In today’s fast-paced digital landscape, businesses strive to deliver high-quality services while minimizing costs and maximizing efficiency. To achieve this, organizations are increasingly adopting dynamic workload scaling techniques. This blog post will explore the concept of dynamic workload scaling, its benefits, and how it can help businesses optimize their operations.
Adjustment of resources
Dynamic workload scaling refers to the automated adjustment of computing resources to match the changing demands of a workload. This technique allows organizations to scale their infrastructure up or down in real time based on the workload requirements. By dynamically allocating resources, businesses can ensure that their systems operate optimally, regardless of varying workloads.
Defined Thresholds
Dynamic workload scaling is all about monitoring and distributing traffic at user-defined thresholds. Data centers are under pressure to support the ability to burst new transactions to available Virtual Machines ( VM ). In some cases, the VMs used to handle the additional load will be geographically dispersed, with both data centers connected by a Data Center Interconnect ( DCI ) link. The ability to migrate workloads within an enterprise hybrid cloud or in a hybrid cloud solution between enterprise and service provider is critical for business continuity for planned and unplanned outages.
Before you proceed, you may find the following post helpful:
Introduction to Dynamic Workload Scaling and what is involved.
Highlighting the details of dynamic workloads and how they can be implemented.
Critical points on how Cisco approaches Dynamic Workload Scaling.
A final note on design considerations.
Back to basics with OTV.
Overlay Transport Virtualization (OTV) is an IP-based technology to provide a Layer 2 extension between data centers. OTV is transport agnostic, indicating that the transport infrastructure between data centers can be dark fiber, MPLS, IP routed WAN, ATM, Frame Relay, etc.
The sole prerequisite is that the data centers must have IP reachability between them. OTV permits multipoint services for Layer 2 extension and separated Layer 2 domains between data centers, maintaining an IP-based interconnection’s fault-isolation, resiliency, and load-balancing benefits.
Unlike traditional Layer 2 extension technologies, OTV introduces the Layer 2 MAC routing concept. The MAC-routing concept enables a control-plane protocol to advertise the reachability of Layer 2 MAC addresses. As a result, the MAC-routing idea has enormous advantages over traditional Layer 2 extension technologies that traditionally leveraged data plane learning, flooding Layer 2 traffic across the transport infrastructure.
Cisco and Dynamic Workloads
A new technology introduced by Cisco, called Dynamic Workload Scaling ( DWS ), satisfies the requirement of dynamically bursting workloads based on user-defined thresholds to available resource pools ( VMs ). It is tightly integrated with Cisco Application Control Engine ( ACE ) and Cisco’s Dynamic MAC-in-IP encapsulation technology known as Overlay Transport Virtualization ( OTV ), enabling resource distribution across Data Center sites. OTV provides the LAN extension method that keeps the virtual machine’s state as it passes locations, and ACE delivers the load-balancing functionality.
Dynamic workload and dynamic workload scaling.
Dynamic workload scaling: How does it work?
DWS monitors the VM capacity for an application and expands that application to another resource pool during periods of peak usage. We provide a perfect solution for distributed applications among geographically dispersed data centers.
DWS uses the ACE and OTV technologies to build a MAC table. It monitors the local MAC entries and those located via the OTV link to determine if a MAC entry is considered “Local” or “Remote.”
The ACE monitors the utilization of the “local” VM. From these values, the ACE can compute the average load of the local Data Center.
DWS uses two APIs. One is to monitor the server load information polled from VMware’s VCenter, and another API is to poll OTV information from the Nexus 7000.
During normal load conditions, when the data center is experiencing low utilization, the ACE can load incoming balance traffic to the local VMs.
However, when the data center experiences high utilization and crosses the predefined thresholds, the ACE will add the “remote” VM to its load-balancing mechanism.
Workload scaling and its operations.
Dynamic workload scaling: Design considerations
During congestion, the ACE adds the “remote” VM to its load-balancing algorithm. The remote VM placed in the secondary data center could add additional load on the DCI. Essentially hair-pining traffic for some time as ingress traffic for the “remote” VM continues to flow via the primary data center. DWS should be used with Locator Identity Separation Protocol ( LISP ) to enable automatic move detection and optimal ingress path selection.
Benefits of Dynamic Workload Scaling:
1. Improved Efficiency:
Dynamic workload scaling enables businesses to allocate resources precisely as needed, eliminating the inefficiencies associated with over-provisioning or under-utilization. Organizations can optimize resource utilization and reduce operational costs by automatically scaling resources up during periods of high demand and scaling them down during periods of low demand.
2. Enhanced Performance:
With dynamic workload scaling, businesses can effectively handle sudden spikes in workload without compromising performance. Organizations can maintain consistent service levels and ensure smooth operations during peak times by automatically provisioning additional resources when required. This leads to improved customer satisfaction and retention.
3. Cost Optimization:
Traditional static infrastructure requires businesses to provision resources based on anticipated peak workloads, often leading to over-provisioning and unnecessary costs. Dynamic workload scaling allows organizations to provision resources on demand, resulting in cost savings by paying only for the resources utilized. Additionally, by scaling down resources during periods of low demand, businesses can further reduce operational expenses.
4. Scalability and Flexibility:
Dynamic workload scaling allows businesses to scale their operations as needed. Whether expanding to accommodate business growth or handling seasonal fluctuations, organizations can easily adjust their resources to match the workload demands. This scalability and flexibility enable businesses to respond quickly to changing market conditions and stay competitive.
Dynamic workload scaling has emerged as a crucial technique for optimizing efficiency and performance in today’s digital landscape. By dynamically allocating computing resources based on workload requirements, businesses can improve efficiency, enhance performance, optimize costs, and achieve scalability. Implementing robust monitoring systems, automation, and leveraging cloud computing services are critical steps toward successful dynamic workload scaling. Organizations can stay agile and competitive and deliver exceptional customer service by adopting this approach.
Key Features of Cisco Dynamic Workload Scaling:
Intelligent Automation:
Cisco’s dynamic workload scaling solutions leverage intelligent automation capabilities to monitor real-time workload demands. By analyzing historical data and utilizing machine learning algorithms, Cisco’s automation tools can accurately predict future workload requirements and proactively scale resources accordingly.
Application-Aware Scaling:
Cisco’s dynamic workload scaling solutions are designed to understand the unique requirements of different applications. By utilizing application-aware scaling, Cisco can allocate resources based on the specific needs of each workload, ensuring optimal performance and minimizing resource wastage.
Seamless Integration:
Cisco’s dynamic workload scaling solutions seamlessly integrate with existing IT infrastructures, allowing businesses to leverage their current investments. This ensures a smooth transition to dynamic workload scaling without extensive infrastructure overhauls.
Conclusion:
In today’s dynamic business environment, efficiently managing and scaling workloads is critical for organizational success. Cisco’s dynamic workload scaling solutions provide businesses with the flexibility, performance optimization, and cost savings necessary to thrive in an ever-changing landscape. By leveraging intelligent automation, application-aware scaling, and seamless integration, Cisco empowers organizations to adapt and scale their workloads effortlessly. Embrace Cisco’s dynamic workload scaling and unlock the full potential of your business operations.
The networking landscape has undergone significant transformations over the years, with the need for efficient and scalable routing protocols becoming increasingly crucial. In this blog post, we will delve into the world of LISP (Locator/ID Separation Protocol) and explore its control plane, shedding light on its advantages to modern networks.
LISP, developed by the Internet Engineering Task Force (IETF), is a protocol that separates the location and identity of network devices. It provides a scalable solution for routing by decoupling the IP address (identity) from a device's physical location (locator). The control plane of LISP plays a vital role in managing and distributing the mapping information required for efficient and effective routing.
We need a method to separate identity from location that offers many benefits. However, a single address field for identifying a device and determining where it is topologically located is not an optimum approach and presents many challenges with host mobility.
- Understanding the Control Plane: The control plane in LISP is responsible for managing the mappings between endpoint identifiers (EIDs) and routing locators (RLOCs). It enables efficient and scalable routing by separating the identity of a device from its location. By leveraging the distributed mapping system, control plane operations ensure seamless communication across networks.
- Unraveling the Data Plane: The data plane is where the actual packet forwarding occurs in LISP. It relies on encapsulation and decapsulation techniques to encapsulate the original IP packet within a LISP header. The encapsulated packet is then routed through the network based on the EID-to-RLOC mapping obtained from the control plane. The data plane plays a vital role in maintaining network efficiency and enabling seamless mobility.
The LISP control and data plane offer several advantages for modern networks. Firstly, it enhances scalability by reducing the size of routing tables and simplifying network architecture. Secondly, LISP provides improved mobility support, allowing devices to move without changing their IP addresses. This feature is particularly beneficial for mobile networks and IoT deployments. Lastly, the control and data plane separation enables more efficient traffic engineering and network optimization.
Implementing LISP control and data plane requires a combination of software and hardware components. Several vendors offer LISP-enabled routers and switches, making it easier to adopt this protocol in existing network infrastructures. Additionally, various open-source software implementations are available, allowing network administrators to experiment and deploy LISP in a flexible manner.
Highlights: LISP Control and Data Plane
The LISP Protocol
The LISP protocol offers an architecture that provides seamless ingress traffic engineering and move detection without any DNS changes or agents on the host. A design that LISP can use would be active data center design. A vital concept of the LISP protocol is that end hosts operate similarly. Hosts’ IP addresses for tracking sockets and connections and sending and receiving packets do not change.
LISP Routing
LISP attempts to establish communication among endpoint devices. Endpoints in IP networks are called IP hosts, and these hosts are typically not LISP-enabled, so each endpoint originates packets with a single IPv4 or IPv6 header to another endpoint. Many endpoints exist, including servers (physical or virtual), workstations, tablets, smartphones, printers, IP phones, and telepresence devices. EIDs are LISP addresses assigned to endpoints.
EID – Globally Unique
The EID must be globally unique when communicating on the Internet, just like IP addresses. To be reachable from the public IP space, private addresses must be translated to global addresses through network address translation (NAT). Like any other routing database on the Internet, the global LISP mapping database cannot be populated with private addresses. In contrast, the global LISP mapping database can identify entries as members of different virtual private networks (VPNs).
BGP/MPLS Internet Protocol (IP) VPN network routers have separate virtual routing and forwarding (VRF) tables for each VPN; in the same vein, LISP can be used to create private networks and to have an Internet router with separate routing tables (VRFs) for internet routes and private addresses. In many cases, private EID addresses do not have to be routable over the public Internet when using a dedicated private LISP mapping database. With LISP, private deployments may use the public Internet as an underlay to create VPNs, leveraging the public Internet for transport.
Before you proceed, you may find the following useful for pre-information:
Introduction to the LISP Control Plane and what is involved.
Highlighting the details of the difference between the control vs data plane in a LISP network.
Step by step on the LISP control plane activity.
Step by step on the LISP data plane activity.
Back to basics with the LISP
LISP: An IP overlay solution
LISP is an IP overlay solution that keeps the same semantics for IPv4 and IPv6 packet headers but operates two separate namespaces: one to specify the location and the other to determine the identity. A LISP packet has an inner IP header, which, like the headers of traditional IP packets, is for communicating endpoint to endpoint.
This would be from a particular source to a destination address. Then we have the outer IP header that provides the location to which the endpoint attaches. The outer IP headers are also IP addresses.
Therefore, if an endpoint changes location, its IP address remains unchanged. It is the outer header that consistently gets the packet to the location of the endpoint. The endpoint identifier (EID) address is mapped to a router that the endpoint sits behind, which is understood as the routing locator (RLOC) in LISP terminology.
Benefits of LISP Control Plane:
1. Scalability: LISP’s control plane offers scalability advantages by reducing the size of the routing tables. With LISP, the mapping system maintains only the necessary information, allowing for efficient routing in large networks.
2. Mobility: The control plane of LISP enables seamless mobility as devices move across different locations. By separating the identity and locator, LISP ensures that devices maintain connectivity even when their physical location changes, reducing disruptions and enhancing network flexibility.
3. Traffic Engineering: LISP’s control plane allows for intelligent traffic engineering, enabling network operators to optimize traffic flow based on specific requirements. By leveraging the mapping information, routing decisions can be made dynamically, leading to efficient utilization of network resources.
4. Security: The LISP control plane offers enhanced security features. By separating the identity and locator, LISP helps protect the privacy of devices, making it harder for attackers to track or target specific devices. Additionally, LISP supports authentication mechanisms, ensuring the integrity and authenticity of the mapping information.
Implementing LISP Control Plane:
Several components are required to implement the LISP control plane, including the mapping system, the encapsulation mechanism, and the LISP routers. The mapping system is responsible for storing and distributing the mapping information, while the encapsulation mechanism ensures the separation of identity and locator. LISP routers play a crucial role in forwarding traffic based on the mapping information received from the control plane.
Real-World Use Cases:
LISP control plane has found applications in various real-world scenarios, including:
1. Data Centers: LISP helps optimize traffic flow within data centers, facilitating efficient load balancing and reducing latency.
2. Internet Service Providers (ISPs): The LISP control plane enables ISPs to enhance their routing infrastructure, improving scalability and mobility support for their customers.
3. Internet of Things (IoT): As the number of connected devices continues to grow, the LISP control plane offers a scalable solution for managing the routing of IoT devices, ensuring seamless connectivity even as devices move.
Control Plane vs Data Plane
The LISP data plane
LISP protocol and the data plane functions.
Client C1 is located in a remote LISP-enabled site and wants to open a TCP connection with D1, a server deployed in a LISP-enabled Data Center. C1 queries through DNS the IP address of D1 and an A/AAAA record is returned. The address returned is the destination Endpoint Identifier ( EID ), and it’s non-routable. EIDs are IP addresses assigned to hosts. Client C1 realizes this is not an address on its local subnet and steers the traffic to its default gateway, a LISP-enabled device. This triggers the LISP control-plane activity.
The LISP control plane is triggered only if the lookup produces no results or if the only available match is a default route. This means that a Map-Request ( from ITR to the Mapping system ) is sent only when the destination is not found.
The ITR receives its EID-to-RLOC mapping from the mapping system and updates its local map-cache, which previously did not contain the mapping. The local map cache can be used for future communications between these endpoints.
The destination EID will be mapped to several RLOC ( Routing Locator ), which will identify the ( Egress Tunnel Router ) ETRs at the remote Data Center site. Each entry has associated priorities and weights with loading balance, influencing inbound traffic towards the RLOC address space. The specific RLOC is selected per-flow based on the 5-tuple hashing of the original client’s IP packet.
Once the controls are in place, the ITR performs LISP encapsulation on the original packets and forwards the LISP encapsulated packet to one ( two or more if load balancing is used ) of the RLOCs of the Data Center ETRs. RLOC prefixes are routable addresses. Destination ETR receives the packet, decapsulates it, and sends it towards the destination EID.
LISP control plane
LISP Control plan
The destination ETRs register their non-routable EIDs to the Map-Server using a Map-Register message. This is done every 60 seconds.If the ITR does not have a local mapping for the remote EID-RLOC mapping, it will send a Map-Request message to the Map-Resolver. Map-Requests should be rate-limited to avoid denial of service attacks.
The Map-Resolver then forwards the request to the authoritative Map-Server. The Map-Resolver and Map-Server could be the same device. The Map resolver could also be an anycast address.
The Map-Server then forwards the request to the last registered ETR. The ETR looks at the destination of the Map-Request and compares it to its configured EID-to-RLOC database. A match triggers the ETR to directly reply to the ITR with a Map-Reply containing the requested mapping information. Map-Replies are sent using the underlying routing system topology. On the other hand, if there is no match, the Map-Request is dropped.
When the ITR receives the Map-Reply containing the mapping information, it will update its local EID-to-RLOC map cache. All subsequent flows will go forward without the integration of the mapping systems.
Summary: LISP Control and Data Plane
LISP, which stands for Locator/Identifier Separation Protocol, is a networking architecture that separates the device’s identity (identifier) from its location (locator). This innovative approach benefits network scalability, mobility, and security. In this blog post, we will dive into the details of the LISP control and data plane and explore how they work together to provide efficient and flexible networking solutions.
Understanding the LISP Control Plane
The control plane in LISP is responsible for managing the mapping between the device’s identifier and locator. It handles the registration process, where a device registers its identifier and locator information with a Map-Server. The control plane also maintains the mapping database, which stores the current mappings. This section will delve into the workings of the LISP control plane and discuss its essential components and protocols.
Exploring the LISP Data Plane
While the control plane handles the mapping information, the data plane in LISP is responsible for the actual forwarding of traffic. It ensures that packets are efficiently routed to their intended destination by leveraging the mappings provided by the control plane. This section will explore the LISP data plane, including its encapsulation mechanisms and how it facilitates seamless communication across different networks.
Benefits of the LISP Control and Data Plane Integration
The true power of LISP lies in the seamless integration of its control and data planes. By separating the identity and location, LISP enables improved scalability and mobility. This section will discuss the advantages of this integration, such as simplified network management, enhanced load balancing, and efficient traffic engineering.
Conclusion:
In conclusion, the LISP control and data plane form a harmonious duo that revolutionizes networking architectures. The control plane efficiently manages the mapping between the identifier and locator, while the data plane ensures optimal packet forwarding. Their integration brings numerous benefits, paving the way for scalable, mobile, and secure networks. Whether you’re an aspiring network engineer or a seasoned professional, understanding the intricacies of the LISP control and data plane is crucial in today’s rapidly evolving networking landscape.
The networking world is constantly evolving, with new technologies emerging to meet the demands of an increasingly connected world. One such technology that has gained significant attention is the LISP protocol. In this blog post, we will delve into the intricacies of the LISP protocol, exploring its purpose, benefits, and how it bridges the gap in modern networking and its use case with VM mobility.
LISP, which stands for Locator/ID Separation Protocol, is a network protocol that separates the identity of a device from its location. Unlike traditional IP addressing schemes, which rely on a tightly coupled relationship between the IP address and the device's physical location, LISP separates these two aspects, allowing for more flexibility and scalability in network design.
LISP, in simple terms, is a network protocol that separates the location of an IP address (Locator) from its identity (Identifier). By doing so, it provides enhanced flexibility, scalability, and security in managing network traffic. LISP accomplishes this by introducing two key components: the Mapping System (MS) and the Tunnel Router (TR). The MS maintains a database of mappings between Locators and Identifiers, while the TR encapsulates packets using these mappings for efficient routing.
VM mobility refers to the seamless movement of virtual machines across physical hosts or data centers. LISP Protocol plays a crucial role in enabling this mobility by decoupling the VM's IP address from its location. When a VM moves to a new host or data center, LISP dynamically updates the mappings in the MS, ensuring uninterrupted connectivity. By leveraging LISP, organizations can achieve live migration of VMs, load balancing, and disaster recovery with minimal disruption.
The combination of LISP Protocol and VM mobility brings forth a plethora of advantages. Firstly, it enhances network scalability by reducing the impact of IP address renumbering. Secondly, it enables efficient load balancing by distributing VMs across different hosts. Thirdly, it simplifies disaster recovery strategies by facilitating VM migration to remote data centers. Lastly, LISP empowers organizations with the flexibility to seamlessly scale their networks to meet growing demands.
While LISP Protocol and VM mobility offer significant benefits, there are a few challenges to consider. These include the need for proper configuration, compatibility with existing network infrastructure, and potential security concerns. However, the networking industry is consistently working towards addressing these challenges and further improving the LISP Protocol for broader adoption and seamless integration.
In conclusion, the combination of LISP Protocol and VM mobility opens up new horizons in network virtualization and mobility. By decoupling the IP address from its physical location, LISP enables organizations to achieve greater flexibility, scalability, and efficiency in managing network traffic. As the networking landscape continues to evolve, embracing LISP Protocol and VM mobility will undoubtedly pave the way for a more dynamic and agile networking infrastructure.
Highlights: LISP Protocol and VM Mobility
How Does LISP Work
Locator Identity Separation Protocol ( LISP ) provides a set of functions that allow Endpoint identifiers ( EID ) to be mapped to an RLOC address space. The mapping between these two endpoints offers the separation of IP addresses into two numbering schemes ( similar to the “who” and the “where” analogy ), offering many traffic engineering and IP mobility benefits for the geographic dispersion of data centers beneficial for VM mobility.
LISP Components
The LISP protocol operates by creating a mapping system that separates the device’s Endpoint Identifier (EID), from its location, the Routing Locator (RLOC). This separation is achieved using a distributed database called the LISP Mapping System (LMS), which maintains the mapping between EIDs and RLOCs. When a packet is sent to a destination EID, it is encapsulated and routed based on the RLOC, allowing for efficient and scalable communication.
Before you proceed, you may find the following posts helpful:
Introduction to the LISP Protocol and what is involved.
Highlighting the details of the LISP traffic flow.
Technical details on LAN extension considerations.
LISP Extended Subnet and Across Subnet.
Back to basics with the Virtual Machine (VM).
Virtualization
Virtualization can be applied to subsystems such as disks and a whole machine. A virtual machine (VM) is implemented by adding a software layer to an actual device to sustain the desired virtual machine’s architecture. In general, a virtual machine can circumvent real compatibility and hardware resource limitations to enable a more elevated degree of software portability and flexibility.
In the dynamic world of modern computing, the ability to seamlessly move virtual machines (VMs) between different physical hosts has become a critical aspect of managing resources and ensuring optimal performance. This blog post explores VM mobility and its significance in today’s rapidly evolving computing landscape.
VM mobility refers to transferring a virtual machine from one physical host to another without disrupting operation. Virtualization technologies such as hypervisors make this capability possible, enabling the abstraction of hardware resources and allowing multiple VMs to coexist on a single physical machine.
LISP and VM Mobility
The Locator/Identifier Separation Protocol (LISP) is an innovative networking architecture that decouples the identity (Identifier) of a device or VM from its location (Locator). By separating the two, LISP provides a scalable and flexible solution for VM mobility.
How LISP Enhances VM Mobility:
1. Improved Scalability:
LISP introduces a level of indirection by assigning Endpoint Identifiers (EIDs) to VMs. These EIDs act as unique identifiers, allowing VMs to retain their identity even when moved to different locations. This enables enterprises to scale their VM deployments without worrying about the limitations imposed by the underlying network infrastructure.
2. Seamless VM Mobility:
LISP simplifies moving VMs by abstracting the location information using Routing Locators (RLOCs). When a VM is migrated, LISP updates the mapping between the EID and RLOC, allowing the VM to maintain uninterrupted connectivity. This eliminates the need for complex network reconfigurations, reducing downtime and improving overall agility.
3. Load Balancing and Disaster Recovery:
LISP enables efficient load balancing and disaster recovery strategies by providing the ability to distribute VMs across multiple physical hosts or data centers. With LISP, VMs can be dynamically moved to optimize resource utilization or to ensure business continuity in the event of a failure. This improves application performance and enhances the overall resilience of the IT infrastructure.
4. Interoperability and Flexibility:
LISP is designed to be interoperable with existing network infrastructure, allowing organizations to gradually adopt the protocol without disrupting their current operations. It integrates seamlessly with IPv4 and IPv6 networks, making it a future-proof solution for VM mobility.
Basic LISP Traffic flow
A device ( S1 ) initiates a connection and wants to communicate with another external device ( D1 ). D1 is located in a remote network. S1 will create a packet with the EID of S1 as the source IP address and the EID of D1 as the destination IP address. As the packets flow to the network’s edge on their way to D1, they are met by an Ingress Tunnel Router ( ITR ).
The ITR maps the destination EID to a destination RLOC and then encapsulates the original packet with an additional header with the source IP address of the ITR RLOC and the destination IP address of the RLOC of an Egress Tunnel Router ( ETR ). The ETR is located on the remote site next to the destination device D1.
The magic is how these mappings are defined, especially regarding VM mobility. There is no routing convergence, and any changes to the mapping systems are unknown to the source and destination hosts. We are offering complete transparency.
LISP Terminology
LISP namespaces:
LSP Name Component
LISP Protocol Description
End-point Identifiers ( EID ) Addresses
The EID is allocated to an end host from an EID-prefix block. The EID associates where a host is located and identifies endpoints. The remote host obtains a destination the same way it obtains a normal destination address today, for example through DNS or SIP. The procedure a host uses to send IP packets does not change. EIDs are not routable.
Route Locator ( RLOC ) Addresses
The RLOC is an address or group of prefixes that map to an Egress Tunnel Router ( ETR ). Reachability within the RLOC space is achieved by traditional routing methods. The RLOC address must be routable.
LISP site devices:
LISP Component
LISP Protocol Description
Ingress Tunnel Router ( ITR )
An ITR is a LISP Site device that sits in a LISP site and receives packets from internal hosts. It in turn encapsulates them to remote LISP sites. To determine where to send the packet the ITR performs an EID-to-RLOC mapping lookup. The ITR should be the first-hop or default router within a site for the source hosts.
