and SG-B, and SG-C and SG-D using the service functions FW 1 and FW 2 respectively within the same site. The failover service chain for site 1 can be created using FW2 from site 2, and for site 2 using FW1 from site 1.

If there are no service functions available within the same site, users can use service functions available in the remote sites to create service chain using contract.

While configuring service chain for workloads that span over multiple sites, select a service chain that is either located at the source site or the destination site. The ePBR policy is enforced on the site that has smaller security group.

Inter-site workload with service chain inspection, where the service chain is only present in one site. Both forward and reverse flows should traverse the same chain. In the event of service chain failure, there should be a subsequent failover to the third-site service chain for both forward and reverse flows.

Inter-site workload with service chain inspection, where the service chain is not present in source or destination sites but only present in third site. Both forward and reverse flows should traverse the same chain.

ePBR with micro-segmentation has the following guidelines and limitations: 

• In NXOS 10.5(1)F SGACL based service redirection is only supported to a single service function in the chain. The service function may contain one or more layer-3 one-arm or dual-arm service endpoints.

• Load-balancer service functions inside an GPO based ePBR service-chain may only consist of a single load-balancer endpoint.

• Service functions with a mix of one-arm and dual-arm service endpoints are not supported.

• The sum total of weights across all active endpoints in the ePBR service cannot exceed 128.

• For the external load-balancer to monitor the health of the server cluster, contracts with permit action must be explicitly created between the layer4-7 security-tags of the load-balancer service and the servers.

• Service with one-arm devices must not be configured with a reverse security-group identifier.

• Services with dual-arm devices must be configured with a reverse security-group identifier that is different from the forward security-group. 

• Services with dual-arm devices should use different service VLANs for the forward and reverse arms of the endpoints. The forward arms of one or more service endpoints in the service function can share one service VLAN and the reverse arms of one or more service endpoints can use a different service VLAN.

• Users must ensure that service VLANs are used exclusively for the service endpoints and are not used for any other host traffic. Hosts cannot be connected to such VLANs. This is required to avoid incorrect classification of such traffic.

• The forward and reverse security groups defined inside an ePBR service must be defined as layer4-7 security group selectors on the VXLAN leaf switches that have the connected interfaces (interface VLANs) configured.

• In NXOS 10.5(1)F service endpoint connected interfaces used in services must be interface VLANs only.  Endpoint connected interfaces cannot be layer-3 physical interfaces, subinterfaces , layer-3 port-channels or port-channel subinterfaces, or any other interfaces that are supported for IPACL EPBR.

• While security-groups and service VLANs may be shared between ePBR services, users must ensure that the contracts that use these services in chains do not have conflicting match filters or actions.

• In NXOS 10.5(1)F, the service that the traffic is redirected to, must be configured in the same VRF context as the contract. 

• Match class-maps for IPv4 traffic must be configured with service-chains containing IPv4 services and match class-maps for IPv6 traffic must be configured with service-chains containing IPv6 traffic.

• Unique layer-4 source and destination port parameters should be specified for the match class-map filters, if traffic is required to match any-any source and destination security-groups in the contract and the service in the chain is a dual-arm service. 

• Users must ensure that multiple contracts using the same source and destination security-groups are not configured with policies and match class-maps having different service redirection results for the same traffic flows.

• When fail-action is configured for a sequence inside a service-chain , it is recommended that probing is consistently enabled for the service via service-level or endpoint-level probes.

• It is recommended that probe traffic is classified in a separate CoPP class. Otherwise, probe traffic may use the default CoPP class and might be dropped causing continuous IP SLA state changes during spikes in supervisor traffic. For information on CoPP configuration for IP SLA, see Configuring CoPP for IP SLA Packets.

• ePBR administrative and operational out-of-service features are not supported for services used in service redirection with micro-segmentation. For more information, see Configuring ePBR L3.

• Endpoint states of the forward and reverse arms of dual-arm devices are not synchronized automatically. If this is needed, identical probe track configuration on the forward and reverse arms should be used.

• Probe tracks configured for endpoints may be shared between the forward and reverse arms of the same endpoints, but not across endpoints in the same or different services.

