Configuring Third-party Services

Services in the DANZ Monitoring Fabric

Services in the DANZ Monitoring Fabric (DMF) refer to packet modification operations provided by third-party network packet brokers (NPBs), referred to as service nodes. Services can include operations that refine or modify the data stream delivered to analysis tools.

Each service instance is assigned a numeric identifier because multiple services can be specified for a given policy. Services are applied sequentially, applying a service with a lower sequence number first.

Service nodes are optional devices that process interesting traffic before forwarding it to the delivery ports specified by the policy. Example services include time-stamping packets, packet slicing, or payload obfuscation. To configure a service node:

  • Create all the pre-service and post-service interfaces used with the service.
  • Use the DMF interface names to create a service node and add pre-service and post-service interfaces.
Figure 1. Using Services with a Policy
In the figure above, the time-stamping service is applied first, followed by the packet-slicing service. The illustration shows the CLI commands that associate the service with a specific policy. For the illustrated policy, the packet path is as follows:
  1. Filter interface (F3)
  2. Time-stamping service node (pre-service and post-service interfaces)
  3. (optional) Packet-slicing service node (pre-service and post-service interfaces)
  4. Delivery-interface (D2)

Once a policy includes a service, it is only optional if defined explicitly as optional. If not defined as optional in the policy, packet forwarding does not occur when the service is unavailable. For example, configuring the packet-slicing service as optional and a pre-service or post-service interface assigned to that service node is down, the service is skipped, and the packets are delivered to the D2 delivery interface after the time-stamping service is completed. However, if at least one pre-service and post-service interface is unavailable for the time-stamping service, this policy does not forward packets to the delivery interfaces.

Configure all the service interfaces before creating a service definition that uses them.
Note: Before defining a service, first create the service interface names. Otherwise, the service might enter an inconsistent state. If that happens, delete the service definition, create the interfaces, and then re-create the service definition. Alternatively, re-create the service definition without the nonexistent interfaces.
A DMF service can have multiple pre-service and post-service interfaces. Use a Link Access Group (LAG) as a pre-service or a post-service interface.
Note: Arista Networks strongly recommends configuring the post-service and pre-service interfaces on the same switch for any DMF service.

Using the GUI to Configure a DMF Unmanaged Service

To create a DANZ Monitoring Fabric (DMF) unmanaged service, perform the following steps:

  1. Select Monitoring > Services.
    The system displays the following table:
    Figure 2. DMF Unmanaged Service

    This table lists the services configured for the DMF. Add, delete, or modify existing services as required.

  2. To create a new service, click the provision control (+) in the table.
    The system displays the following dialog:
    Figure 3. Create Service Dialog: Info
  3. Type a unique name for the service and optional text description, then click Next.
    The system displays the following dialog:
    Figure 4. Create Service Dialog: Pre-service Interfaces

    This table lists the interfaces assigned as pre-service interfaces for the current service.

  4. To add a pre-service interface, click the provision control (+) in the table.
    The system displays the following dialog:
    Figure 5. Select Pre-service Interfaces

    This table lists the interfaces available for assignment as pre-service interfaces. To configure a new interface, click the provision control (+) in the table. The system displays a dialog for adding a service interface.

  5. Enable the checkbox for one or more interfaces to assign as a pre-service interface for the current service and click Append Selected.
  6. On page two of the Create Service Interface dialog, click Next.
    The system displays the following dialog:
    Figure 6. Create Service Dialog: Post-service Interfaces

    This table lists the interfaces assigned as post-service interfaces for the current service.

  7. To add a post-service interface, click the provision control (+) in the table.
    The system displays the following dialog.
    Figure 7. Select Post-service Interfaces

    This table lists the interfaces available for assignment as post-service interfaces.

    To configure a new interface, click the provision control (+) in the table. The system displays a dialog for adding a service interface, as described in the Configuring DMF Unmanaged Services section.

  8. Enable the checkbox for one or more interfaces to assign as a post-service interface for the current service and click Append Selected.
  9. Click Save on page three of the Create Service Dialog.

Using the CLI to Configure a DMF Unmanaged Service

In the DANZ Monitoring Fabric (DMF), third-party tools that provide packet manipulation services, such as time stamping and packet slicing, are called DMF Unmanaged Services. These optional devices process traffic from filter interfaces before being forwarded to delivery interfaces.
Note: After adding a service to a policy, it is no longer optional unless specifically defining it as optional. If not defined as optional, the policy does not forward packets if the service is unavailable.

