In an application-centric data center, the network needs to have maximum agility to manage workloads and incorporate services such as firewalls, load balancers, proxies and optimizers. These network services enhance compliance, security, and optimization in virtualized data centers and cloud networks. Data center ops teams need an elegant method to insert service nodes and have the ability to automatically redirect traffic using predefined rules as operations change.

Enterprises running their data centers on the Nexus 9000 and NX-OS platform can now seamlessly integrate service nodes into their data center and edge deployments using the new Cisco Enhanced Policy Based Redirect (ePBR) to easily define and manage rules that control how traffic is redirected to individual services.

Challenges with Service Insertion and Service Chaining

The biggest challenge when it comes to introducing service nodes in a data center is onboarding them into the fabric, and subsequently creating the traffic redirection rules. Today, there are two ways of implementing traffic redirection rules – by influencing the traffic path using routing metrics, or by selective traffic redirection using policy-based routing.

The challenge with using routing to influence the forwarding path is that all traffic traverses the same path. This often makes the service node a bottleneck. The only practical way to achieve scale is by vertically scaling the node, which is expensive and limited by how far the node can be expanded.

Policy Based Routing (PBR) rules are also complex to maintain since separate rules are needed for forward and reverse traffic directions in order to maintain symmetry for stateful service nodes. In addition, when there are multiple service nodes in a chain, maintaining PBR rules to redirect traffic across them increases complexity even more.

Introducing Enhanced Policy Based Redirect

NX-OS version 9.3(5) provides Enhanced Policy Based Redirect. The goal of ePBR is to solve some of the challenges with existing redirection rules. In a nutshell, ePBR:

  • Simplifies onboarding service nodes into the network
  • Creates selective traffic redirection rules across a single node or a chain of service nodes
  • Auto-generates reverse redirection rules to maintain symmetry across a service node chain
  • Provides the ability to redirect and load-balance
  • Supports pre-defined and customizable probes to monitor the health of service nodes
  • Supports the ability to either drop traffic, bypass a node, or fallback to routing lookup when a node in a chain fails

ePBR supports all of these capabilities across a fabric running VXLAN with BGP EVPN, as well as a classic core, aggregation, access data center deployment, at line rate switching, with no penalty to throughput or performance. Let’s look at three ePBR use cases.

Use Case 1: ePBR for Selective Traffic Redirection

Various applications may require redirection across different sets of service nodes. With ePBR, redirection rules match application traffic on source/destination IP addresses and L4 ports and redirect it across different service nodes or service chains. In the diagram below, client traffic for Application 1 traverses the firewall and IPS, whereas Application 2 traverses the proxy before reaching the server. This flexibility lets customers on-board multiple applications on their network while complying with security requirements.

Figure: Use Case 1: ePBR for Selective Traffic Redirection

Use Case 2: Selective Traffic Redirection Across Active/Standby Service Node Chain

In this use case, traffic from clients is redirected to a firewall and load-balancer service chain, before being sent to the server. Using probes, ePBR intelligently tracks which node in each cluster is active and automatically redirects the traffic to a new active node if the original active node fails. In this example, the service chain is inserted in a fabric running VXLAN. As a result, traffic from clients is always redirected to the active firewall and then the active load-balancer.

Figure: Use Case 2: Selective Traffic Redirection Across Active/Standby Service Node Chain

Use Case 3: Load-Balancing Across Service Nodes

With exponential growth in traffic, ePBR can intelligently load-balance across service nodes in a cluster, providing the ability to horizontally scale the network. ePBR ensures symmetry is maintained for a given flow by making sure that traffic in both forward and reverse directions is redirected to the same service node in the cluster. The example below shows how traffic inside a mobile packet core is load-balanced across a cluster of TCP optimizers.
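The behaviour described in the three use cases above (match on source/destination prefix and L4 port, redirect across an ordered chain, auto-generate the reverse rule, track the active node with probes, apply a drop/bypass/fallback action when a node fails, and keep forward and reverse traffic on the same cluster member) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Cisco code and not NX-OS ePBR configuration syntax. The service names, node addresses and policy table are constructed for the example, and the probe result is represented by a simple `healthy` flag.

```python
"""Illustrative model of selective redirection, service chaining and
symmetric load-balancing as described on this page.  Added example; not
Cisco code, not NX-OS syntax.  All names/addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hashlib


@dataclass
class ServiceNode:
    name: str
    ip: str
    healthy: bool = True      # in ePBR this would be set by a probe


@dataclass
class Service:
    name: str
    nodes: list               # one node, an active/standby pair, or a cluster
    fail_action: str = "drop"  # "drop" | "bypass" | "forward" (routing lookup)
    load_balance: bool = False  # True: hash flows across healthy members


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Policy:
    """Match on src/dst prefix, protocol and destination port; chain is ordered."""
    src_net: str
    dst_net: str
    proto: str
    dport: int
    chain: list               # ordered service names


def symmetric_key(flow):
    """Order-independent 5-tuple so client->server and server->client hash alike."""
    lo, hi = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_node(service, flow):
    """Active node for a non-balanced service; hashed member for a cluster."""
    live = [n for n in service.nodes if n.healthy]
    if not live:
        return None
    if not service.load_balance:
        return live[0]        # first healthy node is the active one
    digest = hashlib.sha256(symmetric_key(flow).encode()).digest()
    return live[int.from_bytes(digest, "big") % len(live)]


def match_direction(policy, flow):
    """'forward' for the configured rule, 'reverse' for its auto-generated mirror."""
    if flow.proto != policy.proto:
        return None
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in ip_network(policy.src_net) and dst in ip_network(policy.dst_net) \
            and flow.dport == policy.dport:
        return "forward"
    if src in ip_network(policy.dst_net) and dst in ip_network(policy.src_net) \
            and flow.sport == policy.dport:
        return "reverse"
    return None


def redirect(flow, policies, services):
    """Return the node IPs the flow is steered through, in order.
    None means the flow is dropped; a bypassed service is skipped; a
    'forward' fail action ends the chain and the rest is normal routing."""
    for policy in policies:
        direction = match_direction(policy, flow)
        if direction is None:
            continue
        chain = policy.chain if direction == "forward" else policy.chain[::-1]
        path = []
        for name in chain:
            svc = services[name]
            node = pick_node(svc, flow)
            if node is not None:
                path.append(node.ip)
            elif svc.fail_action == "drop":
                return None
            elif svc.fail_action == "bypass":
                continue
            else:                      # "forward": fall back to routing lookup
                break
        return path
    return []                          # no policy matched: ordinary routing


def build_example():
    """Constructed topology: FW pair, IPS, proxy, and a TCP-optimizer cluster."""
    services = {
        "FW": Service("FW", [ServiceNode("fw-a", "192.0.2.11"),
                             ServiceNode("fw-b", "192.0.2.12")]),
        "IPS": Service("IPS", [ServiceNode("ips-1", "192.0.2.21")], fail_action="bypass"),
        "PROXY": Service("PROXY", [ServiceNode("proxy-1", "192.0.2.31")]),
        "TCPOPT": Service("TCPOPT", [ServiceNode(f"opt-{i}", f"192.0.2.{40 + i}")
                                     for i in range(1, 4)],
                          fail_action="forward", load_balance=True),
    }
    policies = [
        Policy("10.1.1.0/24", "10.2.1.0/24", "tcp", 443, ["FW", "IPS"]),   # App 1
        Policy("10.1.1.0/24", "10.2.2.0/24", "tcp", 80, ["PROXY"]),        # App 2
        Policy("10.3.0.0/16", "0.0.0.0/0", "tcp", 443, ["TCPOPT"]),        # mobile core
    ]
    return services, policies
```

Two design points worth noting. The reverse rule is never configured by hand: `match_direction` derives it by swapping the prefixes and testing the source port, which is what removes the operator burden the PBR section describes. The symmetric key sorts the two endpoint tuples before hashing, so both directions of a flow land on the same cluster member. Hashing over the currently healthy members only is a simplification: a single node failure would remap flows on the surviving nodes, and a production implementation would use a fixed bucket table; the page does not describe ePBR's internal bucketing, so this example does not model it.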

Figure: Use Case 3: Load-Balancing Across Service Nodes

Improving Operational Efficiency with Innovations in Cisco ASICs and NX-OS

Cisco continues to provide value to our customers by fully leveraging capabilities designed into Cisco ASICs and innovations in NX-OS software. ePBR enables the rapid on-boarding of a variety of services into data center networks and simplifies how traffic chaining rules are set up, thus reducing time spent provisioning services and improving overall operational efficiency. To learn more about ePBR, refer to the Cisco Nexus 9000 Series NX-OS ePBR Configuration Guide.


Yousuf Khan

Vice President of Technical Marketing

Intent Based Networking Group