• Probe tracks must be used for any automatic synchronization of endpoint states across the forward and reverse arms of dual-arm devices.

• The service nodes can be part of either the source VRF or the destination VRF or in a separate VRF. If some of the service nodes are part of the source VRF and some are a part of the destination VRF, all consecutive elements following the source, must uniformly pertain to the source VRF. Once the VRF for an element in the chain pertains to the destination VRF, all consecutive elements following this until the end of the service-chain must pertain to the destination VRF.

• Dual-arm service end-points cannot have each arm in a different VRF.

Multinode Service-Chaining Guidelines and Limitations:

• A maximum of 5 service functions (nodes) are supported in a service chain.

• In multinode configuration, only bypass and drop fail-action options are supported. Fail-action option of forward is not supported.

• Only a single service function that performs IP address translation (load-balancer or CGNAT devices) may be configured inside a multi-node service-chain.

Multi-site Service-Chaining Guidelines and Limitations:

• All service functions for a given service chain should belong to a single site.

• A maximum of 5 fail-over service-chains are supported inside a failover group.

• A maximum of 10 sites are supported in a multi-site fabric that is using EPBR service-chains with VXLAN Group Policy Options.

• Multi-Site failover options are not supported with service-chains that consist of load-balancer devices because load-balancer devices have unique VIPs and failover to a different load-balancer implies a VIP changed which is outside the scope of the VTEP making the failover decision.

• `

• Load-balancer devices without Source NAT enabled, used in the service-chain, and the servers they are load-balancing to must co-exist in the same site.

• A service-chain and the fail-over service-chains it is configured to use must consist of the same number of service nodes. Each service node may, however, have a varying number of service-endpoints.

• Every service-node inside the service-chain and the failover service-chains it is configured to use must be configured with the same service security-groups.

See figure 5 for the configuration example showing SGACL service-chaining configuration.

1. Create layer4-7 selectors for the service.

   security-group 2010 name FWD 			 
     type layer4-7							   
     match interface vlan 24 
     match interface vlan 16  
   security-group 2011 name REV  
     type layer4-7 
     match interface vlan 25 
     match interface vlan 17 

2. Creating ePBR service and endpoints.

   epbr service fw 
     vrf tenant 
     security-group 2010 reverse 2011 
     probe tcp 80 frequency 5 timeout 3 source-interface 
      loopback10 reverse loopback11 
     service-end-point ip 10.0.1.1 
       reverse ip 10.0.1.2 
     service-end-point ip 10.0.0.1 
       reverse ip 10.0.0.2 

3. Create security-group selectors for host traffic.

   security-group 5051 name sec_5051 
     match connected-endpoints vrf tenant ipv4 151.1.1.0/24  
   
   security-group 5050 name sec_5050 
     match connected-endpoints vrf tenant ipv4 150.1.1.0/24   

4. Create security class-maps to define the layer3, layer-4 match criteria.

   class-map type security match-any class_ipv4_tcp 
     match ipv4 tcp dport 80 
     match ipv4 tcp dport 443 

5. Configure the ePBR service-chain. Configuration of class-maps, policy-maps and contracts under vrf need to be consistent on all leafs.

   epbr service-chain web 
     load-balance method src-dst-ipprotocol 
     10 set service fw fail-action drop
     

6. Configure the security policy-map and attach the service-chain to the required match class-map.

   policy-map type security web_policy 
     class type security class_ipv4_tcp 
       service-chain web 

7. Configure the contract.

   vrf context tenant 
     security contract source 5050 destination 5051 policy web_policy 

   For more details on moving the VRF context to enforced mode, see Configuring Security contracts between Security Groups.

Configuration Example for Multi-node Single Site Service-chaining

Following is a configuration example that has three firewalls as services that are part of the service chain. Each firewall is implimented with multiple service endpoints.