To configure an unmanaged service using the CLI, perform the following steps:

  1. Create one or more pre-service interfaces for delivering traffic to the NPB, as in the following example. 
    controller-1(config-switch-if)# switch DMF-CORE-SWITCH
controller-1(config-switch-if)# interface s9-eth1
controller-1(config-switch-if)# role service interface-name pre-serv-intf-1
  2. Create one or more post-service interfaces for receiving traffic from the NPB, as in the following example: 
    controller-1(config-switch-if)# interface s9-eth2
controller-1(config-switch-if)# role service interface-name post-serv-intf-1
  3. Create a service node and add at least one pre-service and at least one post-service interface using the DMF interface names, as in the following example: 
    controller-1(config)#controller-1(config)# unmanaged-service THIRD-PARTY-SERVICE-1
controller-1(config-unmanaged-srv)# description "this is a third-party unmanaged service"
controller-1(config-unmanaged-srv)# pre-service PRE-SERVICE-INTF-1
controller-1(config-unmanaged-srv)# post-service POST-SERVICE-INTF-1
To list the configured services in the DMF fabric, enter the show unmanaged-services command, as in the following example: 
controller-1# show unmanaged-service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Service NameMax from service bandwidth bps Max to service bandwidth bps Total from service bps Total to service bps
-|---------------------|------------------------------|----------------------------|----------------------|--------------------|
1 THIRD-PARTY-SERVICE-1 10Gbps 10Gbps --
~~~~~~~ Post-groups of Service Names ~~~~~~~
# Service NameDmf name
-|---------------------|-------------------|
1 THIRD-PARTY-SERVICE-1 POST-SERVICE-INTF-1
~~~~~~~ Pre-groups of Service Names ~~~~~~~
# Service NameDmf name
-|---------------------|------------------|
1 THIRD-PARTY-SERVICE-1 PRE-SERVICE-INTF-1
To display information about a service, specify the service name, as in the following example: 
controller-1 # show unmanaged-service THIRD-PARTY-SERVICE-1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Service NameMax from service bandwidth bps Max to service bandwidth bps Total from service bps Total to service bps
-|---------------------|------------------------------|----------------------------|----------------------|--------------------|
1 THIRD-PARTY-SERVICE-1 10Gbps 10Gbps --
~~~~~~~ Post-groups of Service Names ~~~~~~~
# Service NameDmf name
-|---------------------|-------------------|
1 THIRD-PARTY-SERVICE-1 POST-SERVICE-INTF-1
~~~~~~~ Pre-groups of Service Names ~~~~~~~
# Service Name SERVICE-1 PRE-SERVICE-INTF-1

Service Insertion and Chaining in a DMF Policy

To configure a DANZ Monitoring Fabric (DMF) policy that uses services provided by an NPB, add the use-service command to the policy. Services can be configured in series, called chaining, as shown below:
Figure 8. Service Insertion and Chaining

Because a given policy can specify multiple services, set a sequence number for each service instance so the services are applied in order for the policy traffic. A lower sequence number applies the service first.

To configure a DMF out-of-band policy that uses services provided by an NPB, use the use-service command from the config-policy submode to add the service to the policy.

The following are the configuration commands for implementing the illustrated example: 
controller-1(config)# policy DMF-POLICY-1
controller-1(config-policy)# use-service UMS-DEDUPLICATE-1 sequence 100
controller-1(config-policy)# use-service UMS-TIMESTAMP-1 sequence 101
In this example, the packet deduplication service is applied first, followed by time stamping. If all the pre-service or post-service interfaces for the packet-slicing service nodes are down, then this service is skipped if configured as optional. In this example, the time-stamping service is applied before the packet deduplication service, and the packet deduplication service is configured as optional. 
controller-1(config)# policy DMF-POLICY-1
controller-1(config-policy)# use-service UMS-TIMESTAMP-1 sequence 100
controller-1(config-policy)# use-service UMS-DEDUPLICATE-1 sequence 101 optional
.. note::
If a service is inserted, the policy can only become active and begin forwarding when at
least one delivery port is reachable from all the post-service interfaces defined for the service.

Enter the show policy command from any mode to display the run time services being applied.