hit counter script
Cisco Nexus 9000 Series Configuration Manual
  1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Switch
  5. Nexus 9000 Series
  6. Configuration manual

Cisco Nexus 9000 Series Configuration Manual

Nx-os intelligent traffic director configuration guide, release 9.x
Hide thumbs Also See for Nexus 9000 Series:
Table of Contents

Advertisement

Quick Links

See also: Troubleshooting Manual , Configuration Manual
Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director
Configuration Guide, Release 9.x
First Published: 2015-07-02
Last Modified: 2018-11-05
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Advertisement

Table of Contents
loading

Related Manuals for Cisco Nexus 9000 Series

Summary of Contents for Cisco Nexus 9000 Series

  • Page 1 Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x First Published: 2015-07-02 Last Modified: 2018-11-05 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 This product includes software written by Tim Hudson (tjh@cryptsoft.com). Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks.

  • Page 3: Table Of Contents

    Device Groups Multiple Device Groups in an ITD Service VRF Support Router ACLs Include and Exclude ACLs Virtual IP Address Filtering Port Number-Based Filtering Hot-Standby Multiple Ingress Interfaces Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 4 Configuration Example: Firewall on a Stick ITD Services ASA VLANs Flow Symmetry Link Failures Configuration Example Configuration Example: Firewall in Dual-Switch Sandwich Mode with vPCs Configuration Example: Firewall in Layer 3 Clustering Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 5 Contents Related Documents Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 6 Contents Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 7: Preface

    Documentation Feedback, on page viii • Obtaining Documentation and Submitting a Service Request, on page viii Audience This publication is for network administrators who install, configure, and maintain Cisco Nexus switches. Document Conventions Command descriptions use the following conventions: Convention...

  • Page 8: Related Documentation For Cisco Nexus 9000 Series Switches

    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. Related Documentation for Cisco Nexus 9000 Series Switches The entire Cisco Nexus 9000 Series switch documentation set is available at the following URL: http://www.cisco.com/en/US/products/ps13386/tsd_products_support_series_home.html Documentation Feedback To provide technical feedback on this document, or to report an error or omission, please send your comments to nexus9k-docfeedback@cisco.com.

  • Page 9: Chapter

    New and Changed Information, on page 1 New and Changed Information This table summarizes the new and changed features for the Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x and tells you where they are documented.
  • Page 10 New and Changed Information New and Changed Information Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 11: Configuring Itd

    C H A P T E R Configuring ITD This chapter describes how to configure the Intelligent Traffic Director (ITD) on the Cisco NX-OS device. • About ITD, on page 3 • Licensing Requirements for ITD, on page 12 •...
  • Page 12 • Scale the WAAS / WAE solution. Traffic redirection mechanism for the Wide Area Application Services (WAAS) or Web Accelerator Engine (WAE) solution • Scale the VDS-TC (video-caching) solution • Scale Layer-7 load-balancers, by distributing traffic to L7 LBs Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 13: Deployment Modes

    ITD supports an appliance pool connected to a virtual port channel (vPC). The ITD service runs on each switch, and ITD programs each switch to provide flow-coherent traffic passing through the nodes. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 14: Sandwich Deployment Mode

    • A destination IP address load-balancing scheme where the ITD service operates on the interface that connects to the servers in the ingress direction. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 15: Server Load-Balancing Deployment Mode

    VIP will be load balanced to the active nodes. The ITD service is not a stateful load balancer. Note You need to configure the ITD service manually and in a similar manner on each switch. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 16: Device Groups

    Multiple Device Groups in an ITD Service Beginning with Cisco NX-OS Release 7.0(3)I3(1), multiple device groups are supported in an ITD service (as shown in the figure below). An ITD service generates a single route map with different sequences that point to different device groups.

  • Page 17: Vrf Support

    ITD. This functionality helps you to filter and load distribute selected traffic. Note ITD statistics do not function if you configure an RACL on an ITD ingress interface. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 18: Include And Exclude Acls

    The hot-standby node can be configured only at the node level . At the node level, the hot-standby node receives traffic only if its associated active node fails. ITD supports N + M redundancy where M nodes can act as hot-standby nodes for N active nodes. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 19: Multiple Ingress Interfaces

    ITD service to redirect traffic arriving on different interfaces to a group of nodes. Beginning with Cisco NX-OS Release 7.0(3)I7(3), the same ingress interface can be included in two ITD services, allowing one IPv4 ITD service and one IPv6 ITD service.

  • Page 20: Failaction Reassignment

    ITD requires a Network Services license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply licenses, see the Cisco NX-OS Licensing Guide. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 21: Guidelines And Limitations For Itd

    • ITD is supported on the following platforms: ITDv4 support • Cisco Nexus 9500 Series switches with Cisco Nexus X9432PQ, X9464PX, X9464TX, X9536PQ, X9564PX, X9564TX, and X9636PQ line cards. • Cisco Nexus 9332PQ, 9372PX, 9372PX-E, 9372TX, 9372TX-E, 9396PX, 9396TX, 93120TX, and 93128TX switches.

