Network Virtualization

(Part I) Network Virtualization

This is the first part in the series of posts dedicated to network virtualization and path isolation.

Virtualization is a technique of simulating a hardware device by using software, usually on standard x86 CPU based servers. Hardware devices that are being virtualized are (in the order from most common) servers, firewalls, switches and routers. Almost all devices that you can think of can be virtualized, we listed the most common ones used within network operations. By using virtualization, we are able to run multiple virtual instances (virtual contexts) of a device, in the same way like we would run “real” hardware devices. Each of these virtualized instances is, of course, running independently and usually operating with separate configuration, enabling separation by purpose. Virtual instances are usually running as multiple contexts on specialised, virtualization enabled device or as Virtual Machines (VMs) on a Hypervisor platform like VMWare of Hyper-V.

Network Virtualization is part of above explained virtualization. It is virtulization of networking devices. We are using network virtualization with VLANs on switches to enable multiple broadcast domains (LAN segments) to be connected on one single switch. We are doing the same thing on layer 3 with enabling the router to run multiple routing instances by implementing VRF configuration on it. With VRF we are splitting the router into multiple routers, with VLANs we are splitting switch into multiple switches. We are doing this with the use of software but only on specialized hardware devices that are virtualization enabled.

There are two network elements we can virtualize

Network virtualization can be as simple as running firewall on a VMWare host. In this case we are just skipping the usage of real hardware appliance for firewalling task.

Things can get more complex with requirements for path isolation. Different categories of traffic then need to use same physical devices and their interconnections and have complete data communication isolation between them. Here we are in a situation where we will need to virtualize not only the above mentioned firewall but also router forwarding plane and interconnections between network devices.

VRF

VRF enables the router to run more “virtual” instances of routing and forwarding table. VLANs separate switch port groups into separate broadcast domains/isolated segments. Firewall can have trunk link with subinterfaces of which each one is separate zone forwarding traffic for one router VRF. Image on top shows three different isolated paths which are forwarded through same devices/interconnections. Below, physical topology is shown.

Ok that’s it! We can not only virtualize network devices but the paths between them to. Let’s see what that means.

| Continue Reading.. |

TFTP via VRF

As you can see from my article list, I’m going through some VRF configuration in the last few weeks 🙂

I ran into this today and it sounded interesting enough to share it with you. The issue with TFTP IOS image copy to flash when having all interfaces in specific VRF and no interface in Global Routing Table.

Long story short, you kick in this command for normal IOS download to the router:

R1#copy tftp://10.10.10.11/c890-universalk9-mz.154-3.M5.bin flash:
Destination filename [c890-universalk9-mz.154-3.M5.bin]? 
Accessing tftp://10.10.10.11/c890-universalk9-mz.154-3.M5.bin...
%Error opening tftp://10.10.10.11/c890-universalk9-mz.154-3.M5.bin (Timed out)

…and it isn’t working of course.

| Continue Reading.. |

VRF – Virtual Routing and Forwarding

(Part II) Virtual Routing and Forwarding

This is the second part in the series of posts dedicated to network virtualization and path isolation.

Ever needed one extra router? It’s possible to split the router into more logical routers by using VRF. How? Here’s how!

Virtual Routing and Forwarding or VRF allows a router to run more that one routing table simultaneously. When running more routing tables in the same time, they are completely independent. For example, you could use overlapping IP addresses inside more VRFs on the same router and they will function independently without conflict (You can see this kind of overlap in the example below). It is possible to use same VRF instance on more routers and connect every instance separately using VRF dedicated router port or only a sub-interface.

You can find VRFs to be used on ISP side. Provider Edge (PE) routers are usually running one VRF per customer VPN so that one router can act as a PE router for multiple Customer Edge (CE) routers even with more customers exchanging the same subnets across the VPN. By running VRF per customer, those subnets will never mix in-between them.

VRFs are used to create multiple virtual routers from one physical router.

Every VRF is creating his own Routing table and CEF table, basically a separate RIB and FIB.

| Continue Reading.. |

Static Route Load Balance

How it works?

If you have two routers / two Layer3 switches connected with two L3 links (two paths) you can route with two equal static routes towards the same prefix and the router will load balance traffic across both links.

The idea is to make two same static routes on the same router but with different next-hops. The question was: Which link or which route will be used? And if the traffic will be load balanced, which mechanism will be used to share the traffic across both of links.

static route load balancing

 

ip route 10.0.0.0 255.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.11.2

| Continue Reading.. |

What is route recursion

We are going back to networking basics with this post. In few lines below you will find most important theory that makes network gear do its job.

The main router job is to making routing decisions to be able to route packets toward their destination. Sometimes that includes recursive lookup of routing table if the next-hop value is not available via connected interface.

Routing decision on end devices

Lets have a look at routing decision that happens if we presume that we have a PC connected on our Ethernet network.

If one device wants to send a packet to another device, it first needs to find an answer to these questions:

  • Is maybe the destination IP address chunk of local subnet IP range?
    • If that is true, packet will be forwarded to the neighbour device using Layer 2 in the ARP example below.
    • If that is not the case, does the device network card configuration include a router address through which that destination can be reached? (default gateway)
  • Device then looks at his local ARP table. Does it include a MAC address associated with the destination IP address?
    • If the destination is not part of the local subnet, does the local ARP table contain the MAC address of the nearest router? (MAC address to IP address mapping of default gateway router)

Control Plane Protection in Cisco IOS

CoPP – Control Plane Protection or better Control Plain Policing. It is the only option to make some sort of flood protection or QoS for traffic going to control plane.

In the router normal operation the most important traffic is control plain traffic. Control plane traffic is traffic originated on router itself by protocol services running on it, destined to other router device on the network. In order to run properly, routers need to speak with each other. They speak with each other by rules defined in protocols and protocols are running in shape of router services.

Examples for this kind of protocols are routing protocols like BGP, EIGRP, OSPF or some other non-routing protocols like CDP etc..

CoPP

Control Plane Policing is QoS applied on ingress sub-interfacess towards Route Processor

When router is making BGP neighbour adjacency with the neighbouring router, it means that both routers are running BGP protocol service on them. BGP service is generating control plane traffic, sending that traffic to BGP neighbour and receiving control plane traffic back from the neighbour.

Usage of Control Plane Protection is important on routers receiving heavy traffic of which to many packets are forwarded to Control Plane. In that case, we can filter traffic based on predefined priority classes that we are free to define based on our specific traffic pattern.

| Continue Reading.. |

How Encryption of Network Traffic Works?

I recently started studying again, this time as an attempt of deep-diving into some security concepts for one of my PhD courses. It’s interesting how, as much as you try to escape from it, mathematics will sooner or later catch you somewhere and you will need to learn a bit more of it. At least that happened to me…

In this process I realised that if you go beyond simple security theory and network device configuration all other stuff is pure mathematics.

The reason behind my unplanned course in mathematics is explained through the rest of this text. It will explain what is network security and where is the math needed to get network communication secure. In the end, it was actually fun.

Encryption

Encryption

If you want two distant computers to talk with each other so that nobody else can see what they are talking about, you want to make a secure network connection between them. Security in this case means that you need to connect those machines to the network and be able to make the communication a secret communication. Secret communication through public communication system is possible by using encryption.

| Continue Reading.. |