Egress Tunnel Router ( ETR )
An ETR is a LISP Site device that receives LISP-encapsulated IP packets from the Internet, decapsulates them, and forwards them to local EIDs at the site. An ETR only accepts an IP packet where the destination address is the “outer” IP header and is one of its own configured RLOCs. The ETR should be the last hop router directly connected to the destination.
LISP infrastructure devices:
LISP Component Name
LISP Protocol Description
Map-Server ( MS )
The map server contains the EID-to-RLOC mappings and the ETRs register their EIDs to the map server. The map-server advertises these, usually as an aggregate into the LISP mapping system.
Map-Resolver ( MR )
When resolving EID-to-RLOC mappings the ITRs send LISP Map-Requests to Map-Resolvers. The Map-Resolver is typically an Anycast address. This improves the mapping lookup performance by choosing the map-resolver that is topologically closest to the requesting ITR.
Proxy ITR ( PITR )
Provides connectivity to non-LISP sites. It acts like an ITR but does so on behalf of non-LISP sites.
Proxy ETR ( PETR )
Acts like an ETR but does so on behalf of LISP sites that want to communicate to destinations at non-LISP sites.
VM Mobility
LISP Host Mobility
LISP VM Mobility ( LISP Host Mobility ) functionality allows any IP address ( End host ) to move from its subnet to either a) a completely different subnet, known as “across subnet,” or b) an extension of its subnet in a different location, known as “extended subnet,” while keeping its original IP address.
When the end host carries its own Layer 3 address to the remote site, and the prefix is the same as the remote site, it is known as an “extended subnet.” Extended subnet mode requires a Layer 2 LAN extension. On the other hand, when the end hosts carry a different network prefix to the remote site, it is known as “across subnets.” When this is the case, a Layer 2 extension is not needed between sites.
LAN extension considerations
LISP does not remove the need for a LAN extension if a VM wants to perform a “hot” migration between two dispersed sites. The LAN extension is deployed to stretch a VLAN/IP subnet between separate locations. LISP complements LAN extensions with efficient move detection methods and ingress traffic engineering.
LISP works with all LAN extensions – whether back-to-back vPC and VSS over dark fiber, VPLS, Overlay Transport Virtualization ( OTV ), or Ethernet over MPLS/IP. LAN extension best practices should still be applied to the data center edges. These include but are not limited to – End-to-end Loop Prevention and STP isolation.
A LISP site with a LAN extension extends a single site across two physical data center sites. This is because the extended subnet functionality of LISP makes two DC sites a single LISP site. On the other hand, when LISP is deployed without a LAN extension, a single LISP site is not extended between two data centers, and we end up having separate LISP sites.
LISP extended subnet
VM mobility: LISP protocol and extended subnets
To avoid asymmetric traffic handling, the LAN extension technology must filter Hot Standby Router Protocol ( HSRP ) HELLO messages across the two data centers. This creates an active-active HSRP setup. HSRP localization optimizes egress traffic flows. LISP optimizes ingress traffic flows.
The default gateway and virtual MAC address must remain consistent in both data centers. This is because the moved VM will continue to send to the same gateway MAC address. This is accomplished by configuring the same HSRP gateway IP address and group in both data centers. When an active-active HSRP domain is used, re-ARP is not needed during mobility events.
The LAN extension technology must have multicast enabled to support the proper operation of LISP. Once a dynamic EID is detected, the multicast group IP addresses send a map-notify message by the xTR to all other xTRs. The multicast messages are delivered leveraging the LAN extension.
LISP across subnet
VM mobility: LISP protocol across Subnets
LISP across subnets requires the mobile VM to access the same gateway IP address, even if they move across subnets. This will prevent egress traffic triangulation back to the original data center. This can be achieved by manually setting the vMAC address associated with the HSRP group to be consistent across sites.
Proxy ARP must be configured under local and remote SVIs to correctly handle new ARP requests generated by the migrated workload. With this deployment, there is no need to deploy a LAN extension to stretch VLAN/IP between sites. This is why it is considered to address “cold” migration scenarios, such as Disaster Recovery ( DR ) or cloud bursting and workload mobility according to demands.
Benefits of LISP:
1. Scalability: By separating the identifier from the location, LISP provides a scalable solution for network design. It allows for hierarchical addressing, reducing the size of the global routing table and enabling efficient routing across large networks.
2. Mobility: LISP’s separation of identity and location mainly benefits mobile devices. As devices move between networks, their EIDs remain constant while the RLOCs are updated dynamically. This enables seamless mobility without disrupting ongoing connections.
3. Multihoming: LISP allows a device to have multiple RLOCs, enabling multihoming capabilities without complex network configurations. This ensures redundancy, load balancing, and improved network reliability.
4. Security: LISP provides enhanced security features, such as cryptographic authentication and integrity checks, to ensure the integrity and authenticity of the mapping information. This helps mitigate potential attacks, such as IP spoofing.
Applications of LISP:
1. Data Center Interconnection: LISP can interconnect geographically dispersed data centers, providing efficient and scalable communication between locations.
2. Internet of Things (IoT): With the exponential growth of IoT devices, LISP offers an efficient solution for managing these devices’ addressing and communication needs, ensuring seamless connectivity in large-scale deployments.
3. Content Delivery Networks (CDNs): LISP can optimize content delivery by allowing CDNs to cache content closer to end-users, reducing latency and improving overall performance.
The LISP protocol is a revolutionary technology that addresses the challenges of scalability, mobility, multi-homing, and security in modern networking. Its separation of identity and location opens up new possibilities for efficient and flexible network design. With its numerous benefits and versatile applications, LISP is poised to play a pivotal role in shaping the future of networking.
Summary: LISP Protocol and VM Mobility
LISP (Locator/ID Separation Protocol) and VM (Virtual Machine) Mobility are two powerful technologies that have revolutionized the world of networking and virtualization. In this blog post, we delved into the intricacies of LISP and VM Mobility, exploring their benefits, use cases, and seamless integration.
Understanding LISP
LISP, a groundbreaking protocol, separates the role of a device’s identity (ID) from its location (Locator). By decoupling these two aspects, LISP enables efficient routing and scalable network architectures. It provides a solution to overcome the limitations of traditional IP-based routing, enabling enhanced mobility and flexibility in network design.
Unraveling VM Mobility
VM Mobility, on the other hand, refers to the ability to seamlessly move virtual machines across different physical hosts or data centers without disrupting their operations. This technology empowers businesses with the flexibility to optimize resource allocation, enhance resilience, and improve disaster recovery capabilities.
The Synergy between LISP and VM Mobility
When LISP and VM Mobility join forces, they create a powerful combination that amplifies the benefits of both technologies. By leveraging LISP’s efficient routing and location independence, VM Mobility becomes even more agile and robust. With LISP, virtual machines can be effortlessly moved between hosts or data centers, maintaining seamless connectivity and preserving the user experience.
Real-World Applications
Integrating LISP and VM Mobility opens up various possibilities across various industries. In the healthcare sector, for instance, virtual machines hosting critical patient data can be migrated between locations without compromising accessibility or security. Similarly, in cloud computing, LISP and VM Mobility enable dynamic resource allocation, load balancing, and efficient disaster recovery strategies.
Conclusion:
In conclusion, combining LISP and VM Mobility ushers a new era of network agility and virtual machine management. Decoupling identity and location through LISP empowers organizations to seamlessly move virtual machines across different hosts or data centers, enhancing flexibility, scalability, and resilience. As technology continues to evolve, LISP and VM Mobility will undoubtedly play a crucial role in shaping the future of networking and virtualization.
LISP, which stands for Locator/ID Separation Protocol, is a groundbreaking networking protocol that has gained significant attention in recent years. In traditional networking, the IP address plays a dual role as both a locator and an identifier. However, LISP introduces a new approach by separating the two, allowing for more efficient and scalable routing. In this blog post, we will delve into the world of LISP and specifically explore the concept of triangular routing.
Triangular routing is a network routing technique that involves sending data packets through a triangular path instead of the traditional direct route. It aims to optimize network performance by avoiding congestion and improving redundancy. By introducing additional paths, triangular routing enhances fault tolerance and load balancing within the network.
Triangular routing is a fundamental concept within LISP that plays a crucial role in its operation. In traditional routing, packets travel from the source to the destination in a direct path. However, LISP introduces a different approach by employing a triangular routing scheme. In this scheme, packets take a detour through a mapping system known as the Mapping System (MS).
The MS acts as an intermediary, allowing the encapsulation and decapsulation of packets as they traverse the LISP-enabled network. This triangular path not only provides flexibility but also enables various LISP functionalities, such as mobility and traffic engineering.
- Enhanced Network Security: By diverting traffic through an intermediate point, triangular routing provides an additional layer of security. It can help prevent direct attacks on network devices and detect potential threats more effectively.
- Load Balancing: Triangular routing allows for better load distribution across different network paths. By intelligently distributing traffic, it helps prevent congestion and ensures a more balanced utilization of network resources.
- Improved Network Performance: Although triangular routing may introduce additional latency due to the longer path, it can actually enhance network performance in certain scenarios. By avoiding congested or unreliable links, it helps maintain a more consistent and reliable connection.
Highlights: Triangular Routing
LISP Overlay
It creates an overlay network in which the core routers forward packets to RLOCs and EIDs. LISP provides a level of indirection for routing and addressing. A natural mobility feature is created as long as the EID assigned to an endpoint remains constant and the RLOCs change. LISP provides essential support for moving EIDs around, one of its many uses. All devices, whether smartphones, virtual machines, provider-to-provider roaming (physical or in the cloud), or IoT devices, are assigned EIDs with changing RLOCs.
Original use cases
Reducing the size of the routing table in the core router
Making multihoming easier to manage while preventing multiconnected sites (multihoming) from adding more routes to the core routing system
Site addresses can be kept connections can be easily moved from one service provider to another and provider-independent addresses are encouraged
Ingress Site Selection
Supporting distributed applications is an essential requirement for business continuity. Different types of applications, be they legacy or nonlegacy, will provide particular challenges for ingress site selection. One of the main challenges designers face is workload virtualization between different geographic locations. Workload virtualization requires location independence for server resources and the ability to move these resources from one geographic area to another. This is where triangular routing comes into play.
The LISP protocol
What is triangular routing? Triangular routing is a method for transmitting packets of data in communications networks. It uses a form of routing that sends a packet to a proxy system before transmission to the intended destination. The LISP Protocol used as an Internet locator can be used as a proxy.
Introducing LISP
LISP, short for Locator/Identifier Separation Protocol, is a protocol designed to separate IP addresses’ location and identification functions. It provides a scalable and flexible solution to handle IP mobility, multi-homing, and traffic engineering. LISP achieves this by introducing two new address types: Endpoint Identifiers (EIDs) and Routing Locators (RLOCs).
Implementing Triangular Routing with LISP
Now, let’s explore how LISP enables the implementation of triangular routing. By leveraging its capabilities, LISP allows for the creation of multiple paths between the source and destination. This is achieved through LISP mapping systems, which provide the necessary mapping information to enable triangular routing decisions.
Benefits of Triangular Routing with LISP
Triangular routing with LISP offers several advantages in modern network architectures. First, it enhances network resilience by providing alternate paths for data transmission. This improves fault tolerance and reduces the chances of single points of failure. Second, it allows for efficient load balancing, as traffic can be intelligently distributed across multiple paths.
Considerations and Challenges
While triangular routing with LISP brings numerous benefits, certain factors must be considered. One key consideration is the increased complexity of network configuration and management. Proper planning and expertise are required to ensure a smooth implementation. Potential issues such as suboptimal routing and increased latency should also be carefully evaluated.
Related: Before you proceed, you may find the following posts helpful for pre-information:
Introduction to triangular routing and what is involved.
Highlighting the details of the LISP traffic flow.
Technical details on Ingress and Egress traffic flows.
Scenario with a DC extension use case.
LISP Host mobility solution.
Virtualized Workload Mobility
Virtualized Workload Mobility allows live migration between “Twin” data centers and presents several challenges. Firstly, it brings the challenge of route optimization once the workload has moved to the new location. When virtual machines are migrated between data centers, the traffic flow for client-server may become suboptimal, leading to application performance degradation.
How do existing and new connections get directed to the new location? Traditional methods, such as Route Health Injection ( RHI ) and DNS, are available but don’t suit all requirements. They can place unnecessary workloads over the data center interconnect link ( DCI ), creating a triangular routing effect discussed below.
Back to Basics: Triangular Routing
With traditional IP routing, an IP address has two functions:
Identity: To identify the device.
Location: We use the device’s location in the network for routing.
LISP separates these two functions of an IP address into two separate tasks:
Endpoint Identifier (EID): Assigned to hosts like computers, laptops, printers, etc.
Routing Locators (RLOC): Assigned to routers. We use the RLOC address to reach EIDs.
Cisco created LISP. Originally, it was designed for the Internet, but nowadays, it is also used in other environments, such as data centers, IoT, WAN, and the campus (Cisco SD-Access).
IP Routing.
A router’s primary function is to move an IP packet from one network to a different network. Routers try to select the best loop-free path in a network that forwards a packet to its destination IP address. A router understands nonattached networks through static configuration or dynamic IP routing protocols. So, we have two routing protocols, static and dynamic.
Dynamic IP routing protocols distribute network topology information between routers and provide updates without intervention when a topology change occurs. On the other hand, IP routing with static routes only accommodates topology changes well and can burden network engineers depending on the network size.
Diagram: IP routing example. The source is Study CCNA.
A network routing technique
So, what is triangular routing? Triangular routing is a network routing technique that involves sending traffic through three or more points on the network. It is often used to increase the network’s reliability, security, or performance by reducing the load on any single point. In triangular routing, the data is sent from the source node to a middle node and then to the destination node. Depending on the network configuration, the central node may be a router, switch, or hub.
LISP is a map and encapsulation protocol. There are three essential environments in a LISP environment:
LISP sites: This is the EID namespace where EIDs are.
Non-LISP sites: This is the RLOC namespace where we find RLOCs. For example, the Internet.
LISP mapping service: This infrastructure takes care of EID-to-RLOC mappings.
Avoid congestion
Triangular routing is a common technique on the Internet. It is used to avoid congestion and increase reliability. When a connection is established between two nodes, the traffic is sent from the source to the middle node via a shorter route. If the connection between the central node and the destination node is interrupted, the data can be re-routed through another node. This ensures the data is delivered to the destination without interruption.
Triangular routing is also used in private networks, such as corporate networks. It reduces the load on a single point, reduces latency, and increases the network’s security. In addition, each node in the triangular routing is configured with different routing protocols, making it difficult for intruders to penetrate the network.
Triangular routing is a reliable and secure technique for improving network performance. Routing data through multiple points on the network can avoid congestion and increase reliability. The following figure shows an example of triangular routing.
Hair-pinning & Triangular routing – Ingress and Egress traffic flows.
The external client queries its configured DNS server. The Global Load Balancing ( GLB ) device receives the request, which is authoritative for the queried domain. The GLB responds with the VIP_1 address of the local Load Balancer ( LLB ) in DC1. The VIP_1 represents the application in DC1.
Traffic gets directed toward the active LLB in DC1.
The LLB performs a source-NAT translation. Source-NAT changes the source IP address to the LLB’s internal IP address. This enables return traffic to be routed through the correct Load balancer, which is necessary to retain existing established sessions.
The Virtual Machine ( VM ) receives the packet and replies with the destination address of the Local Load Balancer ( due to Source-NAT ).
The LLB performs reverse translation and returns the packet to the external client.
Let’s assume that DC1 is overutilized and the network administrator wants to move the VM from DC1 to DC2. This move will be a hot move, a “live migration,” so all established sessions must remain intact. This is mainly because of the presence of stateful devices and the fact that we are not stretching the state of these stateful devices between the two data centers.
There is also a requirement for a LAN extension, such as OTV or vPC, between the two data centers. The LAN extension stretches VLANs and the layer 2 traffic between the two data centers.
The client-server flows are still directed to VIP_1 from the global load balancers, as there have been no changes to site selection for existing connections. We are traversing the same stateful device as in the earlier example.
The local load balancer performs Source-NAT and changes the source IP address to its inside address.
The packet can reach the moved VM by leveraging the L2 LAN extension between both DCs.
Any existing or new sessions using DC1’s VIP_1 will follow the suboptimal path through DC1 to reach DC2.
You hope there will be immediate changes to DNS and any new sessions ingress to DC2. This would follow the optimum path to the VIP_2, and egress traffic would follow the local gateway in DC2.
Triangular routing: The challenge
The main problem with this approach is that it works for only name-based connections, and previously established connections are hairpinned. The hair-pinning effect implies that there have been active connections to the VIP_1 ( old address ) and some new connections to the VIP_2 in the second data center for some time. Hair-pinning can put an additional load on the DCI and create a triangular routing effect.
The Solution?Locator Identity Separation Protocol ( LISP )
A new routing architecture called the Locator Identity Separation Protocol ( LISP ) was developed to overcome the challenges of workload mobility and triangular routing that were previously discussed. LISP overcomes the problems faced with route optimization when workloads migrate. It creates a new paradigm by splitting the device identity, an Endpoint Identifier ( EID ), and its location, known as its Routing Locator ( RLOC ), into two different numbering spaces.
This means we have a separate protocol representing where and who you are. The existing number scheme based on IP does not offer this flexibility, and both roles ( who and where ) are represented by one address.
LISP Control plane
Additional information on the LISP protocol
RFC 6830 describes LISP as an Internet Protocol routing and addressing architecture. The LISP routing architecture addresses scalability, multihoming, inter-site traffic engineering, and mobility.
Internet addresses today combine location (how a device is connected to the network) and identity semantics into a single 32-bit or 128-bit number. In LISP, the location is separated from the identity. LISP allows you to change your location in a network (your network layer locator), but your identity remains the same (your network layer identifier).
A LISP separates the identifiers of end users from the routing locators used to reach them. The LISP routing architecture design separates device identity – endpoint identification (EID) – from its location – routing locator (RLOC). To further understand how LISP does the locator/ID separation, it is essential to first learn about the architectural components of LISP. The following are some of the functions or features that form the LISP architecture:
LISP Host Mobility provides an automated solution that enables IP endpoints, such as Virtual Machines ( VM ), to change location while keeping their assigned IP address. As a result, the LISP detection and mapping system guarantees optimal routing between clients and the IP endpoints that moved. The critical point to note is that it’s an automated system.
Once the VM moves to the new location, there is no need to change DNS. The LISP control plane does not make any changes to DNS and does not require agents to be installed on the clients. It’s completely transparent.
LISP VM-mobility provides a transparent solution to end hosts and guarantees optimal path routing to the moving endpoints. It decouples the identity from the topology but creates two separate namespaces, RLOC and EID. The RLOCs remain associated with the topology and are reachable via traditional routing methods. The EID, which describes the end host, can dynamically change location and associate with different RLOCs. This allows the End-point Identifier space to be mobile without impacting the routing interconnecting the locator’s IP space.
LISP VM-Mobility solution:
VM migrations are automatically detected by the LISP Tunnel Router ( xTR ). This is accomplished by comparing the source in the IP header of traffic received from the hosts against a range of configured prefixes allowed to roam.
No changes are required to DNS or to install any agents. Transparent to end-users.
Once the move is detected, the mappings between EIDs and RLOCs are updated by the new xTR.
Updating the RLOC-to-EID mappings allows traffic to be redirected to the new locations without causing any updates or churn in the underlying routing. It is transparent to the core.
Additional information
Load Balancing:
By distributing data packets across multiple paths, triangular routing helps balance the network load. This ensures that no single path becomes overwhelmed with traffic, preventing congestion and optimizing network performance. Load balancing improves network efficiency and minimizes latency, resulting in faster data transmission.
Fault Tolerance:
One critical advantage of triangular routing is its fault tolerance capabilities. In the event of a link failure or network congestion on one path, the other two paths can still carry the data packets to their destination. This redundancy ensures that the network remains operational despite adverse conditions, reducing the risk of data loss and maintaining uninterrupted connectivity.
Benefits of Triangular Routing:
1. Improved Network Performance: Triangular routing enhances network performance by distributing traffic across multiple paths, reducing congestion, and minimizing latency.
2. Enhanced Reliability: With fault tolerance capabilities, triangular routing ensures uninterrupted connectivity, even in the face of link failures or network congestion.
3. Scalability: Triangular routing provides a scalable solution for network optimization. As the network expands, additional paths can be added to accommodate the increased traffic, ensuring efficient data transmission.
4. Cost-Efficiency: By optimizing network performance, triangular routing helps reduce operational costs associated with network maintenance and upgrades.
Summary: Triangular Routing
The LISP (Locator/ID Separation Protocol) has revolutionized network architecture, providing efficient solutions for routing and scalability. One intriguing aspect of LISP is triangular routing, a crucial mechanism in optimizing traffic flow. In this blog post, we explored the intricacies of triangular routing within the LISP protocol, exploring its significance and functionality.
Section 1: Understanding LISP Protocol
Before diving into triangular routing, it is essential to grasp the fundamentals of the LISP protocol. LISP is designed to separate the identifier (ID) and the locator (LOC) within IP addresses. By doing so, it enables efficient routing and mobility management. This separation allows for enhanced scalability and flexibility in handling network traffic.
Section 2: Unveiling the Concept of Triangular Routing
Triangular routing is a crucial mechanism employed by LISP to optimize traffic flows. It involves the establishment of a direct tunnel between the source and destination devices, bypassing traditional routing paths. This tunnel ensures that packets take the shortest path possible, improving performance and reducing latency.
Section 3: The Benefits of Triangular Routing
Triangular routing offers several advantages within the LISP protocol. Firstly, it eliminates unnecessary detours by establishing a direct tunnel, thus reducing packet travel time. Secondly, it enhances network security by obscuring the devices’ location, making it challenging for potential attackers to pinpoint them. Lastly, triangular routing promotes load balancing by dynamically selecting the most efficient path for traffic flow.
Section 4: Challenges and Considerations
While triangular routing brings notable benefits, it also presents challenges that must be addressed. One key consideration is the potential for suboptimal routing in specific scenarios. Careful planning and configuration are required to ensure that triangular routing is properly implemented and does not interfere with network performance. Additionally, network administrators must be aware of the potential impact on troubleshooting and monitoring tools, as triangular routing may introduce complexities in these areas.
Conclusion:
Triangular routing plays a significant role within the LISP protocol, offering enhanced performance, security, and load-balancing capabilities. Establishing direct tunnels between devices enables efficient traffic flow and minimizes latency. However, it is essential to consider the challenges and potential trade-offs associated with triangular routing. With careful planning and configuration, network administrators can harness its benefits and optimize network performance within the LISP protocol.
In today's interconnected world, data centers play a crucial role in ensuring the smooth functioning of the internet. Behind the scenes, intricate routing mechanisms are in place to efficiently transfer data between different locations. In this blog post, we will delve into the fascinating world of data center routing locations and discover how they contribute to the seamless browsing experience we enjoy daily.
Data centers are the backbone of our digital infrastructure, housing vast amounts of data and serving as hubs for internet traffic. One crucial aspect of data center operations is routing, which determines the path that data takes from its source to the intended destination. Understanding the fundamentals of data center routing is essential to grasp the significance of routing locations.
When it comes to selecting routing locations for data centers, several factors come into play. Proximity to major internet exchange points, network latency considerations, and redundancy requirements all influence the decision-making process. We will explore these factors in detail and shed light on the complex considerations involved in determining optimal routing locations.
Data center routing locations are strategically distributed across the globe to ensure efficient data transfer and minimize latency. We will take a virtual trip around the world, uncovering key regions where routing locations are concentrated. From the bustling connectivity hubs of North America and Europe to emerging markets in Asia and South America, we'll explore the diverse geography of data center routing.
Content Delivery Networks (CDNs) play a vital role in optimizing the delivery of web content by caching and distributing it across multiple data centers. CDNs strategically position their servers in various routing locations to minimize latency and ensure rapid content delivery to end-users. We will examine the symbiotic relationship between data center routing and CDNs, highlighting their collaborative efforts to enhance web browsing experiences.
Highlights: Data Center Site Section
Routing IP addresses: The Process
Routers must make packet-forwarding decisions independently of each other in IP routing. Therefore, IP routers are only concerned with finding the next hop to a packet’s final destination. The IP routing protocol is myopic in this sense. IP’s myopia allows it to route around failures easily, but it is also a weakness. In most cases, the packet will be routed to its destination via another router unless the router is on the same subnet (more on this later).
In the routing table, a router looks up a packet’s destination IP address to determine the next hop. A packet is then forwarded to the network interface returned by this lookup by the router.
