Inline Services for Virtual Wire

The Inline Service feature manages service chains for Layer 1 Virtual Wire switches. The term Inline Services refers to services attached to a Layer 1 Virtual Wire switch, such as a Next-Generation Firewall (NGFW), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), or Distributed Denial of Service (DDoS) attack prevention.

When an Inline Service fails, a policy determines whether traffic is allowed to bypass the failed Inline Service or whether traffic is blocked until the Inline Service recovers.

Security services such as NGFW, IDS, IPS, and DDoS prevention are important for any network deployment, and because they sit inline they monitor the network continuously. An inline security service can fail because of a power failure, maintenance, or other reasons, and such a failure has the potential to affect the flow of traffic in the network, potentially bringing the network down. For this reason the services themselves need continuous monitoring.

To safeguard against such failures, the Inline Service feature provides a way to steer traffic around the failed Inline Service so that traffic is not impacted. Note that for the duration of the failure the network is not protected by the service that the failed Inline Service provided.

Netvisor detects Inline Service failure and recovery from the port link states, UP and DOWN, between the Layer 1 Virtual Wire switch and the Inline Service.

However, a device connected to the switch can fail without the port changing its link state to UP or DOWN. For such cases, Netvisor relies on a heartbeat: a probe in the form of a pre-defined packet sent to the attached device.

[Figure: inline-services-VW.png]

Figure 1: Example of Inline Services

You configure the order of the Inline Services using the port-association-service-* commands.

If an Inline Service is configured with the parameter fail-open, Netvisor continues to send traffic and skips any Inline Service that has failed.

For example, if you configure Inline Services with the chain 1->2->3->4->5, and the Inline Service 3 fails, the new chain is 1->2->4->5.

If an Inline Service is configured with the parameter fail-closed and any such Inline Service fails, network traffic is blocked. For example, if you configure the chain 1->2->3->4->5 and any Inline Service such as 2, 3, or 4 fails, network traffic does not flow through the chain, and network traffic flow stops.

Configuring Heartbeat Service

Netvisor generates the heartbeat packet from the CPU and sends it to the receive port of the Inline Service. The vFlow that Netvisor configures to snoop for the response is not port-specific: Netvisor accepts the response on either the receive port or the transmit port. You configure the heartbeat as an additional parameter of a specific Inline Service.

For example, to create a heartbeat detection service named FW_probe, use the following syntax:

(CLI network-admin@Spine1)>service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type normal payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00

In this example, you define the frequency of the heartbeats (interval) as well as the number of missed probes (retry) after which Netvisor declares the service that uses this heartbeat down.

To attach the Heartbeat Service to the Inline Services FW1 and FW2, use the following syntax:

(CLI network-admin@Spine1)>inline-service-create name FW1 tx-port 11 rx-port 11 heartbeat FW_probe

(CLI network-admin@Spine1)>inline-service-create name FW2 tx-port 9 rx-port 10 heartbeat FW_probe

Netvisor counts the missed heartbeats separately for FW1 and FW2.
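The following Python model is an added example, not Netvisor code. It reproduces the behaviour described in the two passages above: a failed fail-open service is skipped, a failed fail-closed service blocks the whole chain, and heartbeat misses are counted separately for each Inline Service and compared against retry. The class and function names are this example's own, and the rule "declare the service down once retry consecutive probes go unanswered" is an assumption about how the retry count is applied; the page itself does not state the exact comparison.

```python
"""Model of Inline Service failure handling: fail-open / fail-closed chains
and per-service heartbeat miss counting.

Added example, not Netvisor code. The threshold rule (down once `missed`
reaches `retry`) is an assumption; class and function names are this
example's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InlineService:
    name: str
    order: int                  # position in the chain (order in port-association-service-add)
    policy_action: str          # "fail-open" or "fail-closed"
    retry: int = 3              # missed probes tolerated (service-heartbeat-create retry)
    link_up: bool = True        # port link state between the switch and the service
    missed: int = 0             # consecutive missed heartbeats, tracked per service

    def record_probe(self, answered: bool) -> None:
        """Update this service's own miss counter after one heartbeat probe."""
        self.missed = 0 if answered else self.missed + 1

    @property
    def healthy(self) -> bool:
        """Either failure signal marks the service down: link DOWN, or too many
        consecutive missed heartbeats (assumed threshold: missed >= retry)."""
        return self.link_up and self.missed < self.retry


def effective_chain(services: List[InlineService]) -> Optional[List[str]]:
    """Return the order in which traffic actually traverses the services,
    or None when a failed fail-closed service blocks the port association."""
    chain: List[str] = []
    for svc in sorted(services, key=lambda s: s.order):
        if svc.healthy:
            chain.append(svc.name)
        elif svc.policy_action == "fail-open":
            continue                # traffic keeps flowing, unprotected by this service
        elif svc.policy_action == "fail-closed":
            return None             # traffic stops until the service recovers
        else:
            raise ValueError(f"unknown policy-action {svc.policy_action!r}")
    return chain


def bypassed_protection(services: List[InlineService]) -> List[str]:
    """Failed services whose fail-open policy currently lets traffic through
    unprotected: the exposure window worth alerting on, not just logging."""
    return [s.name for s in services
            if not s.healthy and s.policy_action == "fail-open"]


def demo() -> dict:
    # Chain 1->2->3->4->5, all fail-open; service 3 loses link -> 1->2->4->5.
    open_chain = [InlineService(f"S{i}", i, "fail-open") for i in range(1, 6)]
    open_chain[2].link_up = False
    # Same chain with fail-closed; service 3 failing stops all traffic.
    closed_chain = [InlineService(f"S{i}", i, "fail-closed") for i in range(1, 6)]
    closed_chain[2].link_up = False
    # FW1 and FW2 share one heartbeat definition (retry 3) but are counted apart.
    fw1 = InlineService("FW1", 1, "fail-open", retry=3)
    fw2 = InlineService("FW2", 2, "fail-open", retry=3)
    for _ in range(3):
        fw1.record_probe(answered=False)
    fw2.record_probe(answered=False)
    return {
        "open": effective_chain(open_chain),              # ['S1', 'S2', 'S4', 'S5']
        "open_exposed": bypassed_protection(open_chain),  # ['S3']
        "closed": effective_chain(closed_chain),          # None
        "fw1_down": not fw1.healthy,                      # True: 3 misses reached retry
        "fw2_down": not fw2.healthy,                      # False: FW2 missed only one
    }


if __name__ == "__main__":
    print(demo())
```

The bypassed_protection helper is the piece a defender should wire into monitoring: with fail-open, the chain keeps forwarding and nothing else in the data path reports that the NGFW or IPS is no longer inspecting it.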

 

Configuring the Payload

Specify the payload as the packet starting at (and including) the Ethertype, but excluding the CRC at the end of the frame. For example, an ARP packet captured with its CRC looks like this:

Full frame (including CRC):

0:  ffff ffff ffff 0011 0100 0001 0806 0001    ................
16: 0800 0604 0001 0011 0100 0001 0101 0101    ................
32: 0000 0000 0000 0101 0102 0000 0000 0000    ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b    ............!`.k

A heartbeat service named HB4_arp for this ARP packet has the following syntax:

(CLI network-admin@Spine1)>service-heartbeat-create name HB4_arp interval 1s retry 10 vlan 1 src-mac 00:11:01:00:00:01 dst-mac ff:ff:ff:ff:ff:ff payload "0806 0001 0800 0604 0001 0011 0100 0001 0101 0101 0000 0000 0000 0101 0102 0000 0000 0000 0000 0000 0000 0000"

When you create the Heartbeat Service, Netvisor installs a specific vFlow in the vFlow table.

Netvisor verifies the functionality of the Inline Service using one of two methods: 1) a normal heartbeat, or 2) a passthrough heartbeat. The parameter type selects which one. With type normal, the heartbeat is request-response: the Inline Service itself answers the heartbeat packet. With type pass-through, Netvisor sends the packet into the service and the packet returns to the switch through the service.
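The following Python script is an added example, not Netvisor code. It applies the payload rule from the section above (the payload runs from the Ethertype to the end of the frame, CRC excluded) in two independent ways and checks that they agree: it builds the ARP request from its fields with struct, and it parses the hex dump shown on the page (copied verbatim into HEX_DUMP). The trailing four bytes of the dump are treated as the CRC, as the dump label says, and the derived string keeps all of the captured frame's zero padding. Function names are this example's own.

```python
"""Derive a service-heartbeat-create payload string from an ARP frame.

Added example, not Netvisor code. Checks that the payload obtained by parsing
the page's hex dump equals the one obtained by building the same ARP request
from its fields. Function names are this example's own.
"""
import struct

# Hex dump copied from the page: offset, eight 16-bit words, ASCII column.
HEX_DUMP = """\
0:  ffff ffff ffff 0011 0100 0001 0806 0001    ................
16: 0800 0604 0001 0011 0100 0001 0101 0101    ................
32: 0000 0000 0000 0101 0102 0000 0000 0000    ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b    ............!`.k
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw bytes of an 'offset: words ... ascii' dump."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset, rest = line.split(":", 1)
        if int(offset) != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset}")
        # Keep only 4-hex-digit words; the 16-char ASCII column never matches.
        for word in rest.split():
            if len(word) == 4 and set(word) <= HEX_DIGITS:
                out += bytes.fromhex(word)
    return bytes(out)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str,
                      dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Ethernet header + ARP request, zero-padded to the 60-byte minimum
    frame size. The CRC/FCS is added by hardware and is not included."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,              # hardware type: Ethernet
                      0x0800,         # protocol type: IPv4
                      6, 4,           # hardware / protocol address lengths
                      1,              # opcode: request
                      mac(src_mac), ipv4(sender_ip),
                      b"\x00" * 6, ipv4(target_ip))
    frame = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0806) + arp
    return frame.ljust(60, b"\x00")


def heartbeat_payload(frame: bytes, has_fcs: bool) -> str:
    """Payload in the form the CLI takes: from the Ethertype (byte 12) onward,
    CRC excluded, as space-separated 16-bit words in hex."""
    body = frame[12:-4] if has_fcs else frame[12:]
    return " ".join(body[i:i + 2].hex() for i in range(0, len(body), 2))


def payload_from_dump(dump: str = HEX_DUMP) -> str:
    return heartbeat_payload(parse_hex_dump(dump), has_fcs=True)


def payload_from_fields() -> str:
    # Field values as they appear in the dump and in the HB4_arp command.
    frame = build_arp_request("00:11:01:00:00:01", "1.1.1.1", "1.1.1.2")
    return heartbeat_payload(frame, has_fcs=False)


if __name__ == "__main__":
    print(payload_from_dump())
    print("built from fields matches dump:", payload_from_dump() == payload_from_fields())
```

Building the frame from fields rather than hand-copying hex avoids the usual mistakes in a heartbeat payload (an off-by-one that drops the Ethertype, or padding that is two words short), and the dump parser gives a way to check any captured frame against what was configured.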

 

Configuring Inline Services with a Heartbeat Service

To configure the example topology displayed in Figure 1, Example of Inline Services, use the following steps:

1. Configure the North-South port association using the following syntax:

(CLI network-admin@Spine1)>port-association-create name NorthToSouth master-ports 1 slave-ports 8 virtual-wire no-bidir

2. Define and configure the Heartbeat Service parameters:

(CLI network-admin@Spine1)>service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type passthrough payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00

3. Configure the Inline Services chain, giving each service its position (order) and its failure policy (policy-action):

(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service IPS order 2 policy-action fail-open

(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service DDoS order 3 policy-action fail-open

(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service NGFW order 4 policy-action fail-closed

Netvisor provides the following commands to configure Heartbeat Services:

(CLI network-admin@Spine1)>service-heartbeat-create

name name-string

Specify a name for the Heartbeat Service.

interval duration: #d#h#m#s

Specify the interval between heartbeat packets.

retry retry-number

Specify the number of times to retry sending a packet.

vlan vlan-id

Specify a VLAN ID.

src-mac mac-address

Specify the source port MAC address.

dst-mac mac-address 

Specify the destination MAC address.

type normal|pass-through

Specify the type of heartbeat as normal or pass-through. With normal, the Inline Service itself sends the response. With pass-through, the packet Netvisor sends returns to the switch through the Inline Service.

payload payload-string

Specify the payload for the heartbeat packet.

 

(CLI network-admin@Spine1)>service-heartbeat-delete

name name-string

Specify a name for the Heartbeat Service.

 

(CLI network-admin@Spine1)>service-heartbeat-modify

name name-string

Specify a name for the Heartbeat Service.

interval duration: #d#h#m#s

Specify the interval between heartbeat packets.

retry retry-number

Specify the number of times to retry sending a packet.

 

(CLI network-admin@Spine1)>service-heartbeat-show

name name-string

Displays the name for the Heartbeat Service.

interval duration: #d#h#m#s

Displays the interval between heartbeat packets.

retry retry-number

Displays the number of times to retry sending a packet.

vlan vlan-id

Displays a VLAN ID.

src-mac mac-address

Displays the source port MAC address.

dst-mac mac-address 

Displays the destination MAC address.

type normal|pass-through

Displays the type of heartbeat as normal or pass-through. With normal, the Inline Service itself sends the response. With pass-through, the packet Netvisor sends returns to the switch through the Inline Service.

payload payload-string

Displays the payload for the heartbeat packet.

 

Configuring Service Chains

A service chain is configured using port-association-service-* commands. The services in the chain are managed using inline-service-* commands.

Inline Services are configured using the following commands:

(CLI network-admin@Spine1)>port-association-service-add

port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

order number

Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Specify a policy action when the service fails on the network.

(CLI network-admin@Spine1)>port-association-service-modify

port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

order number

Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Specify a policy action when the service fails on the network.

 

(CLI network-admin@Spine1)>port-association-service-remove

port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

 

(CLI network-admin@Spine1)>port-association-service-show

port-association-name name-string

Displays the name of the port association to apply the service.

switch name-string

Displays the switch name where the service is located.

inline-service inline-service-name

Displays the name of the Inline Service.

order number

Displays the number that designates the order of the service in the chain. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Displays a policy action when the service fails on the network.

 

(CLI network-admin@Spine1)>inline-service-create

name name-string

Specify a name for the Inline Service.

tx-port port-list

Specify the transmit port for the Inline Service.

rx-port port-list

Specify the receive port for the Inline Service.

 

(CLI network-admin@Spine1)>inline-service-delete

name name-string

Specify a name for the Inline Service.

 

 

(CLI network-admin@Spine1)>inline-service-show

name name-string

Displays the name of the Inline Service.

tx-port port-list

Displays the transmit port for the Inline Service.

rx-port port-list

Displays the receive port for the Inline Service.

 

Configuring and Displaying Statistics

You can display standard statistics that consist of flow-based information collected and tracked continuously by the switch. To modify statistics logging, use the stats-log-modify command to disable or enable statistical logging and to change the interval, in seconds, between statistical events.

To show connection-level statistics (traffic flows between a pair of hosts for an application service, including current connections and all connections since the creation of the fabric), enter the following CLI command at the prompt:

CLI network-admin@Leaf1 > connection-stats-show
switch:        pubdev02
count:         0
mac:           64:0e:94:28:00:8e
vlan:          3
ip:            192.168.42.10
port:          25
iconns:        6
oconns:        0
ibytes:        224K
obytes:        10.5K
total-bytes:   235K
first-seen:    02-26,17:19:52
last-seen:     02-26,17:19:57
last-seen-ago: 17d14h6m5s

switch:        pubdev02
count:         0
mac:           64:0e:94:28:03:56
vlan:          3
ip:            192.168.42.30
port:          128
iconns:        0
oconns:        3946878
ibytes:        4.50M
obytes:        13.5M
total-bytes:   18.0M
first-seen:    01-06,09:23:07
last-seen:     08:25:20
last-seen-ago: 42s

From the information displayed in the output, you can see, for each switch, the VLAN, the client and server IP addresses, and the service (port) on each connection, together with the connection and byte counts. Latency and other information is also displayed.
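The following Python script is an added example, not Netvisor code. It parses the connection-stats-show output shown above (copied into SAMPLE) into one record per host and then applies a simple triage rule: a host whose outbound connection count is far above its inbound count, as 192.168.42.30 is in the sample, deserves a look. The decimal K/M/G multipliers and the fan-out threshold are this example's own assumptions; the page does not document Netvisor's display units.

```python
"""Parse connection-stats-show output and flag hosts with abnormal outbound fan-out.

Added example, not Netvisor code. SAMPLE is the output shown on the page;
the size multipliers (decimal K/M/G) and the threshold are assumptions.
"""
import re
from typing import Dict, List

SAMPLE = """\
CLI network-admin@Leaf1 > connection-stats-show
switch:        pubdev02
count:         0
mac:           64:0e:94:28:00:8e
vlan:          3
ip:            192.168.42.10
port:          25
iconns:        6
oconns:        0
ibytes:        224K
obytes:        10.5K
total-bytes:   235K
first-seen:    02-26,17:19:52
last-seen:     02-26,17:19:57
last-seen-ago: 17d14h6m5s
switch:        pubdev02
count:         0
mac:           64:0e:94:28:03:56
vlan:          3
ip:            192.168.42.30
port:          128
iconns:        0
oconns:        3946878
ibytes:        4.50M
obytes:        13.5M
total-bytes:   18.0M
first-seen:    01-06,09:23:07
last-seen:     08:25:20
last-seen-ago: 42s
"""

_MULT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_SIZE = re.compile(r"([0-9]+(?:\.[0-9]+)?)([KMG]?)")


def parse_size(text: str) -> int:
    """'224K' -> 224000, '4.50M' -> 4500000 (decimal multipliers assumed)."""
    m = _SIZE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unparseable size: {text!r}")
    return int(round(float(m.group(1)) * _MULT[m.group(2)]))


def parse_records(output: str) -> List[Dict[str, object]]:
    """Split 'key: value' lines into one dict per record.
    A new record starts at each 'switch:' line; lines without a colon
    (the command echo) are ignored."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "switch":
            current = {}
            records.append(current)
        current[key] = value          # 'mac' and 'last-seen' keep their inner colons
    for rec in records:
        for key in ("count", "vlan", "port", "iconns", "oconns"):
            rec[key] = int(str(rec[key]))
        for key in ("ibytes", "obytes", "total-bytes"):
            rec[key] = parse_size(str(rec[key]))
    return records


def flag_fan_out(records: List[Dict[str, object]],
                 max_oconns: int = 100_000, ratio: int = 10) -> List[str]:
    """IPs that opened far more outbound connections than they accepted.
    Millions of outbound connections with none inbound is a pattern worth
    investigating: scanning, a broken retry loop, or a load generator."""
    return [str(rec["ip"]) for rec in records
            if int(str(rec["oconns"])) > max_oconns
            and int(str(rec["oconns"])) > ratio * max(int(str(rec["iconns"])), 1)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records; suspicious fan-out: {flag_fan_out(recs)}")
```

The threshold values are placeholders: set max_oconns from the baseline your own fabric produces over a normal collection interval, and feed the flagged IPs into whatever alerting the SOC already runs rather than acting on a single snapshot.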

The latency (us) column displays the running latency measurement for the TCP connection in microseconds. It indicates the end-to-end Round-Trip Time (RTT) between the TCP/IP session client and server and includes the protocol stack processing on the connected hosts and all intermediate network hops.

To display connection latency, use the connection-latency-show command:

CLI network-admin@Leaf1 > connection-latency-show
switch   min    max    num-conns percent avg-dur obytes ibytes total-bytes
-------- ------ ------ --------- ------- ------- ------ ------ -----------
switch-v 0.00ns 20.0us 67.5K     76%     17.12m  32.9K  18.0K  51.0K
switch-v 20.0us 40.0us 2.74K     3%      1.64h   8.77M  123M   132M
switch-v 40.0us 60.0us 10.4K     11%     1.40h   22.0M  403M   425M
switch-v 60.0us 80.0us 1.85K     2%      1.10h   8.16M  127M   135M
switch-v 80.0us 100us  901       1%      1.02h   3.39M  53.5M  56.9M
switch-v 100us  120us  1.35K     1%      1.23h   5.49M  126M   132M
switch-v 120us  140us  801       0%      1.06h   5.67M  39.2M  44.9M
switch-v 140us  160us  545       0%      1.19h   1.88M  29.4M  31.3M
switch-v 160us  180us  1.08K     1%      1.21h   5.04M  82.8M  87.8M
switch-v 180us  200us  583       0%      56.77m  5.15M  72.7M  77.8M
switch-v 200us         729       0%      48.51m  2.57G  184M   2.75G