Inline Services for Virtual Wire
The Inline Service feature manages service chains for Layer 1 Virtual Wire switches. The term Inline Services refers to services attached to a Layer 1 Virtual Wire switch, such as a Next-Generation Firewall (NGFW), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), or Distributed Denial of Service (DDoS) attack prevention.
When an Inline Service fails, a policy determines whether traffic is allowed to bypass the Inline Service or is blocked until the Inline Service recovers.
Security services such as NGFW, IDS, IPS, and DDoS prevention are important for any network deployment, and Inline Services provide continuous monitoring of the network for improved security. An inline security service can fail due to power failure, maintenance, or other reasons. An Inline Service failure has the potential to affect the flow of traffic in the network, potentially bringing the network down, so the services on the network must be monitored continuously.
To safeguard against such failures, the Inline Service feature provides a way to steer traffic around the failed Inline Service so that traffic is not impacted. Note that for the duration of the failure, the network is not protected by the service that the failed Inline Service provided.
Inline Service failure and recovery are detected from the link state, UP or DOWN, of the ports between the Layer 1 Virtual Wire switch and the Inline Service.
However, a device connected to the switch can fail without the port changing its link state to UP or DOWN. In such cases, Netvisor relies on a heartbeat: a probe in the form of a pre-defined packet sent to the attached device.
Figure 2: Example of Inline Services
You configure the order of the Inline Services using the port-association-service-* commands.
If an Inline Service is configured with the parameter fail-open, Netvisor continues to send traffic through the chain and skips any Inline Service that has failed.
For example, if you configure Inline Services with the chain 1->2->3->4->5, and the Inline Service 3 fails, the new chain is 1->2->4->5.
If an Inline Service is configured with the parameter fail-closed and any Inline Service fails, network traffic is blocked. For example, if you configure the chain 1->2->3->4->5 and an Inline Service such as 2, 3, or 4 fails, network traffic does not flow through the chain; traffic stops.
Configuring Heartbeat Service
Netvisor generates the heartbeat packet from the CPU and sends it to the receive port of the Inline Service. The vFlow that Netvisor configures for snooping the response is not port-specific: Netvisor accepts the response on either the receive port or the transmit port. You configure the heartbeat as an additional parameter of a specific Inline Service.
For example, to create a heartbeat detection service named FW_probe, use the following syntax:
(CLI network-admin@Spine1)>service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type normal payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00
 
In this example, you define the frequency of the heartbeats as well as the number of missed probes after which Netvisor declares the service that uses this heartbeat down.
To add the Heartbeat Service to the Inline Services FW1 and FW2, use the following syntax:
(CLI network-admin@Spine1)>inline-service-create name FW1 tx-port 11 rx-port 11 heartbeat FW_probe
(CLI network-admin@Spine1)>inline-service-create name FW2 tx-port 9 rx-port 10 heartbeat FW_probe
 
Netvisor counts the missed heartbeats separately for FW1 and FW2.
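The following is an added example, not Netvisor code, that models the two behaviours described on this page: each Inline Service keeps its own missed-probe counter (assumed here to declare the service down once retry consecutive probes go unanswered), and the chain is resolved with fail-open skipping the failed service and fail-closed blocking traffic. The service names and orders are taken from the IPS/DDoS/NGWF configuration example later on this page; the class and function names are this example's own.

```python
from typing import List, Optional


class InlineService:
    """One service in the chain, with its own missed-heartbeat counter."""

    def __init__(self, name: str, order: int, policy: str, retry: int):
        if policy not in ("fail-open", "fail-closed"):
            raise ValueError(f"unknown policy-action {policy!r}")
        self.name, self.order, self.policy, self.retry = name, order, policy, retry
        self.missed = 0  # consecutive unanswered probes, counted for this service only

    def probe(self, answered: bool) -> bool:
        """Record one heartbeat result and return whether the service is up."""
        self.missed = 0 if answered else self.missed + 1
        return self.is_up

    @property
    def is_up(self) -> bool:
        # Assumption: the service is declared down once `retry` consecutive
        # probes go unanswered; one answered probe resets the counter.
        return self.missed < self.retry


def resolve_chain(services: List[InlineService]) -> Optional[List[str]]:
    """Return the effective chain in `order` sequence, or None when traffic is blocked.

    A failed fail-open service is skipped; a failed fail-closed service
    blocks the whole chain.
    """
    chain = []
    for svc in sorted(services, key=lambda s: s.order):
        if svc.is_up:
            chain.append(svc.name)
        elif svc.policy == "fail-closed":
            return None
    return chain


if __name__ == "__main__":
    ips = InlineService("IPS", 2, "fail-open", 3)
    ddos = InlineService("DDoS", 3, "fail-open", 3)
    ngfw = InlineService("NGWF", 4, "fail-closed", 3)
    for _ in range(3):
        ddos.probe(False)          # three misses: DDoS is down, IPS is unaffected
    print(resolve_chain([ngfw, ips, ddos]))  # DDoS skipped, traffic still flows
```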
 
Configuring the Payload
Specify the payload as the packet from the EtherType onward (the destination and source MAC addresses are supplied by the dst-mac and src-mac parameters), excluding the CRC at the end. For example, an ARP packet has this format:
Packet (including CRC):
 
0: ffff ffff ffff 0011 0100 0001 0806 0001 ................
16: 0800 0604 0001 0011 0100 0001 0101 0101 ................
32: 0000 0000 0000 0101 0102 0000 0000 0000 ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b ............!`.k
 
A heartbeat service, HB4_arp, for this ARP packet has the following syntax:
(CLI network-admin@Spine1)>service-heartbeat-create name HB4_arp interval 1s retry 10 vlan 1 src-mac 00:11:01:00:00:01 dst-mac ff:ff:ff:ff:ff:ff payload "0806 0001 0800 0604 0001 0011 0100 0001 0101 0101 0000 0000 0000 0101 0102 0000 0000 0000 0000 0000 0000 0000"
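As an added example (not Netvisor code), the following Python converts a captured frame such as the hex dump above into the separate dst-mac, src-mac and payload arguments that service-heartbeat-create expects, and decodes the ARP fields of the payload so you can check what the probe actually asks before installing it. The hex dump is embedded as constructed input; the function names are this example's own.

```python
import itertools
import re
import struct

# Constructed input: the 64-byte ARP frame from the hex dump above, CRC included.
ARP_FRAME_DUMP = """
0: ffff ffff ffff 0011 0100 0001 0806 0001 ................
16: 0800 0604 0001 0011 0100 0001 0101 0101 ................
32: 0000 0000 0000 0101 0102 0000 0000 0000 ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b ............!`.k
"""
HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset: word word ... ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, rest = line.split(":", 1)
        # keep the 4-digit hex words and stop at the ASCII column
        out += bytes.fromhex("".join(itertools.takewhile(HEX_WORD.match, rest.split())))
    return bytes(out)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def heartbeat_args(frame: bytes, has_crc: bool = True) -> dict:
    """Split a frame into the dst-mac, src-mac and payload arguments of
    service-heartbeat-create: the payload starts at the EtherType, CRC dropped."""
    if has_crc:
        frame = frame[:-4]
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    body = frame[12:]
    payload = " ".join(body[i:i + 2].hex() for i in range(0, len(body), 2))
    return {"dst-mac": mac_str(frame[:6]), "src-mac": mac_str(frame[6:12]), "payload": payload}


def decode_arp(payload: str) -> dict:
    """Decode the ARP header inside a heartbeat payload (EtherType 0806)."""
    data = bytes.fromhex(payload.replace(" ", ""))
    if data[:2] != b"\x08\x06" or len(data) < 30:
        raise ValueError("payload is not a complete ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", data[2:10])
    ip = lambda b: ".".join(str(x) for x in b)
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "operation": oper,
            "sender_mac": mac_str(data[10:16]), "sender_ip": ip(data[16:20]),
            "target_mac": mac_str(data[20:26]), "target_ip": ip(data[26:30])}
```

Running heartbeat_args(parse_hexdump(ARP_FRAME_DUMP)) yields the dst-mac, src-mac and payload values used in the HB4_arp command above, with the trailing padding words included.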
 
When you create the Heartbeat Service, Netvisor installs a specific vFlow in the vFlow table.
Netvisor verifies the functionality of the Inline Service using one of two methods: 1) a normal heartbeat, or 2) a pass-through heartbeat. You select the method with the parameter type. With type normal, the heartbeat is request-response: the Inline Service itself answers the heartbeat. With type pass-through, Netvisor sends the packet through the Inline Service and expects it to return to the switch through the service.
Configuring Inline Services with a Heartbeat Service
To configure the example topology displayed in Figure 2, Example of Inline Services, use the following steps:
1. Configure the North-South port association using the following syntax:
(CLI network-admin@Spine1)>port-association-create name NorthToSouth master-ports 1 slave-ports 8 virtual-wire no-bidir
 
2. Define and configure the Heartbeat Service parameters:
 
(CLI network-admin@Spine1)>service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type passthrough payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00
 
3. Configure the Inline Services chain:
 
(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service IPS order 2 policy-action fail-open
(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service DDoS order 3 policy-action fail-open
(CLI network-admin@Spine1)>port-association-service-add port-association-name NorthToSouth inline-service NGWF order 4 policy-action fail-closed
 
Netvisor uses new commands to configure Heartbeat Services:
(CLI network-admin@Spine1)>service-heartbeat-create
 
name name-string
Specify a name for the Heartbeat Service.
interval duration: #d#h#m#s
Specify the interval between heartbeat packets.
retry retry-number
Specify the number of times to retry sending a packet.
vlan vlan-id
Specify a VLAN ID.
src-mac mac-address
Specify the source MAC address of the heartbeat packet.
dst-mac mac-address
Specify the destination MAC address.
type normal|pass-through
Specify the type of heartbeat response as normal or pass-through. A normal response indicates that the Inline Service itself sends the response. A pass-through response indicates that Netvisor sends the packet through the Inline Service and expects it to return to the switch through the service.
payload payload-string
Specify the payload for the heartbeat packet.
 
(CLI network-admin@Spine1)>service-heartbeat-delete
 
name name-string
Specify a name for the Heartbeat Service.
 
(CLI network-admin@Spine1)>service-heartbeat-modify
 
name name-string
Specify a name for the Heartbeat Service.
interval duration: #d#h#m#s
Specify the interval between heartbeat packets.
retry retry-number
Specify the number of times to retry sending a packet.
 
(CLI network-admin@Spine1)>service-heartbeat-show
 
name name-string
Displays the name for the Heartbeat Service.
interval duration: #d#h#m#s
Displays the interval between heartbeat packets.
retry retry-number
Displays the number of times to retry sending a packet.
vlan vlan-id
Displays a VLAN ID.
src-mac mac-address
Displays the source MAC address of the heartbeat packet.
dst-mac mac-address
Displays the destination MAC address.
type normal|pass-through
Displays the type of heartbeat response as normal or pass-through. A normal response indicates that the Inline Service itself sends the response. A pass-through response indicates that Netvisor sends the packet through the Inline Service and expects it to return to the switch through the service.
payload payload-string
Displays the payload for the heartbeat packet.
 
Configuring Service Chains
A service chain is configured using port-association-service-* commands. The services in the chain are managed using inline-service-* commands.
Inline Services are configured using the following commands:
(CLI network-admin@Spine1)>port-association-service-add
 
port-association-name name-string
Specify the name of the port association to apply the service.
switch name-string
Specify the switch name where the service is located.
inline-service inline-service-name
Specify the name of the Inline Service.
order number
Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.
policy-action fail-open|fail-closed
Specify a policy action when the service fails on the network.
(CLI network-admin@Spine1)>port-association-service-modify
 
port-association-name name-string
Specify the name of the port association to apply the service.
switch name-string
Specify the switch name where the service is located.
inline-service inline-service-name
Specify the name of the Inline Service.
order number
Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.
policy-action fail-open|fail-closed
Specify a policy action when the service fails on the network.
 
(CLI network-admin@Spine1)>port-association-service-remove
 
port-association-name name-string
Specify the name of the port association to apply the service.
switch name-string
Specify the switch name where the service is located.
inline-service inline-service-name
Specify the name of the Inline Service.
 
(CLI network-admin@Spine1)>port-association-service-show
 
port-association-name name-string
Displays the name of the port association to apply the service.
switch name-string
Displays the switch name where the service is located.
inline-service inline-service-name
Displays the name of the Inline Service.
order number
Displays the number that designates the order of the service in the chain. This is a value between 1 and 65535.
policy-action fail-open|fail-closed
Displays a policy action when the service fails on the network.
 
(CLI network-admin@Spine1)>inline-service-create
 
name name-string
Specify a name for the Inline Service.
tx-port port-list
Specify the transmit port for the Inline Service.
rx-port port-list
Specify the receive port for the Inline Service.
 
(CLI network-admin@Spine1)>inline-service-delete
 
name name-string
Specify a name for the Inline Service.
 
(CLI network-admin@Spine1)>inline-service-show
 
name name-string
Displays the name of the Inline Service.
tx-port port-list
Displays the transmit port for the Inline Service.
rx-port port-list
Displays the receive port for the Inline Service.