Network Virtualization using Extreme Fabric Connect
Table Of Contents
- Table of Contents
- Table of Figures
- Table of Tables
- Conventions
- Introduction
- Reference Architecture
- Guiding Principles
- Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
- Zero Touch Fabric (ZTF)
- Foundations for the Service Enabled Fabric
- IP Routing and L3 Services over Fabric Connect
- L2 Services Over SPB IS-IS Core
- Fabric Attach
- IP Multicast Enabled VSNs
- Extending the Fabric Across the WAN
- Distributed Virtual Routing
- Quality of Service
- Consolidated Design Overview
- High Availability
- Fabric and VSN Security
- Fabric as Best Foundation for SDN
- Glossary
- Reference Documentation
- Revisions
© 2019 Extreme Networks, Inc. All rights reserved. 168
By default, all innate IP services are based on the GRT. This is the only viable channel of management
communication short of dedicated management VSNs and physically looped-back management interfaces, an
approach that quickly becomes unwieldy. By removing the client user and device communities from the
GRT we obtain a very clean and dedicated IP environment for the management of the fabric and
security infrastructure. No security demarcation interfaces should be allowed between the GRT and the
user community domains. (If any are allowed, proper security exception procedures should be followed and
maintained.)
Access to the GRT should be based on strong multifactor authentication as required by the organization's
security policies. Ideally, the administrator should possess two separate devices for access: one dedicated
to GRT access, with its own user credentials for administrative work, and another for normal user access
with separate user credentials. While virtualization can be used to achieve this separation on a single
device, that separation lies outside anything the fabric provides and is therefore a potential point of
exposure to the GRT. Best security practices for the given virtualization environment should be followed.
Having made accommodations for the isolation of the GRT, we will now address the various user level
services that the fabric has available.
Layer 2 Virtual Service Networks
As covered earlier, L2 VSNs are nothing more than VLANs at the service edge associated with I-SIDs in the
service core. Note that at its most primitive the L2 VSN is a true Layer 2 phenomenon. It can exist
completely on its own without the use of any IP whatsoever. Moreover, these services can be extended
farther and more extensively than any traditional tagged VLAN approach. By default, they have no
association with any VRF. As such they result in fully isolated L2 domains of interest that are ‘dark’
because there is simply no IP addressing anywhere in the topology.
Figure 97 DHCP Services for L2 Virtual Service Networks
As the figure above illustrates, you can even run DHCP services within the L2 VSN and provide a default
gateway for a complete IP user environment, but the only point of exposure is that default gateway. There is
no other way in or out of the service. This produces an obvious ‘data corralling’ effect, which gives a single
security demarcation for the service and any allowed external traffic. This is a great approach for
controlled access environments such as captive portals for guests or contractors, or for highly regulated
environments such as PCI.
Note, however, that if any VLAN termination assigned to the given I-SID were provisioned with an IP
address, it would appear in the GRT and have access to the network control plane, as shown in the
illustration below.
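The caveat above (an I-SID-mapped VLAN that acquires an IP interface outside any VRF silently lands in the GRT) is exactly the kind of drift a periodic configuration audit should catch. The following script is an added example, not code from the Extreme design guide: it parses a constructed, simplified VOSS-style configuration dump (the `vlan create`, `vlan i-sid`, `interface Vlan`, `ip address` and `vrf` keywords and their layout are assumptions about the platform's output, so adapt the regular expressions to a real `show running-config`) and classifies every I-SID-mapped VLAN as a dark L2 VSN, a VRF-bound L3 termination, or a GRT-exposed termination that needs an exception record.

```python
"""Audit a VOSS-style config dump for L2 VSN VLANs that leak into the GRT.

Added example; the config syntax below is a constructed, simplified
approximation of VOSS CLI output and is an assumption, not the vendor's
documented grammar.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: four VLANs in different states of exposure.
SAMPLE_CONFIG = """\
vlan create 100 name "Guest-Portal" type port-mstprstp 0
vlan i-sid 100 10100
vlan create 200 name "Mgmt-Servers" type port-mstprstp 0
vlan i-sid 200 10200
interface Vlan 200
ip address 10.20.0.1 255.255.255.0
exit
vlan create 300 name "Corp-Users" type port-mstprstp 0
vlan i-sid 300 10300
interface Vlan 300
vrf Corp
ip address 10.30.0.1 255.255.255.0
exit
vlan create 4048 name "onboarding-vlan" type port-mstprstp 0
"""


@dataclass
class VlanInfo:
    vid: int
    name: str = ""
    isid: Optional[int] = None   # set when the VLAN is mapped to an I-SID (L2 VSN)
    ip: Optional[str] = None     # set when the VLAN has an IP interface
    vrf: Optional[str] = None    # set when that interface is bound to a VRF


# Assumed line formats (regexes match after whitespace is stripped).
VLAN_CREATE = re.compile(r'^vlan create (\d+)(?: name "([^"]*)")?')
VLAN_ISID = re.compile(r'^vlan i-sid (\d+) (\d+)')
IFACE_VLAN = re.compile(r'^interface vlan (\d+)', re.IGNORECASE)
IP_ADDR = re.compile(r'^ip address (\d+\.\d+\.\d+\.\d+)')
VRF_BIND = re.compile(r'^vrf (\S+)')


def parse_config(text: str) -> Dict[int, VlanInfo]:
    """Build a per-VLAN view: I-SID mapping, IP interface and VRF binding."""
    vlans: Dict[int, VlanInfo] = {}
    current: Optional[VlanInfo] = None   # VLAN whose interface block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VLAN_CREATE.match(line)
        if m:
            vid = int(m.group(1))
            vlans.setdefault(vid, VlanInfo(vid)).name = m.group(2) or ""
            continue
        m = VLAN_ISID.match(line)
        if m:
            vid = int(m.group(1))
            vlans.setdefault(vid, VlanInfo(vid)).isid = int(m.group(2))
            continue
        m = IFACE_VLAN.match(line)
        if m:
            vid = int(m.group(1))
            current = vlans.setdefault(vid, VlanInfo(vid))
            continue
        if line == "exit":
            current = None
            continue
        if current is not None:
            m = IP_ADDR.match(line)
            if m:
                current.ip = m.group(1)
                continue
            m = VRF_BIND.match(line)
            if m:
                current.vrf = m.group(1)
    return vlans


def audit_l2vsn(vlans: Dict[int, VlanInfo]) -> List[Tuple[int, str]]:
    """Classify each I-SID-mapped VLAN by where its IP interface (if any) lives."""
    findings = []
    for v in sorted(vlans.values(), key=lambda x: x.vid):
        if v.isid is None:
            continue                          # plain VLAN, not a VSN: out of scope
        if v.ip is None:
            findings.append((v.vid, "dark"))           # pure L2 VSN, no IP at all
        elif v.vrf is None:
            findings.append((v.vid, "grt-exposed"))    # IP with no VRF: lands in the GRT
        else:
            findings.append((v.vid, "vrf:" + v.vrf))   # routed, but inside a VRF
    return findings


def grt_exposed_vlans(text: str) -> List[int]:
    """Convenience wrapper: VLAN IDs that need a security exception record."""
    return [vid for vid, state in audit_l2vsn(parse_config(text)) if state == "grt-exposed"]


if __name__ == "__main__":
    for vid, state in audit_l2vsn(parse_config(SAMPLE_CONFIG)):
        print(f"VLAN {vid}: {state}")
```

Run against the constructed sample, VLAN 100 is reported as dark, VLAN 300 as bound to VRF `Corp`, and VLAN 200 as GRT-exposed; VLAN 4048 has no I-SID and is ignored. In practice the `grt-exposed` list should be empty, or every entry in it should map to a documented exception as the text above requires.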