Include And Exclude Acls; Virtual Ip Address Filtering; Port Number-Based Filtering; Hot-Standby - Cisco Nexus 9000 Series Configuration Manual

Nx-os intelligent traffic director configuration guide, release 9.x
Include and Exclude ACLs
The include ACL feature allows you to assign an access control list (ACL) to an ITD service. For each access
control entry (ACE) with the permit action in the ACL, ITD generates the IP access lists and the route map that
load-balance the permitted traffic; traffic that matches no permit ACE is not redirected by the service.
You can configure an exclude ACL to specify the traffic that you want ITD to keep out of the ITD load
balancer. Traffic selected by the exclude ACL is routed normally by the RIB and bypasses ITD. An exclude ACL
can filter on both the source and the destination fields. The exclude ACL is evaluated before the virtual IP
address match, so excluded traffic bypasses ITD even when it matches a virtual IP address.

Virtual IP Address Filtering

A virtual IP address can be used to filter traffic for ITD. A virtual IP address and subnet mask combination
for traffic filtering is supported for the destination field only.

Port Number-Based Filtering

Port numbering can be used to filter traffic for ITD. The following methods are supported to filter traffic based
on Layer 4 ports (for example, port 80):
• Matching destination ports: any source or destination IP address with destination port 80 is matched. (For
example, the virtual IP address is configured as 0.0.0.0 0.0.0.0 tcp 80.)
• Matching source ports: any port other than 80 bypasses ITD, and port 80 is redirected. (For example, the
exclude ACL is configured as permit tcp any neq 80 any.)
• Matching multiple port numbers: multiple virtual IP address lines can be configured in ITD, one for each
port.

Hot-Standby

The hot-standby feature reconfigures the switch to look for an operational hot-standby node and select the
first available hot-standby node to replace the failed node. ITD reconfigures the switch to redirect the traffic
segment that was originally headed toward the failed node to the hot-standby node. The service does not
impose any fixed mapping of hot-standby nodes to active nodes.
When the failed node becomes operational again, it is reinstated as an active node. The traffic from the acting
hot-standby node is redirected back to the original node, and the hot-standby node reverts to the pool of
standby nodes.
When multiple nodes fail, traffic destined to all failed nodes gets redirected to the first available hot-standby
node.
The hot-standby node can be configured only at the node level. At the node level, the hot-standby node
receives traffic only if its associated active node fails.
ITD supports N + M redundancy where M nodes can act as hot-standby nodes for N active nodes.
Cisco Nexus 9000 Series NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x
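The following NX-OS configuration is an added example, not taken from the Cisco guide, that ties the include ACL, exclude ACL, virtual IP, port-based filtering and hot-standby features above together in two ITD services. All names, addresses and interfaces (ITD_INCLUDE_HTTP, ITD_EXCLUDE_MGMT, WEB-SERVERS, WEB-SERVERS-ACL, Vlan100, Vlan200, the 10.10.10.0/24 and 192.168.100.0/24 ranges) are assumed, and the prerequisite features listed at the top are taken from the guide's general ITD prerequisites.

```text
! Added example; not Cisco's own configuration. Names and addresses are assumed.
! Prerequisite features for ITD redirection and probes.
feature itd
feature pbr
feature sla sender

! Include ACL: only permit ACEs produce load-balancing entries, so this
! service redirects HTTP to the web subnet and nothing else.
ip access-list ITD_INCLUDE_HTTP
  10 permit tcp any 10.10.10.0/24 eq 80

! Exclude ACL: matching traffic is RIB routed and never reaches the load
! balancer. Exclude ACLs may match on source and destination; here the
! (assumed) management subnet is kept out of the redirection path. Because
! the exclude ACL is evaluated before the virtual IP match, this wins even
! when the destination is the VIP.
ip access-list ITD_EXCLUDE_MGMT
  10 permit ip 192.168.200.0/24 any

! Device group for the VIP service: two active nodes plus one hot-standby
! (N + M redundancy with N = 2, M = 1). The standby only receives traffic
! while an active node is down and returns to the standby pool afterwards.
itd device-group WEB-SERVERS
  probe icmp
  node ip 192.168.100.11
  node ip 192.168.100.12
  node ip 192.168.100.13
    mode hot-standby

! Separate device group for the include-ACL service (one service per
! ingress interface in this example).
itd device-group WEB-SERVERS-ACL
  probe icmp
  node ip 192.168.100.21
  node ip 192.168.100.22

! Service 1: virtual IP with destination-port filtering. The VIP and mask
! apply to the destination only; "tcp 80" and "tcp 443" are the port
! filters, one "virtual ip" line per port (matching multiple ports).
itd WEB-VIP
  device-group WEB-SERVERS
  ingress interface Vlan100
  virtual ip 10.10.10.100 255.255.255.255 tcp 80 advertise enable
  virtual ip 10.10.10.100 255.255.255.255 tcp 443 advertise enable
  exclude access-list ITD_EXCLUDE_MGMT
  failaction node reassign
  no shutdown

! Service 2: include ACL instead of a virtual IP. Only traffic matching a
! permit ACE in ITD_INCLUDE_HTTP is load balanced; everything else on
! Vlan200 is routed normally.
itd WEB-ACL
  device-group WEB-SERVERS-ACL
  ingress interface Vlan200
  access-list ITD_INCLUDE_HTTP
  failaction node reassign
  no shutdown
```

After applying this, check what the switch actually generated rather than trusting the intent: show itd brief lists the services, their nodes and the node states (active, standby, failed), and show running-config itd shows the configured ACLs and virtual IP lines. For an exclude or include ACL the point to confirm is that traffic you expect to bypass the load balancer (here the management subnet) is not being redirected through a node, and that the hot-standby node carries traffic only while an active node is failed.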
Configuring ITD