RIB and the FIB
All the different pieces of information learned from all the other methods (connected, static, and routing protocols) are stored in the RIB. A software component called the RIB manager selects all these different methods. Every routing protocol has a unique number called the distance2. If more than one protocol has the same prefix, the RIB manager picks the protocol with the lowest distance. The shortest distance is found on connected routes. Routes obtained via a routing protocol have a greater distance than static routes.
Routing to a data center
Let us address how users get routed to a data center. Well, there are several data center site selection criteria or even data center site selection checklists that you can follow to make sure your users follow the most optimal path and limit sub-optimal routing. Distributed workloads with multi-site architecture open up several questions regarding the methods for site selection, path optimization for ingress/egress flows, and data replication (synchronous/asynchronous) for storage.
Distributing the load
Furthermore, once the content is distributed to multiple data centers, you need to manage the request for the distributed content and the load by routing users’ requests to the appropriate data center. Routing in the data center is known as content routing. Content routing takes a user’s request and sends it to the relevant data center.
Before you proceed, you may find the following post helpful:
Introduction to data center site selection and what is involved.
Highlighting the details of data center site selection criteria.
Technical details on load distribution and recovery.
Scenario: HTTP redirection and RHI.
BGP configurations for site selection.
Back to basic with Data Center Interconnect (DCI)
Data Center Interconnect
Before we get started on your journey with a data center site selection checklist, it may be helpful to know how data centers interconnect. Data Center Interconnect (DCI) solutions have been known for quite some time; they are mainly used to help geographically separated data centers.
Layer 2 extensions might be required at different layers in the data center to enable the resiliency and clustering mechanisms offered by the other applications. For example, Cisco’s OTV can be used as a DCI solution.
OTV provides Layer 2 extension between remote data centers using MAC address routing. A control plane protocol exchanges MAC address reachability information between network devices, providing the LAN extension functionality. This has a tremendous advantage over traditional data center interconnect solutions, which generally depend on data plane learning and flooding across the transport to learn reachability information.
Data Center Site Selection Criteria
Proximity-based site selection
Different data center site selection criteria can route users to the most optimum data centers. For example, proximity-based site selection involves selecting a geographically closer data center, which generally improves response time. Additionally, you can route requests based on the data center’s load or application availability.
Things become interesting when workloads want to move across geographically dispersed data centers while maintaining active connections to front-end users and backed systems. All these elements put increasing pressure on the data center interconnect ( DCI ) and the technology used to support workload mobility.
Data Center Site Selection
Multi-site load distribution & site-to-site recovery
Data center site selection can be used for site-to-site recovery and multi-site load distribution. Multi-site load distribution requires a mechanism that enables the same application to be accessed by both data centers, i.e., an active/active setup.
For site-to-site load balancing, you must use an active/active scenario ( also known as hot standby ) in which both data centers host the same active application. Logically active / standby means that some applications will be active on one site while others will be on standby at the other sites.
Data Center Site Selection. Dual Data Centers.
Data center site selection is vital, and determining which data center to target your request can be based on several factors, such as proximity and load. Different applications will prefer different site selection mechanisms. For example, video streaming will choose the closest data center ( proximity selection ). Other types of applications would prefer data centers that are least loaded, and others work efficiently with the standard round-robin metric. The three traditional methods for data center site selection criteria are Ingress site selection DNS-based, HTTP redirection, and Route Health Injection.
Data Center Site Selection Checklist
Hypertext Transfer Protocol ( HTTP ) redirection
Applications can have built-in HTTP redirection in their browsers. This enables them to communicate with a secondary server if the primary server is not available. When redirection is required, the server will send an HTTP Redirect ( 307 ) to the client and send the client to the correct site with the required content. One advantage of this mechanism is that you have visibility into the requested content, but as you have probably already guessed, it only works with HTTP traffic.
Diagram: HTTP redirect.
DNS-based request routing
DNS-based request routing, or DNS load balancing, distributes incoming network traffic across multiple servers or locations based on the DNS responses. Traditionally, DNS has been primarily used to translate human-readable domain names into IP addresses. However, DNS-based request routing can now be vital in optimizing network traffic flow.
How does it work?
When a user initiates a request to access a website or application, their device sends a DNS query to a DNS resolver. Instead of providing a single IP address in response, the DNS resolver returns a list of IP addresses associated with the requested domain. Each IP address corresponds to a different server or location that can handle the request.
The control point for geographic load distribution in DNS-based request routing resides within DNS. DNS-based request routing uses DNS for both site-to-site recovery and multi-site load distribution. A DNS request, either recursive or iterative, is accepted by the client and directed to a data center based on configurable parameters. This provides the ability to distribute the load among multiple data centers with an active/active design based on criteria such as least loaded, proximity, round-robin, and round-trip time ( RTT ).
The support for legacy applications
DNS-based request routing becomes challenging if you have to support legacy applications without DNS name resolution. These applications have hard-coded IP addresses used to communicate with other servers. When there is a combination of legacy and non-legacy applications, the solution might be to use DNS-based request routing and IGP/BGP.
Another caveat for this approach is that the refresh rate for the DNS cache may impact the convergence time. Once a VM moves to the secondary site, there will also be increased traffic flow on the data center interconnect link—previously established connections are hairpinned.
Route Health Injection ( RHI )
Route Health Injection (RHI) is a method for improving network resilience by dynamically injecting alternative routes. It involves monitoring network devices and routing protocols to identify potential failures or performance degradation. By preemptively injecting alternative routes, RHI enables networks to reroute traffic and maintain optimal connectivity quickly.
How does Route Health Injection work?
Route Health Injection operates by continuously monitoring the health of network devices and analyzing routing protocol information. It leverages various metrics such as latency, packet loss, and link utilization to assess the overall health of network paths. When a potential issue is detected, RHI dynamically injects alternative routes to bypass the affected network segment, allowing traffic to flow seamlessly.
RHI is implemented in front of the application and, depending on its implementation allows the same address or a different address to be advertised. It’s a route injected by a local load balancer that influences the ingress traffic path. RHI injects a static route when the VIP ( Virtual IP address ) becomes available and withdraws the static route when the VIP is no longer active. The VIP is used to represent an application.
A key point: Data center active-active scenario
Route Health Injection can be used for an active/active scenario as both data centers can use the same VIP to represent the server cluster for each application. RHI can create a lot of churns as routes are constantly being added and removed. If the number of supported applications grows, the network’s number of network host routes grows linearly. The decision to use RHI should come down to the scale and size of the data center’s application footprint.
RHI is commonly used on Intranets as the propagation of more specifics is not permitted on the Default Free Zone ( DFZ ). Specific requirements require RHI to be used with BGP/IGP for external-facing clients. Due to the drawbacks of DNS caching, RHI is often preferred over DNS solutions for Internet-facing applications.
A quick point: Ansible Automation
Ansible could be a good automation tool for bringing automation into the data center. Ansible can come from Ansible CLI, with Ansible Core, or a platform approach with Ansible Tower. Can these automation tools assist in our data center operations? Ansible variables can be used to remove site-specific information to make your playbooks more flexible.
For data center configuration or simply checking routing tables, you can have a single playbook that uses Ansible variables to perform operations on both data centers. I use this to check the routing tables of each data center. Once playbook using Ansible variables against one inventory for all my data centers. This can quickly help you when troubleshooting data center site selection.
BGP AS prepending
This can be used for active / standby site selection, not a multi-load distribution method. BGP uses the best path algorithm to determine the best Path to a specific destination. One of those steps that all router manufacturers widely use is AS Path—the lower the number of ASs in the path list, the better the route.
Specific routes are advertised from both data centers, with additional AS Paths added to the secondary site’s routes. When BGP goes through its site selection processes, it will choose the Path with the least AS Paths, i.e., the primary site without AS Prepending.
Lab Guide: Configuring BGP AS Prepending
AS Path prepending is a simple yet powerful technique for manipulating BGP route selection. By adding additional AS numbers to the AS Path attribute, network administrators can influence the inbound traffic flow to their network. Essentially, the longer the AS Path, the less attractive the route appears to neighboring ASes, leading to traffic routed through alternate paths.
AS Path prepending offers several benefits for network administrators. Firstly, it provides a cost-effective way to balance inbound traffic across multiple links, thereby preventing congestion on a single path. Secondly, it enhances network resilience by providing redundancy and alternate paths in case of link failures. Lastly, AS Path prepending can be used strategically to optimize outbound traffic flow and improve network performance.
In my example, AS 1 wants to ensure traffic enters the autonomous system through R2. We can add our autonomous system number multiple times, so the as-path becomes longer. Since BGP prefers a shorter AS path, we can influence our routing. This is called AS path pretending. Below, the default behavior is shown without pretending to be configured.
First, create a route map and use set as-path prepend to add your own AS number multiple times. Don’t forget to add the route map to your BGP neighbor configuration. It should be outbound since you are sending this to your remote neighbor! Let’s check the BGP table! Now we see that 192.168.23.3 is our next-hop IP address. The AS Path for the second entry has also become longer. That’s it!
BGP conditional advertisements
BGP Conditional Advertisements are helpful when you are concerned that some manufacturers may have AS Path explicitly removed. A condition must be met with conditional route advertisement before an advertisement occurs. The routers on the secondary site monitor a set of prefixes located on the first site, and when those prefixes are not reachable at the first site, the secondary sites begin to advertise.
Its configuration is based on community”no-export” and iBGP between the sites. If routes were redistributed between BGP > IGP and advertised to the IBGP peer, the secondary site would advertise those routes, defeating the purpose of a conditional advertisement.
How do users get routed to a data center?
The RHI method used internally or externally with BGP is proper when using IP as the site selection method. For example, this may be the case when you have hard-coded IP addresses in the application used primarily with legacy applications or are concerned about DNS caching issues. Site selection based on RHI and BGP requires no changes to DNS.
However, its main drawback is that it cannot be used for active/active data centers and is primarily positioned as an active / standby method. This is because there is only ever one routing table entry in the routing table.
Additionally, for the final data center site selection checklist. There are designs where you can use IP Anycast in conjunction with BGP, IGP, and RHI to achieve an active/active scenario, and I will discuss this later. With this setup, there is no need for BGP conditional route advertisement or AS Path prepending.
In today's digitally connected world, the ability to locate and navigate through various online platforms has become an essential skill. With the advent of Internet Locator, individuals and businesses can now effortlessly explore the vast online landscape. In this blog post, we will delve into the concept of Internet Locator, its significance, and how it has revolutionized how we navigate the digital realm.
Routing table growth: There has been exponential growth in Internet usage, and the scalability of today's Internet routing system is now a concern. With more people surfing the web than ever, the underlying technology must be able to cope with demand.
Whereas in the past, getting an internet connection via some internet locator service could sometimes be expensive, nowadays, thanks to bundles that include telephone connections and streaming services, connecting to the web has never been more affordable. It is also important to note that routing table growth has a significant drive driving a need to reexamine internet connectivity.
Limitation in technologies: This has been met with the limitations and constraints of router technology and current Internet addressing architectures. If we look at the core Internet protocols that comprise the Internet, we have not experienced any significant change in over a decade.
The physical-layer mechanisms that underlie the Internet have radical changed, but only a small number of tweaks have been made to BGP and its transport protocol, TCP. Mechanisms such as MPLS were introduced to provide a workaround to IP limitations within the ISP. Still, Layer 3 or 4 has had no substantial change for over a decade.
Highlights: Internet Locator
Path Selection
In the Forwarding Information Base (FIB), prefix length determines the path a packet should take. Routing information bases (RIBs), or routing tables, program the FIB. Routing protocol processes present routes to the RIB. Three components are involved in path selection:
In the subnet mask, the prefix length represents the number of leading binary bits in the on position.
An administrative distance rating (AD) indicates how trustworthy a routing information source is. It compares the AD if a router learns about a route to a destination from multiple routing protocols.
Routing protocols use metrics to calculate the best paths. Metrics vary from routing protocol to routing protocol.
Prefix Length
Here’s an example of how a router selects a route when the packet destination falls within the range of multiple routes. Consider a router with the following routes, each with a different prefix length:
10.0.3.0/28
10.0.3.0/26
10.0.3.0/24
There are a variety of prefix lengths (subnet masks) for these routes, also known as prefix routes. RIBs, also known as routing tables, contain all of the routes which are considered different destinations. Unless the prefix is connected to a network, the routing table includes the outgoing interface and the next-hop IP address.
Related: Before you proceed, you may find the following posts helpful:
Introduction to Internet Locator and what is involved.
Highlighting the details of the default-free zone.
Technical details on the LISP protocol and how this may help.
Scenario: BGP in the DFZ.
A final note on security.
Back to basics with the Internet
The Internet is often represented as a cloud. However, this needs to be clarified as there are few direct connections over the Internet. The Internet is also a partially distributed network. The Internet is decentralized, with many centers or nodes and direct or indirect links. There are also different types of networks out there on the Internet. For example, we have a centralized, decentralized, and distributed network.
The Internet is a conglomeration of independent systems representing organizations’ administrative authority and routing policies. Autonomous systems are made up of Layer 3 routers that run Interior Gateway Protocols (IGPs) such as Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) within their borders and interconnect via an Exterior Gateway Protocol (EGP). The current Internet de facto standard EGP is the Border Gateway Protocol Version 4 (BGP-4), defined in RFC 1771.
1st Lab guide on BGP
In the following, we see a simple BGP design. BGP operated over TCP, more specifically, TCP port 179. BGP peers are created and can be iBGP or EBGP. In the screenshots below, we have an iBGP design. Remember that BGP is a Path Vector Protocol and utilizes a path vector protocol, which considers various factors while making routing decisions. These factors include the number of network hops, network policies, and path attributes such as AS path, next-hop, and origin.
Diagram: Port 179 with BGP peerings.
1. Path Vector Protocol: BGP utilizes a path vector protocol, which considers various factors while making routing decisions. These factors include the number of network hops, network policies, and path attributes such as AS path, next-hop, and origin.
Internet Locator: Default Free Zone ( DFZ )
The first large-scale packet-switching network was ARPAnet- the modern Internet’s predecessor. It used a simplex protocol called Network Control Program ( NCP ). NCP combined addressing and transport into a single protocol. Many applications were built on top of NCP, which was very successful. However, it lacked flexibility. As a result, reliability was separated from addressing and packet transfer in the design of the Internet Protocol Suite, with IP being separated from TCP.
On the 1st of January 1983, ARPAnet officially rendered NCP and moved to a more flexible and powerful protocol suite – TCP/IP. The transition from NCP to TCP/IP was known as “flag day,” It was quickly done with only 400 nodes to recompute.
Today, a similar flag day is impossible due to the sheer size and scale of the Internet backbone. The requirement to change anything on the Internet is driven by necessity, and it’s usually slow to change such a vast network. For example, inserting an additional header into the protocol would impact IP fragmentation processing and congestion mechanism. Changing the semantics of IP addressing is problematic as the IP address has been used as an identifier to higher-level protocols and encoded in the application.
Diagram: Default Free Zone. The source is TypePad.
The driving forces of the DFZ
Many factors are driving the growth of the Default Free Zone ( DFZ ). These mainly include multi-homing, traffic engineering, and policy routing. The Internet Architecture Board ( IAB ) met on October 18-19th, 2006, and their key finding was that they needed to devise a scalable routing and addressing system. Such an addressing system must meet the current challenges of multi-homing and traffic engineering requirements.
Internet Locator: Locator/ID Separation Protocol ( LISP )
There has been some progress with the Locator/ID separation protocol ( LISP ) development. LISP is a routing architecture that redesigns the current addressing architecture. Traditional addressing architecture uses a single name, the IP address, to express two functions of a device.
The first function is its identity, i.e., who, and the second function is its location, i.e., where. LISP separates IP addresses into two namespaces: Endpoint Identifiers ( EIDs ), non-routable addresses assigned to hosts, and Routing Locators ( RLOCs), routable addresses assigned to routers that make up the global routing system.
Internet locator with LISP
Separating these functions offers numerous benefits within a single protocol, one of which attempts to address the scalability of the Default Free Zone. In addition, LISP is a network-based implementation with most of the deployment at the network edges. As a result, LISP integrates well into the current network infrastructure and requires no changes to the end host stack.
2nd Lab guide on LISP.
In the following guide, we will look at a LISP network. These LISP protocol components include the following:
Map Registration and Map Notify.
Map Request and Map-Reply.
LISP Protocol Data Path.
Proxy ETR.
Proxy ITR.
LISP implements the use of two namespaces instead of a single IP address:
Endpoint identifiers (EIDs)—assigned to end hosts.
Routing locators (RLOCs) are assigned to devices (primarily routers) that comprise the global routing system.
Splitting EID and RLOC functions yields several advantages, including improved routing system scalability, multihoming efficiency, and ingress traffic engineering. With the command: show lisp site summary, site 1 consists of R1 and site 2 consists of R2. Each of these sites advertises its own EID-prefix. On R1, the tunnel router, we see the routing locator address 10.0.1.2. The RLOCs ( routing locators ) are interfaces on the tunnel routers.
Border Gateway Protocol (BGP) role in the DFZ
Border Gateway Protocol, or BGP, is an exterior gateway protocol that allows different autonomous systems (AS) to exchange routing information. It is designed to enable efficient communication between different networks and facilitate data exchange and traffic across the Internet.
Exchanging NLRI
BGP is the protocol used to exchange NLRI between devices on the Internet and is the most critical piece of Internet architecture. It is used to interconnect Autonomous systems on the Internet, and it holds the entire network together. Routes are exchanged between BGP speakers with UPDATE messages. The BGP routing table ( RIB ) now stands at over 520,000 routes.
Although some of this growth is organic, a large proportion is driven by prefix de-aggregation. Prefix de-aggregation leads to increased BGP UPDATE messages injected into the DFZ. UPDATE messages require protocol activity between routing nodes, which requires additional processing to maintain the state for the longer prefixes.
Excess churn exposes the network’s core to the edges’ dynamic nature. This detrimental impacts routing convergence since UPDATES need to be recomputed and downloaded from the RIB to the FIB. As a result, it is commonly viewed that the Internet is never fully converged.
Security in the DFZ
Security is probably the most significant Internet problem; no magic bullet exists. Instead, an arms race is underway as techniques used by attackers and defenders co-evolve. This is because the Internet was designed to move packets from A to B as fast as possible, irrespective of whether B wants any of those packets.
In 1997, a misconfigured AS7007 router flooded the entire Internet with /24 BGP routes. As a result, routing was globally disrupted for more than 1 hour as the more specific prefixes took precedence over the aggregated routes. In addition, more specific routes advertised from AS7007 to AS1239 attracted traffic from all over the Internet into AS1239, saturating its links and causing router crashes.
There are automatic measures to combat prefix hijacking, but they are not widely used or compulsory. The essence of BGP design allows you to advertise whatever NLRI you want, and it’s up to the connecting service provider to have the appropriate filtering in place.
Drawbacks to BGP
BGP’s main drawback concerning security is that it does not hide policy information, and by default, it doesn’t validate the source. However, as BGPv4 runs over TCP, it is not as insecure as many think. A remote intrusion into BGP would require guessing the correct TCP numbers to insert data, and most TCP/IP stacks have hard-to-predict TCP sequence numbers. To compromise BGP routing, a standard method is to insert a rogue router that must be explicitly configured in the target’s BGP configuration as a neighbor statement.
Significance of BGP:
1. Inter-Domain Routing: BGP is primarily used for inter-domain routing, enabling different networks to communicate and exchange traffic across the internet. It ensures that data packets reach their intended destinations efficiently, regardless of the AS they belong to.
2. Internet Service Provider (ISP) Connectivity: BGP is crucial for ISPs as it allows them to connect their networks with other ISPs. This connectivity enables end-users to access various online services, websites, and content hosted on different networks, regardless of geographical location.
3. Redundancy and Load Balancing: BGP’s dynamic routing capabilities enable network administrators to create redundant paths and distribute traffic across multiple links. This redundancy enhances network resilience and ensures uninterrupted connectivity even during link failures.
4. Internet Traffic Engineering: BGP plays a vital role in Internet traffic engineering, allowing organizations to optimize network traffic flow. By manipulating BGP attributes and policies, network administrators can influence the path selection process and direct traffic through preferred routes.
In the world of networking, there is a hidden gem that has been revolutionizing the way we connect and communicate. Network overlays, the mystical layer that enhances our networks, are here to unlock new possibilities and transform the way we experience connectivity. In this blog post, we will delve into the enchanting world of network overlays, exploring their benefits, functionality, and potential applications.
Network overlays, at their core, are virtual networks created on top of physical networks. They act as an additional layer, abstracting the underlying infrastructure and providing a flexible and scalable network environment. By decoupling the logical and physical aspects of networking, overlays enable simplified management, efficient resource utilization, and dynamic adaptation to changing requirements.
One of the key elements that make network overlays so powerful is their ability to encapsulate and transport network traffic. By encapsulating data packets within packets of a different protocol, overlays create virtual tunnels that can traverse different networks, regardless of their underlying infrastructure. This magic enables seamless communication between geographically dispersed devices and networks, bringing about a new level of connectivity.
The versatility of network overlays opens up a world of possibilities. From enhancing security through encrypted tunnels to enabling network virtualization and multi-tenancy, overlays empower organizations to build complex and dynamic network architectures. They facilitate the deployment of services, applications, and virtual machines across different environments, allowing for efficient resource utilization and improved scalability.
Network overlays have found their place in various domains. In data centers, overlays enable the creation of virtual networks for different tenants, isolating their traffic and providing enhanced security. In cloud computing, overlays play a crucial role in enabling seamless communication between different cloud providers and environments. Additionally, overlays have been leveraged in Software-Defined Networking (SDN) to enable network programmability and agility.
Highlights: Network Overlays
Overlay Networking
Logical networks
Overlay networks are computer networks that are layered on top of other networks (logical instead of physical). They differ from the traditional OSI layered network model and almost always assume that the underlay network is an IP network. These technologies include VXLAN, BGP VPNs, Layer 2 and Layer 3, and IP over IP, such as GRE or IPsec tunnels. Overlay networks, such as SD-WAN, use IP over IP technologies.
The overlay network (SDN overlay) allows multiple network layers to be run on top of each other, adding new applications and improving security. Multiple secure overlays can be created using software over existing networking hardware infrastructure by making virtual connections between two endpoints. In the cloud, endpoints can be physical locations, such as network ports, or logical locations, such as software addresses.
Software tags, labels, and encryption create a virtual tunnel between two network endpoints. End users must be authenticated to use the connection if encryption is used. Like a phone system, the technology can be considered endpoints with identification tags. An identification tag or number can be used to locate a device in a network, creating virtual connections.
Example Technology: EIGRP and GRE
In simple terms, GRE is a tunneling protocol that encapsulates various network layer protocols within IP packets. It establishes a virtual point-to-point connection between different networks, facilitating data transmission across disparate networks. Encapsulating packets within GRE headers allows for secure and efficient communication.
Two endpoints are required to establish a GRE tunnel: a source and a destination. The source endpoint encapsulates the original packet by adding a GRE header, while the destination endpoint decapsulates the packet and forwards it to the appropriate destination. This encapsulation process involves adding an extra IP header, which allows the packet to traverse the network as if it were a regular IP packet.
Networking approach based on overlays
Different overlay networking approaches are often debated in the SDN community. Some software-only solutions may not be able to integrate at the chip level, depending on the technology. The layering of software and processing in overlay networking has been criticized for creating performance overhead. Network overlays are controlled by SDN controllers using the OpenFlow protocol, which requires specific software code or “agents” to be installed.
Change in Traffic Patterns
Despite being in remote geographic locations, a host of physical servers and I/O devices can host multiple virtual servers that share the same logical network, thanks to the paradigm shift toward cloud computing. In contrast to the traditional north-south direction of data traffic within data centers, virtualization has facilitated more significant east-west data traffic. Communication between servers and applications within a data center is known as east-west traffic.
In corporate networks or on the Internet, much of the data required by the end user involves more complex data that requires preprocessing. Using a web server (via an app server) to access a database as an example of east-west traffic, we can demonstrate the need for preprocessing.
The birth of network overlays
Network virtualization overlays have become the de facto solution for addressing the problems just described in relation to data center expansion. Overlays allow existing network technologies to be abstracted, extending the capabilities of classic networks.
Networking has been using overlays for quite some time. As their name implies, overlays were developed to overcome the disadvantages of conventional networks. An overlay is a tunnel that runs on top of a physical network infrastructure.
Following MPLS- and GRE-based encapsulations in the 1990s, other tunneling technologies, such as IPsec,8 6in4,9, and L2TPv3,10, also gained popularity. For example, 6in4 tunnels were used to carry payloads over a transport network that could not support the payload type. These tunnels were utilized for security purposes, simplifying routing lookups, or carrying payloads over unsupported transport networks.
