This disclosure relates in general to the field of communications and, more particularly, to service chaining without any additional packet headers.
End users have more communications choices than ever before. A number of prominent technological trends are currently afoot (e.g., more computing devices, more online video services, more Internet video traffic), and these trends are changing the network delivery landscape. One of these trends is service chaining. Service chaining is an emerging set of technologies and processes that enable operators to configure network services dynamically in software without having to make changes to the network at the hardware level.
Overview
Presented herein are service chaining techniques for selective traffic redirection based on Access Control List (ACL) configurations on switches. A switch may redirect network traffic to one or more applications configured to perform a network service function. The applications may be specified in the service chain using different modes in a multi-mode configuration. The switch and one or more applications may be independently configured in L2 or L3 mode. In one embodiment, a method involves storing, in at least one hardware module of a network device having a plurality of ports, attributes for at least one access control list and associated actions that cause network packets received at one of the plurality of ports that match the attributes for the at least one access control list, to be directed into a service chain that includes at least a first network processing application specified according to a port and a second network processing application specified according to an internet protocol (IP) address. The method also involves directing a received network packet that matches the attributes for the at least one access control list into the service chain.
Presented herein are techniques for service chaining without any additional packet headers. This allows health monitoring, automatic failure handling, and transparent insertion of appliances (no appliance configuration required) at wire-speed performance. These techniques may be implemented on existing Application Specific Integrated Circuits (ASICs) and linecards in datacenter switches, and allow for selective traffic redirection based on ACL configuration. For example, if traffic matches an entry in an ACL, that traffic may be forwarded as indicated in the ACL, e.g., to an application configured to provide one or more network services. As provided herein, redirecting traffic based on ACL configuration also permits specifying applications using different modes in a service chain, and permits hybrid services insertion, where a switch is configured in one mode (e.g., Layer 2 (L2)) and an application providing a service is configured in another mode (e.g., Layer 3 (L3)).
The path that each type of network traffic follows through the application(s) connected to the switch 102 is referred to as a service chain (or “chain”).
An L2 chain has elements that are specified in a set of port groups (e.g., a list of interfaces). An example port group is:
In the example of
L2 mode may also be referred to as “transparent mode” or “bump in the wire mode” because no information in the packet (Media Access Control (MAC) address, Internet Protocol (IP) address, etc.) is rewritten.
An L3 chain has elements that are specified in a set of device groups. An example device group is:
In the example of
L3 mode may also be referred to as “routed mode” because the MAC address in the packet is rewritten.
As described herein, both modes (L2 and L3) may coexist in the same service chain. This is referred to herein as a “multi-mode” configuration, in which at least one application in the service chain runs in L2 mode, and at least one application in the service chain runs in L3 mode.
Example Command Line Interface (CLI) commands for the multi-mode configuration of
In this example, the network traffic proceeds along in the service chain in the forward (not the reverse) direction. As specified in the CLI above, if the traffic matches “access-list Forward,” and if the traffic arrives on ingress-port-group L2-pg1, the traffic is forwarded to egress-port-group L2-pg2. Here, ingress-port-group L2-pg1 includes eth 1/4, and egress-port-group L2-pg2 includes eth 1/17. Thus, as shown in
As further specified in the CLI above, if the traffic matches “access-list PBR_Forward,” and if the traffic arrives on ingress-port-group L3-pg1, the traffic is forwarded to egress-device-group DG1. Here, ingress-port-group L3-pg1 includes eth 1/18, and egress-device-group DG1 includes node ip 5.5.5.2. Thus, as shown in
In the example of
A switch interface may be configured as L2 by the command—switch(config-if)# switchport.
An interface may be configured as L3 by the command—switch(config-if)# no switchport.
For chaining, a packet ingressing the switch on a switchport (e.g., an L2 interface) that matches attributes for at least one access control list (on the switch) may be directed into a service chain that includes at least one network processing application specified according to a port (and/or port-group).
For chaining, a packet ingressing the switch on a “no switchport” (e.g., an L3 interface) that matches attributes for at least one access control list (on the switch) may be directed into a service chain that includes at least one network processing application specified according to a device address, node address and/or IP address (and/or device-group).
In addition to L2 and L3 modes, other modes may be used to specify applications in a multi-mode configuration. For example, Network Address Translation (NAT) mode and Generic Routing Encapsulation (GRE) mode may be included in a multi-mode service chain. In NAT mode, the switch rewrites both the MAC address and one or more IP addresses of a packet; in GRE mode, the switch adds (or removes) a GRE encapsulation header.
As set forth above, L2 mode may also be referred to as “transparent mode” or “bump in the wire mode” because no information in the packet (Media Access Control (MAC) address, Internet Protocol (IP) address, etc.) is rewritten. L3 mode may also be referred to as “routed mode” because the MAC address in the packet is rewritten.
At least four different types of services insertion are presented:
(1) Switch configured in L2 mode and application configured in L2 mode.
(2) Switch configured in L2 mode and application configured in L3 mode.
(3) Switch configured in L3 mode and application configured in L2 mode.
All four types of service insertion may employ application-native high-availability (HA) techniques for improved resilience. HA features enable availability monitoring between applications, connection state tracking, and synchronization of configurations. Both active/standby (e.g., as explained in more detail with reference to
With regard to the data path, because both the switch 502 and the application 506 are configured in L2 mode, neither the switch 502 nor the application 506 modify any address in the packet header. With regard to the control path, the switch 502 may monitor the health of the link between the switch 502 and the application 506 to determine whether to continue forwarding traffic to the application 506.
With regard to the control path,
With regard to the data path,
As illustrated in
With regard to the control path,
At 1608, TCAM entries may be created based on the above actions. The TCAM entries may provide, for example, that if the network traffic matches a specified ACL, (1) the traffic should be forwarded to the application interface, and (2) the source and destination MAC addresses should be rewritten. At 1610, the switch 1302 may probe the application IP address (and optionally the L4 port number), and at 1612, may also optionally probe the application interface.
In this example, the network traffic proceeds in the service chain in the forward (not the reverse) direction. As specified in the CLI above, if the traffic matches “access-list Forward,” and if the traffic arrives on ingress-port-group L2-pg1, the traffic is forwarded to egress-port-group L2-pg2. Here, ingress-port-group L2-pg1 includes Eth 1/2, and egress-port-group L2-pg2 includes Eth 4/1. Thus, as shown in
As further specified in the CLI above, if the traffic matches “access-list PBR_Forward,” and if the traffic arrives on ingress-port-group L3-pg11, the traffic is forwarded to egress-device-group DG1. Here, ingress-port-group L3-pg11 includes Eth 3/1, and egress-device-group DG1 includes node ip 40.1.1.1. Thus, as shown in
As further specified in the CLI above, for the reverse direction, if the traffic matches “access-list PBR_Reverse,” and if the traffic arrives on ingress-port-group L23-pg6, the traffic is forwarded to egress-device-group DG3. Here, ingress-port-group L23-pg6 includes Eth 4/5, and egress-device-group DG3 includes node ip 60.1.1.1. Thus, the traffic (which matches access-list PBR_Reverse) arrives at Eth 4/5 and is forwarded to Application 6 at IP address 60.1.1.1 (e.g., in L3 mode). The traffic may also be forwarded to the other applications (e.g., in L2 and L3 modes) as the traffic proceeds through the service chain.
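The service chain walked through above, modelled as an added Python example (not code from the patent or from any switch product): a switch object holds the ACLs, port groups, device groups and an ordered TCAM-style table of ACL/ingress-group/egress entries; a packet that hits an ACL from the expected ingress port group is handed to a port group untouched (L2, transparent mode) or, when the egress is a device group, sent to a node with only its MAC addresses rewritten (L3, routed mode), and only if that node's health probe has succeeded. The ACL match criteria, the MAC addresses, the probe results and the fail-closed behaviour when no node in a device group is healthy are assumptions; the port and group names and node IP addresses follow the CLI example in the text.

```python
"""Model of ACL-driven, multi-mode service chaining on a switch (constructed example).

Port groups, device groups and ACL names follow the CLI example in the text
(Eth 1/2 -> Eth 4/1 in L2 mode, Eth 3/1 -> node 40.1.1.1 in L3 mode,
Eth 4/5 -> node 60.1.1.1 for the reverse direction). The ACL match criteria,
MAC addresses, probe results and fail-closed behaviour are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_port: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Ace:
    """One access-control entry: match on source and destination prefix."""
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst))


@dataclass(frozen=True)
class TcamEntry:
    """ACL name + ingress port group -> egress port group (L2) or device group (L3)."""
    acl: str
    ingress_pg: str
    egress: str


class Switch:
    def __init__(self, mac: str):
        self.mac = mac
        self.acls: dict[str, list[Ace]] = {}
        self.port_groups: dict[str, list[str]] = {}         # name -> interfaces (L2 elements)
        self.device_groups: dict[str, dict[str, str]] = {}  # name -> {node ip: node mac} (L3 elements)
        self.tcam: list[TcamEntry] = []
        self.healthy: dict[str, bool] = {}                  # node ip -> last probe result

    def probe(self, node_ip: str, up: bool) -> None:
        """Record the result of the switch's health probe to an application IP."""
        self.healthy[node_ip] = up

    def lookup(self, pkt: Packet):
        """Ordered first-match lookup: the ingress port group AND one ACE must match."""
        for entry in self.tcam:
            if pkt.in_port not in self.port_groups[entry.ingress_pg]:
                continue
            if any(ace.matches(pkt) for ace in self.acls[entry.acl]):
                return entry
        return None

    def redirect(self, pkt: Packet):
        """Return (action, target, packet-as-sent) for one ingress packet."""
        entry = self.lookup(pkt)
        if entry is None:
            return ("forward", None, pkt)       # no ACL hit: ordinary switching/routing
        if entry.egress in self.port_groups:
            # L2 / transparent mode: the packet reaches the port with no header rewrite.
            return ("port", self.port_groups[entry.egress][0], pkt)
        for node_ip, node_mac in self.device_groups[entry.egress].items():
            if self.healthy.get(node_ip, False):
                # L3 / routed mode: only the MAC addresses change; IP addresses are kept.
                sent = replace(pkt, src_mac=self.mac, dst_mac=node_mac)
                return ("node", node_ip, sent)
        return ("drop", None, pkt)              # assumption: fail closed when every probe is down


def build_switch() -> Switch:
    """Constructed configuration mirroring the CLI example in the text."""
    sw = Switch(mac="00:00:5e:00:53:01")       # assumed switch MAC
    sw.acls = {                                # assumed match criteria for the named ACLs
        "Forward":     [Ace("10.1.0.0/16", "0.0.0.0/0")],
        "PBR_Forward": [Ace("10.1.0.0/16", "0.0.0.0/0")],
        "PBR_Reverse": [Ace("0.0.0.0/0", "10.1.0.0/16")],
    }
    sw.port_groups = {"L2-pg1": ["Eth 1/2"], "L2-pg2": ["Eth 4/1"],
                      "L3-pg11": ["Eth 3/1"], "L23-pg6": ["Eth 4/5"]}
    sw.device_groups = {"DG1": {"40.1.1.1": "00:00:5e:00:53:40"},   # assumed node MACs
                        "DG3": {"60.1.1.1": "00:00:5e:00:53:60"}}
    sw.tcam = [TcamEntry("Forward", "L2-pg1", "L2-pg2"),
               TcamEntry("PBR_Forward", "L3-pg11", "DG1"),
               TcamEntry("PBR_Reverse", "L23-pg6", "DG3")]
    sw.probe("40.1.1.1", up=True)
    sw.probe("60.1.1.1", up=False)             # simulate the reverse-path appliance failing its probe
    return sw


if __name__ == "__main__":
    sw = build_switch()
    fwd = Packet("Eth 1/2", "00:00:5e:00:53:aa", "00:00:5e:00:53:bb", "10.1.2.3", "192.0.2.10")
    pbr = replace(fwd, in_port="Eth 3/1")
    rev = Packet("Eth 4/5", "00:00:5e:00:53:cc", "00:00:5e:00:53:dd", "192.0.2.10", "10.1.2.3")
    for pkt in (fwd, pbr, rev):
        print(pkt.in_port, "->", sw.redirect(pkt))
```

The L3 branch is the place to check that IP addresses survive the redirect (routed mode rewrites only MACs, so the appliance still sees the original endpoints), and the probe table is what makes the text's "automatic failure handling" concrete: whether a chain fails open (bypasses the appliance) or fails closed (drops, as assumed here) when every node in a device group is down is a policy decision that the text leaves to the operator.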
The service chaining module 2410 may be configured to perform selective traffic redirection based on ACL configuration, and may perform the functions of an application specification module (e.g., one or more of the application specification modules shown in
The software modules on the supervisor 2404 may be implemented on at least one memory 2408 and at least one processor 2406. The memory 2408 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory 2408 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions that, when executed (by the controller), are operable to perform the operations described herein.
In one form, a method is provided comprising: storing, in at least one hardware module of a network device having a plurality of ports, attributes for at least one access control list and associated actions that cause network packets received at one of the plurality of ports that match the attributes for the at least one access control list, to be directed into a service chain that includes at least a first network processing application specified according to a port and a second network processing application specified according to an internet protocol (IP) address; and directing a received network packet that matches the attributes for the at least one access control list into the service chain.
Storing may comprise storing, in the at least one hardware module, attributes to define one or more port groups, each port group specifying at least one ingress port to the network device and/or at least one egress port from the network device. The directing may comprise directing the received network packet to a port group of the one or more port groups, the port group comprising the port according to which the first network processing application is specified. The directing may comprise directing the received network packet without modifying a source address or a destination address of a header of the received network packet.
Storing may comprise storing, in the at least one hardware module, attributes to define one or more device groups, each device group specifying an internet protocol (IP) address of a network processing application. Directing may comprise directing the received network packet to a device group of the one or more device groups, the device group comprising the IP address according to which the second network processing application is specified. Directing may comprise modifying a source address and/or a destination address of a header of the received network packet, the source address being modified to an address associated with the network device and/or the destination address being modified to an address associated with the second network processing application. Modifying may comprise rewriting the destination address to a first media access control (MAC) address associated with the second network processing application and/or rewriting the source address to a second MAC address associated with the network device.
The port may be a physical port of the network device at which network packets are directed from the network device to the first network processing application.
The IP address may be an IP address of a device running the second network processing application.
In another form, an apparatus is provided comprising: at least one hardware module of a network device having a plurality of ports, the at least one hardware module configured to store attributes for at least one access control list and associated actions that cause network packets received at one of the plurality of ports that match the attributes for the at least one access control list, to be directed into a service chain that includes at least a first network processing application specified according to a port and a second network processing application specified according to an internet protocol (IP) address; and a processor configured to communicate with the at least one hardware module and to direct a received network packet that matches the attributes for the at least one access control list into the service chain.
The attributes may define one or more port groups, each port group specifying at least one ingress port to the network device and/or at least one egress port from the network device. The processor may be configured to direct the received network packet to a port group of the one or more port groups, the port group comprising the port according to which the first network processing application is specified. The processor may be configured to direct the received network packet without modifying a source address or a destination address of a header of the received network packet.
The processor may be configured to direct the received network packet to a device group of one or more device groups, the device group comprising an IP address according to which the second network processing application is specified.
In still another form, provided is one or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to: store, in at least one hardware module of a network device having a plurality of ports, attributes for at least one access control list and associated actions that cause network packets received at one of the plurality of ports that match the attributes for the at least one access control list, to be directed into a service chain that includes at least a first network processing application specified according to a port and a second network processing application specified according to an internet protocol (IP) address; and direct a received network packet that matches the attributes for the at least one access control list into the service chain.
The attributes may define one or more port groups, each port group specifying at least one ingress port to the network device and/or at least one egress port from the network device.
The instructions, when executed by the processor, may cause the processor to direct the received network packet to a port group of the one or more port groups, the port group comprising the port according to which the first network processing application is specified. The instructions, when executed by the processor, may cause the processor to direct the received network packet without modifying a source address or a destination address of a header of the received network packet.
The instructions, when executed by the processor, may cause the processor to direct the received network packet to a device group of one or more device groups, the device group comprising an IP address according to which the second network processing application is specified.
The above description is intended by way of example only. Although the techniques are illustrated and described herein as embodied in one or more specific examples, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made within the scope and range of equivalents of the claims.
Number | Date | Country | Kind |
---|---|---|---|
201741035135 | Oct 2017 | IN | national |
This application claims priority to U.S. Provisional Application No. 62/568,017, filed Oct. 4, 2017, entitled HYBRID SERVICES INSERTION, and to Indian Provisional Application No. 201741035135, filed Oct. 4, 2017, entitled MULTI-MODE APPLICATION SERVICE CHAIN, the entirety of each of said applications is incorporated herein by reference.
Number | Date | Country |
---|---|---|
20190104065 A1 | Apr 2019 | US |
Number | Date | Country |
---|---|---|
62568017 | Oct 2017 | US |