
CisCon 2018 - Overlay Management Protocol e IPsec

Speaker: Alessandro Legnani, Cisco CCIE and IP Network Architect at IT Global Consulting Srl

A synthesis and perfect synergy of a new routing protocol (and not only routing) with good old robust IPsec (without the IKE problems). Why invent yet another form of tunneling for the data plane?
The above is the key to the success of the Cisco/Viptela SD-WAN solution, and it is what makes it enormously scalable and unique on the market.



  1. Cisco SD-WAN at a Glance: Overlay Mngt Protocol & more, by Alessandro Legnani, IP Network Architect, CCIE SP 44166
  2. Agenda: 1 Cisco-SDWAN • 2 OMP Quick & Deep Dive • 3 Migration Approaches • 4 Extras • 5 Credits (for diagrams and source of info)
  3. Cisco SDWAN - Why should I care? 1. Reduce Opex cost 2. Operate faster and independently from the underlay network 3. Integrate the latest cloud & network technologies (Office365, AWS, Azure…) 4. And it perfectly scales out (7k vEdges UCs)
  4. Cisco SDWAN – At a Glance: The SD-WAN “fabric” is basically an overlay software network that runs over standard network transport services (underlay), including the public Internet, MPLS and LTE/4G. Insource management/policy while you can outsource the data plane (DP) and control plane (CP).
  5. Cisco SDWAN – New fully enriched routing protocol: OMP (Overlay Management Protocol) is the new routing protocol that carries the routes, next hops, multicast info, keys, and policy information needed to establish and maintain the overlay network. It's a TCP-based and extensible protocol that runs (inside authenticated DTLS tunnels) between vEdge (aka WAN-Edge) routers and vSmart controllers (and among vSmarts themselves).
  6. Cisco SDWAN - Data Plane Establishment: Optimized, bullet-proof IPsec tunnels (without IKE flaws) are in charge of data plane encapsulation, integrity and confidentiality.
  7. Cisco SDWAN - Key features 1/3 • Centralized routing intelligence, enabling per-segment (VPN) topology • Secures the network automatically • Influences reachability through centralized policy • Simplified orchestration and provisioning • Multi-tenancy (single vManage in MT mode)
  8. Cisco SDWAN - Key features 2/3 • NextGen SaaS services access optimization (CloudExpress) • Accelerate your shift to IaaS cloud services (CloudOnRamp)
  9. Cisco SDWAN - Key features 3/3 • Path liveliness and quality measurements (up/down, loss/latency/jitter, IPsec MTU discovery) through BFD • BFD uses a hello (up/down) interval, a poll (app-aware SLA) interval and a multiplier for detection, and it is fully customizable • Intelligent application steering • Interactive SLA monitoring/influence • Improved convergence (TLOC repetitive ARP request)
  10. Cisco SDWAN – Inner Flexibility and Security! • Place your CP wherever you want • Use competitors'/Internet “pipes” • Automated building of full-mesh IPsec tunnels without sending a single discovery packet (no IKE) • Man-in-the-Middle is dead!
  11. Cisco SDWAN - Main Components 1/4: vManage (NMS) • Centralized network mngt • Simple graphical dashboard • Supports REST API, CLI, Syslog, SNMP, NETCONF • Real-time alerting • Stores certificate credentials • Stores configurations for all SD-WAN components. As components come online in the network, they request their certificates and configurations from the vManage NMS; when the vManage NMS receives these requests, it pushes the certificates and configurations to the SD-WAN network devices.
  12. Cisco SDWAN - Main Components 2/4: vSmart Controller • Centralized brain of the overlay fabric • Establishes OMP peering with vEdges • Acts like a BGP route reflector • Enables central control and central data policy creation and distribution (TE, service chaining, VPN segmentation, ad hoc topology) • Orchestrates secure data plane connectivity between the edges (IPsec tunnels)
  13. Cisco SDWAN - Main Components 3/4: vBond Orchestrator • Orchestrates connectivity among management, control and data plane • 1st point of authentication • Requires a public IP address • All other components need to know the vBond IP/DNS • Facilitates NAT traversal (STUN server); diagram: SymNat ✗ SymNat/PortRestricted • Authorizes all control connections (white-list model) • Distributes the list of vSmarts to all vEdges
  14. Cisco SDWAN - Main Components 4/4: vEdge Routers • WAN edge router of the site • Leverages traditional routing protocols like OSPF, BGP • Applies policies on data plane traffic • Provides a secure data plane • Supported as either HW devices or SW VNFs
  15. OMP Q&D Dive - Thoughts behind OMP creation.. • Link-state is not fine because all devices must have the same view and I cannot filter information • But IS-IS is attractive because adjacency is not dependent on the interface IP address (=> Site-ID). When I am in a NAT environment my IP is not predictable (=> Site-ID) • BGP is path vector, is for bulk data transfer, very scalable but based on AS identity (=> base it on Site-ID instead). Change it from an AS-PATH protocol to a VPN protocol (encompassing MPLS functionalities) while keeping the extensibility (AFI, SAFI, attributes) • Do not forget STP in terms of poor CP choice (think about very large scale driven by IoT in the near future) • The problem with IPsec (DP) is its CP, IKE (essentially built for P2P connectivity): replace IKE by doing key distribution in BGP style, using an SSL-encrypted tunnel and an ad hoc attribute (when I give you my route I also give you my encryption keys). In this manner we could easily encrypt the entire Internet • What about using UDP-based IPsec to encrypt MPLS? (RFC 4023) • Loop avoidance in mind (keep origin information intact) • Take care also of multicast info distribution (sources, receivers, replicators)
  16. OMP Q&D Dive – .. that led to these features • Authentication via crypto endpoints • Encrypted CP peering • Massively scalable key distribution for DP • Largely scalable overlay routing • Availability • Convergence • Service-side (LAN) routing (IPv4, IPv6) is used to identify end-nodes and services (LBs, FWs) and is independent of the underlay topology • SERVICE side is overlay • TLOC (IPv4, IPv6) is assigned by any 3rd-party carrier/transport network • TLOC is like the NH of BGP, and I can now assign a full set of attributes to it • TLOC is underlay
  17. OMP Q&D Dive – At a Glance: The Overlay Management Protocol (OMP) is the protocol responsible for establishing and maintaining the control plane. It provides the following services: • Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN topologies • Distribution of service-level (LAN) routing information and related location mappings • Distribution of data plane security parameters • Central control and distribution of routing policy. OMP uses TCP as its transport protocol. https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
  18. OMP Q&D Dive - TLOC route attributes • Site-ID • Encap-SPI • Encap-Authentication • Encap-Encryption • Public IP and Port • Private IP and Port • BFD-Status • Tag • Preference • Weight
  19. OMP Q&D Dive - Service-side route attributes • TLOC • Site-ID • Label • VPN-ID • Tag • Preference • Originator System IP • Origin Protocol • Origin Metric
  20. OMP Q&D Dive - Network Services route attributes: I can advertise to all what services are available in a particular site, to make service chaining and service moves much easier • VPN-ID • Service-ID • Label • Originator System IP • TLOC
  21. OMP Q&D Dive - Service Chaining: Service chaining (centralized control policy) allows data traffic to be routed through one or more network services, such as FWs, LBs, and IDS/IPS devices, en route to its destination.
  22. OMP Q&D Dive - Best-Path Algorithm
      1. Check whether the OMP route is valid. It is installed in the FIB only if the TLOC to which it points is active. For a TLOC to be active, an active BFD session must be associated with that TLOC. BFD sessions are established by each vEdge router, which creates a separate BFD session with each of the remote TLOCs. If a BFD session becomes inactive, the vSmart controller removes from the forwarding table all the OMP routes that point to that TLOC.
      2. If learned from the same device, select the OMP route with the lower administrative distance (OMP AD 250).
      3. If the ADs are equal, select the OMP route with the higher OMP route preference value.
      4. If the OMP route preference values are equal, select the OMP route with the higher TLOC preference value.
      5. If the TLOC preference values are equal, compare the origin type and select the first match in the following order: Connected, Static, EBGP, OSPF intra-area, OSPF inter-area, OSPF external, IBGP, Unknown.
      6. If the origin type is the same, select the OMP route that has the lower origin metric.
      7. If the origin metrics are the same, select the OMP route with the higher router ID.
      8. If the router IDs are equal, select the higher private IP address.
      9. If a vSmart controller receives the same prefix from two different sites and all attributes are equal, the vSmart controller chooses both of them (up to 4 ECMP). A route learned from a vEdge is preferred over the same route learned from another vSmart.
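The selection steps above, carried through as an added Python example (illustration code written for this page, not Cisco/Viptela code): route and TLOC records are small dataclasses with constructed values, the names `OmpRoute`, `Tloc`, `compare` and `select_best` are my own, and the slide's closing note is read as a final tie-break in favour of routes learned directly from a vEdge over copies relayed by another vSmart.

```python
"""OMP best-path selection as listed on the slide (added illustration, not vendor code).

Order: validity via BFD, administrative distance (same device only), OMP route
preference, TLOC preference, origin type, origin metric, router ID, private IP,
then ECMP with up to 4 equal paths. Route values below are constructed samples.
"""
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import ip_address
from typing import List

OMP_AD = 250  # OMP administrative distance quoted on the slide

# Origin-type ranking from step 5: lower index is preferred.
ORIGIN_ORDER = ["connected", "static", "ebgp", "ospf-intra-area",
                "ospf-inter-area", "ospf-external", "ibgp", "unknown"]


@dataclass(frozen=True)
class Tloc:
    system_ip: str       # simplified TLOC identity (real TLOCs also carry color/encap)
    color: str
    preference: int = 0
    bfd_up: bool = True  # a TLOC is active only while a BFD session to it is up


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    tloc: Tloc
    peer: str                 # OMP peer that advertised the route
    from_vedge: bool = True   # learned from a vEdge, not relayed by another vSmart
    ad: int = OMP_AD
    omp_preference: int = 0
    origin_protocol: str = "unknown"
    origin_metric: int = 0
    router_id: str = "0.0.0.0"
    private_ip: str = "0.0.0.0"


def origin_rank(proto: str) -> int:
    """Position in ORIGIN_ORDER; anything unlisted ranks as unknown."""
    return ORIGIN_ORDER.index(proto if proto in ORIGIN_ORDER else "unknown")


def compare(a: OmpRoute, b: OmpRoute) -> int:
    """Steps 2-8. Negative: a preferred; positive: b preferred; 0: full tie."""
    if a.peer == b.peer and a.ad != b.ad:           # 2. same device: lower AD wins
        return a.ad - b.ad
    if a.omp_preference != b.omp_preference:        # 3. higher OMP route preference
        return b.omp_preference - a.omp_preference
    if a.tloc.preference != b.tloc.preference:      # 4. higher TLOC preference
        return b.tloc.preference - a.tloc.preference
    ra, rb = origin_rank(a.origin_protocol), origin_rank(b.origin_protocol)
    if ra != rb:                                    # 5. origin-type order
        return ra - rb
    if a.origin_metric != b.origin_metric:          # 6. lower origin metric
        return a.origin_metric - b.origin_metric
    ra, rb = int(ip_address(a.router_id)), int(ip_address(b.router_id))
    if ra != rb:                                    # 7. higher router ID
        return -1 if ra > rb else 1
    ra, rb = int(ip_address(a.private_ip)), int(ip_address(b.private_ip))
    if ra != rb:                                    # 8. higher private IP
        return -1 if ra > rb else 1
    return 0


def select_best(candidates: List[OmpRoute], max_ecmp: int = 4) -> List[OmpRoute]:
    """Return the route(s) a vSmart would install for one prefix."""
    valid = [r for r in candidates if r.tloc.bfd_up]   # 1. TLOC must have BFD up
    if not valid:
        return []
    ordered = sorted(valid, key=cmp_to_key(compare))
    winners = [r for r in ordered if compare(r, ordered[0]) == 0]
    # 9. Full tie: keep equal-cost paths, preferring copies learned directly
    # from a vEdge over the same route relayed by another vSmart.
    if any(r.from_vedge for r in winners):
        winners = [r for r in winners if r.from_vedge]
    return winners[:max_ecmp]


# Constructed candidate set for one prefix (system IPs and peer names are made up).
SAMPLE_ROUTES = [
    OmpRoute("10.1.0.0/24", Tloc("1.1.1.1", "mpls"), peer="vedge-1", origin_protocol="ebgp"),
    OmpRoute("10.1.0.0/24", Tloc("1.1.1.2", "biz-internet", bfd_up=False), peer="vedge-2",
             omp_preference=200, origin_protocol="connected"),  # invalid: BFD down
    OmpRoute("10.1.0.0/24", Tloc("1.1.1.3", "mpls"), peer="vedge-3", origin_protocol="ospf-external"),
    OmpRoute("10.1.0.0/24", Tloc("1.1.1.4", "mpls"), peer="vedge-4", origin_protocol="ebgp"),
    OmpRoute("10.1.0.0/24", Tloc("1.1.1.4", "mpls"), peer="vsmart-2", from_vedge=False,
             origin_protocol="ebgp"),  # same route relayed by another vSmart
]


def best_tlocs(routes: List[OmpRoute] = SAMPLE_ROUTES) -> List[str]:
    """Selected TLOC system IP and advertising peer, in selection order."""
    return [f"{r.tloc.system_ip}/{r.peer}" for r in select_best(routes)]


if __name__ == "__main__":
    print(best_tlocs())
```

With the sample set, the route with BFD down is discarded despite its high preference, EBGP beats OSPF external at step 5, and the two remaining EBGP copies from different sites are installed as ECMP while the vSmart-relayed duplicate is dropped.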

  23. OMP Q&D Dive - Message Types: OMP supports a variety of message types to enable routing control using the transport networks, such as: • HELLO: sent periodically between peers to indicate that each peer is alive and reachable. • HANDSHAKE: first message sent by each side after a TCP connection is established. It includes the site-id of the site where the route originated; the site-id may be used for route selection and loop detection. HANDSHAKE includes a Hold Time, a value set by the overlay controller (OC) that specifies the time between HELLO messages and UPDATE messages between the overlay controller (OC) and an overlay edge router (OER). • ALERT: used by a peer on one end of a connection to notify the peer at the opposite end that an error condition has been detected. • UPDATE: used to transfer routing information between peers in the overlay domain. An UPDATE message is used to advertise feasible routes that share common path attributes to a peer, or to withdraw multiple unfeasible routes from service. An UPDATE message may simultaneously advertise a feasible route and withdraw multiple unfeasible routes from service. • QUERY: used to send a request for a specific route for which an aggregate or less specific route exists. This message is sent by an edge device once it finds out that a group of prefixes received is equipped with the Query attribute.

  24. OMP Q&D Dive – Control and Data Policies • Control policy, which affects the flow of routing information in the network's control plane • Data policy, which affects the flow of data traffic in the network's data plane • Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.
  25. OMP Q&D Dive - Basic or Advanced Policies: Basic policies influence or determine basic traffic flow through the overlay network, such as managing the paths along which traffic is routed, and permitting or blocking traffic based on address, port, and DSCP. You can also enable vEdge local policies such as class of service and queuing, mirroring, and policing. Advanced policies offer specialized policy-based network applications such as: • Service chaining, which redirects data traffic to shared devices in the network, such as firewalls, intrusion detection and prevention (IDS/IPS), load balancers, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site. • Application-aware routing: the best path for traffic based on real-time network and path performance characteristics. • Cflowd, for monitoring traffic flow. • Making a vEdge a NAT device, so that traffic destined for the Internet or another public network can exit directly from the vEdge router.
  26. OMP Q&D Dive - Centralized or Localized Policies: Centralized policy refers to policy provisioned on vSmart controllers. Localized policy refers to policy that is provisioned locally, on the vEdge.
  27. OMP Q&D Dive - Centralized Policy (CP or DP) • Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers. • Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.
  28. OMP Q&D Dive - Localized Policy (CP or DP) • Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network. • Localized data policy allows you to provision access lists and apply them to a specific interface. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring.
  29. OMP Q&D Dive - Graceful Restart: It allows OMP peers to continue operating if one of the peers becomes unavailable. If a vSmart becomes unavailable, its peer vEdge router continues to forward traffic, using the last-known good routing info received from the vSmart controller. Similarly, if a vEdge router becomes unavailable, its peer vSmart controller continues to use the last-known good routing info that it received from the dead vEdge. OMP graceful restart is enabled by default on vSmart controllers and vEdge routers. The default graceful restart time is 43,200 seconds (12 hours). When OMP graceful restart is enabled, a vEdge router and a vSmart cache the OMP info that they learn from their peer. This information includes OMP routes, TLOC routes, service routes, IPsec SA parameters, and centralized data policies. When one of the OMP peers is unreachable, the other peer uses the cached information. The router also periodically checks whether the peer has again become available. When it's back online and the router re-establishes a connection to it, the router flushes its local cache and considers only the new OMP info from the restored peer to be valid and reliable.

  30. OMP Q&D Dive – Config (three device configurations as shown on the slide)

      system
       system-ip 1.1.1.9
       domain-id 1
       site-id 50
       vbond 184.168.0.69
      !
      vpn 0
       interface eth4
        ip address 10.0.16.19/24
        tunnel-interface
        !
        no shutdown
       !
       ip route 0.0.0.0/0 10.0.16.19
      !
      omp
       no shutdown
       advertise bgp
      !

      system
       system-ip 1.1.1.5
       domain-id 1
       site-id 1
       vbond 184.168.0.69
      !
      vpn 0
       interface ge1/1
        ip address 75.0.13.15/24
        tunnel-interface
        !
        no shutdown
       ip route 0.0.0.0/0 75.0.13.15
      !
      vpn 1
       router
        bgp 1
         address-family ipv4_unicast
          redistribute omp
         !
         neighbor 10.0.17.17
          no shutdown
          remote-as 2
         !
        !
       !
       interface ge0/1
        ip address 10.0.19.15/24
       !
      omp
       no shutdown
       advertise ospf external
      !

      system
       system-ip 1.1.1.6
       domain-id 1
       site-id 2
       vbond 184.168.0.69
      !
      vpn 0
       interface ge2/1
        ip address 172.16.10.16/24
        tunnel-interface
        !
        no shutdown
       !
       ip route 0.0.0.0/0 172.16.7.16
      !
      vpn 2
       router
        ospf
         area 0
          interface ge0/2
          exit
         exit
        !
       !
       interface ge0/2
        ip address 172.16.7.16/24
        no shutdown
       !
  31. Migration Approaches – Best Practice/Sequence • Sequence • Investigation and planning • Factors to be considered
  32. Migration Approaches – DC always first • Interim communication between migrated and non-migrated sites is a must • SD-WAN runs in parallel to existing circuits • Seamless migration is paramount and is NOT plug-and-play • Looks simple but it's complex
  33. Migration Approaches – Replace CE • SD-WAN to legacy comms via DC/regional hub • SD-WAN to legacy comms via underlay
  34. Migration Approaches – Retain CE • SD-WAN to legacy comms via underlay • SD-WAN to legacy comms via DC/regional hub
  35. Migration Approaches – Comms during migration (diagram with steps 1 to 4; diagram only)
  36. Extras – Redundancy (diagram only)
  37. Extras – ZTP (Zero Touch Provisioning) Assumptions: • DHCP on the transport side (WAN) • DNS to resolve ztp.viptela.com / devicehelper.cisco.com
  38. Extras – Multicast • PIM-SM v2 • IGMP v2 • Multicast optimization by eliminating redundant packet replication • Designated replicators • RP must be provided by a router on the local-site network • Auto-RP is supported • PIM is not configured on the transport side (VPN 0); OMP takes care of distributing source/receiver/replicator location info • Multicast by default can use up to 20% of interface bandwidth (adjustable) • Data policy, ACL and mirroring are not supported for multicast
  39. Extras – SDWAN+SR (for SP Managed CEs)
      [Diagram: SDWAN Controller and SR Controller; OVERLAY over an UNDERLAY (IGP+SR) of PE1, P2, P3, PE4; label stacks IP | 16001 16002 16003, IP | 16001 16002, IP | 16001, IP | 2001, IP; Binding-SID ↔ SR-TE path list; vpnv4. Steps: 1) Share App Path required parameters 2) PCEP to configure SR Policy (Binding SID ↔ SR-TE) 3) SR: Binding SID 4) SR: Binding SID]
      Segment Routing can be used by an SP to offer underlay transport SLA for OverTheTop (overlay) VPNs with SLA differentiation. An SR-TE policy requires a separate BSID; each SR-TE is associated 1-to-1 with a Binding-SID. At the PE, the BSID label is popped and the SR-TE segment IDs/path list is pushed. • SP does not hold any per-flow state in its core • SP does not hold any complex L3-L7 flow classification • SP does not share any info about its infrastructure, topology, capacity or internal SIDs • SDWAN instance does not share any info about its traffic classification, steering policy or business logic. https://tools.ietf.org/html/draft-dukes-spring-sr-for-sdwan-00
  40. Extras - Competitors: Gartner Magic Quadrant for WAN Edge Infrastructure, 18 October 2018
  41. Credits go to… • https://sdwan-docs.cisco.com/Product_Documentation • https://www.slideshare.net/CiscoCanada/understanding-ciscos-next-generation-sdwan-solution-with-viptela • https://ciscolive.cisco.com/on-demand-library/ (BRKCRS-2110, BRKCRS-2111, BRKCRS-2112, BRKCRS-2113, BRKRST-2095) • https://www.think-like-a-computer.com/2011/09/16/types-of-nat/ • http://netdesignarena.com/index.php/2018/08/02/sdwan-segment-routing-applications-sla-based-routing/
  42. Thanks!