  • Page 22: Itd Support Summary

    ITDv6 introduced in Cisco NX-OS Release • ICMP • ICMPv3 7.0(3)I7(3) • HTTP • UDP • DNS Per Node-Probe Level Hot-Standby Introduced in Cisco NX-OS Release 7.0(3)I7(3) Weight Non-Disruptive Operation Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 23: Default Settings For Itd

    Cisco Nexus 9500Series switches. Cisco Nexus X9432PQ, X9464PX, X9464TX, X9536PQ, X9564PX, X9564TX, and X9636PQ line cards. Default Settings for ITD This table lists the default settings for ITD parameters. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 24: Configuring Itd

    Configuring a Device Group You can create an ITD device group and then specify the group's nodes and probe. Beginning with Cisco NX-OS Release 7.0(3)I3(1), you can configure multiple device groups. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 25 Configuring a Device Group Before you begin Ensure that the ITD feature is enabled. If your device is running Cisco NX-OS Release 7.0(3)I3(1) or later, ensure that the following commands are configured: feature sla sender and feature sla responder. Procedure...

  • Page 26: Configuring An Itd Service

    Configuring an ITD Service Before you begin Ensure that the ITD feature is enabled. Ensure that the device group to be added to the ITD service has been configured. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 27 2 to 256. If you configure more buckets Note than the number of nodes, the buckets are applied in a round-robin fashion across all the nodes. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 28 This command is not supported for standby nodes. For IPv6 ITD, the failaction bucket Note distribute command is available in CLI but it is not supported. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 29: Assigning An Acl To An Itd Service

    (ACE) with the permit method in the ACL, this feature filters the unwanted traffic and generates IP access lists and a route map to load-balance the permitted traffic. Load balancing is supported using either the source or destination IP address. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 30 The range is from 2 to 256. Note If you configure more buckets than the number of nodes, the buckets are applied in a round-robin fashion across all the nodes. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 31: Nondisruptively Adding Or Deleting Nodes

    Enters global configuration mode. Example: switch# configure terminal switch(config)# Step 2 itd session device-group device-group-name Creates an ITD session for the specified device group. Example: switch(config)# itd session device-group switch(config-session-device-group)# Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 32 ITD session for the specified device group. Example: switch(config)# show itd session device-group dg1 Step 6 (Optional) copy running-config startup-config Copies the running configuration to the startup configuration. Example: switch(config)# copy running-config startup-config Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 33: Nondisruptively Adding Or Deleting Aces In Include Or Exclude Acls

    Copies the running configuration to the startup configuration. Example: switch(config)# copy running-config startup-config Verifying the ITD Configuration To display the ITD configuration, perform one of the following tasks: Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 34 ------------------------------ ------------ ------ --------- WEB_itd_pool Po-1 Virtual IP Netmask/Prefix Protocol Port ---------------------------------------- ---------- ----- 10.10.10.100 / 255.255.255.255 Node Config-State Weight Status Track_id ------------------------- ------------ ------ ---------- --------- 10.10.10.11 Active Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 35 (50.17%) switch# show running-config services version 7.0(3)I1(2) feature itd itd device-group WEB-SERVERS node ip 10.10.10.11 node ip 10.10.10.12 probe icmp itd WEB device-group WEB-SERVERS virtual ip 10.10.10.100 255.255.255.255 Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 36: Configuration Examples For Itd