Understanding MPLS Forwarding
MPLS (Multi-Protocol Label Switching) forwarding is used in modern computer networks to route data packets efficiently. Unlike traditional IP routing, which relies on complex table lookups, MPLS forwarding utilizes labels to simplify and expedite packet forwarding. These labels act as virtual shortcuts, enabling faster and more streamlined transmission. To comprehend MPLS forwarding in action, let’s consider a hypothetical scenario of a multinational corporation with branch offices in different countries.
The organization can establish a private network that connects all its branches securely and efficiently by implementing MPLS forwarding. MPLS labels are assigned to packets at the ingress router and guide them through the network, ensuring reliable and optimized data transmission. This enables seamless communication, data sharing, and collaborative workflows across geographically dispersed locations.
What is the LDP Protocol?
The LDP protocol, short for Label Distribution Protocol, is a signaling protocol used in Multiprotocol Label Switching (MPLS) networks. It facilitates the exchange of label mapping information between Label Switching Routers (LSRs), allowing them to establish forwarding equivalence classes (FECs) and efficiently forward data packets.
Label Distribution: The core functionality of the LDP protocol lies in its ability to distribute and assign labels to network paths. These labels help LSRs establish predetermined forwarding paths, enabling faster and more efficient packet forwarding.
Traffic Engineering: Through its Traffic Engineering (TE) extensions, the LDP protocol allows network administrators to optimize the utilization of network resources. Dynamically adjusting label assignments and traffic flows enables better load balancing and network performance.
Network Overlays and Virtual Networks
Network overlays have emerged as a powerful solution to address the challenges posed by the increasing complexity of modern networks. This blog post will explore network overlays, their benefits, and how they improve connectivity and scalability in today’s digital landscape.
Network overlays are virtual networks that run on physical networks, providing an additional abstraction layer. They allow organizations to create logical networks independent of the underlying physical infrastructure. This decoupling enables flexibility, scalability, and simplified management of complex network architectures.
Diagram: Overlay Networking with VXLAN
Virtual Network Services
Network overlays refer to virtualizing network services and infrastructure over existing physical networks. By decoupling the network control plane from the underlying hardware, network overlays provide a layer of abstraction that simplifies network management while offering enhanced flexibility and scalability. This approach allows organizations to create virtual networks tailored to their specific needs without the constraints imposed by physical infrastructure limitations.
Creating an overlay tunnel
A network overlay is an architecture that creates a virtualized network on top of an existing physical network. It allows multiple virtual networks to run independently and securely on the same physical infrastructure. Network overlays are a great way to create a more secure and flexible network environment without investing in new infrastructure.
Network overlays can be used for various applications, such as creating virtual LANs (VLANs), virtual private networks (VPNs), and multicast networks. For example, we have DMVPN (Dynamic Multipoint VPN), with several DMVPN phases providing a secure network technology that allows for multiple sites’ efficient and secure connection.
In addition, they can segment traffic and provide secure communication between two or more networks. As a result, network overlays allow for more efficient resource use and provide better performance, scalability, and security.
Securing and overlay: GRE and IPSec
When combined, GRE and IPSec create a robust security infrastructure that addresses tunneling and encryption requirements. GRE tunnels establish secure connections between networks, enabling the transmission of encapsulated packets. IPSec then encrypts these packets, ensuring that data remains confidential and protected from interception. This powerful combination allows organizations to establish secure and private communication channels over untrusted networks like the Internet.
The utilization of GRE and IPSec brings numerous benefits to network security. Firstly, organizations can establish secure and scalable virtual private networks (VPNs) using GRE tunnels, allowing remote employees to access internal resources securely. Secondly, IPSec encryption protects data during transmission, safeguarding against eavesdropping and tampering. Additionally, the combination of GRE and IPSec facilitates secure communication between branch offices, enabling seamless collaboration and data sharing.
Enhanced Connectivity:
Network overlays improve connectivity by enabling seamless communication between different network domains. By abstracting the underlying physical infrastructure, overlays facilitate the creation of virtual network segments that can span geographical locations, data centers, and cloud environments. This enhanced connectivity promotes better collaboration, data sharing, and application access within and across organizations.
Understanding IPv6 Tunneling
IPv6 tunneling is a mechanism that encapsulates IPv6 packets within IPv4 packets, allowing them to traverse an IPv4 network. This enables communication between IPv6-enabled devices across IPv4-only networks. By encapsulating IPv6 packets within IPv4 packets, tunneling provides a practical solution for the coexistence of both protocols.
Types of IPv6 Tunneling
There are several methods for implementing IPv6 tunneling over IPv4, each with advantages and considerations. Let’s explore some popular types:
Manual Tunneling: Manual tunneling involves manually configuring tunnels between IPv6 and IPv4 endpoints. This method requires configuring tunnel endpoints and addressing them, making it suitable for smaller networks or specific scenarios.
Automatic tunneling, also known as 6to4 tunneling, allows for the automatic creation of IPv6 tunnels over IPv4 networks. It utilizes a 6to4 relay router to facilitate communication between IPv6 and IPv4 networks. Automatic tunneling is relatively easy to set up and does not require manual configuration.
Teredo Tunneling: Teredo tunneling is a mechanism that enables IPv6 connectivity over IPv4 networks, even behind Network Address Translations (NATs). It provides a way for IPv6 traffic to traverse NAT devices by encapsulating IPv6 packets within UDP packets. Teredo tunneling is particularly useful for home networks and scenarios where IPv6 connectivity is limited.
Advanced Topic
DMVPM:
The underlay network forms the foundation of any DMVPN deployment. It consists of the physical infrastructure that connects the various endpoints. From routers and switches to cables and network protocols, the underlay network ensures reliable and efficient data transmission. Key considerations in establishing a robust underlay include network design, redundancy, Quality of Service (QoS) policies, and security measures.
DMVPN truly shines in the overlay network, built on top of the underlay. It enables secure and efficient communication between remote sites, regardless of their physical locations. By leveraging multipoint GRE tunnels and dynamic routing protocols such as EIGRP or OSPF, DMVPN establishes a mesh network that seamlessly connects all endpoints. This overlay architecture eliminates the need for complex and static point-to-point VPN configurations, providing scalability and ease of management.
Benefits and Use Cases:
DMVPN offers a plethora of benefits and finds extensive usage across various industries. Its ability to provide secure and scalable connectivity makes it ideal for enterprises with multiple branch offices. By utilizing DMVPN, organizations can optimize their network infrastructure, reduce costs associated with traditional VPN solutions, and enhance overall network performance. Additionally, DMVPN enables seamless integration with cloud services and facilitates secure remote access for teleworkers.
Related: Before you proceed, you may find the following helpful:
Introduction to network overlays and what is involved.
Highlighting the details of control plane interaction.
Technical details on the encapsulation overhead.
Scenario: Security in the tunnel overlay.
A final note on STP and layer 2 attacks.
Back to Basics With Network Overlays
Supporting distributed application
There has been a significant paradigm shift in data center networks. This evolution has driven network overlays known as tunnel overlay, bringing several new requirements to data center designs. Distributed applications are transforming traffic profiles, and there is a rapid rise in intra-DC traffic ( East-West ).
We designers face several challenges to support this type of scale. First, we must implement network virtualization with the overlay tunnel for large cloud deployment.
Suppose a customer requires a logical segment per application, and each application requires load balancing or firewall services between segments. In that case, having an all-physical network using traditional VLANs is impossible. The limitations of 4000 VLANS and the requirement for stretched Layer 2 subnets have pushed designers to virtualize workloads over an underlying network.
1st Lab guide on network overlay with VXLAN
The following guide has a Layer 2 overlay across a routed Layer 3 core. Spine A and Spine B cores run an OSPF network to each other and the leaf layer. VXLAN is the overlay protocol that maps a bridge domain to a VNI that extends layer 2 across the routed core. Notice in the show command output that the encapsulation is set to VXLAN.
Diagram: VXLAN Overlay
Concepts of network Virtualization
Network virtualization is cutting up a single physical network into multiple virtual networks. Virtualizing a resource allows it to be shared by various users. Numerous virtual networks have jumped up over the decades to satisfy different needs.
A primary distinction between these different types is their model for providing network connectivity. Networks can provide connectivity via bridging (L2) or routing (L3). Thus, virtual networks can be either virtual L2 networks or virtual L3 networks.
Virtual networks started with the Virtual Local Area Network (VLAN). First, the VLAN was invented to lessen the unnecessary chatter in a Layer 2 network by isolating applications from their noisy neighbors. Then VLAN was then pushed into the world of security.
Then, we had the Virtual Routing and Forwarding (VRF). The virtual L3 network was invented along with the L3 Virtual Private Network (L3VPN) to solve the problem of interconnecting geographically disparate networks of an enterprise over a public network.
Network Overlay
Main Network Overlay Components
Network Overlay
Network overlays are virtual networks that run on physical networks.
Network overlays improve connectivity by enabling seamless communication between different network domains.
The limitations of 4000 VLANS and the requirement for stretched Layer 2 subnets have pushed designers to virtualize workloads over an underlying network.
Virtual networks can be either virtual L2 networks or virtual L3 networks.
Benefits of Network Overlays:
1. Simplified Network Management: With network overlays, organizations can manage their networks centrally, using software-defined networking (SDN) controllers. This centralized approach eliminates the need for manual configuration and reduces the complexity associated with traditional network management.
2. Enhanced Scalability: Network overlays enable businesses to scale their networks easily by provisioning virtual networks on demand. This flexibility allows rapid deployment of new services and applications without physical network reconfiguration.
3. Improved Security: Network overlays provide an additional layer of security by encapsulating traffic within virtual tunnels. This isolation helps prevent unauthorized access and reduces the risk of potential security breaches, especially in multi-tenant environments.
4. Interoperability: Network overlays can be deployed across heterogeneous environments, enabling seamless connectivity between different network types, such as private and public clouds. This interoperability makes it possible to extend the network across multiple locations and integrate various cloud services effortlessly.
Scalability and Elasticity
One of the critical advantages of network overlays is their ability to scale and adapt to changing network requirements. Overlays can dynamically allocate resources based on demand, allowing network administrators to deploy new services or expand existing ones rapidly. This elasticity enables organizations to meet the evolving needs of their users and applications without the constraints imposed by the underlying physical infrastructure.
Simplified Network Management
Network overlays simplify network management by providing a centralized control plane. This control plane abstracts the complexity of the underlying physical infrastructure, allowing administrators to configure and manage the virtual networks through a single interface. This simplification reduces operational overhead, minimizes human errors, and enhances network security.
VXLAN vs VLAN
One of the first notable differences between VXLAN and VLAN was increased scalability. The VXLAN ID is 24 bits, enabling you to create up to 16 million isolated networks. This overcomes the limitation of VLANs having the 12-bit VLAN ID, which enables only a maximum of 4094 isolated networks.
Multiple segments per application and the need for a tunnel overlay,
What are the drawbacks of network overlays, and how does it affect network stability?
Use Cases of Network Overlays:
1. Data Center Networking: Network overlays are commonly used in data center environments to simplify network management, enhance scalability, and improve workload mobility. By abstracting the physical network infrastructure, data center operators can create isolated virtual networks for different applications or tenants, ensuring optimal resource utilization and agility.
2. Cloud Networking: Network overlays enable connectivity and security in cloud environments. Whether public, private, or hybrid clouds, network overlays allow organizations to extend their networks seamlessly, ensuring consistent connectivity and security policies across diverse cloud environments.
3. Multi-site Connectivity: For organizations with multiple locations, network overlays provide a cost-effective solution for connecting geographically dispersed sites. By leveraging virtual networks, businesses can establish secure and reliable communication channels between sites, regardless of the underlying physical infrastructure.
Overlay Technologies:
1. Virtual Private Networks (VPNs):
Virtual Private Networks create secure, encrypted connections over public networks, enabling remote access and secure communication between geographically dispersed locations. VPNs are commonly used to provide secure connectivity for remote workers or to establish site-to-site connections between different branches of an organization.
2. Software-Defined Networking (SDN):
Software-defined networking is a network architecture that separates the control plane from the data plane, enabling centralized network management and programmability. SDN overlays can leverage network virtualization techniques to create logical networks independent of the underlying physical infrastructure.
3. Network Function Virtualization (NFV):
Network Function Virtualization abstracts network services, such as firewalls, load balancers, and routers, from dedicated hardware appliances and runs them as virtual instances. NFV overlays allow organizations to deploy dynamically and scale network services, reducing costs and improving operational efficiency.
Control Plane Interaction
Tunneled network overlays
Virtualization adds a level of complexity to the network. Consider the example of a standard tunnel. We are essentially virtualizing workloads over an underlying network. From a control plane perspective, there must be more than one control plane.
This results in two views of the network’s forwarding and reachability information—a view from the tunnel endpoints and a view from the underlying network. The control plane may be static or dynamic and provides reachability through the virtual topology on top of it, which provides reachability to the tunnel endpoints.
The overlay tunnel and potential consequences.
Router A has two paths to reach 192.0.2.0/24. Already, we have the complexity of influencing and managing what traffic should and shouldn’t go down the tunnel. Modifying metrics for specific destinations will influence path selection, but this comes with additional configuration complexity and policies’ manual management.
The incorrect interaction configuration between two control planes may cause a routing loop or suboptimal routing through the tunnel interfaces. The “routers in the middle” and the “routers at tunnel edges” have different views of the network – increasing network complexity.
A key point: Not an independent topology
These two control planes may seem to act independently, but they are not independent topologies. The control plane of the virtual topology relies heavily on the control plane of the underlying network. These control planes should not be allowed to interplay freely, as both can react differently to inevitable failures. The timing of the convergence process and how quickly each control plane reacts may be the same or different.
The underlying network could converge faster or slower than the overlaying control plane, affecting application performance. Design best practice is to design the network overlays control plane so that it detects and reacts to network failures faster than the underlying control plane or have the underlying control plane detect and respond faster than the network overlays control plane.
Encapsulation overhead
Every VXLAN packet originating from the end host and sent toward the IP core will be stamped with a VXLAN header. This leads to an additional 50 bytes per packet from the source to the destination server. If the core cannot accommodate the greater MTU size or the Path MTU is broken, the packet may have to be fragmented into smaller pieces. Also, the VXLAN header must be encapsulated and de-encapsulated on the virtual switch, which takes up computing cycles. Both of these are problematic for network performance.
VXLAN overhead.
Security in a tunnel overlay
There are many security flaws with tunnels and network overlays. The most notable is that they hide path information. A tunnel can pass one route on one day and take another path on a different day. The change of path may be unknown to the network administrator. Traditional routing is hop-by-hop; every router decides where the traffic should be routed.
However, independent hop-by-hop decisions are not signaled and are not known by the tunnel endpoints. As a result, an attacker can direct the tunnel traffic via an unintended path where the rerouted traffic can be monitored and snooped.
Tunneled traffic hides from any policies or security checkpoints. Many firewalls have HTTP port 80 open to support web browsing. This can allow an attacker to tunnel traffic in an HTTP envelope, bypassing all the security checks. There are also several security implications if you are tunneling with GRE.
First, GRE does not perform encryption or authentication on any part of the data journey. The optional 32-bit tunnel key for identifying individual traffic flows can easily be brute-forced due to the restriction of 2×32 number combinations.
Finally, it has a weak implementation of the sequence number used to provide a method of in-order delivery. These shortcomings have opened up to several MTU-based and GRE packet injection attacks.
STP and Layer 2 attacks
VXLAN extends layer 2 domains across layer 3 boundaries, resulting in more extensive layer 2 flat networks. Regarding intrusion, the attack zones become much more significant as we connect up to two remote disjointed endpoints. This increases the attack zones over traditional VLANs where the Layer 2 broadcast domain was much smaller.
You are open to various STP attacks if you run STP over VXLAN. Tools such as BSD brconfig and Linux bridge-utilis allow you to generate STP frames into a Layer 2 network and can be used to insert a rogue root bridge to modify the traffic path.
Tunnel overlay with VXLAN inbuilt security?
The VXLAN standard has no built-in security, so if your core is not secure and becomes compromised, so will all your VXLAN tunneled traffic. Schemes such as 802.1x should be deployed for the admission control of VTEP ( tunnel endpoints ). 802.1x at the edges provides defense so that rogue endpoints may not inject traffic into the VXLAN cloud. The VXLAN payload can also be encrypted with IPsec.
Closing Points: Understanding Network Overlays
At its core, a network overlay is a virtual network created using software-defined networking (SDN) technologies. It enables the creation of logical network segments independent of the physical infrastructure. By decoupling the network’s control plane from its data plane, overlays provide flexibility, scalability, and agility for network architectures.
Benefits of Network Overlays
Enhanced Security and Isolation
Network overlays provide strong isolation between virtual networks, ensuring that traffic remains separate and secure. This isolation helps protect sensitive data and prevents unauthorized access, making overlays an ideal solution for multi-tenant environments.
Simplified Network Management
With network overlays, administrators can manage and control the network centrally, regardless of the underlying physical infrastructure. This centralized management simplifies network provisioning, configuration, and troubleshooting, improving operational efficiency.
Overlay Technologies
Virtual Extensible LAN (VXLAN)
VXLAN is a widely adopted overlay technology that extends Layer 2 networks over an existing Layer 3 infrastructure. It uses encapsulation techniques to provide scalability and flexibility, allowing for the seamless expansion of network segments.
Generic Routing Encapsulation (GRE)
GRE is another popular overlay protocol that enables the creation of private point-to-point or multipoint tunnels over an IP network. It provides a simple and reliable way to connect geographically dispersed networks and facilitates the transit of diverse protocols.
Use Cases for Network Overlays
Data Center Virtualization
Network overlays play a crucial role in data center virtualization, allowing the creation of virtual networks that can span multiple physical servers. This enables efficient resource utilization, workload mobility, and simplified network management.
Hybrid Cloud Connectivity
By leveraging network overlays, organizations can establish secure and seamless connections between on-premises infrastructure and public cloud environments. This enables hybrid cloud architectures, providing the flexibility to leverage the benefits of both worlds.
In conclusion, network overlays have emerged as a powerful tool in modern networking, enabling flexibility, security, and simplified management. With their ability to abstract away the complexities of physical infrastructure, overlays pave the way for innovative network architectures. As technology continues to evolve, network overlays will undoubtedly play a vital role in shaping the future of networking.
Summary: Network Overlays
Network overlays have revolutionized the way we connect and communicate in the digital realm. In this blog post, we will explore the fascinating world of network overlays, their purpose, benefits, and how they function. So, fasten your seatbelts as we embark on this exciting journey!
What are Network Overlays?
Network overlays are virtual networks that are built on top of an existing physical network infrastructure. They provide an additional layer of abstraction, allowing for enhanced flexibility, scalability, and security. By decoupling the logical network from the physical infrastructure, network overlays enable organizations to optimize their network resources and streamline operations.
Benefits of Network Overlays
Improved Scalability:
Network overlays allow for seamless scaling of network resources without disrupting the underlying infrastructure. This means that as your network demands grow, you can easily add or remove virtual network components without affecting the overall network performance.
Enhanced Security:
With network overlays, organizations can implement advanced security measures to protect their data and applications. By creating isolated virtual networks, sensitive information can be shielded from unauthorized access, reducing the risk of potential security breaches.
Simplified Network Management:
Network overlays provide a centralized management interface, allowing administrators to control and monitor the entire network from a single point of control. This simplifies network management tasks, improves troubleshooting capabilities, and enhances overall operational efficiency.
How Network Overlays Work
Overlay Protocols:
Network overlays utilize various overlay protocols such as VXLAN (Virtual Extensible LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation), and GRE (Generic Routing Encapsulation) to encapsulate and transmit data packets across the physical network.
Control Plane and Data Plane Separation:
Network overlays separate the control plane from the data plane. The control plane handles the creation, configuration, and management of virtual networks, while the data plane deals with the actual forwarding of data packets.
Use Cases of Network Overlays
Multi-Tenancy Environments:
Network overlays are highly beneficial in multi-tenant environments, where multiple organizations or users share the same physical network infrastructure. By creating isolated virtual networks, each tenant can have their own dedicated resources while maintaining logical separation.
Data Center Interconnectivity:
Network overlays enable seamless connectivity between geographically dispersed data centers. By extending virtual networks across different locations, organizations can achieve efficient workload migration, disaster recovery, and improved application performance.
Hybrid Cloud Deployments:
Network overlays play a crucial role in hybrid cloud environments, where organizations combine public cloud services with on-premises infrastructure. They provide a unified network fabric that connects the different cloud environments, ensuring smooth data flow and consistent network policies.
Conclusion:
In conclusion, network overlays have revolutionized the networking landscape by providing virtualization and abstraction layers on top of physical networks. Their benefits, including improved scalability, enhanced security, and simplified management, make them an essential component in modern network architectures. As technology continues to evolve, network overlays will undoubtedly play a vital role in shaping the future of networking.
In the realm of network security, understanding different scanning techniques is crucial. One such technique is UDP (User Datagram Protocol) scanning. While TCP (Transmission Control Protocol) scanning is more widely known, UDP scanning serves its unique purpose. In this blog post, we will delve into the fundamentals of UDP scanning, explore its significance, and understand how it differs from TCP scanning.
UDP scanning involves sending UDP packets to specific ports on a target system to identify open, closed, or filtered ports. Unlike TCP, UDP is a connectionless protocol, which makes scanning UDP ports trickier. UDP scans are typically used to discover services running on a target system, especially those that may not respond to traditional TCP scans.
UDP (User Datagram Protocol) scan is a network scanning technique used to identify open UDP ports on a target system. Unlike TCP, which establishes a connection before data transmission, UDP is connectionless, making it a popular choice for certain applications. UDP scan operates by sending UDP packets to various ports on a target system and analyzing the responses received.
UDP scan finds its utility in various scenarios. One prominent use case is the identification of open ports on a target network. By discovering open UDP ports, network administrators can gain insights into potential vulnerabilities and take appropriate mitigation measures. Additionally, UDP scan can be employed for monitoring and troubleshooting network devices, especially those that rely heavily on UDP-based protocols.
While UDP scan can be a powerful tool, it also comes with certain vulnerabilities and limitations. One significant limitation is the lack of reliable response verification. Unlike TCP, which sends acknowledgments for successful packet delivery, UDP does not provide such mechanisms. This makes UDP scan prone to false positives and inconclusive results. Moreover, some firewalls and intrusion detection systems may block or limit UDP traffic, hindering the effectiveness of UDP scan.
To mitigate the risks associated with UDP scan, network administrators can implement several strategies. First and foremost, maintaining up-to-date firewall rules and configurations is crucial. This includes selectively allowing or blocking UDP traffic based on specific requirements. Additionally, implementing network segmentation can limit the attack surface and minimize the impact of potential UDP scan attempts. Regular vulnerability assessments and patch management also play a vital role in mitigating vulnerabilities that could be exploited through UDP scan.
Highlights: UDP Scan
Understanding Networking
Network-based security testing requires an understanding of how protocol stacks are defined. Using the Open Systems Interconnection (OSI) model, one can define protocols and, more specifically, their interactions. Through the OSI model, we can break down communications into different functional elements and identify where other information is added to network packets. Furthermore, you can see how systems interact across functional elements.
Identifying vulnerabilities and assessing your attack surface requires scanning your network for open ports and services. Network Mapper (Network Mapper) identifies hosts, open TCP and UDP ports, services running on those ports, and the operating system on your network.
Port scanning – what is it?
As a network grows and more devices connect, an administrator may find keeping track of devices and services helpful. NMAP can scan a network for open ports and services connected to the environment. Network audits are primarily conducted using NMAP port scans, but they can also be used to find exploitable vulnerabilities.
NMAP displays open ports on the targeted system after scanning the host with the command.
NMAP stands for Network Mapper. What is it?
NMAP has a graphical user interface (GUI) and a command-line interface. The tool also scans open ports on computers on the network. NMAP can also check other devices, including computers. It scans all networked devices, desktops, mobile devices, routers, and IoT devices.
NMAP is available for free on the developer’s website. Windows, Mac, and Linux are supported. Identifying vulnerable devices on a network is one of the utility’s most important functions, and it has been a part of many network administrators’ and hackers’ tools for years.
Stress Testing
The purpose of stress testing is to generate vast amounts of traffic and send it to a device or application. A device or application may be stressed if unexpected data is sent. There are certain expectations about the type and structure of data that applications will receive, even when they run on limited-use devices (such as thermostats, locks, and light switches). A failure to send what was expected may fail in an application. Knowing this is useful. Stress testing the logic of an application is another type of stress testing.
SIP and UDP Testing
SIP can use TCP or User Datagram Protocol (UDP) as a transport protocol, although earlier versions preferred UDP. Thus, older tools, particularly older ones, tend to use UDP. TCP is supported by modern implementations and Transport Layer Security (TLS) to prevent headers from being read.
