Overlay Networks & IP Fabrics
Overlays & IP fabrics: many roads lead to Rome, and why Layer 2 is not a solution
FrOSCon 13 Network Track
Falk Stern, Maximilian Wilhelm
1 / 27
Agenda
1. Who's who
2. Encapsulate me one more time
3. Tunnel technologies
4. IP-Fabrics
5. Real-world examples
Who's who: Falk Stern
Full Stack Infrastructure Engineer
IPv6 fanboy
Runs his own Kubernetes cluster in his basement
Consultant @ Profi Engineering Systems AG
Contact
@wrf42
falk@fourecks.de
Who's who: Maximilian Wilhelm
Networker
OpenSource Hacker
Fanboy of
(Debian) Linux
ifupdown2
Occupation:
By day: Senior Infrastructure Architect, Uni Paderborn
By night: Infrastructure Archmage, Freifunk Hochstift
In between: Freelance Solution Architect for hire
Contact
@BarbarossaTM
max@sdn.clinic
Encaps/Decaps
Encapsulation
Wrapping frames or packets into other packets
Not always a good idea
A bit like Christmas, you're never sure what you get
Tunnel
IPsec
Authenticates and/or encrypts IP packets
Authentication Header (AH, IP protocol 51) and Encapsulating Security Payload (ESP, IP protocol 50), RFC4301
Transport / Tunnel mode
Transport mode inserts the AH/ESP header between the IP header and the payload; Tunnel mode encapsulates the whole packet in a new IP header
Dynamic keying through IKEv1 or IKEv2
IKE runs over UDP, port 500
Complex protocol, many options
NAT-unfriendly (AH integrity-protects the IP header, ESP has no ports for a NAT to track); NAT-Traversal is negotiated and wraps ESP in UDP port 4500
IPsec
Phase 1 (IKEv1 main/aggressive mode; IKEv2 IKE_SA_INIT + IKE_AUTH)
Exchange of cipher suite proposals
Both ends agree on a shared secret through a Diffie-Hellman key exchange and derive the IKE SA keys from it
Authentication with a Pre-Shared Key or certificates, protected by those keys
Result: the IKE Security Association
Phase 2 (IKEv1 quick mode; IKEv2 CREATE_CHILD_SA)
Negotiates the IPsec (Child) SAs that actually carry traffic; their keys are derived from the phase 1 secret plus fresh nonces
An optional additional Diffie-Hellman exchange per Child SA gives perfect forward secrecy (PFS): a later compromise of the IKE SA keys does not reveal the traffic keys
Periodic rekeying replaces SAs with new ones
Only traffic matching the SA's traffic selectors is protected
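The key derivation behind the two phases, as an added example that is not part of the talk: a small Python model following the IKEv2 structure from RFC 7296 (SKEYSEED = prf(Ni|Nr, g^ir), SK_d taken from prf+, and Child SA KEYMAT = prf+(SK_d, [g^ir(new) |] Ni|Nr)) with HMAC-SHA256 as the PRF. The Diffie-Hellman group, nonces, SPIs and the attacker model are constructed for this example, and the group is a toy one that must never be used for anything real. The point it makes is what PFS buys: without the extra Diffie-Hellman exchange, an attacker who later obtains SK_d and a decrypted transcript of the rekey recomputes the traffic keys exactly; with it, the transcript only contains public values and the fresh exponents are gone.

```python
"""Key derivation behind IKE phase 1 and phase 2, with and without PFS.
Added example, not code from the talk.  Follows the IKEv2 derivation in
RFC 7296 (sections 2.13, 2.14, 2.17) with HMAC-SHA256 as the PRF.
Assumption: the Diffie-Hellman group below is a toy (insecure) group so
the script runs instantly; real IKE uses 2048-bit MODP or EC groups and
derives more keys (SK_a*, SK_e*, SK_p*) than the SK_d modelled here.
"""
import hashlib
import hmac
import secrets
from typing import Optional

P = 2**89 - 1          # toy modulus (a Mersenne prime), NOT for real use
G = 3
DH_LEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 s.2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(DH_LEN, "big")


def phase1_sk_d(ni: bytes, nr: bytes, g_ir: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """Phase 1 / IKE_SA_INIT: SKEYSEED = prf(Ni|Nr, g^ir) and SK_d is the first
    32 bytes of prf+(SKEYSEED, Ni|Nr|SPIi|SPIr).  SK_d lives as long as the
    IKE SA, and every later Child SA key is derived from it."""
    skeyseed = prf(ni + nr, g_ir)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def phase2_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: Optional[bytes], length: int = 64) -> bytes:
    """Phase 2 / CREATE_CHILD_SA (RFC 7296 s.2.17):
    without PFS  KEYMAT = prf+(SK_d, Ni|Nr)
    with PFS     KEYMAT = prf+(SK_d, g^ir(new)|Ni|Nr)"""
    return prf_plus(sk_d, (g_ir_new or b"") + ni + nr, length)


def run_rekey(pfs: bool) -> dict:
    """Phase 1, then one Child SA rekey, then an attacker who later obtains
    SK_d plus a decrypted transcript of the rekey (nonces and the public KE
    values) but no private DH exponent.  Nonces and SPIs are generated here."""
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    sk_d_i = phase1_sk_d(ni, nr, dh_shared(xi, gr), spi_i, spi_r)
    sk_d_r = phase1_sk_d(ni, nr, dh_shared(xr, gi), spi_i, spi_r)

    ni2, nr2 = secrets.token_bytes(32), secrets.token_bytes(32)
    if pfs:
        yi, ke_i = dh_keypair()          # fresh exponents, discarded after use
        yr, ke_r = dh_keypair()
        keymat_i = phase2_keymat(sk_d_i, ni2, nr2, dh_shared(yi, ke_r))
        keymat_r = phase2_keymat(sk_d_r, ni2, nr2, dh_shared(yr, ke_i))
        del yi, yr
        attacker = None                  # ke_i and ke_r alone do not give g^ir(new)
    else:
        keymat_i = phase2_keymat(sk_d_i, ni2, nr2, None)
        keymat_r = phase2_keymat(sk_d_r, ni2, nr2, None)
        attacker = phase2_keymat(sk_d_i, ni2, nr2, None)   # transcript + SK_d suffice

    return {"pfs": pfs, "phase1_agree": sk_d_i == sk_d_r,
            "peers_agree": keymat_i == keymat_r,
            "attacker_recovers_keymat": attacker == keymat_i}


if __name__ == "__main__":
    for mode in (False, True):
        print(run_rekey(mode))
```

Run it twice and compare the two dictionaries: in both cases the peers agree on the traffic keys, but only without PFS does the attacker's recomputation match. This is also why IKEv1 "PFS group" / IKEv2 Child SA DH group settings matter in a VPN policy even though the phase 1 exchange already did a Diffie-Hellman.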
GRE - Generic Routing Encapsulation
Developed by Cisco in 1994 (RFC1701), now RFC2784 and RFC2890
Encapsulates IP, IPX, AppleTalk (anything with an Ethertype) in IP
IP protocol 47
Adds a 4 byte GRE header; with the outer IPv4 header the total overhead is 24 bytes (more if the optional key or sequence number fields are used)
No authentication or encryption of its own: whoever can send IP protocol 47 to the endpoint can inject packets unless the endpoint filters by source or the tunnel runs over IPsec
Used in
PPTP VPN (encapsulates IP in PPP in GRE)
IPv6 in IPv4
Tunnel between IPsec endpoints (GRE over IPsec, e.g. to carry multicast and routing protocols)
Low overhead tunnel between everything
L2TP - Layer 2 Tunneling Protocol
L2TPv2 developed to tunnel PPP - RFC2661
L2TPv3 as an alternative to MPLS pseudowires - RFC3931
Runs over UDP (port 1701); L2TPv3 can also run directly over IP (protocol 115)
NAT-friendly when carried in UDP
No confidentiality of its own: L2TP/IPsec VPNs carry the L2TP packets inside IPsec ESP - RFC3193
OpenVPN
Flexible TLS-based VPN ("SSL VPN")
TCP- or UDP-based (UDP 1194 by default)
Tunnels IPv4, IPv6 or even Ethernet frames (tun vs. tap device)
X.509 certificate-based authentication
Username/password with 2FA possible
Multi Protocol Label Switching / MPLS
Developed to enable fast switching in core routers
Forwarding on the IP destination needs a longest-prefix match, which in hardware required expensive TCAM
A label lookup is an exact match, no longest match needed
"Layer 2.5": needs an IP control plane (LDP, RSVP-TE or BGP) to distribute labels, RFC3031
Enables predefined paths through a network (label-switched paths)
Allows traffic engineering
Used by service providers (L3VPN, L2VPN / pseudowires)
Virtual eXtensible LAN / VXLAN
Poor man's MPLS
Developed by VMware, Cisco, Arista Networks and others, now RFC7348
Broad industry backing
24 bit VXLAN Network Identifier (VNI) instead of 12 bit VLAN ID
16M vs. 4096
Encapsulates Ethernet frames in UDP packets (IANA port 4789; the Linux driver defaults to the pre-standard port 8472 unless dstport is set)
Overhead: 8 byte VXLAN header + 8 byte UDP + 20 byte IPv4 = 36 bytes (56 bytes over IPv6), plus 14 bytes outer Ethernet on the wire, i.e. 50 / 70 bytes; raise the underlay MTU accordingly
Endpoints are called VXLAN Tunnel End Points (VTEP)
No authentication or encryption: any host that can deliver UDP to a VTEP can inject frames into a VNI, so the underlay must restrict VXLAN traffic to known VTEPs (or carry it inside IPsec)
Virtual eXtensible LAN / VXLAN
Unicast mode
VTEPs are statically defined
Point-to-point
Can be used for data center interconnects
Multicast mode
All VTEPs of a VNI join a configured multicast group
Broadcast, unknown unicast and multicast (BUM) frames are sent to that multicast group
VTEPs learn remote MAC-to-VTEP mappings from the outer source address of received packets (data-plane learning, like a normal switch)
Virtual eXtensible LAN / VXLAN
Controller based
An external controller programs VTEP endpoints and MAC mappings
BUM traffic gets replicated to all VTEPs (head-end replication), no multicast in the underlay needed
Ideally there is no BUM traffic (the controller knows every MAC and can answer ARP/ND locally)
Commercially available
Cisco APIC
VMware NSX through OVSDB
Cumulus vxfld (https://github.com/CumulusNetworks/vxfld)
IP Fabrics
Clos Fabrics
Invented for the telephone network
Formalized by Charles Clos in 1953 ("A Study of Non-blocking Switching Networks")
Far fewer crosspoints required than with a single large switch
What's wrong with Layer 2?
Spanning-Tree has to block redundant paths: a bridged domain is a single tree
Only one active path between any two switches
IP can use multiple concurrent paths (ECMP)
MC-LAG and LACP are possible workarounds
But way too complex, limited to 2 upstream devices
Does not scale
IP Fabrics
Predictable latency through the whole fabric
Scalable
Predictable bandwidth through the whole fabric
Perfect underlay for overlay networks
Typical design is leaf and spine: every leaf connects to every spine, leaves do not connect to each other
Bisection bandwidth scales with the number of spines
BGP to the rescue!
BGP was built to carry paths between ASes and supports multiple equal-cost paths (multipath / ECMP)
Is able to carry all necessary routes
Through the L2VPN/EVPN address family (AFI 25, SAFI 70) it can also carry MAC addresses (not VPNv4, which carries IPv4 VPN prefixes)
eBGP with one (private) AS number per rack, as described in RFC7938
iBGP would need route reflectors or a full mesh
BGP to the rescue!
Packet flow in an IP Fabric (diagram)
Tying it all together
VXLAN* can be used as an overlay protocol in the fabric
BGP EVPN carries all MAC addresses (type 2 routes) with the VTEP address as next-hop, so neither flooding nor multicast is needed to learn them
Suddenly
All links in use
More than 4096 VLANs available
"A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)"
RFC8365, March 2018
* To be fair MPLS can be used as data plane too
Tunneled Chaos Ethernet (diagram)
VXLAN tunnel via unicast between the loopback IPs of dr-01 and cr-D, across AS13020 and AS39225
VTEPs bridged into the Chaos network on dr-01 and into the eth1 NIC on cr-D
Layers shown: Core, Distribution, Border, Access; nodes: br-01, cr-A to cr-E, dr-01, dr-02, sw-01, ap-01 to ap-04
Tunneled Chaos Ethernet
Set up VTEPs
dr-01# ip link add vx_chaos type vxlan id 31337 local 94.45.224.0 remote 194.107.207.4
dr-01# ip link set dev vx_chaos up
cr-D# ip link add vx_chaos type vxlan id 31337 remote 94.45.224.0 local 194.107.207.4
cr-D# ip link set dev vx_chaos up
Join the VTEP into the preconfigured bridge br_chaos
# ip link set dev vx_chaos master br_chaos
Both ends must use the same UDP port: without dstport the Linux driver uses 8472, the IANA port is 4789 (add dstport 4789 on both sides to interoperate with other VTEPs)
The tunnel itself is neither authenticated nor encrypted: restrict the VXLAN UDP port on both hosts to the peer's address, or carry it over IPsec, before bridging a production segment through it
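To make the encapsulation from the VXLAN slides and the vx_chaos setup above concrete, here is an added Python model that is not code from the talk. It builds the outer IPv4/UDP/VXLAN headers around a constructed inner Ethernet/IPv4/TCP frame, shows the 36-byte overhead (before the outer Ethernet header), derives the outer UDP source port from the inner headers as RFC 7348 recommends so that the fabric's ECMP hashing spreads inner flows across spines, and implements the receive-side checks a VTEP should apply: VXLAN port and length, I flag set, expected VNI, and an allow-list of source VTEPs. The VTEP addresses and the VNI are those from the Chaos example; the MAC and IP addresses of the inner frame, the allow-list, the spine count and the ECMP hash model are assumptions made for this example.

```python
"""VXLAN encapsulation, overhead, ECMP entropy and receive-side checks.
Added example, not code from the talk.  Pure Python, no raw sockets; the
outer Ethernet header is left out, so lengths here are IP-and-up.
"""
import hashlib
import socket
import struct

VXLAN_PORT = 4789   # IANA port; the Linux driver defaults to 8472 unless dstport is set
VNI = 31337         # VNI from the talk's Chaos example
VTEP_LOCAL, VTEP_REMOTE = "94.45.224.0", "194.107.207.4"   # dr-01 / cr-D from the talk


class VxlanReject(Exception):
    """Raised by decapsulate() for packets a VTEP must drop."""


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    f = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)]
    f[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)


def inner_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed sample payload: Ethernet II + IPv4 + TCP SYN, no data (54 bytes)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ipv4_header(src_ip, dst_ip, len(tcp), 6) + tcp


def vxlan_header(vni: int) -> bytes:
    """RFC 7348 s.5: flags byte (I bit = 0x08), 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def entropy_source_port(inner: bytes) -> int:
    """Outer UDP source port from a hash of the inner Ethernet/IP/L4 headers
    (RFC 7348 s.5 recommends this, range 49152-65535) so that underlay ECMP,
    which only sees the outer 5-tuple, still spreads the inner flows."""
    h = hashlib.sha256(inner[:14 + 20 + 4]).digest()
    return 49152 + int.from_bytes(h[:2], "big") % (65536 - 49152)


def encapsulate(inner: bytes, vni: int, local: str, remote: str, sport: int = None) -> bytes:
    """Outer IPv4 + UDP + VXLAN header around an inner Ethernet frame."""
    payload = vxlan_header(vni) + inner
    sport = entropy_source_port(inner) if sport is None else sport
    udp = struct.pack("!HHHH", sport, VXLAN_PORT, 8 + len(payload), 0)   # UDP checksum 0 is allowed on IPv4
    return ipv4_header(local, remote, len(udp) + len(payload), 17) + udp + payload


def decapsulate(packet: bytes, expected_vni: int, allowed_vteps: set) -> bytes:
    """Receive-side checks.  VXLAN has no authentication (RFC 7348 security
    considerations), so a source allow-list is the minimum; as outer source
    addresses can be spoofed it must be backed by underlay filtering or IPsec."""
    if len(packet) < 20 + 8 + 8:
        raise VxlanReject("truncated")
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    if packet[9] != 17:
        raise VxlanReject("not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT or ulen != len(packet) - ihl:
        raise VxlanReject("bad UDP port or length")
    if src not in allowed_vteps:
        raise VxlanReject("unknown VTEP %s" % src)
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & 0x08:                 # I flag must be set; the other bits are reserved and ignored on receipt
        raise VxlanReject("I flag not set")
    if vni_field >> 8 != expected_vni:   # low byte is reserved
        raise VxlanReject("VNI mismatch")
    return packet[ihl + 16:]


def spine_for(packet: bytes, n_spines: int) -> int:
    """Model (assumption) of an underlay switch's ECMP hash over the outer 5-tuple."""
    ihl = (packet[0] & 0x0F) * 4
    key = packet[9:10] + packet[12:20] + packet[ihl:ihl + 4]
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_spines


def ecmp_spread(n_flows: int, n_spines: int, fixed_sport: int = None) -> int:
    """How many spines carry n_flows inner TCP flows (differing only in the
    TCP source port) between two hosts behind the same VTEP pair."""
    used = set()
    for i in range(n_flows):
        f = inner_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000 + i, 443)
        used.add(spine_for(encapsulate(f, VNI, VTEP_LOCAL, VTEP_REMOTE, fixed_sport), n_spines))
    return len(used)


if __name__ == "__main__":
    frame = inner_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000, 443)
    pkt = encapsulate(frame, VNI, VTEP_LOCAL, VTEP_REMOTE)
    print("overhead without outer Ethernet:", len(pkt) - len(frame), "bytes")
    print("round trip ok:", decapsulate(pkt, VNI, {VTEP_LOCAL}) == frame)
    print("spines used, fixed source port:", ecmp_spread(64, 4, VXLAN_PORT))
    print("spines used, entropy source port:", ecmp_spread(64, 4))
    try:
        decapsulate(encapsulate(frame, VNI, "203.0.113.9", VTEP_REMOTE), VNI, {VTEP_LOCAL})
    except VxlanReject as e:
        print("rejected:", e)
```

Two things the run makes visible: with a fixed outer source port every inner flow between the two VTEPs hashes onto the same spine, which is why VTEPs put entropy into that port; and a packet from an address outside the allow-list is dropped only because this VTEP checks the outer source, a check the protocol itself never performs.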
Real World Examples
Cisco ACI
BGP control-plane with VXLAN overlay
VMware NSX
Controller-based control-plane with VXLAN overlay
OpenNebula / Apache CloudStack
Network virtualization with multicast VXLAN
Links
Further Reading
Cumulus: BGP in the data center
Cumulus: EVPN
Questions?
