Basic Network Training


Upload: james-jong-seog-ahn

Post on 21-Apr-2017


Page 1: Basic Network Training

2014-04-18


For Programmers: Basic Network Training James Jongseog Ahn

Senior Managing Director, NAIM Networks, [email protected]

April, 2014

Table of contents

1 Network Architecture
2 IEEE 802.3 Ethernet
3 Internet Protocol
4 VLAN
5 Spanning Tree
6 LACP
7 Routing (Basic, BGP)
8 SNMP
9 Network Applications


LAN Extension and Virtualization using Layer 3 Protocols

Figure labels: Virtual Bridging for DC; Carrier Ethernet; Data Center Ethernet



Brief history of the Internet


Programming without Architecture
• Application
• Network
• Terminal

Jobs for SDN Programmer


The 4 Layer Internet Model


Peer layers communicate (figure labels: Program, Program)

• SDN: Enabling a shift from protocols to applications (figure labels: Database, Protocol, Program)

What is SDN for programmers?


Why is the Network Layer often called “Layer3”?


The TCP Segment Format


$ python tcp_sixteen.py server
Listening at ('127.0.0.1', 1060)
We have accepted a connection from ('127.0.0.1', 58185)
Socket connects ('127.0.0.1', 1060) and ('127.0.0.1', 58185)
The incoming sixteen-octet message says 'Hi there, server'
Reply sent, socket closed
Listening at ('127.0.0.1', 1060)


Connection oriented: 3-way handshake


Typical SYN Attack
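The segment format and the handshake above are easiest to see in code. The following is an added example, not the author's tcp_sixteen.py: it decodes the fixed 20-byte TCP header with struct, builds header-only segments, and tallies per source how many SYNs were never followed by the client's handshake-completing ACK, which is the half-open count a SYN-flood detector watches. The traffic sample at the bottom is constructed, not captured.

```python
import struct
from collections import Counter

# Flag bits in the 16-bit "data offset / reserved / flags" word of the TCP header.
TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080}


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793) from raw bytes.

    Returns the header fields plus the option bytes and the payload.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    (src_port, dst_port, seq, ack, off_flags, window,
     checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset: %d bytes" % header_len)
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "header_len": header_len,
        "flags": [name for name, bit in TCP_FLAGS.items() if off_flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


def build_tcp_segment(src_port, dst_port, seq, ack, flag_names,
                      window=65535, payload=b"") -> bytes:
    """Build a TCP segment with no options; the checksum is left at zero
    because it needs the IP pseudo-header, which this example does not have."""
    off_flags = 5 << 12                        # 5 words = 20-byte header
    for name in flag_names:
        off_flags |= TCP_FLAGS[name]
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         off_flags, window, 0, 0)
    return header + payload


def half_open_counts(segments_with_src):
    """Tally, per source IP, how many SYNs were sent and how many of those
    connections never saw the client's handshake-completing ACK.

    segments_with_src: iterable of (src_ip, raw_segment) seen from the
    client side. A source with many SYNs and as many half-open entries is
    the signature a SYN-flood detector keys on.
    """
    pending = {}          # (src_ip, src_port, dst_port) -> SYN seq number
    syns = Counter()
    for src_ip, raw in segments_with_src:
        hdr = parse_tcp_segment(raw)
        key = (src_ip, hdr["src_port"], hdr["dst_port"])
        if "SYN" in hdr["flags"] and "ACK" not in hdr["flags"]:
            pending[key] = hdr["seq"]
            syns[src_ip] += 1
        elif "ACK" in hdr["flags"] and key in pending:
            del pending[key]                   # third handshake step seen
    half_open = Counter(ip for ip, _, _ in pending)
    return {ip: (syns[ip], half_open[ip]) for ip in syns}


# Constructed sample traffic (not a capture): one completed handshake from
# 10.0.0.5 and three bare SYNs from 10.0.0.9 with no follow-up ACK.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_tcp_segment(40000, 80, 1000, 0, ["SYN"])),
    ("10.0.0.5", build_tcp_segment(40000, 80, 1001, 5001, ["ACK"])),
    ("10.0.0.9", build_tcp_segment(50001, 80, 1, 0, ["SYN"])),
    ("10.0.0.9", build_tcp_segment(50002, 80, 1, 0, ["SYN"])),
    ("10.0.0.9", build_tcp_segment(50003, 80, 1, 0, ["SYN"])),
]

if __name__ == "__main__":
    for ip, (sent, still_open) in sorted(half_open_counts(SAMPLE_TRAFFIC).items()):
        print("%-10s SYNs sent: %d  still half-open: %d" % (ip, sent, still_open))
```

Only the client side is modelled here; on a real capture the SYN/ACK from the server would appear between the two 10.0.0.5 segments and is simply ignored by the tally because its source is the server.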


The TCP Service Model


User Datagram Protocol (UDP)


UDP and TCP port numbers - 3 ranges

• “Well-Known Ports” (0–1023) are for the most important and widely-used protocols. On many Unix-like operating systems, normal user programs cannot use these ports, which prevented troublesome undergraduates on multi-user machines from running programs to masquerade as important system services. Today the same protections apply when hosting companies hand out command line Linux accounts.

• “Registered Ports” (1024–49151) are not usually treated as special by operating systems—any user can write a program that grabs port 5432 and pretends to be a PostgreSQL database, for example—but they can be registered by the IANA for specific protocols, and the IANA recommends that you avoid using them for anything but their assigned protocol.

• The remaining port numbers (49152–65535) are free for any use. They, as we shall see, are the pool on which modern operating systems draw in order to generate

Internet Assigned Numbers Authority (IANA)

TCP vs UDP


CPU Utilization for I/O Interrupt

$ python big_sender.py guinness
The message did not make it
MTU: 1500

$ python big_sender.py localhost
The message did not make it
MTU: 16436

UDP Fragmentation



IEEE 802.3 Ethernet Overview


Ethernet Type | Cable                | Minimum Length Between Nodes (m) | Maximum Segment Length (m)
10BaseT       | UTP                  | 2.5 | 100
10BaseFL      | Fiber                | N/A | 4000
100BaseT      | UTP                  | 2.5 | 100
100BaseFX     | Fiber                | N/A | 2000
1000BaseT     | UTP (CAT-5 minimum)  | 2.5 | 100
1000BaseSX    | Fiber (multi-mode)   | N/A | 225-550
1000BaseLX    | Fiber (multi-mode)   | N/A | 550
1000BaseLX    | Fiber (single-mode)  | N/A | 5000
10GBASE-SR    | Fiber (multi-mode)   | N/A | 300
10GBASE-LR    | Fiber (single-mode)  | N/A | 10000

IEEE 802.3 Ethernet Overview

• Ethernet at the Data Link layer has two responsibilities:

– Ethernet addressing, also known as hardware addressing, and most commonly as MAC addressing.

– Framing packets received from the Network layer and preparing them for transmission on the local network via the Ethernet contention media access method.


$ python big_sender.py guinness
The message did not make it
MTU: 1500

$ python big_sender.py localhost
The message did not make it
MTU: 16436

PPPoE MTU is 1492


Ethernet Speeds

IEEE 802.3ba-2010 (40G/100G) standard
• 10 Mbps, 100 Mbps and 1 Gbps versions have both CSMA/CD and full-duplex variants
• No CSMA/CD in 10G and up
• No CSMA/CD in practice now, even at home or at 10 Mbps
• 1 Gbps in residential and enterprise offices
• 1 Gbps in data centers, moving to 10 Gbps and 40 Gbps
• 100G in some carrier core networks
• 100G is still more expensive than 10×10G
• Note: only decimal bit rates are used in networking; no cheating like the binary byte values used in storage (buy a 256 GB disk = 238.4 GB storage)

CSMA/CD

Carrier Sense Multiple Access With Collision Detection (CSMA/CD)

The sender needs to wait 2T seconds before it can be sure of detecting a collision. For a 2500 m segment the round-trip time (2T) is 51.2 μs; this fact enforces a 51.2 μs slot time, which at 10 Mbps is 512 bits, i.e. a minimum frame size of 64 bytes assures collision detection.


Extensions of Ethernet

• Interfaces for 10 Gigabit Ethernet Connections
• 802.3ae defines two PHY types:
  – LAN PHY
  – WAN PHY


Polarization Mode Dispersion (PMD)

Extensions of Ethernet

• 802.3z Gigabit Ethernet Overview
• CSMA/CD
• 802.3ae 10 Gigabit Ethernet Overview


Extensions of Ethernet

• Gigabit Ethernet Auto-Negotiation
  – Duplex mode
  – Flow control type

• Pause feature for flow control
  – Symmetric: This station is capable of transmitting and receiving pause frames.
  – Asymmetric TX: This station is capable of transmitting pause frames, but will not receive pause frames.
  – Asymmetric RX: This station is capable of receiving pause frames, but will not transmit pause frames.
  – Disabled: This station is not capable of transmitting or receiving pause frames.


Extensions of Ethernet

• Two primary types of media for Gigabit Ethernet:
  – 1000BaseSX (short wave)
    • This media type is intended for short-haul operations.
    • Operates in the 850 nanometer (nm) window over multi-mode fiber (MMF), as follows:
      – 50 micron multi-mode fiber-optic cable (500 to 550 meters maximum)
      – 62.5 micron multi-mode fiber-optic cable (220 to 275 meters)
    • Utilizes a Class 1 laser as an optical driver.
  – 1000BaseLX (long wave)


Extensions of Ethernet

• Two primary types of media for Gigabit Ethernet:
  – 1000BaseSX (short wave)
  – 1000BaseLX (long wave)
    • This media type is intended for long-haul operations.
    • Operates in the 1300 nm window.
    • Utilizes a Class 1 laser as an optical driver.
    • Can operate over both single-mode fiber (SMF) and multi-mode fiber (MMF). However, the use of a mode-conditioning patch cord is required if MMF is used.

• 1000BaseLX implements long-wavelength laser transmissions with links up to 550 meters over multi-mode fiber-optic cable, and 3,000 meters over single-mode fiber-optic cable.

• MGBIC-08 is a Mini-Gigabit Ethernet port interface with one 1000Base-LX/LH port via LC connector at distances up to 70 kilometers.


Extensions of Ethernet

• Mode-Conditioning Patch Cords


Extensions of Ethernet

• LAN Applications of 10 Gigabit Ethernet


SDN for WAN??

Market: Residential vs. Data Center Ethernet

bit error rate or bit error ratio (BER)


ARP

• Address Resolution Protocol (ARP) is a mechanism used by IP to find the hardware address of a host from an IP address.

• When IP hands a datagram to the Data Link layer (layer 2), Ethernet must find the hardware address, also known as the MAC address, of the destination on the local network. Since Ethernet uses hardware addresses to identify source and destination, ARP obtains the hardware address by broadcasting a request for the specified IP address; the machine that owns that IP address replies with its hardware address.


Replacing with ‘broadcast MAC address’ for SDN

IEEE 802.3 Ethernet Overview


• Ethernet Data Frames (Frame Types)


Bridges and Switches

• Source Address Table (SAT)
  – Static database: Contains source addresses that are entered by a network administrator.
  – Learned database: Consists of source addresses that accumulate as part of the learning process.


from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import MAIN_DISPATCHER, set_ev_cls


class L2Switch(app_manager.RyuApp):
    def __init__(self, *args, **kwargs):
        super(L2Switch, self).__init__(*args, **kwargs)

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def packet_in_handler(self, ev):
        msg = ev.msg                        # the OpenFlow PacketIn message
        dp = msg.datapath                   # the switch that sent it
        ofp = dp.ofproto                    # protocol constants for that switch
        ofp_parser = dp.ofproto_parser      # message builder for that switch
        in_port = msg.match['in_port']      # port the packet arrived on

• MAC address table
• Port up/down events
• VLANs
• LLDP
• ???

MAC Address Format


SDN programmers can see MAC addresses!! And they can build their own tables.


Building a Source Address Table

SAT: MAC A → Port 1, MAC B → Port 2, MAC C → Port 3, etc.


SDN programmers can see ports and MAC addresses!! And they can build their own tables.
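The "personal table" an SDN programmer would build from those ports and MAC addresses is exactly the Source Address Table above. The following is an added example, not code from the slides: a learning bridge with the static and learned databases described earlier, a bound on the learned database so a stream of random source addresses evicts old entries rather than growing without limit, and the flood-or-forward decision. The MAC addresses and port numbers are constructed.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Group (multicast/broadcast) bit is the LSB of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    """A bridge's Source Address Table (SAT) and the forwarding decision.

    static:  administrator-entered entries, never overwritten by learning
    learned: entries that accumulate from the source address of each frame;
             bounded by max_entries so a flood of random source MACs evicts
             the oldest entries instead of growing without limit
    """

    def __init__(self, ports, max_entries=1024, static=None):
        self.ports = list(ports)
        self.max_entries = max_entries
        self.static = dict(static or {})
        self.learned = OrderedDict()          # insertion order = age

    def learn(self, src_mac: str, in_port: int) -> None:
        if src_mac in self.static or is_group_address(src_mac):
            return                            # group MACs are never valid sources
        if src_mac in self.learned:
            self.learned.move_to_end(src_mac)
        elif len(self.learned) >= self.max_entries:
            self.learned.popitem(last=False)  # evict the oldest entry
        self.learned[src_mac] = in_port       # a station may have moved port

    def lookup(self, mac: str):
        return self.static.get(mac, self.learned.get(mac))

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> list:
        """Learn from the source, then return the ports the frame goes out."""
        self.learn(src_mac, in_port)
        out = self.lookup(dst_mac)
        if out is None or is_group_address(dst_mac):
            return [p for p in self.ports if p != in_port]   # flood
        if out == in_port:
            return []                         # destination is on the ingress side
        return [out]


if __name__ == "__main__":
    # Constructed MAC addresses and a 3-port bridge (not from the slides).
    A, B = "00:11:22:33:44:01", "00:11:22:33:44:02"
    br = LearningBridge(ports=[1, 2, 3])
    print("A->B unknown, flooded to", br.forward(A, B, 1))
    print("B->A known, sent to    ", br.forward(B, A, 2))
    print("SAT:", dict(br.learned))
```

The eviction bound is the part worth noticing: the learned database is filled by whatever source addresses arrive on a port, so a finite table with an explicit replacement rule is what keeps the bridge from degrading into a hub when the table is full.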

Link Layer Discovery Protocol (LLDP)


Bootstrapping for SDN Switch

• Switches require initial configuration: switch IP address, controller IP address, default gateway
• Switches connect to the controller
• Each switch provides configuration information about its ports
• The controller installs a rule to forward LLDP responses to the controller and then sends an LLDP request, which is forwarded to all neighbors
• The controller determines the topology from the LLDP responses


LLDP for SDN Controller
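The bootstrap steps above, carried through in code as an added example (not the slides' or any controller framework's own code): the mandatory LLDP TLVs are built and parsed with struct, a simulated controller sends an LLDP frame out every switch port, each receiving switch punts it back as a packet-in, and the controller turns the (sender chassis, sender port, receiver, receiver port) tuples into links. The cabling table WIRING is constructed and stands in for the physical network; a real controller would learn ports from the switches' configuration messages instead.

```python
import struct

LLDP_ETHERTYPE = 0x88CC                       # carried in the Ethernet type field
LLDP_MULTICAST = "01:80:c2:00:00:0e"          # nearest-bridge group address
SUBTYPE_LOCAL = 7                             # "locally assigned" ID subtype


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type, 9-bit length, big-endian."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp(chassis_id: str, port_id: str, ttl: int = 120) -> bytes:
    """LLDPDU with the mandatory Chassis ID, Port ID, TTL and End TLVs."""
    return (_tlv(1, bytes([SUBTYPE_LOCAL]) + chassis_id.encode())
            + _tlv(2, bytes([SUBTYPE_LOCAL]) + port_id.encode())
            + _tlv(3, struct.pack("!H", ttl))
            + _tlv(0, b""))


def parse_lldp(payload: bytes) -> dict:
    """Walk the TLV list; reject truncated TLVs and missing mandatory ones."""
    fields, off = {}, 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack("!H", payload[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = payload[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == 0:
            break
        if tlv_type == 1:
            fields["chassis_id"] = value[1:].decode()
        elif tlv_type == 2:
            fields["port_id"] = value[1:].decode()
        elif tlv_type == 3:
            fields["ttl"] = struct.unpack("!H", value)[0]
    if "chassis_id" not in fields or "port_id" not in fields:
        raise ValueError("mandatory TLV missing")
    return fields


class TopologyController:
    """Simulated controller following the bootstrap steps: it sends an LLDP
    frame out every switch port, and every switch has a rule that punts
    received LLDP to the controller as a packet-in (switch, in_port, payload).

    wiring is a constructed cabling table {(dpid, port): (dpid, port)} that
    stands in for the physical network; the controller only sees packet-ins.
    """

    def __init__(self, wiring):
        self._wiring = wiring
        self.links = set()                    # (src_dpid, src_port, dst_dpid, dst_port)

    def packet_in(self, dpid: str, in_port: int, payload: bytes) -> None:
        lldp = parse_lldp(payload)
        self.links.add((lldp["chassis_id"], int(lldp["port_id"]), dpid, in_port))

    def _packet_out(self, dpid: str, port: int, payload: bytes) -> None:
        peer = self._wiring.get((dpid, port))
        if peer is not None:                  # nothing attached: the frame is lost
            self.packet_in(peer[0], peer[1], payload)

    def discover(self) -> set:
        for dpid, port in sorted(self._wiring):
            self._packet_out(dpid, port, build_lldp(dpid, str(port)))
        return self.links

    def bidirectional_links(self) -> set:
        """Keep only links confirmed from both ends; a one-way sighting is a
        cabling fault or an unverified advertisement, not a usable link."""
        return {tuple(sorted([(a, pa), (b, pb)]))
                for a, pa, b, pb in self.links if (b, pb, a, pa) in self.links}


# Constructed three-switch cabling: s1:1 <-> s2:1, s2:2 <-> s3:1, and s1:2
# reaches s3:2 one way only (s3 never sends LLDP back on that port).
WIRING = {("s1", 1): ("s2", 1), ("s2", 1): ("s1", 1),
          ("s2", 2): ("s3", 1), ("s3", 1): ("s2", 2),
          ("s1", 2): ("s3", 2)}

if __name__ == "__main__":
    ctl = TopologyController(WIRING)
    ctl.discover()
    for link in sorted(ctl.bidirectional_links()):
        print(link)
```

Requiring both directions before trusting a link is the cheap sanity check: the controller accepts whatever chassis and port IDs arrive in the packet-in, so a link that only ever shows up from one side should be inspected, not routed over.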


The Internet Protocol


IP Header

IPv4 Datagram


IPv4

• IPv4 Addressing Notation
  – Four bytes (32 bits) of address
  – Computers see binary
    • 00001010 00000000 00000000 00000001
  – Dotted decimal notation is used for human readability
    • 10.0.0.1

• Full range of IP addresses is from 0.0.0.0 through 255.255.255.255
  – Represents a total of 4,294,967,296 possible IP addresses

Figure: 10 . 0 . 0 . 1 written as 8 bits . 8 bits . 8 bits . 8 bits

IPv4 Classes


IPv4 Classes

• IP Network Numbering


IPv4 Classes

• Special addresses
  – IP Loopback Address 127.0.0.1
  – Zero Addresses 0.0.0.0 through 0.255.255.255
  – Private Addresses: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16


Class A addresses begin with 0xxx, or 1 to 126 decimal. Example: 120.10.100.45 255.0.0.0 = 120.10.100.45/8
Class B addresses begin with 10xx, or 128 to 191 decimal. Example: 172.102.16.241 255.255.0.0 = 172.102.16.241/16
Class C addresses begin with 110x, or 192 to 223 decimal. Example: 198.178.102.2 255.255.255.0 = 198.178.102.2/24
Class D addresses begin with 1110, or 224 to 239 decimal.
Class E addresses begin with 1111, or 240 to 254 decimal.
Classes D and E are reserved and are not used for general IP address allocation.


Subnet Masks and Subnetting

Address (decimal)        176        203        126        143
Bit weights (each octet) 128 64 32 16 8 4 2 1
Binary                   10110000   11001011   01111110   10001111
Network mask (classful)  11111111   11111111   00000000   00000000
                         255        255        0          0
Classful network         10110000   11001011   00000000   00000000
                         176        203        0          0

Subnet Masks and Subnetting

• Problems with the partitioning of IPv4 address space
  – Problem 1: Lack of support for mid-sized organizations
    • Class B addresses support 64k hosts per network, too large
    • Class C addresses support 256 hosts per network, too small
  – Problem 2: Route table size getting too large
    • Roughly 2 million plus networks for all class C addresses
  – Solution:
    • Variable Length Subnet Masking (VLSM)
    • Classless Inter-Domain Routing (CIDR)


Classless InterDomain Routing - CIDR

• Classless InterDomain Routing. CIDR was invented several years ago to keep the Internet from running out of IP addresses.

• People realised that addresses could be conserved if the class system was eliminated. By accurately allocating only the amount of address space that was actually needed, the address space crisis could be avoided for many years.

• So now if someone has a class A address but wants to restrict the number of hosts, they can use CIDR or subnetting.

Example: 120.10.100.45/8 can become 120.10.100.45/24. This then restricts the number of hosts on this network to 254.

This is because 120.10.100.0 is the network address and 120.10.100.255 is the broadcast address.

How many hosts would be allowed on the network with the following address? 20.10.100.45 255.255.255.240

Or 20.10.100.45 / 28
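The classful table, the /8-to-/24 example and the closing /28 question are all the same computation: AND the address with the mask, OR it with the inverted mask, and count what is left between them. The block below is an added example, not the author's code; it uses the standard-library ipaddress module for the mask arithmetic, and the to_binary, classful_class, classful_prefix and subnet_facts names are this example's own. It generalizes the slide's cases to any mask or prefix, including the /31 and /32 edge cases where "subtract two" would be wrong.

```python
import ipaddress


def to_binary(address: str) -> str:
    """Dotted-decimal -> the four 8-bit groups a computer sees."""
    return ".".join(format(int(octet), "08b") for octet in address.split("."))


def classful_class(address: str) -> str:
    """Class letter from the first octet, using the ranges on the slide."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"        # leading bit 0
    if first < 192:
        return "B"        # leading bits 10
    if first < 224:
        return "C"        # leading bits 110
    if first < 240:
        return "D"        # leading bits 1110
    return "E"            # leading bits 1111


def classful_prefix(address: str):
    """Natural mask length for classes A/B/C; D and E have none."""
    return {"A": 8, "B": 16, "C": 24}.get(classful_class(address))


def subnet_facts(address: str, mask) -> dict:
    """Network, broadcast and usable host count for address/mask.

    mask may be a prefix length (28) or a dotted mask ("255.255.255.240");
    both name the same /28 block. strict=False lets a host address stand
    in for its network, as in the slide's examples.
    """
    net = ipaddress.IPv4Network("%s/%s" % (address, mask), strict=False)
    total = net.num_addresses
    # A /31 (point-to-point) or /32 has no separate network/broadcast address.
    usable = total - 2 if net.prefixlen <= 30 else total
    return {
        "class": classful_class(address),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": total,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # The slide's own cases, plus its open question 20.10.100.45/28.
    for addr, mask in (("120.10.100.45", 8), ("120.10.100.45", 24),
                       ("20.10.100.45", "255.255.255.240"),
                       ("176.203.126.143", classful_prefix("176.203.126.143"))):
        print(addr, to_binary(addr), subnet_facts(addr, mask))
```

For the slide's question, 20.10.100.45 with 255.255.255.240 lands in the block 20.10.100.32 to 20.10.100.47: 16 addresses, of which 14 are usable hosts once the network and broadcast addresses are taken out.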


IPv6 Addressing Notation

• IPv6 Addressing Notation
  – 16 bytes (128 bits) long
  – Full notation: pairs of IPv6 bytes are separated by a colon and each byte in turn is represented as a pair of hexadecimal digits: E3D7:0000:0000:0000:51F4:9BC8:C0A8:6420
  – Shorthand notation removes bytes with a zero value from the text representation (though the bytes are still present in the actual network address) as follows: E3D7::51F4:9BC8:C0A8:6420
  – Mixed notation is used when IPv6 addresses are extensions of IPv4 addresses: the rightmost four bytes of an IPv6 address (the rightmost two byte pairs) may be rewritten in the IPv4 notation as follows: E3D7::51F4:9BC8:192.168.100.32

• This larger size means that IPv6 supports more than 300,000,000,000,000,000,000,000,000,000,000,000,000 possible addresses
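The three notations above are produced from the packed 128-bit value by the following added example (not code from the slides). ipaddress does the parsing; the compression rule is written out by hand so the reader can see it: strip leading zeros per group, then replace the longest run of two or more all-zero groups with "::", the first run winning a tie. The ipv6_full, ipv6_shorthand and ipv6_mixed names are this example's own.

```python
import ipaddress


def ipv6_full(addr: str) -> str:
    """Full notation: eight 16-bit groups, four hex digits each, colon-separated."""
    packed = ipaddress.IPv6Address(addr).packed
    return ":".join("%02X%02X" % (packed[i], packed[i + 1]) for i in range(0, 16, 2))


def _compress(groups) -> str:
    """Drop leading zeros in each group and replace the longest run of
    all-zero groups (two or more; the first run wins a tie) with '::'."""
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(list(groups) + ["END"]):   # sentinel flushes the last run
        if g == "0000":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    short = [g.lstrip("0") or "0" for g in groups]
    if best_len < 2:
        return ":".join(short)
    head = ":".join(short[:best_start])
    tail = ":".join(short[best_start + best_len:])
    return head + "::" + tail


def ipv6_shorthand(addr: str) -> str:
    """Shorthand notation of any accepted IPv6 address string."""
    return _compress(ipv6_full(addr).split(":"))


def ipv6_mixed(addr: str) -> str:
    """Mixed notation: the rightmost four bytes written as IPv4 dotted decimal."""
    packed = ipaddress.IPv6Address(addr).packed
    head = _compress(ipv6_full(addr).split(":")[:6])
    v4 = ".".join(str(b) for b in packed[12:])
    return head + ("" if head.endswith("::") else ":") + v4


if __name__ == "__main__":
    for fn in (ipv6_full, ipv6_shorthand, ipv6_mixed):
        print(fn.__name__, fn("E3D7::51F4:9BC8:C0A8:6420"))
```

Because every function starts from the packed bytes, the same address in any of the three notations yields the same output, which is the property a log normaliser or an access-control comparison needs before matching IPv6 strings.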


IEEE 802.1Q VLAN Overview

• What is a VLAN?

– A Virtual Local Area Network
– A VLAN is a logical Layer 2 boundary for containing all traffic associated to it
– VLAN members do not have to be physically connected to the same switch
– VLAN members can be dispersed throughout a switched network


Think about VLAN for SDN!!


IEEE 802.1Q VLAN Overview

• Benefits of VLANs

– Broadcast (traffic) containment
– Simplify administrative adds, moves, and changes
– Shared resources are not bound by physical location
– Bandwidth management
– Security


IEEE 802.1Q VLAN Overview

• Compare Traditional Network Design

• Versus VLAN Design


Layer 2/3 Switch

What is a router?


IEEE 802.1Q VLAN Overview

• VLAN ID (VID)
• VLAN name
• PVID
• Filtering Database (FDB)
• FID
• VLAN Tag
• Tagged Frame
• Default VLAN
• Access Port
• Trunk Port
• Generic Attribute Registration Protocol VLAN Registration Protocol (GVRP)


Think about VLAN ID for OpenFlow!!

IEEE 802.1Q Tagging (frame layout figure)

Preamble + SFD (8 bytes) | MAC DA (6 bytes) | MAC SA (6 bytes) | Q Tag (4 bytes) | Length/Type (2 bytes) | LLC / Data (46 - 1500 bytes) | CRC (4 bytes)

Tagged frame length: 68 - 1522 bytes

Q Tag = TPI, Tag Protocol Identifier (2 bytes, value 81 00) + TCI, Tag Control Info (2 bytes)
TCI (16 bits) = Priority (3 bits) + CFI (1 bit) + VLAN ID (VID) (12 bits)

2^12 = 4,096


IEEE 802.1Q VLAN Overview

• Preparing for VLAN Configuration
  – What is the purpose of the VLAN design? (i.e. security containers, traffic broadcast containment)
  – How many VLANs will be required?
  – What stations (end users, servers, etc.) will belong to them?
  – What ports on the switch are connected to those stations?


IEEE 802.1Q VLAN Overview

• Plan for Default VLAN and Number of Supported VLANs
  – By default, all ports on all switches are:
    • Assigned to VLAN ID 1
    • Set to untagged on the egress list of VLAN 1
  – The number of VLANs and the range of VIDs supported varies depending on the device
  – IEEE 802.1Q specifies 4094 VLAN IDs; the allowable user-configurable range for VLAN IDs (VIDs) is from 1 through 4094
  – VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority info rather than a VLAN identifier
    • It cannot be configured as a port VLAN ID (PVID)
  – VID 1 is designated as the default Port VLAN IDentifier (PVID) and cannot be deleted
  – VID 4095 is reserved by IEEE


IEEE 802.1Q VLAN Overview

• There are 2 ways for a switch to learn & use VLAN addressing info:

– Independent Virtual Local Area Network (VLAN) Learning (IVL): Each VLAN uses its own filtering database.

– Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share source address info.


VLAN Database and Forwarding


• An untagged frame enters port 3; port 3 has a PVID = 20
  – Port 4 is in the egress queue of VLAN 20 as untagged → the packet exits port 4 as untagged
  – Port 4 is in the egress queue of VLAN 20 as tagged → the packet exits port 4 as tagged
  – Port 4 is not in the egress queue of VLAN 20 → the packet is not transmitted out of port 4

It can be a program for SDN!!

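The tag layout from the 802.1Q tagging slide and the three forwarding cases above are combined in this added example (not code from the slides or from Ryu): it parses and rebuilds Ethernet frames with an optional 802.1Q tag, then models the VLAN database as a PVID per port plus a per-VID egress list, so the same untagged frame entering port 3 exits port 4 untagged, tagged, or not at all depending only on that list. A frame that arrives already tagged with a VID its ingress port is not a member of is dropped (ingress filtering). Frame contents, MACs and port numbers are constructed; the build_frame, parse_frame and VlanSwitch names are this example's own.

```python
import struct

TPID_8021Q = 0x8100


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid=None, priority=0) -> bytes:
    """Ethernet II frame (FCS omitted) with an optional 802.1Q tag."""
    tag = b""
    if vid is not None:
        tci = (priority << 13) | (vid & 0x0FFF)        # PCP(3) CFI(1)=0 VID(12)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return _mac(dst) + _mac(src) + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """DA, SA, optional tag (priority, CFI, VID), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, body = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        body = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype,
            "payload": frame[body:]}


class VlanSwitch:
    """VLAN database: a PVID per port and, per VID, the egress list that
    says whether each member port sends that VLAN tagged or untagged."""

    def __init__(self, pvid: dict, egress: dict):
        self.pvid = dict(pvid)                                  # port -> PVID
        self.egress = {v: dict(m) for v, m in egress.items()}   # vid -> {port: mode}

    def ingress_vid(self, in_port: int, parsed: dict) -> int:
        tag = parsed["tag"]
        if tag is None or tag["vid"] == 0:      # untagged or priority-tagged
            return self.pvid[in_port]
        return tag["vid"]

    def decide(self, in_port: int, frame: bytes, out_port: int):
        """Return (disposition, frame_to_send): 'untagged', 'tagged' or 'dropped'."""
        parsed = parse_frame(frame)
        vid = self.ingress_vid(in_port, parsed)
        members = self.egress.get(vid, {})
        # Ingress filtering: a tagged VID the ingress port is not a member of is dropped.
        if vid != self.pvid.get(in_port) and in_port not in members:
            return "dropped", None
        mode = members.get(out_port)
        if mode is None:                        # out_port not in this VLAN's egress list
            return "dropped", None
        prio = parsed["tag"]["priority"] if parsed["tag"] else 0
        out = build_frame(parsed["dst"], parsed["src"], parsed["ethertype"],
                          parsed["payload"], vid if mode == "tagged" else None, prio)
        return mode, out


# Constructed frame: untagged IPv4 (0x0800) with a dummy payload, entering port 3.
FRAME = build_frame("00:11:22:33:44:55", "00:11:22:33:44:66", 0x0800,
                    b"\x45" + b"\x00" * 45)
# The slide's three cases, differing only in port 4's entry in VLAN 20's egress list.
SLIDE_CASES = {
    "untagged": VlanSwitch(pvid={3: 20, 4: 1}, egress={20: {3: "untagged", 4: "untagged"}}),
    "tagged":   VlanSwitch(pvid={3: 20, 4: 1}, egress={20: {3: "untagged", 4: "tagged"}}),
    "dropped":  VlanSwitch(pvid={3: 20, 4: 1}, egress={20: {3: "untagged"}}),
}

if __name__ == "__main__":
    for name, sw in SLIDE_CASES.items():
        disposition, out = sw.decide(3, FRAME, 4)
        print(name, "->", disposition, None if out is None else parse_frame(out)["tag"])
```

The ingress check is the line that matters for VLAN integrity: without it, a station that sends its own 802.1Q tag would pick whichever VLAN it liked, which is why access ports classify by PVID and only trunk ports are members of several VIDs.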


Packet Forwarding

• Here you can see a simple network connection. In this scenario the network administrator will want to place the traffic from the phones into a different VLAN to that of the data
  – The PC traffic is in VLAN 20
  – The Phone traffic is in VLAN 30

• How is VLAN integrity maintained?
  – Modern IP telephones are a small switch and have the ability to tag traffic

• The next 2 slides will show how the PC traffic is handled differently from the phone traffic

Figure labels: PC1, PC2, PC3, PhoneA, PhoneB, Switch One, Switch Two; ports 8, 26, 40, 47, 48

Considering OpenFlow switch in enterprise environment for SDN.


GVRP

• Switch 1 and 4 have VLAN 60 configured and the edge ports to PC1 and PC2 have a PVID of 60
• Switch 1's uplink to Switch 2 is configured for VLAN 60 as tagged, the same for Switch 4
• If PC1 starts to ping PC2, Switch 1 declares VLAN 60 to Switch 2
• Switch 2 registers VLAN 60 and tags the ingress port on which it received the packet for VLAN 60
• Switch 2 then tags the port to Switch 3 for VLAN 60 and declares VLAN 60 to Switch 3
• Switch 3 then repeats the process
• If GVRP was disabled on Switches 2 and 3 then VLAN 60 would disappear from Switches 2 and 3.


Figure: PC1 (VID = 60) – Switch 1 – Switch 2 – Switch 3 – Switch 4 – PC2 (VID = 60); D = declaration, R = registration on the inter-switch ports

GVRP works on a declaration and registration process. When a VLAN is declared, the information is transmitted out of GVRP enabled ports on the device in a GARP formatted frame. (the GVRP multicast MAC address 01-80-C2-00-00-21.)

Generic Attribute Registration Protocol VLAN Registration Protocol (GVRP)


IEEE 802.1Q VLAN Overview

• 802.1Q Trunk


What is a FDB?
A FDB is a Filtering Database, which is a lookup table within the switch that keeps track of the association between MAC addresses, VLANs and port numbers.


Spanning Tree

• Network Loops


Figure: two bridges B1 and B2 joined by redundant links; the looping frame from MAC A is learned first on Port 1 and then on Port 2 in both the B1 SAT and the B2 SAT

How IEEE 802.1D Spanning Tree operates

• Calculating the Spanning Tree based on the Lowest STP IDs and Costs
  – Always compare these values in this order. If they are equal, move on to the next comparison:
    1. Root Bridge ID
    2. Path Cost to Root
    3. Designated Bridge ID
    4. Designated Port ID
    5. Root Port ID


IEEE 802.1D Spanning Tree

• 802.1D Operation
  – Elect a root bridge as the reference point for the network
    • Bridge with lowest bridge ID becomes the root
  – Bridge ID = (2 byte Bridge priority + 6 byte Bridge MAC address)
  – Example: 80-00-00-E0-63-12-34-56 (where 80-00 is the default bridge priority value and 00-E0-63-12-34-56 is the bridge MAC address)


Root Bridge

IEEE 802.1D Spanning Tree

• 802.1D Operation
  – Assign path costs to the links
    • Path cost value is relative to bandwidth rate (port speed).


Figure: Root Bridge with links of cost 4, 4, 19, 19, 100, 100

Path Cost to Root Bridge:
  Bridge ID 80-00:2 = 4
  Bridge ID 80-00:3 = 4 + 19 = 23
  Bridge ID 80-00:4 = 4
  Bridge ID 80-00:5 = 4 + 19 = 23
  Bridge ID 80-00:6 = 4 + 19 + 100 = 123

Link Speed (Mbps) | Recommended Path Cost: 802.1D-1998 | Recommended Path Cost: 802.1D-2004
4      | 250 | 5,000,000
10     | 100 | 2,000,000
16     | 62  | 1,250,000
100    | 19  | 200,000
1000   | 4   | 20,000
2,000  | 3   | 10,000
10,000 | 2   | 2,000


IEEE 802.1D Spanning Tree

• Maintaining the topology
  – Hello timer
  – Max Age timer
  – Forward Delay timer

• Spanning Tree Bridge Port States
  – Blocking
    • Not participating in frame transmission
    • Continues to monitor for management and STA information (still receives BPDUs)
  – Listening
    • Only processes frames addressed to it
    • Listens to BPDUs to ensure no loops occur on the network
    • BPDUs received shall be processed, as required by the STA
  – Learning
    • Bridge is passively building its SAT but does not forward frames
  – Forwarding
    • Able to send and receive data
    • Participating in frame transmission


IEEE 802.1D Spanning Tree

• 802.1D Operation Summary
  – Elect a root bridge: Bridge 1
  – Assign path costs to the links:
    • Bridge ID 2 has path cost of 4
    • Bridge ID 3 has path cost of (4 + 19) = 23
    • Bridge ID 4 has path cost of 4
    • Bridge ID 5 has path cost of (4 + 19) = 23
    • Bridge ID 6 has path cost of (4 + 19 + 100) = 123
  – Determine the designated bridge:
    • Bridge 1 is the designated bridge for Bridge 2, Bridge 4
    • Bridge 2 is the designated bridge for Bridge 3, Bridge 5
    • Bridge 3 is the designated bridge for Bridge 6
    • Bridge 4, Bridge 5, and Bridge 3 are the designated bridges for all respective downstream links
  – Identify root and designated ports & block redundant links: as shown below
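The four steps of the summary, run as a program. This is an added example, not the slides' own code: it elects the root by lowest bridge ID, computes each bridge's root path cost with Dijkstra over the link costs (the same shortest-path algorithm the IS-IS slides later mention), picks root ports and designated bridges with the comparison order given earlier (cost, then bridge ID, then port ID), and marks the remaining ports blocked. The topology is constructed to reproduce the slide's costs (4, 23, 4, 23, 123) and adds two redundant links, 4-5 and 5-6, which the algorithm must block; port numbers are this example's own, and bridge_id shows how the 2-byte priority and 6-byte MAC of the 80-00-00-E0-63-12-34-56 example compare as one number.

```python
import heapq


def bridge_id(priority: int, mac: str) -> int:
    """802.1D bridge ID: 2-byte priority followed by the 6-byte MAC, compared
    as one number (so a lower priority wins, then a lower MAC)."""
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def spanning_tree(bridges, links):
    """Apply the 802.1D selection rules to a bridged LAN.

    bridges: bridge IDs (lower wins)
    links:   (bridge_a, port_a, bridge_b, port_b, path_cost); LAN assumed connected
    Returns (root, root path cost per bridge, role per (bridge, port)) where the
    role is 'root', 'designated', or 'blocked' for the redundant link.
    """
    adj = {b: [] for b in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pb, pa, cost))      # (neighbour, its port, my port, cost)
        adj[b].append((a, pa, pb, cost))
    root = min(bridges)                        # lowest bridge ID is the root

    # Root path cost: Dijkstra from the root over the link costs.
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > dist[u]:
            continue
        for nbr, _, _, link_cost in adj[u]:
            if cost + link_cost < dist.get(nbr, float("inf")):
                dist[nbr] = cost + link_cost
                heapq.heappush(heap, (dist[nbr], nbr))

    # Root port: lowest (cost via neighbour, neighbour bridge ID, neighbour port ID).
    root_port = {}
    for b in bridges:
        if b != root:
            best = min((dist[n] + c, n, np, mp) for n, np, mp, c in adj[b])
            root_port[b] = best[3]

    # Designated bridge per link: the end with the lower (cost, bridge ID, port ID).
    roles = {}
    for a, pa, b, pb, cost in links:
        designated = min((dist[a], a, pa), (dist[b], b, pb))[1]
        for me, my_port in ((a, pa), (b, pb)):
            if root_port.get(me) == my_port:
                roles[(me, my_port)] = "root"
            elif designated == me:
                roles[(me, my_port)] = "designated"
            else:
                roles[(me, my_port)] = "blocked"
    return root, dist, roles


# Constructed topology with the slide's costs: bridge IDs 1..6 stand in for
# 80-00:1 .. 80-00:6; links 1-2 (4), 1-4 (4), 2-3 (19), 2-5 (19), 3-6 (100),
# plus two redundant links 4-5 (19) and 5-6 (100) that must end up blocked.
BRIDGES = [1, 2, 3, 4, 5, 6]
LINKS = [(1, 1, 2, 1, 4), (1, 2, 4, 1, 4), (2, 2, 3, 1, 19), (2, 3, 5, 1, 19),
         (3, 2, 6, 1, 100), (4, 2, 5, 2, 19), (5, 3, 6, 2, 100)]

if __name__ == "__main__":
    root, cost, roles = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root, "root path costs:", cost)
    for (b, p), role in sorted(roles.items()):
        print("bridge %d port %d: %s" % (b, p, role))
```

Bridge 5 reaches the root at cost 23 through either Bridge 2 or Bridge 4; the tie goes to the lower designated bridge ID, so its port toward Bridge 4 is the one blocked. Bridge 6 ties the same way between Bridges 3 and 5, which is why the summary names Bridge 3 as its designated bridge.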


Spanning Tree


• As of 2004, the IEEE 802.1D-1998 version of spanning tree was removed from the specification

• STP has now been superseded by the IEEE 802.1D-2004 specification, which incorporates IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)

• All current switches also support 802.1s, Multiple Spanning Tree, by default

802.1w, Rapid Spanning Tree

• IEEE 802.1w, Rapid Spanning Tree Protocol (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters.

• IEEE 802.1w and IEEE 802.1D Spanning Tree algorithms will interoperate.

– An RSTP switch detects the STP version when it is connected to an 802.1D STP switch.

– When the RSTP port is initialized, it transmits RSTP Bridge Protocol Data Units (BPDUs) for three seconds, it then transitions to sending STP BPDUs if it receives STP


Spanning Tree


802.1w, Rapid Spanning Tree

• Port Roles
  – Root Port: The one port that is used to connect to the Root Bridge
    • The Root Port is elected based on its least "path-cost" to the Root Bridge
  – Alternate Port: Any redundant upstream port that provides an alternate path to the Root Bridge (other than the Root Port)
  – Designated Port: Any downstream port that provides a path back to the Root Bridge for a downstream bridge
  – Backup Port: A port that acts as a redundant Designated Port for a downstream bridge.
  – Edge Port: A port that has no other bridges connected to this port (i.e. User Port)
    • This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18)


Spanning Tree

• There are two types of BPDUs, serving three functions

• Configuration BPDUs
  – 1) determine the Spanning Tree topology
  – 2) maintain the Spanning Tree topology

• Topology Change Notification (TCN) BPDUs
  – 3) announce a change in the bridged topology by toggling the change bit


802.1w Rapid Spanning Tree

• New BPDU type (BPDU type 2) to distinguish RST BPDUs from STP configuration and topology change BPDUs
  – Version 1 BPDUs are accommodated in the version 2 format by means of a placeholder of zero length for the version 1 protocol information

• New BPDU handling
  – Origination of BPDUs on a port-by-port basis, instead of transmission on designated ports following reception of information from the root. With RSTP, BPDUs are sent every "hello-time," not simply relayed as with STP.
  – Faster aging of information: With RSTP, a bridge considers that it has lost connectivity to its direct neighboring root or designated bridge if it fails to receive three consecutive BPDUs. This fast aging of information allows quick failure detection in case of physical link failures.
  – Accepting inferior BPDUs: If a designated port receives an inferior BPDU (higher bridge ID, higher path cost, and so forth, than currently stored for the port) with a designated port role, it immediately replies with its own information.


802.1w Rapid Spanning Tree

• Topology changes and address flushing
  – Only non-edge ports that move to the forwarding state cause a topology change
  – Topology Change Notifications (TCNs) in RSTP refer to both 802.1d & 802.1w TCNs
  – When a switch receives a TCN (Rx TCN) it:
    • Clears the FDB for all active ports except the port on which it received the TCN
    • Sends TCNs out its other Designated ports and its Root port
  – If a port detects a Topology Change (TC) the switch:
    • Clears the FDB for all its non-edge Designated ports and its Root port
    • Sends TCNs out all its non-edge Designated ports and its Root port
  – If a Port goes from Forwarding to Discarding, all Filter Database Entries are flushed for that port
  – If a Port goes from Discarding to Forwarding, all Filter Database Entries are flushed for all other active ports
  – All ports that transmit original TCNs flush their dynamic filtering database entries


802.1w Rapid Spanning Tree

• Port States and Roles Comparison


IEEE 802.1s Multiple Spanning Tree (MST)

• The original 802.1D standard treats the overall topology as a single network, while switches treat VLANs as completely separate networks
  – IEEE 802.1s is a supplement to IEEE 802.1Q
  – Ability to map 1 or more VLANs to each spanning tree instance
  – MST is built on top of 802.1w Rapid Reconfiguration

• 802.1s is supported on most of their current platforms
  – 802.1s Principal Objective: to increase bandwidth utilization
    • To allow frames assigned to different VLANs to follow different data routes
    • To allow ports to block for some Spanning Trees and forward for others
    • To have every ISL (Inter Switch Link) in the topology forwarding for at least one spanning tree
  – The ability to create Spanning Tree instances for each VLAN
  – Fault tolerant network design with automatic reconfiguration


Figure (802.1D/w): VLAN Green and VLAN Red share one tree with Bridge 1 as Root over bridges 2 and 3; one Blocked Port for both VLANs; the Data Flow shows over-utilised bandwidth on the forwarding link and non-utilised bandwidth (only redundant) on the blocked link

Figure (802.1s): VLAN Green, VLAN Red and VLAN Blue, each instance with its own root (1 Root, 2 Root, 3 Root), giving an excellent balance of bandwidth utilisation

Considering OpenFlow switch in enterprise environment for SDN.

Spanning Tree Summary

• Network Loops
• Introduction to the Spanning Tree Algorithm (STA)
• How Spanning Tree Operates
• IEEE 802.1w Rapid Spanning Tree
• 802.1s
• Summary
  – Redundant links and how they can cause network loops
  – How the IEEE 802.1D Spanning Tree Algorithm (STA) and Spanning Tree Protocol (STP) operate to resolve network loops
  – The IEEE 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), which speeds up the time it takes the network to converge after a failed link/restoration
  – A comparison of IEEE 802.1D Spanning Tree to IEEE 802.1w RSTP, including the differences in BPDUs, port roles, and port states


Shortest Path Bridging

• IEEE 802.1aq-2012
• Allows all links to be used: better CapEx
• IS-IS link state protocol (similar to OSPF) is used to build shortest path trees for each node to every other node within the SPB domain
• Equal-cost multi-path (ECMP) used to distribute load

IS-IS Protocol

• Intermediate System to Intermediate System (IS-IS) is a protocol to build routing tables. Link-State routing protocol => each node sends its connectivity (link state) information to all nodes in the network

• Dijkstra's algorithm is then used by each node to build its routing table.

• Similar to OSPF (Open Shortest Path First).
• OSPF is designed for IPv4 and then extended for IPv6. IS-IS is general enough to be used with any type of addresses
• OSPF is designed to run on top of IP. IS-IS is general enough to be used on any transport; adopted by Ethernet


Introduction

• Link Aggregation and other port aggregation algorithms are all methods of:


– Bonding together two or more data channels into a single channel that appears as a single, higher-bandwidth logical link

– Increasing bandwidth in a cost-effective way

– Providing redundancy and fault tolerance

Link Aggregation makes multiple physical links appear as a single logical link to Spanning Tree


If you want to use STP on OF Switches

• OpenFlow Switches can do STP function and LACP

……….

IEEE 802.3ad Link Aggregation

• IEEE 802.3ad Link Aggregation is a standards-based method of dynamically grouping multiple physical ports on a network device into one logical link

• IEEE 802.3ad is a protocol that allows the switch to:
  – determine which links are eligible to aggregate
  – configure them automatically

• Link Aggregation is supported on full duplex Ethernet ports:
  – 10 Mbps
  – 100 Mbps
  – 1000 Mbps
  – and higher speeds


IEEE 802.3ad Link Aggregation

• Key Benefits
  – By taking multiple LAN connections and treating them as a unified aggregated logical link, you can achieve practical benefits in many applications.
  – The key benefits of IEEE 802.3ad Link Aggregation are:
    • Dynamic configuration: Determines which links are eligible for aggregation, configures them automatically, and provides rapid reconfiguration.
    • Higher link availability: Provides higher link availability. The failure of a single link affects only that single link.
    • Increased bandwidth: The capacity of an aggregated link is higher than an individual link alone.
    • Support of existing IEEE 802.3 MAC clients: Requires no change to higher-layer protocols or applications.
    • Backwards compatible with 802.3ad-unaware devices: Links that cannot take part in Link Aggregation operate as normal, individual IEEE 802.3 links.


Link Aggregation Control Protocol

• Link Aggregation Control Protocol (LACP)

– Allows communication of aggregation capabilities between switches, and automatic configuration of links between a switch and its link partner.

– Maintains configuration information (reflecting the inherent properties of the individual links, as well as those manually established by management) to control aggregation.

– LACP exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).

• A given link is allocated to, at most, one LAG at a time.


Considering OpenFlow switch in enterprise environment for SDN.


Link Aggregation Scenarios

• There are two scenarios in which link aggregation may be useful in a network, as described below.
– Switch-to-switch connections: Multiple ports on a switch are joined to form an aggregated link. Aggregation of multiple links achieves higher speed connections between switches without hardware upgrade.
– Switch-to-station (server or router) connections: Many server platforms can saturate a single 10/100/1000 Mbps link. Thus, link capacity limits overall system performance. You can aggregate switch-to-station connections to improve performance.

Link Aggregation Rules

• Rules & Recommendations:
– Ports must be running full duplex to aggregate.
– A link aggregation cannot be split among systems. Logically, it is a single pipe and, as such, is treated as a single point-to-point connection.
– Link Aggregation is supported only on links using the IEEE 802.3 MAC.
– All links in a LAG must operate at the same data rate.

• IEEE 802.3ad is supported on all current Switches
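The rules above (full duplex, one data rate, one LAG per port, no splitting across systems) and the "a single link failure affects only that link" benefit, as an added example that is not the deck's own code. Port names, speeds and partner system IDs are constructed for the example.

```python
"""Added example (not the deck's own code): apply the LAG rules above to a
set of switch ports, then spread flows across the members so that one link
failure only moves the flows that were on that link."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Port:
    name: str
    speed_mbps: int
    full_duplex: bool
    partner_system: str          # system ID seen in the link partner's LACPDUs
    lag: Optional[str] = None    # a port belongs to at most one LAG
    up: bool = True


def eligible_members(ports: List[Port], lag_name: str) -> List[Port]:
    """Return the ports that may join `lag_name`, applying the rules from the
    slides: full duplex only, one data rate for all members, one LAG per
    port, and one link partner (a LAG cannot be split among systems).
    The first eligible port fixes the rate and the partner for the group."""
    members: List[Port] = []
    rate = partner = None
    for p in ports:
        if not p.full_duplex or p.lag not in (None, lag_name):
            continue
        if rate is None:
            rate, partner = p.speed_mbps, p.partner_system
        if p.speed_mbps != rate or p.partner_system != partner:
            continue
        p.lag = lag_name
        members.append(p)
    return members


def flow_key(src_ip: str, dst_ip: str, src_port: int, dst_port: int, proto: int = 6) -> str:
    """The 5-tuple a switch typically hashes so one flow stays on one link."""
    return f"{proto}|{src_ip}|{dst_ip}|{src_port}|{dst_port}"


def pick_member(members: List[Port], key: str) -> Optional[str]:
    """Rendezvous (highest-random-weight) hashing over the members that are
    up. Unlike `hash % n`, removing a failed member re-maps only the flows
    that were on it, which is the 'failure affects only that link' property
    the slides describe."""
    up = [m for m in members if m.up]
    if not up:
        return None

    def weight(m: Port) -> bytes:
        return hashlib.sha256(f"{key}|{m.name}".encode()).digest()

    return max(up, key=weight).name


def distribute(members: List[Port], keys: List[str]) -> Dict[str, Optional[str]]:
    return {k: pick_member(members, k) for k in keys}


# Constructed sample switch: names and partner IDs are made up for the example.
SAMPLE_PORTS = [
    Port("ge.1.1", 1000, True, "sw-B"),
    Port("ge.1.2", 1000, True, "sw-B"),
    Port("ge.1.3", 1000, True, "sw-B"),
    Port("ge.1.4", 100, True, "sw-B"),     # wrong rate: excluded
    Port("ge.1.5", 1000, False, "sw-B"),   # half duplex: excluded
    Port("ge.1.6", 1000, True, "sw-C"),    # other partner: would split the LAG
]
SAMPLE_FLOWS = [flow_key("10.0.0.%d" % (i % 50), "192.168.10.20", 40000 + i, 80)
                for i in range(300)]

if __name__ == "__main__":
    lag = eligible_members(SAMPLE_PORTS, "lag.0.1")
    before = distribute(lag, SAMPLE_FLOWS)
    lag[0].up = False
    after = distribute(lag, SAMPLE_FLOWS)
    moved = sum(1 for k in SAMPLE_FLOWS if before[k] != after[k])
    print([p.name for p in lag], "flows moved after ge.1.1 failed:", moved)
```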


SDN Program for LACP

……….


1 Network Architecture2 IEEE 802.3 Ethernet3 Internet Protocol4 VLAN5 Spanning Tree6 LACP7 Routing (Basic, BGP)8 SNMP9 Network Applications


Switching vs Routing

• Bridges / Layer 2 Switching:
– Switch packets within the same physical network, based upon Data Link-layer (MAC) addressing
– Flood all MAC-layer broadcasts out all attached ports in the same physical network
– Are protocol transparent (i.e., unaware of IP, IPX, etc., protocols embedded in the datagrams)
– Do not support packet fragmentation
– Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another

• Routers / Layer 3 Switching:
– Switch packets between different physical networks, based upon Network-layer addressing
– Do not flood MAC-layer broadcasts from one attached network to another
– Are protocol dependent (IP routed to IP; IPX routed to IPX, etc.)
– Support packet fragmentation
– Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from one type to another

• Legacy Story
• OF Switch for Which Layer?

Why is a routing protocol needed?

• A routing protocol is used to dynamically learn routing information so routers know where to send packets. The only other option is to manually define all routes.

• If we could not use routing protocols, what would happen to us??? Could SDN replace the routing protocol?


When Should Routing be Implemented?

• When communication is needed between VLANs
• When MAC-layer multicast/broadcast traffic is adversely affecting network performance
• When packet switching based upon upper-layer protocols (i.e., IP, IPX, AppleTalk, etc.) is desired
• Where multiple active paths between systems are required

OpenFlow for active multiple paths??

Check SDN

Check SDN

Forget it

Check SDN

Router Advantages

• Isolation of MAC-layer broadcast traffic. Routers allow VLANs to communicate but prevent the flow of broadcast traffic from one physical LAN to another

• Path Selection. Routers can use the best path which physically exists between source and destination systems. Some routers allow for load balancing over redundant paths

• Flexibility. Routers can support any desired network topology

• The total size of the network interconnected with routers is, for all practical purposes, unlimited


Where is router for virtualized network?? OpenFlow and router??

Check SDN

Check SDN

Check SDN

Check SDN


Router Disadvantages

• Protocol Dependence. Routers operate in the OSI Network layer and must be aware of the protocol(s) they are configured to route. A router will ignore traffic it is not configured to handle

• Configuration complexity. Routers require a lot more configuration and some protocols require workstation address configuration

• Cost. Routers are typically more complex devices than bridges and can be more expensive


Enterprise Routing – Basic Routing Config

• Routers use routing protocols to maintain their routing tables. Routing tables can be maintained either statically or dynamically.

• Static Routes
– Static routes are manually configured and entered into a switch’s routing table. Static routes take default precedence over routes chosen by dynamic routing protocols.

• Dynamic Routes
– Dynamic routes are learned when routers send routing table information to each other.
– The three forms of dynamic routing that are most commonly used are Distance Vector, Link State and Path Vector protocols.

• Distance Vector Protocols
– RIPv1 and RIPv2
– DVMRP

• Link State Protocols
– OSPFv2
– IS-IS

• Path Vector Protocols
– BGP4

Static and Dynamic Routing Support


Where is routing at the SDN Controller?

• ‘Ryu’: one of the SDN controllers

• ‘OpenContrail’: one of the SDN controllers


Enterprise Routing – Basic Routing Config

• RIP is a standards-based distance-vector routing protocol.
• Two versions of RIP are available for routing IPv4:
– RIP version 1, defined by RFC 1058 (STD 34), 6/88
– RIP version 2, defined by RFC 2453 (STD 56), 8/99
• The routing decision selects the shortest path based on “hop count.”
– Each router is one “hop.”
– RIP has a 15 hop-count limitation.
• RIP updates occur every 30 seconds and send the entire routing table contents.
– IP/UDP port 520
– Up to 25 routes per packet
• Subsequent to a topology change, convergence time increases significantly with network size
• RIPv2 differences from RIPv1:
– Includes the network mask, which supports variable-length subnet masking.
– Transmits RIPv2 updates as multicast rather than broadcast (both are supported).
– Provides an authentication mechanism not supported by RIPv1.

RIP Overview


Enterprise Routing - OSPF

• OSPF primary characteristics:
– It is “open” in that its specification is in the public domain
– It is based on Dijkstra’s Shortest Path First algorithm

• Developed by the Interior Gateway Protocol (IGP) working group of the IETF (mid-1980s)
– RFC 2328
– RFC 1583

• OSPF was created because RIP was increasingly unable to serve large, heterogeneous networks
– Routing loops occurred with sudden topology changes
– Using a distance metric to determine reachability resulted in count-to-infinity delays
– Slow convergence

• Uses the best effort transport mechanism of IP
– Protocol number 89
– Uses both IP Unicast and Multicast addresses
• 224.0.0.5 (AllSPFRouters)
• 224.0.0.6 (AllDRRouters)

Overview of OSPF Routing Protocol

• Faster convergence than distance vector algorithms
• A more descriptive routing metric
– Configurable per outbound interface
– Interface value between 1 and 65,535
• Equal-cost multipath
– If multiple equal cost paths to a destination exist, the paths are inserted in the routing table
– Load balancing among the routes
– Default path costs are 10


Dijkstra’s shortest path first algorithm

• The algorithm
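The SPF computation as an added example (not the deck's own code): Dijkstra over a constructed link-state database with per-interface costs, keeping every equal-cost predecessor so that the routing table lists all ECMP next hops as the slides describe. Router names and costs are constructed.

```python
"""Added example (not the deck's own code): Dijkstra's SPF run over a small
link-state database with OSPF-style per-interface costs, keeping every
equal-cost predecessor so the resulting table lists all ECMP next hops."""
import heapq
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed link-state database: {router: {neighbor: cost of the outbound
# interface}}. Costs are per outbound interface (1..65535), so A->B and B->A
# may differ; the slides' default cost of 10 is used on most links here.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 10, "R3": 10},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 10, "R4": 10},
    "R4": {"R2": 10, "R3": 10, "R5": 20},
    "R5": {"R4": 20},
}


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Tuple[Dict[str, int], Dict[str, Set[str]]]:
    """Returns (dist, preds): dist[n] is the total cost from root, preds[n]
    every neighbor that reaches n at exactly that cost. Two or more
    predecessors mean equal-cost paths exist (OSPF installs all of them)."""
    dist = {root: 0}
    preds: Dict[str, Set[str]] = defaultdict(set)
    heap = [(0, root)]
    done: Set[str] = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd              # strictly better: replace predecessors
                preds[v] = {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)           # equal cost: keep both
    return dist, dict(preds)


def next_hops(root: str, dest: str, preds: Dict[str, Set[str]]) -> List[str]:
    """Walk predecessor sets back toward the root and collect every distinct
    first hop: that set is the ECMP next-hop list for dest."""
    hops: Set[str] = set()
    stack, seen = [dest], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for p in preds.get(n, ()):
            if p == root:
                hops.add(n)
            else:
                stack.append(p)
    return sorted(hops)


def routing_table(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, List[str]]]:
    """{destination: (cost, [next hops])}, what the router installs after SPF."""
    dist, preds = spf(lsdb, root)
    return {d: (c, next_hops(root, d, preds)) for d, c in dist.items() if d != root}


if __name__ == "__main__":
    for dest, (cost, hops) in sorted(routing_table(LSDB, "R1").items()):
        print(f"{dest}: cost {cost} via {hops}")
```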

Overview of OSPF Routing Protocol

• Routing Hierarchy
– Routing domain can be divided into areas for ease of management and control
– Support for route summarization and aggregation by area

• Security
– Simple or MD5 Authentication


Enterprise Routing - OSPF

• Link State Advertisements (LSAs)
– Describe a local piece of the routing topology
– As accumulated from all routers in the area/domain, form a link state database

• Link State Database
– Describes the complete routing topology
– Identical for all the routers within the same area, when the network has converged
– Distributed, replicated database model
– Routing table is re-computed from the database only when topology changes occur

• Distribution of LSAs uses reliable flooding
– Link State Updates advertise topology changes and keep entries up-to-date
– Compare RIP: large update packets advertise the entire route table every 30 seconds, and entries age out in 90 sec
– Individual entries are refreshed every 30 minutes and age out after 60 minutes
– Uses multicasting to minimize network disruption
– Has its own acknowledgement protocol to ensure reliable packet delivery

Overview of OSPF Routing Protocol

Overview of OSPF Routing Protocol

• The network topology must appear consistent: the link state database must be identical on all routers

• All entities in the routing domain use unique 32 bit numbers for identification
– Routers are assigned a ‘router ID’, normally based on their IP address
– Networks use either their network ID or the IP address of a router interface on that network
– Areas are strictly administratively assigned

• Routers use the OSPF Hello protocol to identify neighbors and maintain neighbor relationships
– Hello protocol uses 5 packet types:
• OSPF Packet Type 1: a keep-alive
• OSPF Packet Type 2: initiates adjacency
• OSPF Packet Type 3: requests LSAs from DR
• OSPF Packet Type 4: floods LSAs
• OSPF Packet Type 5: acknowledges flooded LSAs

SDN can build its DB with LLDP and events from OF switch.


Overview of OSPF Routing Protocol

• Only routers in an “adjacency” state are permitted to exchange link state information
– The necessity of ensuring consistency in the LSDB prohibits simple broadcasting of route information.
– Flooding information uses a split horizon technique

• In multi-access networks, a Designated Router (DR) is ‘elected’ to ensure reliable distribution of LSAs.
– A Backup Designated Router (BDR) is also elected

Enterprise Routing – OSPF

• Advanced OSPF configuration
– Redistribute Routes
– Setting the Router ID to the loopback address
– Set the Designated Router
– Setup Stub Areas
• Stub
• NSSA
– Configure summarization
– Setup Authentication
• Simple
• MD5

Advanced Configuration Process


Multi-Area Configuration Example

• OSPF Configuration Lab
– Create IP Interfaces
– Add IP Address to IP interfaces
– Add Secondary IP Addresses
– Add Static Routes
– Set the Router ID to Loopback Interface
– Create OSPF Instance
– Add IP OSPF Networks and Areas
– Set the Designated Router
– Redistribute Static Routes
– Setup Summarization
– Setup Authentication
• Simple
• MD5

(diagram: three routers, RID 1.1.1.1, RID 2.2.2.2 and RID 3.3.3.3)

Routing – BGP Topics

• Border Gateway Protocol (BGP)
– The Protocol and Its Use
– Autonomous Systems
– BGP Messaging (Neighbor Establishment and Termination)
– Internal Border Gateway Protocol/External Border Gateway Protocol
– BGP Basic Configuration
– Route Injection
– BGP Attributes & Route Selection
– Route Aggregation
– BGP Monitoring & Clearing
– Advanced Topics

Considering OpenFlow switch in SP environment for SDN.


Routing – BGP

• The Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP) that is used to exchange routing information among routers in different autonomous systems (ASs)

• EGP and IGP differ in how the best possible path is determined for a given route:
– An IGP determines the best route by an established metric for the complete path
– RIP utilizes hop count as a metric to determine the best route
– OSPF can use metrics such as various interface costs to determine the best route
– An EGP directs traffic from the source AS to the destination AS based on path knowledge and path attributes. Path attributes are route parameters that can influence the direction traffic will flow in

The Protocol & Its Use

Routing – BGP

• The protocol is used to define an administrative boundary between autonomous systems
• The process of routing with BGP is often referred to as external routing
• BGP is a Path Vector Protocol
• BGP routing information includes the complete route to each destination along with detailed information on how the route should be handled
• Utilizes Classless Inter-Domain Routing (CIDR), which eliminates shortcomings of original classful IP addressing by allowing aggregation of blocks of IP addresses to reduce the size of routing tables

The Protocol & Its Use


Routing – BGP

• An Autonomous System (AS) is a collection of networks with the same routing policy
• Usually running a single routing protocol (IGP) within the interior
• Typically under a single ownership and administration
• Originally identified by a unique AS number (1-65535)
• As of January 2009 expanded to 4,294,967,296 (see RFC 4893, BGP Support for Four-octet AS Number Space)
• AS numbers 64512 through 65534 are designated for private use

Autonomous Systems

Autonomous System (AS)

(diagram: AS-100; the routers in the diagram are under one authority for management)

Routing – BGP: Autonomous Systems


Interfacing Two ASs

(diagram: AS-100 and AS-200 joined by an EBGP session; the two border routers are EBGP Neighbors/Peers)

Routing – BGP: Autonomous Systems

Peer Establishment / Packet Exchange

(diagram: two seven-layer stacks, Application (7), Presentation (6), Session (5), TCP/UDP (4), Network (3), Data Link (2), Physical (1); the BGP peers first establish a TCP session and exchange BGP packets over it)

Routing – BGP


Open Message

(diagram: the two routers exchange Open, then Keep Alive, and become NEIGHBORS)

Routing – BGP: Neighbor Establishment & Termination

Keepalive Messages

Keepalives simply let BGP neighbors know about the current state of the connection. They are used to maintain the link when routers have no routing updates to exchange.

Routing – BGP: Neighbor Establishment & Termination


Update Message

BGP uses Update Messages to exchange or withdraw routes. Detailed information about the route is passed using attributes which are present in the update packet.

Routing – BGP: Neighbor Establishment & Termination

Notification Message

(diagram: one neighbor sends a Notification, “I am going to have to close my link”)

Routing – BGP: Neighbor Establishment & Termination


IBGP/EBGP

The BGP protocol specifies two types of BGP Neighbor Relationships, IBGP and EBGP:

External Neighbors (EBGP) reside in different ASs
Internal Neighbors (IBGP) reside in the same AS

IBGP is used to carry BGP route information across an ISP backbone
EBGP is used to exchange BGP route information with different ASs

Routing – BGP

Basic IBGP/EBGP Model

(diagram: routers 1 through 7 spread across AS-100, AS-200 and AS-300, each AS running IGP=OSPF/BGP internally over GE and TG links; EBGP sessions between the ASs, IBGP sessions between the routers inside each AS)

Routing – BGP


Enabling BGP & Identify Your Neighbors

(diagram: R1 in AS-100 and R2 in AS-200 as BGP Neighbors)

Routing – BGP: Basic Configuration

Configure:
− The AS the router belongs to
− The BGP router ID
− Neighbor IP address and remote AS
− Route injection of a directly connected interface via network command

Enabling BGP & Identify Your Neighbors (EBGP)

(diagram: R1 (AS-100, .1) and R2 (AS-200, .2) peer over VLAN 12, 192.168.12.0/24; VLAN 13, 192.168.13.0/24, and VLAN 14, 192.168.14.0/24, are the routers' other connected networks)

Routing – BGP: Basic Configuration


Enabling BGP & Identify Your Neighbors (IBGP)

(diagram: R1 (Loopback 1.1.1.1) and R3 (Loopback 3.3.3.3), both in AS-100, reach each other through IGP Routers running OSPF over VLAN 13 192.168.13.0/24, VLAN 15 192.168.15.0/24, VLAN 17 192.168.17.0/24 and VLAN 19 192.168.19.0/24; the IBGP session follows an Initial Peering path, and an Alternate Peering path is used when the initial one fails (marked X))

Routing – BGP: Basic Configuration

BGP Route Injection:

Condition 1 for announcing IP into BGP
The BGP process must be aware of the route. It can become aware of the route by:
– A BGP Neighbor
– Redistribution from another routing protocol
– A local network statement

Condition 2
The route must already be present in the IP Routing Table
– Could be a Static Route
– Could be a directly connected route
– It could have been installed by the IGP (OSPF, RIP, etc…)

Route Injection

Routing – BGP: Basic Configuration


BGP Attributes:

Routing information exchanged by BGP routers includes the complete route to each destination, as well as additional information about the route. This additional information is referred to as attributes.

BGP attributes are a set of parameters that describe the characteristics of a route.

The BGP process uses attributes to select the best route to a destination.

Attributes are categorized as being (Optional or Mandatory) and (Transitive or Non-Transitive).

Attributes

Routing – BGP: Basic Configuration

Local preference: This attribute is used to influence a preferred exit point from the local autonomous system (AS). The higher value will determine the exit point for the AS.

Routing – BGP: Attributes


Multi-Exit Discriminator (MED): It is a suggestion to external neighbors about the preferred path into an AS that has multiple entry points. The lower value MED will determine the entry point.

Routing – BGP: Attributes

No Aggregation:

(diagram: route advertisement without aggregation)

Route Aggregation

Routing – BGP


Route Reflection:

(diagram: AS 100 with Full Mesh IBGP between Router 1, Router 2 and Router 3, beside AS 100 with Route Reflection IBGP, where Router 1, Router 2 and Router 3 peer only with the Route Reflector)

Advanced Topics

Routing – BGP

Confederations:

(diagram: Confederation 100 made up of sub-AS 65001 (Router 1, Router 2, Router 3, Full Mesh IBGP) and sub-AS 65002 (Router 4, Router 5, Router 6, Full Mesh IBGP), joined by EBGP between the sub-ASs and by EBGP to AS 200 and AS 300)

Advanced Topics

Routing – BGP


Implementing a BGP Route-Map: AS-Path Regular Expressions

Advanced Topics

Routing – BGP
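The attribute-based route selection described in the Attributes slides (local preference, MED) together with the AS-path regular expression filtering of this slide, as an added example that is not the deck's own code. The candidate routes, next hops, AS numbers and router IDs are constructed; the comparison order is a simplified version of the usual decision process, and the underscore translation is an assumption about the CLI idiom.

```python
"""Added example (not the deck's own code): a simplified BGP best-path
decision for one prefix using the attributes the slides describe (local
preference, AS-path length, EBGP over IBGP, MED, router ID), preceded by a
route-map style AS-path regular-expression filter."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]     # leftmost AS is the neighbor we learned it from
    local_pref: int = 100
    med: int = 0
    from_ebgp: bool = True
    router_id: str = "0.0.0.0"   # peer's BGP router ID, the final tie-breaker


def as_path_regex(pattern: str) -> "re.Pattern":
    """Translate the router-CLI idiom in which '_' matches a path boundary
    (start, end or the space between AS numbers) into a Python regex. The
    path is matched as space-separated AS numbers, e.g. '_666_' = transits
    AS 666, '^300_' = learned directly from AS 300."""
    return re.compile(pattern.replace("_", "(?:^| |$)"))


def as_path_permitted(route: Route, deny_patterns: Sequence[str]) -> bool:
    path = " ".join(str(a) for a in route.as_path)
    return not any(as_path_regex(p).search(path) for p in deny_patterns)


def _rid(r: Route) -> Tuple[int, ...]:
    return tuple(int(x) for x in r.router_id.split("."))


def better(a: Route, b: Route) -> Route:
    """Pairwise comparison in the usual order. Local preference: higher wins.
    MED is only compared between routes from the same neighbor AS, since it
    is that AS's suggestion about its own entry points: lower wins."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if a.from_ebgp != b.from_ebgp:
        return a if a.from_ebgp else b
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a if a.med < b.med else b
    return a if _rid(a) <= _rid(b) else b


def select_best(routes: List[Route], deny_patterns: Sequence[str] = ()) -> Optional[Route]:
    """Apply the deny list first (route-map), then fold the survivors through
    better(). Like a real router, the MED rule makes the result depend on
    comparison order in pathological mixes of neighbor ASs."""
    cands = [r for r in routes if as_path_permitted(r, deny_patterns)]
    if not cands:
        return None
    best = cands[0]
    for r in cands[1:]:
        best = better(best, r)
    return best


# Constructed candidate routes for 10.0.0.0/24 as seen by a router in AS 100;
# next hops, AS numbers and router IDs are made up for the example.
CANDIDATES = [
    Route("10.0.0.0/24", "192.168.12.2", (200, 400), local_pref=100, med=50, router_id="2.2.2.2"),
    Route("10.0.0.0/24", "192.168.13.2", (300,), local_pref=100, med=10, router_id="3.3.3.3"),
    Route("10.0.0.0/24", "192.168.14.2", (200, 666, 400), local_pref=200, med=0, router_id="4.4.4.4"),
    Route("10.0.0.0/24", "192.168.15.2", (200, 400), local_pref=100, med=20, router_id="5.5.5.5"),
]

if __name__ == "__main__":
    for deny in ((), ("_666_",), ("_666_", "^300_")):
        best = select_best(CANDIDATES, deny)
        print("deny", list(deny) or "nothing", "->", best.next_hop, best.as_path)
```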

Routing – Layer 3 Tunneling


Traffic Flow


BGP for Middle Box

Some vendors recommend that you configure each traffic device as an iBGP route reflector client with each BGP router.

The following example specifies that the neighbors 200.10.1.2 and 200.10.2.2 are clients of route reflector 1.1.1.1:

Router 1(rw-config)->router bgp 100
Router 1(su-config-bgp)->bgp router-id 1.1.1.1
Router 1(su-config-bgp)->bgp cluster-id 1.1.1.1
Router 1(su-config-bgp)->neighbor 200.10.1.2 remote-as 100
Router 1(su-config-bgp)->neighbor 200.10.1.2 route-reflector-client
Router 1(su-config-bgp)->neighbor 200.10.2.2 remote-as 100
Router 1(su-config-bgp)->neighbor 200.10.2.2 route-reflector-client

Router 2(rw-config)->router bgp 100
Router 2(su-config-bgp)->bgp router-id 2.2.2.2
Router 2(su-config-bgp)->neighbor 1.1.1.1 remote-as 100

Layer 3 Tunneling (GRE) configuration:

RouterA(rw-config)->interface tunnel 1
RouterA(su-config-tun.0.1)->tunnel mode gre
RouterA(su-config-tun.0.1)->tunnel source 1.1.1.1
RouterA(su-config-tun.0.1)->tunnel destination 1.1.1.2
RouterA(su-config-tun.0.1)->ip address 10.1.1.1/30
RouterA(su-config-tun.0.1)->no shutdown
RouterA(su-config-tun.0.1)->exit

RouterB(rw-config)->interface tunnel 1
RouterB(su-config-tun.0.1)->tunnel mode gre
RouterB(su-config-tun.0.1)->tunnel source 1.1.1.2
RouterB(su-config-tun.0.1)->tunnel destination 1.1.1.1
RouterB(su-config-tun.0.1)->ip address 10.1.1.2/30
RouterB(su-config-tun.0.1)->no shutdown
RouterB(su-config-tun.0.1)->exit

Traffic Flow (OpenFlow flow entries):

MAC Source | MAC Dest. | Source IP | Dest. IP      | Source TCP Port | Dest. TCP Port | Action
*          | *         | *         | 192.168.10.20 | 80              | *              | Port 7

MAC Source | MAC Dest. | Source IP | Dest. IP      | Source TCP Port | Dest. TCP Port | Action
*          | *         | *         | 192.168.10.20 | 80              | *              | Port 3

• By definition, Virtual Routing and Forwarding (VRF) is the technology encompassed in IP routers that allows the provisioning of multiple instances of a routing table to exist on a router simultaneously.
• The process is achieved by creating multiple instances of “virtual/logical” routers on a single router. These multiple virtual router instances behave as if they were a physical router.
• Since the virtual routers allow network paths to be segmented, additional equipment in the form of physical routers is not required.
• IP traffic is automatically separated by maintaining separate routing tables as opposed to one global routing table, thus increasing network security and eliminating the need for encryption and authentication

Routing - VRF: Overview


• Global Route Table
– Full access to Host Apps (SSH, SNMP etc.)
• Interfaces assigned to only one VRF
• Overlapping IP Address supported
• Independent RIB per VRF
• Independent FIB per VRF
• Protocols instanced by VRF
• VRF aware Services
• MIBs instanced by VRF

Routing - VRF: Overview

(diagram: one Physical Router with a global Internet uplink and two VRFs, VRF 1 and VRF 2, serving VLAN 10 and VLAN 100, both 192.168.10.0/24, and VLAN 11 and VLAN 101, both 192.168.11.0/24; in VRF, IP address ranges are passed separately)

Routing - VRF: Overview


Deployment Scenarios and Configuration

Routing - VRF


Deployment Scenarios and Configuration: VRFs With Overlapping IP Networks

Routing - VRF

Enterprise Routing – LSNAT

• Load Sharing Network Address Translation
• LSNAT is a load balancing routing feature designed to provide load sharing network services between multiple servers grouped into server farms
• It can be tailored to an individual server service without requiring any modification to clients or servers.
• Examples of well-known services are HTTP on port 80, SMTP (e-mail) on port 25, or FTP on port 21.

LSNAT Overview: What is LSNAT?


Enterprise Routing – LSNAT

LSNAT Overview: How Does It Work?

Why Would I Use LSNAT?

• Server Load Sharing
– When a single server is not able to cope with the demands of multiple client sessions
• Reliability
– Server reliability is increased by allowing you to take individual servers offline without disrupting ongoing service operations
• Redundancy
– Load sharing also provides redundancy in the case of a server failure. LSNAT automatically removes the failed server from the selection process.


Why Would I Use LSNAT? (Continued)

• Security
– Security is improved since only the VIP is known, not the real server IP addresses
• Performance
– LSNAT improves network performance by leveling traffic over many systems
– Using LSNAT in conjunction with Aggregate Links removes the performance bottleneck concerns of one physical link to a server by bundling multiple switch to server links

OpenFlow Based SDN can do it.

IP Access Control Lists

• Access Control Lists filter IP packets based upon specified characteristics
• Depending on the product, ACLs may be applied to router interfaces as access groups, either inbound, outbound or both
• Routers support the configuration of both standard and extended ACLs.
• A standard ACL supports traffic control based on only the source IP address.
• An extended ACL supports traffic control based on both the source and destination IP address, as well as protocol and layer 4 port.
• All ACLs are set with an implicit deny all rule as the last rule upon ACL creation.
• N/S/K Series Routers support the creation of both numbered and named ACLs in Release 7.0
• ACLs may be created in two different ways
• Standard and Extended, numbered and named ACL configuration rules can be added, deleted, or modified through CLI commands from router configuration mode.
• Standard and Extended, numbered and named ACL configuration rules can be added, deleted, or modified using ACL Manager, which is accessible via NMS Console.


Access Control List (ACL) Configuration

• An ACL filters traffic, permitting or denying on a per-packet basis
• Support for inbound or outbound filtering is based on platform
• Configuration Limits
– Only one inbound and one outbound (if supported) ACL, standard or extended, may be statically applied per interface.
– An ACL can contain up to a set maximum number of rules plus the implicit deny all rule.
– ACL rules are added and deleted to an ACL group through CLI commands from router configuration CLI mode or NMS ACL Manager.
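How the standard and extended ACLs of the two slides above are evaluated, as an added example that is not the deck's own code: rules are tried in order, the first match wins, and the implicit deny-all is the last rule. The ACLs, addresses and packets are constructed, and the shadowing check is an added defender's sanity check on rule ordering.

```python
"""Added example (not the deck's own code): first-match evaluation of
standard and extended IP ACLs with the implicit deny-all last, plus a check
for rules that an earlier rule shadows."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: str                          # CIDR network or "any"
    dst: str = "any"                  # extended ACLs only
    proto: str = "ip"                 # "ip" (any), "tcp", "udp", "icmp"
    dst_port: Optional[int] = None    # layer-4 destination port, extended only


@dataclass
class Acl:
    name: str
    extended: bool
    rules: List[Rule] = field(default_factory=list)


def _in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Dict, extended: bool) -> bool:
    if not _in_net(rule.src, pkt["src"]):
        return False
    if not extended:
        return True                   # a standard ACL only sees the source address
    if not _in_net(rule.dst, pkt["dst"]):
        return False
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.get("dport"):
        return False
    return True


def evaluate(acl: Acl, pkt: Dict) -> Tuple[str, int]:
    """Return (action, index of the rule that fired); index -1 means no
    configured rule matched and the implicit deny-all applied."""
    for i, rule in enumerate(acl.rules):
        if rule_matches(rule, pkt, acl.extended):
            return rule.action, i
    return "deny", -1


def _covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed_rules(acl: Acl) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would: a mis-ordered list, since first match
    wins. Only exact port matches are compared (no port ranges here)."""
    out = []
    for j, r in enumerate(acl.rules):
        for e in acl.rules[:j]:
            if not _covers(e.src, r.src):
                continue
            if acl.extended and not (_covers(e.dst, r.dst)
                                     and e.proto in ("ip", r.proto)
                                     and e.dst_port in (None, r.dst_port)):
                continue
            out.append(j)
            break
    return out


# Constructed ACLs: addresses are documentation/private ranges chosen for the example.
WEB_IN = Acl("WEB-IN", extended=True, rules=[
    Rule("deny", "any", "192.168.10.0/24", "tcp", 23),         # no telnet into the server VLAN
    Rule("permit", "any", "192.168.10.20/32", "tcp", 80),      # web server reachable on HTTP only
    Rule("permit", "10.0.0.0/8", "192.168.10.0/24", "icmp"),   # internal ping allowed
])
STD_10 = Acl("10", extended=False, rules=[Rule("permit", "10.0.0.0/8")])
MISORDERED = Acl("BAD", extended=True, rules=[
    Rule("permit", "any", "any"),
    Rule("deny", "any", "192.168.10.0/24", "tcp", 23),         # never reached
])
```

A standard ACL cannot stop telnet from a permitted source, since it never looks at the port; that is the difference the slides draw between standard and extended lists.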

ACLs and PBR

• Policy Based Routing (PBR) allows packets that meet an ACL's criteria to be looked up in a route map to determine the next hop.
• This allows packets that meet one set of criteria to go one direction while those that meet different criteria go another way, all without the use of a routing protocol.

Policy Based Routing

OpenFlow Based SDN can do it.


Enterprise Routing – Multicast Routing

• Multicast Introduction
• IGMP
– Overview
• PIM-SM/PIM-SSM
– Overview
• PIM-SM Configuration
– IGMP/PIM-SM Configuration
– IGMP/PIM-SM Configuration Verification

(diagram: a Video Conferencing Source behind a Designated Router, a Rendezvous Router, a Last-Hop Router and a Switch; the Multicast dataflow reaches the Sales segment, while another segment has No receivers; address 192.18.0.32 appears in the diagram)

Enterprise Routing – Multicast Routing


Multicast Routing : IGMP

(diagram: Multicast Server, Router 1, Switch 1, Switch 2, Switch 3, Network A, Receiver 1 and Receiver 2)

1. The multicast stream is sent to the switch by the host (server)
2. The switch floods multicast traffic (IGMP snooping is not enabled) to the router
3. The router sends a query
4. The host responds with a Join (Solicited Join)
5. The router sends the stream
6. The host sends a Join (Unsolicited Join)
7. The router sends the stream
8. The host sends an IGMP Leave and stops receiving the stream

PIM-SM Overview - Multicast Forwarding


PIM-SM Overview – Message Types

PIM-SM version 1 messages are used within IGMP packets. PIM-SM version 2 messages are encapsulated in IP packets with a protocol number of 103. Initially, PIM-SM uses a shared tree for multicast distribution. A router is administratively elected as the rendezvous point in the network. New sources are required to register with the rendezvous point. Once this is done, multicast packets are forwarded to receivers. PIM-SM enabled devices use the following message types:

– Hello (Hold Time)
– Hello (Designated router priority)
– Register
– Register-Stop
– Join/Prune (J/P)
– Bootstrap
– Candidate RP message
– Assert

PIM-SM Overview – Message Flow


Enterprise Routing – VRRP

Virtual Router Redundancy Protocol (VRRP) provides a means for redundant access to remote destinations by associating multiple routers, physically connected to a common LAN segment, to one “virtual router.”
– Designed to eliminate a single point of failure for hosts on a shared LAN
– An election protocol to provide a virtual router function for redundant access to remote destinations
• A Master is elected to be responsible for forwarding packets for hosts
• Dynamic fail-over should the Master become unavailable
• LAN clients can then always use the virtual router as the gateway

The virtual router is configured with a VRID, or Virtual Router Identifier. This VRID can range from 1 to 255 and is unique to each virtual router on a particular LAN segment.

Benefits
– High availability default path
– Does not require dynamic routing or router discovery protocols on end-hosts
– Facilitates resilience and load sharing at the same time

Overview

Enterprise Routing – VRRP

Router’s Roles in VRRP
– Virtual Router (VR)
• VR Identifier (VRID)
• VR Priority
– IP Address Owner
– Virtual Router Master
– Virtual Router Backup
– VR Master Election
– VRRP Advertisement
– Normal Operation: VR Master
• IP Address Owner if one exists
– Failover when master not available

(diagram: two routers, IP1/MAC1 and IP2/MAC2, share VRID=1 with IP=IP1; the Master (Pri=255) answers for virtual MAC VMAC1 and the Backup (Pri=100) becomes New Master on failover; hosts IP3/MAC3 and IP4/MAC4 use Gateway=IP1 with MAC(IP1)=VMAC1; VRRP ADV messages flow between the routers)

Concepts and Definitions


Enterprise Routing – VRRP

Critical IP functionality allows an administrator to force a VRRP failover if a specified interface goes down
– For example, an interface used for internet access
– This is accomplished by monitoring the availability of a defined path which is not physically connected to the VLAN being protected by the VRRP process
– When the monitored path goes down, the current master sends an ADVERTISEMENT indicating the updated priority (note, the VRID’s priority will decrease by the value of the critical-ip’s critical-priority). It then relinquishes its mastership for the VLAN
• When the path restores, so does the VR priority, and the master will resume the master state if Preemption is enabled

Consideration of IP address ownership
– An IP Address Owner being a non-master no longer receives traffic it’s supposed to
• Thus it may be considered down by other routers
– Use different Virtual IP Addresses when using this feature

(diagram: the Master sends ADV(0) and the Backup becomes New Master)

Critical IP
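The election, failover, preemption and critical-IP behaviour of the VRRP slides, as an added example that is not the deck's own code. Router names, addresses, priorities and the critical-priority value are constructed; the model assumes a master whose critical path is down relinquishes (the ADV(0) in the diagram) and that a backup with preemption disabled does not displace a master that is still advertising.

```python
"""Added example (not the deck's own code): VRRP master election as the
slides describe it: the IP address owner at priority 255, failover when
the master stops advertising, preemption, and the critical-IP priority
decrement."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VrrpRouter:
    name: str
    ip: str                         # this router's own interface address
    vrid: int
    priority: int                   # configured 1..254 (255 is reserved for the owner)
    virtual_ip: str
    preempt: bool = True            # take over from a lower-priority master
    critical_ip: Optional[str] = None
    critical_priority: int = 0      # subtracted while the critical path is down
    critical_up: bool = True
    advertising: bool = True        # False = router is down / not sending ADVs

    def effective_priority(self) -> int:
        if self.ip == self.virtual_ip:
            return 255              # the IP address owner always wins
        p = self.priority
        if self.critical_ip and not self.critical_up:
            p -= self.critical_priority
        return max(p, 1)

    def relinquishing(self) -> bool:
        # Critical path down: the slides say the master advertises the lowered
        # priority and gives up mastership (the ADV(0) in the diagram).
        return bool(self.critical_ip) and not self.critical_up


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in ip.split("."))


def elect_master(routers: List[VrrpRouter], vrid: int,
                 current: Optional[VrrpRouter] = None) -> Optional[VrrpRouter]:
    """Highest effective priority wins; the higher interface IP breaks ties.
    A master that still advertises at its normal priority is only displaced
    by routers configured to preempt, or by the owner (255)."""
    alive = [r for r in routers if r.vrid == vrid and r.advertising]
    if not alive:
        return None
    holding = (current is not None and any(r is current for r in alive)
               and not current.relinquishing())
    if holding:
        alive = [r for r in alive
                 if r is current or r.preempt or r.effective_priority() == 255]
    return max(alive, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))


def run_scenario() -> List[str]:
    """Walk through the events the slides describe; returns the master after
    each event. R1 monitors a constructed uplink path as its critical IP."""
    r1 = VrrpRouter("R1", "10.0.0.1", 1, 200, "10.0.0.254",
                    critical_ip="198.51.100.1", critical_priority=150)
    r2 = VrrpRouter("R2", "10.0.0.2", 1, 100, "10.0.0.254")
    routers, log = [r1, r2], []
    master = elect_master(routers, 1); log.append(master.name)            # R1: 200 > 100
    r1.critical_up = False                                                  # uplink lost: R1 runs at 50
    master = elect_master(routers, 1, master); log.append(master.name)    # R2 takes over
    r1.critical_up = True                                                   # path back, R1 preempts
    master = elect_master(routers, 1, master); log.append(master.name)    # R1
    r1.preempt = False
    r1.critical_up = False
    master = elect_master(routers, 1, master); log.append(master.name)    # R2 again
    r1.critical_up = True                                                   # no preemption: R2 stays
    master = elect_master(routers, 1, master); log.append(master.name)    # R2
    r2.advertising = False                                                  # R2 dies: R1 must take over
    master = elect_master(routers, 1, master); log.append(master.name)    # R1
    return log


if __name__ == "__main__":
    print(" -> ".join(run_scenario()))
```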

1 Network Architecture2 IEEE 802.3 Ethernet3 Internet Protocol4 VLAN5 Spanning Tree6 LACP7 Routing (Basic, BGP)8 SNMP9 Network Applications


SNMP Overview

• MIB Hierarchy

SNMP Overview

• Object Identifiers (OIDs)
– How will objects be accessed in the MIB?
– What is going to be managed?
Objects, or pieces of information that need to be managed, for example:
• sysUpTime 1.3.6.1.2.1.1.3: total up time for node
• sysContact: node contact person
• sysLocation: device location

sysUpTime OID: iso(1).org(3).dod(6).internet(1).mgmt(2).mib-II(1).system(1).sysUpTime(3)
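How the sysUpTime OID above is carried on the wire inside an SNMP PDU, as an added example that is not the deck's own code: ASN.1 BER encoding and decoding of a dotted OID, and a lookup that renders the named path form the slide uses. The name table is constructed from the standard MIB-II system group.

```python
"""Added example (not the deck's own code): how the dotted OID for sysUpTime
(1.3.6.1.2.1.1.3) is encoded inside an SNMP PDU (ASN.1 BER) and decoded
back, plus a small name lookup along the path shown above."""
from typing import List

# Constructed name table for the path on the slide plus the example objects;
# the numbers are the standard MIB-II system group assignments.
NAMES = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.2": "mgmt", "1.3.6.1.2.1": "mib-II", "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.1.3": "sysUpTime", "1.3.6.1.2.1.1.4": "sysContact",
    "1.3.6.1.2.1.1.6": "sysLocation",
}


def encode_oid(dotted: str) -> bytes:
    """BER contents octets: the first two arcs X.Y merge into one byte
    40*X+Y; every later arc is big-endian base-128 with bit 7 set on all
    but its last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first two arcs")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        if arc < 0:
            raise ValueError("negative arc")
        chunk: List[int] = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid; rejects a truncated last arc (continuation
    bit set on the final byte), a classic malformed-PDU case."""
    if not data:
        raise ValueError("empty OID")
    first = data[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last arc has continuation bit set")
    return ".".join(map(str, arcs))


def oid_tlv(dotted: str) -> bytes:
    """Full BER TLV as it appears in a PDU: tag 0x06, short-form length."""
    body = encode_oid(dotted)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def oid_name(dotted: str) -> str:
    """Longest known prefix plus the instance, e.g. ...1.3.0 -> sysUpTime.0."""
    arcs = dotted.split(".")
    for n in range(len(arcs), 0, -1):
        prefix = ".".join(arcs[:n])
        if prefix in NAMES:
            return ".".join([NAMES[prefix]] + arcs[n:])
    return dotted


def oid_path(dotted: str) -> str:
    """The named path form used on the slide: iso(1).org(3)...sysUpTime(3)."""
    arcs = dotted.split(".")
    parts = []
    for n in range(1, len(arcs) + 1):
        prefix = ".".join(arcs[:n])
        parts.append(f"{NAMES.get(prefix, '?')}({arcs[n - 1]})")
    return ".".join(parts)


if __name__ == "__main__":
    print(oid_path("1.3.6.1.2.1.1.3"))
    print(oid_tlv("1.3.6.1.2.1.1.3.0").hex(), "->", oid_name("1.3.6.1.2.1.1.3.0"))
```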


SNMP Overview

• SNMP Communities

SNMP Overview

• SNMPv1 Communication

Manager:
– Queries agents
– Configures devices
– Acknowledges faults
– Processes system data
– Provides security

Agent:
– Responds to requests
– Sends unsolicited traps
– Stores and retrieves management data
– Can be a proxy for non-SNMP network nodes

SNMPv1 messages between Manager and Agent: Get, GetNext, Set, GetResponse, Trap


SNMP Overview

• Efficiency Enhancements with SNMPv2

Manager/Agent:
– Large table retrievals (router tables, for example)
– 10-20% increase in speed for table retrieval
– Confirmed event notification
– Shares information between NMS applications, agents, and agents and managers

SNMPv2 messages between Manager/Agent: Get, GetNext, Set, GetResponse, Trap, InformRequest, GetBulk

SNMP Overview

• Security Enhancements with SNMPv3 (RFCs 2571-2575)
– Robust user-level authentication
– Message integrity checking
– Message encryption
– Role-based authorization


SNMP Overview

• SNMPv3 Architecture

(diagram: an SNMP Entity is made of Application(s) (Command Generator, Notification Receiver, Proxy Forwarder, Command Responder, Notification Originator, Other) on top of an SNMP Engine (identified by snmpEngineID) containing the Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem)

SNMP Summary

• In-band and out-of-band management
• SNMP components and functions (SNMPv1)
• Enhancements provided by SNMPv2 and SNMPv3


1 Network Architecture2 IEEE 802.3 Ethernet3 Internet Protocol4 VLAN5 Spanning Tree6 LACP7 Routing (Basic, BGP)8 SNMP9 Network Applications

Network Applications


DHCP Basics

• Designed to centralize network administration by automatically assigning valid IP addresses from a pool or a scope (range of IP address)

• The client (PC/Cable Modem/Printer) leases an address from the server for a period of time (routers do not usually get an address by DHCP)

• 4 step process that involves the following– Discover– Offer– Request– Acknowledgement

• Configuration options can be supplied to the requesting device– IP Address– Subnet– Default Gateway– Relay Agent

171

TFTP Basics

• TFTP uses the connectionless UDP transport protocol from the IP suite
– Data blocks are 512 bytes by default; the last block of a file is shorter than 512 bytes (possibly empty), and that short block is what signals the end of the transfer

• Has a one-for-one relationship at the application layer (lock-step)
– One block of data is sent, and one acknowledgement is received in response before the next block goes out
– If no acknowledgement arrives, the data block is sent again, up to a default of 4 retries (the count is implementation-defined), at which point communication ends

• Uses a "client-server" model
• Port 69 is the server port that the client's initial request (RRQ or WRQ) goes to; the server answers from a fresh ephemeral port and the rest of the transfer runs between that port and the client's ephemeral port
• Unlike FTP, which uses four ports (two well-known and two ephemeral), TFTP uses only three: the client's port, server port 69, and the server's per-transfer port
• Initially designed to bootstrap "diskless" workstations, now used to update network hardware (images and configuration files) in an intranet
• There is no authentication and no encryption: anyone who can reach UDP port 69 can fetch whatever the server exposes, so keep TFTP servers on a management network and never leave device configuration files in a world-readable TFTP root
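As an added example (not from the original slides), the lock-step exchange just described, carried out in memory: RRQ, then DATA block n answered by ACK n, retransmission of the request when a reply is lost, and termination on the first block shorter than 512 bytes. The served files, the requested names and the lost-reply pattern are all constructed; `TftpServer` is a minimal stand-in for the server side and uses no UDP sockets.

```python
"""Lock-step TFTP read (RRQ) in memory: one DATA block, one ACK, with
retransmission on a lost reply.  Server files, requested names and the
lost-reply pattern are constructed for the example; no UDP sockets are used.
"""
import struct

BLOCK = 512            # default data block size (RFC 1350)
MAX_RETRIES = 4        # resend attempts before giving up; implementation-defined
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5


def encode_rrq(filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def encode_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload


def encode_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def encode_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\x00"


class TftpServer:
    """Answers one datagram at a time: RRQ -> DATA 1, ACK n -> DATA n+1
    (or nothing once the last block has been acknowledged)."""

    def __init__(self, files: dict):
        self.files = files          # name -> bytes: the server's whole exported tree
        self.current = None

    def _data(self, block: int) -> bytes:
        start = (block - 1) * BLOCK
        return encode_data(block, self.current[start:start + BLOCK])

    def handle(self, pkt: bytes):
        op = struct.unpack("!H", pkt[:2])[0]
        if op == OP_RRQ:
            name = pkt[2:].split(b"\x00")[0].decode(errors="replace")
            # Serve only exact names from the export table: no path traversal out of it
            if "/" in name or "\\" in name or name not in self.files:
                self.current = None
                return encode_error(1, "File not found")
            self.current = self.files[name]
            return self._data(1)
        if op == OP_ACK and self.current is not None:
            block = struct.unpack("!H", pkt[2:4])[0]
            last_block = len(self.current) // BLOCK + 1   # the last block is shorter than BLOCK
            if block >= last_block:
                self.current = None                        # transfer finished
                return None
            return self._data(block + 1)
        return encode_error(4, "Illegal TFTP operation")


def tftp_get(server: TftpServer, filename: str, lost_replies=frozenset()) -> bytes:
    """Client side. `lost_replies` holds 1-based send counts whose reply 'never
    arrives' (constructed packet loss); each loss triggers a retransmission."""
    out, request, expected, sends = bytearray(), encode_rrq(filename), 1, 0
    while True:
        for _ in range(MAX_RETRIES + 1):            # first try plus MAX_RETRIES resends
            sends += 1
            reply = server.handle(request)
            if sends in lost_replies:
                reply = None                         # simulate the datagram being dropped
            if reply is not None:
                break
        else:
            raise TimeoutError(f"no reply after {MAX_RETRIES} retries; giving up")
        op, block = struct.unpack("!HH", reply[:4])
        if op == OP_ERROR:
            raise OSError(reply[4:].rstrip(b"\x00").decode(errors="replace"))
        if op != OP_DATA or block != expected:
            raise ValueError(f"unexpected packet op={op} block={block}")
        payload = reply[4:]
        out += payload
        request = encode_ack(block)
        if len(payload) < BLOCK:                     # short block: end of file
            server.handle(request)                   # final ACK, nothing more expected
            return bytes(out)
        expected += 1


if __name__ == "__main__":
    srv = TftpServer({"boot.bin": bytes(range(256)) * 5})      # 1280 bytes: 512 + 512 + 256
    print(len(tftp_get(srv, "boot.bin", lost_replies={2})), "bytes received after one retransmission")
```

The server answers purely from the block number in the ACK, which keeps it stateless per datagram but also means a duplicated ACK produces a duplicated DATA (the "Sorcerer's Apprentice" problem of RFC 1350); a production server should ignore an ACK it has already seen.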


HTTP Basics

• HTTP is the language spoken between a web browser (client software) and a web server (server software) so they can communicate with each other and exchange files.

• HTTP is a "Request-Response" protocol: the client opens a TCP connection to the server (port 80) and sends a Request in a very specific text format (request line, header lines, a blank line, optional body). The server then sends a Response in the same shape; in HTTP/1.0 it closes the connection afterwards, in HTTP/1.1 the connection stays open for further requests by default.

• The key to an HTTP session is Hypertext. Hypertext is data that contains links to other data.

• A page with both text and pictures is several requests: one for the HTML, then one for each embedded image the browser finds in it.

• HTTP is "stateless": the server keeps nothing about a request once it has answered it, so each request must carry everything needed to handle it (cookies and tokens are how applications layer a session on top).
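As an added example (not from the original slides), a strict parser for the request format described above and a builder for the matching response. It rejects the forms that two HTTP implementations in a chain might read differently (a duplicated or non-numeric Content-Length, Content-Length together with Transfer-Encoding, folded header lines), which is the root of request-smuggling bugs. `SAMPLE_REQUEST` is a constructed request; nothing touches a socket.

```python
"""Strict HTTP/1.x request parser and response builder.

SAMPLE_REQUEST is constructed for the example; no socket is involved.
"""
CRLF = b"\r\n"
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def parse_request(raw: bytes) -> dict:
    """Split request line, headers and body; reject the ambiguous forms that
    different servers or proxies would otherwise interpret differently."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete head: no blank line yet")
    lines = head.split(CRLF)
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError("unknown method")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ValueError("unsupported version")
    if not target.startswith(b"/") and target != b"*":
        raise ValueError("request target must be an absolute path")

    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete header line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower().decode("ascii")
        if key in headers and key in ("content-length", "host", "transfer-encoding"):
            raise ValueError(f"duplicate {key} header")
        headers[key] = value.strip().decode("latin-1")

    if version == b"HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    if "content-length" in headers and "transfer-encoding" in headers:
        # Two different ways to delimit the body: the classic request-smuggling setup.
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if "transfer-encoding" in headers:
        raise ValueError("chunked bodies are not handled by this example")
    cl = headers.get("content-length", "0")
    if not cl.isdigit():
        raise ValueError("Content-Length is not a non-negative integer")
    length = int(cl)
    if len(rest) < length:
        raise ValueError(f"body incomplete: need {length} bytes, have {len(rest)}")
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers, "body": rest[:length]}


def build_response(status: int, reason: str, body: bytes,
                   content_type: str = "text/plain", close: bool = True) -> bytes:
    """Response with an explicit Content-Length so the client knows where the body ends."""
    lines = [f"HTTP/1.1 {status} {reason}", f"Content-Type: {content_type}",
             f"Content-Length: {len(body)}"]
    if close:
        lines.append("Connection: close")      # HTTP/1.0 behaviour: one request per connection
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF + body


# Constructed sample: a form login, the kind of request whose body must be delimited exactly.
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 18\r\n\r\nuser=bob&pw=hunter")


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["headers"]["host"], req["body"])
    print(build_response(200, "OK", b"welcome").decode())
```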

HTTPS / SSL Basics

• Secure mode of moving data over an insecure transmission medium: HTTP carried inside an SSL/TLS session, by default on TCP port 443

• Addresses issues of three key entities
– Server: authenticated to the client by its certificate
– Client: optionally authenticated by a client certificate (more often left to the application's own login)
– Data: confidentiality and integrity of everything sent after the handshake

• Built into both Netscape and Internet Explorer (and every browser since)
• Encrypts only the data portion of the packet; the IP and TCP headers stay in cleartext, so an observer still sees who talks to whom, on which port, and how much
– IP
– TCP
• "SSL" today means TLS: SSL 2.0 and 3.0 are broken and should be disabled on servers in favour of TLS 1.2 or later


DNS Basics

• Distributed database used by the TCP/IP suite to resolve a name to an IP address; may provide other types of information (mail exchangers, name servers, text records)
– e.g. AP Engines = 208.185.160.9 (a name-to-address mapping, as the slide shows it)
– Each zone must be served by redundant authoritative DNS servers (at least two)
– No single entity is responsible for the entire DNS model

• Caching is critical for keeping down network traffic; a cached answer is reused until its TTL expires
• Within the DNS application is an entity known as the "Resolver", and it is the responsibility of the Resolver to bind names to IP addresses
• DNS uses a domain name tree to categorize top-level domains. The top level is the unnamed root, represented by a "."
– .com (the most heavily used)
– .edu
– .org
– .net
– .mil
– .gov
• Queries normally travel in a single UDP datagram to port 53 with no authentication; the resolver matches a reply to its query only by transaction ID, source port and question, which is why an attacker who can guess those can poison a cache (DNSSEC signs the records themselves)
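As an added example (not from the original slides), a resolver's side of the exchange above: building an A query, and parsing the reply while checking the transaction ID and question against what was asked. The parser also handles RFC 1035 name compression safely; a compression pointer must point backwards and the number of hops is capped, so a crafted reply cannot loop the parser. `sample_response` is a constructed server reply and the name and addresses (192.0.2.x, TEST-NET) are made up; nothing is sent to a real resolver.

```python
"""DNS query builder and response parser (RFC 1035 wire format) with safe
handling of name-compression pointers.  The response bytes are constructed
for the example; nothing is sent to a real resolver.
"""
import ipaddress
import struct

TYPE_A, CLASS_IN = 1, 1
MAX_POINTER_HOPS = 16


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = TYPE_A) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, off: int):
    """Return (name, offset just after the name as it appears at `off`).

    A pointer label (top two bits 11) jumps to an earlier occurrence of the
    suffix.  Pointers must go backwards and the hop count is capped, so a
    crafted message cannot send the parser into an endless loop."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2           # at this position the name occupies only 2 bytes
            hops += 1
            if ptr >= off or hops > MAX_POINTER_HOPS:
                raise ValueError("illegal compression pointer")
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, expected_id: int, expected_name: str):
    """Return [(name, ttl, address)] for the A records in the answer section.

    The reply is accepted only if its ID and question match what we asked,
    the minimal check a resolver makes against spoofed answers."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                    # QTYPE, QCLASS
        if qname.lower() != expected_name.rstrip(".").lower() + ".":
            raise ValueError("answer is for a different question")
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN:
            if rdlen != 4:
                raise ValueError("A record with RDLENGTH != 4")
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return answers


def sample_response(qid: int, name: str, address: str, ttl: int = 300) -> bytes:
    """Constructed server reply: the answer's owner name is a pointer (0xC00C)
    back to the question name at offset 12, as real servers compress it."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + ipaddress.IPv4Address(address).packed)
    return header + question + rr


if __name__ == "__main__":
    qid, name = 0x1234, "www.example.com"                         # constructed query
    print(build_query(qid, name).hex())
    print(parse_response(sample_response(qid, name, "192.0.2.10"), qid, name))
```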

Telnet

• Allows a terminal session to operate over a network (TCP port 23)
• Telnet comes in many flavors, and the correct terminal type needs to be negotiated
– DEC VT series (common)
– IBM 3270
• Advantage of Telnet: it allows a user to log in to a device from anywhere, as long as the security options allow it
• Works with multiple operating systems
• Disadvantage of Telnet: it is a portal into a network, and everything, including the username and password, crosses the wire in cleartext; use SSH instead and disable Telnet on network devices


Telnet

• Telnet begins with the 3-way handshake at layer 4 (TCP)
• After the 3-way handshake the two ends negotiate the session with IAC WILL/WONT/DO/DONT option commands, including:
– Line termination: DOS uses CR-LF to terminate a line, UNIX uses just an LF (Telnet itself sends CR-LF on the wire)
– Who will echo characters to the initiator of the Telnet session (the ECHO option)

File Transfer Protocol (FTP)

• Data can be transferred by one of three means in the TCP/IP environment
– Trivial File Transfer Protocol (TFTP)
– Network File System (NFS)
– File Transfer Protocol (FTP)

• FTP requires the use of 4 socket ports
– Well-known ports 21 and 20 on the server
– Two ephemeral ports greater than 1024 on the client


FTP Ports

• Port 21 is the control connection: used for the initial setup (login) and to control the session for its whole duration
• Port 20 is the server side of the data connection in active mode, and is used to actually transfer the data
• A data connection is opened any time a GET, PUT or directory listing is issued, and after the transfer of the file that data connection is closed; the control connection on port 21 stays open
• In active mode the server connects from port 20 back to a client port announced with the PORT command, which client-side firewalls and NAT usually block; in passive mode (PASV) the server opens an ephemeral port and the client connects to it, which is why passive FTP needs a range of ports opened on the server's firewall
• Like Telnet, FTP sends the username and password in cleartext; prefer SFTP (over SSH) or FTPS

Applications for Network Devices (diagram)

• Two Network Devices shown side by side, each built as: Software (Operating System (OS) running the Apps) on top of a Low-Level ASIC Interface, on top of the ASIC and its TCAM banks


Enabling a shift from protocols to applications: Separation of Applications (diagram)

• Controller (OpenFlow controller or SDN controller): now hosts the Operating System (OS) and the Apps
• Network Device (three shown): keeps its Software layer, Low-Level ASIC Interface, ASIC and TCAM banks; the App layer moves off the box into the controller

The All-Seeing Eye for Almighty (diagram)

• SDN Controller: runs the Operating System (OS) and the Apps
• Northbound: code-based automation; control of vBRAS, vCDN, vADC
• Southbound: OpenFlow, NetConf, SNMP, Node Aware
• Network Devices (three shown): an Agent on each device receives Flows from the controller and programs them into the ASIC/TCAM through the Low-Level ASIC Interface


Thank you very much