The SIP protocol is based on HTTP, so all the headers and other information are text-based, unlike H.323, another binary VoIP protocol that cannot be read visually without a protocol decoder. It is not possible to switch from UDP to TCP when using the tool invite flood. Although there is no time wasted waiting for the connection to be established, this does allow the flood to happen faster.
Conducting a UDP Scan
When conducting a UDP scan, the scanner sends UDP packets to a range of ports on the target system. If a UDP port is open, the target system responds with an ICMP (Internet Control Message Protocol) port unreachable message.
If a UDP port is closed, the target system may respond with an ICMP message indicating it is closed or ignore the packet. In some cases, if a firewall filters a UDP port, the target system may not respond, making it harder to determine the port’s status.
Significance of UDP Scan
UDP scanning plays a crucial role in network security and vulnerability assessment. It helps identify potential vulnerabilities and misconfigurations in network devices and services. By discovering open UDP ports, network administrators can assess the risks associated with those services and take appropriate measures to secure them.
Additionally, UDP scanning enables the detection of UDP-based services that may not be visible through traditional TCP scans.
Related: Before you proceed, you may find the following posts helpful:
UDP scanning is network scanning to discover services running on a computer or network.
Network Scanning can be performed with NMAP.
UDP uses headers when packaging message data to transmit. UDP headers include a set of parameters.
A UDP handshake is a method computers use to connect over the User Datagram Protocol (UDP).
Network Scanning
UDP scanning is network scanning that discovers services running on a computer or network. It also detects any open ports on a system that may be used for malicious activities.
System administrators and security professionals commonly use UDP scanning to identify potential weaknesses in their network security.UDP scanning involves sending a packet to a specific port on the target host.
The host will respond with an acknowledgment packet if the port is open. If the port is closed, the host will not respond. By sending multiple UDP packets to various ports, it is possible to determine which services are running on the target host.
UDP scanning can quickly identify potential targets for malicious activities and vulnerable services that attackers may exploit. It is often used with other network scanning techniques, such as port and vulnerability scanning.
UDP scanning is an essential tool for network security professionals. It provides valuable information about a system’s open ports, allowing system administrators to better secure their networks and help prevent malicious activities.
1st Lab Guide: Network Scanning with NMAP
Nmap (Network Mapper) is an open-source and versatile network scanning tool that enables users to discover hosts and services on a computer network.
It operates by sending packets and analyzing the responses received from target devices. Nmap scanning provides valuable insights into network topology, open ports, operating systems, and potential vulnerabilities. The following will teach you the foundational knowledge of NMAP to scan a network to see which hosts and ports are online on each host you know about.
Note:
You will use NMAP to scan the 192.168.18.0/24 network. For this first test, we want to see which hosts respond and not care what ports they have open. I have a small network that is isolated using VMware.
In this example, use the “Ping Scan” option, either—sn or—sP. I am using the—sP option in the example below. I also used the -F option. The -F argument will tell NMAP to scan the host only for the 100 most common open ports.
Analysis:
There are three hosts online: 192.168.18.2, 192.168.18.130, and 192.168.18.131.
You will also see how long it took for this NMAP scan to complete and how many IP addresses were scanned.
The example shows that 256 IP addresses were scanned on the screen, which took 2.64 seconds.
We can also see the open ports. On 192.168.18.131, port 22 for SSH is open, and on 192.168.18.2, port 53 is open.
Note: When performing NMAP scans on a network, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can easily detect the scans. There are ways to avoid this, such as completing a Stealth Scan and limiting the speed at which the scans are performed. We will look at Stealth Scans in the following lab guide.
Port Scanning
Port scanning is a method computer networks use to identify open ports on a system and check for vulnerabilities. It is commonly used to detect security weaknesses in networks and systems by probing for open ports and services that may be vulnerable to attack. Port scanning is done by either manually entering commands or using specialized software.
Port scans are used as a reconnaissance step to identify open ports on a system and assess the target’s security posture. A port scan will typically look for open ports on a target system and then attempt to identify the service running on that port. This helps to identify possible vulnerabilities in the design and determine what kind of attack may be possible.
Port scanning is essential for network security, as it can help to identify any potential weaknesses in a system that an attacker could exploit. However, it is also necessary to ensure that all ports and services are adequately secured, as an open port can be an easy target for an attacker.
NMAP can be used to perform host discovery. Once you’ve identified confirmed hosts within your network, you can continue by performing port scanning, which will help you identify risk areas. Additionally, you can perform TCP and UDP port scans. This post focuses on the UDP scan with the process of UDP scanning. Remember that the information that should be exposed to the outside world is down to security policy.
Any IP scanning starts with an ICMP. This is the first step; you can block all incoming ICMPs at the perimeter network. This will make Ping ineffective and filter ICMP unreachable messages to block Traceroute. Consider this to be the first line of defense. But does this solve all of the problems? No, port scan works on TCP/UDP ports as well.
Connectionless protocols ( UDP ) spread the state required to carry the data through every possible device. In contrast, connection-oriented protocols ( TCP ) constrain the state to only those involved in two-way communication. These differences affect network convergence and how applications react to network failure.
Connectionless moves the data onto another path, while connections-orientated must build up the state again. You can see from the packet header below that UDP is a lightweight protocol with few options to set. On the other hand, TCP has many options and flags that can influence communication.
1. Be mindful of the network bandwidth: UDP scans can generate significant traffic. It is essential to consider the network capacity and prioritize critical systems to avoid overwhelming the network.
2. Use appropriate scanning tools: Various network scanning tools, such as Nmap or Nessus, offer UDP scanning capabilities. Choose a tool that aligns with your specific requirements and provides accurate results.
3. Understand the limitations: Due to UDP’s connectionless nature, scanning accuracy might be compromised. Some ports may be filtered or unresponsive, leading to inconclusive results. It is crucial to analyze the results holistically and consider other factors.
UDP header
UDP (User Datagram Protocol) is a communications protocol for sending data over an IP network. It is an alternative to the more commonly used Transmission Control Protocol (TCP). Unlike TCP, UDP does not provide reliable data delivery, meaning that there is a chance that packets of data sent over UDP may be dropped or lost. However, UDP is faster than TCP and is more suitable for applications that require speed.
The following diagram shows the UDP Header. UDP uses headers when packaging message data to transmit. UDP headers include a set of parameters. These parameters are called fields defined by the protocol’s technical specifications. The UDP header has four fields, each of which is 2 bytes. The UDP header’s four fields are listed as follows:
The source port number is the source port of the sender.
The destination port number is the port to which the datagram is addressed and destined.
Length, the length in bytes of the UDP header.
A checksum is used for error checking.
In summary, the UDP header is 8 bytes long and consists of four fields: source port, destination port, length, and checksum. The source port is a 16-bit field that identifies the source application used for the communication.
The destination port is a 16-bit field that identifies the application used for the transmission. The length field is a 16-bit field that specifies the length of the UDP header and data. The checksum is a 16-bit field used to verify the integrity of the header and data.
Diagram: UDP scan and the UDP header.
UDP handshake
A UDP handshake is a method that computers use to connect to the User Datagram Protocol (UDP). It is an essential part of setting up a network connection and allows two devices to communicate with each other.
The UDP handshake starts with the sending device sending a request to the receiving device. This request is usually an IP address and a port number. The receiving device then sends a confirmation packet, indicating it is ready to receive data.
Once this packet is received, the sending device can send data to the receiving device. The UDP handshake is often used for streaming audio and video, as it is a fast way of establishing a connection between two devices. In addition, it does not require the same security level as a TCP connection, so it is often preferred for streaming applications.
Once the UDP handshake is complete, the two devices are connected and can begin exchanging data. The connection remains active until one of the devices closes it. This is done either by sending a particular packet or by the connection timing out. A UDP handshake is a fast and reliable way to connect two devices.
No three-way UDP handshake:
UDP has a source and destination port but does not mandate that the source and destination establish a three-way UDP handshake before transmission occurs. Further, there is no requirement for an end-to-end connection. This is in comparison to TCP.
TCP establishes a connection between a sender and receiver before sending data. The UDP handshake does not establish a connection before sending data. So, in a TCP-based connection, a three-way handshake is used to create a connection. TCP uses handshake protocols like SYN, SYN-ACK, and ACK, while in the case of UDP, we have no UDP handshake protocols.
Differences from TCP Scan:
Unlike TCP scanning, which establishes a connection with the target system, UDP scanning works without a handshake process. This makes UDP scanning faster but less reliable. Furthermore, UDP scans are more likely to trigger intrusion detection systems (IDS) or firewalls due to the nature of unsolicited packets being sent. It is essential to configure these security systems accordingly to avoid false alarms.
Capabilities:
TCP
UDP
Connection Type:
Sequencing:
Usage:
Connection-oriented
Yes
Downloads
File Sharing
Connectionless
No
Video Streaming
VoIP
Transmission Control Protocol
User Datagram Protocl
Getting Started with UDP Scanning
Consider how these protocols work and respond to scans when enabled at your perimeter. How these protocols interact with the network affects how they are viewed and scanned by the outside world. For example, UDP sends a packet to the receiver with no mechanism for ensuring packet delivery and does not require a response from the target machine.
This type of communication is often referenced as dropping a letter into a mailbox and not knowing if the receiver has opened it. So, how does the design of these protocols affect the type of scans and results they offer?
50%
UDP Scanning Checklist
UDP is a prime target for DNS reflection attacks. UDP does not have any in-built security.
Examine port scanning with a layered approach. Start with ICMP and then move to port scanning with both a TCP and UDP scan.
TCP and UDP differ significantly with their handshake methods.
NMAP is a tool that can be used to perform port scans.
What Is a UDP Scan?
A classic problem with UDP fingerprinting is that you will unlikely get a response from the receiver. If the service is available and accepting UDP packets, the expected behavior for this service is to accept the packet but not send back a response to the sender. Likewise, a common firewall strategy is to absorb the packet and not send a reply to the sender—the “if you can’t see me, you can’t attack me” approach.
Diagram: UDP scanning and the UDP transfer.
This is common with UDP scans, which tend to result in false positives. As a result of this behavior, most UDP scans provide very little information and mark nearly every port as “open|filtered.” Generally, a port is considered “open” if the scanning host does not receive an unreachable message from an Internet Control Message Protocol ( ICMP ) port.
NMAP UDP Scan
To elicit more of a response, you can optimize NMAP ( Network Mapper ) to include the “-sV” switch, which will send specially crafted packets to the ports that are listed as “open|filtered.” This can hopefully help us narrow down the results and generate ports to become “open|open.”
Now, the NMAP UDP scan can help inventory UDP ports. So, the NMAP UDP scan is activated with the—sU option. Consider combining the NMAP UDP scan with an SYN or TCP scan type. This can be carried out with the—sS option. It allows you to check both protocols during the same scan run.
Alternatively, you could go above Layer 4. For example, if you are doing an SNMP scanning, you would send an “SNMP ping” instead of looking for open UDP ports. An SNMP ping is not like an ICMP ping. Instead, it operates above Layer 4 and requests the OID/object name universally present on all SNMP agents.
Another problem with UDP scans is that they are slow. UDP does not provide error checking, and sometimes, the UDP CRC32 checksum is not supported by the IP stack being used. As a result, the scanning host usually sends three successive UDP packets and waits for at least one ICMP port unreachable message ( if the receiving host decides to generate a response ).
The only way to do this is to offset your stealth and generate multiple UDP scans in parallel. In contrast, TCP is a connection-oriented protocol that creates the communication session using a three-way handshake.
Diagram: TCP handshake
Its design makes it subject to several different scans, which offer better results than a UDP scan. The most basic and stable type of scan is a TCP Connect scan. The scanning host attempts to complete the three-way handshake and tears down the session gracefully.
This type of scan is not a “Stealth” scan; most applications will log the completion of a three-way handshake. Instead, you could go for a TCP SYN scan if you want a faster or stealthier scan. SYN scans are faster because they only complete the process’s first two steps rather than completing the entire three-way handshake.
If we consider comparing the TCP three-way handshake to the analogy of someone making a phone call, an SYN scan would be similar. However, once the receiver picks up, you say nothing and hang up. An SYN scan is the default NMAP scan.
Note: When performing NMAP scans on a network, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can easily detect you. There are ways to avoid this, such as completing a Stealth Scan and limiting the speed at which the scans are performed.
When performing a Stealth Scan, Nmap sends a SYN packet to the target host. The port is open and listening if the target host responds with a SYN/ACK packet. At this point, Nmap sends an RST packet to terminate the connection without completing the handshake. This approach allows Nmap to gather information about open ports without establishing a full connection, making detecting the scan difficult for intrusion detection systems.
Note:
The—sS argument performs a Stealth Scan. This is accomplished by not completing the TCP three-way handshake. The computer performing the NMAP scan sends the TCP SYN message, and when the host responds with the TCP SYN-ACK message, the computer doesn’t send the final TCP ACK message, completing the handshake.
The -O argument tells NMAP to guess the host’s operating system. NMAP can detect the operating system by looking at the responses to various TCP/IP messages, such as TTL messages.
The -Pn argument tells NMAP not to send an ICMP (or Ping) packet used for host discovery.
Note: NMAP has numerous scripts that can be run. You tell NMAP to run a script by adding the –script argument and then immediately specifying which script you want to run. In this command, you run the vuln script to check the host for 105 vulnerabilities.
I am on a lockdown Unbuntu host that is pretty secure by default. Also, I run a different Nmap scan and not a stealth scan. In production, this scan out be detected. However, at least now you can see that it has detected my Ubuntu OS as a version of Linux.
Benefits of a Stealth Scan:
1. Reduced network footprint: The Stealth Scan minimizes the network footprint by avoiding unnecessary connections and reducing the chances of detection by IDS and intrusion prevention systems (IPS).
2. Faster scanning: Since the Stealth Scan only partially completes the TCP three-way handshake, it can scan many ports, making it an efficient scanning technique.
3. Evasion of firewall rules: The Stealth Scan can bypass specific firewall rules that only filter incoming connections but do not inspect outgoing SYN packets.
Limitations and Considerations:
While the Stealth Scan is an effective scanning technique, it has its limitations and considerations:
1. Limited application with stateful firewalls: Stateful firewalls that track the status of network connections can detect and block Stealth Scans by recognizing the incomplete three-way handshake.
2. Inaccurate results with heavily filtered ports: Some hosts may be configured to drop incoming SYN packets instead of responding with an SYN/ACK packet. In such cases, the Stealth Scan may yield inaccurate results.
3. Detection by advanced IDS/IPS systems: Advanced intrusion detection and prevention systems may implement behavior analysis and anomaly detection techniques to identify and block Stealth Scans. Therefore, it’s important to remember the scan’s stealthiness when conducting security assessments.
The Use of XMAS scans
An XMAS scan is another helpful scan that sets specific flags in the TCP header. XMAS scans get their name due to the analogy of being “lit up like a Christmas tree.” The “lighting up” refers to the fact that the FIN, PSH, and URG packet flags are all set to “on,” and the packet is “lit up like a Christmas tree.”
Diagram: TCP scans
An XMAS-crafted packet is highly unusual because it doesn’t have an SYN, ACK, or RST flag set, violating traditional TCP communications. Why would you not set these flags? To elicit a response or no response from the receiver.
The RFC states that the packet should be ignored if an opened port receives a packet without an SYN, ACK, or RST flag set. As a result, NMAP can determine the port state without initiating or completing a connection to the target system, but only if the target host’s operating system fully complies with the TCP RFC.
XMASS scan creates packets without the SYN flag set
Early packet filters block inbound SYN packets to stop a TCP three-way handshake. If no TCP three-way handshake occurs, then no TCP communication can originate outside the filter.
However, it would help if you considered that the NMAP XMASS scan does not attempt to establish an entire TCP session to determine what ports are open. This filter will indeed prevent a TCP Connect scan, but because an XMASS scan creates packets without the SYN flag set, it will bypass the filter.
Closing Points: UDP Scanning
UDP scanning involves probing target systems for open UDP ports. Unlike TCP, UDP is connectionless, making verifying whether a port is open or closed is challenging. UDP scanning attempts to determine the state of UDP ports by sending packets and analyzing the responses.
UDP scanning provides valuable insights into network security. By identifying open UDP ports, security professionals can assess potential vulnerabilities and take appropriate measures to protect against threats. Additionally, it allows for the discovery of services and applications running on these ports, aiding in network mapping and a better understanding of the network infrastructure.
Types of UDP Scanning Techniques:
1. UDP Connect Scanning: This technique emulates a connection-oriented approach, similar to TCP scanning. It sends a UDP packet to a specific port and waits for a response, indicating whether the port is open, closed, or filtered.
2. UDP Stealth Scanning: Also known as UDP Idle Scanning, this technique leverages the concept of zombie hosts. UDP stealth scanning can glean information about open ports without directly interacting with the target by exploiting the trust relationship between a zombie host and the target.
3. UDP Fragmentation Scanning: This technique involves splitting UDP packets into smaller fragments to bypass firewall filters and evade detection. The scanner can identify open UDP ports by reassembling the fragmented packets at the receiving end.
Vulnerabilities Revealed by UDP Scanning:
1. Open UDP Ports: UDP scanning exposes open UDP ports that can be potential entry points for attackers. Services running on these ports may have vulnerabilities that can be exploited.
2. Misconfigured Firewalls: UDP scanning can uncover misconfigured firewalls that allow unauthorized access through open UDP ports.
3. Amplification Attacks: Certain UDP-based services can be exploited to launch amplification attacks, where a small request generates a large response. UDP scanning helps identify such susceptible services and enables their mitigation.
While TCP scanning is more widely recognized, UDP scanning plays a crucial role in network security assessments. Security professionals can identify open UDP ports and potential vulnerabilities by leveraging various scanning techniques. Understanding UDP scanning and its significance helps organizations strengthen their network defenses against threats. Regular UDP scanning and robust security measures ensure a more resilient and secure network infrastructure.
Summary: UDP Scan
Understanding different scanning techniques is crucial in the vast world of network security. One such technique is UDP scanning, which allows for the identification of potential vulnerabilities in a network. In this blog post, we delved into the intricacies of UDP scanning, its benefits, and how it can be utilized effectively.
What is UDP Scanning?
UDP (User Datagram Protocol) scanning is used to discover open UDP ports on a target system. While TCP scanning focuses on establishing a connection with a host, UDP scanning involves sending a series of UDP packets to specific ports and analyzing the response. This technique helps identify potential entry points that hackers may exploit.
Benefits of UDP Scanning
UDP scanning provides several advantages in the realm of network security. Firstly, it allows administrators to assess the security posture of their network by identifying open ports that may be susceptible to unauthorized access. Secondly, it helps identify services running on non-standard ports, enabling better network management. Lastly, UDP scanning aids in detecting potential misconfigurations or outdated protocols that may pose security risks.
Techniques for Effective UDP Scanning
To ensure accurate and efficient UDP scanning, it is essential to employ the right techniques. One common approach is the ICMP-based scan, which involves sending UDP packets and analyzing the ICMP error messages received in response. Another technique is the reverse identification method, where the scanner sends packets to closed ports and examines the reaction to identify open ports. Employing a combination of these techniques enhances the overall effectiveness of the scanning process.
Overcoming Challenges and Limitations
While UDP scanning is a valuable technique, it comes with its challenges and limitations. One of the primary challenges is the lack of reliable responses from closed ports, which can lead to false positives or negatives. Additionally, firewalls and network filtering devices may block or alter UDP packets, making scanning more challenging. Understanding these limitations helps in interpreting scan results accurately.
Conclusion:
UDP scanning is a vital tool in the arsenal of network security professionals. Administrators can effectively utilize UDP scanning techniques to identify potential vulnerabilities, enhance network security, and mitigate risks. Understanding the intricacies and limitations of UDP scanning enables organizations to fortify their networks and stay one step ahead of potential threats.
Modularization virtualization has emerged as a game-changing technology in the field of computing. This innovative approach allows organizations to streamline operations, improve efficiency, and enhance scalability. In this blog post, we will explore the concept of modularization virtualization, understand its benefits, and discover how it is revolutionizing various industries.
Modularization virtualization refers to breaking down complex systems or applications into smaller, independent modules that can be managed and operated individually. These modules are then virtualized, enabling them to run on virtual machines or containers separate from the underlying hardware infrastructure. This approach offers numerous advantages over traditional monolithic systems.
Modularization virtualization brings together two transformative concepts in technology. Modularization refers to the practice of breaking down complex systems into smaller, independent modules, while virtualization involves creating virtual instances of hardware, software, or networks. When combined, these concepts enable flexible, scalable, and efficient systems.
Enhanced Flexibility and Scalability: By modularizing systems, organizations can easily add or remove modules as needed, allowing for greater flexibility and scalability. Virtualization further enhances this by providing the ability to create virtual instances on-demand, eliminating the need for physical infrastructure.
Modularization virtualization optimizes resource utilization by pooling and sharing resources across different modules and virtual instances. This leads to efficient use of hardware, reduced costs, and improved overall system performance.
- IT Infrastructure: Modularization virtualization has revolutionized IT infrastructure by enabling the creation of virtual servers, storage, and networks. This allows for easy provisioning, management, and scaling of IT resources, leading to increased efficiency and cost savings.
- Manufacturing:In the manufacturing industry, modularization virtualization has streamlined production processes by creating modular units that can be easily reconfigured and adapted. This enables agile manufacturing, faster time-to-market, and improved product quality.
- Healthcare:The healthcare sector has embraced modularization virtualization to enhance patient care and improve operational efficiency. Virtualized healthcare systems enable seamless data sharing, remote patient monitoring, and resource optimization, leading to better healthcare outcomes.
Highlights: Modularization Virtualization
Data centers and modularity
There are two ways to approach modularity in data center design. Each leaf (pod or rack) must be constructed entirely in the first step. Each pod contains the necessary storage, processing, and other services to perform a specific task. It is possible to design pods to provide Hadoop databases and human resources systems or even build application environments.
In a modular network, pods can be exchanged relatively independently of each other and other services and pods. Services can be connected (or disconnected) according to their needs. This model is extremely flexible and ideal for enterprises and other users of data centers with rapidly changing needs.
The second approach modularizes pods according to their resource availability. Block storage pods, file storage pods, virtualized compute pods, and bare metal compute pods can all be housed in different pods. The network operator can minimize the effect of upgrading one type of resource on the operation of specific services in the data center by upgrading it in bulk. This solution would benefit organizations that virtualize most of their services on standard hardware and want to separate hardware and software lifecycle management.
Of course, the two options can be mixed. In a data protection pod, backup services might be provided to other pods, which would then be organized based on their services rather than their resources. A resource-based modularization plan may be interrupted if an occasional service runs on bare metal servers instead of virtual servers. There are two types of traffic in these situations: those that can be moved for optimal traffic levels and those that cannot.
Performing modularization
With virtualization modularization, systems are deemed modular when they can be decomposed into several components that may be mixed and matched in various configurations. So, with virtualization modularization, we don’t have one flat network; we have different modules with virtualization as the base technology performing the modularization. Some of these virtualization technologies include MPLS.
Diagram: MPLS Overlay
Overlay Networking: Modular Partitions
To move data across the physical network, overlay services, and data-plane encapsulations must be defined. Underlay networks (or simply underlays) are typically used for this type of transport. The OSI layer at which tunnel encapsulation occurs is crucial to determining the underlay. The overlay header type somewhat dictates the transport network type. With VXLAN, for example, the underlying transport network (underlay) is a Layer 3 network that transports VXLAN-encapsulated packets between the source and destination tunnel edge devices. As a result, the underlay facilitates reachability between the tunnel edge devices and the overlay edge devices.
Diagram: VXLAN multicast mode
Reducing state and control plane
Why don’t we rebuild the Internet into one flat-switched domain – the flat earth model? The problem with designing one significant flat architecture is that you would find no way to reduce individual devices’ state and control plane. To forward packets efficiently, every device would have to know how to reach every other device; each device would also have to be interrupted every time there was a state change on any router in the entire domain. This is in contrast to modularization virtualization, also called virtualization modularization.
Modularity: Data Center Design
Modularity in data center design can be approached in two ways.
To begin with, each leaf (or pod, or “rack”) should be constructed as a complete unit. Each pod provides storage, processing, and other services to perform all the tasks associated with one specific service set. One pod may be designed to process and store Hadoop data, another for human resources management, or an application build environment.
This modularity allows the network designer to interchange different types of pods without affecting other pods or services in the network. By connecting (or disconnecting) services as needed, the fabric becomes a “black box”. The model is flexible for enterprises and other data center users whose needs constantly change.
In addition, pods can be modularized according to the type of resources they offer. The bare metal compute, the virtualized compute, and the block storage pods may be housed in different pods. As a result, the network operator can upgrade one type of resource en masse with minimal impact on the operation of any particular service in the data center. A solution like this is more suited to organizations that can virtualize most of their services onto standard hardware and want to manage the hardware life cycle separately from the software life cycle.
