2014-04-18
For Programmers: Basic Network Training
James Jongseog Ahn
Senior Managing Director, NAIM
[email protected]
April, 2014
Table of contents
1 Network Architecture
2 IEEE 802.3 Ethernet
3 Internet Protocol
4 VLAN
5 Spanning Tree
6 LACP
7 Routing (Basic, BGP)
8 SNMP
9 Network Applications
LAN Extension and Virtualization using Layer 3 Protocols
Virtual Bridging for DC Carrier Ethernet Data Center Ethernet
Brief history of the Internet
Programming without Architecture
• Application
• Network
• Terminal
Jobs for SDN Programmer
The 4 Layer Internet Model
Peer layers communicate
(figure: Program ↔ Program; Database / Protocol / Program)
• SDN: Enabling a shift from protocols to applications
What is SDN for programmers?
Why is the Network Layer often called “Layer3”?
The TCP Segment Format
$ python tcp_sixteen.py server
Listening at ('127.0.0.1', 1060)
We have accepted a connection from ('127.0.0.1', 58185)
Socket connects ('127.0.0.1', 1060) and ('127.0.0.1', 58185)
The incoming sixteen-octet message says 'Hi there, server'
Reply sent, socket closed
Listening at ('127.0.0.1', 1060)
Connection oriented: 3-way handshake
Typical SYN Attack
The TCP Service Model
User Datagram Protocol (UDP)
UDP and TCP port numbers - 3 ranges
• “Well-Known Ports” (0–1023) are for the most important and widely-used protocols. On many Unix-like operating systems, normal user programs cannot use these ports, which prevented troublesome undergraduates on multi-user machines from running programs to masquerade as important system services. Today the same protections apply when hosting companies hand out command line Linux accounts.
• “Registered Ports” (1024–49151) are not usually treated as special by operating systems—any user can write a program that grabs port 5432 and pretends to be a PostgreSQL database, for example—but they can be registered by the IANA for specific protocols, and the IANA recommends that you avoid using them for anything but their assigned protocol.
• The remaining port numbers (49152–65535) are free for any use. They, as we shall see, are the pool on which modern operating systems draw in order to generate
Internet Assigned Numbers Authority (IANA)
TCP vs UDP
CPU Utilization for I/O Interrupt
$ python big_sender.py guinness
The message did not make it
MTU: 1500
$ python big_sender.py localhost
The message did not make it
MTU: 16436
UDP Fragmentation
IEEE 802.3 Ethernet Overview
Ethernet Type   Cable                    Minimum Length Between Nodes (m)   Maximum Segment Length (m)
10BaseT         UTP                      2.5                                100
10BaseFL        Fiber                    N/A                                4000
100BaseT        UTP                      2.5                                100
100BaseFX       Fiber                    N/A                                2000
1000BaseT       UTP (CAT-5 minimum)      2.5                                100
1000BaseSX      Fiber (multi-mode)       N/A                                225-550
1000BaseLX      Fiber (multi-mode)       N/A                                550
1000BaseLX      Fiber (single-mode)      N/A                                5000
10GBASE-SR      Fiber (multi-mode)       N/A                                300
10GBASE-LR      Fiber (single-mode)      N/A                                10000
IEEE 802.3 Ethernet Overview
• Ethernet at the Data Link layer has two responsibilities:
– Ethernet addressing, also known as hardware addressing, and most commonly as MAC addressing.
– Framing packets received from the Network layer and preparing them for transmission on the local network via the Ethernet contention media access method.
Ethernet MTU is 1500 bytes (see the big_sender.py output above); PPPoE MTU is 1492.
Ethernet Speeds
• IEEE 802.3ba-2010 (40G/100G) standard
• 10 Mbps, 100 Mbps, 1 Gbps versions have both CSMA/CD and full-duplex versions
• No CSMA/CD in 10G and up
• No CSMA/CD in practice now, even at home or at 10 Mbps
• 1 Gbps in residential, enterprise offices
• 1 Gbps in data centers, moving to 10 Gbps and 40 Gbps
• 100G in some carrier core networks
• 100G is still more expensive than 10×10G
• Note: only decimal bit rates are used in networking; no cheating like the binary byte values used in storage (buy 256 GB disk = 238.4 GB storage)
CSMA/CD
Carrier Sense Multiple Access With Collision Detection (CSMA/CD)
With a 2500 m maximum length, the round-trip time (2T) is 51.2 μs, and a sender must keep transmitting for 2T before it can be sure of detecting a collision. That fact enforces a 51.2 μs slot time; at 10 Mbps, 51.2 μs is 512 bits, i.e. a minimum frame size of 64 bytes, which assures collision detection.
Extensions of Ethernet
• Interfaces for 10 Gigabit Ethernet Connections
• 802.3ae defines two PHY types:
  – LAN PHY
  – WAN PHY
Polarization Mode Dispersion (PMD)
Extensions of Ethernet
• 802.3z Gigabit Ethernet Overview
• CSMA/CD
• 802.3ae 10 Gigabit Ethernet Overview
Extensions of Ethernet
• Gigabit Ethernet Auto-Negotiation
  – Duplex mode
  – Flow control type
• Pause feature for flow control
  – Symmetric: This station is capable of transmitting and receiving pause frames.
  – Asymmetric TX: This station is capable of transmitting pause frames, but will not receive pause frames.
  – Asymmetric RX: This station is capable of receiving pause frames, but will not transmit pause frames.
  – Disabled: This station is not capable of transmitting or receiving pause frames.
Extensions of Ethernet
• Two primary types of media for Gigabit Ethernet:
  – 1000BaseSX (short wave)
    • This media type is intended for short-haul operations.
    • Operates in the 850 nanometer (nm) window over multi-mode fiber (MMF), as follows:
      – 50 micron multi-mode fiber-optic cable (500 to 550 meters maximum)
      – 62.5 micron multi-mode fiber-optic cable (220 to 275 meters)
    • Utilizes a Class 1 laser as an optical driver.
  – 1000BaseLX (long wave)
Extensions of Ethernet
• Two primary types of media for Gigabit Ethernet:
  – 1000BaseSX (short wave)
  – 1000BaseLX (long wave)
    • This media type is intended for long-haul operations.
    • Operates in the 1300 nm window.
    • Utilizes a Class 1 laser as an optical driver.
    • Can operate over both single-mode fiber (SMF) and multi-mode fiber (MMF). However, the use of a mode-conditioning patch cord is required if MMF is used.
    • 1000BaseLX implements long-wavelength laser transmissions with links up to 550 meters over multi-mode fiber-optic cable, and 3,000 meters over single-mode fiber-optic cable.
    • MGBIC-08 is a Mini-Gigabit Ethernet port interface with one 1000Base-LX/LH port via LC connector at distances up to 70 kilometers
Extensions of Ethernet
• Mode-Conditioning Patch Cords
Extensions of Ethernet
• LAN Applications of 10 Gigabit Ethernet
SDN for WAN??
Market: Residential vs. Data Center Ethernet
bit error rate or bit error ratio (BER)
ARP
• Address Resolution Protocol (ARP) is a mechanism used by IP to find the hardware address of a host from an IP address.
• When IP is trying to send a datagram to the Data Link Layer (layer 2), Ethernet will be informed to look for the hardware address, also known as MAC Address, of the destination in the local network. Since Ethernet is using hardware addresses to identify source and destination, ARP will be used to obtain the hardware address by broadcasting the specified IP address. Then the machine that matched the specified IP address will reply with the requested hardware address.
Replacing with ‘broadcast MAC address’ for SDN
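The ARP request and reply just described, as an added Python example that is not part of the slides: it builds the Ethernet frame carrying an ARP message, parses one back, and fills an IP-to-MAC cache from the replies. The MAC and IP values are constructed. Because an ARP reply carries nothing that proves who sent it, the cache also records when a known IP starts answering from a different MAC; that is the kind of change a network operator wants flagged for review.

```python
import struct

ETHERTYPE_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Ethernet frame carrying one ARP message (RFC 826 layout for Ethernet/IPv4).
    A request goes to the broadcast MAC because the sender does not yet know the
    target's hardware address; a reply is unicast back to the requester."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    header = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return header + arp


def parse_arp_frame(frame):
    """Decode the 14-byte Ethernet header and the 28-byte ARP message behind it."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class ArpCache:
    """The IP -> MAC table a host fills from ARP replies. ARP has no
    authentication, so the cache also keeps a list of every time a known IP
    started answering from a different MAC; each such change is worth a look."""

    def __init__(self):
        self.table = {}
        self.changes = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp["opcode"] != ARP_REPLY:
            return None                       # requests only ask; they do not populate the cache here
        previous = self.table.get(arp["sender_ip"])
        if previous is not None and previous != arp["sender_mac"]:
            self.changes.append((arp["sender_ip"], previous, arp["sender_mac"]))
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        return arp


if __name__ == "__main__":
    # Constructed exchange: 10.0.0.1 asks who has 10.0.0.2, and 10.0.0.2 answers.
    request = build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.1", "10.0.0.2")
    reply = build_arp_frame(ARP_REPLY, "66:77:88:99:aa:bb", "10.0.0.2", "10.0.0.1",
                            target_mac="00:11:22:33:44:55")
    cache = ArpCache()
    cache.observe(request)
    cache.observe(reply)
    print(cache.table)
```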
IEEE 802.3 Ethernet Overview
• Ethernet Data Frames (Frame Types)
Bridges and Switches
• Source Address Table (SAT)
  – Static database: Contains source addresses that are entered by a network administrator.
  – Learned database: Consists of source addresses that accumulate as part of the learning process.
    from ryu.base import app_manager
    from ryu.controller import ofp_event
    from ryu.controller.handler import MAIN_DISPATCHER, set_ev_cls

    class L2Switch(app_manager.RyuApp):
        def __init__(self, *args, **kwargs):
            super(L2Switch, self).__init__(*args, **kwargs)

        # Runs for every Packet-In the switch sends to the controller once the
        # OpenFlow handshake has completed (MAIN_DISPATCHER state).
        @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
        def packet_in_handler(self, ev):
            msg = ev.msg                    # the OFPPacketIn message
            dp = msg.datapath               # the switch that sent it
            ofp = dp.ofproto                # OpenFlow constants for that switch's protocol version
            ofp_parser = dp.ofproto_parser  # message and action builders for that version
            in_port = msg.match['in_port']  # port the packet arrived on
• MAC address table
• Port up/down events
• VLANs
• LLDP
• ???
MAC Address Format
SDN programmer can see MAC Address!! And, can make personal tables.
Building a Source Address Table
SAT
MAC A   Port 1
MAC B   Port 2
MAC C   Port 3
etc.
SDN programmer can see Port and MAC Address!! And, can make personal tables.
Link Layer Discovery Protocol (LLDP)
Bootstrapping for SDN Switch
Switches require initial configuration: Switch IP address,
Controller IP address, Default gateway
Switches connect to the controller
Switch provides configuration information about ports
Controller installs a rule to forward LLDP responses to
controller and then sends a LLDP request which is
forwarded to all neighbors.
Controller determines the topology from LLDP responses
37
LLDP for SDN Controller
The Internet Protocol
IP Header
IPv4 Datagram
IPv4
• IPv4 Addressing Notation
  – Four bytes (32 bits) of address
  – Computers see binary
    • 00001010 00000000 00000000 00000001
  – Dotted decimal notation is used for human readability
    • 10.0.0.1
• Full range of IP addresses is from 0.0.0.0 through 255.255.255.255
  – Represents a total of 4,294,967,296 possible IP addresses
(figure: 10 . 0 . 0 . 1 = 8 bits . 8 bits . 8 bits . 8 bits)
IPv4 Classes
IPv4 Classes
• IP Network Numbering
IPv4 Classes
• Special addresses
  – IP Loopback Address 127.0.0.1
  – Zero Addresses 0.0.0.0 through 0.255.255.255
  – Private Addresses: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16
Class A addresses begin with 0xxx, or 1 to 126 decimal. Example: 120.10.100.45 255.0.0.0 = 120.10.100.45/8
Class B addresses begin with 10xx, or 128 to 191 decimal. Example: 172.102.16.241 255.255.0.0 = 172.102.16.241/16
Class C addresses begin with 110x, or 192 to 223 decimal. Example: 198.178.102.2 255.255.255.0 = 198.178.102.2/24
Class D addresses begin with 1110, or 224 to 239 decimal.
Class E addresses begin with 1111, or 240 to 254 decimal.
Classes D and E are reserved and are not used for general IP address allocation.
Subnet Masks and Subnetting
Worked example: 176.203.126.143 with its classful (Class B) mask
                  176        203        126        143
Bit values        128 64 32 16 8 4 2 1 in each octet
Binary            10110000   11001011   01111110   10001111
Network mask      11111111   11111111   00000000   00000000   = 255.255.0.0
Classful network  10110000   11001011   00000000   00000000   = 176.203.0.0
Subnet Masks and Subnetting
• Problems with the partitioning of IPv4 Address space
  – Problem 1: Lack of support for mid-sized organizations
    • Class B addresses support 64k hosts per network, too large
    • Class C addresses support 256 hosts per network, too small
  – Problem 2: Route table size getting too large
    • Roughly 2 million plus networks for all class C addresses
  – Solution:
    • Variable Length Subnet Masking (VLSM)
    • Classless Inter-Domain Routing (CIDR)
Classless InterDomain Routing - CIDR
• Classless InterDomain Routing. CIDR was invented several years ago to keep the Internet from running out of IP addresses.
• People realised that addresses could be conserved if the class system was eliminated. By accurately allocating only the amount of address space that was actually needed, the address space crisis could be avoided for many years.
• So now if someone has a class A address but wants to restrict the number of hosts, they can use CIDR or subnetting.
  Example: 120.10.100.45/8 can become 120.10.100.45/24. This then restricts the number of hosts on this network to 254, because 120.10.100.0 is the network address and 120.10.100.255 is the broadcast address.
• How many hosts would be allowed on the network with the following address? 20.10.100.45 255.255.255.240, or 20.10.100.45/28
IPv6 Addressing Notation
• IPv6 Addressing Notation
  – 16 bytes (128 bits) long
  – Full notation depicts pairs of IPv6 bytes separated by a colon, and each byte in turn is represented as a pair of hexadecimal digits: E3D7:0000:0000:0000:51F4:9BC8:C0A8:6420
  – Shorthand notation removes bytes with a zero value from the text representation (though the bytes are still present in the actual network address) as follows: E3D7::51F4:9BC8:C0A8:6420
  – Mixed notation is used when IPv6 addresses are extensions of IPv4 addresses: the rightmost four bytes of an IPv6 address (the rightmost two byte pairs) may be rewritten in the IPv4 notation as follows: E3D7::51F4:9BC8:192.168.100.32
• This larger size means that IPv6 supports more than 300,000,000,000,000,000,000,000,000,000,000,000,000 possible addresses
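A worked version of the subnetting and notation material above, as an added Python example that is not part of the slides. It uses the standard ipaddress module to derive the class from the leading bits, to compute network, broadcast and usable host count for a given mask or prefix (for instance the 20.10.100.45/28 question), and to show that the three IPv6 notations name the same 128-bit value. The address values are the ones on the slides.

```python
import ipaddress

# Classful prefix lengths from the slides (Classes D and E are not allocated to hosts).
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """Class letter from the leading bits of the first octet:
    A = 0xxx, B = 10xx, C = 110x, D = 1110, E = 1111."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def mask_to_prefix(mask):
    """255.255.255.240 -> 28 (a non-contiguous mask is rejected by ipaddress)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def dotted_binary(addr):
    """Four 8-bit groups, the way the slides draw an address."""
    return " ".join(format(int(octet), "08b") for octet in str(addr).split("."))


def subnet_summary(addr, prefix=None):
    """Network, broadcast and usable host count for addr/prefix.
    With no prefix given, the classful mask implied by the address class is used."""
    if prefix is None:
        prefix = CLASSFUL_PREFIX[address_class(addr)]
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    # The network and broadcast addresses are not assignable to hosts; /31 and
    # /32 are the point-to-point and host-route special cases that keep every address.
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "prefix": prefix,
        "mask": str(net.netmask),
        "mask_binary": dotted_binary(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def ipv6_forms(text):
    """Full, shorthand and embedded-IPv4 views of one IPv6 address: the three
    notations on the slide all parse to the same 128-bit value."""
    a = ipaddress.IPv6Address(text)
    return {
        "full": a.exploded,
        "short": a.compressed,
        "low_32_bits_as_ipv4": str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)),
    }


def ipv6_address_count():
    return 2 ** 128


if __name__ == "__main__":
    print(subnet_summary("20.10.100.45", mask_to_prefix("255.255.255.240")))
    print(subnet_summary("176.203.126.143"))            # classful: Class B, /16
    print(ipv6_forms("E3D7::51F4:9BC8:192.168.100.32"))
```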
IEEE 802.1Q VLAN Overview
• What is a VLAN?
  – A Virtual Local Area Network
  – A VLAN is a logical Layer 2 boundary for containing all traffic associated to it
  – VLAN members do not have to be physically connected to the same switch
  – VLAN members can be dispersed throughout a switched network
Think about VLAN for SDN!!
IEEE 802.1Q VLAN Overview
• Benefits of VLANs
  – Broadcast (traffic) containment
  – Simplify administrative adds, moves, and changes
  – Shared resources are not bound by physical location
  – Bandwidth management
  – Security
IEEE 802.1Q VLAN Overview
• Compare Traditional Network Design
• Versus VLAN Design
Layer 2/3 Switch
What is Router?
IEEE 802.1Q VLAN Overview
• VLAN ID (VID)
• VLAN name
• PVID
• Filtering Database (FDB)
• FID
• VLAN Tag
• Tagged Frame
• Default VLAN
• Access Port
• Trunk Port
• Generic Attribute Registration Protocol VLAN Registration Protocol (GVRP)
Think about VLAN ID for OpenFlow!!
IEEE 802.1Q Tagging
(figure: tagged Ethernet frame layout)
Preamble/SFD (8 bytes) | MAC DA (6 bytes) | MAC SA (6 bytes) | Q Tag (4 bytes) | Length/Type (2 bytes) | Data / LLC (46 - 1500 bytes) | CRC (4 bytes); tagged frame 68 - 1522 bytes
Q Tag = Tag Protocol Identifier (TPI, 16 bits, value 81 00) + Tag Control Information (TCI, 16 bits): Priority (3 bits), CFI (1 bit), VLAN ID (VID, 12 bits)
2^12 = 4,096
IEEE 802.1Q VLAN Overview
• Preparing for VLAN Configuration
  – What is the purpose of the VLAN design? (i.e. Security containers, Traffic broadcast containment)
  – How many VLANs will be required?
  – What stations (end users, servers, etc.) will belong to them?
  – What ports on the switch are connected to those stations?
IEEE 802.1Q VLAN Overview
• Plan for Default VLAN and Number of Supported VLANs
  – By default, all ports on all switches are:
    • Assigned to VLAN ID 1
    • On the egress list of VLAN 1 as untagged
  – The number of VLANs and range (VIDs) supported varies depending on the device
  – IEEE 802.1Q specifies 4094 VLAN IDs; the allowable user-configurable range for VLAN IDs (VIDs) is from 1 through 4094
  – VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority info rather than a VLAN identifier
    • It cannot be configured as a port VLAN ID (PVID)
  – VID 1 is designated as the default Port VLAN IDentifier (PVID) and cannot be deleted
  – VID 4095 is reserved by IEEE
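An added Python example (not from the slides) that builds and parses the 802.1Q tag described above and applies the VID rules: TPID 0x8100, then PCP (3 bits), CFI (1 bit) and VID (12 bits); an untagged or priority-tagged (VID 0) frame is assigned the port's PVID, VID 4095 is never a usable VLAN, and only 1 through 4094 can be a PVID. MAC addresses and payload are constructed, and the FCS is left off.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier, "81 00" on the slide
VID_NULL = 0          # priority-tagged frame: the tag carries priority only, no VLAN
VID_RESERVED = 4095   # reserved by IEEE 802.1Q; never a usable VLAN


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def build_frame(dst, src, ethertype, payload, tag=None):
    """Ethernet II frame; tag=(pcp, cfi, vid) inserts the 4-byte 802.1Q tag
    between the source MAC and the Length/Type field."""
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    if tag is not None:
        pcp, cfi, vid = tag
        if not (0 <= pcp <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
            raise ValueError("PCP is 3 bits, CFI 1 bit, VID 12 bits")
        tci = (pcp << 13) | (cfi << 12) | vid
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, optional tag, Length/Type and payload."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack("!H", frame[16:18])  # the real Length/Type follows the tag
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def classify_ingress(frame, pvid):
    """VLAN a frame belongs to after arriving on a port with the given PVID:
    untagged and priority-tagged (VID 0) frames take the PVID, a tagged frame
    keeps its VID, and the reserved VID 4095 is not a VLAN at all (None = drop)."""
    tag = parse_frame(frame)["tag"]
    if tag is None or tag["vid"] == VID_NULL:
        return pvid
    if tag["vid"] == VID_RESERVED:
        return None
    return tag["vid"]


def valid_pvid(vid):
    """User-configurable VIDs are 1..4094; neither 0 nor 4095 can be a PVID."""
    return 1 <= vid <= 4094


if __name__ == "__main__":
    # Constructed frame: broadcast destination, IPv4 Length/Type, VLAN 20 with priority 5.
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" + b"\x00" * 19, tag=(5, 0, 20))
    print(parse_frame(f)["tag"], classify_ingress(f, pvid=1))
```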
IEEE 802.1Q VLAN Overview
• There are 2 ways for a switch to learn & use VLAN addressing info:
  – Independent Virtual Local Area Network (VLAN) Learning (IVL): Each VLAN uses its own filtering database.
  – Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share source address info.
VLAN Database and Forwarding
Example: an untagged frame enters port 3, and port 3 has PVID = 20. What happens at port 4 depends on VLAN 20's egress list:
• Port 4 is in the egress queue of VLAN 20 as untagged: the packet exits port 4 untagged
• Port 4 is in the egress queue of VLAN 20 as tagged: the packet exits port 4 tagged
• Port 4 is not in the egress queue of VLAN 20: the packet is not transmitted out of port 4
It can be a program for SDN!!
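The Source Address Table learning of the bridging slides earlier and the three VLAN egress cases just above, modelled together in one added Python example (not the slides' Ryu code): a switch with one filtering database per VLAN (IVL), a PVID per port, and a tagged/untagged egress list per VLAN. Frames are handed in as already-parsed fields (ingress port, source MAC, destination MAC, optional VID). Port numbers and MAC addresses are constructed. Two details are modelling choices rather than slide content: the per-VLAN table has a size limit, so a flood of random source addresses cannot grow it without bound, and ingress filtering is on, so a frame is dropped when its VLAN does not include the ingress port.

```python
from collections import OrderedDict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Learning switch with a filtering database per VLAN (IVL), a PVID per
    port and a per-VLAN egress list saying which ports send that VLAN's frames
    and whether they do so tagged or untagged."""

    def __init__(self, ports, max_entries_per_vlan=1024):
        self.ports = list(ports)
        self.pvid = {p: 1 for p in self.ports}                  # default: every port in VLAN 1 ...
        self.egress = {1: {p: "untagged" for p in self.ports}}  # ... on VLAN 1's egress list, untagged
        self.fdb = {}                                           # vid -> OrderedDict(mac -> port)
        self.max_entries = max_entries_per_vlan                 # added bound on table growth

    def add_vlan(self, vid, untagged=(), tagged=()):
        """(Re)define VLAN vid's egress list."""
        self.egress[vid] = {p: "untagged" for p in untagged}
        self.egress[vid].update({p: "tagged" for p in tagged})

    def set_pvid(self, port, vid):
        self.pvid[port] = vid

    def learn(self, vid, mac, port):
        """Source-address learning into the VLAN's own table; when the table is
        full the oldest entry is evicted instead of the table growing unbounded."""
        table = self.fdb.setdefault(vid, OrderedDict())
        if mac in table:
            del table[mac]
        elif len(table) >= self.max_entries:
            table.popitem(last=False)
        table[mac] = port

    def forward(self, in_port, src_mac, dst_mac, vid=None):
        """Forwarding decision for one frame given as already-parsed fields.
        Returns [(out_port, "tagged"|"untagged"), ...]; [] means not transmitted."""
        if vid is None or vid == 0:
            vid = self.pvid[in_port]       # untagged or priority-tagged: classified by the port's PVID
        members = self.egress.get(vid, {})
        if in_port not in members:
            return []                      # ingress filtering: the port is not a member of this VLAN
        self.learn(vid, src_mac, in_port)
        out_port = self.fdb[vid].get(dst_mac)
        if dst_mac == BROADCAST_MAC or out_port is None:
            targets = [p for p in members if p != in_port]   # broadcast / unknown unicast: flood inside the VLAN only
        elif out_port == in_port:
            return []                      # destination sits behind the ingress port: filter
        else:
            targets = [out_port]
        return [(p, members[p]) for p in targets]


if __name__ == "__main__":
    # Constructed scenario from the slide: untagged frame on port 3, PVID 20.
    sw = VlanSwitch([1, 2, 3, 4])
    sw.set_pvid(3, 20)
    sw.add_vlan(20, untagged=[3, 4])
    print(sw.forward(3, "00:00:00:00:00:0a", "00:00:00:00:00:0b"))   # [(4, 'untagged')]
```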
Packet Forwarding
• Here you can see a simple network connection. In this scenario the network administrator will want to place the traffic from the phones into a different VLAN to that of the data
  – The PC traffic is in VLAN 20
  – The Phone traffic is in VLAN 30
• How is VLAN integrity maintained?
  – Modern IP telephones are a small switch and have the ability to tag traffic
• The next 2 slides will show how the PC traffic is handled differently from the phone traffic
(figure: PC1, PC2, PC3, PhoneA and PhoneB attached to Switch One and Switch Two via ports 8, 26, 40, 47 and 48)
Considering OpenFlow switch in enterprise environment for SDN.
GVRP
• Switch 1 and 4 have VLAN 60 configured and the edge ports to PC1 and PC2 have a PVID of 60
• Switch 1's uplink to Switch is configured for VLAN 60 as tagged, the same for Switch 4
• If PC1 starts to ping PC2, Switch 1 declares VLAN 60 to Switch 2
• Switch 2 registers VLAN 60 and tags the ingress port it received the packet on for VLAN 60
• Switch 2 then tags the port to Switch 3 for VLAN 60 and declares VLAN 60 to Switch 3
• Switch 3 then repeats the process
• If GVRP was disabled on Switches 2 and 3 then VLAN 60 would disappear from Switches 2 and 3.
(figure: PC1 - Switch 1 - Switch 2 - Switch 3 - Switch 4 - PC2, with VID = 60 at both ends; D marks a declaration and R a registration on each link)
GVRP works on a declaration and registration process. When a VLAN is declared, the information is transmitted out of GVRP enabled ports on the device in a GARP formatted frame. (the GVRP multicast MAC address 01-80-C2-00-00-21.)
Generic Attribute Registration Protocol VLAN Registration Protocol (GVRP)
IEEE 802.1Q VLAN Overview
• 802.1Q Trunk
What is an FDB?
An FDB is a Filtering Database, which is a lookup table within the switch that keeps track of the association between MAC addresses, VLANs and port numbers.
Spanning Tree
• Network Loops
(figure: two bridges B1 and B2 joined by redundant links; the B1 SAT and the B2 SAT each learn MAC A on Port 1 and then on Port 2 as the frame loops)
How IEEE 802.1D Spanning Tree operates
• Calculating the Spanning Tree based on the lowest STP IDs and costs
  – Always compare these values in this order. If they are equal, move on to the next comparison
  1. Root Bridge ID
  2. Path Cost to Root
  3. Designated Bridge ID
  4. Designated Port ID
  5. Root Port ID
IEEE 802.1D Spanning Tree
• 802.1D Operation
  – Elect a root bridge as the reference point for the network
    • Bridge with lowest bridge ID becomes the root
      – Bridge ID = (2 byte Bridge priority + 6 byte Bridge MAC address)
      – Example: 80-00-00-E0-63-12-34-56 (where 80-00 is the default bridge priority value and 00-E0-63-12-34-56 is the bridge MAC address)
Root Bridge
IEEE 802.1D Spanning Tree
• 802.1D Operation
  – Assign path costs to the links
    • Path cost value is relative to bandwidth rate (port speed).
(figure: Root Bridge = Bridge 1, with link costs 4, 4, 19, 19, 100, 100)
Path Cost to Root Bridge:
  Bridge ID 80-00:2   4
  Bridge ID 80-00:3   4 + 19 = 23
  Bridge ID 80-00:4   4
  Bridge ID 80-00:5   4 + 19 = 23
  Bridge ID 80-00:6   4 + 19 + 100 = 123
Link Speed (Mbps)   Recommended Path Cost: 802.1D-1998   Recommended Path Cost: 802.1D-2004
4                   250                                  5,000,000
10                  100                                  2,000,000
16                  62                                   1,250,000
100                 19                                   200,000
1000                4                                    20,000
2,000               3                                    10,000
10,000              2                                    2,000
IEEE 802.1D Spanning Tree
• Maintaining the topology
  – Hello timer
  – Max Age timer
  – Forward Delay timer
• Spanning Tree Bridge Port States
  – Blocking
    • Not participating in frame transmission
    • Continues to monitor for management and STA information (still receives BPDUs)
  – Listening
    • Only processes frames addressed to it
    • Listens to BPDUs to ensure no loops occur on the network
    • BPDUs received shall be processed, as required by the STA
  – Learning
    • Bridge is passively building its SAT but does not forward frames
  – Forwarding
    • Able to send and receive data
    • Participating in frame transmission
IEEE 802.1D Spanning Tree
• 802.1D Operation Summary
  – Elect a root bridge: Bridge 1
  – Assign path costs to the links:
    • Bridge ID 2 has path cost of 4
    • Bridge ID 3 has path cost of (4 + 19) = 23
    • Bridge ID 4 has path cost of 4
    • Bridge ID 5 has path cost of (4 + 19) = 23
    • Bridge ID 6 has path cost of (4 + 19 + 100) = 123
  – Determine the designated bridge:
    • Bridge 1 is the designated bridge for Bridge 2, Bridge 4
    • Bridge 2 is the designated bridge for Bridge 3, Bridge 5
    • Bridge 3 is the designated bridge for Bridge 6
    • Bridge 4, Bridge 5, and Bridge 3 are the designated bridges for all respective downstream links
  – Identify root and designated ports & block redundant links: as shown below
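The root election, path-cost and designated-bridge computation of the summary above, carried out in an added Python example that is not from the slides. The topology is constructed to reproduce the slide's costs: Bridge 1 is root, links 1-2 and 1-4 cost 4, links 2-3 and 2-5 cost 19, and links 3-6 and 5-6 cost 100. Which bridge pairs the two 100-cost links join is an assumption, chosen so that Bridge 6 sees two equal-cost paths and the tie is broken by the lower designated bridge ID (Bridge 3), following the comparison order given earlier.

```python
# Constructed topology reproducing the slide's costs (which bridge pairs the
# two 100-cost links join is an assumption): (bridge_a, bridge_b, path_cost)
LINKS = [(1, 2, 4), (1, 4, 4), (2, 3, 19), (2, 5, 19), (3, 6, 100), (5, 6, 100)]


def build_ports(links):
    """bridge -> [(port_id, neighbour, cost), ...]; port IDs are numbered per
    bridge in the order the links are listed."""
    ports = {}
    for a, b, cost in links:
        for me, other in ((a, b), (b, a)):
            plist = ports.setdefault(me, [])
            plist.append((len(plist) + 1, other, cost))
    return ports


def port_toward(ports, bridge, neighbour):
    for port_id, other, _ in ports[bridge]:
        if other == neighbour:
            return port_id
    raise KeyError((bridge, neighbour))


def compute_spanning_tree(links):
    """Returns (root, root path cost per bridge, role of every port) for a
    connected topology. Each bridge keeps the best vector it is offered,
    compared in the 802.1D order: root path cost, designated bridge ID,
    designated port ID, then its own root port ID (the root bridge ID is the
    same for everyone once the root is elected, so it is left out)."""
    ports = build_ports(links)
    root = min(ports)                      # lowest bridge ID wins the root election
    vector = {root: (0, root, 0, 0)}
    changed = True
    while changed:                         # relax until no bridge finds a better vector:
        changed = False                    # the fixed point the BPDU exchange converges to
        for bridge, plist in ports.items():
            if bridge == root:
                continue
            offers = [(vector[nbr][0] + cost, nbr, port_toward(ports, nbr, bridge), my_port)
                      for my_port, nbr, cost in plist if nbr in vector]
            if offers and min(offers) != vector.get(bridge):
                vector[bridge] = min(offers)
                changed = True
    roles = {}
    for bridge, plist in ports.items():
        for my_port, nbr, _cost in plist:
            if bridge == root:
                role = "designated"        # every port of the root bridge is designated
            elif my_port == vector[bridge][3]:
                role = "root"              # the port that carries this bridge's best vector
            elif (vector[bridge][0], bridge) < (vector[nbr][0], nbr):
                role = "designated"        # lower cost (then lower ID) end of the link
            else:
                role = "blocked"           # neither root nor designated: the redundant link
            roles[(bridge, my_port)] = (nbr, role)
    costs = {b: v[0] for b, v in vector.items()}
    return root, costs, roles


if __name__ == "__main__":
    root, costs, roles = compute_spanning_tree(LINKS)
    print("root:", root, "path costs:", costs)
    for (bridge, port), (nbr, role) in sorted(roles.items()):
        print(f"bridge {bridge} port {port} -> bridge {nbr}: {role}")
```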
Spanning Tree
• As of 2004, the IEEE 802.1D-1998 version of spanning tree was removed from the specification
• STP has now been superseded by the IEEE 802.1D-2004 specification, which incorporates IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
• All current switches also support 802.1s, Multiple Spanning Tree, by default
802.1w, Rapid Spanning Tree
• IEEE 802.1w, Rapid Spanning Tree Protocol (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters.
• IEEE 802.1w and IEEE 802.1D Spanning Tree algorithms will interoperate.
  – An RSTP switch detects the STP version when it is connected to an 802.1D STP switch.
  – When the RSTP port is initialized, it transmits RSTP Bridge Protocol Data Units (BPDUs) for three seconds; it then transitions to sending STP BPDUs if it receives STP
Spanning Tree
802.1w, Rapid Spanning Tree
• Port Roles
  – Root Port: The one port that is used to connect to the Root Bridge
    • The Root Port is elected based on its least "path-cost" to the Root Bridge
  – Alternate Port: Any redundant upstream port that provides an alternate path to the Root Bridge (other than the Root Port)
  – Designated Port: Any downstream port that provides a path back to the Root Bridge for a downstream bridge
  – Backup Port: A port that acts as a redundant Designated Port for a downstream bridge.
  – Edge Port: A port that has no other bridges connected to this port (i.e. User Port)
    • This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18)
Spanning Tree
• There are two types of BPDUs, serving three functions
  • Configuration BPDUs
    – 1) determine the Spanning Tree topology
    – 2) maintain the Spanning Tree topology
  • Topology Change Notification (TCN) BPDUs
    – 3) announce a change in the bridged topology by toggling the change bit
802.1w Rapid Spanning Tree
• New BPDU type (BPDU type 2) to distinguish RST BPDUs from STP configuration and topology change BPDUs
  – Version 1 BPDUs are accommodated in the version 2 format by means of a placeholder of zero length for the version 1 protocol information
• New BPDU handling
  – Origination of BPDUs on a port-by-port basis, instead of transmission on designated ports, following reception of information from the root. With RSTP, BPDUs are sent every "hello-time," not simply relayed as with STP.
  – Faster aging of information: With RSTP, a bridge considers that it has lost connectivity to its direct neighboring root or designated bridge if it fails to receive three consecutive BPDUs. This fast aging of information allows quick failure detection in case of physical link failures.
  – Accepting inferior BPDUs: If a designated port receives an inferior BPDU (higher bridge ID, higher path cost, and so forth, than currently stored for the port) with a designated port role, it immediately replies with its own information.
802.1w Rapid Spanning Tree
• Topology changes and address flushing
  – Only non-edge ports that move to the forwarding state cause a topology change
  – Topology Change Notifications (TCNs) in RSTP refer to both 802.1d & 802.1w TCNs
  – When a switch receives a TCN (Rx TCN) it:
    • Clears the FDB for all active ports except the port on which it received the TCN
    • Sends TCNs out its other Designated ports and its Root port
  – If a port detects a Topology Change (TC) the switch:
    • Clears the FDB for all its non-edge Designated ports and its Root port
    • Sends TCNs out all its non-edge Designated ports and its Root port
  – If a Port goes from Forwarding to Discarding, all Filter Database Entries are flushed for that port
  – If a Port goes from Discarding to Forwarding, all Filter Database Entries are flushed for all other active ports
  – All ports that transmit original TCNs flush their dynamic filtering database entries
802.1w Rapid Spanning Tree
• Port States and Roles Comparison
IEEE 802.1s Multiple Spanning Tree (MST)
• The original 802.1D standard treats the overall topology as a single network, while switches treat VLANs as completely separate networks
  – IEEE 802.1s is a supplement to IEEE 802.1Q
  – Ability to map 1 or more VLANs to each spanning tree instance
  – MST is built on top of 802.1w Rapid Reconfiguration
• 802.1s is supported on most of their current platforms
  – 802.1s Principal Objective: to increase bandwidth utilization
    • To allow frames assigned to different VLANs to follow different data routes
    • To allow ports to block for some Spanning Trees and forward for others
    • To have every ISL (Inter Switch Link) in the topology forwarding for at least one spanning tree
  – The ability to create Spanning Tree instances for each VLAN
  – Fault tolerant network design with automatic reconfiguration
IEEE 802.1s Multiple Spanning Tree (MST)
(figure: with 802.1D/w there is a single root (bridge 1) shared by VLAN Green and VLAN Red, so one path carries over-utilised bandwidth while the link behind the blocked port is non-utilised (only redundant); with 802.1s, VLAN Green, VLAN Red and VLAN Blue are rooted at bridges 1, 2 and 3 respectively, giving an excellent balance of bandwidth utilisation)
Considering OpenFlow switch in enterprise environment for SDN.
Spanning Tree Summary
• Network Loops
• Introduction to the Spanning Tree Algorithm (STA)
• How Spanning Tree Operates
• IEEE 802.1w Rapid Spanning Tree
• 802.1s
• Summary
  – Redundant links and how they can cause network loops
  – How the IEEE 802.1D Spanning Tree Algorithm (STA) and Spanning Tree Protocol (STP) operate to resolve network loops
  – The IEEE 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), which speeds the configuration time it takes the network to converge after a failed link/restoration
  – A comparison of IEEE 802.1D Spanning Tree to IEEE 802.1w RSTP, including the differences in BPDUs, port roles, and port states
Shortest Path Bridging
• IEEE 802.1aq-2012
• Allows all links to be used: better CapEx
• IS-IS link state protocol (similar to OSPF) is used to build shortest path trees for each node to every other node within the SPB domain
• Equal-cost multi-path (ECMP) used to distribute load
IS-IS Protocol
• Intermediate System to Intermediate System (IS-IS) is a protocol to build routing tables. Link-State routing protocol => Each node sends its connectivity (link state) information to all nodes in the network
• Dijkstra's algorithm is then used by each node to build its routing table.
• Similar to OSPF (Open Shortest Path First).
• OSPF is designed for IPv4 and then extended for IPv6. IS-IS is general enough to be used with any type of addresses
• OSPF is designed to run on top of IP; IS-IS is general enough to be used on any transport, and was adopted by Ethernet
Introduction
• Link Aggregation and other port aggregation algorithms are all methods of:
  – Bonding together two or more data channels into a single channel that appears as a single, higher-bandwidth logical link
  – Increasing bandwidth in a cost-effective way
  – Providing redundancy and fault tolerance
Link Aggregation makes multiple physical links appear as a single logical link to Spanning Tree
If you want to use STP on OF Switches
• OpenFlow Switches can do STP function and LACP
……….
IEEE 802.3ad Link Aggregation
• IEEE 802.3ad Link Aggregation is a standards-based method of dynamically grouping multiple physical ports on a network device into one logical link
• IEEE 802.3ad is a protocol that allows the switch to:
  – determine which links are eligible to aggregate
  – configure them automatically
• Link Aggregation is supported on full duplex Ethernet ports:
  – 10 Mbps
  – 100 Mbps
  – 1000 Mbps
  – and higher speeds
IEEE 802.3ad Link Aggregation
• Key Benefits
  – By taking multiple LAN connections and treating them as a unified aggregated logical link, you can achieve practical benefits in many applications.
  – The key benefits of IEEE 802.3ad Link Aggregation are:
    • Dynamic configuration: Determines which links are eligible for aggregation, configures them automatically, and provides rapid reconfiguration.
    • Higher link availability: Provides higher link availability. The failure of a single link affects only that single link.
    • Increased bandwidth: The capacity of an aggregated link is higher than an individual link alone.
    • Support of existing IEEE 802.3 MAC clients: Requires no change to higher-layer protocols or applications.
    • Backwards compatible with 802.3ad-unaware devices: Links that cannot take part in Link Aggregation operate as normal, individual IEEE 802.3 links.
Link Aggregation Control Protocol
• Link Aggregation Control Protocol (LACP)
– Allows communication of aggregation capabilities between switches, and automatic configuration of links between a switch and its link partner.
– Maintains configuration information (reflecting the inherent properties of the individual links, as well as those manually established by management) to control aggregation.
– LACP exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).
• A given link is allocated to, at most, one LAG at a time.
Considering OpenFlow switch in enterprise environment for SDN.
Link Aggregation Scenarios
• There are two scenarios in which link aggregation may be useful in a network, as described below.
  – Switch-to-switch connections: Multiple ports on a switch are joined to form an aggregated link. Aggregation of multiple links achieves higher speed connections between switches without hardware upgrade.
  – Switch-to-station (server or router) connections: Many server platforms can saturate a single 10/100/1000 Mbps link. Thus, link capacity limits overall system performance. You can aggregate switch-to-station connections to improve performance.
Link Aggregation Rules
• Rules & Recommendations:
  – Ports must be running full duplex to aggregate.
  – A link aggregation cannot be split among systems. Logically, it is a single pipe and, as such, is treated as a single point-to-point connection.
  – Link Aggregation is supported only on links using the IEEE 802.3 MAC.
  – All links in a LAG must operate at the same data rate.
• IEEE 802.3ad is supported on all current Switches
SDN Program for LACP
……….
Switching vs Routing
• Bridges / Layer 2 Switching:
  – Switch packets within the same physical network, based upon Data Link-layer (MAC) addressing
  – Flood all MAC-layer broadcasts out all attached ports in the same physical network
  – Are protocol transparent (i.e. unaware of IP, IPX, etc., protocols embedded in the datagrams)
  – Do not support packet fragmentation
  – Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another
• Routers / Layer 3 Switching:
  – Switch packets between different physical networks, based upon Network-layer addressing
  – Do not flood MAC-layer broadcasts from one attached network to another
  – Are protocol dependent (IP routed to IP; IPX routed to IPX, etc.)
  – Support packet fragmentation
  – Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another
• Legacy Story
• OF Switch for Which Layer?
Why routing protocol is needed?
• Routing protocol is used to dynamically learn routing information so routers know where to send packets. The only other option is to manually define all routers
• If we could not use routing protocols, what would be happened to us ??? SDN could replace the routing protocol?
When Should Routing be Implemented?
• When communication is needed between VLANs
• When MAC-layer multicast/broadcast traffic is adversely affecting network performance
• When packet switching based upon upper-layer protocols (i.e. IP, IPX, AppleTalk, etc.) is desired
• Where multiple active paths between systems are required
OpenFlow for active multiple paths??
Check SDN
Check SDN
Forget it
Check SDN
Router Advantages
• Isolation of MAC-layer broadcast traffic. Routers allow VLANs to communicate but prevent the flow of broadcast traffic from one physical LAN to another
• Path Selection. Routers can use the best path which physically exists between source and destination systems. Some routers allow for load balancing over redundant paths
• Flexibility. Routers can support any desired network topology
• The total size of the network interconnected with routers is, for all practical purposes, unlimited
Where is the router in a virtualized network? OpenFlow and the router?
Check SDN
Check SDN
Check SDN
Check SDN
Router Disadvantages
• Protocol Dependence. Routers operate in the OSI Network layer and must be aware of the protocol(s) they are configured to route. A router will ignore traffic it is not configured to handle
• Configuration complexity. Routers require a lot more configuration and some protocols require workstation address configuration
• Cost. Routers are typically more complex devices than bridges and can be more expensive
Enterprise Routing – Basic Routing Config
• Routers use routing protocols to maintain their routing tables. Routing tables can be maintained either statically or dynamically.
• Static Routes
– Static routes are manually configured and entered into a switch’s routing table. Static routes take default precedence over routes chosen by dynamic routing protocols.
• Dynamic Routes
– Dynamic routes are learned when routers send routing table information to each other.
– The three forms of dynamic routing that are most commonly used are Distance Vector, Link State and Path Vector protocols.
• Distance Vector Protocols
– RIPv1 and RIPv2
– DVMRP
• Link State Protocols
– OSPFv2
– IS-IS
• Path Vector Protocols
– BGP4
Static and Dynamic Routing Support
Where is routing at the SDN Controller?
• ‘Ryu’: one of the SDN controllers
• ‘OpenContrail’: one of the SDN controllers
Enterprise Routing – Basic Routing Config
• RIP is a standards-based form of distance-vector routing protocol.
• Two versions of RIP are available for routing IPv4:
– RIP version 1, defined by RFC 1058 (STD 34) 6/88
– RIP version 2, defined by RFC 2453 (STD 56) 8/99
• The routing decision selects the shortest path based on “hop count.”
– Each router is one “hop.”
– RIP has a 15 hop-count limitation.
• RIP updates occur every 30 seconds and send the entire routing table contents.
– IP/UDP port 520
– Up to 25 routes per packet
• Subsequent to a topology change, convergence time increases significantly with network size
• RIPv2 Differences from RIPv1:
– Includes the network mask, which supports variable-length subnet masking.
– Transmits RIPv2 updates as multicast, rather than broadcast (both are supported).
– Provides an authentication mechanism not supported by RIPv1.
RIP Overview
Enterprise Routing - OSPF
• OSPF primary characteristics:
– It is “open” in that its specification is in the public domain
– It is based on Dijkstra’s Shortest Path First algorithm
• Developed by the Interior Gateway Protocol (IGP) working group of the IETF (mid-1980s)
– RFC 2328
– RFC 1583
• OSPF was created because RIP was increasingly unable to serve large, heterogeneous networks
– Routing loops occurred with sudden topology changes
– Using the distance metric to determine reachability resulted in count-to-infinity delays
– Slow convergence
• Uses the best effort transport mechanism of IP
– Protocol number 89
– Uses both IP Unicast and Multicast addresses
• 224.0.0.5 (AllSPFRouters)
• 224.0.0.6 (AllDRRouters)
Overview of OSPF Routing Protocol
• Faster convergence than distance vector algorithms
• A more descriptive routing metric
– Configurable per outbound interface
– Interface value between 1 and 65,535
• Equal-cost multipath
– If multiple equal cost paths to a destination exist, the paths are inserted in the routing table
– Load balancing among the routes
– Default path costs are 10
Dijkstra’s shortest path first algorithm
• The algorithm
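The SPF computation run over a link-state database, keeping every equal-cost path the way the equal-cost multipath slide describes, as an added example that is not part of the original deck; the LSDB, router names and link costs below are constructed for illustration.

```python
import heapq
from collections import defaultdict

# Constructed link-state database (LSDB): one entry per directed link,
# (router, neighbor, cost of the outbound interface). Each router's LSA
# describes its own links, so every link appears once from each end.
# Costs use the deck's default of 10 except for the two links into R5.
LSDB = [
    ("R1", "R2", 10), ("R2", "R1", 10),
    ("R1", "R3", 10), ("R3", "R1", 10),
    ("R2", "R4", 10), ("R4", "R2", 10),
    ("R3", "R4", 10), ("R4", "R3", 10),
    ("R4", "R5", 20), ("R5", "R4", 20),
    ("R3", "R5", 40), ("R5", "R3", 40),
]

def check_cost(cost):
    # An OSPF interface cost is a 16-bit value in 1..65535.
    if not 1 <= cost <= 65535:
        raise ValueError(f"interface cost {cost} outside 1..65535")
    return cost

def spf(lsdb, root):
    """Dijkstra's shortest path first from `root` over the LSDB.

    Returns {destination: (total cost, frozenset of next hops)}. When
    several paths tie on cost all of their first hops are kept, which is
    the equal-cost multipath case the deck describes."""
    adj = defaultdict(list)
    for src, dst, cost in lsdb:
        adj[src].append((dst, check_cost(cost)))
    cost_to = {root: 0}
    hops = {root: frozenset()}
    heap = [(0, root)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue                    # stale heap entry for a settled node
        settled.add(node)
        for nbr, link_cost in adj[node]:
            new_cost = cost + link_cost
            # First hop towards nbr: nbr itself when we stand at the root,
            # otherwise the first hops that already reach `node`. Link costs
            # are positive, so hops[node] is final by the time node is popped.
            via = frozenset({nbr}) if node == root else hops[node]
            if nbr not in cost_to or new_cost < cost_to[nbr]:
                cost_to[nbr] = new_cost
                hops[nbr] = via
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == cost_to[nbr]:
                hops[nbr] = hops[nbr] | via     # equal cost: keep both paths
    return {d: (cost_to[d], hops[d]) for d in cost_to if d != root}

def routing_table(lsdb, root):
    """Routing table as {destination: sorted next-hop list}. It is rebuilt
    from the LSDB only when the LSDB changes, as the deck states."""
    return {d: sorted(h) for d, (_, h) in spf(lsdb, root).items()}

def without_link(lsdb, a, b):
    """LSDB after the link a<->b fails (both directed entries withdrawn)."""
    return [e for e in lsdb if {e[0], e[1]} != {a, b}]

if __name__ == "__main__":
    print(routing_table(LSDB, "R1"))
    print(routing_table(without_link(LSDB, "R2", "R4"), "R1"))
```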
Overview of OSPF Routing Protocol
• Routing Hierarchy
– Routing domain can be divided into areas for ease of management and control
– Support for route summarization and aggregation by area
• Security
– Simple or MD5 Authentication
Enterprise Routing - OSPF
• Link State Advertisements (LSAs)
– Describe a local piece of the routing topology
– As accumulated from all routers in the area/domain, form a link state database
• Link State Database
– Describes the complete routing topology
– Identical for all the routers within the same area, when a network has converged
– Distributed, replicated database model
– Routing table is re-computed from the database only when topology changes occur
• Distribution of LSAs uses reliable flooding
– Link State Updates advertise topology changes and keep entries up-to-date
– Large RIP update packets advertise the entire route table every 30 seconds and age out in 90 sec
– Individual entries are refreshed every 30 minutes and age out after 60 minutes
– Uses multicasting to minimize network disruption
– Has its own acknowledgement protocol to ensure reliable packet delivery
Overview of OSPF Routing Protocol
• The network topology must appear consistent: the link state database must be identical on all routers
• All entities in the routing domain use unique 32-bit numbers for identification
– Routers are assigned a ‘router ID’, normally based on their IP address
– Networks use either their network ID or the IP address of a router interface on that network
– Areas are strictly administratively assigned
• Routers use the OSPF Hello protocol to identify neighbors and maintain neighbor relationships
– Hello protocol uses 5 packet types:
• OSPF Packet Type 1: a keep-alive
• OSPF Packet Type 2: initiates adjacency
• OSPF Packet Type 3: requests LSAs from DR
• OSPF Packet Type 4: floods LSAs
• OSPF Packet Type 5: acknowledges flooded LSAs
SDN can build its DB with LLDP and events from OF switch.
Overview of OSPF Routing Protocol
• Only routers in an “adjacency” state are permitted to exchange link state information
– The necessity of ensuring consistency in the LSDB prohibits simple broadcasting of route information
– Flooding information uses a split horizon technique
• In multi-access networks, a Designated Router (DR) is ‘elected’ to ensure reliable distribution of LSAs
– A Backup Designated Router (BDR) is also elected
Enterprise Routing – OSPF
• Advanced OSPF configuration
– Redistribute Routes
– Setting the Router ID to the loopback address
– Set the Designated Router
– Setup Stub Areas
• Stub
• NSSA
– Configure summarization
– Setup Authentication
• Simple
• MD5
Advanced Configuration Process
Multi-Area Configuration Example
• OSPF Configuration Lab
– Create IP Interfaces
– Add IP Address to IP interfaces
– Add Secondary IP Addresses
– Add Static Routes
– Set the Router ID to Loopback Interface
– Create OSPF Instance
– Add IP OSPF Networks and Areas
– Set the Designated Router
– Redistribute Static Routes
– Setup Summarization
– Setup Authentication (Simple, MD5)
Diagram: three routers with RID 1.1.1.1, RID 2.2.2.2 and RID 3.3.3.3
Routing – BGP Topics
• Border Gateway Protocol (BGP)
– The Protocol and Its Use
– Autonomous Systems
– BGP Messaging (Neighbor Establishment and Termination)
– Internal Border Gateway Protocol/External Border Gateway Protocol
– BGP Basic Configuration
– Route Injection
– BGP Attributes & Route Selection
– Route Aggregation
– BGP Monitoring & Clearing
– Advanced Topics
Considering OpenFlow switch in SP environment for SDN.
Routing – BGP
• The Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP) that is used to exchange routing information among routers in different autonomous systems (ASs)
• EGP and IGP differ in how the best possible path is determined for a given route:
– An IGP determines the best route by an established metric for the complete path
– RIP utilizes hop count as a metric to determine the best route
– OSPF can use metrics such as various interface costs to determine the best route
– An EGP directs traffic from the source AS to the destination AS based on path knowledge and path attributes. Path attributes are route parameters that can influence the direction traffic will flow in
The Protocol & Its Use
Routing – BGP
• The protocol is used to define an administrative boundary between autonomous systems
• The process of routing with BGP is often referred to as external routing
• BGP is a Path Vector Protocol
• BGP routing information includes the complete route to each destination along with detailed information on how the route should be handled
• Utilizes Classless Inter-Domain Routing (CIDR), which eliminates shortcomings of the original classful IP addressing by allowing aggregation of blocks of IP addresses to reduce the size of routing tables
The Protocol & Its Use
Routing – BGP
• An Autonomous System (AS) is a collection of networks with the same routing policy
• Usually running a single routing protocol (IGP) within the interior
• Typically under a single ownership and administration
• Originally identified by a unique AS number (1-65535)
• As of January 2009 expanded to 4,294,967,296 (see RFC 4893, BGP Support for Four-octet AS Number Space)
• AS numbers 64512 through 65534 are designated for private use
Autonomous Systems
Autonomous System (AS) (diagram): the routers shown, grouped as AS-100, are under one authority for management.
Interfacing Two ASs (diagram): AS-100 and AS-200 are connected by EBGP; the routers at the boundary are EBGP neighbors/peers.
Peer Establishment / Packet Exchange (diagram): the two peers are drawn as full seven-layer stacks (Physical, Data Link, Network, TCP/UDP, Session, Presentation, Application); BGP first establishes a TCP session between them.
Open Message (diagram): the neighbors exchange Open and Keepalive messages.
Neighbor Establishment & Termination
Keepalive Messages
Keepalives simply let BGP neighbors know about the current state of the connection. They are used to maintain the link when routers have no routing updates to exchange.
Update Message
BGP uses Update Messages to exchange or withdraw routes. Detailed information about the route is passed using attributes which are present in the update packet.
Notification Message
A Notification is sent when a router must close the session (diagram caption: “I am going to have to close my link”).
IBGP/EBGP
The BGP protocol specifies two types of BGP neighbor relationships, IBGP and EBGP:
• External Neighbors (EBGP) reside in different ASs
• Internal Neighbors (IBGP) reside in the same AS
• IBGP is used to carry BGP route information across an ISP backbone
• EBGP is used to exchange BGP route information with different ASs
Basic IBGP/EBGP Model (diagram): routers 1–7 spread over AS-100, AS-200 and AS-300; each AS runs OSPF (or BGP) as its IGP, EBGP runs between the ASs and IBGP between the routers inside each AS; links are labelled GE and TG.
Enabling BGP & Identify Your Neighbors (diagram): BGP neighbors R1 in AS-100 and R2 in AS-200.
Basic Configuration
Configure:
− The AS the router belongs to
− The BGP router ID
− Neighbor IP address and remote AS
− Route injection of a directly connected interface via network command
Enabling BGP & Identify Your Neighbors (EBGP) (diagram): R1 (AS-100, .1) and R2 (AS-200, .2) peer over VLAN 12 192.168.12.0/24; VLAN 13 192.168.13.0/24 and VLAN 14 192.168.14.0/24 are the other networks shown.
Enabling BGP & Identify Your Neighbors (IBGP) (diagram): R1 (Loopback 1.1.1.1) and R3 (Loopback 3.3.3.3) are both in AS-100 and reach each other through IGP routers running OSPF over VLAN 13 192.168.13.0/24, VLAN 15 192.168.15.0/24, VLAN 17 192.168.17.0/24 and VLAN 19 192.168.19.0/24 (.1/.2 addressing). The diagram marks an Initial Peering (crossed with an X) and an Alternate Peering.
BGP Route Injection:
Condition 1 for announcing an IP prefix into BGP: the BGP process must be aware of the route. It can become aware of the route by:
– A BGP Neighbor
– Redistribution from another routing protocol
– A local network statement
Condition 2: the route must already be present in the IP Routing Table. It:
– Could be a Static Route
– Could be a directly connected route
– Could have been installed by the IGP (OSPF, RIP, etc…)
BGP Attributes:
• Routing information exchanged by BGP routers includes the complete route to each destination, as well as additional information about the route. This additional information is referred to as attributes.
• BGP attributes are a set of parameters that describe the characteristics of a route.
• The BGP process uses attributes to select the best route to a destination.
• Attributes are categorized as being (Optional or Mandatory) and (Transitive or Non-Transitive).
• Local preference: This attribute is used to influence a preferred exit point from the local autonomous system (AS). The higher value will determine the exit point for the AS.
• Multi-Exit Discriminator (MED): It is a suggestion to external neighbors about the preferred path into an AS that has multiple entry points. The lower value MED will determine the entry point.
Route Aggregation (diagram): the No Aggregation case is shown.
Route Reflection (diagram): in AS 100, Router 1, Router 2 and Router 3 as a Full Mesh IBGP, compared with the same routers each peering only with a Route Reflector (Route Reflection IBGP).
Advanced Topics
Confederations (diagram): Confederation 100 is made up of sub-AS 65001 (Router 1, Router 2, Router 3, Full Mesh IBGP) and sub-AS 65002 (Router 4, Router 5, Router 6, Full Mesh IBGP), with EBGP sessions (three shown) linking the sub-ASs and the external AS 200 and AS 300.
Advanced Topics
Implementing a BGP Route-Map: AS-Path Regular Expressions
Advanced Topics
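Best-path selection over the attributes covered above (local preference, AS path length, MED) combined with a route-map that matches AS-path regular expressions, as an added example that is not part of the original deck. The routes, next hops, AS numbers and the router-style regex translation (treating `_` as a token boundary) are assumptions made for illustration; MED is compared only between routes from the same neighbouring AS, the default BGP behaviour.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# AS numbers 64512 through 65534 are designated for private use (from the deck).
PRIVATE_AS = range(64512, 65535)

@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]        # neighbour AS first, originating AS last, e.g. [200, 400]
    local_pref: int = 100     # deck: the higher value picks the exit point from the local AS
    med: int = 0              # deck: the lower value picks the entry point into a neighbour AS
    from_ebgp: bool = True

    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None

    def path_text(self) -> str:
        return " ".join(str(a) for a in self.as_path)

def as_path_regex(expr: str):
    """Translate a router-style AS-path regex into a Python regex.

    Assumption for this example: '_' stands for a token boundary (start, end or
    the space between two AS numbers), so '^200_' matches paths learnt from
    AS 200 and '_400$' matches paths originated by AS 400."""
    return re.compile(expr.replace("_", r"(?:^|$|\s)"))

@dataclass
class RouteMapEntry:
    permit: bool
    as_path_match: str                     # router-style AS-path regex
    set_local_pref: Optional[int] = None   # applied when the entry permits

def apply_route_map(routes, entries):
    """The first matching entry decides; a route matching no entry is dropped
    (the route-map's implicit deny). Permitted routes get the set actions."""
    out = []
    for r in routes:
        for e in entries:
            if as_path_regex(e.as_path_match).search(r.path_text()):
                if e.permit:
                    if e.set_local_pref is not None:
                        r = replace(r, local_pref=e.set_local_pref)
                    out.append(r)
                break
    return out

def reject_private_as(routes):
    """Drop routes whose AS path carries a private AS number: such paths should
    have been stripped at the originating edge and carry no global meaning."""
    return [r for r in routes if not any(a in PRIVATE_AS for a in r.as_path)]

def better(a: Route, b: Route) -> bool:
    """True when route a wins over route b."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref          # higher local preference
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)      # shorter AS path
    if a.neighbor_as() == b.neighbor_as() and a.med != b.med:
        return a.med < b.med                        # lower MED, same neighbour AS only
    if a.from_ebgp != b.from_ebgp:
        return a.from_ebgp                          # EBGP over IBGP
    return False                                    # tie: keep the earlier candidate

def best_path(routes) -> Optional[Route]:
    best = None
    for r in routes:
        if best is None or better(r, best):
            best = r
    return best

def select(routes, route_map=()):
    """Full pipeline: drop private-AS paths, apply the route-map, pick the best."""
    routes = reject_private_as(routes)
    if route_map:
        routes = apply_route_map(routes, route_map)
    return best_path(routes)

# Constructed candidates for 10.0.0.0/8 as seen by a router in AS 100.
CANDIDATES = [
    Route("10.0.0.0/8", "192.168.12.2", [200, 400], med=100),
    Route("10.0.0.0/8", "192.168.13.2", [200, 400], med=50),
    Route("10.0.0.0/8", "192.168.14.2", [300, 500, 400]),
    Route("10.0.0.0/8", "192.168.15.2", [300, 65001, 400]),   # leaked private AS
]

# Constructed route-map: raise local preference for anything learnt from AS 300,
# permit everything else unchanged.
PREFER_AS300 = [
    RouteMapEntry(permit=True, as_path_match="^300_", set_local_pref=200),
    RouteMapEntry(permit=True, as_path_match=".*"),
]

if __name__ == "__main__":
    print("no route-map :", select(CANDIDATES).next_hop)                 # 192.168.13.2
    print("prefer AS 300:", select(CANDIDATES, PREFER_AS300).next_hop)   # 192.168.14.2
```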
Routing – Layer 3 Tunneling
Traffic Flow
BGP for Middle Box
Some vendors recommend that you configure each traffic device as an iBGP route reflector client with each BGP router.
The following example specifies that the neighbors 200.10.1.2 and 200.10.2.2 are clients of route reflector 1.1.1.1:
Router 1(rw-config)->router bgp 100
Router 1(su-config-bgp)->bgp router-id 1.1.1.1
Router 1(su-config-bgp)->bgp cluster-id 1.1.1.1
Router 1(su-config-bgp)->neighbor 200.10.1.2 remote-as 100
Router 1(su-config-bgp)->neighbor 200.10.1.2 route-reflector-client
Router 1(su-config-bgp)->neighbor 200.10.2.2 remote-as 100
Router 1(su-config-bgp)->neighbor 200.10.2.2 route-reflector-client
Router 2(rw-config)->router bgp 100
Router 2(su-config-bgp)->bgp router-id 2.2.2.2
Router 2(su-config-bgp)->neighbor 1.1.1.1 remote-as 100
Layer 3 tunneling example (GRE tunnel between RouterA and RouterB):
RouterA(rw-config)-> interface tunnel 1
RouterA(su-config-tun.0.1)->tunnel mode gre
RouterA(su-config-tun.0.1)->tunnel source 1.1.1.1
RouterA(su-config-tun.0.1)->tunnel destination 1.1.1.2
RouterA(su-config-tun.0.1)->ip address 10.1.1.1/30
RouterA(su-config-tun.0.1)->no shutdown
RouterA(su-config-tun.0.1)->exit
RouterB(rw-config)-> interface tunnel 1
RouterB(su-config-tun.0.1)->tunnel mode gre
RouterB(su-config-tun.0.1)->tunnel source 1.1.1.2
RouterB(su-config-tun.0.1)->tunnel destination 1.1.1.1
RouterB(su-config-tun.0.1)->ip address 10.1.1.2/30
RouterB(su-config-tun.0.1)->no shutdown
RouterB(su-config-tun.0.1)->exit
Flow table entries (diagram, one table per device):
MAC Source | MAC Dest. | Source IP | Dest. IP      | Source TCP Port | Dest. TCP Port | Action
*          | *         | *         | 192.168.10.20 | 80              | *              | Port 7

MAC Source | MAC Dest. | Source IP | Dest. IP      | Source TCP Port | Dest. TCP Port | Action
*          | *         | *         | 192.168.10.20 | 80              | *              | Port 3
• By definition Virtual Routing and Forwarding (VRF) is the technology encompassed in IP routers that allows the provisioning of multiple instances of a routing table to exist on a router simultaneously.
• The process is achieved by creating multiple instances of “virtual/logical” routers on a single router. These multiple virtual router instances behave as if they were a physical router.
• Since the virtual routers allow network paths to be segmented, additional equipment in the form of physical routers is not required.
• IP traffic is automatically separated by maintaining separate routing tables as opposed to one global routing table, thus increasing network security and eliminating the need for encryption and authentication.
Routing - VRF Overview
• Global Route Table
– Full access to Host Apps (SSH, SNMP etc.)
• Interfaces assigned to only one VRF
• Overlapping IP Address supported
• Independent RIB per VRF
• Independent FIB per VRF
• Protocols instanced by VRF
• VRF aware Services
• MIBs instanced by VRF
Physical Router (diagram): a single physical router holds the global Internet routing table plus VRF 1 and VRF 2. VLAN 10 and VLAN 100 both use 192.168.10.0/24, and VLAN 11 and VLAN 101 both use 192.168.11.0/24; in VRF, IP address ranges are passed separately, so the overlapping ranges can coexist.
Routing - VRF Overview
Deployment Scenarios and Configuration (diagrams)
VRFs With Overlapping IP Networks (diagram)
Enterprise Routing – LSNAT
• Load Sharing Network Address Translation
• LSNAT is a load balancing routing feature designed to provide load sharing network services between multiple servers grouped into server farms
• It can be tailored to an individual server service without requiring any modification to clients or servers.
• Examples of well-known services are HTTP on port 80, SMTP (e-mail) on port 25, or FTP on port 21.
LSNAT Overview: What is LSNAT?
LSNAT Overview: How Does It Work? (diagram)
Why Would I Use LSNAT?
• Server Load Sharing
– When a single server is not able to cope with the demands of multiple client sessions
• Reliability
– Server reliability is increased by allowing you to take individual servers offline without interrupting ongoing service operations
• Redundancy
– Load sharing also provides redundancy in the case of a server failure. LSNAT automatically removes the failed server from the selection process.
Why Would I Use LSNAT? (Continued)
• Security
– Security is improved since only the VIP is known, not the real server IP addresses
• Performance
– LSNAT improves network performance by leveling traffic over many systems
– Using LSNAT in conjunction with Aggregate Links removes the performance bottleneck concerns of one physical link to a server by bundling multiple switch to server links
OpenFlow Based SDN can do it.
IP Access Control Lists
• Access Control Lists filter IP packets based upon specified characteristics
• Depending on the product, ACLs may be applied to router interfaces as access groups, either inbound, outbound or both
• Routers support the configuration of both standard and extended ACLs.
• A standard ACL supports traffic control based on only the source IP address.
• An extended ACL supports traffic control based on both the source and destination IP address, as well as protocol and layer 4 port.
• All ACLs are set with an implicit deny all rule as the last rule upon ACL creation.
• N/S/K Series Routers support the creation of both numbered and named ACLs in Release 7.0
• ACLs may be created in two different ways
– Standard and Extended, numbered and named ACL configuration rules can be added, deleted, or modified through CLI commands from router configuration mode.
– Standard and Extended, numbered and named ACL configuration rules can be added, deleted, or modified using ACL Manager, which is accessible via NMS Console.
Access Control List (ACL) Configuration
• An ACL filters traffic, permitting or denying on a packet basis
• Support for inbound or outbound filtering is based on platform
• Configuration Limits
– Only one inbound and one outbound (if supported) ACL, standard or extended, may be statically applied per interface.
– An ACL can contain up to a set maximum number of rules plus the implicit deny all rule.
– ACL rules are added to and deleted from an ACL group through CLI commands from router configuration CLI mode or NMS ACL Manager.
ACLs and PBR
• Policy Based Routing (PBR) allows packets that meet an ACL's criteria to be looked up in a route map to determine the next hop.
• This allows packets that meet one set of criteria to go one direction while those that meet a different set of criteria go another way, all without the use of a routing protocol.
Policy Based Routing
OpenFlow Based SDN can do it.
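A standard/extended ACL evaluator with the implicit deny-all and the one-ACL-per-direction limit from the slides above, plus the PBR lookup that sends ACL-matched packets to a route-map next hop, as an added example that is not the product's own implementation; the ACL numbers, addresses and next hops are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" (any), "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # layer-4 destination port

@dataclass(frozen=True)
class Rule:
    permit: bool
    src: str = "any"             # CIDR network or "any"
    dst: Optional[str] = None    # extended ACLs only; None means any
    proto: str = "ip"            # extended ACLs only
    dport: Optional[int] = None  # extended ACLs only

def in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

class ACL:
    """Ordered rule list. A standard ACL may only look at the source address;
    an extended ACL also matches destination, protocol and layer-4 port.
    Every ACL ends with the implicit 'deny all' the deck describes."""

    def __init__(self, name: str, extended: bool, rules: List[Rule]):
        if not extended and any(r.dst or r.dport is not None or r.proto != "ip" for r in rules):
            raise ValueError(f"ACL {name}: standard ACL rules may only match the source address")
        self.name, self.extended, self.rules = name, extended, list(rules)

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if not in_net(rule.src, pkt.src):
            return False
        if not self.extended:
            return True
        if rule.dst is not None and not in_net(rule.dst, pkt.dst):
            return False
        if rule.proto != "ip" and rule.proto != pkt.proto:
            return False
        return rule.dport is None or rule.dport == pkt.dport

    def evaluate(self, pkt: Packet) -> Tuple[bool, Optional[int]]:
        """Returns (permitted, index of the rule that decided); the index is
        None when the implicit deny-all at the end was what matched."""
        for i, rule in enumerate(self.rules):
            if self._matches(rule, pkt):
                return rule.permit, i
        return False, None

class Interface:
    """Only one inbound and one outbound ACL may be statically applied per interface."""

    def __init__(self, name: str):
        self.name = name
        self.acls = {"in": None, "out": None}

    def apply(self, direction: str, acl: ACL):
        if self.acls[direction] is not None:
            raise ValueError(f"{self.name} already has an {direction}bound ACL ({self.acls[direction].name})")
        self.acls[direction] = acl

    def permits(self, direction: str, pkt: Packet) -> bool:
        acl = self.acls[direction]
        return True if acl is None else acl.evaluate(pkt)[0]

def policy_route(pkt: Packet, route_map, default_next_hop: str) -> str:
    """PBR: the first route-map entry whose ACL permits the packet sets the
    next hop; anything else follows the normal routing table."""
    for acl, next_hop in route_map:
        if acl.evaluate(pkt)[0]:
            return next_hop
    return default_next_hop

# Constructed example ACLs (numbers, addresses and next hops are made up).
STD_10 = ACL("10", extended=False, rules=[
    Rule(permit=False, src="192.168.10.20/32"),     # one host blocked
    Rule(permit=True, src="192.168.10.0/24"),       # rest of the subnet allowed
])
EXT_101 = ACL("101", extended=True, rules=[
    Rule(permit=True, src="192.168.10.0/24", dst="10.0.0.5/32", proto="tcp", dport=80),
    Rule(permit=True, src="any", proto="icmp"),
])
WEB_TRAFFIC = ACL("102", extended=True, rules=[Rule(permit=True, proto="tcp", dport=80)])
PBR_MAP = [(WEB_TRAFFIC, "10.1.1.2")]   # web traffic is steered to a different next hop

if __name__ == "__main__":
    vlan10 = Interface("vlan10")
    vlan10.apply("in", STD_10)
    print(vlan10.permits("in", Packet("192.168.10.20", "10.0.0.5")))        # False
    print(EXT_101.evaluate(Packet("192.168.10.7", "10.0.0.5", "tcp", 22)))   # (False, None)
    print(policy_route(Packet("192.168.10.7", "10.0.0.5", "tcp", 80), PBR_MAP, "10.1.1.1"))
```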
Enterprise Routing – Multicast Routing
•Multicast Introduction
•IGMP
-Overview
•PIM-SM/PIM-SSM
-Overview
•PIM-SM Configuration
- IGMP/PIM-SM Configuration
- IGMP/PIM-SM Configuration Verification
Multicast Routing (diagram): a Video Conferencing Source (192.18.0.32) behind a Switch and its Designated Router; the multicast dataflow passes the Rendezvous Router and a Last-Hop Router towards the Sales receivers, while another branch is labelled “No receivers”.
Multicast Routing : IGMP (diagram): a Multicast Server on Network A, Switch 1, Switch 2, Switch 3, Router 1, Receiver 1 and Receiver 2. Steps shown:
1. The multicast stream is sent to the switch by the host (server)
2. The switch floods multicast traffic (IGMP snooping is not enabled) to the router
Solicited Join:
3. The router sends a query
4. The host responds with a Join
5. The router sends the stream
Unsolicited Join & IGMP Leave:
6. The host sends a Join
7. The router sends the stream
8. The host sends an IGMP Leave and stops receiving the stream
PIM-SM Overview-Multicast Forwarding (diagram)
PIM-SM Overview– Message Types
PIM-SM version 1 messages are carried within IGMP packets. PIM-SM version 2 messages are encapsulated in IP packets with a protocol number of 103. Initially, PIM-SM uses a shared tree for multicast distribution. A router is administratively elected as the rendezvous point in the network. New sources are required to register with the rendezvous point. Once this is done, multicast packets are forwarded to receivers.
PIM-SM enabled devices use the following message types:
• Hello (Hold Time)
• Hello (Designated router priority)
• Register
• Register-Stop
• Join/Prune (J/P)
• Bootstrap
• Candidate RP message
• Assert
PIM-SM Overview – Message Flow (diagram)
Enterprise Routing – VRRP
Overview
Virtual Router Redundancy Protocol (VRRP) provides a means for redundant access to remote destinations by associating multiple routers, physically connected to a common LAN segment, to one “virtual router.”
• Designed to eliminate a single point of failure for hosts on a shared LAN
• An election protocol to provide a virtual router function for redundant access to remote destinations
• A Master is elected to be responsible for forwarding packets for hosts
• Dynamic fail-over should the Master become unavailable
• LAN clients can then always use the virtual router as the gateway
The virtual router is configured with a VRID, or Virtual Router Identifier. This VRID can range from 1 to 255 and is unique to each virtual router on a particular LAN segment.
Benefits
• High availability default path
• Does not require dynamic routing or router discovery protocols on end-hosts
• Facilitates resilience and load sharing at the same time
Enterprise Routing – VRRP
Concepts and Definitions
Router’s Roles in VRRP
• Virtual Router (VR)
– VR Identifier (VRID)
– VR Priority
• IP Address Owner
• Virtual Router Master
• Virtual Router Backup
VR Master Election
• VRRP Advertisement
• Normal Operation: the VR Master is the IP Address Owner if one exists
• Failover when master not available
(diagram): hosts IP3/MAC3 and IP4/MAC4 use Gateway=IP1 and resolve MAC(IP1)=VMAC1. The Master (IP1/MAC1, VRRP cfg: VRID=1, IP=IP1, Pri=255) sends advertisements (ADV); the Backup (IP2/MAC2, VRRP cfg: VRID=1, IP=IP1, Pri=100) becomes New Master on failover.
Enterprise Routing – VRRP
Critical IP functionality allows an administrator to force a VRRP failover if a specified interface goes down, for example an interface used for internet access.
• This is accomplished by monitoring the availability of a defined path which is not physically connected to the VLAN being protected by the VRRP process
• When the monitored path goes down, the current master sends an ADVERTISEMENT indicating the updated priority (note, the VRID’s priority will decrease by the value of the critical-ip’s critical-priority). It then relinquishes its mastership for the VLAN
• When the path restores, so does the VR priority, and the master will resume the master state if Preemption is enabled
Consideration of IP address ownership
• An IP Address Owner that is not the master no longer receives the traffic it is supposed to
• Thus it may be considered down by other routers
• Use different Virtual IP Addresses when using this feature
Critical IP (diagram): the Master sends ADV(0) and the backup becomes New Master.
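A simulation of VRRP master election with the critical-IP priority decrement, preemption and the IP-address-owner caveat described above, as an added example that is not part of the original deck; the router addresses and the critical-priority value of 200 are constructed, and a tie on priority is broken by the higher IP address (the RFC 3768 rule, assumed here because the deck does not state one).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

@dataclass
class VRRPRouter:
    name: str
    ip: str                    # the router's own interface address (constructed)
    vrid: int
    priority: int              # 255 marks the IP Address Owner
    preempt: bool = True
    critical_ips: Dict[str, int] = field(default_factory=dict)  # monitored path -> critical-priority
    down_paths: Set[str] = field(default_factory=set)
    alive: bool = True

    def effective_priority(self) -> int:
        """Deck: while a monitored path is down the VRID's priority drops by that
        critical-ip's critical-priority. Floor at 1 so the router stays a backup
        (priority 0 is reserved for a master announcing that it gives up the role)."""
        penalty = sum(self.critical_ips[p] for p in self.down_paths)
        return max(self.priority - penalty, 1)

class VirtualRouter:
    """One VRID on one LAN segment; tracks which router is Master."""

    def __init__(self, vrid: int, routers):
        if not 1 <= vrid <= 255:
            raise ValueError("VRID must be 1..255")
        self.vrid = vrid
        self.routers = [r for r in routers if r.vrid == vrid]
        self.master = None
        self._settle()

    def _best(self) -> VRRPRouter:
        # Highest effective priority wins; a tie goes to the higher IP address
        # (RFC 3768 tie-break, an assumption since the deck does not state one).
        return max((r for r in self.routers if r.alive),
                   key=lambda r: (r.effective_priority(), int(ipaddress.ip_address(r.ip))))

    def _settle(self, master_yields: bool = False) -> str:
        best = self._best()
        if self.master is None or not self.master.alive or master_yields:
            self.master = best                 # backup takes over (or master re-elected)
        elif best is not self.master and best.preempt:
            self.master = best                 # higher priority returned and may preempt
        return self.master.name

    def path_down(self, router: VRRPRouter, path: str) -> str:
        router.down_paths.add(path)
        # A master whose monitored path failed advertises its reduced priority
        # and relinquishes mastership; the election then runs on the new values.
        return self._settle(master_yields=(router is self.master))

    def path_up(self, router: VRRPRouter, path: str) -> str:
        router.down_paths.discard(path)        # priority restores with the path
        return self._settle()

    def fail(self, router: VRRPRouter) -> str:
        router.alive = False                   # stops advertising: backups elect
        return self._settle()

    def recover(self, router: VRRPRouter) -> str:
        router.alive = True
        return self._settle()

    def owner_not_master(self) -> bool:
        """The deck's caveat: an IP Address Owner (priority 255) that is not the
        master no longer receives traffic sent to its own address."""
        return any(r.priority == 255 and r.alive and r is not self.master for r in self.routers)

def deck_topology():
    """The two-router setup of the deck's diagram: owner with priority 255 and a
    backup with priority 100; the critical-priority of 200 is a constructed value."""
    r1 = VRRPRouter("R1", "192.0.2.1", vrid=1, priority=255, critical_ips={"internet": 200})
    r2 = VRRPRouter("R2", "192.0.2.2", vrid=1, priority=100)
    return VirtualRouter(1, [r1, r2]), r1, r2

if __name__ == "__main__":
    vr, r1, r2 = deck_topology()
    print(vr.master.name)                      # R1
    print(vr.path_down(r1, "internet"))        # R2: R1 drops to 55 and yields
    print(vr.owner_not_master())               # True
    print(vr.path_up(r1, "internet"))          # R1 preempts once its priority is back
```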
SNMP Overview
• MIB Hierarchy
SNMP Overview
• Object Identifiers (OIDs)
– How will objects be accessed in the MIB?
– What is going to be managed?
Objects, or pieces of information that need to be managed, for example:
• sysUpTime (1.3.6.1.2.1.1.3): total up time for node
• sysContact: node contact person
• sysLocation: device location
sysUpTime OID: iso(1).org(3).dod(6).internet(1).mgmt(2).mib-II(1).system(1).sysUpTime(3)
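BER encoding and decoding of OIDs such as the sysUpTime path walked above, as an added example that is not part of the original deck; the system-group leaf numbers come from MIB-II (RFC 1213), and the enterprise OID used to show a multi-byte sub-identifier is a constructed value.

```python
# MIB-II system group leaf numbers under 1.3.6.1.2.1.1 (RFC 1213); the deck
# walks the sysUpTime branch and names sysContact and sysLocation.
SYSTEM_GROUP = "1.3.6.1.2.1.1"
SYSTEM_LEAVES = {"sysDescr": 1, "sysObjectID": 2, "sysUpTime": 3,
                 "sysContact": 4, "sysName": 5, "sysLocation": 6}

def system_oid(name: str, instance: int = 0) -> str:
    """Scalar objects are addressed with instance .0, e.g. sysUpTime.0."""
    return f"{SYSTEM_GROUP}.{SYSTEM_LEAVES[name]}.{instance}"

def encode_oid(oid: str) -> bytes:
    """BER contents octets for an OBJECT IDENTIFIER: the first two arcs share
    one value (40*first + second) and every value is written base-128 with the
    high bit set on all but its last byte."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                         # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body       # long form

def oid_tlv(oid: str) -> bytes:
    """Complete TLV as it appears inside an SNMP PDU: tag 0x06, length, contents."""
    contents = encode_oid(oid)
    return b"\x06" + ber_length(len(contents)) + contents

def decode_oid(tlv: bytes) -> str:
    """Inverse of oid_tlv; rejects a wrong tag, a truncated value and a
    sub-identifier whose continuation bit runs past the end of the contents."""
    if len(tlv) < 2 or tlv[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    length, pos = tlv[1], 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(tlv[2:2 + n], "big")
        pos = 2 + n
    contents = tlv[pos:pos + length]
    if len(contents) != length or not contents:
        raise ValueError("truncated OID contents")
    if contents[-1] & 0x80:
        raise ValueError("sub-identifier continues past end of contents")
    arcs, value = [], 0
    for b in contents:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

if __name__ == "__main__":
    oid = system_oid("sysUpTime")
    print(oid, oid_tlv(oid).hex())                # 1.3.6.1.2.1.1.3.0 06082b06010201010300
    print(decode_oid(oid_tlv("1.3.6.1.4.1.2011")))  # constructed enterprise OID round-trips
```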
SNMP Overview
• SNMP Communities
SNMP Overview
• SNMPv1 Communication (diagram)
Manager:
– Queries agents
– Configures devices
– Acknowledges faults
– Processes system data
– Provides security
Agent:
– Responds to requests
– Sends unsolicited traps
– Stores and retrieves management data
– Can be a proxy for non-SNMP network nodes
Messages between manager and agent: Get, GetNext, Set, GetResponse, Trap
SNMP Overview
• Efficiency Enhancements with SNMPv2 (diagram)
– Large table retrievals (router tables, for example)
– 10-20% increase in speed for table retrieval
– Confirmed event notification
– Shares information between NMS applications, agents, and agents and managers (Manager/Agent)
Messages: Get, GetNext, Set, GetResponse, Trap, plus InformRequest and GetBulk
SNMP Overview
• Security Enhancements with SNMPv3 (RFCs 2571-2575)
– Robust user-level authentication
– Message integrity checking
– Message encryption
– Role-based authorization
SNMP Overview
• SNMPv3 Architecture (diagram): an SNMP Entity consists of an SNMP Engine (identified by snmpEngineID) made up of a Dispatcher, a Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, plus Applications: Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder and Other.
SNMP Summary
• In-band and out-of-band management
• SNMP components and functions (SNMPv1)
• Enhancements provided by SNMPv2 and SNMPv3
Network Applications
DHCP Basics
• Designed to centralize network administration by automatically assigning valid IP addresses from a pool or a scope (range of IP addresses)
• The client (PC/Cable Modem/Printer) leases an address from the server for a period of time (routers do not usually get an address by DHCP)
• 4 step process that involves the following
– Discover
– Offer
– Request
– Acknowledgement
• Configuration options can be supplied to the requesting device
– IP Address
– Subnet
– Default Gateway
– Relay Agent
TFTP Basics
• TFTP uses the connectionless UDP transport protocol from the IP suite
– Data packets are not larger than 512 bytes
• Has a one for one relationship at the application layer
– One block of data sent, one acknowledgement sent in response to the data block
– If no response there is an attempt to send the data block again, up to a default of 4 times, at which point communication ends
• Uses a “client-server” model
• Port 69 is the server port that the client’s request goes to
• Unlike FTP, which uses four port connections, TFTP uses only three port connections
• Initially designed to bootstrap “diskless” workstations, now used to update network hardware in an Intranet
HTTP Basics
• HTTP is a language spoken between a web browser (client software) and a web server (server software) so they can communicate with each other and exchange files.
• HTTP is a “Request-Response” protocol that specifies that the client will open a connection to a server then send a Request using a very specific format. The server will then Respond and close the connection.
• The key to an HTTP session is Hypertext. Hypertext is data that contains links to other data.
• A URL page with both words and pictures has two sessions: one for the text and one for pictures.
• HTTP is known as a “stateless” session. The session does not stay open for multiple requests.
HTTPS / SSL Basics
• Secure mode of moving data over an insecure transmission medium
• Addresses issues of three key entities
– Server
– Client
– Data
• Built into both Netscape and Internet Explorer
• Encrypts only the data portion of the packet (the IP and TCP headers are not encrypted)
– IP
– TCP
DNS Basics
• Distributed database used by the TCP/IP suite to resolve a name to an IP address; may provide other types of information
– AP Engines = 208.185.160.9
– Designated zones must run DNS servers in redundant mode
– No single entity is responsible for the entire DNS model
• Caching is critical for keeping down network traffic
• Within the DNS application is an entity known as the “Resolver” and it is the responsibility of the Resolver to bind names to IP addresses
• The DNS uses a Domain Name Server Tree to categorize top level domains. The top level is the unnamed root represented by a .
– .com (most valuable of names)
– .edu
– .org
– .net
– .mil
– .gov
Telnet
• Allows a terminal service to operate over a network
• Telnet comes in many flavors and the correct terminal needs to be utilized
– DEC VT series (common)
– IBM 3270
• Advantage of telnet is it allows a user to log in to a device from anywhere as long as security options are ok
• Works with multiple O/S systems
• Disadvantage of telnet is it is a portal into a network
• Telnet begins with the 3-way handshake at layer 4
• After the 3-way handshake the devices must work on synchronizing the session:
– DOS uses CR-LF to terminate a line
– UNIX uses just a LF
– Who will echo characters to the initiator of the telnet session
File Transfer Protocol (FTP)
• Data can be transferred by one of three means in the TCP/IP environment
– Trivial File Transfer Protocol (TFTP)
– Network File System (NFS)
– File Transfer Protocol (FTP)
• FTP requires the use of 4 socket ports
– Well known ports 21 and 20
– Two open ports greater than 1024
FTP Ports
• Port 21 is used for initial setup and controls the session
• Port 20 is used to actually transfer the data
• Port 21 is opened any time a GET command is issued and after the transfer of the file port 21 is closed
Applications for Network Devices (diagram): each Network Device is drawn as an ASIC with its TCAMs, a Low-Level ASIC Interface, an Operating System (OS) and the Apps running on top of that software stack.
Enabling a shift from protocols to applications
Separation of Applications (diagram): a Controller (OpenFlow controller or SDN controller) sits above several Network Devices. Each Network Device keeps its Software stack (ASIC with TCAMs, Low-Level ASIC Interface, Operating System (OS) and Apps), while the applications are pulled out of the devices and run on the controller’s own Operating System (OS).
SDN Controller (diagram): the SDN Controller runs the Apps on its Operating System (OS) and pushes Flows down to the Network Devices (ASIC with TCAMs, Low-Level ASIC Interface) through an Agent on each device.
Southbound: OpenFlow, NetConf, SNMP, Node Aware
Northbound: Code Base Automation, vBRAS/vCDN/vADC control
The All-Seeing Eye for Almighty
Thank you very much