
Network like it’s 1999 with BGP EVPN

Lukas Krattiger, BGP EVPN for VXLAN Expert on TechWiseTV

Long before ‘virtual’ became synonymous with servers, network VLANs gave us a layer 2 answer for much-needed network segmentation. They also opened things up for more flexible network designs.

Watch TWTV 186 “Scaling Multitenancy with VXLAN”

As server virtualization exploded, however, several network design problems converged and revealed new issues to overcome:

  • Hardware costs rose because Spanning Tree’s lack of multipathing left redundant boxes lying dormant, waiting for a failure.
  • Larger networks exposed the limited number of segments VLANs could scale to, capping out at just 4,094 segments (or fewer when using STP).
  • Multi-tenancy put further pressure on VLAN limitations.

The answer to these problems arrived in 2012 as RFC 7348: VXLAN, Virtual Extensible LAN, a network overlay that encapsulates the entire layer 2 frame in UDP while adding only around 50 bytes of overhead.

So the 4,094-segment limitation of VLANs expanded to an incredible 16 million segments with VXLAN. VXLAN’s ability to span layer 3 boundaries was an additional benefit for cloud networks, yet another concept emerging from advances in server virtualization.

Millions of segments, tenant isolation, layer 3 multipathing. No more network issues. Right? Ironically, these larger VXLAN-enhanced networks began discovering new limitations.
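To make the encapsulation and the two numbers above concrete (about 50 bytes of overhead, 16 million segments), here is an added example, not code from the original post or from Cisco, that wraps an inner Ethernet frame in the outer Ethernet/IPv4/UDP/VXLAN headers of RFC 7348 and parses them back. The MAC addresses, IP addresses and the inner frame are constructed sample values; the function and constant names are this example's own.

```python
"""Added example: VXLAN (RFC 7348) MAC-in-UDP encapsulation in pure Python.

Builds the outer Ethernet/IPv4/UDP/VXLAN headers around an inner layer 2
frame and validates/parses them on the way back.  Every address here is a
constructed sample value (RFC 5737 documentation ranges, locally
administered MACs).
"""
import socket
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1    # VNI is 24 bits: 2**24 = 16,777,216 segments

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (14 B)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal IPv4 header (20 B)
UDP_HDR = struct.Struct("!HHHH")           # src port, dst port, length, csum (8 B)
VXLAN_HDR = struct.Struct("!B3xI")         # flags, 24 reserved bits, VNI<<8 (8 B)


def _ipv4_checksum(header):
    """One's-complement checksum over a header; 0 when verifying a good one."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def encapsulate(inner_frame, vni, src_ip, dst_ip, src_mac, dst_mac, src_port=49152):
    """Wrap an inner Ethernet frame in Ethernet/IPv4/UDP/VXLAN outer headers."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = VXLAN_HDR.pack(VXLAN_FLAG_I, vni << 8)
    udp_len = UDP_HDR.size + len(vxlan) + len(inner_frame)
    # RFC 7348 permits a zero UDP checksum over IPv4 (receiver must accept it).
    udp = UDP_HDR.pack(src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip_fields = [0x45, 0, IPV4_HDR.size + udp_len, 0, 0x4000, 64,
                 socket.IPPROTO_UDP, 0,
                 socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_fields[7] = _ipv4_checksum(IPV4_HDR.pack(*ip_fields))  # fill checksum
    ip = IPV4_HDR.pack(*ip_fields)
    eth = ETH_HDR.pack(_mac(dst_mac), _mac(src_mac), 0x0800)
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(packet):
    """Check each outer header and return (vni, inner_frame)."""
    off = 0
    _, _, ethertype = ETH_HDR.unpack_from(packet, off)
    if ethertype != 0x0800:
        raise ValueError("outer frame is not IPv4")
    off += ETH_HDR.size
    ver_ihl, _, _, _, _, _, proto, _, _, _ = IPV4_HDR.unpack_from(packet, off)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    if _ipv4_checksum(packet[off:off + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    off += ihl
    _, dst_port, udp_len, _ = UDP_HDR.unpack_from(packet, off)
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: UDP destination port %d" % dst_port)
    off += UDP_HDR.size
    flags, vni_field = VXLAN_HDR.unpack_from(packet, off)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    off += VXLAN_HDR.size
    inner_len = udp_len - UDP_HDR.size - VXLAN_HDR.size
    return vni_field >> 8, packet[off:off + inner_len]


def sample_inner_frame():
    """Constructed inner frame: 14-byte Ethernet header plus 46 dummy bytes."""
    return ETH_HDR.pack(_mac("02:00:00:00:00:02"),
                        _mac("02:00:00:00:00:01"), 0x0800) + bytes(range(46))


if __name__ == "__main__":
    inner = sample_inner_frame()
    pkt = encapsulate(inner, 5000, "192.0.2.1", "192.0.2.2",
                      "02:aa:aa:aa:aa:01", "02:bb:bb:bb:bb:02")
    print("overhead bytes:", len(pkt) - len(inner))   # 14 + 20 + 8 + 8
    print("decapsulated VNI:", decapsulate(pkt)[0])
```

The 50 bytes quoted in the post are exactly the sum of the four outer headers (14 + 20 + 8 + 8); with an 802.1Q tag on the outer frame or IPv6 underlay the figure grows, which is why underlay MTUs are raised rather than assumed. On the receive side, checking the I flag and the UDP port before trusting the VNI matters: a VTEP that maps a packet into a segment on the basis of an unvalidated header field is the overlay equivalent of VLAN hopping.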


Dynamic Multipoint VPN (DMVPN) Setup.

Since DMVPN has been added to the CCIE v5 BluePrint (http://www.cisco.com/web/learning/exams/docs/ccieRS_Lab5.pdf) I figured that now was just as good of a time as any to write this blog.

DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks.

DMVPN is a combination of the following technologies:

  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption
  • Cisco Express Forwarding (CEF)

Topology that we will be starting with:

[Image: Colby's Blog Image 1 (starting topology)]

The first thing will be to complete the base configurations on R1, R2 and R3. This consists of configuring the IP addresses on the interfaces above and setting up the routing protocol to distribute the routes; in this case we will use EIGRP 123.

Top Things to Know About DFA Before Cisco Live Milan

Two weeks ago, I presented a webinar on Dynamic Fabric Automation (DFA) and went over the allocated 1 hour to cover the content.  Yesterday, as I was doing follow up with a hands-on demo, I went over time too. This illustrates how rich DFA is, and how much there is to say about it! Dynamic Fabric Automation is an environment for data center automation that is centered on the CPOM (Central Point of Management), a set of services that are provided with the new Data Center Network Manager (DCNM) release 7.0(1).

The services available on the CPOM provide the following:

  1. Power On Auto Provisioning (POAP)
  2. Inter-switch link connection verification
  3. A single console for configuration
  4. Network Auto-Config Profile provisioning
  5. Message processing for external orchestrator
  6. Automatic host provisioning
  7. Embedded management for network monitoring and data collection

All of these services are provided using standard protocols and applications. For example, the POAP service uses DHCP, TFTP and SCP/SFTP, but through a combination of templates and a very intuitive, easy-to-use GUI, DCNM provides a simplified and systematic way of bringing up your data center fabric. The inter-switch link validation, or cable consistency check, allows the operator to verify the fabric connections against a predefined template and prevents unexpected connections from coming up.

The Jabber process provides the single console for configuration, statistics and troubleshooting. Using any XMPP client, an operator can “chat” with the fabric devices; this approach offers the possibility to organize devices in chat groups that match their role, their location or simply some administrative set. With XMPP, a single command can be sent to multiple devices in a secure way.

The most important element of the CPOM is certainly the network profile provisioning.

Securing Critical Internet Infrastructure: a RPKI case study in Ecuador

Securing critical Internet infrastructure is an ongoing challenge for operators and requires collaboration across administrative boundaries. Last September, something exceptional happened in the small South American country of Ecuador: the entire local network operations community got together to pioneer securing the local Internet infrastructure by registering its networks in the RPKI system and implementing secure origin AS validation. Please visit my original blog post over on the Cisco Perspectives Blog to read more!


Securing Critical Internet Infrastructure: an RPKI case study in Ecuador

Securing the critical Internet infrastructure is an ongoing challenge for operators and requires collaboration across administrative boundaries. Last September something exceptional happened in Ecuador, a small South American country. The entire local network operations community got together to pioneer securing its local Internet infrastructure by registering its networks in the Resource Public Key Infrastructure (RPKI) system and implementing secure origin AS validation. This project is a great example of how a global technology change can be accelerated by maximizing its value to local communities.

The global inter-domain routing infrastructure depends on the BGP protocol, which was initially developed in the early 90s. Operators know that a number of techniques are needed to improve BGP security (a good reference can be found here). Despite these improvements, it is still possible to impersonate the entity holding the right to use Internet resources and produce a prefix hijack, as in the famous attack in 2007. The IETF, vendors and Regional Internet Registries have been working inside the SIDR working group to create technologies that allow cryptographic validation. The initial outcomes of this effort have been the RPKI and BGP origin AS validation: two complementary technologies that work together to improve inter-domain routing security.
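To show what "origin AS validation" decides for each received route, here is an added example that is not part of the original post and not Cisco code. It implements the three validation states of the RFC 6811 procedure (Valid, Invalid, NotFound) against a small set of Route Origin Authorizations (ROAs); the ROAs, prefixes and AS numbers are constructed sample values from the documentation ranges, and the function names are this example's own. Real routers obtain the validated ROA set from an RPKI cache via the RTR protocol rather than from a hard-coded list.

```python
"""Added example: BGP prefix origin validation (RFC 6811 logic) against
RPKI ROAs.  All ROAs, prefixes and ASNs below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

# A ROA says: `asn` may originate `prefix` and any more-specific of it
# down to `max_length`.  Origin AS 0 means "nobody may originate this".
ROA = namedtuple("ROA", "prefix max_length asn")


def make_roa(prefix, asn, max_length=None):
    """Build a ROA; a missing maxLength defaults to the prefix length."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError("maxLength %d out of range for %s" % (ml, net))
    return ROA(net, ml, asn)


def covering_roas(roas, route):
    """ROAs whose prefix covers (equals or contains) the announced route."""
    net = ipaddress.ip_network(route, strict=False)
    return [r for r in roas
            if r.prefix.version == net.version and net.subnet_of(r.prefix)]


def validate_origin(roas, route, origin_asn):
    """RFC 6811 state for a route announced with the given origin AS.

    NotFound: no ROA covers the prefix (unsigned space, treated leniently).
    Valid:    some covering ROA names this origin AS and allows this length.
    Invalid:  ROAs cover the prefix but none matches origin AS and length
              (the case a prefix hijack or an over-specific leak falls into).
    """
    net = ipaddress.ip_network(route, strict=False)
    covering = covering_roas(roas, net)
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def validate_table(roas, announcements):
    """Classify a list of (prefix, origin_asn) pairs; returns state counts."""
    counts = {"Valid": 0, "Invalid": 0, "NotFound": 0}
    for prefix, asn in announcements:
        counts[validate_origin(roas, prefix, asn)] += 1
    return counts


# Constructed sample ROA set (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 64496),            # exact /24 only
    make_roa("2001:db8::/32", 64496, 48),       # /32 down to /48 allowed
    make_roa("198.51.100.0/24", 0),             # AS0: must never be originated
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496),
                        ("2001:db8:1::/48", 64496), ("198.51.100.0/24", 64500)]:
        print(prefix, "AS%d" % asn, "->", validate_origin(SAMPLE_ROAS, prefix, asn))
```

Two details are worth noting for anyone deploying this: a route that is longer than a ROA's maxLength is Invalid even when the origin AS is right, so a ROA with an overly generous maxLength quietly authorizes an attacker who can announce a more-specific prefix; and the policy attached to each state (drop Invalid, lower local preference, log only) is a local routing decision that the validation itself does not make.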