Diagram: What is spine and leaf architecture. 2-Tier Spine Leaf Design
Related: Before you proceed, you may find the following posts helpful:
Introduction to modularization virtualization and what is involved.
Highlighting the details of failure domains.
Technical details on the rate of the state of change and how this can effect you.
Scenario: Positive feedback loops.
A final note on virtualization techniques to perform modularization.
Back to basics with network modularity and hierarchical network design
Hierarchical network design reaches beyond hub-and-spoke topologies at the module level and provides rules, or general design methods, that give the best overall network design.
The first rule is to assign each module a single function. Reducing the number of functions or roles assigned to any particular module will help. It will also streamline the configuration of devices within the module and along its edge.
The second general rule in the hierarchical method is to design the network modules. Hence, every module at a given layer or distance from the network core has a roughly parallel function.
Why perform modularization? One big failure domain.
The amount of state and the rate at which it changes is impossible to maintain, and what you would witness would be a case of information overload at the machine level. Machine overload can be diagnosed into three independent problems below. The general idea behind machine overload is that too much information is insufficient for network efficiency. Some methods can reduce these defects, but no matter how much you try to optimize your design, you will never get away from the fact that fewer routes in a small domain are better than many routes in a large domain.
The need for virtualization modularization with machine overload.
CPU and memory utilization
On most Catalyst platforms, routing information is stored in a special high-speed memory called TCAM. Unfortunately, TCAM is not infinite and is generally expensive. Large routing tables require more CPU cycles, physical memory, and TCAM.
Rate of state of change
Every time the network topology changes, the control plane must adapt to the new topology. The bigger the domain, the more routers will have to recalculate the best path and propagate changes to their neighbors, increasing the rate of state change. Because MAC addresses are not hierarchical, a Layer 2 network has a much higher rate of state change than a Layer 3 network.
Positive feedback loops
Positive feedback loops add the concept of rate of change with the rate of information flow.
Positive feedback loops
Router A sends Router B a large database update which causes Router B’s control plane to fail.
Router B’s control plane failure is propagated to Router D and causes Router D’s control plane to fail.
Router D’s control plane failure is propagated to Router C and causes Router C’s control plane to fail.
Router C’s control plane failure is propagated to Router B and causes Router B’s control plane to fail.
Positive feedback loops
How can we address these challenges? The answer is network design with modularization and information hiding with the technique of virtualization modularization.
Modularization, virtualization, and information hiding
Information hiding reduces routing table sizes and state change rates by combining multiple destinations into one summary prefix, aggregation, or separating destinations into sub-topologies, aka virtualization. Information hiding can also be carried out by configuring route filters at specific network points.
Router B summarizes network 192.168.0.0/16 in the diagram below and sends the aggregate route to Router C. The aggregation process hides more specific routes behind Router A. Router C never receives any specifics or state changes for those specifics, so it doesn’t have to do any recalculations if the reachability of those networks changes. Link flaps and topology changes on Router A will not be known to Router C and vice versa.
Positive feedback loops
Positive feedback loops add the concept of rate of change with the rate of information flow.
Routers A and B are also in separate failure domains from router C. Routers C’s view of the network differs from Routers A and B. A failure domain is the set of devices that must recalculate their control plane information in the case of a topology change.
When a link or node fails in one fault domain, it does not affect the other. There is an actual split in the network. You could argue that aggregation does not split the network into “true” fault domains, as you can still have backup paths ( specific routes ) with different metrics reachable in the other domain.
If we split the network into fault domains, devices within each fault domain only compute paths within their fault domain. This drags the network closer to the MTTR/MTBF balance point, which is another reason you should divide complexity from complexity.
Virtualization Modularization
The essence of network design and fault domain isolation is based on the modularization principle. Modularization breaks up the control plane, giving you different information in different network sections. It would help if you engineered the network so it can manage organic growth and change with fixed limits. You can move to the next module when the network gets too big. The concept of repeatable configurations creates a more manageable network. Each topology should be designed and configured using the same tools where possible.
Why Modularize?
The prime reason to introduce modularity and a design with modular building blocks is to reduce the amount of data any particular network device must handle when it describes and calculates paths to a specific destination. The less information the routing process has to process, the faster the network will converge in conjunction with tight modulation limits.
The essence of modularization can be traced back to why the OSI and TCP/IP models were introduced. So why do we have these models? First, they allow network engineers to break big problems into little pieces so we can focus on specific elements and not get clouded by the complexity of the entire problem all at once. With the practice of modulation, particular areas of the network are assigned specific tasks.
The core focuses solely on fast packet forwarding, while the edge carries out various functions such as policing, packet filtering, QoS classification, etc. Modulization is done by assigning specific tasks to different points in the network.
Virtualization techniques to perform modularization
Virtualization techniques such as MPLS and 802.1Q are also ways to perform modularization. The difference is that they are vertical rather than horizontal. Virtualization can be thought of as hiding information and vertical layers within a network. So why don’t we perform modularization on every router and put each router into a single domain? The answer is network stretch.
MPLS provides modularization by providing abstraction with labels. MPLS leverages the concept of predetermined “labels” to route traffic instead of relying solely on the ultimate source and destination addresses. This is done by appending a short bit sequence to the packet, known as forwarding equivalence class (FEC) or class of service (CoS).
Enhanced Scalability and Flexibility:
One of the primary benefits of modularization virtualization is its ability to enhance scalability and flexibility. Organizations can quickly scale their infrastructure up or down by virtualizing individual modules based on demand. This flexibility allows businesses to adapt rapidly to changing market conditions and optimize resource allocation.
Improved Fault Isolation and Resilience:
Modularization virtualization also improves fault isolation and resilience. Since each module operates independently, a failure or issue in one module does not impact the entire system. This isolation ensures that critical functions remain unaffected, enhancing the overall reliability and uptime of the system.
Simplified Development and Maintenance:
With modularization, virtualization, development, and maintenance become more manageable and efficient. Each module can be developed and tested independently, enabling faster deployment and reducing the risk of errors. Additionally, updates or changes to a specific module can be implemented without disrupting the entire system, minimizing downtime and reducing maintenance efforts.
Summary: Modularization Virtualization
In today’s fast-paced technological landscape, businesses constantly seek ways to optimize their operations and maximize efficiency. Two concepts that have gained significant attention in recent years are modularization and virtualization. In this blog post, we will explore the power of these two strategies and how they can revolutionize various industries.
Understanding Modularization
In simple terms, modularization refers to breaking down complex systems or processes into smaller, self-contained modules. Each module serves a specific function and can be developed, tested, and deployed independently. This approach offers several benefits, such as improved scalability, easier maintenance, and faster development cycles. Additionally, modularization promotes code reusability, allowing businesses to save time and resources by leveraging existing modules in different projects.
Unleashing the Potential of Virtualization
Conversely, virtualization involves creating virtual versions of physical resources, such as servers, storage devices, or networks. By decoupling software from hardware, virtualization enables businesses to achieve greater flexibility, cost-effectiveness, and resource utilization. Virtualization technology allows for creating virtual machines, virtual networks, and virtual storage, all of which can be easily managed and scaled based on demand. This reduces infrastructure costs, enhances disaster recovery capabilities, and simplifies software deployment.
Transforming Industries with Modularization and Virtualization
The combined power of modularization and virtualization can potentially transform numerous industries. Let’s examine a few examples:
1. IT Infrastructure: Modularization and virtualization can revolutionize how IT infrastructure is managed. By breaking down complex systems into modular components and leveraging virtualization, businesses can achieve greater agility, scalability, and cost-efficiency in managing their IT resources.
2. Manufacturing: Modularization allows for creating modular production units that can be easily reconfigured to adapt to changing demands. Coupled with virtualization, manufacturers can simulate and optimize their production processes, reducing waste and improving overall productivity.
3. Software Development: Modularization and virtualization are crucial in modern software development practices. Modular code allows for easier collaboration among developers and promotes rapid iteration. Virtualization enables developers to create virtual environments for testing, ensuring software compatibility and stability across different platforms.
Conclusion:
Modularization and virtualization are not just buzzwords; they are powerful strategies that can bring significant transformations across industries. By embracing modularization, businesses can achieve flexibility and scalability in their operations, while virtualization empowers them to optimize resource utilization and reduce costs. The synergy between these two concepts opens up endless possibilities for innovation and growth.
Network stretch refers to the capability of a network to extend its reach, connecting users and devices across geographical boundaries. This can be achieved through various technologies such as virtual private networks (VPNs), wide-area networks (WANs), or cloud-based networking solutions.
Network stretch goes beyond the traditional limitations of physical infrastructure and geographical boundaries. It refers to the ability of a network to expand, adapt, and connect diverse devices and systems across various locations. This flexibility allows for enhanced communication, collaboration, and access to resources.
Highlights: Network Stretch
Understanding Network Routing
Network routing forms the backbone of data transmission, guiding packets of information from source to destination. It involves selecting the most suitable path for data to travel through a network of interconnected devices. Data reaches its destination promptly by efficiently navigating the network, ensuring a smooth user experience.
Factors Influencing Network Path Selection
Network Congestion: High network congestion can lead to data packet loss, delays, and poor quality of service. Routing algorithms consider network congestion levels to avoid congested paths and select alternative routes for optimal performance.
Bandwidth Availability: Bandwidth availability along different network paths affects the speed and reliability of data transmission. Routing protocols consider the bandwidth capacity of various paths to choose the one that can efficiently handle the data volume.
Latency and Delay: Reducing latency and minimizing delays are crucial for real-time applications such as video streaming, online gaming, and VoIP. Network routing algorithms consider latency measurements to choose paths with minimal delay, ensuring smooth and responsive user experiences.
Example: EIGRP and LFA
EIGRP LFA utilizes a pre-computed table called the Topology Table (T-Table), which stores information about feasible successors and loop-free alternate paths. When a primary path fails, EIGRP refers to the T-Table to quickly identify a backup path, avoiding potential loops.
EIGRP LFA offers numerous benefits, including reduced convergence time, improved network stability, and optimized resource utilization. It is particularly useful in environments where fast and reliable rerouting is critical, such as data centers, large enterprise networks, or service provider networks.
Understanding BGP Route Reflection
BGP route reflection is a method that allows for efficient and scalable distribution of routing information within an Autonomous System (AS). It reduces the full mesh requirement between BGP speakers, providing a more streamlined approach for propagating routing updates.
One of the primary objectives of network redundancy is to ensure uninterrupted connectivity in the event of link or router failures. BGP route reflection plays a crucial role in achieving redundancy by allowing the distribution of routing information to multiple reflector routers. In case of a failure, the reflector routers can continue forwarding traffic to the remaining operational routers, ensuring seamless connectivity.
Enhancing connectivity
One of the critical advantages of network stretch is enhanced connectivity. By extending the network to different locations, businesses can seamlessly connect their employees, customers, and partners, regardless of location. This improves collaboration and communication and enables organizations to tap into new markets and expand their customer base.
End users perception
Defining and engineering the most optimal network path is critical to network architecture. The value of the network is most evident in the end users’ perception of application quality. Application quality and the perception of quality will vary from user to user.
For example, one user may view a 5-second interrupt to a voice call as acceptable, while another could classify this as unacceptable. To maintain a high-quality perception for all users, you must engineer a packet to reach its destination as quickly as possible. This is where the concept of “network stretch” comes into play.
Software-defined networking (SDN)
Software-defined networking (SDN) is a crucial technology driving network stretch. SDN enables centralized control and management of network infrastructure, making it easier to scale and extend networks across multiple locations. By decoupling the network control plane from the underlying hardware, SDN offers greater flexibility, agility, and scalability, making it an ideal solution for network stretch.
Diagram: Software Defined Networking (SDN). Source is Opennetworking
Virtual private network (VPN) and GRE
Another critical technology is virtual private networks (VPNs), which provide secure and encrypted connections over public networks. VPNs play a crucial role in network stretch by enabling organizations to connect their various locations and remote workers securely. By utilizing VPNs, businesses can ensure that their data remains protected while allowing employees to access company resources anywhere in the world.
Related: For pre-information, you may find the following useful:
Stretch LAN, also known as Extended LAN or Stretched LAN, is an innovative networking approach that enables seamless connectivity across multiple geographical locations. Unlike traditional LANs, which are typically confined to a specific physical area, Stretch LAN extends the network coverage to distant places, creating a unified and expanded network infrastructure. This breakthrough technology has revolutionized how organizations establish and manage their networks, providing unprecedented flexibility and scalability.
Benefits of Stretch LAN
Enhanced Connectivity: Stretch LAN eliminates distance limitations, enabling seamless communication and data sharing across multiple locations. It promotes collaboration, improves productivity, and fosters a cohesive work environment even when teams are geographically dispersed.
Cost-Effective: By leveraging existing network infrastructure and extending it to new locations, Stretch LAN eliminates the need for costly hardware investments. This cost-effectiveness makes it attractive for businesses looking to expand their operations without breaking the bank.
Scalability and Flexibility: Stretch LAN offers unparalleled scalability, allowing organizations to add or remove locations as needed quickly. It provides the flexibility to accommodate evolving business needs, ensuring the network can grow alongside the organization.
Implementing Stretch LAN
Network Architecture: Implementing Stretch LAN requires careful planning and a well-designed network architecture. It involves deploying specialized equipment, such as stretch switches and routers, which facilitate the seamless extension of the LAN.
Configuration and Security: Proper configuration and security measures are essential to ensure the integrity and confidentiality of data transmitted across the Stretch LAN. Encryption protocols, firewalls, and robust access controls must be implemented to safeguard against potential threats.
Applications of Stretch LAN
Multi-Site Organizations: Stretch LAN is particularly advantageous for businesses with multiple locations, such as retail chains, educational institutions, or healthcare facilities. It provides a unified network infrastructure, enabling seamless site communication and resource sharing.
Disaster Recovery: Stretch LAN plays a crucial role in disaster recovery scenarios, where maintaining network connectivity is vital. By extending the LAN to a remote backup site, organizations can ensure uninterrupted access to critical data and applications, even in a disaster at the primary location.
Lab Guide: Router on a stick configuration
A router on a Stick is a networking setup where a single physical interface on a router is used to communicate with multiple VLANs (Virtual Local Area Networks). A trunk port is utilized instead of dedicating a separate port for each VLAN. This trunk port carries traffic from multiple VLANs to the router, which is processed and forwarded accordingly. Network administrators can effectively manage and control traffic flow within their network infrastructure by leveraging this configuration.
Note:
VLAN 10 and VLAN 20 are configured on the switch, and a single cable connects the router and switch. Routers need access to both VLANs, so switches and routers will share the same trunk!
Subinterfaces can be created on a router. We can configure IP addresses on each sub-interface of these virtual interfaces.
Here are the IP addresses I assigned to my two sub-interfaces. The default gateway for computers in VLAN 10 will be 192.168.10.254, while the default gateway for computers in VLAN 20 will be 192.168.20.254.
Encapsulation dot1Q is an important command. Our router cannot tell which VLAN belongs to which sub-interface, so we must use this command.Fa0/0.10 will belong to VLAN 10, and Fa0/0.20 will belong to VLAN 20.
To grasp the concept of the router on a stick, we must first delve into its fundamental principles. Essentially, a router on a stick involves using a single physical interface on a router to handle traffic between multiple VLANs. By utilizing subinterfaces and 802.1Q tagging, network administrators can achieve efficient inter-VLAN routing without requiring dedicated router interfaces for each VLAN.
Benefits and Use Cases
A router on a stick offers several advantages, making it an attractive option for various scenarios. First, it provides cost savings by reducing the number of physical router interfaces required. Second, it simplifies network management by centralizing routing configurations. This technique is particularly useful in environments where VLANs are prevalent, such as educational institutions, large enterprises, or multi-tenant buildings.
Deploying Stretched VLANs/LAN Extensions
Migration of virtual machines to another data center is critical for virtual workload mobility. Conversely, virtual machines and their applications can still communicate and be identified on the network, and services can continue to run.
Stretched VLANs, which span multiple physical data centers, are typically required for this to work. A Layer 3 WAN SDN connects locations in multisite data center topologies. This is the most straightforward configuration, removing many complex considerations from the environment.
A native Layer 3 environment requires migrated devices to change their IP addresses to match the addressing scheme at the other site, or all resources on the VLAN subnet must be moved at once. This approach severely restricts the ability to move resources from one site to another and does not provide flexibility.
It is, therefore, necessary to implement stretched VLANs to facilitate live migration over distance since they can extend beyond a single site and enable resources to communicate as if they were local.
Overlay networking is a virtual network infrastructure that operates on top of an existing physical network. It allows for the creation of logical networks decoupled from the underlying hardware infrastructure. Organizations can achieve greater flexibility, scalability, and security by encapsulating data packets within a separate overlay network.
Benefits of Overlay Networking
Overlay networking offers a multitude of benefits for businesses. Firstly, it simplifies network management by enabling seamless integration of different network types, such as virtual private networks (VPNs) and software-defined networks (SDNs). Secondly, overlay networks empower organizations to scale their infrastructure effortlessly, as new devices and services can be added without disrupting the existing network. Lastly, overlay networking enhances security by isolating and encrypting traffic within the overlay, protecting sensitive data from unauthorized access.
Implementation of Overlay Networking
Implementing overlay networking requires a robust and flexible software-defined network controller. This controller manages the creation, configuration, and maintenance of overlay networks. The underlying physical network must also support the necessary protocols, such as Virtual Extensible LAN (VXLAN) or Generic Routing Encapsulation (GRE). Organizations can leverage these technologies to establish overlay networks across data centers, cloud environments, and geographically dispersed locations.
Network modularity. Different designs and approaches.
Layered hub-and-spoke topologies are more widely used because they provide better network convergence than ring topologies. What about building a full mesh of modules?
Although a full mesh design might work well for a network with a small set of modules, it does not have stellar scaling characteristics because it requires an additional (and increasingly more extensive) set of ports and links for each module added to the network.
Additionally, full mesh designs don’t lend themselves to efficient policy implementation; each link between every pair of modules must have policy configured and managed, a job that can become demanding as the network expands.
Modular network design is an approach to architecture that divides the entire network into small, independent units or modules. These modules can be connected to form a more extensive network, enabling organizations to create a custom network tailored to their specific needs. Organizations can customize their network using modular network design to meet performance and scalability requirements while providing a cost-effective solution.
The value of a stretch network is that it’s modular and can affect only certain network parts. Therefore, you can design around its concept. A modular network separates the network into various functional modules consisting of network functions, each targeting a specific place or purpose in the network.
This brings a lot of value from a security and performance perspective. In a leaf and spine data center design, you could consider a network module, a pod, or a group of pods. So, the stretched network concepts must first be addressed with a bird’s eye view in the network design.
Network Stretch and Route Path Selection
Network stretch is the difference between the best possible path and the actual path the traffic takes through the network. The concept of a stretched network relates to both Layers 2 and 3.
For instance, if the shortest actual path available is 2 hops, but the traffic follows a 3-hop path, the stretch is 1. An increase in network stretch always represents sub-optimal use of available resources. To fully understand the concept of network stretch, first, consider the basics of route path selection and route aggregation.
Diagram: The basics of routing: Destination-based routing.
The following diagram illustrates the basics of routing. We have three routers in the network topology. Router 1 has two outbound connections—one to Router 2 and another to Router 3, each with different routing metrics. Routers 1 to Router 2 cost 10, and Router 1 to Router 3 cost 20. Destination-based routing for the same prefix length always prefers a path with a lower cost, resulting in traffic following the path to Router 2.
Route path selection
One critical aspect of a router’s functionality is its ability to determine the most efficient route for these packets. This process, known as route path selection, ensures data is transmitted optimally and reliably.
Factors Influencing Route Path Selection:
1. Network Topology:
The underlying network topology significantly impacts the route path selection process. Routers have a routing table containing information about the available paths to different destinations. Based on this information, a router determines the best path to forward packets. Factors such as the number of hops, link capacity, and network congestion are considered to ensure efficient data transmission.
2. Administrative Distance:
Administrative distance is a metric routers use to determine the reliability of a particular routing protocol or source. A numerical value is assigned to each forwarding routing protocols, indicating its preference level. With multiple routing protocols or sources, the router selects the one with the lowest administrative distance. For example, a router might prefer a directly connected network over a network learned through a dynamic routing protocol.
3. Routing Metrics:
Routing metrics are used to quantify the performance characteristics of a route. Different routing protocols utilize various metrics to determine the best path. Standard metrics include hop count, bandwidth, delay, reliability, and load. By analyzing these metrics, routers can select the most suitable path based on the network requirements and priorities. Take note of the metric assigned to the individual routes once the summary routes have been configured on R1. A metric of 16 is assigned, meaning they are not used while the summary route is in place.
Routing Algorithms:
1. Shortest Path First (SPF) Algorithm:
The SPF algorithm, Dijkstra’s algorithm, is widely used for route path selection. It calculates the shortest path between the source and destination based on the link costs. The algorithm maintains a routing table that stores the shortest path to each destination. By iteratively updating the routing table, routers can dynamically adapt to changes in the network topology.
2. Border Gateway Protocol (BGP):
BGP is a routing protocol used in large-scale networks like the Internet. Unlike interior routing protocols, BGP focuses on inter-domain routing. BGP routers exchange routing information to determine the best path for data transmission. BGP considers path length, AS (Autonomous System) path, and routing policies to select routes.
Route aggregation
Next, we have route aggregation. Route summarization—also known as route aggregation—is a method to minimize the number of routing tables in an IP network. It consolidates selected multiple routes into a single route advertisement, which serves two purposes in the network.
Breaking the network into multiple failure domains and
Reducing the amount of information the routing protocol must deal with when converging.
In our case, Router 1 must install all individual routes without route aggregation, including metrics, tags, and other information. The best path to reach a particular destination must be calculated every time the topology changes.
Route aggregation is crucial in simplifying the routing process and optimizing network performance in networking. By consolidating multiple network routes into a single entry, route aggregation reduces the size of routing tables, improves scalability, and enhances overall network efficiency. In this blog post, we will explore the concept of route aggregation, its benefits, and its implementation in modern networking environments.
1st Lab guide: EIGRP Summary Address
In the following lab guide, we have a DMVPN network. R11 is the hub, and R31 and R41 are the spokes. We are running EIGRP over the DMVPN tunnel, which is a mGRE tunnel. EIGRP has been configured to send a summary route to the spoke sites.
Notice below in the screenshot that after the configuration, we have a Null0 route on the hub where the summarization was configured, and also, the spokes now only have one route, i.e., the summary route, in their routing tables.
Remember that when you have a Hub and Spoke topology and a Distant Vector protocol, we have issues with Split Horizon at the hub site. However, as we are sending a summary route from the Hub, this is not an issue.
Diagram: EIGRP Summary Address
What is Route Aggregation?
Route aggregation, also known as route summarization or supernetting, is a technique used to consolidate multiple network routes into a more concise representation. Instead of advertising individual routes, network administrators can advertise a summarized route, which encompasses several smaller routes. This consolidation allows routers to make more efficient routing decisions, reducing the complexity of routing tables.
Benefits of Route Aggregation:
1. Reduced Routing Table Size: One of route aggregation’s primary advantages is the significant reduction in routing table size. By summarizing multiple routes into a single entry, the number of entries in the routing table is significantly reduced, leading to faster routing lookups and improved scalability.
2. Enhanced Network Efficiency: Smaller routing tables allow routers to process routing updates more quickly, improving network efficiency. The reduced size of routing tables also reduces memory and processing requirements, enabling routers to handle higher traffic loads without performance degradation.
3. Improved Convergence: Route aggregation helps to improve network convergence, which refers to the time it takes for routers to reach a consistent view of the network topology after a change occurs. Consolidating routes expedites the convergence process, as routers have fewer individual routes to process and update.
4. Enhanced Security: Using route aggregation, network administrators can help protect network resources by concealing internal network details. By advertising summarized routes instead of specific routes, it becomes more challenging for potential attackers to gain insight into the network’s internal structure.
Implementation of Route Aggregation:
Route aggregation can be implemented using various routing protocols, such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF). These protocols allow network administrators to configure route summarization at specific points within the network, optimizing routing efficiency.
Balancing summarizing routes too aggressively and maintaining the necessary network granularity level is essential when implementing route aggregation. Over-aggregation can lead to suboptimal routing decisions and potential connectivity issues. Network administrators must carefully design and configure route aggregation to ensure optimal performance.
Route Aggregation: A networking technique
Route aggregation is a networking technique that reduces the number of routes in a routing table. It is based on summarizing multiple IP addresses into a single IP address prefix. The method reduces the size of routing tables, thereby reducing the memory and bandwidth required for network communication.
Route aggregation is also known as route summarization or supernetting. Route aggregation groups multiple IP addresses into a single IP address prefix. This is done by selecting a typical bit pattern between the IP addresses and replacing that bit pattern with a single value. This allows for a reduction in the number of routes, which reduces the total memory and bandwidth requirements for the router.