1. Configuring ePBR service fw1

   epbr service fw1   
     vrf tenant 
     security-group 2010 reverse 2011 
     probe icmp frequency 2 retry-down-count 2 retry-up-count 1 timeout 1 source-interface loopback3 reverse loopback4 
     service-end-point ip 10.1.1.2 
       weight 10 
       reverse ip 11.1.1.2 
     service-end-point ip 18.1.1.2 
       reverse ip 19.1.1.2 
     service-end-point ip 20.1.1.2 
       mode hot-standby 
       reverse ip 21.1.1.2 
     service-end-point ip 253.1.1.2 
       mode hot-standby 
       weight 10 
       reverse ip 254.1.1.2 
     service-end-point ip 26.1.1.2 
       weight 5 
       reverse ip 27.1.1.2 
     service-end-point ip 34.1.1.2 
       mode hot-standby 
       weight 6 
       reverse ip 35.1.1.2 

2. Configuring ePBR service fw2

   epbr service fw2   
     vrf tenant 
     security-group 2013 
     probe icmp frequency 2 retry-down-count 2 retry-up-count 1 timeout 1 source-interface loopback3 reverse loopback4 
     service-end-point ip 255.1.1.2 
       mode hot-standby 
     service-end-point ip 50.1.1.2 
       weight 10 
     service-end-point ip 54.1.1.2 
       weight 5 
     service-end-point ip 58.1.1.2 
     service-end-point ip 59.1.1.2 
       mode hot-standby 
       weight 10 
     service-end-point ip 62.1.1.2 
       mode hot-standby 
       weight 6 

3. Configuring ePBR services fw3

   epbr service fw3   
     vrf tenant 
     security-group 2014 reverse 2015 
     probe icmp frequency 2 retry-down-count 2 retry-up-count 1 timeout 1 source-interface loopback3 reverse loopback4 
     service-end-point ip 12.1.1.2 
       weight 10 
       reverse ip 13.1.1.2 
     service-end-point ip 22.1.1.2 
       weight 10 
       reverse ip 23.1.1.2 
     service-end-point ip 32.1.1.2 
       weight 5 
       reverse ip 33.1.1.2 
     service-end-point ip 40.1.1.2 
       reverse ip 41.1.1.2 

4. Configure the ePBR multi-node service-chain

   epbr service-chain FW-chain-v4 
     load-balance method dst-ip 
     10 set service service1-v4-2arm fail-action bypass  
       load-balance method src-ip 
     20 set service service3-v4-1arm fail-action drop 
     30 set service service5-v4-2arm fail-action bypass  
       load-balance method src-dst-ipprotocol 

sh epbr service-chain FW-chain-v4 

 

Service-chain : FW-chain-v4  state:UP 

    service:fw1, sequence:10, fail-action:Bypass 

      load-balance:Source-Destination-ipprotocol, action:Redirect 

      state:UP 

      IP 10.1.1.2 track 1 [UP] 

      IP 18.1.1.2 track 2 [UP] 

      IP 26.1.1.2 track 3 [UP] 

      IP 20.1.1.2 track 4 [UP] [HOT-STANDBY] 

      IP 34.1.1.2 track 5 [UP] [HOT-STANDBY] 

      IP 253.1.1.2 track 6 [UP] [HOT-STANDBY] 

    service:fw2, sequence:20, fail-action:Drop 

      load-balance:Source-Destination-ipprotocol, action:Redirect 

      state:UP 

      IP 50.1.1.2 track 7 [UP] 

      IP 54.1.1.2 track 8 [UP] 

      IP 58.1.1.2 track 9 [UP] 

      IP 59.1.1.2 track 10 [UP] [HOT-STANDBY] 

      IP 62.1.1.2 track 11 [UP] [HOT-STANDBY] 

      IP 255.1.1.2 track 12 [UP] [HOT-STANDBY] 

    service:fw3, sequence:30, fail-action:Bypass 

      load-balance:Source-Destination-ipprotocol, action:Redirect 

      state:UP 

      IP 12.1.1.2 track 13 [UP] 

      IP 22.1.1.2 track 14 [UP] 

      IP 32.1.1.2 track 15 [UP] 

      IP 40.1.1.2 track 16 [UP] 

