In today’s virtualized data center, Layer 4 to Layer 7 network service appliances such as firewalls, load balancers, proxies, and optimizers play a critical role in the secure and efficient operation of the network. Our previous blog post, Dynamic Service Chaining in a Data Center with Nexus Infrastructure, explored how Cisco Nexus enhanced Policy-Based Redirect (ePBR) enables service insertion and service chaining across these appliances within a single data center fabric. This post continues the discussion with how ePBR enables service chaining across multi-site fabrics.

Expanding Network Functionality

Over the years, many organizations have faced growing requirements to manage and operate applications in highly distributed environments that span multiple sites and availability zones for business continuity and disaster recovery. At the same time, with the massive year-over-year growth in east-west data center traffic, organizations are continually looking for ways to increase data center capacity by scaling horizontally and adding fabrics.

This increased scope in turn drives the scale and high-availability requirements for the network service appliances provisioned across these fabrics. Networks must therefore be able to steer and chain traffic between multiple data center fabrics through such services, so that the data center stays connected and secure while application performance remains optimal.

ePBR Innovations

The set of ePBR innovations available with Cisco NX-OS release 10.2(1) addresses the requirements for service chaining and load balancing between service nodes located in multiple data center fabrics interconnected through the VXLAN EVPN Multi-Site architecture. With VXLAN Multi-Site support, ePBR lets application traffic (both intra- and inter-tenant) in any of the fabrics traverse different service chains and service nodes.

Figure 1 shows how selected application traffic (from host A in Site 1 to host B in Site 2) can be redirected and service-chained by ePBR, first to the active firewall and then load-balanced across a cluster of TCP optimizers. ePBR tracks which firewall is currently active across the sites and automatically redirects the traffic to it.

Figure 1. Fwd flow: HostA -> Firewall -> TCP_optimizer cluster -> HostB

If the reverse policy is enabled, ePBR auto-generates the reverse rules for the return traffic (from host B in Site 2 to host A in Site 1; refer to Figure 2). It reverses the order in which the traffic traverses the chain and reverses the Access Control List (ACL) used to match the traffic, so that source and destination are swapped. ePBR also maintains symmetry for a given flow by redirecting both the forward and the reverse direction to the same service node in the TCP optimizer cluster.

Figure 2. Rev flow: HostB -> TCP_optimizer cluster -> Firewall -> HostA

Additionally, if the TCP optimizer cluster exceeds its capacity, customers can spawn a new TCP optimizer instance at a new location in either site. All that is required is to onboard the new service endpoint in ePBR; the redirection rules needed to distribute traffic across the enlarged cluster are created automatically, with zero-touch rebalancing.
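The following NX-OS configuration fragment is an added illustration of the chain in Figures 1 and 2 (firewall first, then a load-balanced TCP optimizer cluster, with the reverse policy enabled); it is not configuration from the original post. The service names, VRF, VLANs, ACL and IP addresses are invented, and the keywords follow the ePBR CLI as documented for NX-OS, so check them against the ePBR configuration guide for your release (10.2(1) or later for Multi-Site). It also shows, in the last service definition, where the new optimizer endpoint from the scale-out case above would be added.

```text
! Added example (hypothetical names and addresses), not from the original post.
feature epbr

! Match only the forward flow, host A subnet -> host B subnet. With
! "reverse" on the interface policy below, ePBR generates the B -> A
! rule itself, with source and destination swapped.
ip access-list ACL_A_TO_B
  10 permit tcp 10.1.1.0/24 10.2.2.0/24

! Service 1: the firewall. The endpoint IP belongs to the active member
! of the pair; ePBR probes it and follows it when it moves between sites.
! "reverse" names the endpoint used for return traffic (two-arm insertion).
epbr service FIREWALL
  vrf TENANT_A
  service-end-point ip 192.168.10.2 interface Vlan110
    probe icmp
    reverse ip 192.168.10.2 interface Vlan110

! Service 2: the TCP optimizer cluster. Each endpoint is one optimizer;
! the policy load-balances across all healthy endpoints.
epbr service TCP_OPT
  vrf TENANT_A
  service-end-point ip 192.168.30.2 interface Vlan130
    probe icmp
    reverse ip 192.168.30.2 interface Vlan130
  service-end-point ip 192.168.40.2 interface Vlan140
    probe icmp
    reverse ip 192.168.40.2 interface Vlan140
  ! Scale-out: onboarding a third optimizer is one more endpoint; the
  ! load-balancing buckets are redistributed to include it automatically.
  ! (Expect some existing flows to land on a different node afterwards.)
  service-end-point ip 192.168.50.2 interface Vlan150
    probe icmp
    reverse ip 192.168.50.2 interface Vlan150

! The chain. Sequence numbers give the order (firewall, then optimizer).
! Hashing on source IP forward, and on the swapped field in the generated
! reverse rule, keeps both directions of a flow on the same optimizer.
! fail-action: drop for the firewall so a failed firewall does not
! fail open; bypass for the optimizer, which is not a security control.
epbr policy CHAIN_A_TO_B
  match ip address ACL_A_TO_B
    load-balance buckets 8 method src-ip
    10 set service FIREWALL fail-action drop
    20 set service TCP_OPT fail-action bypass

! Apply on the SVI where host A's traffic enters the fabric.
! "reverse" asks ePBR to derive and install the return-path rules.
interface Vlan10
  epbr ip policy CHAIN_A_TO_B reverse
```

After applying it, `show epbr policy CHAIN_A_TO_B` should list both services with their endpoint health, and the generated reverse entries should be visible alongside the forward ones. The choice of `fail-action drop` on the firewall is the security-relevant decision here: with `bypass`, a failed or unreachable firewall would silently let the matched traffic through.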

Service Chaining and Load-Balancing @Scale

ePBR, with its advanced traffic-steering capabilities, keeps application performance optimal. It enables customers to deploy and manage massively scalable applications across multiple fabrics securely and with far less operational effort. In today’s world of programmable and virtualized networks, the service-chaining and load-balancing capabilities of ePBR are key to provisioning agile, flexible, and scalable network services across single or multiple sites.

Key benefits of ePBR include:

  • Simplified service appliance onboarding and service chain creation
  • Optimized utilization of services through selective traffic redirection
  • Ability to scale with symmetric load balancing capabilities
  • Flexible health monitoring of service appliances and failover mechanisms
  • Line-rate traffic forwarding with no impact on throughput and performance

What’s Next?

Cisco Nexus has exciting developments in store: ePBR capabilities are coming to Data Center Network Manager and Nexus Dashboard Insights in upcoming releases. Stay tuned!

To learn more about ePBR, check out: Layer 4 to Layer 7 Service Redirection with Enhanced Policy-Based Redirect White Paper



Krithika Krishna Moorthy

Lead, Technical Marketing Engineer

Cloud Networking