Route aggregation can be used in both interior and exterior routing protocols. In internal protocols, the router can use route aggregation to reduce the number of routes in the routing table, thus reducing the total memory and bandwidth requirements.
In exterior protocols, route aggregation can reduce the number of routes sent to other network routers. This reduces the overall network traffic and the time it takes for the routing information to be propagated throughout the network.
Route aggregation and performance problems
This can cause performance problems, especially if the network has a high state change rate and many routes. Whenever the network topology changes, the router’s control plane must go through the convergence process steps ( detect, describe, switch, find ) and recalculate the best path to the affected destinations. If the rate of change is faster than the control plane can calculate new best paths, the network will never converge. One method used to overcome this is Route Aggregation.
Route aggregation creates separate failure domains and boundaries in the network. Routing nodes on different sides of the boundary will not query each other. It is essentially slicing the network. In addition, if a specific link frequently alternates between Up and Down states, the links uninvolved in the route summarization will not be affected. This prevents route flapping and improves network stability.
Route aggregation example:
So, in summary, route aggregation lets you take several specific routes and combine them into one inclusive route. As a result, route aggregation can reduce the number of routes a given protocol advertises. This is because the aggregates are activated by contributing routes. The routing protocols will have different route aggregation methods, such as those used in OSPF. When an ABR sends routing information to other areas, it originates Type 3 LSAs for each network segment.
If any contiguous segments exist in this area, run the abr-summary command to summarize these segments into one. An ABR then sends just one summarized LSA to other areas and no LSAs that belong to the summarized network segment specified by this command. Therefore, the routing table size is reduced, and router performance is improved. The critical point in the diagram below is the two separate failure domains. Failure domains A and B.
Diagram: Route aggregation.
State versus stretch
This has benefits and drawbacks in that packets can follow a less optimal path to reach their destination. When you summarize at the edge of the network, the receiving router loses complete network visibility, which can cause an increase in network stretch in some cases. What happens to traffic entering Router 1 and traveling to destination 192.168.1.1/24?
Diagram: The issues of route summarization.
Loss of visibility and state results in suboptimal traffic flow
Without aggregation on Router 3, this traffic would flow to Router 1 – Router 3 – Router 6. However, with route aggregation configured on both Router 2 and Router 3, this traffic will take the path with the better cost, Router 1 – Router 2 – Router 3 – Router 6, increasing one hop. As a result, the path from Router 1 to reach the destination 192.168.1.1/24 has stretched by one hop – or the stretch of the network has increased by 1.
Understanding Suboptimal Traffic Flow:
Suboptimal traffic flow is when data packets transmitted through routers take longer than necessary to reach their destination. This issue arises due to the complex nature of router operations, congestion, and routing protocols. Simply put, the path the data packets take is inefficient, resulting in delays, packet loss, and even degraded network performance.
Causes of Suboptimal Traffic Flow:
Several factors contribute to routers’ suboptimal traffic flow. One significant factor is the inefficient routing algorithms employed by routers. These algorithms determine the best path for data packets to travel through a network. However, due to limitations in these algorithms, they may choose suboptimal paths, such as congested or longer routes, resulting in delays.
Another cause of suboptimal traffic flow is network congestion. Conger occurs when multiple devices are connected to a router, and the data traffic exceeds capacity. This congestion leads to packet loss, increased latency, and inefficient traffic flow.
Impact on Online Experiences:
The suboptimal traffic flow in routers can significantly impact our online experiences. Slow-loading web pages, buffering videos, and laggy online gaming sessions are just a few examples. Beyond these inconveniences, businesses relying on efficient data transfer may suffer from decreased productivity and customer dissatisfaction. It is, therefore, crucial to address this issue to ensure a seamless online experience for all users.
Solutions to Improve Traffic Flow:
Several approaches can improve routers’ suboptimal traffic flow. One solution is investing in routers with advanced algorithms that optimize the path selection process. These algorithms can consider network congestion, latency, and packet loss to choose the most efficient route for data packets.
Additionally, implementing Quality of Service (QoS) techniques can help prioritize critical traffic, ensuring that it receives higher bandwidth and lower latency. By giving priority to time-sensitive applications such as video streaming or VoIP calls, QoS can significantly improve the overall traffic flow.
Regular router maintenance and firmware updates are also crucial to maintaining optimal traffic flow. By keeping the router’s software current, manufacturers can address any known issues and improve the device’s overall performance and efficiency.
Network Performance and CDN
Moreover, network performance can be impacted when the network is stretched over long distances. Latency and bandwidth limitations can affect the user experience, particularly for applications that require real-time data transmission. To overcome these challenges, businesses must carefully design their network architecture, leveraging technologies like content delivery networks (CDNs) and edge computing.
State reduction ( blocking links ) costs increase the stretch.
Consider the example of a Spanning Tree regarding state/stretch trade-offs. A spanning tree works by selecting one switch as the tree’s root and selecting specific links within the tree structure to move toward the root. This reduces the state to an absolute minimum by forcing all traffic along a single tree and blocking redundant links that don’t belong to that Tree. However, the state reduction ( blocking links ) costs increase the stretch through the network to the maximum possible.
This has led to the introduction of THRILL and Cisco’s FabricPath. These technologies allow you to have active/active paths, thereby increasing the state of the network while decreasing the stretch. When examining the data center transition, the default way to create scalable designs for Layers 2 and 3 is to have an overlay, such as VXLAN. Layer 2 and 3 traffic is differentiated with the VNI of the VXLAN header. All of these operate over a routed Layer 3 underlay.
VXLAN Benefits: Scale and loop-free networks.
A closing point on the stretch network
You can’t hide state information constantly, as it decreases the network’s overall efficiency by increasing the stretch. However, if all your traffic flows north/south, reducing the state will not impact the stretch, as the traffic can only follow one direction. But if you have a combination of traffic patterns ( north/south & east/west ), reducing the state will cause traffic to take a sub-optimal path through the network – thus increasing the stretch.
Summary: Network Stretch
In this fast-paced digital age, the concept of network stretch has emerged as a game-changer. Network stretch refers to expanding and optimizing networks to meet the increasing demands of connectivity. This blog post explored the various aspects of network stretch and how it can revolutionize how we connect and communicate.
Section 1: Understanding Network Stretch
Network stretch is more than just expanding physical infrastructure. It involves leveraging advanced technologies, such as software-defined networking (SDN) and network function virtualization (NFV), to enhance network capabilities. Organizations can achieve scalability, flexibility, and improved performance by embracing network stretch.
Section 2: The Benefits of Network Stretch
Network stretch offers a myriad of benefits. Firstly, it enables seamless connectivity across various locations, allowing businesses to expand their reach without compromising network performance. Secondly, it enhances disaster recovery capabilities by creating redundant pathways and ensuring business continuity. Lastly, network stretch empowers organizations to adopt cloud-based services and leverage the Internet of Things (IoT) power.
Implementing network stretch requires careful planning and execution. Organizations need to assess their current network infrastructure, identify areas for improvement, and leverage technologies like SDN and NFV. Working with experienced network providers can also help design and deploy robust network stretch solutions tailored to specific business needs.
Section 4: Overcoming Challenges
While network stretch offers immense potential, it comes with its own challenges. Ensuring security across stretched networks becomes paramount, as it involves a broader attack surface. Proper encryption, authentication protocols, and network segmentation are crucial to mitigate risks. Additionally, organizations must address potential latency issues and ensure seamless integration with existing network infrastructure.
Conclusion:
In conclusion, network stretch presents a remarkable opportunity for organizations to unlock new connectivity, scalability, and performance levels. By embracing advanced technologies and implementing sound strategies, businesses can revolutionize their networks and stay ahead in the digital era. Whether expanding geographical reach, improving disaster recovery capabilities, or embracing emerging technologies, network stretch is the key to a more connected future.
In today's rapidly evolving digital landscape, network management and data flow control have become critical for businesses of all sizes. OpenFlow is one technology that has gained significant attention and is transforming how networks are managed. In this blog post, we will delve into the concept of OpenFlow, its advantages, and its implications for network control.
OpenFlow is an open-standard communications protocol that separates the control and data planes in a network architecture. It allows network administrators to have direct control over the behavior of network devices, such as switches and routers, by utilizing a centralized controller.
Traditional network architectures follow a closed model, where network devices make independent decisions on forwarding packets. On the other hand, OpenFlow introduces a centralized control plane that provides a global view of the network and allows administrators to define network policies and rules from a centralized location.
OpenFlow operates by establishing a secure channel between the centralized controller and the network switches. The controller is responsible for managing the flow tables within the switches, defining how traffic should be forwarded based on predefined rules and policies. This separation of control and data planes allows for dynamic network management and facilitates the implementation of innovative network protocols.
One of the key advantages of OpenFlow is its ability to simplify network management. By centralizing control, administrators can easily configure and manage the entire network from a single point of control. This reduces complexity and enhances the scalability of network infrastructure. Additionally, OpenFlow enables network programmability, allowing for the development of custom networking applications and services tailored to specific requirements.
OpenFlow plays a crucial role in network virtualization, as it allows for the creation and management of virtual networks on top of physical infrastructure. By abstracting the underlying network, OpenFlow empowers organizations to optimize resource utilization, improve security, and enhance network performance. It opens doors to dynamic provisioning, isolation, and efficient utilization of network resources.
Highlights: What is OpenFlow?
How does OpenFlow work?
OpenFlow allows network controllers to determine the path of network packets in a network of switches. There is a difference between switches and controllers. With separate control and forwarding, traffic management can be more sophisticated than access control lists (ACLs) and routing protocols. An OpenFlow protocol allows switches from different vendors, often with proprietary interfaces and scripting languages, to be managed remotely. Software-defined networking (SDN) is considered to be enabled by OpenFlow by its inventors.
With OpenFlow, Layer 3 switches can add, modify, and remove packet-matching rules and actions remotely. By doing so, routing decisions can be made periodically or ad hoc by the controller and translated into rules and actions with a configurable lifespan, which are then deployed to the switch’s flow table, where packets are forwarded at wire speed for the duration of the rule. If the switch cannot match packets, they can be sent to the controller. The controller can modify existing flow table rules or deploy new rules to prevent a structural traffic flow. It may even forward the traffic itself if the switch is instructed to forward packets rather than just their headers.
OpenFlow uses Transport Layer Security (TLS) over Transmission Control Protocol (TCP). Switches wishing to connect should listen on TCP port 6653. In earlier versions of OpenFlow, port 6633 was unofficially used. The protocol is mainly used between switches and controllers.
Introducing SDN
Recent changes and requirements have driven networks and network services to become more flexible, virtualization-aware, and API-driven. One major trend affecting the future of networking is software-defined networking ( SDN ). The software-defined architecture aims to extract the entire network into a single switch.
Software-defined networking (SDN) is an evolving technology defined by the Open Networking Foundation ( ONF ). It involves the physical separation of the network control plane from the forwarding plane, where a control plane controls several devices. This differs significantly from traditional IP forwarding that you may have used in the past.
The activities around OpenFlow
Even though OpenFlow has received a lot of industry attention, programmable networks and decoupled control planes (control logic) from data planes have been around for many years. To enhance ATM, Internet, and mobile networks’ openness, extensibility, and programmability, the Open Signaling (OPENING) working group held workshops in 1995. A working group within the Internet Engineering Task Force (IETF) developed GSMP to control label switches based on these ideas. June 2002 marked the official end of this group, and GSMPv3 was published.
Data and control plane
Therefore, SDN separates the data and control plane. The main driving body behind software-defined networking (SDN) is the Open Networking Foundation ( ONF ). Introduced in 2008, the ONF is a non-profit organization that wants to provide an alternative to proprietary solutions that limit flexibility and create vendor lock-in.
The insertion of the ONF allowed its members to run proof of concepts on heterogeneous networking devices without requiring vendors to expose their software’s internal code. This creates a path for an open-source approach to networking and policy-based controllers.
Building blocks: SDN Environment
As a fundamental building block of an SDN deployment, the controller, the SDN switch (for example, an OpenFlow switch), and the interfaces are present in the controller to communicate with forwarding devices, generally the southbound interface (OpenFlow) and the northbound interface (the network application interface). In an SDN, switches function as basic forwarding hardware, accessible via an open interface, with the control logic and algorithms offloaded to controllers. Hybrid (OpenFlow-enabled) and pure (OpenFlow-only) OpenFlow switches are available.
OpenFlow switches rely entirely on a controller for forwarding decisions, without legacy features or onboard control. Hybrid switches support OpenFlow as well, in addition to traditional operation and protocols. Today, hybrid switches are the most common type of commercial switch. A flow table performs packet lookup and forwarding in an OpenFlow switch.
You may find the following useful for pre-information:
Introduction to what is OpenFlow and what is involved with the protocol.
Highlighting the details and benefits of OpenFlow.
Technical details on the lack of session layers in the TCP/IP model.
Scenario: Control and data plane separation with SDN.
A final note on proactive vs reactive flow setup.
Back to basics. What is OpenFlow?
What is OpenFlow?
OpenFlow was the first protocol of the Software-Defined Networking (SDN) trend and is the only protocol that allows decoupling a network device’s control plane from the data plane. In most straightforward terms, the control plane can be thought of as the brains of a network device. On the other hand, the data plane can be considered hardware or application-specific integrated circuits (ASICs) that perform packet forwarding.
Numerous devices also support running OpenFlow in a hybrid mode, meaning OpenFlow can be deployed on a given port, virtual local area network (VLAN), or even within a regular packet-forwarding pipeline such that if there is not a match in the OpenFlow table, then the existing forwarding tables (MAC, Routing, etc.) are used, making it more analogous to Policy Based Routing (PBR).
Despite various modifications to the underlying architecture and devices (such as switches, routers, and firewalls), traditional network technologies have existed since the inception of networking. Using a similar approach, frames, and packets have been forwarded and routed in a limited manner, resulting in low efficiency and high maintenance costs—consequently, the architecture and operation of networks needed to evolve, resulting in SDN.
By enabling network programmability, SDN promises to simplify network control and management and allow innovation in computer networking. Network engineers configure policies to respond to various network events and application scenarios. They can achieve the desired results by manually converting high-level policies into low-level configuration commands.
Often, minimal tools are available to accomplish these very complex tasks. Controlling network performance and tuning network management are challenging and error-prone tasks.
A modern network architecture consists of a control plane, a data plane, and a management plane; the control and data planes are merged into a machine called Inside the Box. To overcome these limitations, programmable networks have emerged.
How OpenFlow Works:
At the core of OpenFlow is the concept of a flow table, which resides in each OpenFlow-enabled switch. The flow table contains match-action rules defining how incoming packets should be processed and forwarded. The centralized controller determines these rules and communicates with the switches using the OpenFlow protocol.
When a packet arrives at an OpenFlow-enabled switch, it is first matched against the rules in the flow table. If a match is found, the corresponding action is executed, including forwarding the packet, dropping it, or sending it to the controller for further processing. This decoupling of the control and data planes allows for flexible and programmable network management.
What is OpenFlow SDN?
The main goal of SDN is to separate the control and data planes and transfer network intelligence and state to the control plane. These concepts have been exploited by technologies like Routing Control Platform (RCP), Secure Architecture for Network Enterprise (SANE), and, more recently, Ethane.
In addition, there is often a connection between SDN and OpenFlow. The Open Networking Foundation (ONF) is responsible for advancing SDN and standardizing OpenFlow, whose latest version is 1.5.0.
An SDN deployment starts with these building blocks.
For communication with forwarding devices, the controller has the SDN switch (for example, an OpenFlow switch), the SDN controller, and the interfaces. An SDN deployment is based on two basic building blocks: a southbound interface (OpenFlow) and a northbound interface (the network application interface).
As the control logic and algorithms are offloaded to a controller, switches in SDNs may be represented as basic forwarding hardware. Switches that support OpenFlow come in two varieties: pure (OpenFlow-only) and hybrid (OpenFlow-enabled).
Pure OpenFlow switches do not have legacy features or onboard control for forwarding decisions. A hybrid switch can operate with both traditional protocols and OpenFlow. Hybrid switches make up the majority of commercial switches available today. A flow table performs packet lookup and forwarding in an OpenFlow switch.
OpenFlow reference switch
The OpenFlow protocol and interface allow OpenFlow switches to be accessed as essential forwarding elements. A flow-based SDN architecture like OpenFlow simplifies switching hardware. Still, it may require additional forwarding tables, buffer space, and statistical counters that are difficult to implement in traditional switches with integrated circuits tailored to specific applications.
There are two types of switches in an OpenFlow network: hybrids (which enable OpenFlow) and pores (which only support OpenFlow). OpenFlow is supported by hybrid switches and traditional protocols (L2/L3). OpenFlow switches rely entirely on a controller for forwarding decisions and do not have legacy features or onboard control.
Hybrid switches are the majority of the switches currently available on the market. This link must remain active and secure because OpenFlow switches are controlled over an open interface (through a TCP-based TLS session). OpenFlow is a messaging protocol that defines communication between OpenFlow switches and controllers, which can be viewed as an implementation of SDN-based controller-switch interactions.
Application-driven routing. Users can control the network paths.
The networks paths.A way to enhance link utilization.
An open solution for VM mobility. No VLAN reliability.
A means to traffic engineer without MPLS.
A solution to build very large Layer 2 networks.
A way to scale Firewalls and Load Balancers.
A way to configure an entire network as a whole as opposed to individual entities.
A way to build your own encryption solution. Off-the-box encryption.
A way to distribute policies from a central controller.
Customized flow forwarding. Based on a variety of bit patterns.
A solution to get a global view of the network and its state. End-to-end visibility.
A solution to use commodity switches in the network. Massive cost savings.
The following table lists the Software Networking ( SDN ) benefits and the problems encountered with existing control plane architecture:
Identify the benefits of OpenFlow and SDN
Problems with the existing approach
Faster software deployment.
Large scale provisioning and orchestration.
Programmable network elements.
Limited traffic engineering ( MPLS TE is cumbersome )
Faster provisioning.
Synchronized distribution policies.
Centralized intelligence with centralized controllers.
Routing of large elephant flows.
Decisions are based on end-to-end visibility.
Qos and load based forwarding models.
Granular control of flows.
Ability to scale with VLANs.
Decreases the dependence on network appliances like load balancers.
A key point: The lack of a session layer in the TCP/IP stack.
Regardless of the hype and benefits of SDN, neither OpenFlow nor other SDN technologies address the real problems of the lack of a session layer in the TCP/IP protocol stack. The problem is that the client’s application ( Layer 7 ) connects to the server’s IP address ( Layer 3 ), and if you want to have persistent sessions, the server’s IP address must remain reachable.
This session’s persistence and the ability to connect to multiple Layer 3 addresses to reach the same device is the job of the OSI session layer. The session layer provides the services for opening, closing, and managing a session between end-user applications. In addition, it allows information from different sources to be correctly combined and synchronized.
The problem is the TCP/IP reference module does not consider a session layer, and there is none in the TCP/IP protocol stack. SDN does not solve this; it gives you different tools to implement today’s kludges.
What is OpenFlow? Lack of a session layer
Control and data plane
When we identify the benefits of OpenFlow, let us first examine traditional networking operations. Traditional networking devices have a control and forwarding plane, depicted in the diagram below. The control plane is responsible for setting up the necessary protocols and controls so the data plane can forward packets, resulting in end-to-end connectivity. These roles are shared on a single device, and the fast packet forwarding ( data path ) and the high-level routing decisions ( control path ) occur on the same device.
What is OpenFlow | SDN separates the data and control plane
Control plane
The control plane is part of the router architecture and is responsible for drawing the network map in routing. When we mention control planes, you usually think about routing protocols, such as OSPF or BGP. But in reality, the control plane protocols perform numerous other functions, including:
Connectivity management ( BFD, CFM )
Interface state management ( PPP, LACP )
Service provisioning ( RSVP for InServ or MPLS TE)
Topology and reachability information exchange ( IP routing protocols, IS-IS in TRILL/SPB )
Adjacent device discovery via HELLO mechanism
ICMP
Control plane protocols run over data plane interfaces to ensure “shared fate” – if the packet forwarding fails, the control plane protocol fails as well.
Most control plane protocols ( BGP, OSPF, BFD ) are not data-driven. A BGP or BFD packet is never sent as a direct response to a data packet. There is a question mark over the validity of ICMP as a control plane protocol. The debate is whether it should be classed in the control or data plane category.
Some ICMP packets are sent as replies to other ICMP packets, and others are triggered by data plane packets, i.e., data-driven. My view is that ICMP is a control plane protocol that is triggered by data plane activity. After all, the “C” is ICMP does stand for “Control.”
Data plane
The data path is part of the routing architecture that decides what to do when a packet is received on its inbound interface. It is primarily focused on forwarding packets but also includes the following functions:
ACL logging
Netflow accounting
NAT session creation
NAT table maintenance
The data forwarding is usually performed in dedicated hardware, while the additional functions ( ACL logging, Netflow accounting ) usually happen on the device CPU, commonly known as “punting.” The data plane for an OpenFlow-enabled network can take a few forms.
However, the most common, even in the commercial offering, is the Open vSwitch, often referred to as the OVS. The Open vSwitch is an open-source implementation of a distributed virtual multilayer switch. It enables a switching stack for virtualization environments while supporting multiple protocols and standards.
Identify the benefits of OpenFlow
Software-defined networking changes the control and data plane architecture.
The concept of SDN separates these two planes, i.e., the control and forwarding planes are decoupled. This allows the networking devices in the forwarding path to focus solely on packet forwarding. An out-of-band network uses a separate controller ( orchestration system ) to set up the policies and controls. Hence, the forwarding plane has the correct information to forward packets efficiently.
In addition, it allows the network control plane to be moved to a centralized controller on a server instead of residing on the same box carrying out the forwarding. Moving the intelligence ( control plane ) of the data plane network devices to a controller enables companies to use low-cost, commodity hardware in the forwarding path. A significant benefit is that SDN separates the data and control plane, enabling new use cases.
A centralized computation and management plane makes more sense than a centralized control plane.
The controller maintains a view of the entire network and communicates with Openflow ( or, in some cases, BGP with BGP SDN ) with the different types of OpenFlow-enabled network boxes. The data path portion remains on the switch, such as the OVS bridge, while the high-level decisions are moved to a separate controller. The data path presents a clean flow table abstraction, and each flow table entry contains a set of packet fields to match, resulting in specific actions ( drop, redirect, send-out-port ).
When an OpenFlow switch receives a packet it has never seen before and doesn’t have a matching flow entry, it sends the packet to the controller for processing. The controller then decides what to do with the packet.
Applications could then be developed on top of this controller, performing security scrubbing, load balancing, traffic engineering, or customized packet forwarding. The centralized view of the network simplifies problems that were harder to overcome with traditional control plane protocols.
A single controller could potentially manage all OpenFlow-enabled switches. Instead of individually configuring each switch, the controller can push down policies to multiple switches simultaneously—a compelling example of many-to-one virtualization.
Now that SDN separates the data and control plane, the operator uses the centralized controller to choose the correct forwarding information per-flow basis. This allows better load balancing and traffic separation on the data plane. In addition, there is no need to enforce traffic separation based on VLANs, as the controller would have a set of policies and rules that would only allow traffic from one “VLAN” to be forwarded to other devices within that same “VLAN.”
The advent of VXLAN
With the advent of VXLAN, which allows up to 16 million logical entities, the benefits of SDN should not be purely associated with overcoming VLAN scaling issues. VXLAN already does an excellent job with this. It does make sense to deploy a centralized control plane in smaller independent islands; in my view, it should be at the edge of the network for security and policy enforcement roles. Using Openflow on one or more remote devices is easy to implement and scale.
It also decreases the impact of controller failure. If a controller fails and its sole job is implementing packet filters when a new user connects to the network, the only affecting element is that the new user cannot connect. If the controller is responsible for core changes, you may have interesting results with a failure. New users not being able to connect is bad, but losing your entire fabric is not as bad.
What Is OpenFlow? Identify the Benefits of OpenFlow
A traditional networking device runs all the control and data plane functions. The control plane, usually implemented in the central CPU or the supervisor module, downloads the forwarding instructions into the data plane structures. Every vendor needs communications protocols to bind the two planes together to download forward instructions.
Therefore, all distributed architects need a protocol between control and data plane elements. The protocol to bind this communication path for traditional vendor devices is not open-source, and every vendor uses its proprietary protocol (Cisco uses IPC – InterProcess Communication ).
Openflow tries to define a standard protocol between the control plane and the associated data plane. When you think of Openflow, you should relate it to the communication protocol between the traditional supervisors and the line cards. OpenFlow is just a low-level tool.