    This example shows how to configure hot-standby nodes for IPv6. switch(config)# feature itd switch(config)# itd device-group dg6-101 switch(config-device-group)# probe tcp port 8001 frequency 1 timeout 1 switch(config-device-group)# node ipv6 2001::197:1:1:11 switch(config-dg-node)# node ipv6 2001::197:1:1:12 Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 37 ITD. switch(config)# feature itd switch(config)# itd Service_Test switch(config-itd)# device-group test-group switch(config-itd)# ingress interface vlan10 switch(config-itd)# exclude access-list ITDExclude switch(config-itd)# no shutdown switch(config)# ip access-list ITDExclude Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 38 STS Trk# Sla_id ------------------- ------- --- ---- ----- -------------- --- --- ------- 10.10.10.9 Active ICMP 10004 Bucket List -------------------------------------------------------------------------- test_itd_ace_1_bucket_3 Node Cfg-S WGT Probe Port Probe-IP STS Trk# Sla_id Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 39 -------------------------------------------------------------------------- test_itd_ace_1_bucket_4 Beginning with Cisco NX-OS Release 7.0(3)I7(3), ITD supports IPv6. This example shows how to create acl and assign it to an ITDv4 as well as ITDv6 service . The show commands display the generated IP access lists and route map.
  • Page 40 # Brought down Node 3, and the failed node buckets are send to Node 2. switch# show itd Legend: ST(Status): ST-Standby,LF-Link Failed,PF-Probe Failed,PD-Peer Down,IA-Inactive Name LB Scheme Status Buckets -------------- ---------- -------- ------- test src-ip ACTIVE Exclude ACL Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 41 !Time: Thu Sep 22 22:30:21 2016 version 7.0(3)I5(1) feature itd itd session device-group dg itd device-group dg probe icmp node ip 1.1.1.1 node ip 2.2.2.2 node ip 3.3.3.3 Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 42 This example shows how to create an ITD session to nondisruptively add nodes in the dg1 device group: switch(config)# feature itd switch(config)# itd device-group dg1 switch(config-device-group)# probe icmp switch(config-device-group)# node ip 1.1.1.1 switch(config-dg-node)# node ip 2.1.1.1 switch(config-dg-node)# node ip 3.1.1.1 switch(config-dg-node)# Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 43 ------------------- ------- --- ---- ----- --------------- -- --- ------- 3.1.1.1 Active 1 ICMP 10005 Bucket List -------------------------------------------------------------------------- test_itd_bucket_3 switch(config-itd)# show run service !Command: show running-config services !Time: Tue Sep 20 20:36:04 2016 version 7.0(3)I5(1) feature itd Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 44 ------------------- ------- --- ---- ----- --------------- -- --- ------- 3.1.1.1 Active 1 ICMP 10005 Bucket List -------------------------------------------------------------------------- test_itd_bucket_3 Node Cfg-S WGT Probe Port Probe-IP STS Trk# Sla_id ------------------- ------- --- ---- ----- --------------- -- --- ------- Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 45 Legend: ST(Status): ST-Standby,LF-Link Failed,PF-Probe Failed,PD-Peer Down,IA-Inactive Name LB Scheme Status Buckets -------------- ---------- -------- ------- test dst-ip ACTIVE Exclude ACL ------------------------------- Device Group Probe Port Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 46 1.1.1.1 node ip 2.1.1.1 node ip 3.1.1.1 node ip 4.1.1.1 itd test device-group dg1 ingress interface Eth1/11 load-balance method dst ip access-list acl1 no shut Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 47 Bucket List -------------------------------------------------------------------------- test_itd_bucket_3, 4 switch(config)# show run service !Command: show running-config services !Time: Tue Sep 20 20:41:07 2016 version 7.0(3)I5(1) feature itd itd device-group dg1 probe icmp Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 48 1.1.1.1 node ip 2.1.1.1 node ip 3.1.1.1 node ip 4.1.1.1 itd test device-group dg1 ingress interface Eth1/11 load-balance method dst ip access-list acl1 no shut Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 49 Legend: ST(Status): ST-Standby,LF-Link Failed,PF-Probe Failed,PD-Peer Down,IA-Inactive Name LB Scheme Status Buckets -------------- ---------- -------- ------- test dst-ip ACTIVE Exclude ACL ------------------------------- Device Group Probe Port -------------------------------------------------- ----- ------ Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 50 -------------- ---------- -------- ------- test dst-ip ACTIVE Exclude ACL ------------------------------- Device Group Probe Port -------------------------------------------------- ----- ------ ICMP Pool Interface Status Track_id ------------------------------ ------------ ------ --------- test_itd_pool Eth1/11 ACL Name ------------------------------ Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 51: Configuration Example: One-Arm Deployment Mode

    4.1.1.1 Active 1 ICMP 10006 Bucket List -------------------------------------------------------------------------- test_itd_bucket_4 switch(config)# sh run rpm Configuration Example: One-Arm Deployment Mode The configuration below uses the topology in the following figure: Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 52: Configuration Example: One-Arm Deployment Mode With Vpc

    1 switch(config-itd)# device-group DG switch(config-itd)# no shutdown Configuration Example: One-Arm Deployment Mode with vPC The configuration below uses the topology in the following figure: Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 53 Device 2 Step 1: Define the device group. switch(config)# itd device-group DG switch(config-device-group)# node ip 210.10.10.11 switch(config-device-group)# node ip 210.10.10.12 switch(config-device-group)# node ip 210.10.10.13 switch(config-device-group)# node ip 210.10.10.14 Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 54: Configuration Example: Sandwich Deployment Mode

    210.10.10.11 switch(config-device-group)# node ip 210.10.10.12 switch(config-device-group)# node ip 210.10.10.13 switch(config-device-group)# node ip 210.10.10.14 switch(config-device-group)# probe icmp Step 2: Define the ITD service. switch(config)# itd HTTP Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 55: Configuration Example: Server Load-Balancing Deployment Mode

