Network Virtualization using Extreme Fabric Connect

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesHigh-end Wiring Closet Switches

161

162

163

164

165

166

167

168

169

170

Table Of Contents

Table of Contents
Table of Contents
Table of Contents
Table of Figures
Table of Figures
Table of Tables
Conventions
Introduction
Reference Architecture
- Shortest Path Bridging Fabric
- Layer 3 Virtualization Overview
- Layer 2 Virtualization Overview
- Data Center Virtualization Overview
- Fabric Connect Positioning
Guiding Principles
- Fabric Connect and Fabric Attach
- Fabric Extend
- Data Center Architecture
Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
  - DVR Domain
  - DVR Controller
  - DVR Leaf
  - DVR Backbone
- Zero Touch Fabric (ZTF)
Foundations for the Service Enabled Fabric
- SPB Service primitives
- SPB Equal Cost Trees (ECT)
IP Routing and L3 Services over Fabric Connect
- Core IGP / GRT IP Shortcuts
- Virtualized L3 VPNs / L3 VSNs
- VPN Security Zones / IP IS-IS Accept Policies
- ISIS IP Route Types and Protocol Preference
L2 Services Over SPB IS-IS Core
- E-LAN / L2 VSNs with CVLAN/Switched UNI
- E-LINE / L2 VSNs with Transparent UNI
- E-TREE / L2 VSNs with Private-VLAN UNI
Fabric Attach
- FA Element Signalling
- FA Service Assignment (I-SID) Signalling
- FA Message Authentication
- FA Zero Touch Provisioning
IP Multicast Enabled VSNs
- Initial Considerations
- IP Multicast Over SPB
- Multicast Services
- SPB Multicast PIM Gateway
  - Deployment Model with PIM-SM
  - PIM Gateway with PIM-SSM
- Inter VSN IP Multicast
Extending the Fabric Across the WAN
- Fabric Extend
- Fabric Extend over IPVPN Service
- Fabric Extend over the Public Internet with IPSec
- Fabric Extend over E-LAN/VPLS Service
- Fabric Extend over E-LINE Service
- VSN Extend with VXLAN Gateway
Distributed Virtual Routing
- Traffic Tromboning Challenges
- DVR Deployment Model
- DVR Host Tracking and Traffic Forwarding
- Eliminating North-South Tromboning
- DVR limitations and Design Alternatives
Quality of Service
- Initial Considerations
- QoS Implementation Over SPB
- QoS Considerations with Fabric Extend
Consolidated Design Overview
- Campus Distribution
- Data Center Distribution
- Data Center Access
High Availability
- System Level Resiliency
  - Hardware Component Redundancy
  - High-Availability Mode
- Network Level Resiliency
- Human Level Resiliency
  - Loop Detection and Protection Mechanisms
Fabric and VSN Security
- Address Space, Routing, and Traffic Separation
- Concealment of the Core Infrastructure
  - Extreme’s Fabric Connect Stealth Networking
- Resistance to Attacks
- Impossibility of Spoofing Attacks
- Stealth Networking Design Guidelines
Fabric as Best Foundation for SDN
Glossary
Reference Documentation
Revisions

Network Virtualization Using Extreme Fabric Connect

Figure 95 L3 VSN Topology as Seen by IP Scanning Tools

Resistance to Attacks

By resistance to attacks we intend the ability of the core to withstand any denial of service (DoS) attacks

from the outside. It is essential that the core itself should not be accessible for such attacks and that if the

attack is launched from within a VSN, no other VSNs be attained by it. An attack originating on an L2 VSN

service that is not provisioned with any IP interfaces can only target other end-stations within the same

VSN service.

An attack originating on an L3 VSN service will be able to target the gateway IP interfaces on the VRF

where the VSN service is terminated. However, there are no open ports (sockets) on these interfaces with

the exception of DHCP (for the relay agent) and possibly of some routing protocol (e.g., OSPF, RIP, BGP),

but only if an instance of these protocols has been created on the VRF and enabled on the IP interface in

question. By default, the VRF IP interface will only respond to ARP and ICMP, as such any attack will be

limited to ARP poisoning and spoofing (covered in next section).

An attack originating on GRT IP Shortcuts routing domain does instead present some risks, as the network

IP interfaces within this domain are activated for device management and bound to many sockets used for

management protocols (e.g. SSH, SNMP, HTTPs). Extreme’s recommendation is therefore that the GRT IP

Shortcuts routing domain be reserved exclusively for management of the Fabric Connect infrastructure by

only extending it to a management subnet where the Network Management stations reside on one side and

to the SPB nodes on the other. By doing so, this routing domain need not be extended to any user VLAN on

the network access ports.