Network Virtualization using Extreme Fabric Connect
Table Of Contents
- Table of Contents
- Table of Figures
- Table of Tables
- Conventions
- Introduction
- Reference Architecture
- Guiding Principles
- Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
- Zero Touch Fabric (ZTF)
- Foundations for the Service Enabled Fabric
- IP Routing and L3 Services over Fabric Connect
- L2 Services Over SPB IS-IS Core
- Fabric Attach
- IP Multicast Enabled VSNs
- Extending the Fabric Across the WAN
- Distributed Virtual Routing
- Quality of Service
- Consolidated Design Overview
- High Availability
- Fabric and VSN Security
- Fabric as Best Foundation for SDN
- Glossary
- Reference Documentation
- Revisions
Network Virtualization Using Extreme Fabric Connect
© 2019 Extreme Networks, Inc. All rights reserved. 166
Tip
As a matter of comparison, consider that there are two basic ways an MPLS core can be
attacked: by attacking the provider-edge router, or by attacking the signalling
mechanisms of MPLS. Both types of attacks require specific router configuration via ACLs
to be repelled.
In the Fabric Connect model the latter is simply not applicable nor possible. The former
(attacking the L3 VSN BEB) is equally applicable, though by default the VRF IPs have the
highest levels of protection enabled, without requiring additional configuration.
Impossibility of Spoofing Attacks
Packet spoofing and replay attacks are a form of impersonation attack in which an attacker uses a false
identity (or spoofs the identity of another legitimate device) to obtain unauthorized access to a VSN and its
associated services. This is equally possible at Layer 2 (in L2 VSNs) and Layer 3 (in L3 VSNs): the
attacker tries to generate packets spoofing either an L2 MAC address or an L3 IP address. If the receiver
accepts the spoofed packets, the attacker can fool either the network or the receiver into forwarding
traffic flows to it; the attacker can then scan those flows for authentication sequences, which ultimately
could lead to unauthorized access.
In an L3 VSN service, spoofing VSN IP routes would require the attacker to be able to inject invalid IP routes
into the BEB’s VRF. For this to happen, the attacker would need to try to poison the VRF routing table
using a dynamic routing protocol.
Tip
In the Extreme Networks Fabric Connect implementation, by default, no IP routing
protocol instances exist on VRFs; these are not needed for SPB L3 VSNs to operate. Do
not activate any IP routing protocols on VRF local VLAN IP interfaces where users may
reside (subnet mask shorter than 30 bits, i.e., any subnet larger than a /30).
If a dynamic IP routing protocol (such as OSPF, RIP, BGP) does need to be enabled on a
VRF terminating an L3 VSN (because an authorized traditional IP router needs to be
connected to the VSN), connect these routers using point-to-point 30-bit IP subnets and
always use protocol authentication options (e.g., HMAC-MD5).
Spoofing other users' IP addresses within the same access subnet can easily be done using ARP
spoofing techniques. The only way to repel these attacks is to ensure that standard edge security
features are deployed on the access switches.
Tip
Use these Layer 3 security access features:
• IPv4
  • DHCP Snooping
  • Dynamic ARP Inspection
  • IP Source Guard
• IPv6 - First Hop Security (FHS) - RIPE 554
  • DHCPv6 guard
  • Router Advertisement filtering (RA guard)
  • Dynamic Neighbour Solicitation or Advertisement inspection
  • Neighbour reachability detection inspection
  • Duplicate Address Detection (DAD) inspection
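The following is an added illustration, not code from this guide or from Extreme Networks, of how the IPv4 features above work together: DHCP Snooping populates a binding table, and Dynamic ARP Inspection and IP Source Guard validate ARP frames and IP packets arriving on untrusted access ports against it. The binding entries, port names and MAC/IP addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (learned from DHCP ACKs)."""
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpFrame:
    """Fields of an ARP frame relevant to inspection, as seen on the ingress port."""
    port: str
    vlan: int
    eth_src: str     # Ethernet header source MAC
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


def build_table(bindings):
    """Index bindings by (vlan, ip) so each inspection lookup is a single dict access."""
    return {(b.vlan, b.ip): b for b in bindings}


def inspect_arp(frame, table, trusted_ports):
    """Dynamic ARP Inspection decision: returns ('permit' | 'drop', reason)."""
    if frame.port in trusted_ports:          # uplinks/servers: not inspected
        return "permit", "trusted port"
    if frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "ethernet source differs from ARP sender MAC"
    b = table.get((frame.vlan, frame.sender_ip))
    if b is None:
        return "drop", "no DHCP snooping binding for sender IP"
    if b.mac.lower() != frame.sender_mac.lower() or b.port != frame.port:
        return "drop", "sender IP is bound to a different MAC/port"
    return "permit", "matches binding"


def inspect_ip_source(port, vlan, src_mac, src_ip, table, trusted_ports):
    """IP Source Guard: the same binding check applied to an IP packet's source."""
    if port in trusted_ports:
        return "permit", "trusted port"
    b = table.get((vlan, src_ip))
    if b and b.mac.lower() == src_mac.lower() and b.port == port:
        return "permit", "matches binding"
    return "drop", "source IP/MAC not bound to this port"


# Constructed sample: two DHCP clients in VLAN 10; the gateway sits behind trusted uplink 1/49.
BINDINGS = build_table([
    Binding(10, "10.1.10.11", "aa:bb:cc:00:00:11", "1/1"),
    Binding(10, "10.1.10.12", "aa:bb:cc:00:00:12", "1/2"),
])
TRUSTED = {"1/49"}
```

An ARP reply from port 1/2 claiming the gateway address 10.1.10.1 is dropped because no binding ties that address to that port, which is exactly the ARP-spoofing case the text describes.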