aws training & certification - john...
AWS Training & Certification. John Bryce Training offers, exclusively in Israel, AWS Training and Certification programs to help you develop skills to design, deploy, and operate your infrastructure and applications on the AWS Cloud. The courses are designed for AWS Partners, ISVs, Enterprises, Start-ups & High tech.
Whether you are just getting started or looking to deepen your technical expertise, we have a variety of resources to meet your needs. Discover on-demand tools, technical classes, and certifications to help you on your journey with AWS.
Deepen your technical skills and learn best practices for architecting, developing and operating infrastructure and applications on AWS. Classes are taught by qualified AWS technical trainers and help you learn through a mix of presentation, group discussion, and hands-on lab exercises.
For Further Information: 03-7100642 | [email protected] | www.johnbryce.co.il/AWS
Course codes: 3554, 3566, 3542, 3553, 3550, 3549, 3555
Courses:
Systems Operations on Amazon Web Services
DevOps Engineering on Amazon Web Services
Developing on Amazon Web Services
Big Data on Amazon Web Services
Amazon Web Services Essentials
Architecting on Amazon Web Services
Advanced Architecting on Amazon Web Services
AWS Training partner in Israel
Intra and Cross Cloud Communication
(Transport Technologies)
Contents at a Glance
• Understanding the Fundamental Roles of Layer 3 Devices
• The Need for Cross Cloud Communication Techniques
• Legacy Cross Cloud Communications – GRE/DMVPN
• Packet Forwarding Enhancements using MPLS
• MPLS Advanced Solutions – L3VPN/L2VPN [vlan vs vxlan]/Traffic Engineering
• OTV – Overlay Transport Virtualization
• LISP – Local IP Separation Protocol
Understanding the Fundamental Roles of Layer 3 Devices
Layer 3 Device Roles
• Control Plane
– Building of Routing Table
– Building of Adjacency Table
• Data Plane
– Packet Forwarding
Frame Rewrite
Control Plane vs Data Plane
Topology Driven Switching
Forwarding Information Base (FIB)
• Derived from the IP routing table.
• Arranged for maximum lookup throughput.
• IP destination prefixes stored in TCAM, from most-specific to least-specific entry.
• FIB lookup based on Layer 3 destination address prefix (longest match).
• Updated after each network change, but only once: each change in the IP routing table triggers a similar change in the FIB.
• Contains all known routes. Contains all next-hop addresses associated with all destination networks.
Adjacency Table (AT)
• Derived from the ARP table; contains Layer 2 header rewrite (MAC) information for each next hop contained in the FIB. Nodes in a network are said to be adjacent if they are within a single hop of each other.
• Maintains Layer 2 next-hop addresses and link-layer header information for all FIB entries.
• Populated as adjacencies are discovered.
• Each time an adjacency entry is created (such as via ARP), a Layer 2 header for that adjacent node is pre-computed and stored in the adjacency table.
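As an added illustration (not from the slides), the following Python keeps the FIB and the adjacency table as the two separate structures the bullets describe: prefixes ordered most-specific first, an Ethernet rewrite pre-computed once per next hop, and a forward() step that punts when either lookup fails. All prefixes, next hops, interface names and MAC addresses are constructed.

```python
# Added example: CEF-style split between FIB (prefix lookup) and adjacency
# table (pre-computed Layer 2 rewrite). All table contents are constructed.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


class Fib:
    """FIB derived from the routing table: prefixes kept most-specific first."""

    def __init__(self):
        self._entries = []  # (network, next_hop, out_iface)

    def add_route(self, prefix, next_hop, iface):
        self._entries.append((ipaddress.ip_network(prefix), next_hop, iface))
        # TCAM-style ordering: the first hit is the longest match.
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, next_hop, iface in self._entries:
            if addr in net:
                return next_hop, iface
        return None


class AdjacencyTable:
    """Pre-computed Layer 2 rewrite for each next hop the FIB references."""

    def __init__(self, local_macs):
        self._local_macs = local_macs  # out_iface -> router's own MAC
        self._rewrite = {}             # (next_hop, out_iface) -> Ethernet header

    def learn(self, next_hop, iface, next_hop_mac):
        # Built once when the ARP entry is created, not per packet.
        hdr = struct.pack("!6s6sH", _mac(next_hop_mac),
                          _mac(self._local_macs[iface]), ETHERTYPE_IPV4)
        self._rewrite[(next_hop, iface)] = hdr

    def rewrite_for(self, next_hop, iface):
        return self._rewrite.get((next_hop, iface))


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def forward(fib, adj, dst):
    """Data-plane path: FIB lookup, then the cached frame rewrite.
    Returns (next_hop, out_iface, ethernet_header), or None when the packet
    must be punted to software (no route, or adjacency not resolved yet)."""
    hit = fib.lookup(dst)
    if hit is None:
        return None
    next_hop, iface = hit
    hdr = adj.rewrite_for(next_hop, iface)
    if hdr is None:
        return None
    return next_hop, iface, hdr


def demo_lookup(dst):
    """Constructed tables: default route, a /16 and a more specific /24;
    the /16 next hop deliberately has no adjacency yet (ARP pending)."""
    fib = Fib()
    fib.add_route("0.0.0.0/0", "192.168.3.1", "Gi0/0")
    fib.add_route("10.1.0.0/16", "192.168.3.2", "Gi0/1")
    fib.add_route("10.1.1.0/24", "192.168.3.3", "Gi0/1")
    adj = AdjacencyTable({"Gi0/0": "00:00:5e:00:53:01", "Gi0/1": "00:00:5e:00:53:02"})
    adj.learn("192.168.3.1", "Gi0/0", "00:00:5e:00:53:10")
    adj.learn("192.168.3.3", "Gi0/1", "00:00:5e:00:53:30")
    return forward(fib, adj, dst)
```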
Packet Types Forcing Software Processing
• Use of IP header options (packets that use TCP header options are switched in hardware because they do not affect the forwarding decision).
• Have an expiring IP TTL counter.
• Forwarded to a tunnel interface.
• Arrive with non-supported encapsulation types.
• Routed to an interface with a non-supported encapsulation type.
• Exceed the maximum transmission unit (MTU) of an output interface and must be fragmented.
• Network Address Translation (NAT).
The Need for Cross Cloud Communication Techniques
Cross Cloud Communications
Communicating via Cloud Technologies
Data Center Network Topologies
Virtual Private Networks
• Overlay VPN
– GRE
– DMVPN
– OTV
– LISP
– L2VPN based MPLS
• ATOM
• VPLS
• Peer to Peer
– L3VPN based MPLS
Benefits of VPN Implementations
– Overlay VPN:
• Service provider does not participate in customer routing
• Customer network and service provider network are well-isolated
– Peer-to-peer VPN:
• Guarantees optimum routing between customer sites
• Easier to provision an additional VPN
Drawbacks of VPN Implementations
– Overlay VPN:
• Implementing optimum routing requires a full mesh of VCs.
• Bandwidth must be provisioned on a site-to-site basis.
• Overlay VPNs always incur encapsulation overhead (IPsec or GRE).
– Peer-to-peer VPN:
• The service provider participates in customer routing.
• The service provider becomes responsible for customer convergence.
• PE routers carry all routes from all customers.
• The service provider needs detailed IP routing knowledge.
Legacy Cross Cloud Communications – GRE/DMVPN
Generic Routing Encapsulation
• OSI Layer 3 tunneling protocol:
– Uses IP for transport
– Uses an additional header to support any other OSI Layer 3 protocol as payload
Default GRE Characteristics
– Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
– Stateless (no flow control mechanisms)
– No security
– 24-byte overhead by default (20-byte IP header and 4-byte GRE header)
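Added example (not from the slides): building and stripping the default 4-byte GRE header around an IPv4 packet in Python, to make the 24-byte overhead and its effect on the outbound MTU concrete. Tunnel endpoint addresses are constructed; IP protocol number 47 and EtherType 0x0800 are the standard values for GRE and IPv4.

```python
# Added example: minimal GRE encapsulation (no checksum/key/sequence fields),
# showing the 20-byte outer IP + 4-byte GRE overhead the slide quotes.
import struct

GRE_PROTO = 47            # IANA protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, df=False):
    """20-byte IPv4 header without options, checksum filled in."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Outer IPv4 (protocol 47) + 4-byte GRE header (flags/version 0)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Strip the outer IP header (IHL-aware) and the GRE header.
    Rejects non-GRE packets and GRE headers that carry optional fields."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    if flags & 0xB000:  # C, K or S bit set: header longer than 4 bytes
        raise ValueError("optional GRE fields present, not the default header")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("payload is not IPv4")
    return packet[ihl + 4:]


def overhead(inner_len, tunnel_src="192.0.2.1", tunnel_dst="198.51.100.1"):
    """Bytes added by encapsulation for an inner packet of inner_len bytes."""
    outer = gre_encapsulate(b"\x00" * inner_len, tunnel_src, tunnel_dst)
    return len(outer) - inner_len


def fits_mtu(inner_len, mtu=1500):
    """False when the encapsulated packet exceeds the tunnel's outbound MTU,
    i.e. the packet would need fragmentation (the software path from the
    earlier slide) or would be dropped if DF is set."""
    return inner_len + overhead(inner_len) <= mtu
```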
GRE Configuration Example
DMVPN Overview
– DMVPN = mGRE + Dynamic NHRP with NHS + IPsec Tunnel Protection
What is DMVPN?
• From a high level
– A Point-to-Multipoint Overlay VPN Tunneling Technology
• From a lower level
– Dynamic and scalable way to build GRE over IPsec site-to-site tunnels
DMVPN High Level Design
• Remote sites build static tunnels to a central location
– Hub-and-spoke
– Spokes exchange routing information with hub over the static tunnel
– Spoke to hub traffic routes over static tunnel
– Spoke to spoke traffic routes over dynamic on-demand tunnels
Why Use DMVPN?
• Simple configuration management
– Spokes use a standard config template
• Simple provisioning
– Adding new spokes requires no reconfiguration of hub or other spokes
• Supports transport of multiple protocols
– IPv4 & IPv6 unicast & multicast, static & dynamic routing
DMVPN Components
• Can be broken down into major components
– Traffic Routing
• Multipoint GRE (mGRE)
• Next Hop Resolution Protocol (NHRP)
– Traffic Encryption
• IPsec
• DMVPN can be used without IPsec, but most designs want encryption
How DMVPN Works – Hub to Spokes
• Two main components
– DMVPN Hub / NHRP Server
– DMVPN Spokes / NHRP Clients
• Spokes/Clients register with Hub/Server
– Spokes manually specify Hub’s address
– Hub dynamically learns Spokes’ VPN address & NBMA address
• Spokes establish tunnels to Hub
– Used to exchange IGP routing information
How DMVPN Works?
How DMVPN Works – Spoke to Spoke
• Spoke1 knows Spoke2’s routes via IGP
– Learned via tunnel to Hub
– Next-hop is Spoke2’s VPN IP
• Spoke1 asks Hub for Spoke2’s real address
– Maps next-hop (VPN) IP to tunnel source (NBMA) IP
– Sent via NHRP request
• Spoke to Spoke tunnel is formed
– Hub only used for control plane exchange
Packet Forwarding Enhancements using MPLS
Basic MPLS Features
– MPLS is a switching mechanism in which packets are forwarded based on labels.
– Labels usually correspond to IP destination networks (equal to traditional IP forwarding).
– Labels can also correspond to other parameters:
• Layer 3 VPN destination
• Layer 2 circuit
• Outgoing interface on the egress router
• QoS
• Source address
– MPLS was designed to support forwarding of non-IP protocols as well.
Basic MPLS Concepts Example
Major Components of MPLS Architecture
– Control plane:
• Exchanges routing information and labels
• Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP
• Exchanges labels, such as LDP, BGP, and RSVP
– Data plane:
• Forwards packets based on labels
• Has a simple forwarding engine
Control Plane Components Example
MPLS Labels
– MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol.
– MPLS uses a 32-bit label field that is inserted between Layer 2 and Layer 3 headers.
MPLS Header Format
• MPLS uses a 32-bit label field that contains this information:
– 20-bit label
– 3-bit experimental field
– 1-bit bottom-of-stack indicator
– 8-bit TTL field
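Added example (not the deck's own code): encoding and decoding the 32-bit MPLS header exactly as the slide lays it out, stacked with the bottom-of-stack bit, plus the per-hop label swap with TTL decrement. The label values 19, 24 and 16 are chosen to match the forwarding-table outputs later in the deck; the parser rejects a stack that ends before a bottom-of-stack entry.

```python
# Added example: MPLS shim header = 20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL.
import struct
from dataclasses import dataclass


@dataclass
class MplsLabel:
    label: int
    exp: int = 0
    ttl: int = 255


def encode_stack(entries):
    """Serialise a list of MplsLabel, first element on top of the stack.
    The S (bottom-of-stack) bit is set only on the last entry."""
    if not entries:
        raise ValueError("empty label stack")
    out = bytearray()
    for i, e in enumerate(entries):
        if not (0 <= e.label < 2 ** 20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
            raise ValueError(f"field out of range in {e}")
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (e.label << 12) | (e.exp << 9) | (s << 8) | e.ttl)
    return bytes(out)


def decode_stack(data):
    """Parse entries until the S bit is set; returns (labels, payload).
    Running out of bytes before S=1 means a malformed stack."""
    labels = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        labels.append(MplsLabel(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return labels, data[offset:]


def swap_top(data, new_label):
    """LSR data-plane step: replace the top label and decrement its TTL; the
    rest of the stack and the payload are untouched. Returns None when the
    TTL would expire, i.e. the packet is dropped/punted instead of forwarded."""
    labels, payload = decode_stack(data)
    top = labels[0]
    if top.ttl <= 1:
        return None
    labels[0] = MplsLabel(new_label, top.exp, top.ttl - 1)
    return encode_stack(labels) + payload
```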
Label Switch Routers
Packet Forwarding via MPLS
MPLS Advanced Solutions – L3VPN/L2VPN [vlan vs vxlan]/Traffic Engineering
Using Layer 2 Circuit Emulation Example
Using Layer 3 MPLS VPN Example
MPLS VPN Architecture
• An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
– PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
– PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
– Customers can use overlapping addresses.
MPLS VPN Architecture: Terminology
PE Router Architecture
Propagation of Routing Information Across the P-Network
MPLS VPNs and Packet Forwarding
[Figure: MPLS/VPN backbone: CE-RIP-B1, CE-OSPF-A1, CE-RIP-B2, CE-OSPF-A2; PE1 172.16.1.1, P2 172.16.1.2, P3 172.16.1.3, PE4 172.16.1.4]
PE1#show ip route
…
172.16.1.4 via 192.168.3.22 S0/0.2
172.16.1.1 directly connected Lo0
172.16.1.3 via 192.168.3.22 S0/0.2
172.16.1.2 via 192.168.3.22 S0/0.2
…
P2#show ip route
…
172.16.1.4 via 192.168.3.17 S0/0.2
172.16.1.1 via 192.168.3.21 S0/0.1
172.16.1.3 via 192.168.3.17 S0/0.2
172.16.1.2 directly connected Lo0
…
P3#show ip route
…
172.16.1.4 via 192.168.3.13 S0/0.2
172.16.1.1 via 192.168.3.18 S0/0.3
172.16.1.3 directly connected Lo0
172.16.1.2 via 192.168.3.18 Se0/0.3
…
PE4#show ip route
…
172.16.1.4 directly connected Lo0
172.16.1.1 via 192.168.3.14 S0/0.1
172.16.1.3 via 192.168.3.14 S0/0.1
172.16.1.2 via 192.168.3.14 S0/0.1
…
[Figure: same MPLS/VPN backbone topology]
PE1#show mpls forwarding-table
…
P2#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
…
16     Pop tag     172.16.1.1 255.255.255.255 \
                                     1223       Se0/0.1    point2point
P3#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
…
19     16          172.16.1.1 255.255.255.255 \
                                     1267       Se0/0.3    point2point
PE4#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
…
20     19          172.16.1.1 255.255.255.255 \
                                     0          Se0/0.1    point2point
[Figure: same topology; 10.1.1.0/24 appears in both the VRF-A (RD 1:10, RT both 1:101) and the VRF-B (RD 1:20, RT both 1:201) routing tables on PE1; Multi-protocol BGP]
PE1#show ip route vrf A
…
O    10.1.1.0/24 [110/65] via 192.168.1.2, 00:00:51, Serial0/0.3
…
[Figure: same topology and VRFs]
PE1#show ip bgp vpnv4 vrf A
BGP table version is 23, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf A)
*> 10.1.1.0/24      192.168.1.2             65         32768 ?
…
[Figure: same topology and VRFs]
PE1#show ip route vrf B
…
R    10.1.1.0/24 [120/1] via 192.168.1.2, 00:00:04, Serial0/0.4
[Figure: same topology and VRFs]
PE1#show ip bgp vpnv4 vrf B
BGP table version is 30, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:20 (default for vrf B)
*> 10.1.1.0/24      192.168.1.2              1         32768 ?
…
[Figure: same topology; Multi-protocol BGP now holds 10:1:10.1.1.0/24 RT=1:101 and 10:2:10.1.1.0/24 RT=1:201]
PE1#show ip bgp vpnv4 all 10.1.1.0
BGP routing table entry for 1:10:10.1.1.0/24, version 20
Paths: (1 available, best #1, table A)
  Advertised to non peer-group peers:
  172.16.1.4
  Local
    192.168.1.2 from 0.0.0.0 (172.16.1.1)
      Origin incomplete, metric 65, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:101 OSPF DOMAIN ID:0.0.0.11 OSPF RT:0:2:0
BGP routing table entry for 1:20:10.1.1.0/24, version 27
Paths: (1 available, best #1, table B)
  Advertised to non peer-group peers:
  172.16.1.4
  Local
    192.168.1.2 from 0.0.0.0 (172.16.1.1)
      Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:201
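Added example (not from the slides): how the two overlapping 10.1.1.0/24 routes shown in the outputs above stay separate across the backbone. Each VRF prepends its RD to form a unique VPNv4 prefix, attaches its export route target and a VPN label, and the receiving PE imports a route only into VRFs whose import RT matches. The RD, RT, label and next-hop values are taken from the slide outputs; the router objects, the extra VRF C and the import logic are mine.

```python
# Added example: VPNv4 route origination and RT-based import (toy model).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher prepended to make the prefix unique
    prefix: str      # IPv4 prefix as learned from the CE
    next_hop: str    # originating PE loopback
    vpn_label: int   # label that PE allocated for the VRF route
    rts: frozenset   # route-target extended communities


@dataclass
class Vrf:
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, vpn_label)


class PeRouter:
    def __init__(self, loopback):
        self.loopback = loopback
        self.vrfs = {}
        self.bgp_table = set()  # every VPNv4 route received; the RD keeps them distinct

    def add_vrf(self, name, rd, rt_both):
        # "RT both X" on the slide: X is used as export and as import RT.
        self.vrfs[name] = Vrf(rd, frozenset([rt_both]), frozenset([rt_both]))

    def originate(self, vrf_name, prefix, vpn_label):
        """Redistribute a VRF route into MP-BGP: prepend RD, attach export RTs."""
        vrf = self.vrfs[vrf_name]
        return Vpnv4Route(vrf.rd, prefix, self.loopback, vpn_label, vrf.export_rts)

    def receive(self, route):
        """MP-BGP receive: keep the VPNv4 route, then import it into each VRF
        whose import RTs intersect the route's RTs; the RD is dropped on import."""
        self.bgp_table.add(route)
        for vrf in self.vrfs.values():
            if vrf.import_rts & route.rts:
                vrf.routes[route.prefix] = (route.next_hop, route.vpn_label)


def run_scenario():
    """Replay the slides: PE1 originates 10.1.1.0/24 from VRF A (label 24) and
    from VRF B (label 26); PE4 imports each into the matching VRF only."""
    pe1 = PeRouter("172.16.1.1")
    pe4 = PeRouter("172.16.1.4")
    for pe in (pe1, pe4):
        pe.add_vrf("A", "1:10", "1:101")
        pe.add_vrf("B", "1:20", "1:201")
    pe4.add_vrf("C", "1:30", "1:301")  # constructed: a VRF with no matching RT
    pe4.receive(pe1.originate("A", "10.1.1.0/24", 24))
    pe4.receive(pe1.originate("B", "10.1.1.0/24", 26))
    return pe4
```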
[Figure: same topology; PE1 LFIB: label 24 -> untagged on S0/0.3, label 26 -> untagged on S0/0.4]
PE1#show mpls forwarding-table detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
…
24     Untagged    10.1.1.0 255.255.255.0[V] \
                                     0          Se0/0.3    point2point
       MAC/Encaps=0/0, MTU=1504, Tag Stack{}
       VPN route: A
       No output feature configured
       Per-packet load-sharing
26     Untagged    10.1.1.0 255.255.255.0[V] \
                                     0          Se0/0.4    point2point
       MAC/Encaps=0/0, MTU=1504, Tag Stack{}
       VPN route: B
       No output feature configured
       Per-packet load-sharing
[Figure: same topology. Multi-protocol BGP table in PE1: 10:1:10.1.1.0/24 RT=1:101; 10:2:10.1.1.0/24 RT=1:201. Multi-protocol BGP table in PE4: 10:1:10.1.1.0/24 RT=1:101 NH=172.16.1.1 Label=24; 10:2:10.1.1.0/24 RT=1:201 NH=172.16.1.1 Label=26]
[Figure: same topology; PE4 MP-BGP table holds 10:1:10.1.1.0/24 RT=1:101 NH=172.16.1.1 Label=24 and 10:2:10.1.1.0/24 RT=1:201 NH=172.16.1.1 Label=26]
PE4#show ip bgp vpnv4 vrf A
   Network          Next Hop            Metric LocPrf …
Route Distinguisher: 1:10 (default for vrf A)
*>i10.1.1.0/24      172.16.1.1              65    100 …
…
PE4#show ip bgp vpnv4 vrf B
   Network          Next Hop            Metric LocPrf …
Route Distinguisher: 1:20 (default for vrf B)
*>i10.1.1.0/24      172.16.1.1               1    100 …
…
[Figure: same topology]
PE4#show ip route vrf A
…
B    10.1.1.0/24 [200/65] via 172.16.1.1, 00:11:04
…
[Figure: same topology; PE4 FIB for vrf A holds 10.1.1.0/24 {19 24}]
PE4#show ip cef vrf A 10.1.1.0 detail
10.1.1.0/24, version 11, cached adjacency to Serial0/0.1
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se0/0.1, point2point, tags imposed: {19 24}
  via 172.16.1.1, 0 dependencies, recursive
    next hop 192.168.3.14, Serial0/0.1 via 172.16.1.1/32
    valid cached adjacency
    tag rewrite with Se0/0.1, point2point, tags imposed: {19 24}
[Figure: same topology]
PE4#show tag-switching forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   …
tag    tag or VC   or Tunnel Id      switched   interface
…
20     19          172.16.1.1 255.255.255.255 \
                                     0          Se0/0.1    …
[Figure: same topology]
PE4#show ip route vrf B
…
B    10.1.1.0/24 [200/1] via 172.16.1.1, 00:07:28
…
PE4#show ip cef vrf B 10.1.1.0 detail
10.1.1.0/24, version 10, cached adjacency to Serial0/0.1
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se0/0.1, point2point, tags imposed: {19 26}
  via 172.16.1.1, 0 dependencies, recursive
    next hop 192.168.3.14, Serial0/0.1 via 172.16.1.1/32
    valid cached adjacency
    tag rewrite with Se0/0.1, point2point, tags imposed: {19 26}
[Figure: same topology; PE4 now holds 10.1.1.0/24 {19 24} in the vrf A FIB and 10.1.1.0/24 {19 26} in the vrf B FIB]
[Figure: same topology]
PE4#show tag-switching forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   …
tag    tag or VC   or Tunnel Id      switched   interface
…
20     19          172.16.1.1 255.255.255.255 \
                                     0          Se0/0.1    …
[Figure: end-to-end forwarding across the same topology.
PE1 LFIB: label 24 -> untagged on S0/0.3; label 26 -> untagged on S0/0.4
P2 LFIB: label 16 -> pop on S0/0.1
P3 LFIB: label 19 -> 16 on S0/0.3
PE4 FIB vrf A: 10.1.1.0/24 {19 24}
PE4 FIB vrf B: 10.1.1.0/24 {19 26}
A packet to 10.1.1.1 entering PE4 from vrf A leaves PE4 carrying VPN label 24 and transport label 19, leaves P3 with 24 and 16, leaves P2 with only 24 (transport label popped), and is delivered unlabelled by PE1; the vrf B packet carries 26 and 19, then 26 and 16, then 26 on the same hops.]
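Added example (not the deck's code): the label operations on the slide above replayed hop by hop in Python. PE4 holds the per-VRF FIB that imposes the {transport, VPN} stack, and P3, P2 and PE1 hold the LFIBs shown on the slide; label stacks are listed top (outer) first, as in "tags imposed: {19 24}". The walk PE4 -> P3 -> P2 -> PE1 and the interface names come from the slides; the trace() helper and the drop handling for an unknown label or prefix are mine.

```python
# Added example: per-hop label imposition, swap, pop and untagged delivery
# using the FIB/LFIB contents from the slide.
import ipaddress

# Ingress PE4: per-VRF FIB, prefix -> label stack to impose (outer first).
PE4_VRF_FIB = {
    "A": {"10.1.1.0/24": [19, 24]},
    "B": {"10.1.1.0/24": [19, 26]},
}

# LFIBs from the slide: incoming label -> (action, argument, outgoing interface).
LFIB = {
    "P3":  {19: ("swap", 16, "S0/0.3")},
    "P2":  {16: ("pop", None, "S0/0.1")},       # transport label popped here
    "PE1": {24: ("untagged", None, "S0/0.3"),   # VPN route A
            26: ("untagged", None, "S0/0.4")},  # VPN route B
}
PATH = ["P3", "P2", "PE1"]  # hops after PE4, in the order the slide shows


def impose(vrf, dst):
    """Ingress PE: VRF FIB lookup; returns the label stack or None (no route)."""
    addr = ipaddress.ip_address(dst)
    for prefix, stack in PE4_VRF_FIB[vrf].items():
        if addr in ipaddress.ip_network(prefix):
            return list(stack)
    return None


def lfib_step(device, stack):
    """One LSR hop. Returns (new_stack, out_iface), or None when the top label
    is unknown to this device, i.e. the packet is dropped rather than forwarded."""
    if not stack:
        return None
    entry = LFIB[device].get(stack[0])
    if entry is None:
        return None
    action, arg, iface = entry
    rest = stack[1:]
    if action == "swap":
        return [arg] + rest, iface
    # "pop" removes the transport label; "untagged" at PE1 strips the VPN
    # label and hands the plain IP packet to the CE-facing interface.
    return rest, iface


def trace(vrf, dst):
    """Full walk PE4 -> P3 -> P2 -> PE1. Returns a list of (device, stack after
    the device's action, out_iface), or None if the packet is dropped."""
    stack = impose(vrf, dst)
    if stack is None:
        return None
    hops = [("PE4", list(stack), "S0/0.1")]
    for dev in PATH:
        step = lfib_step(dev, stack)
        if step is None:
            return None
        stack, iface = step
        hops.append((dev, list(stack), iface))
    return hops
```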
Designing MPLS-TE
Designing MPLS-TE cont.
Convergence After Failure
Convergence After Failure cont.
OTV – Overlay Transport Virtualization
Data Center Interconnects
• What is a Data Center Interconnect (DCI)?
– Connection used to transparently extend LAN and SAN connectivity between data center sites
– Common DCI use cases
• Secure Data Replication
• Server Clustering
• Workload mobility
– E.g. vMotion
Types of DCIs
• DCIs are typically private circuits
– Dark Fiber
– MPLS Layer 2 VPN
– MPLS Layer 3 VPN
Overlay Transport Virtualization Overview
• What is Overlay Transport Virtualization (OTV)?
– Layer 2 VPN over IPv4
– Used over the DCI to extend VLANs between data center sites
• OTV was designed for Layer 2 DCI
– Optimizes ARP flooding over DCI
– Does not extend STP domain
– Can overlay multiple VLANs without complicated design
OTV Benefits
• Provides a flexible overlay VPN on top of L2 transports, leveraging the transport IP network capabilities without restrictions for the IP network
• Provides a virtual multi-access L2 network that supports efficient transport of unicast, multicast, and broadcast traffic
OTV Terminology
• OTV Edge Device
– Edge router(s) running OTV
• Authoritative Edge Device (AED)
– Active edge router for a particular VLAN
– Allows for multiple redundant edge routers while preventing loops
• Extend VLANs
– VLAN being bridged over OTV
• Site VLAN
– Internal VLAN used to elect AED
OTV Terminology (cont.)
• Site Identifier
– Unique ID per DC site, shared between AEDs
• Overlay Interface
– The logical OTV tunnel Interface
• OTV Join Interface
– The physical link or port-channel that you use to route upstream towards the DCI
OTV Terminology (cont.)
• OTV Control Group
– Multicast address used to discover the remote sites in the control plane
• OTV Data Group
– Used when you’re tunneling multicast traffic over OTV in the data plane
OTV Control Plane
• Uses IS-IS to advertise MAC addresses between AEDs
– “MAC in IP” Routing
• Encapsulated as Control Group Multicast
– Implies that DCI must support ASM Multicast
– Can be encapsulated as Unicast with OTV Adjacency Server
OTV Data Plane
• Uses both Unicast and Multicast Transport
• Multicast Control Group
– Multicast or Broadcast Control Plane Protocols
– E.g. ARP, OSPF, EIGRP, etc.
• Unicast Data
– Normal Unicast is encapsulated as Unicast between AEDs
• Multicast Data Group
– Multicast Data flows are encapsulated as SSM Multicast
– Implies AEDs use IGMPv3 for (S,G) Joins
• OTV Adjacency Server can remove requirement for Multicast completely
OTV Data Plane: Inter-Site Packet Flow
Data Center Innovations
VXLAN Forwarding
LISP – Local IP Separation Protocol
Why LISP?
• Internet -> Problem Statement
– Rate of routing table growth has scaling impact on the Internet
– Can current routing architecture support newer services?
• Routing Tables (RTs) are growing too fast
Routing Table Growth
LISP for DCI
• Use Cases
– Stretched VLANs
– Metro data centers
– Live migrations
– Disaster recovery sites
– Hot/Cold migrations
LISP use Cases
Separating ID and Location: Changing the semantics for IP
Level of Indirection
• By keeping EIDs fixed
– You don’t have to renumber
– You can keep TCP connections established
• You can change locators when:
– Changing service providers
– Roaming hand-sets
– Relocating Virtual Machines
• While ISPs scale efficiently
What is LISP?
LISP Design Principles
• Locator/Identifier Split
– EID (Endpoint Identifier) -> Identity
– RLOC (Routing Locator) -> Location
• EID to RLOC Mapping
– Distributed architecture that maps EID to RLOC
• Overlay Architecture
– Low deployment cost
– Incremental deployment
What is the Mapping Database System?
• ITRs need EID-to-RLOC map-cache entries
• Require site authoritative and secure control
• Database needs dynamic updates for locator changes
• Mapping Database must be distributed for load scaling and security reasons
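Added example (not from the slides) tying the "Level of Indirection" and "Mapping Database System" slides together: a toy mapping database and an ITR map-cache in Python. The endpoint keeps its EID while its RLOC changes (the VM relocation case), so only the mapping and the outer header change while the inner EID addresses, and therefore existing TCP sessions, stay the same. EID prefixes, RLOCs and the ITR's own locator are all constructed; the solicit-map-request step is modelled simply as a cache invalidation.

```python
# Added example: EID-to-RLOC mapping system, ITR map-cache and encapsulation.
import ipaddress


class MapServer:
    """Authoritative mapping database: EID prefix -> RLOC list."""

    def __init__(self):
        self._db = {}

    def register(self, eid_prefix, rlocs):
        self._db[ipaddress.ip_network(eid_prefix)] = list(rlocs)

    def map_request(self, eid):
        """Longest-prefix match in EID space; None means a negative map-reply."""
        addr = ipaddress.ip_address(eid)
        hits = [n for n in self._db if addr in n]
        if not hits:
            return None
        net = max(hits, key=lambda n: n.prefixlen)
        return net, self._db[net]


class Itr:
    """Ingress Tunnel Router: map-cache in front of the mapping system."""

    def __init__(self, map_server, own_rloc):
        self._ms, self._rloc, self._cache = map_server, own_rloc, {}
        self.requests_sent = 0  # how often the map-cache missed

    def _resolve(self, eid):
        addr = ipaddress.ip_address(eid)
        for net, rlocs in self._cache.items():
            if addr in net:
                return rlocs
        self.requests_sent += 1
        reply = self._ms.map_request(eid)
        if reply is None:
            return None
        net, rlocs = reply
        self._cache[net] = rlocs
        return rlocs

    def encapsulate(self, src_eid, dst_eid):
        """Outer header uses RLOCs, inner header keeps the EIDs unchanged.
        Returns (outer_src, outer_dst, (inner_src, inner_dst)) or None."""
        rlocs = self._resolve(dst_eid)
        if rlocs is None:
            return None
        return self._rloc, rlocs[0], (src_eid, dst_eid)

    def solicit_map_request(self, eid_prefix):
        """SMR from the remote site after a locator change: invalidate the entry."""
        self._cache.pop(ipaddress.ip_network(eid_prefix), None)


def vm_move_scenario():
    """Constructed: EID 10.20.0.5 stays fixed while its RLOC moves from
    203.0.113.1 to 198.51.100.1; returns the three encapsulations and misses."""
    ms = MapServer()
    ms.register("10.20.0.0/16", ["203.0.113.1"])
    itr = Itr(ms, "192.0.2.1")
    first = itr.encapsulate("10.10.0.9", "10.20.0.5")
    cached = itr.encapsulate("10.10.0.9", "10.20.0.5")   # served from map-cache
    ms.register("10.20.0.0/16", ["198.51.100.1"])        # VM relocated
    itr.solicit_map_request("10.20.0.0/16")
    moved = itr.encapsulate("10.10.0.9", "10.20.0.5")
    return first, cached, moved, itr.requests_sent
```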
LISP Basic Operation
Unicast Packet Forwarding
vMotion-based LISP
Modern Overlay DCI Technologies