    Configuration Example: Server Load-Balancing Deployment Mode The configuration below uses the topology in the following figure: Figure 9: ITD Load Distribution with VIP Step 1: Define the device group. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 56: Configuration Example: Itd As Wccp Replacement (Web-Proxy Deployment Mode)

    With ITD for web-proxy deployments, ITD probes are used to check the availability of the web-proxy server, which is critical because traffic sent toward a failed proxy server is lost. The configuration below uses the topology in the following figure: Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 57 Vlan 10 failaction node reassign load-balance method src ip no shutdown If return traffic redirection is also required for any reason, the following additional configuration steps are needed. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 58: Configuration Example: Peer Synchronization For Sandwich Mode

    ITD service B is not notified, service B will continue to send traffic to APP #1, and the traffic will be dropped. The configuration below uses this topology: Figure 11: Peer Synchronization for Sandwich Mode Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 59 14.14.14.9 ---> Link to app #1 switch(config-device-group)# node ip 13.13.13.9 ---> Link to app #2 switch(config-device-group)# probe icmp Step 2: Define the ITD service with peer synchronization enabled. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 60: Configuration Example: Firewall On A Stick

    If the ASA interfaces are configured on the same VLANs as that of the switch, the traffic going to the switch from the firewall is redirected to the ASA due to the presence of an ITD service on another VLAN on the Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 61: Flow Symmetry

    Configuring these two ITD services in such a way that the value of the load-balance parameter remains the same for both services ensures that flow symmetry is maintained. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 62: Link Failures

    The ITD peer switch node state synchronization feature can resolve this issue by removing the remote side of the ASA from ITD and synchronizing the node states across the switches. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 63: Configuration Example

    ASAs to the switches. In this configuration, the inside and outside interfaces are dot1q subinterfaces (VLAN 100 and 200), and the switches have two VLANs or SVIs each in the inside and outside contexts without physical port separation between them. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 64 192.168.20.10/24 hsrp 20 ip address 192.168.20.1 interface vlan 100 description Inside_Vlan_to_ASA vrf member INSIDE ip address 192.168.100.10/24 hsrp 100 ip address 192.168.100.1 interface vlan 200 description Outside_Vlan_to_ASA Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 65 #To use the next available Active FW if an FW goes offline load-balance method src ip buckets 16 #distributes traffic into 16 buckets #load balances traffic based on Source IP. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 66 • In this topology, traffic is not lost upon physical link failure because the inside and outside interfaces are tied to the same physical or virtual interface on the ASA (dot1q subinterfaces). Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 67: Configuration Example: Firewall In Dual-Switch Sandwich Mode With Vpcs

    Figure 16: Dual-Switch Sandwich Mode with vPCs Step 1: Configure the two switches. switch #1: interface vlan 10 description INSIDE_VLAN ip address 192.168.10.10/24 interface vlan 100 description FW_INSIDE_VLAN Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 68 192.168.200.111 255.255.255.0 same-security-traffic permit inter-interface interface TenGigabitEthernet 0/6 description CONNECTED_TO_SWITCH-A-VPC channel-group 11 mode active no nameif no security-level interface TenGigabitEthernet 0/7 description CONNECTED_TO_SWITCH-B-VPC channel-group 11 mode active no nameif Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...

  • Page 69: Configuration Example: Firewall In Layer 3 Clustering

    A potential drawback to using ASA clustering with ITD is that backup flows and other cluster table operations consume memory and CPU resources that non-clustered firewalls do not. Therefore, firewall performance might improve when using non-clustered firewalls. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 70 Minimal additional traffic on the All flows are rehashed, and CCL. additional traffic redirection occurs on the CCL. Traffic to all ASA devices in the cluster might be affected. Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 71 100 description FW_INSIDE_VLAN ip address 192.168.100.10/24 interface port-channel 11 description To_ASA-1_INSIDE switchport mode access switchport access vlan 100 vpc 11 interface ethernet 4/1 description To_ASA-1_INSIDE switchport mode access Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 72 100 ip address 192.168.200.11 255.255.255.0 cluster-pool IP-OUTSIDE interface port-channel 31 description Clustering Interface lacp max-bundle 8 interface TenGigabitEthernet 0/6 channel-group 11 mode active no nameif Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 73 Similarly, a MAC address POOL is also configured and used under the corresponding inside or outside port channel. Related Documents Related Topic Document Title IP SLA Cisco Nexus 9000 Series NX-OS IP SLAs Configuration Guide Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 74 Configuring ITD Related Documents Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x...
  • Page 75 19, 22 ingress interface 19, 22 itd device-group itd session itd session device-group weight load-balance {method | buckets | mask-position} Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x IN-1...
  • Page 76 INDEX Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x IN-2...

Table of Contents