Configuring the Inline Services for VirtualWire™
The Inline Service feature manages service chains for Layer 1 VirtualWire switches. The term, Inline Services, refers to services attached to a Layer 1 VirtualWire switch such as Next-Generation Firewall (NGFW), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Distributed Denial of Service attack (DDoS) Prevention.
When an Inline Service fails, a policy determines whether traffic is allowed to bypass the failed Inline Service or is blocked until the Inline Service recovers.
Security services such as NGFW, IDS, IPS, and DDoS prevention are important in any network deployment, and they must run continuously to protect the network. An Inline Service can fail because of a power failure, maintenance, or other reasons, and such a failure can affect the flow of traffic through the network, potentially bringing the network down. Inline Services therefore require continuous monitoring.
To safeguard against such failures, the Inline Service feature provides a way to steer traffic around the failed Inline Service so traffic is not impacted. During a failure, the network is not protected by the service provided by the Inline Service.
Netvisor One detects Inline Service failure and recovery from the link state, UP or DOWN, of the ports between the Layer 1 VirtualWire switch and the Inline Service.
However, a device connected to the switch can fail without the port changing its link state. For such cases, Netvisor One relies on a heartbeat: a probe, in the form of a pre-defined packet, sent to the attached device.
Figure 1-13 - Example of Inline Services
You configure the order of the Inline Services using the port-association-service-* commands.
If an Inline Service is configured with the parameter, fail-open, Netvisor One continues to send traffic and skips any Inline Service that has failed.
For example, if you configure Inline Services with the chain 1->2->3->4->5, and the Inline Service 3 fails, the new chain is 1->2->4->5.
If an Inline Service is configured with the parameter, fail-closed, and that Inline Service fails, network traffic is blocked.
For example, if you configure the chain 1->2->3->4->5 with fail-closed, and any Inline Service such as 2, 3, or 4 fails, network traffic no longer flows through the chain and stops.
Configuring Heartbeat Service
Netvisor One generates the heartbeat packet from the CPU and sends it to the receive port of the Inline Service. The vFlow that Netvisor One installs to snoop for the response is not port-specific, so Netvisor One accepts the response from either the receive port or the transmit port. You configure the heartbeat as an additional parameter of a specific Inline Service.
For example, to create a heartbeat detection service named FW_probe, use the following syntax:
CLI (network-admin@Spine1) > service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type normal payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00
In this example, you define the interval between heartbeats as well as the number of missed probes after which Netvisor One declares a service using this heartbeat down.
To attach the Heartbeat Service to the Inline Services FW1 and FW2, use the following syntax:
CLI (network-admin@Spine1) > inline-service-create name FW1 tx-port 11 rx-port 11 heartbeat FW_probe
CLI (network-admin@Spine1) > inline-service-create name FW2 tx-port 9 rx-port 10 heartbeat FW_probe
Netvisor One counts missed heartbeats separately for FW1 and FW2.
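The two behaviours described above, the fail-open/fail-closed chain policy and the per-service miss counter driven by the heartbeat interval and retry values, are easy to get wrong when reasoning about an outage. The following Python model is an added example, not code from the Netvisor One product or its documentation. It assumes that a service is declared down once more than `retry` consecutive probes go unanswered (the original send plus `retry` retries), that a single answered probe resets the counter, and that a port link going DOWN marks the service failed immediately; the service names, orders and policies are taken from this page's examples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HeartbeatPolicy:
    """Mirrors the service-heartbeat-create interval and retry parameters."""
    name: str
    interval_s: int
    retry: int


@dataclass
class InlineService:
    """One member of a service chain, as added by port-association-service-add."""
    name: str
    order: int
    policy_action: str            # "fail-open" or "fail-closed"
    heartbeat: HeartbeatPolicy
    missed: int = 0               # consecutive missed probes, counted per service
    link_up: bool = True          # link state of the port towards the service

    @property
    def is_up(self) -> bool:
        # Assumption: failed when the link is down or when more than `retry`
        # consecutive probes were missed (first send plus `retry` retries).
        return self.link_up and self.missed <= self.heartbeat.retry


def record_probe(svc: InlineService, answered: bool) -> bool:
    """Update the per-service miss counter after one probe; return the new up/down state."""
    svc.missed = 0 if answered else svc.missed + 1
    return svc.is_up


def effective_chain(chain: List[InlineService]) -> Optional[List[str]]:
    """Return the service names traffic traverses in order, or None if traffic is blocked.

    fail-open: a failed service is skipped and the rest of the chain still runs.
    fail-closed: a failed service blocks all traffic through the chain.
    """
    path: List[str] = []
    for svc in sorted(chain, key=lambda s: s.order):
        if svc.is_up:
            path.append(svc.name)
        elif svc.policy_action == "fail-open":
            continue
        elif svc.policy_action == "fail-closed":
            return None
        else:
            raise ValueError(f"unknown policy-action {svc.policy_action!r}")
    return path


def demo() -> Dict[str, object]:
    """Walk through an IPS outage and an NGFW link failure; constructed scenario."""
    probe = HeartbeatPolicy("FW_probe", interval_s=5, retry=3)
    chain = [
        InlineService("IPS", 2, "fail-open", probe),
        InlineService("DDoS", 3, "fail-open", probe),
        InlineService("NGFW", 4, "fail-closed", probe),
    ]
    results: Dict[str, object] = {"initial": effective_chain(chain)}

    ips, ngfw = chain[0], chain[2]
    # Three unanswered probes stay within the retry budget: IPS is still up.
    for _ in range(3):
        record_probe(ips, answered=False)
    results["ips_after_3_misses"] = ips.is_up
    # The fourth miss exceeds retry 3: IPS is down and, being fail-open, is skipped.
    record_probe(ips, answered=False)
    results["ips_after_4_misses"] = ips.is_up
    results["ips_down"] = effective_chain(chain)   # DDoS, sharing the same probe, is unaffected
    # One answered probe resets the counter and restores the full chain.
    record_probe(ips, answered=True)
    results["ips_recovered"] = effective_chain(chain)
    # NGFW link goes DOWN: fail-closed blocks everything even though IPS and DDoS are healthy.
    ngfw.link_up = False
    results["ngfw_down"] = effective_chain(chain)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the operational trade-off visible: a fail-open service that loses its heartbeat is silently removed from the path, so traffic is no longer inspected by it, whereas a fail-closed service turns its own outage into a network outage. Alerting on the miss counter before it reaches the retry threshold gives operators warning in both cases.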
Configuring the Payload
Specify the payload as the packet starting at its Ethertype and excluding the CRC at the end. For example, an ARP packet has this format:
Payload (including CRC):
0: ffff ffff ffff 0011 0100 0001 0806 0001 ................
16: 0800 0604 0001 0011 0100 0001 0101 0101 ................
32: 0000 0000 0000 0101 0102 0000 0000 0000 ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b ............!`.k
A heartbeat service, HB4_arp, for this ARP packet has the following syntax:
CLI (network-admin@Spine1) > service-heartbeat-create name HB4_arp interval 1s retry 10 vlan 1 src-mac 00:11:01:00:00:01 dst-mac ff:ff:ff:ff:ff:ff payload "0806 0001 0800 0604 0001 0011 0100 0001 0101 0101 0000 0000 0000 0101 0102 0000 0000 0000 0000 0000 0000 0000"
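Deriving the payload string by hand from a frame dump is error-prone: the destination and source MACs go into their own parameters, the Ethertype starts the payload, and the 4-byte FCS at the end must be dropped. The following Python helper is an added example, not part of the Netvisor One documentation or product. It parses the ARP dump above (copied here as constructed input), splits it into the dst-mac, src-mac and payload parts the service-heartbeat-create command expects, and can also verify the FCS of a captured frame (CRC-32 over everything before it, transmitted little-endian). The helper keeps every padding byte up to the FCS in the payload; whether a shorter payload is accepted is an assumption this page does not settle, so the full padded form is produced.

```python
import re
import struct
import zlib
from typing import Dict

# Constructed copy of the ARP frame dump shown in the documentation (64 bytes incl. FCS).
ARP_DUMP = """
0: ffff ffff ffff 0011 0100 0001 0806 0001 ................
16: 0800 0604 0001 0011 0100 0001 0101 0101 ................
32: 0000 0000 0000 0101 0102 0000 0000 0000 ................
48: 0000 0000 0000 0000 0000 0000 2160 cc6b ............!`.k
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")


def parse_hex_dump(dump: str) -> bytes:
    """Turn an 'offset: xxxx xxxx ... ascii' dump into raw bytes.

    Only the 4-hex-digit words after the offset are decoded; the first token that is
    not such a word starts the ASCII gutter and ends the line.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        for tok in rest.split():
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def fcs_ok(frame: bytes) -> bool:
    """Check the trailing Ethernet FCS: CRC-32 of everything before it, little-endian."""
    if len(frame) < 5:
        return False
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def heartbeat_params(frame: bytes, has_fcs: bool = True) -> Dict[str, str]:
    """Split a frame into the parts service-heartbeat-create takes.

    dst-mac and src-mac come from the Ethernet header; the payload is everything from
    the Ethertype up to (not including) the FCS, written as space-separated 16-bit words.
    """
    if has_fcs:
        frame = frame[:-4]
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    if len(rest) % 2:            # pad so the payload can be written as whole words
        rest += b"\x00"
    words = [rest[i:i + 2].hex() for i in range(0, len(rest), 2)]
    return {
        "dst-mac": mac_str(dst),
        "src-mac": mac_str(src),
        "ethertype": rest[:2].hex(),
        "payload": " ".join(words),
    }


def demo() -> Dict[str, object]:
    frame = parse_hex_dump(ARP_DUMP)
    params = heartbeat_params(frame)
    return {
        "frame_len": len(frame),
        "fcs_ok": fcs_ok(frame),      # reported, not assumed, for the captured dump
        **params,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the FCS is checked against the frame bytes actually captured, the same helper will flag a dump that was copied incorrectly before it is turned into a heartbeat definition that the Inline Service would never answer.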
When you create the Heartbeat Service, Netvisor One installs a specific vFlow in the vFlow table.
Netvisor One verifies the functionality of the Inline Service using one of two heartbeat types: 1) a normal heartbeat, and 2) a pass-through heartbeat. You choose the type with the parameter, type. A normal heartbeat is request-response: the Inline Service itself answers the heartbeat. With a pass-through heartbeat, Netvisor One sends the packet and the Inline Service forwards it back to the switch.
Configuring Inline Services with a Heartbeat Service
To configure the example topology displayed in Figure 1-13, Example of Inline Services, use the following steps:
1) Configure the North-South port association using the following syntax:
CLI (network-admin@Spine1) > port-association-create name NorthToSouth master-ports 1 slave-ports 8 virtual-wire no-bidir
2) Define and configure the Heartbeat Service parameters:
CLI (network-admin@Spine1) > service-heartbeat-create name FW_probe interval 5s retry 3 vlan-id 10 src-mac 64:6e:11:1c:11:11 dst-mac 01:1b:11:01:01:01 type pass-through payload 54 63 82 ff 01 46 12 ce a2 d4 00 00 00 00 00 00 00 00
3) Configure the Inline Services chain:
CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service IPS order 2 policy-action fail-open
CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service DDoS order 3 policy-action fail-open
CLI (network-admin@Spine1) > port-association-service-add port-association-name NorthToSouth inline-service NGWF order 4 policy-action fail-closed
The following commands configure Heartbeat Services:
CLI (network-admin@Spine1) > service-heartbeat-create
name name-string | Specify a name for the Heartbeat Service.
interval duration: #d#h#m#s | Specify the interval between heartbeat packets.
retry retry-number | Specify the number of times to retry sending a packet.
vlan vlan-id | Specify a VLAN ID.
src-mac mac-address | Specify the source MAC address.
dst-mac mac-address | Specify the destination MAC address.
type normal|pass-through | Specify the type of heartbeat as normal or pass-through. With a normal heartbeat, the Inline Service sends the response. With a pass-through heartbeat, the Inline Service forwards the packet sent by Netvisor One back to the switch.
payload payload-string | Specify the payload for the heartbeat packet.
CLI (network-admin@Spine1) > service-heartbeat-delete
name name-string | Specify the name of the Heartbeat Service to delete.
CLI (network-admin@Spine1) > service-heartbeat-modify
name name-string | Specify the name of the Heartbeat Service to modify.
interval duration: #d#h#m#s | Specify the interval between heartbeat packets.
retry retry-number | Specify the number of times to retry sending a packet.
CLI (network-admin@Spine1) > service-heartbeat-show
name name-string | Displays the name of the Heartbeat Service.
interval duration: #d#h#m#s | Displays the interval between heartbeat packets.
retry retry-number | Displays the number of times to retry sending a packet.
vlan vlan-id | Displays the VLAN ID.
src-mac mac-address | Displays the source MAC address.
dst-mac mac-address | Displays the destination MAC address.
type normal|pass-through | Displays the type of heartbeat as normal or pass-through. With a normal heartbeat, the Inline Service sends the response. With a pass-through heartbeat, the Inline Service forwards the packet sent by Netvisor One back to the switch.
payload payload-string | Displays the payload for the heartbeat packet.
Configuring Service Chains
A service chain is configured using the port-association-service-* commands. The services in the chain are managed using the inline-service-* commands.
Service chains and Inline Services are configured using the following commands:
CLI (network-admin@Spine1) > port-association-service-add
port-association-name name-string | Specify the name of the port association to which the service is applied.
switch name-string | Specify the name of the switch where the service is located.
inline-service inline-service-name | Specify the name of the Inline Service.
order number | Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.
policy-action fail-open|fail-closed | Specify the policy action taken when the service fails on the network.
CLI (network-admin@Spine1) > port-association-service-modify
port-association-name name-string | Specify the name of the port association to which the service is applied.
switch name-string | Specify the name of the switch where the service is located.
inline-service inline-service-name | Specify the name of the Inline Service.
order number | Specify a number to designate the order of the service in the chain. This is a value between 1 and 65535.
policy-action fail-open|fail-closed | Specify the policy action taken when the service fails on the network.
CLI (network-admin@Spine1) > port-association-service-remove
port-association-name name-string | Specify the name of the port association from which the service is removed.
switch name-string | Specify the name of the switch where the service is located.
inline-service inline-service-name | Specify the name of the Inline Service.
CLI (network-admin@Spine1) > port-association-service-show
port-association-name name-string | Displays the name of the port association to which the service is applied.
switch name-string | Displays the name of the switch where the service is located.
inline-service inline-service-name | Displays the name of the Inline Service.
order number | Displays the number that designates the order of the service in the chain, a value between 1 and 65535.
policy-action fail-open|fail-closed | Displays the policy action taken when the service fails on the network.
CLI (network-admin@Spine1) > inline-service-create
name name-string | Specify a name for the Inline Service.
tx-port port-list | Specify the transmit port for the Inline Service.
rx-port port-list | Specify the receive port for the Inline Service.
CLI (network-admin@Spine1) > inline-service-delete
name name-string | Specify the name of the Inline Service to delete.
CLI (network-admin@Spine1) > inline-service-show
name name-string | Displays the name of the Inline Service.
tx-port port-list | Displays the transmit port for the Inline Service.
rx-port port-list | Displays the receive port for the Inline Service.