Configuration example for multi-site ePBR with GPO

Site 1

1. Create security class-maps to define the layer3, layer-4 match criteria.

   class-map type security match-any web_class 
     match ipv4 tcp dport 80 

2. Configure the security policy-map and attach the service-chain to the required match class-map

   policy-map type security web 
     class type security web_class 
       service-chain site1-web-chain 

3. Creating ePBR service and endpoints.

   epbr service fw 
     security-group 100 
     probe icmp 
     service-end-point ip 10.1.1.2  
     service-end-point ip 20.1.1.2 
      mode hot-standby 
   
   epbr service fw2 
     security-group 100 
     probe icmp 
     service-end-point ip 11.1.1.2  
   
   epbr service fw3 
     security-group 100 
     probe icmp 
     service-end-point ip 13.1.1.2 

4. Configuring Multi-site mode and fail over group and chain

   epbr service-chain site1-web-chain 
     mode multisite failover-group fallback-web-chain1 
     load-balance method dst-ip 
     10 set service fw fail-action drop         
   
   epbr service-chain site2-web-chain 
     load-balance method dst-ip 
     10 set service fw2 fail-action drop      
   
   epbr service-chain site3-web-chain 
     load-balance method dst-ip 
     10 set service fw3 fail-action drop    
   
   epbr failover-group fallback-web-chain1 
     service-chain site2-web-chain preference 5 
     service-chain site3-web-chain preference 20 

Site 2

1. Create security class-maps to define the layer3, layer-4 match criteria.

    class-map type security match-any web_class 
     match ipv4 tcp dport 80 

2. Configure the security policy-map and attach the service-chain to the required match class-map.

   policy-map type security web 
     class type security web_class 
       service-chain site2-web-chain 

3. Creating ePBR service and endpoints.

   epbr service fw 
     security-group 100 
     probe icmp 
     service-end-point ip 10.1.1.2  
     service-end-point ip 20.1.1.2 
      mode hot-standby 
   
    epbr service fw2 
     security-group 100 
     probe icmp 
     service-end-point ip 11.1.1.2  
   
   epbr service fw3 
     security-group 100 
     probe icmp 
     service-end-point ip 13.1.1.2 

4. Configuring Multi-site mode and fail over group and chain

   epbr service-chain site1-web-chain 
     load-balance method dst-ip 
     10 set service fw fail-action drop          
   
   epbr service-chain site2-web-chain 
     mode multisite failover-group fallback-web-chain2 
     load-balance method dst-ip 
     10 set service fw2 fail-action drop      
   
   epbr service-chain site3-web-chain 
     load-balance method dst-ip 
     10 set service fw3 fail-action drop    
   
   epbr failover-group fallback-web-chain2 
     service-chain site1-web-chain preference 5 
     service-chain site3-web-chain preference 25 

Site 3

1. Create security class-maps to define the layer3, layer-4 match criteria.

   class-map type security match-any web_class 
     match ipv4 tcp dport 80 

2. Configure the security policy-map and attach the service-chain to the required match class-map

   policy-map type security web 
     class type security web_class 
       service-chain site3-web-chain 

3. Creating ePBR service and endpoints

   epbr service fw 
     security-group 100 
     probe icmp 
     service-end-point ip 10.1.1.2  
     service-end-point ip 20.1.1.2 
      mode hot-standby 
   
   
   epbr service fw2 
     security-group 100 
     probe icmp 
     service-end-point ip 11.1.1.2  
   
   epbr service fw3 
     security-group 100 
     probe icmp 
     service-end-point ip 13.1.1.2 

4. Configuring service-chain and multi-site

   epbr service-chain site1-web-chain 
     load-balance method dst-ip 
     10 set service fw fail-action drop         
   
   
   epbr service-chain site2-web-chain 
     load-balance method dst-ip 
     10 set service fw2 fail-action drop      
   
    epbr service-chain site3-web-chain 
     mode multisite failover-group fallback-web-chain3  
     load-balance method dst-ip 
     10 set service fw3 fail-action drop    

5. Configure failover group

   epbr failover-group fallback-web-chain3 
     service-chain site1-web-chain preference 20 
     service-chain site2-web-chain preference 25