Network Virtualization using Extreme Fabric Connect

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesHigh-end Wiring Closet Switches

161

162

163

164

165

166

167

168

169

170

Table Of Contents

Table of Contents
Table of Contents
Table of Contents
Table of Figures
Table of Figures
Table of Tables
Conventions
Introduction
Reference Architecture
- Shortest Path Bridging Fabric
- Layer 3 Virtualization Overview
- Layer 2 Virtualization Overview
- Data Center Virtualization Overview
- Fabric Connect Positioning
Guiding Principles
- Fabric Connect and Fabric Attach
- Fabric Extend
- Data Center Architecture
Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
  - DVR Domain
  - DVR Controller
  - DVR Leaf
  - DVR Backbone
- Zero Touch Fabric (ZTF)
Foundations for the Service Enabled Fabric
- SPB Service primitives
- SPB Equal Cost Trees (ECT)
IP Routing and L3 Services over Fabric Connect
- Core IGP / GRT IP Shortcuts
- Virtualized L3 VPNs / L3 VSNs
- VPN Security Zones / IP IS-IS Accept Policies
- ISIS IP Route Types and Protocol Preference
L2 Services Over SPB IS-IS Core
- E-LAN / L2 VSNs with CVLAN/Switched UNI
- E-LINE / L2 VSNs with Transparent UNI
- E-TREE / L2 VSNs with Private-VLAN UNI
Fabric Attach
- FA Element Signalling
- FA Service Assignment (I-SID) Signalling
- FA Message Authentication
- FA Zero Touch Provisioning
IP Multicast Enabled VSNs
- Initial Considerations
- IP Multicast Over SPB
- Multicast Services
- SPB Multicast PIM Gateway
  - Deployment Model with PIM-SM
  - PIM Gateway with PIM-SSM
- Inter VSN IP Multicast
Extending the Fabric Across the WAN
- Fabric Extend
- Fabric Extend over IPVPN Service
- Fabric Extend over the Public Internet with IPSec
- Fabric Extend over E-LAN/VPLS Service
- Fabric Extend over E-LINE Service
- VSN Extend with VXLAN Gateway
Distributed Virtual Routing
- Traffic Tromboning Challenges
- DVR Deployment Model
- DVR Host Tracking and Traffic Forwarding
- Eliminating North-South Tromboning
- DVR limitations and Design Alternatives
Quality of Service
- Initial Considerations
- QoS Implementation Over SPB
- QoS Considerations with Fabric Extend
Consolidated Design Overview
- Campus Distribution
- Data Center Distribution
- Data Center Access
High Availability
- System Level Resiliency
  - Hardware Component Redundancy
  - High-Availability Mode
- Network Level Resiliency
- Human Level Resiliency
  - Loop Detection and Protection Mechanisms
Fabric and VSN Security
- Address Space, Routing, and Traffic Separation
- Concealment of the Core Infrastructure
  - Extreme’s Fabric Connect Stealth Networking
- Resistance to Attacks
- Impossibility of Spoofing Attacks
- Stealth Networking Design Guidelines
Fabric as Best Foundation for SDN
Glossary
Reference Documentation
Revisions

Network Virtualization Using Extreme Fabric Connect

The most stealth VSN is an L2 VSN where no IP interface has been defined, as this is a totally closed L2

environment where nothing can enter or exit unless otherwise provisioned. It is invisible to the IP protocol

as IP is not being used. IP can still run ‘inside’ the L2 VSN but with the IP subnet being established by the

devices that are attaching into it. This type of service is useful for protocols that are used for control and

management of security critical infrastructure such as power grids, subways, and trains as well as

automated production and manufacturing floors. These environments are extremely sensitive and

providing a totally closed L2 environment for these types of applications is very important.

Note

An L2 VSN where IP address(es) are defined on the VLAN of the terminating BEB(s) will

expose the L2 VSN to the routing domain (GRT IP Shortcuts, or VRF which may or may

not be part of an L3 VSN) to which that IP interface belongs. In this case, we would

consider the stealthness of that routing domain service.

With L3 VSN and IP Shortcuts, each IP subnet is advertised from its point of presence into IS-IS. Within

these service types, IP routing happens exclusively at ingress and egress of the SPB fabric. Each subnet

views itself as one hop away even though in reality there are a wide variety of potential ESPs involved in

the actual data transits. The core of the network is consequently ‘dark’ to the IP protocol.

As such, IP scanning yields little information, and no sense of topology. Even the IP routing table, which

clearly exists in the GRT / VRF where the service is terminated will show all the IP routes known within the

service, but those routes which are reachable across the Fabric Connect crucially do not have a next-hop IP

address. The next-hop is in fact the IS-IS System-ID (BMAC) of the SPB node where that destination subnet

has its point of presence. This is illustrated for the GRT below .

Figure 94 Stealth Networking with IP Shortcuts (L3 VSN)

An L3 VSN will present additional stealth properties due to the fact that, in the Extreme Networks VSP

series platforms, VRF IP interfaces are not bound to any higher layer sockets (no management access) and

hence cannot be used to gain any additional information from such interfaces and any interaction with

them will be mostly limited to ARP and ICMP.