Introducing Virtualization Protocols & Techniques Flashcards
Communications & Collaborations Group (CCG)
- a hardened version of Linux on the bare-metal Media Convergence Server (MCS) 7800 Series Server
Hypervisor
- a combination of a lightweight operating system and additional software to create and manage the virtual environment
- the hypervisor used with almost all collaboration applications is VMware ESXi (Elastic Sky X Integrated), the hypervisor component of the vSphere suite
Virtualization Benefits
1) Hardware resource consolidation
2) Utilization optimization
3) Physical resource sharing
Network Virtualization Components
1) Access Control - Access control is responsible for authenticating and authorizing devices connecting at the edge of the network. Access control allows customers to assign devices to a specific network “segment,” which usually corresponds to deploying a device in a dedicated VLAN.
2) Path Isolation - Path isolation is an overlay network and refers to the creation of independent logical traffic paths to isolate traffic between users belonging to separate groups (for example, guests and partners) over a shared physical network infrastructure.
3) Services Edge - Services edge is responsible for centralizing policy enforcement points where it is possible to control and restrict communications between separate logical partitions or access to services that can be dedicated or shared between virtual networks.
Path Isolation Mechanisms
1) dynamic ACLs
2) VRF-Lite with GRE tunnels
3) MPLS VPN
VRF
- Virtual Routing and Forwarding: an independent routing instance on a Layer 3 device, so that one physical router or switch can hold several isolated routing tables; in a campus design the VRFs live on the distribution device that forms the boundary between the L2 client-side VLANs and the L3 network
- Each VRF instance consists of an IP routing table, a forwarding table, and interface(s) assigned to it.
Data Path Virtualization
- Data path virtualization is the virtualization of the interconnection between devices
- This interconnection can be a single-hop or multihop. The type of data path virtualization varies depending on how far the VRFs are from each other.
VRF-Lite
- combines the use of VRF instances with either 802.1q trunking for hop-by-hop path isolation, or GRE/Multipoint GRE (mGRE) for multihop path isolation
- VRF-Lite with 802.1Q trunking would be found in a campus network where the IP routing is completely under the control of the organization deploying it and would typically make use of OSPF or EIGRP as the IGP for routing.
- VRF-Lite can be used along with GRE or mGRE when it becomes necessary to extend a virtual network across a Layer 3 infrastructure or domain where virtualization is either not required or, as in the case of a service provider WAN, is beyond the control of the organization.
- In addition to GRE and mGRE, Multiprotocol Label Switching (MPLS) can be used to extend VRFs across an IP infrastructure.
- MPLS would be the best choice for large-scale enterprises that require more than 32 virtual networks per device or require traffic engineering and optimal path selection with fast reroute capabilities along with the ability to provide extremely scalable full-mesh connectivity.
Control Plane
- Control Plane: All the protocols, databases, and tables necessary to make forwarding decisions and maintain a functional network topology free of loops or unintended black holes. This plane can be said to draw a clear picture of the topology for the network device. A virtualized device must have a unique picture of each virtual network it handles; thus, there is the requirement to virtualize the control plane components.
Forwarding Plane
- Forwarding Plane: All the processes and tables used to forward traffic. The forwarding plane builds forwarding tables based on the information provided by the control plane. Like the control plane, each virtual network has a unique forwarding table that needs to be virtualized.
VRF-Lite Advantages
1) Allows for true routing and forwarding separation—Dedicated data and control planes are defined to handle traffic belonging to groups with various requirements or policies. This represents an extra level of segregation and security because no communication between devices belonging to different VRFs is allowed unless explicitly configured.
2) Simplifies the management and troubleshooting of the traffic belonging to the specific VRF because separate forwarding tables are used to switch that traffic—These data structures are different from the ones associated with the global routing table. This also guarantees that configuring the overlay network does not cause issues (such as routing loops) in the global table.
3) Enables the support for alternate default routes—The advantage of using separate control and data plane is that it allows for defining a separate default route for each virtual network (VRF). This can be useful, for example, in providing guest access in deployment when there is a requirement to use the default route in the global routing table just to create a black hole for unknown addresses to aid in detecting certain types of worm and network scanning attacks.
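A VRF-Lite configuration that ties these points together, added here as an illustration and not taken from the page or from Cisco documentation. It uses Cisco IOS router syntax; the VRF name, route distinguisher, VLAN ID, interface names and every address are assumptions. It carries a GUEST VRF hop-by-hop over an 802.1Q subinterface, extends it across a WAN that is not VRF-aware inside a GRE tunnel, gives the VRF its own default route while the global table's default is a Null0 black hole, and restricts inbound GRE on the WAN interface to the known peer.

```text
! Added example (not from the page). Cisco IOS router syntax; names and
! addresses are assumptions.
!
! 1) The VRF: its own routing and forwarding tables, separate from the global table
vrf definition GUEST
 rd 65000:10
 address-family ipv4
 exit-address-family
!
! 2) Hop-by-hop path isolation: VLAN 10 on the trunk carries GUEST traffic only.
!    Put the subinterface into the VRF before assigning its address
!    (vrf forwarding clears any existing IP address).
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 vrf forwarding GUEST
 ip address 10.10.10.1 255.255.255.0
!
! 3) Multihop path isolation: the inside of the tunnel belongs to GUEST, while
!    the delivery header (IP protocol 47) is routed by the global table because
!    no 'tunnel vrf' is configured. ip mtu leaves room for the 24 bytes of
!    GRE/IP overhead (and for IPsec if the tunnel is later protected) and must
!    match the far end.
interface Tunnel10
 vrf forwarding GUEST
 ip address 172.16.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
!
! 4) Alternate default route per VRF: GUEST has a real default across the
!    tunnel, while the global table's default is a black hole so that scans
!    of unallocated space from internal hosts are simply dropped.
ip route vrf GUEST 0.0.0.0 0.0.0.0 172.16.10.2
ip route 0.0.0.0 0.0.0.0 Null0
!
! 5) GRE authenticates nothing by itself: accept GRE only from the peer on the
!    WAN-facing interface and log anything else.
ip access-list extended WAN-IN
 permit gre host 198.51.100.2 host 192.0.2.1
 deny gre any any log
 permit ip any any
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
```

The ordering in step 2 matters in practice: `vrf forwarding` applied to an interface that already has an address removes that address, so configure the VRF membership first. The ACL in step 5 only limits who can inject GRE at the edge; it does not protect the payload, which still needs IPsec if the WAN is untrusted.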
Generic Routing Encapsulation (GRE)
- a tunneling protocol that provides a path for transporting packets over a public network by encapsulating packets inside a transport protocol
- supports multiple Layer 3 protocols such as IP, IPX, and AppleTalk.
- It also enables the use of multicast routing protocols across the tunnel.
- GRE is one of many tunneling protocols.
- GRE packets are identified by IP protocol number 47 in the delivery header.
- It allows routing information to pass between connected networks.
- No encryption is used: GRE provides neither confidentiality nor authentication of the payload, so a tunnel over an untrusted transport network is normally protected with IPsec (GRE over IPsec).
- GRE adds a 20-byte IPv4 delivery header and a GRE header of at least 4 bytes in front of the original packet; transit routers forward on the delivery header only and never look at the original headers, which nonetheless travel in cleartext.
- GRE, developed by Cisco, is designed to encapsulate arbitrary types of network layer packets inside arbitrary types of network layer packets, as defined in RFC 1701 (GRE), RFC 1702 (GRE over IPv4 Networks), and RFC 2784 (GRE).
- It uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
- It is stateless and, by default, includes no flow control mechanisms.
- It does not include any strong security mechanisms to protect its payload.
- The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
- You may have to lower the MTU (Maximum Transmission Unit) on a GRE tunnel interface with the ip mtu interface configuration command, because the 24 or more bytes of tunnel overhead otherwise push full-size packets beyond the MTU of the transport path and force fragmentation (or drops when the DF bit is set). The value must match on both ends of the tunnel.
GRE Header Contents
The GRE header contains a flag field and a protocol type field to identify the Layer 3 protocol being transported. It may also contain a tunnel checksum, tunnel key, and tunnel sequence number; the key and sequence number fields are defined in RFC 2890.
Supported Tunnel Interface Headers
1) A passenger (encapsulated) protocol, such as IPv4 or IPv6: the protocol that is being encapsulated
2) A carrier (encapsulation) protocol: GRE, in this case
3) A transport (delivery) protocol, such as IP: the protocol that carries the encapsulated packet
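To make the header layout above concrete, here is an added example, not code from the page or from Cisco: a Python builder and parser for GRE-in-IPv4 packets following RFC 2784 with the RFC 2890 key and sequence-number fields. The passenger packet, the payload text and all addresses are constructed for the example (documentation address ranges; protocol 253 is an experimental number). It shows the 20-byte delivery header plus 4-byte base GRE header as the 24-byte minimum overhead, validates the delivery header and GRE version, verifies the optional checksum over header and payload, and leaves the inner packet fully readable, which is the "no encryption" point.

```python
"""Build and parse GRE-in-IPv4 packets (RFC 2784 base header, RFC 2890 key/sequence).
Added example with constructed data; not taken from the page."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_GRE = 47          # protocol number in the IPv4 delivery header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 passenger packet
GRE_CHECKSUM = 0x8000     # C bit: checksum + reserved1 present
GRE_KEY = 0x2000          # K bit (RFC 2890): key present
GRE_SEQUENCE = 0x1000     # S bit (RFC 2890): sequence number present


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used by both the IPv4 header and the GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, src: str, dst: str, proto_type: int = ETHERTYPE_IPV4,
                    key: Optional[int] = None, seq: Optional[int] = None,
                    checksum: bool = False) -> bytes:
    """Prepend a GRE header and an IPv4 delivery header (protocol 47) to a passenger packet."""
    flags, opt = 0, b""
    if checksum:
        flags |= GRE_CHECKSUM
        opt += struct.pack("!HH", 0, 0)      # checksum placeholder + reserved1
    if key is not None:
        flags |= GRE_KEY
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_SEQUENCE
        opt += struct.pack("!I", seq)
    gre = struct.pack("!HH", flags, proto_type) + opt + passenger
    if checksum:
        # RFC 2784: the checksum covers the GRE header and the payload packet
        gre = gre[:4] + struct.pack("!H", ip_checksum(gre)) + gre[6:]
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


@dataclass
class GrePacket:
    delivery_src: str
    delivery_dst: str
    proto_type: int
    key: Optional[int]
    seq: Optional[int]
    checksum_ok: Optional[bool]   # None when the C bit is clear
    passenger: bytes
    overhead: int                 # bytes added by delivery header + GRE header


def gre_decapsulate(packet: bytes) -> GrePacket:
    """Parse an IPv4 packet carrying GRE; raise ValueError on anything malformed."""
    if len(packet) < 24:
        raise ValueError("shorter than the 24-byte minimum of delivery + GRE header")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    if packet[0] >> 4 != 4 or ihl < 20 or not ihl + 4 <= total_len <= len(packet):
        raise ValueError("not a well-formed IPv4 packet carrying a GRE header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("delivery header protocol is not 47 (GRE)")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    gre = packet[ihl:total_len]
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("GRE version must be 0")
    # optional 32-bit fields follow in fixed order: checksum/reserved1, key, sequence
    present = [bit for bit in (GRE_CHECKSUM, GRE_KEY, GRE_SEQUENCE) if flags & bit]
    if len(gre) < 4 + 4 * len(present):
        raise ValueError("truncated GRE header")
    fields = {bit: struct.unpack("!I", gre[4 + 4 * i:8 + 4 * i])[0] for i, bit in enumerate(present)}
    # an intact checksummed header+payload sums to all ones, so the complement is 0
    checksum_ok = (ip_checksum(gre) == 0) if GRE_CHECKSUM in fields else None
    off = 4 + 4 * len(present)
    return GrePacket(socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), proto_type,
                     fields.get(GRE_KEY), fields.get(GRE_SEQUENCE), checksum_ok, gre[off:], ihl + off)


def demo() -> GrePacket:
    """Round-trip a constructed passenger packet (proto 253 = experimental) through GRE."""
    body = b"GUEST-VRF hello"   # constructed cleartext payload
    passenger = ipv4_header("10.10.10.5", "10.20.20.7", 253, len(body)) + body
    outer = gre_encapsulate(passenger, "192.0.2.1", "198.51.100.2", key=10, seq=1, checksum=True)
    return gre_decapsulate(outer)


if __name__ == "__main__":
    p = demo()
    print(f"{p.delivery_src} -> {p.delivery_dst} type={p.proto_type:#06x} key={p.key} "
          f"seq={p.seq} checksum_ok={p.checksum_ok} overhead={p.overhead}")
    print("inner packet travels in cleartext:", p.passenger)
```

With key, sequence number and checksum all present the overhead grows from the 24-byte minimum to 36 bytes, which is why the tunnel MTU has to be lowered. The checksum only detects corruption; anyone who can alter the packet can recompute it, so it is not an integrity control in the security sense.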