Inline Services for VirtualWire


The Inline Service feature manages service chains for Layer 1 VirtualWire switches. The term, Inline Services, refers to services attached to a Layer 1 VirtualWire switch such as Next-Generation Firewall (NGFW), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Distributed Denial of Service attack (DDoS) Prevention.


When an Inline Service fails, a policy determines whether traffic is allowed to bypass the failed Inline Service or whether traffic is blocked until the Inline Service recovers.


Security services such as NGFW, IDS, IPS, and DDoS prevention are important for any network deployment, and Inline Services provide continuous monitoring of the network for improved security. An Inline Service can fail because of a power failure, maintenance, or other reasons, and such a failure has the potential to affect the flow of traffic in the network, potentially bringing the network down. For this reason the services on the network themselves require continuous monitoring.


To safeguard against such failures, the Inline Service feature provides a way to steer traffic around the failed Inline Service so traffic is not impacted. During a failure, the network is not protected by the service provided by the Inline Service.


Inline Service failure and recovery are detected from the port link states, UP and DOWN, on the ports between the Layer 1 VirtualWire switch and the Inline Service.


However, a device connected to the switch can fail without the port changing its link state to UP or DOWN. In such cases, Netvisor One relies on a heartbeat: a probe in the form of a pre-defined packet sent to the attached device.



Figure 1 - Example of Inline Services


You configure the order of the Inline Services using the port-association-service-* commands.


If an Inline Service is configured with the policy action fail-open, Netvisor One continues to forward traffic and skips any Inline Service that has failed on the network.


For example, if you configure Inline Services with the chain 1->2->3->4->5, and the Inline Service 3 fails, the new chain is 1->2->4->5.


If an Inline Service is configured with the policy action fail-closed and that Inline Service fails, network traffic is blocked.


For example, if you configure the chain 1->2->3->4->5, and any Inline Service such as 2, 3, or 4 fails, network traffic does not flow through the chain, and network traffic flow stops.


Configuring Heartbeat Service


Netvisor One generates the heartbeat packet from the CPU and sends it to the receive port of the Inline Service. The vFlow that Netvisor One installs to snoop for the response is not port-specific: Netvisor One accepts the response on either the receive port or the transmit port. You configure the heartbeat as an additional parameter of a specific Inline Service.


For example, to create a heartbeat detection service named FW_probe, use the following syntax:


CLI (network-admin@Spine1) > service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type normal payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00


In this example, you define the frequency of the heartbeats (interval) as well as the number of missed probes (retry) after which Netvisor One declares a service using this heartbeat down.


To attach the Heartbeat Service to the Inline Services FW1 and FW2, use the following syntax:


CLI (network-admin@Spine1) > inline-service-create name FW1 tx-port 11 rx-port 11 heartbeat FW_probe


CLI (network-admin@Spine1) > inline-service-create name FW2 tx-port 9 rx-port 10 heartbeat FW_probe


Netvisor One counts the missed heartbeats separately for FW1 and FW2, even though both reference the same Heartbeat Service.
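The fail-open/fail-closed behaviour described above and the per-service heartbeat counting can be modelled in a few lines. The following Python is an added example, not Netvisor One code: it assumes (as the page does not state) that missed probes are counted consecutively and that the counter resets on the first answered probe, and it treats a port link DOWN and a heartbeat timeout as equivalent ways of marking a service failed. The 1->2->3->4->5 chain from the text is built with service 3 failing under each policy, and two monitors sharing one heartbeat definition keep separate counters, as FW1 and FW2 do.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HeartbeatMonitor:
    """Per-service probe bookkeeping, mirroring the interval/retry parameters of
    service-heartbeat-create. ASSUMPTION (not stated on the page): misses are
    counted consecutively and the counter resets on the first answered probe."""
    retry: int          # missed probes tolerated before the service is declared down
    missed: int = 0     # consecutive unanswered probes so far
    up: bool = True

    def probe(self, answered: bool) -> bool:
        """Record one heartbeat result and return the resulting up/down state."""
        if answered:
            self.missed = 0
            self.up = True
        else:
            self.missed += 1
            if self.missed >= self.retry:
                self.up = False
        return self.up


@dataclass
class InlineService:
    name: str
    order: int                # position in the chain (port-association-service-add order)
    policy_action: str        # "fail-open" or "fail-closed"
    monitor: HeartbeatMonitor
    link_up: bool = True      # port link state between the switch and the service

    @property
    def healthy(self) -> bool:
        # Either detection method (link state or heartbeat) can mark the service down.
        return self.link_up and self.monitor.up


def resolve_chain(services: List[InlineService]) -> Optional[List[str]]:
    """Return the effective chain as a list of service names, or None when traffic
    is blocked. A failed fail-open service is skipped; a failed fail-closed service
    stops all traffic, wherever it sits in the chain."""
    chain = []
    for svc in sorted(services, key=lambda s: s.order):
        if svc.healthy:
            chain.append(svc.name)
        elif svc.policy_action == "fail-closed":
            return None
        elif svc.policy_action != "fail-open":
            raise ValueError(f"unknown policy-action {svc.policy_action!r} on {svc.name}")
    return chain


def format_chain(chain: Optional[List[str]]) -> str:
    """Render the chain the way the text does: '1->2->4->5', or 'BLOCKED'."""
    return "BLOCKED" if chain is None else "->".join(chain)


def example_scenario(policy_for_3: str) -> Optional[List[str]]:
    """Build the 1->2->3->4->5 chain from the text, every service on a retry=3
    heartbeat, then let service 3 miss three probes in a row."""
    services = [
        InlineService(str(i), i, "fail-open" if i != 3 else policy_for_3,
                      HeartbeatMonitor(retry=3))
        for i in range(1, 6)
    ]
    svc3 = services[2]
    for _ in range(3):
        svc3.monitor.probe(answered=False)
    return resolve_chain(services)


if __name__ == "__main__":
    print("service 3 fail-open:  ", format_chain(example_scenario("fail-open")))
    print("service 3 fail-closed:", format_chain(example_scenario("fail-closed")))
    # Two services referencing the same heartbeat definition keep separate counters.
    fw1, fw2 = HeartbeatMonitor(retry=3), HeartbeatMonitor(retry=3)
    for _ in range(2):
        fw1.probe(answered=False)
    print(f"FW1 missed={fw1.missed} up={fw1.up}; FW2 missed={fw2.missed} up={fw2.up}")
```

Note that with a fail-closed service anywhere in the chain, one failure stops all traffic, which is the trade-off the text describes: fail-open keeps traffic flowing but leaves it uninspected by the failed service, fail-closed keeps the inspection guarantee at the cost of availability.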


Configuring the Payload


Specify the payload as the packet contents starting at the Ethertype (the MAC addresses are supplied by src-mac and dst-mac), excluding the CRC at the end. For example, an ARP packet uses this format:


Packet (including CRC):

0:  ffff ffff ffff 0011 0100 0001 0806 0001    ................
16: 0800 0604 0001 0011 0100 0001 0101 0101    ................
32: 0000 0000 0000 0101 0102 0000 0000 0000    ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b    ............!`.k


A Heartbeat Service, HB4_arp, for this ARP packet has the following syntax:


CLI (network-admin@Spine1) > service-heartbeat-create name HB4_arp interval 1s retry 10 vlan 1 src-mac 00:11:01:00:00:01 dst-mac ff:ff:ff:ff:ff:ff payload "0806 0001 0800 0604 0001 0011 0100 0001 0101 0101 0000 0000 0000 0101 0102 0000 0000 0000 0000 0000 0000 0000"
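Deriving the payload string by hand from a capture is error-prone, so the following Python is an added example (not Netvisor One code) that does it mechanically: it parses the hex dump above, splits off the destination and source MAC addresses, takes everything from the Ethertype up to the 4-byte CRC as the payload, recomputes the Ethernet FCS (CRC-32, little-endian on the wire) to flag a mangled capture, decodes the ARP fields so the probe's addresses can be sanity-checked, and assembles the service-heartbeat-create line. The frame dump is a constructed copy of the one on the page; the command-building function is a hypothetical helper that mirrors the syntax shown above.

```python
import struct
import zlib

# Constructed copy of the ARP frame dump shown above (64 bytes, CRC included),
# without the ASCII column.
ARP_FRAME_DUMP = """\
0:  ffff ffff ffff 0011 0100 0001 0806 0001
16: 0800 0604 0001 0011 0100 0001 0101 0101
32: 0000 0000 0000 0101 0102 0000 0000 0000
48: 0000 0000 0000 0000 0000 0000 2160 cc6b
"""


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines into raw bytes, checking each offset."""
    frame = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_text, _, words = line.partition(":")
        if int(offset_text) != len(frame):
            raise ValueError(f"offset {offset_text.strip()} does not match {len(frame)} bytes read")
        frame += bytes.fromhex(words.replace(" ", ""))
    return bytes(frame)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def heartbeat_fields(frame: bytes) -> dict:
    """Split a captured frame into what service-heartbeat-create needs: dst-mac,
    src-mac and the payload from the Ethertype up to, but excluding, the 4-byte
    CRC. The FCS is recomputed so a damaged capture is noticed before use."""
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for an Ethernet header plus CRC")
    body, crc_on_wire = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    payload = body[12:]
    return {
        "dst-mac": mac_str(body[0:6]),
        "src-mac": mac_str(body[6:12]),
        "ethertype": struct.unpack("!H", payload[:2])[0],
        "payload": " ".join(payload[i:i + 2].hex() for i in range(0, len(payload), 2)),
        "fcs_ok": (zlib.crc32(body) & 0xFFFFFFFF) == crc_on_wire,
    }


def decode_arp(payload: bytes) -> dict:
    """Decode the ARP header that follows the Ethertype (RFC 826 layout)."""
    if struct.unpack("!H", payload[:2])[0] != 0x0806:
        raise ValueError("payload does not start with the ARP Ethertype 0x0806")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[2:10])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP header")
    sha, spa, tha, tpa = payload[10:16], payload[16:20], payload[20:26], payload[26:30]
    return {
        "opcode": "request" if oper == 1 else "reply" if oper == 2 else str(oper),
        "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
        "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa)),
    }


def heartbeat_command(name: str, interval: str, retry: int, vlan: int, fields: dict) -> str:
    """Hypothetical helper: assemble the service-heartbeat-create line in the form
    shown on the page from the fields extracted by heartbeat_fields()."""
    return (f"service-heartbeat-create name {name} interval {interval} retry {retry} "
            f"vlan {vlan} src-mac {fields['src-mac']} dst-mac {fields['dst-mac']} "
            f"payload \"{fields['payload']}\"")


if __name__ == "__main__":
    frame = parse_hex_dump(ARP_FRAME_DUMP)
    fields = heartbeat_fields(frame)
    print(decode_arp(frame[12:-4]))
    print("FCS matches:", fields["fcs_ok"])
    print(heartbeat_command("HB4_arp", "1s", 10, 1, fields))
```

The full dump yields 24 16-bit words between the Ethertype and the CRC (a 60-byte frame minus the 12-byte MAC header), whereas the command on the page lists 22; the difference is trailing zero padding, and the ARP header itself ends after the target IP 1.1.1.2.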


When you create the Heartbeat Service, Netvisor One installs a specific vFlow in the vFlow table.


Netvisor One verifies the functionality of an Inline Service using one of two heartbeat types: 1) a normal heartbeat, and 2) a pass-through heartbeat. You select between them with the parameter, type. A normal heartbeat is a request-response probe: the Inline Service itself answers the heartbeat packet. With a pass-through heartbeat, Netvisor One sends the packet through the service and expects the service to return it to the switch.

 

Configuring Inline Services with a Heartbeat Service


To configure the example topology displayed in Figure 1 (Example of Inline Services), use the following steps:


1) Configure the North-South port association using the following syntax:


CLI (network-admin@Spine1) > port-association-create name NorthToSouth master-ports 1 slave-ports 8 virtual-wire no-bidir

 

2) Define and configure the Heartbeat Service parameters:

 

CLI (network-admin@Spine1) > service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type pass-through payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00

 

3) Configure the Inline Services chain:

 

CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service IPS order 2 policy-action fail-open


CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service DDoS order 3 policy-action fail-open


CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service NGWF order 4 policy-action fail-closed


 

Netvisor One uses new commands to configure Heartbeat Services:

 

CLI (network-admin@Spine1) > service-heartbeat-create


name name-string

Specify a name for the Heartbeat Service.

interval duration: #d#h#m#s

Specify the interval between heartbeat packets.

retry retry-number

Specify the number of times to retry sending a packet.

vlan vlan-id

Specify a VLAN ID.

src-mac mac-address

Specify the source port MAC address.

dst-mac mac-address 

Specify the destination MAC address.

type normal|pass-through

Specify the type of heartbeat response as normal or pass-through. A normal response indicates that the Inline Service sends the response. A pass-through response indicates that Netvisor One sends the response and returns it to the Inline Service.

payload payload-string

Specify the payload for the heartbeat packet.

 

CLI (network-admin@Spine1) > service-heartbeat-delete

 

name name-string

Specify a name for the Heartbeat Service.

 

CLI (network-admin@Spine1) > service-heartbeat-modify


name name-string

Specify a name for the Heartbeat Service.

interval duration: #d#h#m#s

Specify the interval between heartbeat packets.

retry retry-number

Specify the number of times to retry sending a packet.

 

CLI (network-admin@Spine1) > service-heartbeat-show


name name-string

Displays the name for the Heartbeat Service.

interval duration: #d#h#m#s

Displays the interval between heartbeat packets.

retry retry-number

Displays the number of times to retry sending a packet.

vlan vlan-id

Displays a VLAN ID.

src-mac mac-address

Displays the source port MAC address.

dst-mac mac-address 

Displays the destination MAC address.

type normal|pass-through

Displays the type of heartbeat response as normal or pass-through. A normal response indicates that the Inline Service sends the response. A pass-through response indicates that Netvisor One sends the response and returns it to the Inline Service.

payload payload-string

Displays the payload for the heartbeat packet.

 

Configuring Service Chains

 

A service chain is configured using port-association-service-* commands. The services in the chain are managed using inline-service-* commands.


Inline Services are configured using the following commands:

 

CLI (network-admin@Spine1) > port-association-service-add

 

port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

order number

Specify a number to designate the order of the service. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Specify a policy action when the service fails on the network.

 

CLI (network-admin@Spine1) > port-association-service-modify


port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

order number

Specify a number to designate the order of the service. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Specify a policy action when the service fails on the network.

 

CLI (network-admin@Spine1) > port-association-service-remove


port-association-name name-string

Specify the name of the port association to apply the service.

switch name-string

Specify the switch name where the service is located.

inline-service inline-service-name

Specify the name of the Inline Service.

 

CLI (network-admin@Spine1) > port-association-service-show


port-association-name name-string

Displays the name of the port association to apply the service.

switch name-string

Displays the switch name where the service is located.

inline-service inline-service-name

Displays the name of the Inline Service.

order number

Displays the number that designates the order of the service. This is a value between 1 and 65535.

policy-action fail-open|fail-closed

Displays a policy action when the service fails on the network.

 

CLI (network-admin@Spine1) > inline-service-create

 

name name-string

Specify a name for the Inline Service.

tx-port port-list

Specify the transmit port for the Inline Service.

rx-port port-list

Specify the receive port for the Inline Service.

 

CLI (network-admin@Spine1) > inline-service-delete


name name-string

Specify a name for the Inline Service.

 

CLI (network-admin@Spine1) > inline-service-show


name name-string

Displays the name of the Inline Service.

tx-port port-list

Displays the transmit port for the Inline Service.

rx-port port-list

Displays the receive port for the Inline Service.