17- Service Chain Configuration Guide
This configuration guide is applicable to the following switches and software versions: INTELBRAS SDC 5850 switch
series (Release 6628P48 and later)
Preface
This configuration guide describes the service chain fundamentals.
This preface includes the following topics about the documentation:
• Audience.
• Conventions.
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the SDC 5850 switch series.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] *   Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention          Description
Boldface            Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention          Description
WARNING!            An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION:            An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
Configuring service chains
Overview
Service chain is a forwarding technology used to guide network traffic through service nodes. It is
based on overlay technology combined with the centralized management model of software-defined
networking (SDN). You can configure service chains by using a virtual converged framework
controller (VCFC).
A switch in a service chain can act as a proxy node or an access point.
Node types
A service chain can have the following types of nodes:
• Proxy node—A switch that uses service chain policies deployed by a VCFC to determine
whether to forward a packet into a service chain.
• Access point—A switch that acts as a VXLAN tunnel end point (VTEP). It uses routing policies
deployed by the VCFC to verify whether a packet is qualified to enter a service chain. If the
packet is qualified, the access point encapsulates the packet into a VXLAN packet.
• Service node—A physical device or an NFV device that applies services to the received traffic.
A service chain can contain multiple service nodes.
Figure 1 Network framework (figure not reproduced). Labels: Host A, packet, IP network, proxy node,
VCF controller, and service chain 1 with service node 1 (service list: FW), service node 2
(service list: IPS), and service node 3 (service list: LB).
How it works
The VCFC deploys service chain policies to the proxy node based on different tenant applications.
The proxy node uses the service chain policies to perform packet forwarding and service chain
processing as follows:
1. When the proxy node receives an IP packet, it uses a service chain policy to verify whether the
packet is qualified to enter a service chain.
   • If the packet is qualified, the proxy node forwards the packet to a service node.
   • If the packet is not qualified, the proxy node forwards the packet without service chain
   processing.
2. When the service node receives the packet, it processes the packet and then forwards it back
to the proxy node.
3. When the proxy node receives the packet, it verifies whether the packet is qualified to enter
another service chain.
This procedure is repeated so that the packet can be processed by different service nodes.
Figure 2 Network framework (figure not reproduced). Labels: a server and an access point at Site 1
and at Site 2, IP packets, VXLAN packets, VMs, VCF controller, service node 1 (service list: FW),
service node 2 (service list: NAT), and service node 3 (service list: LB).
Packet format
Figure 3 shows the format of a VXLAN packet that carries service chain information.
Figure 3 Packet format (figure not reproduced; surviving field labels: VXLAN ID, Reserved).
A service chain uses the following fields in the VXLAN header to identify packets:
• Flags—When the S bit is set to 1, the Service chain field is valid. When the S bit is set to 0, the
Service chain field is invalid.
• Service chain—A 24-bit field that includes the D bit and service path ID. When the D bit is set
to 0, the packet is a forward packet. When the D bit is set to 1, the packet is a reverse packet.
The 23-bit service path ID is used to identify a service chain.
How it works
The VCFC deploys routing policies to access points and service nodes based on different tenant
applications. The access points and the service nodes use the routing policies to perform packet
forwarding and service chain processing as follows:
1. When an access point receives an IP packet, it uses the routing policy to verify whether the
packet is qualified to enter a service chain.
   • If the packet is qualified, the access point encapsulates the packet into a VXLAN packet and
   adds service chain information to the VXLAN header. The packet is then forwarded to a
   service node.
   • If the packet is not qualified, the access point forwards the packet without service chain
   processing.
2. When the service node receives the VXLAN packet, it performs the following tasks:
   a. Decapsulates the packet.
   b. Performs a local lookup for a service chain matching the service path ID in the VXLAN
   header of the packet. If a match is found, the service node applies the service to the packet.
   c. Encapsulates the packet into a VXLAN packet and adds service chain information to the
   VXLAN header of the packet according to the routing policy.
   d. Forwards the packet to the next service node.
3. After the last service node completes processing the packet, it encapsulates the packet into a
VXLAN packet without adding service chain information to the VXLAN header. The packet is
then forwarded to the peer access point.
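
The header handling described under Packet format and in steps 1 to 3 above, written out as an added Python example (not vendor code and not part of the original guide). Because Figure 3 is not reproduced, the layout is an assumption: the standard 8-byte VXLAN header of RFC 7348 with the 24-bit Service chain field in the first reserved field, a hypothetical S bit position, and the D bit as the top bit of the field; all function names and sample values are constructed.

```python
import struct

# Assumed layout (Figure 3 is not recoverable from the page): the 8-byte
# RFC 7348 VXLAN header, with the 24-bit Service chain field placed in the
# first reserved field. The position of the S bit in Flags is hypothetical.
I_BIT = 0x08          # RFC 7348 "valid VXLAN ID" flag
S_BIT = 0x01          # hypothetical position of the S bit
D_BIT = 0x800000      # assumed: top bit of the 24-bit Service chain field
PATH_MASK = 0x7FFFFF  # 23-bit service path ID

def encode_header(vxlan_id, path_id=None, reverse=False):
    """Build a VXLAN header; path_id=None means no service chain information."""
    if not 0 <= vxlan_id < 1 << 24:
        raise ValueError("VXLAN ID must fit in 24 bits")
    flags, chain = I_BIT, 0
    if path_id is not None:
        if not 0 <= path_id <= PATH_MASK:
            raise ValueError("service path ID must fit in 23 bits")
        flags |= S_BIT
        chain = path_id | (D_BIT if reverse else 0)
    return struct.pack("!II", flags << 24 | chain, vxlan_id << 8)

def decode_header(header):
    """Return (vxlan_id, path_id, reverse); path_id is None when S is 0."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", header[:8])
    vxlan_id = word1 >> 8
    if not (word0 >> 24) & S_BIT:
        return vxlan_id, None, False  # Service chain field is invalid: ignore it
    chain = word0 & 0xFFFFFF
    return vxlan_id, chain & PATH_MASK, bool(chain & D_BIT)

def service_node(header, local_chains, policy_path_id):
    """Step 2: local lookup by service path ID, then re-encapsulation.
    policy_path_id stands in for the routing policy (hypothetical parameter);
    None models the last service node in step 3."""
    vxlan_id, path_id, reverse = decode_header(header)
    service = local_chains.get(path_id)  # None when no match: service not applied
    return service, encode_header(vxlan_id, policy_path_id, reverse)

def walk_chain():
    """Constructed sample: access point -> FW node -> LB node -> peer access point."""
    hdr = encode_header(vxlan_id=5000, path_id=0x10)              # step 1
    applied1, hdr = service_node(hdr, {0x10: "FW"}, 0x10)         # step 2
    applied2, hdr = service_node(hdr, {0x10: "LB"}, None)         # step 3
    return applied1, applied2, decode_header(hdr)
```

The decoder deliberately discards whatever sits in the Service chain field when S is 0, so stale or crafted bits in that field cannot select a service chain.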