HP Service Insertion Guide
Wired Switches K/KA/WB 15.15

Abstract
This document describes the general steps and individual commands for enabling Service Insertion on HP Switches.
© Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Service Insertion ............................................ 4
  Hardware IP Tunnels .......................................... 4
    Tunnel Creation ............................................ 5
    Tunnel Deletion ............................................
1 Service Insertion

Service Insertion is the transparent insertion of an external service into a traffic flow or into the traffic processing pipeline:
• Flows are redirected to a service for inspection and then re-injected into the forwarding pipeline
• Possible services include IPS, HP Network Protector SDN Application, Web filtering, and traffic analyzers
Service Insertion is handled by the ASIC via a tunnel or Fast Path, and does not incur any CPU processing overhead.
are encapsulated, the path that the encapsulated packet traverses must be configured with a larger MTU. Up to 16 unique tunnel interfaces can be created to actively forward traffic.

NOTE: Tunnels are IPv4 only. IPv6 tunnels are not supported in the current version.

Tunnel Creation
Tunnels can be created using SNMP. The switch manages tunnels, with each tunnel being represented by a unique interface index.
these virtual ports in line with the OpenFlow 1.3 Specification. The controller has to remove these flow rules or modify them appropriately.
Figure 4 Integration with OpenFlow

OpenFlow and Service Tunnel Restrictions
1. A tunnel interface cannot be part of a multi-port output action.
2. A flow-rule's output action of sending packets to a tunnel cannot be combined with "Normal" or "SendToController" actions.
3. A tunnel interface cannot be part of a FLOOD action.
4. Re-directing packets to SI tunnels on an OpenFlow 1.0 instance is not supported. Tunnels are only supported on OpenFlow 1.3 instances.
5.
Service Tunnel restrictions with other features
1. Multicast routing cannot be enabled on a device when Service Tunnels are configured and vice-versa.
2. Distributed trunking cannot be configured on a device when Service Tunnels are configured and vice-versa.
3. MESH cannot be configured on a device when Service Tunnels are configured and vice-versa.
4. MAC-Mirror cannot be configured on a device when Service Tunnels are configured and vice-versa.
5.
MTU : 1280
Status
  Interface State           : Up
  Interface Down Reason     :
  Destination Address Route :
  Next Hop IP               :
  Next Hop Interface        :
  Next Hop IP Link Status   :
  Source Address            :
  Egress Port               :

Example: 'show interface tunnel type intercept statistics' displays all the tunnel statistics.
Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0
Rx Heartbeat                                 : 0
Tx Heartbeat                                 : 0
Last Recv Heartbeat Timestamp                : 01/01/90 00:00:00

show interface tunnel command
Example: the 'show interface tunnel' command displays the tunnel information with supported fields. Unsupported fields are indicated with 'n/a'.
TOS  :
TTL  :
IPv6 : n/a
MTU  :

Current Tunnel Status :
  Tunnel State              : Up
  Destination Address Route : 0.0.0.0/0
  Next Hop IP               : 120.92.48.129
  Next Hop Interface        : vlan-1
  Next Hop IP Link Status   : Up
  Source Address            : 1.1.1.1
  Egress Port               : A1

Example: 'display interface brief' displays the tunnel information with supported fields. Unsupported fields are indicated with 'n/a'.
Encapsulation is TUNNEL, Service-loopback-group ID n/a
Tunnel source 10.10.10.1, destination 10.10.10.2
Tunnel bandwidth n/a
Tunnel protocol/transport GRE/IP
Last clearing of counters: n/a
Last 300 seconds input: n/a
Last 300 seconds output: n/a
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error

Clear command
The Clear command is used to delete the service tunnels and clear the statistics on the switch.
Interface Index : 100663626
Name            : ServiceTunnel-01
Key             : 212
Local Address   : 41.30.30.30
Remote Address  : 57.50.50.
Interface State :
VLAN                 | IP Config   IP Address       Subnet Mask      Proxy ARP
                     |                                               Std  Local
-------------------- + ----------  ---------------  ---------------  ---- -----
DEFAULT_VLAN         | DHCP/Bootp  10.0.0.1         255.255.255.0
VLAN5                | Manual      41.30.30.30      255.255.255.
VLAN6                | Manual
----------------------------------------------
PvGre Tunnel Entries at Tunnel Glue
ifIndex       : 100663627
TGstatus      : ESTABLISHED
FDstatus      : ESTABLISHED
TCAMstatus    : ESTABLISHED
UPORTstatus   : ESTABLISHED
Before        : 0
After         : 16
Uport         : 0
HwLogPort     : 209
gatewayIf     : 0
outLPortIf    : 0
GRE_key       : 212
encapType     : 4
vlan_id       : 1
gatewayMacAddr: 000000-000000
srcMacAddr    : 2C59E5-0F20C0
TTL           : 64
MTU           : 1468
TOS           : 0
Bandwidth     : 1024
Tunnel Status : Down No Route
Current Rx Counter Rate(HIT): 0 Packets per second
Current Tx Co
Number of Remote Mirror Tunnels: 0
IfIndex    Type  Prot  Flags   Vrf
-------    ----  ----  ------  ----
100663626  5     47    0x000a
100663627  5     47    0x000a

ipamShowTnlProbe 2
Sentinel Tunnels:
IP : 120.92.32.129  VLAN : 1  unresolved: 0  16
IP : 120.92.32.129  VLAN : 1  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.0        VLAN : 0  unresolved: 0
IP : 0.0.0.         VLAN : 0  unresolved: 0

Slot 1
tunnelRead slot a:
[tunnelRead column table: the vertically printed column headers (TUNNEL, TFUNNEL, ...) are not recoverable from the extracted text]
ID | Issue | Possible cause | Troubleshooting help
(continued) ... to be valid local endpoint addresses.
   Possible cause: Incorrect encapsulation parameters
     • If the remote endpoint IP address is a multicast address, a tunnel cannot be created.
   Troubleshooting help: Do an SNMP walk on the hpSwitchErrorMsgEntry MIB object. This will display a message as to why the SET request failed.
     HP-3800-SW# show ip
     All configured interface IP addresses get listed here. The tunnel's local IP address should be one of the IP addresses listed here.
ID | Issue | Possible cause | Troubleshooting help
4  | User tries to create a service tunnel and gets the following SNMP error: SNMP_ERRORSTATUS_RESOURCEUNAVAILABLE
   Possible cause: # of tunnels limit. There is a limit on the number of tunnels that can be configured on a device and once that limit has been reached, any further tunnel creation will be errored out.
   Troubleshooting help: Do an SNMP walk on the hpSwitchErrorMsgEntry MIB object. This will display a message as to why the SET request failed.
Tunnel operational status
ID | Issue | Possible cause | Troubleshooting help
1  | Tunnel's operstatus is reported as DOWN in the CLI or Event logs or via OpenFlow.
   Possible cause: Network connectivity issue
2  | Tunnel's operstatus is reported as DOWN in the CLI or Event logs or OpenFlow.
   Possible cause: The tunnel endpoint is on a directly connected subnet but down (not responding to ARP requests).
   Troubleshooting help: Run the following CLI command to check for tunnel endpoint IP resolution status.
     HP-3800-SW# show interface tunnel type intercept
     Status
ID | Issue | Possible cause | Troubleshooting help
(continued) Relevant MIB objects: tunnelInetConfigIfIndex (rfc4087 MIB)
2  | FlowMod failure when trying to program an OpenFlow rule that is diverting packets to a tunnel interface. From an OF response perspective, the flow mod request will be rejected with error type="BAD_ACTION", code="BAD_OUT_PORT".
   Possible cause: OpenFlow 1.0 instance. OpenFlow forwarding to a tunnel interface is only supported on 1.3 instances. If the instance is a 1.0, the FlowMod will fail.
   Troubleshooting help: NA
ID | Issue | Possible cause | Troubleshooting help
(continued) ... controller, it could be for one of the following reasons
   Possible cause:
     • MTU violation during encapsulation can cause packets to be dropped.
     • Uplink interface drops (link congestion).
     • Network congestion in the
   Troubleshooting help:
     Service Tunnel Statistics
     MTU Violation Drop : 10
     Relevant MIB objects: hpicfServiceTunnelStatsTxMTUViolationDrop (hpicfServiceTunnels MIB)
     If there are no MTU violation related drops, run the following command to know if there are uplink interface TX drops.
ID | Issue | Possible cause | Troubleshooting help
(continued) If this counter is incrementing, it means there is fragmented traffic inbound on one or more tunnels.
   Relevant MIB objects: hpicfServiceTunnelStatsRxFragmentDrops (hpicfServiceTunnels MIB)
3  | Decapsulated packets not forwarded out by the switch.
ID | Purpose | CLI command or other
(continued)
     Interface Index                              : 100663874
     Name                                         : ServiceTunnel-01
     Rx Packets                                   : 0
     Tx Packets                                   : 0
     Rx 5 Minute Weighted Average Rate (Pkts/sec) : 0
     Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0
     Rx Heartbeat                                 : 0
     Tx Heartbeat                                 : 0
     Last Recv Heartbeat Timestamp                : 01/01/90 00:00:00
3  | Debug logging for various tunnel related events
     HP-E8206zl# debug tunnel intercept
4  | Show Tech command
     HP-E8206zl# show tech tunnel intercept
     Dumps all tunnel related information including
     • Statistics
     • ASI
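The following monitoring helper is an added example, not part of the HP guide: it compares two snapshots of the 'show interface tunnel type intercept statistics' key/value output and flags the conditions the troubleshooting tables above tie to each counter (MTU violation drops, fragment drops, tunnel state). The snapshots are constructed; 'Rx Fragment Drops' is an assumed CLI label for the hpicfServiceTunnelStatsRxFragmentDrops MIB object, and the stale-heartbeat check is this example's own heuristic.

```python
import re

# Constructed sample output (not a real capture). Labels follow the guide's
# 'show interface tunnel type intercept statistics'; 'Rx Fragment Drops' is an
# assumed CLI label for the hpicfServiceTunnelStatsRxFragmentDrops MIB object.
SNAPSHOT_T0 = """\
Name : ServiceTunnel-01
Tunnel State : Up
MTU Violation Drop : 10
Rx Fragment Drops : 0
Rx Heartbeat : 40
"""
SNAPSHOT_T1 = """\
Name : ServiceTunnel-01
Tunnel State : Up
MTU Violation Drop : 37
Rx Fragment Drops : 12
Rx Heartbeat : 40
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 ()/-]+?)\s*:\s*(.*?)\s*$")

def parse_stats(text: str) -> dict:
    """Turn 'Label : value' lines into a dict; lines without a colon are skipped."""
    out = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def _delta(prev: dict, curr: dict, key: str) -> int:
    return int(curr.get(key, 0)) - int(prev.get(key, 0))

def diagnose(prev_text: str, curr_text: str) -> list:
    """Compare two snapshots and return the findings the guide maps each counter to."""
    prev, curr = parse_stats(prev_text), parse_stats(curr_text)
    findings = []
    if curr.get("Tunnel State", "").lower() != "up":
        findings.append("tunnel down: check endpoint IP resolution (show interface tunnel type intercept)")
    if _delta(prev, curr, "MTU Violation Drop") > 0:
        findings.append("MTU violation drops incrementing: the encapsulated path needs a larger MTU")
    if _delta(prev, curr, "Rx Fragment Drops") > 0:
        findings.append("fragment drops incrementing: fragmented traffic inbound on the tunnel")
    # Assumed heuristic: Rx Heartbeat not advancing while the tunnel is Up suggests a silent peer.
    if curr.get("Tunnel State", "").lower() == "up" and _delta(prev, curr, "Rx Heartbeat") == 0:
        findings.append("Rx Heartbeat not advancing: verify the remote endpoint is alive")
    return findings
```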
2 Support and other resources

Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product model name and number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information
For the name of the nearest HP authorized reseller
• Basic Operation Guide
• IPv6 Configuration Guide
• Management and Configuration Guide
• Multicast and Routing Guide
• Event Log Message Reference Guide
• Comware CLI Commands in ProVision Software

Websites
HP product websites are available for additional information.
• HP Switch Networking web site: http://www.hp.com/networking/support
• HP Technical Support website: http://www.hp.
{}      The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...     The preceding element can be repeated an arbitrary number of times.
        Indicates the continuation of a code example.
|       Separates items in a list of choices.
WARNING A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
For more information about the HP Customer Self Repair program, contact your local service provider. For the North American program, visit the HP website at http://www.hp.com/go/selfrepair.
3 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.

NOTE: There has been a change to the style of the documentation with the newest release.
Index
A: applicable HP switches, 1
C: clear interfaces tunnel, 12
D: debug tunnel intercept, 12; documentation: HP website, 25; providing feedback on, 29
H: hardware IP tunnels, 4
I: inspection service, 4
O: OpenFlow and service tunnel restrictions, 7; OpenFlow and service tunnels, 6
S: service insertion, 4; service tunnel restrictions with other features, 8; show interface tunnel, 8; show tech tunnel intercept, 12
T: technical support, 26; troubleshooting, 17; tunnel Aliveness check using OpenFlow, 6; tunnel creation