Cisco SD-WAN at a Glance
Overlay Mngt Protocol
& more
by Alessandro Legnani
IP Network Architect CCIE SP 44166
Agenda
1. Cisco-SDWAN
2. OMP Quick&Deep Dive
3. Migration Approaches
4. Extras
5. Credits (for diagrams and source of info)
Cisco SDWAN - Why should I care?
1. Reduce Opex Cost
2. Operate faster and independently from underlay network
3. Integrate Latest Cloud & Network Technologies (Office365, AWS, Azure…)
4. And it perfectly scales out (7k vEdges UCs)
Cisco SDWAN – At a Glance
The SD-WAN “fabric” is basically an overlay software network that runs over standard network transport services (underlay), including the public Internet, MPLS and LTE/4G. Management and policy stay in-house (insourced), while the data plane (DP) and control plane (CP) can be outsourced.
Cisco SDWAN – New fully enriched routing protocol
OMP (Overlay Management Protocol) is the new routing protocol that carries the routes, next hops, multicast info, keys and policy information needed to establish and maintain the overlay network. It's a TCP-based and extensible protocol that runs (inside authenticated DTLS tunnels) between vEdge (aka WAN-Edge) routers and vSmart controllers (and among vSmarts themselves).
Cisco SDWAN - Data Plane Establishment
Optimized bullet-proof IPsec tunnels (without IKE flaws) are in charge of data plane encapsulation, integrity and confidentiality.
Cisco SDWAN - Key features 1/3
• Centralized routing intelligence that enables per-segment (VPN) topology.
• Secures the network automatically.
• Influences reachability through centralized policy.
• Simplified orchestration and provisioning.
• Multi-Tenancy (single vManage in MT Mode)
Cisco SDWAN - Key features 2/3
• NextGen SaaS services access optimization (CloudExpress)
• Accelerate your shift to IaaS cloud services (CloudOnRamp)
Cisco SDWAN - Key features 3/3
• Path liveliness and quality measurements (Up/Down, loss/latency/jitter, IPsec MTU discovery) through BFD
• BFD uses a hello (Up/Down) interval, a poll (App-Aware SLA) interval and a multiplier for detection, and all of them are fully customizable
• Intelligent application steering
• Interactive SLA monitoring/influence
• Improved convergence (TLOC repetitive ARP request)
Cisco SDWAN – Inner Flexibility and Security!
• Place your CP wherever you want
• Use competitors/internet “pipes”
• Automated building of full mesh IPsec tunnels without sending a single discovery packet (no IKE)
• Man-in-the-Middle is dead!
Cisco SDWAN - Main Components 1/4
vManage (NMS)
• Centralized network management
• Simple graphical dashboard
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Real time alerting
• Stores certificate credentials
• Stores configurations for all SD-WAN components.
As all components come online in the network, they request their certificates and configurations from the vManage NMS. When the vManage NMS receives these requests, it pushes the certificates and configurations to the SD-WAN network devices.
Cisco SDWAN - Main Components 2/4
vSmart Controller
• Centralized brain of the overlay fabric
• Establishes OMP peering with vEdges
• Acts like a BGP Route Reflector
• Enables central control and central data policy creation and distribution (TE, Service Chaining, VPN segmentation, ad hoc topology)
• Orchestrates secure data plane connectivity between the edges (IPsec tunnels)
Cisco SDWAN - Main Components 3/4
vBond Orchestrator
• Orchestrates connectivity among management, control and data plane
• 1st point of authentication
• Requires a public IP address
• All other components need to know the vBond IP/DNS.
• Facilitates NAT traversal (STUN server)
[Diagram: SymNat ✗ SymNat/PortRestricted]
• Authorizes all control connections (white list model)
• Distributes the list of vSmarts to all vEdges
Cisco SDWAN - Main Components 4/4
vEdge Routers
• WAN edge router of the site
• Leverages traditional routing protocols like OSPF, BGP
• Applies policies on data plane traffic
• Provides secure data plane
• Either HW devices or SW VNF support
OMP Q&D Dive - Thoughts behind OMP creation ..
• Link-State is not fine because all devices must have the same view and I cannot filter information.
• But IS-IS is attractive because adjacency is not dependent on the interface IP address (=> Site-ID). When I am in a NAT environment my IP is not predictable (=> Site-ID).
• BGP is path vector, built for bulk-data transfer and very scalable, but based on AS identity (=> base it on Site-ID instead). Change it from an AS-PATH protocol to a VPN protocol (encompassing MPLS functionalities) while keeping the extensibility (AFI, SAFI, Attributes).
• Do not forget STP in terms of a poor CP choice (think about the very large scale driven by IoT in the near future).
• The problem with IPsec (DP) is its CP, IKE (essentially built for P2P connectivity): replace IKE by doing key distribution BGP-style over an SSL-encrypted tunnel, leveraging an ad-hoc attribute (when I give you my route I also give you my encryption keys). In this manner we could easily encrypt the entire Internet.
• What about using UDP-based IPsec to encrypt MPLS? (RFC 4023)
• Loop avoidance in mind (keep origin information intact).
• Take care also of multicast info distribution (sources, receivers, replicators).
OMP Q&D Dive – .. that led to these features
• Authentication via crypto endpoints
• Encrypted CP peering
• Massively scalable key distribution for DP
• Largely scalable overlay routing
• Availability
• Convergence
• Service Side (LAN) routing (IPv4, IPv6) is used to identify end-nodes and services (LBs, FWs) and is independent of the underlay topology
• SERVICE side is overlay
• TLOC (IPv4, IPv6) is assigned by any 3rd party carrier/transport network
• TLOC is like the NH of BGP, and I can now assign a full set of attributes to it
• TLOC is underlay
OMP Q&D Dive – At a Glance
The Overlay Management Protocol (OMP) is the protocol responsible for establishing and maintaining the control plane.
It provides the following services:
• Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN topologies
• Distribution of service-level (LAN) routing information and related location mappings
• Distribution of data plane security parameters
• Central control and distribution of routing policy
OMP uses TCP as its transport protocol.
https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
OMP Q&D Dive - TLOC route attributes
• Site-ID
• Encap-SPI
• Encap-Authentication
• Encap-Encryption
• Public IP and Port
• Private IP and Port
• BFD-Status
• Tag
• Preference
• Weight
OMP Q&D Dive - Service Side route attributes
• TLOC
• Site-ID
• Label
• VPN-ID
• Tag
• Preference
• Originator System IP
• Origin Protocol
• Origin Metric
OMP Q&D Dive - Network Services route attributes
I can advertise to everyone which services are available in a particular site, to make service chaining and service moves much easier.
• VPN-ID
• Service-ID
• Label
• Originator System IP
• TLOC
OMP Q&D Dive - Service Chaining
Service chaining (centralized control policy) allows data traffic to be routed through one or more network services, such as FWs, LBs, and IDS/IPS devices, en route to its destination.
OMP Q&D Dive - Best-Path Algorithm
1. Check whether the OMP route is valid. It is installed in the FIB only if the TLOC to which it points is active. For a TLOC to be active, an active BFD session must be associated with that TLOC. BFD sessions are established by each vEdge router, which creates a separate BFD session with each of the remote TLOCs. If a BFD session becomes inactive, the vSmart controller removes from the forwarding table all the OMP routes that point to that TLOC.
2. If learned from the same device, select the OMP route with the lower administrative distance (OMP AD is 250).
3. If the ADs are equal, select the OMP route with the higher OMP route preference value.
4. If the OMP route preference values are equal, select the OMP route with the higher TLOC preference value.
5. If the TLOC preference values are equal, compare the origin type and select the first match in the following order:
   • Connected
   • Static
   • EBGP
   • OSPF intra-area
   • OSPF inter-area
   • OSPF external
   • IBGP
   • Unknown
6. If the origin type is the same, select the OMP route that has the lower origin metric.
7. If the origin metrics are the same, select the OMP route with the higher router ID.
8. If the router IDs are equal, select the OMP route with the higher private IP address.
9. If a vSmart controller receives the same prefix from two different sites and all attributes are equal, the vSmart controller chooses both of them (up to 4 ECMP). A route learned directly from a vEdge is preferred over the same route learned from another vSmart.
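The selection above as an added Python example written for this page (not Cisco's or the slide's own code): routes for one prefix are dropped while their TLOC has no BFD session, ranked through steps 2-6, tie-broken within a site by router ID and private IP, and load-shared across sites up to four paths. Treating steps 7-8 as a per-site tie-break and placing the vEdge-over-vSmart preference inside step 9 is my reading of the slide; field names, sites and IPs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Origin types in the order the slide's step 5 prefers them (lower index wins).
ORIGIN_ORDER = ["connected", "static", "ebgp", "ospf-intra-area",
                "ospf-inter-area", "ospf-external", "ibgp", "unknown"]
OMP_AD = 250      # administrative distance of OMP routes (slide, step 2)
MAX_ECMP = 4      # slide, step 9: at most four equal-cost paths are installed


@dataclass(frozen=True)
class Tloc:
    """Transport locator plus the attributes best-path looks at (field names assumed)."""
    system_ip: str
    color: str
    preference: int = 0
    private_ip: str = "0.0.0.0"
    bfd_up: bool = False   # step 1: a TLOC is active only with an active BFD session


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    tloc: Tloc
    site_id: int
    ad: int = OMP_AD
    preference: int = 0                # OMP route preference (step 3)
    origin: str = "unknown"            # one of ORIGIN_ORDER (step 5)
    origin_metric: int = 0             # step 6
    router_id: str = "0.0.0.0"         # step 7
    learned_from_vedge: bool = True    # False when relayed by another vSmart (step 9)


def _ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def _rank(r: OmpRoute):
    """Sort key for steps 2-6: a smaller tuple is a better route."""
    origin_rank = ORIGIN_ORDER.index(r.origin) if r.origin in ORIGIN_ORDER else len(ORIGIN_ORDER)
    return (r.ad, -r.preference, -r.tloc.preference, origin_rank, r.origin_metric)


def _site_winner(routes: List[OmpRoute]) -> OmpRoute:
    """Steps 7-8: within one site prefer the higher router ID, then the higher private IP."""
    return max(routes, key=lambda r: (_ip(r.router_id), _ip(r.tloc.private_ip)))


def best_paths(routes: List[OmpRoute]) -> List[OmpRoute]:
    """Return the routes for ONE prefix that would be installed (empty if none is valid)."""
    assert len({r.prefix for r in routes}) <= 1, "group routes by prefix before calling"
    # Step 1: a route is only valid while its TLOC has an active BFD session.
    valid = [r for r in routes if r.tloc.bfd_up]
    if not valid:
        return []
    best = min(_rank(r) for r in valid)
    tied = [r for r in valid if _rank(r) == best]
    # Step 9: a copy learned directly from a vEdge beats one relayed by another vSmart.
    direct = [r for r in tied if r.learned_from_vedge]
    if direct:
        tied = direct
    # Steps 7-8 decide between candidates of the same site; step 9 load-shares across sites.
    per_site: Dict[int, List[OmpRoute]] = {}
    for r in tied:
        per_site.setdefault(r.site_id, []).append(r)
    winners = sorted((_site_winner(rs) for rs in per_site.values()), key=lambda r: r.site_id)
    return winners[:MAX_ECMP]


if __name__ == "__main__":
    # Constructed sample: three sites advertise 10.0.0.0/24; site 3 has the best
    # preference but its TLOC's BFD session is down, so it never competes.
    sample = [
        OmpRoute("10.0.0.0/24", Tloc("1.1.1.5", "mpls", bfd_up=True), site_id=1,
                 preference=100, origin="ebgp"),
        OmpRoute("10.0.0.0/24", Tloc("1.1.1.6", "biz-internet", bfd_up=True), site_id=2,
                 preference=100, origin="connected"),
        OmpRoute("10.0.0.0/24", Tloc("1.1.1.9", "mpls", bfd_up=False), site_id=3,
                 preference=200, origin="connected"),
    ]
    for r in best_paths(sample):
        print(f"install {r.prefix} via site {r.site_id} TLOC {r.tloc.system_ip}/{r.tloc.color}")
```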
OMP Q&D Dive - Message Types
OMP supports a variety of message types to enable routing control across the transport networks, such as:
• HELLO: sent periodically between peers to indicate that each peer is alive and reachable.
• HANDSHAKE: the first message sent by each side after a TCP connection is established. It includes the site-id of the site where the route originated; the site-id may be used for route selection and loop detection. HANDSHAKE also carries a Hold Time, a value set by the overlay controller (OC) that specifies the time between HELLO messages and UPDATE messages between the overlay controller (OC) and an overlay edge router (OER).
• ALERT: used by a peer on one end of a connection to notify the peer at the opposite end that an error condition has been detected.
• UPDATE: used to transfer routing information between peers in the overlay domain. An UPDATE message advertises feasible routes that share common path attributes to a peer, or withdraws multiple unfeasible routes from service. An UPDATE message may simultaneously advertise a feasible route and withdraw multiple unfeasible routes.
• QUERY: used to request a specific route for which an aggregate or less specific route exists. This message is sent by an edge device once it finds out that a group of received prefixes carries the Query attribute.
OMP Q&D Dive – Control and Data Policies
• Control policy, which affects the flow of routing information in the network's control plane
• Data policy, which affects the flow of data traffic in the network's data plane
• Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.
OMP Q&D Dive - Basic or Advanced Policies
Basic policies influence or determine basic traffic flow through the overlay network, such as managing the paths along which traffic is routed and permitting or blocking traffic based on address, port and DSCP.
You can also enable vEdge local policies such as class of service and queuing, mirroring, and policing.
Advanced policies offer specialized policy-based network applications such as:
• Service chaining, which redirects data traffic to shared devices in the network, such as firewalls, intrusion detection and prevention (IDS/IPS), load balancers and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site.
• Application-aware routing, which picks the best path for traffic based on real-time network and path performance characteristics.
• Cflowd, for monitoring traffic flows.
• Making the vEdge a NAT device, so that traffic destined for the Internet or another public network can exit directly from the vEdge router.
OMP Q&D Dive - Centralized or Localized Policies
Centralized policy refers to policy provisioned on vSmart controllers.
Localized policy refers to policy that is provisioned locally, on the vEdge.
OMP Q&D Dive - Centralized Policy (CP or DP)
• Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers.
• Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.
OMP Q&D Dive - Localized Policy (CP or DP)
• Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network.
• Localized data policy allows you to provision access lists and apply them to a specific interface. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring.
OMP Q&D Dive - Graceful Restart
Graceful restart allows OMP peers to continue operating if one of the peers becomes unavailable.
If a vSmart becomes unavailable, its peer vEdge router continues to forward traffic, using the last-known good routing info received from the vSmart controller.
Similarly, if a vEdge router becomes unavailable, its peer vSmart controller continues to use the last-known good routing info that it received from the dead vEdge.
OMP graceful restart is enabled by default on vSmart controllers and vEdge routers. The default graceful restart time is 43,200 seconds (12 hours).
When OMP graceful restart is enabled, a vEdge router and a vSmart cache the OMP info that they learn from their peer. This information includes OMP routes, TLOC routes, service routes, IPsec SA parameters, and centralized data policies.
When one of the OMP peers is unreachable, the other peer uses the cached information. The router also periodically checks whether the peer has become available again. When it's back online and the router re-establishes a connection to it, the router flushes its local cache and considers only the new OMP info from the restored peer to be valid and reliable.
OMP Q&D Dive – Config

Site 50:
system
 system-ip 1.1.1.9
 domain-id 1
 site-id 50
 vbond 184.168.0.69
!
vpn 0
 interface eth4
  ip address 10.0.16.19/24
  tunnel-interface
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.16.19
omp
 no shutdown
 advertise bgp
!

Site 1:
system
 system-ip 1.1.1.5
 domain-id 1
 site-id 1
 vbond 184.168.0.69
!
vpn 0
 interface ge1/1
  ip address 75.0.13.15/24
  tunnel-interface
  !
  no shutdown
 ip route 0.0.0.0/0 75.0.13.15
!
vpn 1
 router
  bgp 1
   address-family ipv4_unicast
    redistribute omp
   !
   neighbor 10.0.17.17
    no shutdown
    remote-as 2
   !
  !
 !
 interface ge0/1
  ip address 10.0.19.15/24
 !
omp
 no shutdown
 advertise ospf external
!

Site 2:
system
 system-ip 1.1.1.6
 domain-id 1
 site-id 2
 vbond 184.168.0.69
!
vpn 0
 interface ge2/1
  ip address 172.16.10.16/24
  tunnel-interface
  !
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.7.16
!
vpn 2
 router
  ospf
   area 0
    interface ge0/2
    exit
   exit
  !
 !
 interface ge0/2
  ip address 172.16.7.16/24
  no shutdown
 !
Migration Approaches – Best Practice/Sequence
• Sequence
• Investigation and Planning
• Factors to be considered
Migration Approaches – DC always first
• Interim communication between migrated and non-migrated sites is a must
• SD-WAN circuits run in parallel to the existing circuits
• Seamless migration is paramount and is NOT plug-and-play
• Looks simple but it's complex
Migration Approaches – Replace CE
• SD-WAN to Legacy comms via DC/Regional Hub
• SD-WAN to Legacy comms via underlay
Migration Approaches – Retain CE
• SD-WAN to Legacy comms via underlay
• SD-WAN to Legacy comms via DC/Regional Hub
Migration Approaches – Comms during migration
[Diagram: four migration communication scenarios, panels 1 to 4]
Extras – Redundancy
Extras – ZTP Zero Touch Provisioning
Assumptions:
• DHCP on Transport side (WAN)
• DNS to resolve ztp.viptela.com / devicehelper.cisco.com
Extras – Multicast
• PIM-SM v2
• IGMP v2
• Multicast optimization by eliminating redundant packet replication
• Designated replicators
• RP must be provided by a router on the local-site network
• Auto-RP is supported
• PIM is not configured on the transport side (VPN 0); OMP takes care of source/receiver/replicator location info distribution
• Multicast by default can use up to 20% of interface bandwidth (adjustable)
• Data-policy, ACL and mirroring are not supported for multicast
Extras – SDWAN+SR (for SP Managed CEs)
[Diagram: SDWAN Controller and SR Controller over an IGP+SR underlay (PE1, P2, P3, PE4); overlay vpnv4 traffic is steered by a Binding-SID onto an SR-TE path list. Steps: 1) share app-path required parameters; 2) PCEP to configure SR Policy / Binding SID; 3) SR: Binding SID; 4) SR: Binding SID]
Segment Routing can be used by a SP to offer underlay transport SLA for Over-The-Top (overlay) VPNs with SLA differentiation.
Each SR-TE Policy requires a separate BSID: each SR-TE policy is associated 1-to-1 with a Binding-SID. At the PE, the BSID label is popped and the SR-TE segment IDs/path list is pushed.
• SP does not hold any per-flow state in its core
• SP does not hold any complex L3-L7 flow classification
• SP does not share any info of its infrastructure, topology, capacity, internal SIDs
• SDWAN instance does not share any info of its traffic classification, steering policy or business logic
https://tools.ietf.org/html/draft-dukes-spring-sr-for-sdwan-00
Extras - Competitors
Gartner Magic Quadrant for WAN Edge Infrastructure, 18 October 2018
Credits go to…
https://sdwan-docs.cisco.com/Product_Documentation
https://www.slideshare.net/CiscoCanada/understanding-ciscos-next-generation-sdwan-solution-with-viptela
https://ciscolive.cisco.com/on-demand-library/
• BRKCRS-2110
• BRKCRS-2111
• BRKCRS-2112
• BRKCRS-2113
• BRKRST-2095
https://www.think-like-a-computer.com/2011/09/16/types-of-nat/
http://netdesignarena.com/index.php/2018/08/02/sdwan-segment-routing-applications-sla-based-routing/
Thanks!
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

CisCon 2018 - Overlay Management Protocol and IPsec

  • 1. Cisco SD-WAN at a Glance Overlay Mngt Protocol & more by Alessandro Legnani IP Network Architect CCIE SP 44166
  • 2. Agenda 1 2 3 4 5 Cisco-SDWAN OMP Quick&Deep Dive Migration Approaches Extras Credits (for diagrams and source of info)
  • 3. Cisco SDWAN - Why should I care ? 1 1. Reduce Opex Cost 2. Operate faster and independently from underlay network 3. Integrate Latest Cloud & Network Technologies (Office365, AWS, Azure…) 4. And it perfectly scales out (7k vEdges UCs)
  • 4. Cisco SDWAN – At a Glance The SD-WAN “fabric” is basically an overlay software network that runs over standard network transport services (underlay), including the public Internet, MPLS, LTE/4G. Insource MNGT/POLICY while you can outsource DP and CP 1
  • 5. Cisco SDWAN – New fully enriched routing protocol OMP (Overlay Management Protocol) is the new routing protocol that carries the routes, next hops, multicast info, keys, and policy information needed to establish and maintain the overlay network. It's a TCP-based and extensible protocol that runs (inside authenticated DTLS tunnels) between vEdge (aka WAN-Edge) routers and vSmart Controllers (and among vSmart controllers themselves) 1
  • 6. Cisco SDWAN - Data Plane Establishment Optimized bullet-proof IPSEC tunnels (without IKE flaws) are in charge of Data Plane Encapsulation, Integrity and Confidentiality 1
  • 7. Cisco SDWAN - Key features 1/3 • Centralized routing intelligence and enables per-segment (VPN) topology. • Secures the network automatically. • Influences reachability through centralized policy. • Simplified orchestration and provisioning. • Multi-Tenancy (single vManage in MT Mode) 1
  • 8. Cisco SDWAN - Key features 2/3 • NextGen SaaS services access optimization (CloudExpress) 1 • Accelerate your shift to IaaS cloud services (CloudOnRamp)
  • 9. Cisco SDWAN - Key features 3/3 • Path liveliness and quality measurements (Up/Down, loss/latency/jitter, IPsec MTU discovery) through BFD • BFD uses a hello (Up/Down) interval, a poll (App-Aware SLA) interval and a multiplier for detection, and all are fully customizable • Intelligent application steering • Interactive SLA monitoring/influence • Improved convergence (TLOC repetitive ARP request) 1
  • 10. Cisco SDWAN – Inner Flexibility and Security ! 1 • Place your CP wherever you want • Use competitors'/Internet “pipes” • Automated building of full-mesh IPsec tunnels without sending a single discovery packet (no IKE) • Man-in-the-Middle is dead !
  • 11. Cisco SDWAN - Main Components 1/4 1 vManage (NMS) • Centralized network mngt • Simple graphical dashboard • Supports REST API, CLI, Syslog, SNMP, NETCONF • Real time alerting • Stores certificate credentials • Store configurations for all SD-WAN components. As all components come online in the network, they request their certificates and configurations from the vManage NMS. When the vManage NMS receives these requests, it pushes the certificates and configurations to the SD-WAN network devices
  • 12. Cisco SDWAN - Main Components 2/4 1 vSmart Controller • Centralized brain of the overlay fabric • Establishes OMP peering with vEdges • Acts like a BGP Route Reflector • Enables central control and central data policy creation and distribution (TE, Service Chaining, VPN segmentation, ad hoc topology) • Orchestrates secure data plane connectivity between the edges (IPSEC tunnels)
  • 13. Cisco SDWAN - Main Components 3/4 1 vBond Orchestrator • Orchestrates connectivity among management, control and data plane • 1st point of authentication • Requires public IP address • All other components need to know the vBond IP/DNS. • Facilitates NAT Traversal (STUN Server); symmetric NAT to symmetric NAT or port-restricted NAT is shown as not traversable • Authorizes all control connections (white list model) • Distributes list of vSmart to all vEdges
  • 14. Cisco SDWAN - Main Components 4/4 1 vEdge Routers • Wan edge router of the site • Leverages traditional routing protocols like OSPF, BGP • Applies policies on data plane traffic • Provides secure data plane • Either HW devices or SW VNF support
  • 15. OMP Q&D Dive - Thoughts behind OMP creation .. 2 • Link-State is not fine because all devices must have the same view and I cannot filter information • But ISIS is attractive because adjacency is not dependent on interface IP address (=> Site-ID). When I am in a NAT environment my IP is not predictable (=> Site-ID) • BGP is path vector, is for bulk-data transfer, very scalable but based on AS identity (=> base it on Site-ID instead). Change it from an AS-PATH protocol to a VPN protocol (encompassing MPLS functionalities) while keeping the extensibility (AFI, SAFI, attributes) • Do not forget STP in terms of poor CP choice (think about very large scale driven by IoT in the near future) • The problem with IPsec (DP) is its CP, IKE (essentially built for P2P connectivity): replace IKE by doing key distribution in BGP style over an SSL-encrypted tunnel, leveraging an ad-hoc attribute (when I give you my route I also give you my encryption keys). In this manner we could easily encrypt the entire Internet • What about using UDP-based IPsec to encrypt MPLS? (RFC 4023) • Loop avoidance in mind (keep origin information intact) • Take care also of multicast info distribution (sources, receivers, replicators)
  • 16. OMP Q&D Dive – .. that led to these features 2 • Authentication via crypto endpoints • Encrypted CP peering • Massively scalable key distribution for DP • Largely scalable overlay routing • Availability • Convergence • Service Side (LAN) routing (IPv4,IPv6) used to identify end-nodes and services (LBs, FWs) and is independent of underlay topology • SERVICE side is overlay • TLOC (IPv4,IPv6) is assigned by any 3rd party carrier/transport network • TLOC is like NH of BGP and I can now assign a full set of attributes to it • TLOC is underlay
  • 17. OMP Q&D Dive – At a Glance 2 The Overlay Management Protocol (OMP) is the protocol responsible for establishing and maintaining the control plane. It provides the following services: • Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN topologies • Distribution of service-level (LAN) routing information and related location mappings • Distribution of data plane security parameters • Central control and distribution of routing policy OMP uses TCP as its transport protocol. https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
  • 18. OMP Q&D Dive - TLOC routes attributes 2 • Site-ID • Encap-SPI • Encap-Authentication • Encap-Encryption • Public IP and Port • Private IP and Port • BFD-Status • Tag • Preference • Weight
  • 19. OMP Q&D Dive - Service Side route attributes 2 • TLOC • Site-ID • Label • VPN-ID • Tag • Preference • Originator System IP • Origin Protocol • Origin Metric
  • 20. OMP Q&D Dive - Network Services route attributes 2 I can advertise to everybody which services are available in a particular site, to make service chaining and service moves much easier • VPN-ID • Service-ID • Label • Originator System IP • TLOC
  • 21. OMP Q&D Dive - Service Chaining 2 Service chaining (centralized control policy) allows data traffic to be routed through one or more network services, such as FWs, LBs, and IDS/IPS devices, en route to its destination.
  • 22. OMP Q&D Dive - Best-Path Algorithm 2 1. Check whether the OMP route is valid. It is installed in the FIB only if the TLOC to which it points is active. For a TLOC to be active, an active BFD session must be associated with that TLOC. BFD sessions are established by each vEdge router, which creates a separate BFD session with each of the remote TLOCs. If a BFD session becomes inactive, the vSmart controller removes from the forwarding table all the OMP routes that point to that TLOC. 2. If learned from the same device, select the OMP route with the lower administrative distance (OMP AD 250). 3. If the ADs are equal, select the OMP route with the higher OMP route preference value. 4. If the OMP route preference values are equal, select the OMP route with the higher TLOC preference value. 5. If the TLOC preference values are equal, compare the origin type, and select one in the following order (select the first match): Connected, Static, EBGP, OSPF intra-area, OSPF inter-area, OSPF external, IBGP, Unknown. 6. If the origin type is the same, select the OMP route that has the lower origin metric. 7. If the origin metrics are the same, select the OMP route with the higher router ID. 8. If the router IDs are equal, select the OMP route with the higher private IP address. 9. If a vSmart controller receives the same prefix from two different sites and all attributes are equal, the vSmart controller chooses both of them (up to 4 ECMP). A route learned from a vEdge is preferred over the same route learned from another vSmart.
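The ordered tie-breaks of the slide above, written out as a comparator so the order of precedence can be checked against constructed routes. This is an added example and not Cisco or Viptela code: the `OmpRoute` fields, `rank_key`, `select_best` and the sample routes are all constructed here. Step 2 (administrative distance) is applied to every candidate rather than only to routes from the same device, and the vEdge-over-vSmart preference at the end of the slide is left out.

```python
"""OMP best-path selection modelled after the slide's ordered tie-break rules.
Added example, not Cisco/Viptela code; route fields and sample values are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Origin-type order from step 5: lower index wins.
ORIGIN_ORDER = ["connected", "static", "ebgp", "ospf-intra-area",
                "ospf-inter-area", "ospf-external", "ibgp", "unknown"]

OMP_AD = 250  # administrative distance of OMP-learned routes (step 2)


@dataclass
class OmpRoute:
    prefix: str
    from_device: str              # system-ip of the peer that advertised the route
    tloc_bfd_up: bool             # step 1: the TLOC is active only if its BFD session is up
    admin_distance: int = OMP_AD  # step 2
    route_pref: int = 0           # step 3: OMP route preference
    tloc_pref: int = 0            # step 4: TLOC preference
    origin: str = "unknown"       # step 5: origin protocol
    origin_metric: int = 0        # step 6
    router_id: str = "0.0.0.0"    # step 7
    private_ip: str = "0.0.0.0"   # step 8


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Octet tuple so dotted-quad addresses compare numerically, not as strings."""
    return tuple(int(o) for o in ip.split("."))


def rank_key(r: OmpRoute):
    """Sort key: the smaller tuple is the better route. Each element is one slide step."""
    origin_rank = ORIGIN_ORDER.index(r.origin) if r.origin in ORIGIN_ORDER else len(ORIGIN_ORDER)
    return (
        r.admin_distance,                              # step 2: lower AD wins
        -r.route_pref,                                 # step 3: higher OMP preference wins
        -r.tloc_pref,                                  # step 4: higher TLOC preference wins
        origin_rank,                                   # step 5: origin type order
        r.origin_metric,                               # step 6: lower origin metric wins
        tuple(-o for o in _ip_key(r.router_id)),       # step 7: higher router ID wins
        tuple(-o for o in _ip_key(r.private_ip)),      # step 8: higher private IP wins
    )


def select_best(routes: List[OmpRoute], max_ecmp: int = 4) -> List[OmpRoute]:
    """Return the route(s) installed for one prefix: the best-ranked valid route plus any
    route with an identical key, up to max_ecmp entries (step 9)."""
    valid = [r for r in routes if r.tloc_bfd_up]       # step 1: inactive TLOC -> not a candidate
    if not valid:
        return []
    best_key = min(rank_key(r) for r in valid)
    return [r for r in valid if rank_key(r) == best_key][:max_ecmp]


# Constructed sample: the route with the best preference points at a TLOC whose BFD is down,
# so it never competes; of the remaining ones "connected" beats "ebgp", and the higher
# router ID breaks the tie between the two connected routes.
SAMPLE_ROUTES = [
    OmpRoute("10.1.0.0/16", "1.1.1.5", tloc_bfd_up=False, route_pref=500),
    OmpRoute("10.1.0.0/16", "1.1.1.6", tloc_bfd_up=True, route_pref=100, origin="ebgp",
             router_id="1.1.1.6"),
    OmpRoute("10.1.0.0/16", "1.1.1.7", tloc_bfd_up=True, route_pref=100, origin="connected",
             router_id="1.1.1.7"),
    OmpRoute("10.1.0.0/16", "1.1.1.8", tloc_bfd_up=True, route_pref=100, origin="connected",
             router_id="1.1.1.8"),
]

if __name__ == "__main__":
    for r in select_best(SAMPLE_ROUTES):
        print(f"{r.prefix} via {r.from_device} (origin={r.origin}, router-id={r.router_id})")
```

Running the block prints only the route advertised by 1.1.1.8; removing the `router_id` values makes 1.1.1.7 and 1.1.1.8 tie on every step and both are returned as ECMP.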

  • 23. OMP Q&D Dive - Messages Types 2 OMP supports a variety of message types to enable routing control using the transport networks, such as: • HELLO : sent periodically between peers to indicate that each peer is alive and reachable; • HANDSHAKE: first message sent by each side after a TCP connection is established. It includes the site-id of the site where the route originated. The site-id may be used for route selection and loop detection. HANDSHAKE includes a Hold Time, which is a value that is set by the overlay controller (OC) and specifies the time between HELLO messages and UPDATE messages between the overlay controller (OC) and an overlay edge router (OER). • ALERT : used by a peer on one end of a connection to notify the peer at the opposite end that an error condition has been detected. • UPDATE : used to transfer routing information between peers in the overlay domain. An UPDATE message is used to advertise feasible routes that share common path attributes to a peer, or to withdraw multiple unfeasible routes from service. An UPDATE message may simultaneously advertise a feasible route and withdraw multiple unfeasible routes from service. • QUERY : used to send a request for a specific route for which an aggregate or less specific route exists. This message is sent by an edge device once it finds out that a group of prefixes received is equipped with the Query attribute.

  • 24. OMP Q&D Dive – Control and Data Policies 2 • Control policy, which affects the flow of routing information in the network's control plane • Data policy, which affects the flow of data traffic in the network's data plane • Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.
  • 25. OMP Q&D Dive - Basic or Advanced Policies 2 Basic policies influence or determine basic traffic flow through the overlay network, such as managing the paths along which traffic is routed, and permitting or blocking traffic based on address, port, and DSCP. You can also enable vEdge local policies such as class of service and queuing, mirroring, and policing. Advanced policies offer specialized policy-based network applications such as: • Service chaining, which redirects data traffic to shared devices in the network, such as firewall, intrusion detection and prevention (IDS), load balancer, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site. • Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics. • Cflowd, for monitoring traffic flow. • Making the vEdge a NAT device, so that traffic destined for the Internet or another public network can exit directly from the vEdge router.
  • 26. OMP Q&D Dive - Centralized or Localized Policies 2 Centralized policy refers to policy provisioned on vSmart controllers. Localized policy refers to policy that is provisioned locally, on the vEdge.
  • 27. OMP Q&D Dive - Centralized Policy (CP or DP) 2 • Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers. • Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP field, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.
  • 28. OMP Q&D Dive - Localized Policy (CP or DP) 2 • Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network. • Localized data policy allows you to provision access lists and apply them to a specific interface. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP field, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring.
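The 6-tuple match plus VPN-membership restriction that both the centralized data policy slide and the localized access-list slide describe, as an added example that is not Cisco or Viptela code: the `Packet` and `Entry` types, the first-match `evaluate` function and the sample policy and packets are all constructed here, and the sequence semantics (first matching entry wins, implicit drop at the end) are an assumption of this model.

```python
"""First-match data-policy evaluation on the 6-tuple (src/dst IP, src/dst port, DSCP,
protocol) with an additional VPN-membership constraint.
Added example, not Cisco/Viptela code; names and sample traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Packet:
    vpn: int
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    sport: int
    dport: int
    dscp: int


@dataclass
class Entry:
    """One policy sequence. A None field is a wildcard; vpns restricts by VPN membership."""
    action: str                        # "accept" or "drop"
    vpns: Optional[Set[int]] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every configured field must match; unset fields do not constrain.
        return all((
            self.vpns is None or p.vpn in self.vpns,
            self.src_net is None or ip_address(p.src) in ip_network(self.src_net),
            self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net),
            self.proto is None or p.proto == self.proto,
            self.sport is None or p.sport in self.sport,
            self.dport is None or p.dport in self.dport,
            self.dscp is None or p.dscp == self.dscp,
        ))


def evaluate(policy: List[Entry], p: Packet, default_action: str = "drop") -> str:
    """Walk the sequences in order; the first match decides, otherwise the default applies."""
    for entry in policy:
        if entry.matches(p):
            return entry.action
    return default_action


# Constructed policy: VPN 1 may reach the DC prefix over HTTPS and may carry EF-marked
# voice anywhere; VPN 2 is allowed only DNS to one resolver and is otherwise isolated.
SAMPLE_POLICY = [
    Entry("accept", vpns={1}, dst_net="10.10.0.0/16", proto="tcp", dport=range(443, 444)),
    Entry("accept", vpns={2}, dst_net="10.10.53.53/32", proto="udp", dport=range(53, 54)),
    Entry("accept", vpns={1}, dscp=46),
    Entry("drop", vpns={2}),
]

# Constructed packets, one per case the policy is meant to exercise.
SAMPLE_PACKETS = {
    "vpn1_https_to_dc":   Packet(1, "192.168.1.10", "10.10.5.5", "tcp", 51000, 443, 0),
    "vpn2_https_to_dc":   Packet(2, "172.16.1.10", "10.10.5.5", "tcp", 51000, 443, 0),
    "vpn2_dns":           Packet(2, "172.16.1.10", "10.10.53.53", "udp", 40000, 53, 0),
    "vpn1_voice_ef":      Packet(1, "192.168.1.10", "192.168.2.20", "udp", 5004, 5004, 46),
    "vpn1_http_internet": Packet(1, "192.168.1.10", "203.0.113.7", "tcp", 51000, 80, 0),
}


def decisions(policy: List[Entry] = SAMPLE_POLICY) -> dict:
    """Evaluate every sample packet and return name -> action."""
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:22s} -> {action}")
```

The same HTTPS flow is accepted from VPN 1 and dropped from VPN 2 although the 6-tuple is identical, which is the VPN-membership distinction the slides draw; the Internet-bound HTTP packet falls through every sequence and hits the default drop.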
  • 29. OMP Q&D Dive - Graceful Restart 2 It allows OMP peers to continue operating if one of the peers becomes unavailable. If a vSmart becomes unavailable, its peer vEdge router continues to forward traffic, using the last-known good routing info received from the vSmart controller. Similarly, if a vEdge router becomes unavailable, its peer vSmart controller continues to use the last-known good routing info that it received from the dead vEdge. OMP graceful restart is enabled by default on vSmart controllers and vEdge routers. The default graceful restart time is 43,200 seconds (12 hours). When OMP graceful restart is enabled, a vEdge router and a vSmart cache the OMP info that they learn from their peer. This information includes OMP routes, TLOC routes, service routes, IPsec SA parameters, and centralized data policies. When one of the OMP peers is unreachable, the other peer uses the cached information. The router also periodically checks whether the peer has again become available. When it's back online and the router re-establishes a connection to it, the router flushes its local cache and considers only the new OMP info from the restored peer to be valid and reliable.
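The cache lifecycle described on the graceful-restart slide, modelled as an added example that is not Cisco or Viptela code: the `OmpPeerState` class, its method names and the injected clock are constructed here, and the sample route sets are made up. The point it shows is that a route cached from the old session is gone after reconnect unless the restored peer advertises it again, and that the cache stops being usable once the 43,200-second timer has elapsed.

```python
"""OMP graceful-restart cache behaviour as the slide describes it: keep the peer's
last-known good information while it is unreachable, stop trusting it once the
graceful-restart timer expires, and flush it entirely when the peer returns.
Added example, not Cisco/Viptela code; class and method names are constructed."""
import time
from typing import Callable, Dict, Optional

GRACEFUL_RESTART_TIMER = 43_200  # seconds (12 hours), the default quoted on the slide


class OmpPeerState:
    """What one device keeps about a single OMP peer (vSmart or vEdge)."""

    def __init__(self, peer: str, clock: Callable[[], float] = time.monotonic):
        self.peer = peer
        self.clock = clock
        self.learned: Dict[str, dict] = {}   # prefix -> attributes last advertised by the peer
        self.peer_up = True
        self.down_since: Optional[float] = None

    def update(self, routes: Dict[str, dict]) -> None:
        """Apply an UPDATE from a live peer; the learned set is replaced, not merged."""
        if not self.peer_up:
            raise RuntimeError("UPDATE from a peer that has not re-established its session")
        self.learned = dict(routes)

    def peer_lost(self) -> None:
        """Session gone: remember when, keep the cache (graceful restart)."""
        self.peer_up = False
        self.down_since = self.clock()

    def peer_restored(self, routes: Dict[str, dict]) -> None:
        """Session re-established: flush the cache, trust only the fresh advertisement."""
        self.peer_up = True
        self.down_since = None
        self.learned = dict(routes)

    def usable_routes(self) -> Dict[str, dict]:
        """Routes the local device may still forward on right now."""
        if self.peer_up:
            return dict(self.learned)
        if self.clock() - self.down_since < GRACEFUL_RESTART_TIMER:
            return dict(self.learned)   # inside the restart window: last-known good info
        return {}                        # timer expired: cached state is no longer valid


class FakeClock:
    """Constructed clock so the 12-hour window can be exercised without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk one peer through loss, timer expiry and restore; return what was usable at each step."""
    clk = FakeClock()
    state = OmpPeerState("vsmart-1", clock=clk)
    state.update({"10.1.0.0/16": {"tloc": "1.1.1.5"}, "10.2.0.0/16": {"tloc": "1.1.1.6"}})

    state.peer_lost()
    clk.now = 3_600                                   # one hour into the outage
    during_outage = sorted(state.usable_routes())

    clk.now = GRACEFUL_RESTART_TIMER + 1              # just past the 12-hour window
    after_timer = sorted(state.usable_routes())

    # Peer returns but now advertises only one of the two prefixes.
    state.peer_restored({"10.2.0.0/16": {"tloc": "1.1.1.6"}})
    after_restore = sorted(state.usable_routes())

    return {"during_outage": during_outage,
            "after_timer": after_timer,
            "after_restore": after_restore}


if __name__ == "__main__":
    for step, prefixes in demo().items():
        print(f"{step:15s} {prefixes}")
```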

  • 30. OMP Q&D Dive – Config 2
    system
     system-ip 1.1.1.9
     domain-id 1
     site-id 50
     vbond 184.168.0.69
    !
    vpn 0
     interface eth4
      ip address 10.0.16.19/24
      tunnel-interface
      !
      no shutdown
     !
     ip route 0.0.0.0/0 10.0.16.19
    omp
     no shutdown
     advertise bgp
    !
    system
     system-ip 1.1.1.5
     domain-id 1
     site-id 1
     vbond 184.168.0.69
    !
    vpn 0
     interface ge1/1
      ip address 75.0.13.15/24
      tunnel-interface
      !
      no shutdown
     ip route 0.0.0.0/0 75.0.13.15
    !
    vpn 1
     router
      bgp 1
       address-family ipv4_unicast
        redistribute omp
       !
       neighbor 10.0.17.17
        no shutdown
        remote-as 2
       !
      !
     !
     interface ge0/1
      ip address 10.0.19.15/24
     !
    omp
     no shutdown
     advertise ospf external
    !
    system
     system-ip 1.1.1.6
     domain-id 1
     site-id 2
     vbond 184.168.0.69
    !
    vpn 0
     interface ge2/1
      ip address 172.16.10.16/24
      tunnel-interface
      !
      no shutdown
     !
     ip route 0.0.0.0/0 172.16.7.16
    !
    vpn 2
     router
      ospf
       area 0
        interface ge0/2
        exit
       exit
      !
     !
     interface ge0/2
      ip address 172.16.7.16/24
      no shutdown
     !
  • 31. Migration Approaches – Best Practice/Sequence 3 • Sequence • Investigation and Planning • Factors to be considered
  • 32. Migration Approaches – DC always first 3 • Interim communication between migrated and non-migrated sites is a must • SD-WAN circuits run in parallel to existing circuits • Seamless migration is paramount and is NOT plug-and-play • Looks simple but it's complex
  • 33. Migration Approaches – Replace CE 3 • SD-WAN to Legacy comms via DC/ Regional Hub • SD-WAN to Legacy comms via underlay
  • 34. Migration Approaches – Retain CE 3 • SD-WAN to Legacy comms via underlay • SD-WAN to Legacy comms via DC/ Regional Hub
  • 35. Migration Approaches – Comms during migration 3 [Diagram: four numbered stages, 1 to 4]
  • 37. Extras – ZTP Zero Touch Provisioning 4 Assumptions: • DHCP on transport side (WAN) • DNS to resolve ztp.viptela.com / devicehelper.cisco.com
  • 38. Extras – Multicast 4 • PIM-SM v2 • IGMP v2 • Multicast optimization by eliminating redundant packet replication • Designated replicators • RP must be provided by a router on the local-site network • Auto-RP is supported • PIM is not configured on the transport side (VPN 0); OMP takes care of distributing source/receiver/replicator location info • Multicast by default can use up to 20% of interface bandwidth (adjustable) • Data policy, ACLs and mirroring are not supported for multicast
  • 39. Extras – SDWAN+SR (for SP Managed CEs) 4 [Diagram: an SDWAN Controller and an SR Controller; the OVERLAY (IP) runs over an UNDERLAY of IGP+SR across PE1, P2, P3, PE4, with labels 16001, 16002, 16003 and 2001 shown on the packets, and a Binding-SID, SR-TE path list and vpnv4 label at the PE. Steps: 1) Share App Path required parameters 2) PCEP to configure SR Policy (Binding SID <-> SR-TE) 3) SR: Binding SID 4) SR: Binding SID] Segment Routing can be used by a SP to offer underlay transport SLA for OverTheTop (overlay) VPN with SLA differentiation. Each SR-TE policy requires a separate BSID: each SR-TE policy is associated 1-to-1 with a Binding-SID. At the PE, the BSID label is popped, and the SR-TE segment IDs/path list is pushed • SP does not hold any per-flow state in its core • SP does not hold any complex L3-L7 flow classification • SP does not share any info of its infrastructure, topology, capacity, internal SIDs • SDWAN instance does not share any info of its traffic classification, steering policy or business logic https://tools.ietf.org/html/draft-dukes-spring-sr-for-sdwan-00
  • 40. Extras - Competitors 4 Gartner Magic Quadrant for WAN Edge Infrastructure, 18 October 2018
  • 41. Credits go to… 5 https://sdwan-docs.cisco.com/Product_Documentation https://www.slideshare.net/CiscoCanada/understanding-ciscos-next-generation-sdwan-solution-with-viptela https://ciscolive.cisco.com/on-demand-library/ • BRKCRS-2110 • BRKCRS-2111 • BRKCRS-2112 • BRKCRS-2113 • BRKRST-2095 https://www.think-like-a-computer.com/2011/09/16/types-of-nat/ http://netdesignarena.com/index.php/2018/08/02/sdwan-segment-routing-applications-sla-based-routing/