Set up Layer 4-Layer 7 service acceleration
Licensing requirements
The service acceleration feature requires you to be on the Premier licensing tier. You require a separate Cisco Hypershield license for Layer-4 stateful segmentation capabilities and security use cases.
Workflow for Layer 4 - Layer 7 service acceleration
Perform these steps to enable the Layer 4 - Layer 7 service acceleration features provided by the DPU.
- Bring up the switch by installing the software on the switch.
- Configure VRF contexts and Layer 3 interfaces with VRF members.
- Configure a loopback interface for the Hypershield source-interface.
- Enable the service acceleration feature.
- Request the token from Hypershield Security Cloud Control.
- Add the configuration to connect to Hypershield.
- Configure traffic inspection for traffic in the required VRFs.
- Enable the firewall service functionality.
Guidelines and limitations
Recommendation on VRF usage and IP address configuration
The recommendations provide guidance on VRF usage and reserved IP-address ranges.
- Use VRF-lite to keep traffic separate and, for redirection, to assign the traffic of each VRF to a specific DPU. Allocate one or more VRFs (in addition to the default VRF) for traffic that requires filtering with the DPU.
- The IP-address range 169.254.x.x should not be used; it is reserved for communication with the DPU within the switch.
- In addition to the normal IP address requirements (such as the mgmt0 IP), you need to assign a loopback IP address for the Hypershield Agent running on the Cisco N9300 Series Smart switch.
Restrictions and considerations for firewall service configuration
These restrictions and considerations address limitations and best practices for operating the firewall service, covering traffic inspection behavior, protocol interactions, and service acceleration VRF functionality.
- Hypershield management traffic uses the default VRF. You cannot configure the default VRF or the management VRF for traffic inspection under service firewall.
- Connectivity to Hypershield requires a front panel interface; it cannot use the mgmt0 interface.
- Once a loopback interface is used as the source interface for the service instance, its IP address cannot be used for any purpose other than communication between the agent and Hypershield. This loopback IP address cannot be reused for any control protocols running on the switch. Any attempt to test reachability to other destinations using ICMP echo from the NX-OS CLI fails when the loopback IP address is specified as the source. Use the troubleshooting commands instead to verify the connectivity between the Hypershield Agent and the Hypershield Controller. For more information, see Cisco N9300 Series Smart Switches Troubleshooting.
- If a VRF is configured under the service firewall configuration (that is, the VRF is subject to traffic filtering) and the service firewall is not "in-service", the IPv4 and IPv6 traffic routed by this VRF is dropped until the service firewall is "in-service" (and until a security rule to allow that traffic is in place).
  Note: Control protocol traffic in the VRFs configured for service acceleration that is destined to the supervisor of the Cisco N9300 Smart switch is not inspected. Hence it is not dropped, regardless of whether the service firewall is "in-service" and regardless of which security rules are configured.
- The firewall service does not inspect multicast traffic, traffic destined for the local switch, traffic originating from the supervisor, BFD echo packets, the default and management VRFs, and any VRFs that are not added under service firewall.
- When the service firewall is not in the "in-service" state and the DPU is not ready to inspect traffic, the Layer 3 routing protocols provide graceful insertion and removal (GIR) behavior. To achieve this, the service-acceleration VRFs isolate the switch from the network by altering the route advertisement behavior. Protocols supporting this functionality include Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF). The protocols resume regular route advertisement once the service firewall is ready for use and is in the "in-service" state. These features are not available in Cisco Nexus NX-OS Release 10.5(3s)F.
- Inter-VRF flows are not supported: the traffic being filtered must enter and exit the smart switch in the same VRF.
- Cisco Nexus NX-OS Release 10.5(3s)F supports only Layer 3 physical interfaces and port-channels, as well as physical and port-channel subinterfaces. Only incoming traffic is supported on the Layer 3 physical interfaces.
- High availability features such as redundancy and stateful failover are not supported. If you use ECMP for traffic distribution, you must make sure that traffic is sent symmetrically to the switch.
- Layer 2 features such as access or trunk ports, VLAN extension across networks, and MAC address table management are not supported.
- The VRF sharing feature, which enables route exchange between different VRFs using import or export policies configured with route maps, is not supported.
- Virtual Port Channels (vPCs), which allow links across two devices to appear as a single port channel, are not supported.
- Switch virtual interfaces (SVIs) are not supported; use Layer 3 interfaces for routing traffic.
- Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP), which provide seamless failover, are not supported.
- VXLAN and EVPN features are not supported.
- The feature service-acceleration command is a hardware-intensive feature. When enabled, NX-OS powers up the DPUs, which takes some time. As a result, NX-OS prevents execution of the no feature service-acceleration command until the DPUs are fully powered up and reach a terminal state. These statements hold true:
  - The feature service-acceleration command cannot be disabled until all DPUs in the system have been powered on.
  - Once disabled, the feature service-acceleration command can only be re-enabled after a switch reboot.
  If you use the configure replace feature (see Performing Configuration Replace), the success of configure replace may depend on the timing of the configuration relative to when service-acceleration was enabled or disabled.
- Management traffic from the Hypershield Agent to the Hypershield system is not supported over IPv6.
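Several of the guidelines above are easy to violate silently in a long running-config, so this added example (not Cisco's code and not an NX-OS feature) reads a constructed show run excerpt and reports the violations that can be detected from the text alone: an interface address inside 169.254.0.0/16, a Hypershield source-interface that is not a loopback in the default VRF, reuse of that loopback address on another interface, the default or management VRF placed under service firewall, a firewall VRF with no vrf context, and firewall VRFs configured while the firewall is not in-service. The indentation layout, the sample addresses and the placement of service firewall and in-service under service system hypershield are assumptions modelled on the show run excerpts on this page.

```python
# Added example (not Cisco tooling): lint an NX-OS running-config excerpt
# against the service-acceleration guidelines listed above.
import ipaddress
import re
from typing import Dict, List, Tuple

DPU_INTERNAL_RANGE = ipaddress.ip_network("169.254.0.0/16")  # reserved for switch-to-DPU traffic

# Constructed sample config modelled on the show run excerpts on this page.
# Ethernet1/2, Ethernet1/3 and the management VRF line deliberately violate
# the guidelines so that the linter has something to report.
SAMPLE_CONFIG = """\
feature service-acceleration
vrf context red
vrf context blue
interface loopback100
  ip address 192.0.2.1/32
interface Ethernet1/2
  vrf member red
  ip address 169.254.10.1/24
interface Ethernet1/3
  vrf member blue
  ip address 192.0.2.1/24
service system hypershield
  source-interface loopback 100
  service firewall
    vrf red module-affinity dynamic
    vrf blue module-affinity 1
    vrf management module-affinity dynamic
    in-service
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its stripped indented lines (deeper nesting is flattened)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if not raw[0].isspace():
            current = text
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(text)
    return blocks

def normalize(name: str) -> str:
    """'loopback 100' and 'loopback100' name the same interface."""
    return re.sub(r"\s+", "", name).lower()

def interface_table(blocks: Dict[str, List[str]]) -> Dict[str, Tuple[str, object]]:
    """Interface name -> (VRF name, ip_interface or None)."""
    table: Dict[str, Tuple[str, object]] = {}
    for head, body in blocks.items():
        if head.startswith("interface "):
            name, vrf, addr = head.split(None, 1)[1], "default", None
            for line in body:
                if line.startswith("vrf member "):
                    vrf = line.split()[2]
                elif line.startswith("ip address "):
                    addr = ipaddress.ip_interface(line.split()[2])
            table[name] = (vrf, addr)
    return table

def lint(config: str) -> List[str]:
    """Return findings; an empty list means none of the listed guidelines is violated."""
    blocks, findings = parse_blocks(config), []
    if "feature service-acceleration" not in blocks:
        findings.append("feature service-acceleration is not enabled; the DPUs stay powered off")
    ifaces = interface_table(blocks)
    vrf_contexts = {h.split()[2] for h in blocks if h.startswith("vrf context ")}
    for name, (_, addr) in ifaces.items():
        if addr is not None and addr.ip in DPU_INTERNAL_RANGE:
            findings.append(f"{name}: {addr} is in 169.254.0.0/16, reserved for switch-to-DPU traffic")
    hs = blocks.get("service system hypershield", [])
    src = next((line for line in hs if line.startswith("source-interface ")), None)
    if src is None:
        findings.append("service system hypershield: no source-interface configured")
    else:
        src_key, by_key = normalize(src.split(None, 1)[1]), {normalize(n): n for n in ifaces}
        if not src_key.startswith("loopback") or src_key not in by_key:
            findings.append(f"source-interface {src_key}: must be a configured loopback interface")
        else:
            src_name = by_key[src_key]
            vrf, addr = ifaces[src_name]
            if vrf != "default":
                findings.append(f"{src_name}: Hypershield source-interface must be in the default VRF, found {vrf}")
            for other, (_, oaddr) in ifaces.items():
                if other != src_name and addr is not None and oaddr is not None and oaddr.ip == addr.ip:
                    findings.append(f"{other}: reuses the Hypershield loopback address {addr.ip}")
    fw_vrfs = [line.split()[1] for line in hs if re.match(r"vrf \S+", line)]
    for vrf in fw_vrfs:
        if vrf in ("default", "management"):
            findings.append(f"service firewall: VRF {vrf} cannot be configured for traffic inspection")
        elif vrf not in vrf_contexts:
            findings.append(f"service firewall: VRF {vrf} has no vrf context")
    if fw_vrfs and "in-service" not in hs:
        findings.append("service firewall: VRFs configured but not in-service; their routed IPv4/IPv6 traffic is dropped")
    return findings
```

On the constructed sample, lint(SAMPLE_CONFIG) reports three findings: the 169.254 address on Ethernet1/2, the reuse of the loopback address on Ethernet1/3, and the management VRF under service firewall. Feed it the text of show run service-acceleration together with show run interface and show run vrf from a real switch to get the same checks on live configuration; the in-service finding is the one to watch during maintenance windows, since the traffic in those VRFs is dropped rather than bypassed.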
Configure and assign the VRF to an interface
Perform this task to configure a VRF on an interface.
Procedure
Step 1
Create a new VRF using the vrf context vrf-name command.
Step 2
Configure a Layer 3 interface using the interface interface-type slot/port command.
Step 3
Assign the VRF to the interface using the vrf member vrf-name command. This removes any existing IPv4/IPv6 address already configured on the interface.
Step 4
Configure an IP address for the interface using the ip address ip-address/length command. You must do this step after you assign this interface to a VRF.
Example
Verify the VRF contexts and Layer 3 interface configuration.
switch# show run
..
vrf context red
vrf context green
vrf context blue
!
!
switch# show run interface 1/1
interface Ethernet1/1
vrf member red
ip address 192.0.2.1/16
no shutdown
<…etc…>
...!
Create a loopback interface
Perform this task to create a loopback interface, and associate this loopback interface with the Hypershield agent in the service system Hypershield configuration.
Procedure
Step 1
Create a loopback interface for the Hypershield source-interface using the interface loopback instance command.
Step 2
Configure an IP address for the interface using the ip address ip-address/length command. ip-address/length: Sets an IP address for the loopback. For more information about IP addresses, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.
Example
Verify the loopback interface configuration.
switch# show run
!
interface loopback100
ip address 192.0.2.1/32
Enable service acceleration
Perform this task to enable service acceleration and power up the DPUs in the switch.
Procedure
Enable the feature service-acceleration command to power up the DPUs. If the feature service-acceleration command is not configured, the DPUs are powered off and the switch functions as a regular NX-OS switch.
Verify service acceleration
Perform this task to verify service acceleration enablement.
Procedure
Step 1
Verify the service acceleration status using the show run service-acceleration | grep feature command.
Step 2
Use the show interfaces brief command to view the status of the interfaces.
All DPUs power up when feature service-acceleration is enabled.
Example
You can verify the DPUs are powered up and online using the show module command.
switch# show module
Mod Ports Module-Type Model Status
--- ----- ------------------------------------------------ --------------------- --------
1 24 24x40/100G QSFP28 Ethernet Module N9324C-SE1U ok
27 0 Virtual Supervisor Module N9324C-SE1U active *
<…snip…>
* this terminal session
Mod DPU Module-Type Model Status
--- --- ------------- --------------------- --------
1 1 DPU N9324C-SE1U-DPU ok
1 2 DPU N9324C-SE1U-DPU ok
1 3 DPU N9324C-SE1U-DPU ok
1 4 DPU N9324C-SE1U-DPU ok
Mod DPU Sw Hw Serial-Num Online Diag Status
--- --- ------------- ---------- ------------ ------------------
1 1 1.5.3.s 1.0 FDO285215F3 Pass
1 2 1.5.3.s 1.0 FDO285215F4 Pass
1 3 1.5.3.s 1.0 FDO285215F5 Pass
1 4 1.5.3.s 1.0 FDO285215F6 Pass
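Reading the two DPU tables by eye is fine for one switch; for a fleet, or for a pre-check before putting a service firewall in-service, the same check is better done in code. This added example (not Cisco tooling) parses the DPU tables of the show module output printed above and reports any DPU whose status is not ok or whose online diagnostics did not pass. The column layout it assumes is exactly the one printed above; the sample text is that output, and any other status or diag values it compares against are constructed for illustration.

```python
# Added example (not Cisco tooling): verify DPU state from 'show module' output.
import re
from typing import Dict, List, Tuple

# The show module output shown on this page, used as the sample input.
SHOW_MODULE = """\
Mod Ports Module-Type Model Status
--- ----- ------------------------------------------------ --------------------- --------
1 24 24x40/100G QSFP28 Ethernet Module N9324C-SE1U ok
27 0 Virtual Supervisor Module N9324C-SE1U active *
<…snip…>
* this terminal session
Mod DPU Module-Type Model Status
--- --- ------------- --------------------- --------
1 1 DPU N9324C-SE1U-DPU ok
1 2 DPU N9324C-SE1U-DPU ok
1 3 DPU N9324C-SE1U-DPU ok
1 4 DPU N9324C-SE1U-DPU ok
Mod DPU Sw Hw Serial-Num Online Diag Status
--- --- ------------- ---------- ------------ ------------------
1 1 1.5.3.s 1.0 FDO285215F3 Pass
1 2 1.5.3.s 1.0 FDO285215F4 Pass
1 3 1.5.3.s 1.0 FDO285215F5 Pass
1 4 1.5.3.s 1.0 FDO285215F6 Pass
"""

# A table row: module number, DPU number, then the remaining columns.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")

def parse_dpu_tables(output: str) -> Dict[Tuple[int, int], Dict[str, str]]:
    """(module, dpu) -> {'model', 'status', 'sw', 'hw', 'serial', 'diag'}."""
    dpus: Dict[Tuple[int, int], Dict[str, str]] = {}
    mode = None  # None outside the DPU tables, 'status' or 'diag' inside them
    for line in output.splitlines():
        if line.startswith("Mod "):
            # A header line opens a new table; only the two with a DPU column matter.
            mode = None if "DPU" not in line else ("diag" if "Diag" in line else "status")
            continue
        if mode is None or line.startswith("---"):
            continue
        m = ROW.match(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        fields = m.group(3).split()
        entry = dpus.setdefault(key, {})
        if mode == "status":   # fields: ['DPU', model, status]
            entry["model"], entry["status"] = fields[1], fields[-1]
        else:                  # fields: [sw, hw, serial, diag words...]
            entry["sw"], entry["hw"], entry["serial"] = fields[0], fields[1], fields[2]
            entry["diag"] = " ".join(fields[3:])
    return dpus

def dpus_ready(output: str, expected: int = 4) -> Tuple[bool, List[str]]:
    """True only if the expected number of DPUs are present, 'ok' and passed online diag."""
    dpus = parse_dpu_tables(output)
    problems: List[str] = []
    if len(dpus) != expected:
        problems.append(f"expected {expected} DPUs, found {len(dpus)}")
    for (mod, dpu), info in sorted(dpus.items()):
        if info.get("status") != "ok":
            problems.append(f"module {mod} DPU {dpu}: status is {info.get('status')}")
        if info.get("diag") != "Pass":
            problems.append(f"module {mod} DPU {dpu}: online diag is {info.get('diag')}")
    return (not problems, problems)

if __name__ == "__main__":
    ready, problems = dpus_ready(SHOW_MODULE)
    print("all DPUs ready" if ready else "\n".join(problems))
```

The expected DPU count is a parameter because the number of DPUs depends on the switch model; pin it to what the platform should report so that a DPU missing from the table entirely (for example, while feature service-acceleration is still powering them up) is flagged rather than silently skipped.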
Disable service-acceleration feature
Procedure
Disable the service-acceleration feature and the Layer 4-7 services on the switch, so that it functions in the DPU powered-off state, using the no feature service-acceleration command.
Register the Cisco N9300 Smart switch with Hypershield
You should obtain a one-time password (OTP) token from Hypershield. The token includes the information on how to reach Hypershield.
This token must be entered on the switch to establish communication between the switch and Hypershield.
Procedure
Establish communication between the switch and Hypershield with the obtained token using the service system hypershield register otp command. Execute this command at the EXEC level. otp: the token string (maximum size 4094). Type the token without any quotes.
Verify Hypershield connection status
Procedure
Verify the status of the connectivity using the show service-acceleration status details command.
Configure Hypershield connectivity
Perform this task to establish connectivity between the Hypershield Agent in the Cisco N9300 Smart switch and the Hypershield system.
Procedure
Step 1
Enable the service system hypershield command to set up the Hypershield instance.
Step 2
Configure the source-interface command to assign the loopback interface with the IP address to the Hypershield Agent. The loopback IP address must be configured in the default VRF. See Create a loopback interface.
Example
The example shows service acceleration feature configuration.
switch# show run service-acceleration
!
feature service-acceleration
service system hypershield register 34C58A…
!
service system hypershield
source-interface loopback 100
...!
Configure VRFs for traffic redirection to the firewall service
Perform this task to specify the VRFs whose traffic must be firewalled.
Procedure
Step 1
Enable the service firewall command.
Step 2
Configure the VRF under the service firewall to redirect the traffic in the VRF for inspection by the firewall service using the vrf vrf-name command. When module-affinity dynamic is used, the switch decides which DPU inspects the traffic in the VRF. The VRF context and other required networking configuration is entered as usual on the switch.
Step 3
(Optional) Configure a specific DPU number to indicate that traffic in the VRF must be inspected by the firewall service in that DPU using the module-affinity command. For example, with vrf blue module-affinity 1, traffic in VRF blue is inspected by DPU 1.
This is a sample configuration example of a VRF for traffic redirection to the DPU.
Switch(config-svc-sys)# service firewall
Switch(config-svc-sys-fw)# vrf red module-affinity dynamic
Switch(config-svc-sys-fw)# vrf blue module-affinity 1
Example
The example shows service acceleration with firewalling enabled.
switch# show run service-acceleration
!
feature service-acceleration
service system hypershield register 34C58A…
!
service system hypershield
source-interface loopback 100
service firewall
vrf blue module-affinity 1
vrf red module-affinity dynamic
Enable traffic inspection with in-service for service firewalls
The in-service command enables the service firewall functionality and allows traffic inspection by the DPUs.
You can also use the no service firewall and no in-service commands to put the firewall functionality into maintenance mode and to modify the service firewall DPU and VRF pinning.
Procedure
Enable the in-service command to enable the service firewall to redirect specific traffic.