Ingress Policy

Agenda – New Features
- Feature Summary
- Data Plane Flow of current model
- Policy enforcement for current model
- Limitations of current model
- Data Plane Flow for Ingress Policy model
- Policy enforcement for Ingress Policy model
- Information Flow for Ingress Policy model
- Policy enforcement for pcEnfDir=egress
- Troubleshooting Ingress Policy
- User Configuration
- Restrictions for Ingress Policy model

Feature Summary
- Saves resources on the border leaf: reduces SG TCAM (zone-rule) consumption on the border ToR.
- With this model, policy is applied only on the non-border ToR.
- For backward compatibility, a PcEnfDir (ingress/egress) knob is provided per VRF.
- Alleviates some of the policy and tenant configuration scale issues incurred during WAN configuration in ACI.
- External prefixes configured under the L3Out on the border leaf are leaked to the non-border leaf with the "remote" flag, for policy application purposes.

Dataplane Flow For Current Model
[Diagram: host, non-border leafs, border leaf, spines, external router/WAN. Panels: Host to WAN (NorthStar/Broadcom on non-border leaf), Host to WAN (NorthStar/Broadcom on border leaf), WAN to Host (NorthStar/Broadcom on border leaf), WAN to Host (NorthStar/Broadcom on non-border leaf).]

Policy Enforcement For Current Model
Zone-rules are installed on both the non-border and the border leaf. Assuming host and WAN are on different ToRs:
- Host to WAN: policy is applied on the border ToR. Destination class derivation cannot happen on the non-border leaf in this case.
- WAN to Host: policy is applied on the border ToR if the destination host is learnt on the border ToR; otherwise it is applied on the non-border ToR.
- WAN to WAN: policy is applied on the ingress border ToR. Destination class derivation happens on the ingress border ToR in this case.

Limitations Of Current Model
- For every host that needs WAN access, the contract must be installed on both the non-border and the border ToR for correct policy application. This causes a scale issue on the border leaf.
- Increased SG TCAM utilization on the border ToR. SG TCAM limit: 4k on the NorthStar ASIC, 64k on the Donner ASIC.

Dataplane Flow For Ingress Policy Model
[Diagram: host, non-border leafs, border leaf, spines, external router/WAN. Panels: Host to WAN (NorthStar/Broadcom on non-border leaf), Host to WAN (NorthStar/Broadcom on border leaf), WAN to Host (NorthStar/Broadcom on border leaf), WAN to Host (NorthStar/Broadcom on non-border leaf).]

Policy Enforcement For Ingress Policy Model
The policy enforcement direction for the VRF must be set to "Ingress". Zone-rules are installed only on the non-border leaf. Assuming host and WAN are on different ToRs:
- Host to WAN: policy is applied on the non-border ToR. The destination class is derived on the non-border leaf from the "remote" actrlPfxEntry.
- WAN to Host: policy is applied on the non-border ToR, irrespective of whether or not the EPG is learnt on the BL (border leaf).
- WAN to WAN: policy is applied on the ingress border ToR. The destination class is derived on the ingress border leaf from the "remote" actrlPfxEntry.

Information Flow For Ingress Policy Model
APIC (PE) -> switch Policy Mgr -> Aclqos -> Shim -> NorthStar ASIC
- An MTS message is sent from the APIC to the switch policy manager process for each prefix/rule add, modify or delete.
- A PPF session runs between the SUP and the LC process.
- Aclqos requests shim/nsausd to program the entry in the NorthStar ASIC.
- Shim programs the entry in hardware.

Policy Enforcement for PcEnfDir = Egress
When PcEnfDir is set to egress, the behavior is the same as the old model (see "Dataplane Flow For Current Model" and "Policy Enforcement For Current Model" above).
Eltmc command to display the VRF policy mode:
FIB command to display the VRF policy mode:

Troubleshooting Shared – L3 Out: ufib
If a route is advertised by the VRF from multiple next hops, we should see a Q-in-Q entry used in the data plane for each next hop.

Troubleshooting Shared – L3 Out (cont.)

Troubleshooting Broadcom / NorthStar (host to WAN path)
- Identify the route in the Broadcom LPM, then follow the next hop and interface to identify the Q-in-Q tag.
- Use the Q-in-Q tag in NorthStar to identify the adjacency.

Troubleshooting Shared – L3 Out (cont.)
# vsh_lc -c "show platform internal ns forwarding epg ingress" | grep fdb
(columns: fdb  S/D  N/N  ...)
# vsh_lc -c "show platform internal ns forwarding adj 0xc ingress"
ENCP  T  U  USE  D  S  RM  S  SRC  POS  SEG-ID  PTR  D  P  PCI  M  DST-MAC  M  IDX  R  SEG-ID  CLSS
ff :00:00:00:00:

Troubleshooting Ingress Policy
On the border ToR. The /24 below is the actrlPfxEntry under consideration; the Vrf Vni column is the VRF VNID.
leaf102# vsh_lc
module-1# show system internal aclqos prefix
 Vrf Vni   Addr        Mask    Scope    Class   Shared   Remote
========  ==========  ======  =======  =====  =======  =======
                                       ff449155  FALSE    FALSE
leaf102# show zoning-rule | grep

Troubleshooting Ingress Policy (cont.)
On the non-border ToR:
leaf101# vsh_lc
module-1# show system internal aclqos prefix
 Vrf Vni   Addr        Mask    Scope    Class   Shared   Remote
=======   =========   =====   =====    =====   ======   =======
                                       ff450266  FALSE    TRUE
leaf101# show zoning-rule | grep
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
=======  ======  ======  ========  =======  =======  ======  ==============
                         default   enabled           permit  src_dst_any(5)
                         default   enabled           permit  src_dst_any(5)
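The two troubleshooting slides above are a manual check that, in ingress mode, the prefix entry exists on both ToRs (Remote=TRUE on the non-border ToR) while the contract rules exist only on the non-border ToR. The following is an added example, not code from the original deck or from Cisco, that automates that check over captured CLI output. It parses text shaped like the `show system internal aclqos prefix` and `show zoning-rule` output on the slides; the VRF VNID (2457600), the external prefix (10.1.1.0/24), the class IDs (32770 for the host EPG, 49155 for the external EPG), the rule IDs and the leaf names in the samples are constructed.

```python
"""Verify where ingress-policy objects landed, from captured leaf CLI output.

Added example for this deck, not code from the original slides or from Cisco.
All sample tables below are constructed to match the column layout the deck
shows; the VNID, prefix, class IDs and rule IDs are made up for illustration.
"""

PREFIX_COLS = ["VrfVni", "Addr", "Mask", "Scope", "Class", "Shared", "Remote"]
ZONING_COLS = ["RuleID", "SrcEPG", "DstEPG", "FilterID", "operSt",
               "Scope", "Action", "Priority"]

# Constructed sample: border leaf (leaf102). The external /24 is a local
# prefix entry (Remote=FALSE) and no contract rule for the host EPG exists.
BORDER = {
    "prefix": """\
 Vrf Vni   Addr       Mask  Scope    Class  Shared  Remote
========= ========== ===== ======== ====== ======= =======
 2457600   10.1.1.0   24    2457600  49155  FALSE   FALSE
""",
    "zoning": """\
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
=======  ======  ======  ========  =======  =======  ======  ===============
4099     0       0       implicit  enabled  2457600  deny    any_any_any(21)
""",
}

# Constructed sample: non-border leaf (leaf101). The same prefix entry is
# leaked with Remote=TRUE and the contract rules between the host EPG
# (class 32770) and the external EPG (class 49155) are present.
NONBORDER = {
    "prefix": """\
 Vrf Vni   Addr       Mask  Scope    Class  Shared  Remote
========= ========== ===== ======== ====== ======= =======
 2457600   10.1.1.0   24    2457600  49155  FALSE   TRUE
""",
    "zoning": """\
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
=======  ======  ======  ========  =======  =======  ======  ===============
4099     0       0       implicit  enabled  2457600  deny    any_any_any(21)
4130     32770   49155   default   enabled  2457600  permit  src_dst_any(5)
4131     49155   32770   default   enabled  2457600  permit  src_dst_any(5)
""",
}


def _rows(text, cols):
    """Split a CLI table into dicts, skipping the header and '====' lines."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("=") or fields[0] in ("Vrf", "Rule"):
            continue
        if len(fields) != len(cols):
            raise ValueError("unexpected row: " + line)
        out.append(dict(zip(cols, fields)))
    return out


def parse_prefix_table(text):
    return _rows(text, PREFIX_COLS)


def parse_zoning_rules(text):
    return _rows(text, ZONING_COLS)


def find_prefix(entries, vni, addr, mask):
    for e in entries:
        if (e["VrfVni"], e["Addr"], e["Mask"]) == (vni, addr, mask):
            return e
    return None


def rules_between(rules, class_a, class_b):
    """Rule IDs of permit rules between two classes, in either direction."""
    pair = {class_a, class_b}
    return [r["RuleID"] for r in rules
            if {r["SrcEPG"], r["DstEPG"]} == pair and r["Action"] == "permit"]


def verify_placement(mode, border, nonborder, vni, addr, mask, host_class, ext_class):
    """Check the placement the deck describes for the given pcEnfDir mode."""
    bp = find_prefix(parse_prefix_table(border["prefix"]), vni, addr, mask)
    np_ = find_prefix(parse_prefix_table(nonborder["prefix"]), vni, addr, mask)
    br = rules_between(parse_zoning_rules(border["zoning"]), host_class, ext_class)
    nr = rules_between(parse_zoning_rules(nonborder["zoning"]), host_class, ext_class)
    if mode == "ingress":
        # Rules only on the non-border leaf; prefix on both, "remote" on non-border.
        return {
            "prefix_on_border": bp is not None and bp["Remote"] == "FALSE",
            "prefix_on_nonborder_remote": np_ is not None and np_["Remote"] == "TRUE",
            "rules_on_nonborder": bool(nr),
            "no_rules_on_border": not br,
        }
    if mode == "egress":
        # Old model: rules on both leaves, prefix entry on the border leaf.
        return {
            "prefix_on_border": bp is not None,
            "rules_on_border": bool(br),
            "rules_on_nonborder": bool(nr),
        }
    raise ValueError("mode must be 'ingress' or 'egress'")


if __name__ == "__main__":
    for name, ok in verify_placement("ingress", BORDER, NONBORDER, "2457600",
                                     "10.1.1.0", "24", "32770", "49155").items():
        print(f"{name:28s} {'OK' if ok else 'MISSING'}")
```

Feed it the two tables captured from each ToR (`vsh_lc -c "show system internal aclqos prefix"` and `show zoning-rule`) for the VNID and external prefix under investigation. A missing `no_rules_on_border` in ingress mode means the VRF is still programmed the old way, which is the first thing to look at before suspecting the data plane.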

User Configuration
A new property named "PcEnfDir" (Policy Enforcement Direction) has been introduced on fvCtx (VRF). It has two possible values:
Egress: maintains the old behavior.
- Actrl rules (model class actrl::Rule) are installed on both border and non-border leaves.
- Actrl prefix entries (model class actrl::PfxEntry) are installed only on the border leaf, except in the following case: an application EPG is in contract with an InstP named InstP-1 under an L3Out named L3Out-1. If another outside (other than L3Out-1 and InstP-1) is deployed on the EPG's ToR, or in the EPG's VRF (if the EPG and the L3Out are in different VRFs), then the actrl prefix entries for the external subnets defined under InstP-1 are also installed on the EPG's ToR, or in the EPG's VRF respectively.
Ingress: new behavior.
- Actrl rules are installed only on the non-border leaf.
- Actrl prefix entries are installed on both the border and the non-border leaf.

User Configuration (cont.)
The property defines the policy enforcement direction for traffic coming to or from an L3Out; "egress" and "ingress" are with respect to the L3Out. The default is Ingress. VRFs that already exist at upgrade time are set to Egress, so that their behavior does not change right after the upgrade. This also means that no special upgrade sequence is needed when upgrading to the release that introduces this feature. After the upgrade, the user has to change the property value to Ingress. Once changed, the system reprograms the rules and prefix entries: rules are removed from the egress (border) leaf and installed on the ingress (non-border) leaf, and the actrl prefix entry, if not already present, is installed on the ingress leaf.
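Because existing VRFs keep pcEnfDir=egress across the upgrade, the practical follow-up is an audit of which VRFs are still in the old mode and a controlled flip to ingress. The following is an added example, not code from the original deck or from Cisco; it relies only on the public APIC object model (class fvCtx, attribute pcEnfDir with values "ingress" and "egress", the /api/class and /api/mo endpoints and the aaaLogin cookie). The tenant and VRF names, the APIC hostname and the sample query result are constructed for illustration.

```python
"""Audit VRF policy enforcement direction over the APIC REST API and build the change.

Added example, not code from the original deck or from Cisco. It uses only the
public APIC object model (fvCtx.pcEnfDir). The sample response, tenant/VRF
names and hostnames are constructed for illustration.
"""
import json
import re
import ssl
import urllib.request

# Constructed sample of GET /api/class/fvCtx.json after an upgrade: VRFs that
# existed before the upgrade keep pcEnfDir=egress, a VRF created afterwards
# has the new default, ingress.
SAMPLE_FVCTX_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"fvCtx": {"attributes": {"dn": "uni/tn-prod/ctx-vrf1", "name": "vrf1",
                                  "pcEnfPref": "enforced", "pcEnfDir": "egress"}}},
        {"fvCtx": {"attributes": {"dn": "uni/tn-prod/ctx-vrf2", "name": "vrf2",
                                  "pcEnfPref": "enforced", "pcEnfDir": "egress"}}},
        {"fvCtx": {"attributes": {"dn": "uni/tn-dev/ctx-vrf1", "name": "vrf1",
                                  "pcEnfPref": "enforced", "pcEnfDir": "ingress"}}},
    ],
})

CTX_DN = re.compile(r"^uni/tn-([^/]+)/ctx-([^/]+)$")


def vrfs_still_egress(response_text):
    """(tenant, vrf) pairs whose pcEnfDir is still the old egress mode."""
    found = []
    for item in json.loads(response_text)["imdata"]:
        attrs = item["fvCtx"]["attributes"]
        if attrs.get("pcEnfDir") != "egress":
            continue
        m = CTX_DN.match(attrs["dn"])
        if m is None:
            raise ValueError("unexpected fvCtx dn: " + attrs["dn"])
        found.append((m.group(1), m.group(2)))
    return found


def pc_enf_dir_payload(tenant, vrf, direction):
    """POST body that sets pcEnfDir on one VRF; only the changed attribute is sent."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    return {"fvCtx": {"attributes": {"dn": f"uni/tn-{tenant}/ctx-{vrf}",
                                     "pcEnfDir": direction}}}


def plan_migration(response_text, exclude=()):
    """(api_path, payload) pairs needed to move every remaining egress VRF to ingress.

    `exclude` lists VRFs to leave alone, for example those whose WAN policy relies
    on vzAny, taboo or transit contracts, which the restrictions slide says do
    not benefit from the ingress model.
    """
    plan = []
    for tenant, vrf in vrfs_still_egress(response_text):
        if (tenant, vrf) in exclude:
            continue
        plan.append((f"/api/mo/uni/tn-{tenant}/ctx-{vrf}.json",
                     pc_enf_dir_payload(tenant, vrf, "ingress")))
    return plan


def apic_login(apic, user, password, ctx=None):
    """Return the APIC-cookie token from /api/aaaLogin.json (network call, not run here)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"https://{apic}/api/aaaLogin.json", data=body, method="POST")
    # Default context keeps certificate verification on; do not disable it for the fabric controller.
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(apic, token, path, payload, ctx=None):
    """POST one managed object with the session cookie (network call, not run here)."""
    req = urllib.request.Request(f"https://{apic}{path}", data=json.dumps(payload).encode(),
                                 method="POST", headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run against the constructed sample; replace it with a real GET of
    # /api/class/fvCtx.json and call apic_post() per entry to apply the change.
    for path, payload in plan_migration(SAMPLE_FVCTX_RESPONSE):
        print("POST", path, json.dumps(payload))
```

Flip one VRF at a time and re-run the zoning-rule checks from the troubleshooting slides on a border and a non-border ToR after each change: the rules should disappear from the border leaf and appear on the non-border leaf before moving on to the next VRF.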

Restrictions For Ingress Policy Model
This feature does not apply in the following cases:
- Transit routing: rules are already applied at the ingress border leaf.
- vzAny contracts.
- Taboo contracts.