NSH insertion is an optional action of the VAS filter when forwarding to the service chain. An additional header is inserted between the tunneling Ethernet header and the IP payload, as defined in RFC 8300, Network Service Header (NSH). VXLAN-GPE is not supported.
IP => UDP (port 4789) => VXLAN => Ethernet => NSH => IP
The NSH header is populated with the following values:
TTL in the base header is set to 63.
The service-path-id (24-bit number) and service-index (8-bit number) are filled in from the filter entry’s action.
The MD-Type is set to 1 and the 16-byte metadata is filled in. The source of this metadata is discussed below. If no metadata is provided, this field is zero.
The metadata can be specified in the filter entry’s action. The metadata can either be a 16-byte opaque data hex string (zero-padded if it is smaller than 16 bytes), or it can be derived from the subscriber string (in the Alc-Subsc-Id-Str VSA). In the latter case, the subscriber string is truncated after the first 16 bytes, and therefore, these first 16 bytes should be unique.
Alternatively, the opaque data string can be provided by AAA. This source has precedence over the filter entry’s action.
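The header fields and metadata rules described above, as an added Python example (not vendor code): it packs the 24-byte MD Type 1 header in the RFC 8300 bit layout and flags subscriber strings that become indistinguishable after the 16-byte truncation. Assumptions: function and parameter names are hypothetical, the inner payload is IPv4 (Next Protocol 0x01), zero padding is trailing, and a subscriber string shorter than 16 bytes is padded the same way.

```python
import struct

NSH_TTL = 63             # base-header TTL stated in the text
NSH_MD_TYPE = 1          # MD Type stated in the text
NSH_LEN_WORDS = 6        # RFC 8300: an MD Type 1 header is 6 four-byte words
NEXT_PROTO_IPV4 = 0x01   # RFC 8300 Next Protocol value for IPv4

def fit16(data: bytes) -> bytes:
    """Truncate to 16 bytes or pad with trailing zeros (padding side is assumed)."""
    return data[:16].ljust(16, b"\x00")

def select_metadata(aaa_hex=None, filter_hex=None, subscriber_id=None) -> bytes:
    """AAA opaque data takes precedence over the filter action; no source gives zeros."""
    for opaque in (aaa_hex, filter_hex):
        if opaque is not None:
            raw = bytes.fromhex(opaque)
            if len(raw) > 16:
                raise ValueError("opaque metadata is at most 16 bytes")
            return fit16(raw)
    if subscriber_id is not None:
        return fit16(subscriber_id.encode())
    return bytes(16)

def build_nsh(spi: int, si: int, metadata: bytes, next_proto: int = NEXT_PROTO_IPV4) -> bytes:
    """Return the 24-byte NSH: base header, service path header, fixed context header."""
    if not (0 <= spi < 1 << 24 and 0 <= si < 1 << 8):
        raise ValueError("service-path-id is 24 bits, service-index is 8 bits")
    if len(metadata) != 16:
        raise ValueError("MD Type 1 metadata must be exactly 16 bytes")
    # Ver=0, O=0 | TTL (6 bits) | Length (6 bits) | unassigned (4) | MD Type (4) | Next Protocol (8)
    base = (NSH_TTL << 22) | (NSH_LEN_WORDS << 16) | (NSH_MD_TYPE << 8) | next_proto
    return struct.pack("!II", base, (spi << 8) | si) + metadata

def truncation_collisions(subscriber_ids):
    """Group subscriber strings whose first 16 bytes yield identical metadata."""
    groups = {}
    for sid in subscriber_ids:
        groups.setdefault(fit16(sid.encode()), []).append(sid)
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    ids = ["residential-cust-0001", "residential-cust-0002", "biz-7"]  # constructed
    print(build_nsh(100, 255, select_metadata(subscriber_id=ids[0])).hex())
    print(truncation_collisions(ids))
```

Running truncation_collisions over the provisioned subscriber strings before enabling subscriber-derived metadata shows which subscribers a service function downstream could not tell apart.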