A couple of months ago we released new features of Cisco's innovative Intelligent Traffic Distribution (ITD) on NX-OS 9.3.1. In this latest addition to Nexus 9000, we introduced ITD over VXLAN and ITD with destination NAT. The Cisco ITD feature in NX-OS was developed to address capacity limitations of network service appliances in a multi-terabit environment, while providing a hardware-based, scalable solution for Layer 3 and Layer 4 traffic distribution and redirection. The primary use cases for ITD are L3/L4-based load balancing across network service nodes or web servers, and traffic redirection and distribution to WAN optimizers or web proxies.
Benefits of ITD include:
- Simplified provisioning when scaling service nodes (scale-up);
- Line-rate traffic load balancing;
- Health monitoring, failure detection and recovery; and
- Unlike ECMP, even distribution of traffic and more granular control over traffic distribution.
ITD over VXLAN
In a VXLAN fabric architecture, the endpoints, such as clients, physical servers, and virtual servers, are distributed across the fabric. Traffic to and from these clients and servers needs to be load balanced in this fabric environment. With this ITD release, the single-switch ITD solution has been extended to the VXLAN fabric, so that the fabric itself now acts as a massive load balancer. The NX-OS 9.3.1 release covers only the VIP-based load-balancing mechanism in a VXLAN scenario, which means servers and clients can be connected anywhere in the fabric and still gain the benefit of this fabric-based load-balancing function.
ITD with NAT
For security reasons and to conserve IP space, customers turn to NAT solutions to reuse private IP addresses and hide the real IPs of their servers or services. Prior to this release, ITD was supported in Direct Server Return (DSR) mode, in which clients have visibility into the real IP addresses of the servers/services. The servers were configured with the same public virtual IP address (VIP) and replied directly to clients with the VIP as the source IP, bypassing ITD. With this feature in NX-OS 9.3.1, clients no longer have visibility into the real IPs of the server/service endpoints. ITD on the switch now performs load balancing as well as NAT: ITD with destination NAT changes the destination address of the IP header, redirecting incoming packets destined for the public IP to a real server's private IP inside the network. The reverse path of the packet flow follows the same approach: the source address (the real server IP) is translated to the VIP, and the traffic is then forwarded to the client. ITD with destination NAT is supported only on a standalone switch today; ITD with NAT over a VXLAN fabric will be supported in future releases.
In the example above, clients send traffic to the ITD virtual IP address (188.8.131.52), treating it as the real destination IP of the server. The ITD switch translates and load balances the traffic to one of the servers' private IP addresses, adding its own IP as the source IP. Return traffic from the server is translated by ITD so that its own VIP is the source IP, and is forwarded back to the client. This way, traffic is load balanced across the servers behind NAT without exposing the servers' real IPs to clients.
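To make the forward and reverse translation in this flow concrete, here is an added Python simulation (not Cisco or NX-OS code) of bucket-hashed load balancing with destination NAT and probe-driven node removal; the VIP is the one quoted above, while the private server IPs, client addresses and the `ItdDestNat` model are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
VIP = "188.8.131.52"  # the ITD virtual IP quoted in the post
SERVERS = ["10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14"]  # constructed real IPs

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class ItdDestNat:
    def __init__(self, vip, nodes, buckets=16):
        self.vip = vip
        self.nodes = list(nodes)
        self.healthy = set(nodes)  # maintained by the health probes
        self.buckets = buckets
        self.flows = {}            # (client ip, client port) -> real server

    def node_down(self, node):     # probe failure: send no new flows there
        self.healthy.discard(node)

    def _pick(self, client_ip):
        # Hash the client source IP into a bucket and map the bucket onto the
        # live nodes, so a client sticks to one server while that server is up.
        live = [n for n in self.nodes if n in self.healthy]
        if not live:
            return None
        h = int.from_bytes(hashlib.sha256(client_ip.encode()).digest()[:4], "big")
        return live[(h % self.buckets) % len(live)]

    def forward(self, pkt):
        """Client -> VIP: rewrite the destination to a real server IP."""
        if pkt.dst != self.vip:
            return pkt             # not ITD traffic, forward untouched
        key = (pkt.src, pkt.sport)
        server = self.flows.get(key)
        if server not in self.healthy:  # new flow, or its pinned server failed
            server = self._pick(pkt.src)
            if server is None:
                return None        # no healthy node left: drop
            self.flows[key] = server
        return Packet(pkt.src, server, pkt.sport, pkt.dport)

    def reverse(self, pkt):
        """Server -> client: translate the real server IP back to the VIP."""
        if self.flows.get((pkt.dst, pkt.dport)) != pkt.src:
            return pkt             # not a translated flow, leave as-is
        return Packet(self.vip, pkt.dst, pkt.sport, pkt.dport)
```

The client only ever sees the VIP in both directions; the flow table is what lets the switch reverse the translation and re-steer a pinned client when its server fails a probe.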
ITD over VXLAN lets customers distribute service nodes anywhere in the fabric and still achieve the benefits of traffic distribution and load balancing. Pairing ITD with NAT adds security benefits on top of those gained from load balancing, by not exposing the real IPs of the service nodes/servers on the network.
Stay tuned for future NX-OS releases covering additional ITD features, scale improvements, and fast convergence improvements.
Can’t wait? Click on the following links for more information:
- NX-OS 9.3.1 release notes
- Nexus 9000 ITD configuration guide