OpenFlow is a control plane ( controller ) to data plane ( OpenFlow enabled device ) protocol that allows the control plane to modify forwarding entries in the data plane. It enables SDN to separate the data and control planes.
Proactive versus reactive flow setup
OpenFlow operations have two types of flow setups: Proactive and Reactive.
With Proactive, the controller can populate the flow tables ahead of time, similar to a typical routing. However, the packet-in event never occurs by pre-defining your flows and actions ahead of time in the switch’s flow tables. The result is all packets are forwarded at line rate. With Reactive, the network devices react to traffic, consult the OpenFlow controller, and create a rule in the flow table based on the instruction. The problem with this approach is that there can be many CPU hits.
The following table outlines the critical points for each type of flow setup:
Proactive flow setup
Reactive flow setup
Works well when the controller is emulating BGP or OSPF.
Used when no one can predict when and where a new MAC address will appear.
The controller must first discover the entire topology.
Punts unknown packets to the controller. Many CPU hits.
Discover endpoints ( MAC addresses, IP addresses, and IP subnets )
Compute forwarding paths on demand. Not off the box computation.
Compute off the box optimal forwarding.
Install flow entries based on actual traffic.
Download flow entries to the data plane switches.
Has many scalability concerns such as packet punting rate.
No data plane controller involvement with the exceptions of ARP and MAC learning. Line-rate performance.
Not a recommended setup.
Hop-by-hop versus path-based forwarding
The following table illustrates the keys point for the two types of forwarding methods used by OpenFlow; hop-by-hop forwarding and path-based forwarding:
Hop-by-hop Forwarding
Path-based Forwarding
Similar to traditional IP Forwarding.
Similar to MPLS.
Installs identical flows on each switch on the data path.
Map flows to paths on ingress switches and assigns user traffic to paths at the edge node
Scalability concerns relating to flow updates after a change in topology.
Compute paths across the network and installs end-to-end path-forwarding entries.
Significant overhead in large-scale networks.
Works better than hop-by-hop forwarding in large-scale networks.
FIB update challenges. Convergence time.
Core switches don’t have to support the same granular functionality as edge switches.
Identify the benefits of OpenFlow with security.
Obviously, with any controller, the controller is a lucrative target for attack. Anyone who knows you are using a controller-based network will try to attack the controller and its control plane. The attacker may attempt to intercept the controller-to-switch communication and replace it with its commands, essentially attacking the control plane with whatever means they like.
An attacker may also try to insert a malformed packet or some other type of unknown packet into the controller ( fuzzing attack ), exploiting bugs in the controller and causing the controller to crash.
Fuzzing attacks can be carried out with application scanning software such as Burp Suite. It attempts to manipulate data in a particular way, breaking the application.
The best way to tighten security is to encrypt switch-to-controller communications with SSL and self-signed certificates to authenticate the switch and controller. It would also be best to minimize interaction with the data plane, except for ARP and MAC learning.
To prevent denial-of-service attacks on the controller, you can use Control Plane Policing ( CoPP ) on Ingress to avoid overloading the switch and the controller. Currently, NEC is the only vendor implementing CoPP.
The Hybrid deployment model is helpful from a security perspective. For example, you can group specific ports or VLANs to OpenFlow and other ports or VLANs to traditional forwarding, then use traditional forwarding to communicate with the OpenFlow controller.
Identify the Benefits of OpenFlow
Software-defined networking or traditional routing protocols?
The move to a Software-Defined Networking architecture has clear advantages. It’s agile and can react quickly to business needs, such as new product development. For businesses to achieve success, they must have software that continues to evolve.
Otherwise, your customers and staff may lose interest in your product and service. The following table displays the advantages and disadvantages of the existing routing protocol control architecture.
+Reliable and well known.
-Non-standard Forwarding models. Destination-only and not load-aware metrics**
+Proven with 20 plus years field experience.
-Loosely coupled.
+Deterministic and predictable.
-Lacks end-to-end transactional consistency and visibility.
+Self-Healing. Traffic can reroute around a failed node or link.
-Limited Topology discovery and extraction. Basic neighbor and topology tables.
+Autonomous.
-Lacks the ability to change existing control plane protocol behavior.
+Scalable.
-Lacks the ability to introduce new control plane protocols.
+Plenty of learning and reading materials.
** Basic EIGRP IETF originally proposed an Energy-Aware Control Plane, but the IETF later removed this.
Software-Defined Networking: Use Cases
Edge Security policy enforcement at the network edge.
Authenticate users or VMs and deploy per-user ACL before connecting a user to the network.
Custom routing and online TE.
The ability to route on a variety of business metrics aka routing for dollars. Allowing you to override the default routing behavior.
Custom traffic processing.
For analytics and encryption.
Programmable SPAN ports
Use Openflow entries to mirror selected traffic to the SPAN port.
DoS traffic blackholing & distributed DoS prevention.
Block DoS traffic as close to the source as possible with more selective traffic targeting than the original RTBH approach**. The traffic blocking is implemented in OpenFlow switches. Higher performance with significantly lower costs.
Traffic redirection and service insertion.
Redirect a subset of traffic to network appliances and install redirection flow entries wherever needed.
Network Monitoring.
The controller is the authoritative source of information on network topology and Forwarding paths.
Scale-Out Load Balancing.
Punt new flows to the Openflow controller and install per-session entries throughout the network.
IPS Scale-Out.
OpenFlow is used to distribute the load to multiple IDS appliances.
**Remote-Triggered Black Hole: RTBH refers to installing a host route to a bogus IP address ( RTBH address ) pointing to NULL interfaces on all routers. BGP is used to advertise the host routes to other BGP peers of the attacked hosts, with the next hop pointing to the RTBH address, and it is mainly automated in ISP environments.
SDN deployment models
Guidelines:
Start with small deployments away from the mission-critical production path, i.e., the Core. Ideally, start with device or service provisioning systems.
Start at the Edge and slowly integrate with the Core. Minimize the risk and blast radius. Start with packet filters at the Edge and tasks that can be easily automated ( VLANs ).
Integrate new technology with the existing network.
Gradually increase scale and gain trust. Experience is key.
Have the controller in a protected out-of-band network with SSL connectivity to the switches.
There are 4 different models for OpenFlow deployment, and the following sections list the key points of each model.
Native OpenFlow
They are commonly used for Greenfield deployments.
The controller performs all the intelligent functions.
The forwarding plane switches have little intelligence and solely perform packet forwarding.
The white box switches need IP connectivity to the controller for the OpenFlow control sessions. If you are forced to use an in-band network for this communication path using an isolated VLAN with STP, this should be done with an out-of-band network.
Fast convergence techniques such as BFD may be challenging to use with a central controller.
Many people believe that this approach does not work for a regular company. Companies implementing native OpenFlow, such as Google, have the time and resources to reinvent the wheel when implementing a new control-plane protocol ( OpenFlow ).
Native OpenFlow with Extensions
Some control plane functions are handled from the centralized controller to the forwarding plane switches. For example, the OpenFlow-enabled switches could load balancing across multiple links without the controller’s previous decision. You could also run STP, LACP, or ARP locally on the switch without interaction with the controller. This approach is helpful if you lose connectivity to the controller. If the low-level switches perform certain controller functions, packet forwarding will continue in the event of failure.
The local switches should support the specific OpenFlow extensions that let them perform functions on the controller’s behalf.
Hybrid ( Ships in the night )
This approach is used where OpenFlow runs in parallel with the production network.
The same network box is controlled by existing on-box and off-box control planes ( OpenFlow).
Suitable for pilot deployment models as switches still run traditional control plane protocols.
The Openflow controller manages only specific VLANs or ports on the network.
The big challenge is determining and investigating the conflict-free sharing of forwarding plane resources across multiple control planes.
Integrated OpenFlow
OpenFlow classifiers and forwarding entries are integrated with the existing control plane. For example, Juniper’s OpenFlow model follows this mode of operation where OpenFlow static routes can be redistributed into the other routing protocols.
No need for a new control plane.
No need to replace all forwarding hardware
It is the most practical approach as long as the vendor supports it.
Closing Points on OpenFlow
Advantages of OpenFlow:
OpenFlow brings several critical advantages to network management and control:
1. Flexibility and Programmability: With OpenFlow, network administrators can dynamically reconfigure the behavior of network devices, allowing for greater adaptability to changing network requirements.
2. Centralized Control: By centralizing control in a single controller, network administrators gain a holistic view of the network, simplifying management and troubleshooting processes.
3. Innovation and Experimentation: OpenFlow enables researchers and developers to experiment with new network protocols and applications, fostering innovation in the networking industry.
4. Scalability: OpenFlow’s centralized control architecture provides the scalability needed to manage large-scale networks efficiently.
Implications for Network Control:
OpenFlow has significant implications for network control, paving the way for new possibilities in network management:
1. Software-Defined Networking (SDN): OpenFlow is a critical component of the broader concept of SDN, which aims to decouple network control from the underlying hardware, providing a more flexible and programmable infrastructure.
2. Network Virtualization: OpenFlow facilitates network virtualization, allowing multiple virtual networks to coexist on a single physical infrastructure.
3. Traffic Engineering: By controlling the flow of packets at a granular level, OpenFlow enables advanced traffic engineering techniques, optimizing network performance and resource utilization.
Conclusion:
OpenFlow represents a paradigm shift in network control, offering a more flexible, scalable, and programmable approach to managing networks. By separating the control and data planes, OpenFlow empowers network administrators to have fine-grained control over network behavior, improving efficiency, innovation, and adaptability. As the networking industry continues to evolve, OpenFlow and its related technologies will undoubtedly play a crucial role in shaping the future of network management.
Summary: What is OpenFlow?
In the rapidly evolving world of networking, OpenFlow has emerged as a game-changer. This revolutionary technology has transformed the way networks are managed, offering unprecedented flexibility, control, and efficiency. In this blog post, we will delve into the depths of OpenFlow, exploring its definition, key features, and benefits.
What is OpenFlow?
OpenFlow can be best described as an open standard communications protocol that enables the separation of the control plane and the data plane in network devices. It allows centralized control over a network’s forwarding elements, making it possible to program and manage network traffic dynamically. By decoupling the intelligence of the network from the underlying hardware, OpenFlow provides a flexible and programmable infrastructure for network administrators.
Key Features of OpenFlow
a) Centralized Control: One of the core features of OpenFlow is its ability to centralize network control, allowing administrators to define and implement policies from a single point of control. This centralized control improves network visibility and simplifies management tasks.
b) Programmability: OpenFlow’s programmability empowers network administrators to define how network traffic should be handled based on their specific requirements. Through the use of flow tables and match-action rules, administrators can dynamically control the behavior of network switches and routers.
c) Software-Defined Networking (SDN) Integration: OpenFlow plays a crucial role in the broader concept of Software-Defined Networking. It provides a standardized interface for SDN controllers to communicate with network devices, enabling dynamic and automated network provisioning.
Benefits of OpenFlow
a) Enhanced Network Flexibility: With OpenFlow, network administrators can easily adapt and customize their networks to suit evolving business needs. The ability to modify network behavior on the fly allows for efficient resource allocation and improved network performance.
b) Simplified Network Management: By centralizing network control, OpenFlow simplifies the management of complex network architectures. Policies and configurations can be applied uniformly across the network, reducing administrative overhead and minimizing the chances of configuration errors.
c) Innovation and Experimentation: OpenFlow fosters innovation by providing a platform for the development and deployment of new network protocols and applications. Researchers and developers can experiment with novel networking concepts, paving the way for future advancements in the field.
Conclusion:
OpenFlow has ushered in a new era of network management, offering unparalleled flexibility and control. Its ability to separate the control plane from the data plane, coupled with centralized control and programmability, has opened up endless possibilities in network architecture design. As organizations strive for more agile and efficient networks, embracing OpenFlow and its associated technologies will undoubtedly be a wise choice.
With the introduction and hype around Software Defined Networking ( SDN ) and Cloud Computing, one would assume that there has been little or no work with the advances in IP routing. You could say that the cloud has clouded the mind of the market. Regardless of the hype around this transformation, routing is still very much alive and makes up a vital part of the main internet statistics you can read. Packets still need to get to their destinations.
Advanced in IP Routing
The Internet Engineering Task Force (IETF) develops and promotes voluntary internet standards, particularly those that comprise the Internet Protocol Suite (TCP/IP). The IETF shapes what comes next, and this is where all the routing takes place. It focuses on anything between the physical layer and the application layer. It doesn’t focus on the application itself, but on the technologies used to transport it, for example, HTTP.
In the IETF, no one is in charge, anyone can contribute, and everyone can benefit. As you can see from the chart below, that routing ( RTG ) has over 250 active drafts and is the most popular working group within the IETF.
Diagram: IETF Work Distribution.
The routing area is responsible for ensuring the continuous operation of the Internet routing system by maintaining the scalability and stability characteristics of the existing routing protocols and developing new protocols, extensions, and bug fixes promptly
The following table illustrates the subgroups of the RTG working group:
Bidirectional Forwarding Detection (BFD)
Open Shortest Path First IGP (OSPF)
Forwarding and Control Element Separation (forces)
Routing Over Low power and Lossy networks (roll)
Interface to the Routing System (i2rs)
Routing Area Working Group (RTGW)
Inter-Domain Routing (IDR)
Secure Inter-Domain Routing (SCIDR)
IS-IS for IP Internets (isis)
Source Packet Routing in Networking (spring)
Keying and Authentication for Routing Protocols (Karp)
Mobile Ad-hoc Networks (manet)
The chart below displays the number of drafts per subgroup of the routing area. There has been a big increase in the subgroup “roll,” which is second to BGP. “Roll” relates to “Routing Over Low power and Lossy networks” and is driven by the Internet of Everything and Machine-to-Machine communication.
Diagram: RTG Ongoing Work.
OSPF Enhancements
OSPF is a link-state protocol that uses a common database to determine the shortest path to any destination.
Two main areas of interest in the Open Shortest Path First IGP (OSPF) subgroups are OSPFv3 LSA Extendibility and Remote Loop-Free Alternatives ( LFAs ). One benefit IS-IS has over OSPF is its ability to easily introduce new features with the inclusion of Type Length Values ( TLVs ) and sub-TLVs. The IETF draft-IETF-OSPF-ospfv3-lsa-extend extends the LSA format by allowing the optional inclusion of TLVs, making OSPF more flexible and extensible. For example, OSPFv3 uses a new TLV to support intra-area Traffic Engineering ( TE ), while OSPFv2 uses an opaque LSA.
Diagram: TLV for OSPFv3.
Another shortcoming of OSPF is that it does not install a backup route in the routing table by default. Having a pre-installed backup up path greatly improves convergence time. With pre-calculated backup routes already installed in the routing table, the router process does not need to go through the convergence process’s LSA propagation and SPF calculation steps.
Loop-free alternatives (LFA)
Loop-Free Alternatives ( LFA ), known as Feasible Successors in EIGRP, are local router decisions to pre-install a backup path.
In the diagram below:
-Router A has a primary ( A-C) and secondary ( A-B-C) path to 10.1.1.0/24
-Link State allows Router A to know the entire topology
-Router A should know that Router B is an alternative path. Router B is a Loop-Free Alternate for destination 10.1.1.0/24
Diagram: OSPF LFA.
This is not done with any tunneling, and the backup route needs to exist for it to be used by the RIB. If the second path doesn’t exist in the first place, the OSPF process cannot install a Loop-Free Alternative. The LFA process does not create backup routes if they don’t already exist. An LFA is simply an alternative loop-free route calculated at any network router.
A drawback of LFA is that it cannot work in all topologies. This is most notable in RING topologies. The answer is to tunnel and to get the traffic past the point where it will loop. This effectively makes the RING topology a MESH topology. For example, the diagram below recognizes that we must tunnel traffic from A to C. The tunnel type doesn’t matter – it could be a GRE tunnel, an MPLS tunnel, an IP-in-IP tunnel, or just about any other encapsulation.
In this network:
-Router A’s best path through E
-Routers C’s best path is through D
-Router A must forward traffic directly to C to prevent packets from looping back.
Diagram: Remote LFA.
In the preceding example, we will look at “Remote LFA,” which leverages an MPLS network and Label Distribution Protocol ( LDP ) for label distribution. If you use Traffic Engineering ( TE ), it’s called “TE Fast ReRoute” and not “Remote LFA.” There is also a hybrid model combining Remote LFA and TE Fast ReRoute, and is used only when the above cannot work efficiently due to a complex topology or corner case scenario.
Remote LFAs extend the LFA space to “tunneled neighbors”.
– Router A runs a constrained SPF and finds C is a valid LFA
– Since C is not directly connected, Router A must tunnel to C
a) Router A uses LDP to configure an MPLS path to C
b) Installs this alternate path as an LFA in the CEF table
– If the A->E link fails.
a) Router A begins forwarding traffic along the LDP path
The total time for convergence usually takes 10ms.
Remote LFA has some topology constraints. For example, they cannot be calculated across a flooding domain boundary, i.e., an ABR in OSPF or L1/L2 boundary is IS-IS. However, they work in about 80% of all possible topologies and 90% of production topologies.
BGP Enhancements
BGP is a scalable distance vector protocol that runs on top of TCP. It uses a path algorithm to determine the best path to install in the IP routing table and for IP forwarding.
Recap BGP route advertisement:
RR client can send to a RR client.
RR client can send to a non RR client.
A non-RR client cannot send to a non-RR client.
One drawback to the default BGP behavior is that it only advertises the best route. When a BGP Route Reflector receives multiple paths to the same destination, it will advertise only one of those routes to its neighbors.
This can limit the visibility in the network and affect the best path selection used for hot potato routing when you want traffic to leave your AS as quickly as possible. In addition, all paths to exit an AS are not advertised to all peers, basically hiding ( not advertising ) some paths to exit the network.
The diagram below displays default BGP behavior; the RR receives two routes from PE2 and PE3 about destination Z; due to the BGP best path mechanism, it only advertises one of those paths to PE1.
Diagram: Route Reflector – Default.
In certain designs, you could advertise the destination CE with different Route Distinguishers (RDs), creating two instances for the same destination prefix. This would allow the RR to send two paths to PE.
Diverse BGP path distribution
Another new feature is diverse BGP Path distribution, where you can create a shadow BGP session to the RR. It is easy to deploy, and the diverse iBGP session will announce the 2nd best path. Shadow BGP sessions are especially useful in virtualized deployments, where you can create another BGP session to a VM acting as a Route-Reflector. The VM can then be scaled out in a virtualized environment creating numerous BGP sessions. You are allowing the advertisements of multiple paths for each destination prefix.
Diagram: Route Reflector – Shadow Sessions.
BGP Add-path
A special extension to BGP known as “Add Paths” allows BGP speakers to propagate and accept multiple paths for the same prefix. The BGP Add-Path feature will signal diverse paths, so you don’t need to create shadow BGP sessions. There is a requirement that all Add-Path receiver BGP routers must support the Add-Path capability.
There are two flavors of the Add-Path capability, Add-n-path, and Add-all-path. The “Add-n-path” will add 2 or 3 paths depending on the IOS version. With “Add-all-path,” the route reflector will do the primary best path computation (only on the first path) and then send all paths to the BR/PE. This is useful for large ECMP load balancing, where you need multiple existing paths for hot potato routing.
Diagram: BGP Add Path
Source packet routing
Another interesting draft the IETF is working on is Source Packet Routing ( spring ). Source Packet Routing is the ability of a node to specify a forwarding path. As the packet arrives in the network, the edge device looks at the application, determines what it needs, and predicts its path throughout the network. Segment routing leverages the MPLS data plane, i.e., push, swap, and pop controls, without needing LDP or RSVP-TE. This avoids millions of labels in the LDP database or TE LSPs in the networks.
Diagram: Application Controls – Network Delivers
The complexity and state are now isolated to the network’s edges, and the middle nodes are only swapping labels. The source routing is based on the notion of a 32-bit segment that can represent any instructions, such as service, context, or IGP-based forwarding construct. This results in an ordered chain of topological and service instructions where the ingress node pushes the segment list on the packet.
Prefix Hijacking in BGP
BGP hijacking revolves around locating an ISP that is not filtering advertisements, or its misconfiguration makes it susceptible to a man-in-the-middle attack. Once located, an attacker can advertise any prefix they want, causing some or all traffic to be diverted from the real source towards the attacker.
In February 2008, a large portion of YouTube’s address space was redirected to Pakistan when the Pakistan Telecommunication Authority ( PTA ) decided to restrict access to YouTube.com inside the country but accidentally blackholed the route in the global BGP table.
These events and others have led the Secure-Inter Domain Routing Group ( SIDR ) to address the following two vulnerabilities in BGP:
-Is the AS authorized to originate an IP prefix?
-Is the AS-Path represented in the route the same as the path through which the NLRI traveled?
This lockdown of BGP has three solution components:
RPKI Infrastructure
Offline repository of verifiable secure objects based on public-key cryptography
Follows resources (IPv4/v6 + ASN) allocation hierarchy to provide “right of use”
BGP Secure Origin AS
You only validate the Origin AS of a BGP UPDATE
Solves most frequent incidents (*)
No changes to BGP nor the router’s hardware impact
Standardization is almost finished and running code
BGP PATH Validation
BGPSEC proposal under development at IETF
Requires forward signing AS-PATH attribute
Changes in BGP and possible routers
The roll-out and implementation should be gradual and create islands of trust worldwide. These islands of trust will eventually interconnect together, making BGP more secure.
The table below displays the RPKI Deployment State;
RIR
Total
Valid
Invalid
Unknown
Accuracy
RPKI Adoption Rate
AFRINIC
100%
.44%
.42%
99.14%
51.49%
.86%
APNIC
100%
.22%
.24%
99.5%
48.32%
.46%
ARIN
100%
.4%
.14%
99.46%
74.65%
.54%
LACNIC
100%
17.84%
2.01%
80.15%
89.87%
19.85%
RIPE NCC
100%
6.7%
0.59%
92.71%
91.92%
7.29%
Cloud Enhancements – The Intercloud
Today’s clouds have crossed well beyond the initial hype, and applications are now offered as on-demand services ( anything-as-a-service [XaaS] ). These services are making significant cost savings, and the cloud transition is shaping up to be as powerful as the previous one – the Internet. The Intercloud and the Internet of Things are the two new big clouds of the future.
Currently, the cloud market is driven by two spaces – the public cloud ( off-premise ) and the private cloud (on-premise). The intercloud takes the concept of cloud much further and attempts to connect multiple public clouds. A single application that could integrate services and workloads from ten or more clouds would create opportunities and potentially alter the cloud market landscape significantly. Hence, it is important to know and understand the need for cloud migration and its related problems.
We are already beginning to see signs of this in the current market. Various applications, such as Spotify and Google Maps, authenticate unregistered users with their Facebook credentials. Another use case is a cloud IaaS provider could divert incoming workload to another provider if it doesn’t have the resources to serve the incoming requests, essentially cloud bursting from provider to provider. It would also make economic sense to move workload and services between cloud providers based on cooling costs ( follow the moon ). Or maybe dynamically move workloads between providers, so they are closest to the active user base ( follow the sun )
The following diagram displays a Dynamic Workload Migration between two Cloud companies.
Diagram: Intercloud.
A: Cloud 1 finds Cloud 2
-Naming, Presence
B: Cloud 1 Trusts Cloud 2
-Certificates, Trustsec
C: Both Cloud 1 and 2 negotiate
-Security, Policy
D: Cloud 1 sets up Cloud 2
-Placement, Deployment
E: Cloud 1 sends to Cloud 2
-VM runs in cloud-Addressing, configurations
The concept of Intercloud was difficult to achieve with the previous version of vSphere based on the restriction of latency for VMotion to operate efficiently. Now vSphere v6 can tolerate 100 msec of RTT.
InterCloud is still a conceptual framework, and the following questions must be addressed before it can be moved from concept to production.
1) Intercloud security
2) Intercloud SLA management
3) Interoperability across cloud providers.
Cisco’s One Platform Kit (onePK)
The One Platform Kit is Cisco’s answer to Software Defined Networking. It aims to provide simplicity and agility to a programmatic network. It’s a set of APIs driven by programming languages, such as C and Java, that are used to program the network. We currently have existing ways to program the network with EEM applets but lack an automation tool that can program multiple devices simultaneously. It’s the same with Performance Routing ( PfR ). PfR can program and traffic engineer the network by remotely changing metrics, but the decisions are still local and not controller-based.
Traffic engineering
One useful element of Cisco’s One Platform Kit is its ability to perform “Off box” traffic engineering, i.e., the computation is made outside the local routing device. It allows you to create route paths throughout the network without relying on default routing protocol behavior. For example, the cost is the default metric for route selection for equal-length routes in OSPF. This cannot be changed, which makes the routing decisions very static. In addition, Cisco’s One Platform Kit (onePK) allows you to calculate routes using different variables you set, giving you complete path control.
Shopping Basket
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
