HP Service Insertion Guide K/KA/WB.15.15

1 Service Insertion
Service Insertion transparently inserts an external service into a traffic flow or into the traffic
processing pipeline:
• Flows are redirected to a service for inspection and then re-injected into the forwarding pipeline.
• Possible services include IPS, HP Network Protector SDN Application, Web filtering, and
  traffic analyzers.
Service Insertion is handled by the ASIC via a tunnel or Fast Path, and does not incur any CPU
processing overhead. This feature is supported on the HP Series 2920 and 3800 switches, and
also on the v2 modules for HP Series 5400, 5400R, and 8200 switches. It is not supported in
V1-compatible mode.
The figure below shows Inspection Service.
Figure 1 Inspection Service
Hardware IP Tunnels
HW IP Tunnels are used to enable Service Insertion. They are presented as virtual ports to the
OpenFlow agent running on the switch. Once a tunnel is created (by the HP Network Protector
SDN Application, for example), the OpenFlow agent is notified about the presence of the new
interface. The OpenFlow agent communicates this interface as a new logical port to the SDN
controller. This logical port is advertised over all OpenFlow version 1.3 instances configured on
the switch.
If the OpenFlow output port action for a flow rule points to a tunnel logical port, the packets
matching that flow rule are diverted to the configured tunnel endpoint via the tunnel interface.
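
The redirect rule described above at the wire level, as an added example that is not part of the HP guide: a Python builder for an OpenFlow 1.3 flow-mod whose output action points at a tunnel logical port, and a decoder that lists a flow-mod's output ports so a rule can be audited before it is sent. The port numbers, table ID and priority are constructed assumptions; the real tunnel port number is whatever the switch advertises to the controller.

```python
import struct

OFP_VERSION_13, OFPT_FLOW_MOD = 0x04, 14
OFPIT_APPLY_ACTIONS, OFPAT_OUTPUT = 4, 0
OFPP_ANY = OFPG_ANY = OFP_NO_BUFFER = 0xFFFFFFFF

def build_redirect_flow_mod(in_port, tunnel_port, table_id=0, priority=1000, xid=1):
    """Flow-mod (ADD): frames arriving on in_port are output to tunnel_port."""
    # OXM TLV: class 0x8000 (OpenFlow basic), field 0 (IN_PORT), 4-byte value
    oxm = struct.pack("!HBBI", 0x8000, 0, 4, in_port)
    match_len = 4 + len(oxm)  # ofp_match length excludes the trailing padding
    match = struct.pack("!HH", 1, match_len) + oxm + b"\x00" * (-match_len % 8)
    # ofp_action_output: type, len, port, max_len, 6 pad bytes
    action = struct.pack("!HHIH6x", OFPAT_OUTPUT, 16, tunnel_port, 0)
    instr = struct.pack("!HH4x", OFPIT_APPLY_ACTIONS, 8 + len(action)) + action
    # cookie, cookie_mask, table, command=ADD, idle, hard, priority,
    # buffer_id, out_port, out_group, flags, 2 pad bytes
    fixed = struct.pack("!QQBBHHHIIIH2x", 0, 0, table_id, 0, 0, 0, priority,
                        OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY, 0)
    body = fixed + match + instr
    return struct.pack("!BBHI", OFP_VERSION_13, OFPT_FLOW_MOD, 8 + len(body), xid) + body

def output_ports(msg):
    """List the ports named by output actions in a flow-mod's apply-actions."""
    if len(msg) < 56:
        raise ValueError("too short for an OpenFlow 1.3 flow-mod")
    version, msg_type, length, _xid = struct.unpack_from("!BBHI", msg)
    if (version, msg_type) != (OFP_VERSION_13, OFPT_FLOW_MOD) or length != len(msg):
        raise ValueError("not a well-formed OpenFlow 1.3 flow-mod")
    match_len = struct.unpack_from("!H", msg, 50)[0]  # ofp_match starts at offset 48
    off, ports = 48 + match_len + (-match_len % 8), []
    while off + 8 <= len(msg):
        itype, ilen = struct.unpack_from("!HH", msg, off)
        if ilen < 8 or off + ilen > len(msg):
            raise ValueError("bad instruction length")
        pos = off + 8
        while itype == OFPIT_APPLY_ACTIONS and pos + 8 <= off + ilen:
            atype, alen = struct.unpack_from("!HH", msg, pos)
            if alen < 8 or pos + alen > off + ilen:
                raise ValueError("bad action length")
            if atype == OFPAT_OUTPUT:
                ports.append(struct.unpack_from("!I", msg, pos + 4)[0])
            pos += alen
        off += ilen
    return ports

if __name__ == "__main__":
    # Constructed values: port 5 is an access port, 300 a tunnel logical port
    msg = build_redirect_flow_mod(in_port=5, tunnel_port=300)
    print(msg.hex(), output_ports(msg))
```
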
When a frame is encapsulated and sent to the controller, the frame includes the MAC headers
and the VLAN tag. Even if the original frame was not VLAN tagged, the switch VLAN tags this
frame with VLAN-ID set to the incoming port’s default VLAN before encapsulating it. Since frames