Network Virtualization using Extreme Fabric Connect

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesHigh-end Wiring Closet Switches

161

162

163

164

165

166

167

168

169

170

Table Of Contents

Table of Contents
Table of Contents
Table of Contents
Table of Figures
Table of Figures
Table of Tables
Conventions
Introduction
Reference Architecture
- Shortest Path Bridging Fabric
- Layer 3 Virtualization Overview
- Layer 2 Virtualization Overview
- Data Center Virtualization Overview
- Fabric Connect Positioning
Guiding Principles
- Fabric Connect and Fabric Attach
- Fabric Extend
- Data Center Architecture
Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
  - DVR Domain
  - DVR Controller
  - DVR Leaf
  - DVR Backbone
- Zero Touch Fabric (ZTF)
Foundations for the Service Enabled Fabric
- SPB Service primitives
- SPB Equal Cost Trees (ECT)
IP Routing and L3 Services over Fabric Connect
- Core IGP / GRT IP Shortcuts
- Virtualized L3 VPNs / L3 VSNs
- VPN Security Zones / IP IS-IS Accept Policies
- ISIS IP Route Types and Protocol Preference
L2 Services Over SPB IS-IS Core
- E-LAN / L2 VSNs with CVLAN/Switched UNI
- E-LINE / L2 VSNs with Transparent UNI
- E-TREE / L2 VSNs with Private-VLAN UNI
Fabric Attach
- FA Element Signalling
- FA Service Assignment (I-SID) Signalling
- FA Message Authentication
- FA Zero Touch Provisioning
IP Multicast Enabled VSNs
- Initial Considerations
- IP Multicast Over SPB
- Multicast Services
- SPB Multicast PIM Gateway
  - Deployment Model with PIM-SM
  - PIM Gateway with PIM-SSM
- Inter VSN IP Multicast
Extending the Fabric Across the WAN
- Fabric Extend
- Fabric Extend over IPVPN Service
- Fabric Extend over the Public Internet with IPSec
- Fabric Extend over E-LAN/VPLS Service
- Fabric Extend over E-LINE Service
- VSN Extend with VXLAN Gateway
Distributed Virtual Routing
- Traffic Tromboning Challenges
- DVR Deployment Model
- DVR Host Tracking and Traffic Forwarding
- Eliminating North-South Tromboning
- DVR limitations and Design Alternatives
Quality of Service
- Initial Considerations
- QoS Implementation Over SPB
- QoS Considerations with Fabric Extend
Consolidated Design Overview
- Campus Distribution
- Data Center Distribution
- Data Center Access
High Availability
- System Level Resiliency
  - Hardware Component Redundancy
  - High-Availability Mode
- Network Level Resiliency
- Human Level Resiliency
  - Loop Detection and Protection Mechanisms
Fabric and VSN Security
- Address Space, Routing, and Traffic Separation
- Concealment of the Core Infrastructure
  - Extreme’s Fabric Connect Stealth Networking
- Resistance to Attacks
- Impossibility of Spoofing Attacks
- Stealth Networking Design Guidelines
Fabric as Best Foundation for SDN
Glossary
Reference Documentation
Revisions

Network Virtualization Using Extreme Fabric Connect

establish the initial service path (sections thereof), all additional path notions such as BGP and MPLS are

dependent upon, it meaning that these networks are potentially vulnerable to IP scanning techniques.

Strong access control lists can mask the environment from the general routed core, but this carries with it

its own set of conundrums in that path behavior is dependent upon reachability, as such there is only so

much that can be masked. Certain nodes will need to ‘see’ the IP reachability information, so all of this leads

to a scenario very similar to the trail brushing analogy.

But consider a bird. A bird can arrive at that given location. It will most certainly take a path to get there as

well as one to leave. It will also leave footprints where it lands; this would be its ‘point of presence’ on the

ground. Beyond this, however, there is no trace of the path that the bird took even though it did indeed

take one. No amount of tracking on the ground will effectively yield the path information.

This is because the paths for the bird are occurring on a different plane. Here the analogy to Fabric Connect

is also very strong. In Fabric Connect, path behavior is created at the Ethernet Switched Path level

(hereafter referred to as ESPs). All ESP knowledge is handled within resident link-state databases in each

Fabric Connect switch node. As a result, IP simply becomes a service around the edge of the Fabric

Connect Cloud.

Much like the bird footprints, an IP subnet becomes a ‘service point of presence’. Explicit path information

however is totally obscured from the perspective of IP because the path is not a routed IP hop-by-hop

path; it is held as an ESP at the Ethernet Shortest Path Bridging level.

Tip

The definition of a Stealth Network Topology is as follows:

“A network that is self-contained, with no ingress in or out of it except by strictly

controlled secure access points. The network must also be dark and not visible to IP or

other topological scanning techniques. As such the potential surface for any such activities

is either highly mitigated and protected or totally eliminated due to true isolation.”

In the Extreme Networks Fabric Connect architecture the different VSN types have slightly different stealth

attributes. These are listed in Table 13. By virtue of running over SPB, they all share the stealth property that

the core’s topology cannot be inferred.

Table 13 - Stealth Properties for SPB VSN Types

Stealth Properties

L3 VSN

I-SID ➔ VRF

L2 VSN

I-SID ➔

VLAN

IP Shortcuts

GRT

(VRF-0)

Core’s topology cannot be inferred

✓

✓**

IP interfaces need not exist



✓*



IP interfaces only exist at the edge as

gateways for IP end users in subnet

✓

n/a

✓

All remote IP subnets are 1 hop away

✓

n/a

✓

Network IP interfaces are not bound to any

socket (e.g., SSH, SNMP, HTTPS)

✓

n/a



* NOTE: Any IP interfaces provisioned will expose the L2 VSN to the routing instance to which that IP

interface belongs (i.e., GRT IP Shortcuts or VRF which may or may not be part of an L3 VSN).

** NOTE: While the core topology cannot be determined, the individual switch elements can still be

enumerated through the IS-IS Source IP addresses.