Chapter 2 - Virtualization

The chapter discusses device and data path virtualization technologies. It describes hypervisor types 1 and 2 that virtualize hardware. Virtual machines and virtual switches connect VMs to emulate a physical network. VRFs and tunneling protocols like GRE and IPSec are explained for virtualizing the data path and isolating traffic. Network virtualization concepts covered include LISP for separating location and identity and VXLAN for extending VLANs across data centers over layer 3.

Uploaded by

Afia Kamran

Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

CHAPTER 2
VIRTUALIZATION

- Chapter’s Agenda:
2.1 Describe device virtualization technologies
2.1.a Hypervisor type 1 and 2
2.1.b Virtual machine
2.1.c Virtual switching

2.2 Configure and verify data path virtualization technologies
2.2.a VRF
2.2.b GRE and IPsec tunneling

2.3 Describe network virtualization concepts
2.3.a LISP
2.3.b VXLAN


2.1 Device Virtualization

- The same networks and hosts as before, BUT built inside a virtualized environment
  - Multiple (virtual) devices inside one physical box
  - Easier management: devices are created, cloned, moved and deleted in software

- The Hypervisor: the new mediator between SW and HW
  - Load the hypervisor on the physical HW, then install each OS on top of the hypervisor
  - The physical machine running the hypervisor = Host; each OS running on it = Virtual Machine = Guest

- Hypervisor tasks:
  - Schedules the VMs' requests to the HW (CPU, memory, storage, NICs)
  - Distributes the HW resources between the VMs and keeps each VM's share isolated from the others


- Hypervisor Types:

  - Type 1:
    - The Native or Bare-Metal hypervisor
    - Runs directly on the HW, no host OS underneath (e.g. VMware ESXi, Microsoft Hyper-V)
    - HW --- Hypervisor --- VMs
    - Smaller attack surface, the usual choice for production/data center

  - Type 2:
    - Hosted hypervisor
    - Runs as an application on top of a general-purpose host OS
    - HW --- Host OS --- Hypervisor --- VMs
    - A compromise of the host OS also compromises every guest; typical for labs and desktops


- How to connect all these VMs?

- Virtual Switches (vSwitch):

  - Connects the VMs together like a real switch, inside the hypervisor
  - Each VM gets one or more Virtual Network Interface Cards (vNIC), attached to a vSwitch port
  - Exists by default in Type 1 hypervisors (e.g. vSwitch0 on ESXi)
  - VMs whose vNICs sit on the same vSwitch and port group are in one L2 domain and talk to each
    other directly; that traffic never leaves the host, so physical firewalls/IDS do not see it
    *a Port Group on the vSwitch carries a VLAN ID, so VMs can be isolated from each other exactly like VLANs on a physical switch
    *a VM can have a second vNIC on another vSwitch/port group, e.g. one whose uplink is a physical NIC toward the outside network/Internet
    *security check (ESXi): keep the vSwitch/port-group security policy at Promiscuous Mode = Reject,
     MAC Address Changes = Reject and Forged Transmits = Reject, otherwise one VM can sniff or spoof its neighbours

- Examples:
  - Microsoft Hyper-V Virtual Switch
  - VMware ESXi vSwitch (standard or distributed)


2.2 Data Path Virtualization

2.2.1 Virtual Routing & Forwarding (VRF)

- Originally for Service Providers
  - With multiple clients on the same physical router
  - Each client gets its own “routing table” (and forwarding table); interfaces and routes are assigned to a VRF
  - So duplicated/overlapping addresses between clients are fine
  - Carrying the VRFs across the ISP core needs the full SP tool set:
    - MPLS, MP-BGP, L3VPN (VPNv4 routes, route distinguishers and route targets)

- BUT, for Enterprises:

  - VRF-Lite
  - Same per-VRF isolation on the box, no MPLS or MP-BGP needed
  - Classic routing protocols (static, OSPF, EIGRP, BGP) run one instance per VRF
  - Caveat: the isolation holds only as long as no route leaking or shared interface is configured,
    and a VRF is separation, not encryption
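Added example (not from the original slides): a VRF-Lite configuration on a Cisco IOS/IOS-XE router that keeps two customers using the identical 10.1.1.0/24 subnet in separate routing tables, followed by the show commands that verify the separation. The VRF names (CUST-A, CUST-B), interface numbers and addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the slides): VRF-Lite on IOS/IOS-XE.
! Two tenants reuse the same 10.1.1.0/24 subnet; each lives in its own VRF.
! VRF names, interfaces and addresses are assumptions for illustration.
vrf definition CUST-A
 address-family ipv4
 exit-address-family
!
vrf definition CUST-B
 address-family ipv4
 exit-address-family
!
! "vrf forwarding" removes any IP address already on the interface,
! so apply it BEFORE configuring the address.
interface GigabitEthernet0/1
 description CUST-A LAN
 vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description CUST-B LAN
 vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.0
!
! Uplinks toward each tenant's own WAN router, also placed in the VRF
interface GigabitEthernet0/3
 description CUST-A WAN
 vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/4
 description CUST-B WAN
 vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
!
! Static routes are per VRF. Nothing crosses between CUST-A and CUST-B
! unless a route leak (a static route with a "global" next hop, or
! route-target import/export) is explicitly configured.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf CUST-B 0.0.0.0 0.0.0.0 192.0.2.6
!
! Verification: the global table must NOT contain 10.1.1.0/24,
! and each VRF must contain only its own interfaces and routes.
! show vrf
! show ip route vrf CUST-A
! show ip route vrf CUST-B
! show ip route 10.1.1.0              <- expected: "% Network not in table"
! ping vrf CUST-A 10.1.1.10 source 10.1.1.1
```

The two `show ip route vrf` outputs should each list 10.1.1.0/24 as connected on a different interface, while the global table knows nothing about it; if `show ip route` (no vrf keyword) ever shows a tenant prefix, a leak has been configured.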


2.2.2 Generic Routing Encapsulation (GRE)

- Virtually creates a P2P path (the tunnel) over an existing routed network
- Virtually isolates some traffic in that path
- Across multiple hops; the intermediate routers only see the outer header
- Data is “encapsulated” at L3: a 4-byte GRE header plus a new outer IP header (IP protocol 47)
  are added in front of the original packet
- Source and destination IP addresses of the tunnel ends must be specified
  (GRE has no ports; it is not TCP or UDP)
- A virtual Tunnel interface is created on each tunnel end, with its own IP address on the tunnel subnet
- Watch the MTU: the extra 24 bytes of headers mean fragmentation unless the tunnel's
  ip mtu and TCP MSS are lowered

*NOT SECURED: GRE has no encryption, integrity or authentication; anyone on the path can
 read the payload or inject packets into the tunnel
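Added example (not from the original slides): a plain GRE tunnel between two IOS/IOS-XE routers, with the MTU adjustment and the show commands used to verify it. The public addresses are RFC 5737 documentation space and the interface names, LAN prefixes and tunnel subnet are assumptions chosen for illustration.

```cisco
! Added example (not from the slides): a plain GRE tunnel between two
! IOS/IOS-XE routers. Addresses are RFC 5737 documentation space and
! interface names are assumptions for illustration.
!
! ---- Router R1 (public 203.0.113.1, LAN 10.10.0.0/24) ----
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel0
 description GRE to R2 - CLEARTEXT, no IPsec
 ip address 172.16.0.1 255.255.255.252
 ! the tunnel is identified by the two endpoint IP addresses, not by ports
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! outer IPv4 (20) + GRE (4) = 24 bytes of overhead on a 1500-byte link
 ip mtu 1476
 ip tcp adjust-mss 1436
 ! detect a dead far end instead of black-holing traffic
 keepalive 10 3
!
ip route 10.20.0.0 255.255.255.0 Tunnel0
!
! ---- Router R2 (public 198.51.100.1, LAN 10.20.0.0/24) ----
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.1 255.255.255.0
!
interface Tunnel0
 description GRE to R1 - CLEARTEXT, no IPsec
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 ip mtu 1476
 ip tcp adjust-mss 1436
 keepalive 10 3
!
ip route 10.10.0.0 255.255.255.0 Tunnel0
!
! Verification:
! show interfaces Tunnel0       <- "Tunnel protocol/transport GRE/IP", line protocol up
! show ip route 10.20.0.0       <- via Tunnel0
! ping 172.16.0.2 source 172.16.0.1
!
! Security check: a capture anywhere on the WAN path shows IP protocol 47
! packets whose inner IP header and payload are fully readable, which is
! why GRE is paired with IPsec (next section).
```

The `tunnel mode gre ip` line is the default and is shown only to make the encapsulation explicit; the two `ip route ... Tunnel0` statements are what actually steer LAN-to-LAN traffic into the tunnel.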

2.2.3 Internet Protocol Security (IPsec)

- By default IP packets (and GRE tunnels) travel unsecured
  - any sniffer or analyzer on the path can read, or alter, your data!
- IPsec is a framework (a bunch of tools and protocols), not a single algorithm
  - pick the set you need to secure your data:
  - Confidentiality: encrypt the payload all the way between the peers (ESP)
  - Data Integrity: a keyed hash (HMAC) lets the receiver detect any modification in transit
  - Authentication: only trusted peers can set up the tunnel (pre-shared key or certificates)
  - Anti-Replay: sequence numbers and a sliding window make the receiver drop replayed or duplicated packets


- To provide and establish all of the CIA plus anti-replay:

  - Security Associations (SA) are negotiated between the peers
  - An SA is the agreed set of tools: protocol (ESP or AH), algorithms, keys, lifetime,
    and the traffic it covers; one SA is needed per direction

- Security Association parameters

  - hashing: a one-way function used for integrity/HMAC (MD5, SHA-1, SHA-2);
    MD5 and SHA-1 are deprecated, use SHA-256 or stronger
  - encryption: a reversible (two-way) symmetric algorithm (DES, 3DES, AES);
    DES and 3DES are deprecated, use AES (preferably AES-GCM)
  - shared secrets: pre-shared keys, or certificates (PKI)
  - all of the above is either statically configured, or negotiated dynamically (IKE)

- Static means every parameter and every key is defined manually on both ends (manual keying);
  keys never rotate and have to be distributed by hand, so it is rarely used outside labs


- Dynamic (Internet Key Exchange, IKE)

  - negotiates a group of SAs and derives the keys (Diffie-Hellman), so no session key is ever typed in
  - the tunnel ends negotiate their accepted SAs and use the first policy both sides support
  - IKE has versions 1 and 2; IKEv2 is simpler, more robust and the one to use on new deployments
  - IKEv1 creates 2 tunnels (in 2 phases):
    - Phase 1: establish an authenticated, encrypted control tunnel (the IKE/ISAKMP SA); it requires:
      - authentication (PSK or PKI/certificates)
      - encryption (DES, 3DES, or AES; use AES)
      - hash (SHA or MD5; use SHA-2)
      - DH group (use 14 or an ECDH group such as 19/20, not 1, 2 or 5)
      - lifetime (optional, has a default)
    - Phase 2: inside the Phase 1 tunnel, negotiate the IPsec SAs between the end points
      - (which traffic to protect, the ESP/AH transform set, tunnel vs transport mode, lifetime)

*PSK requires the same password (secret) on both peers: make it long and random, and with PSK
 prefer IKEv2 or IKEv1 main mode, never IKEv1 aggressive mode
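Added example (not from the original slides): protecting a GRE tunnel with IPsec on IOS/IOS-XE, shown first with a weak IKEv1 policy of the kind the phase 1 list above allows (deprecated algorithms, short PSK) and then with a hardened IKEv2 profile applied to the tunnel interface. Peer addresses, object names and the PSK placeholder are assumptions chosen for illustration; the configuration is written for router R1 and the mirror image goes on R2.

```cisco
! Added example (not from the slides): GRE over IPsec on IOS/IOS-XE.
! Peer addresses, names and the PSK placeholder are assumptions.
!
! ===== WEAK: IKEv1 phase 1/2 with deprecated algorithms (do NOT use) =====
! DES (56-bit), MD5, DH group 2 (1024-bit) and a guessable PSK.
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 198.51.100.1
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
!
! ===== HARDENED: IKEv2 + AES-GCM + ECDH (router R1) =====
! Phase 1 equivalent: the IKEv2 proposal and policy.
! AES-GCM is a combined mode, so no separate integrity algorithm is set;
! IOS requires a PRF instead.
crypto ikev2 proposal STRONG
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy STRONG
 proposal STRONG
!
! Authentication: the PSK must be identical on both peers. Use a long
! random value generated offline (placeholder below), never a word.
crypto ikev2 keyring PEERS
 peer R2
  address 198.51.100.1
  pre-shared-key <long-random-psk>
!
crypto ikev2 profile GRE-PROT
 match identity remote address 198.51.100.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local PEERS
!
! Phase 2 equivalent: the IPsec SA parameters. Transport mode is enough
! because GRE already supplies the outer tunnel header.
crypto ipsec transform-set AESGCM esp-gcm 256
 mode transport
!
crypto ipsec profile GRE-IPSEC
 set transform-set AESGCM
 set ikev2-profile GRE-PROT
!
! "Traffic to protect" is simply everything that enters the tunnel.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-IPSEC
!
! R2 mirrors this: same proposal/policy/transform-set, keyring peer and
! match identity pointing at 203.0.113.1, same PSK.
!
! Verification:
! show crypto ikev2 sa        <- one IKE SA in state READY between the two peers
! show crypto ipsec sa        <- ESP SAs with "transform: esp-gcm 256", encaps/decaps counters rising
! show crypto session         <- Session status: UP-ACTIVE
! show crypto ikev2 proposal  <- confirm no DES/3DES/MD5/group 1, 2 or 5 is still offered
```

The weak block is included only as the "before" picture; on a real device remove the `crypto isakmp` lines and the WEAK transform set entirely, otherwise a peer that proposes them can still negotiate them.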


2.3 Network Virtualization

- 2.3.1 Locator/ID Separation Protocol (LISP)

  - also a tunneling (encapsulation) protocol like GRE, but with a mapping system (control plane) on top
  - tunnels run between the edge routers (xTRs) across the WAN/core; the core only routes between RLOCs
  - separates location from identity
    - identity: IP address of the host (Endpoint ID, EID)
    - location: IP address of the edge router the host sits behind (Routing Locator, RLOC)
    - RLOC = the edge router's address facing the WAN/core
    - the ingress router (ITR) asks “which RLOC owns this EID?”, encapsulates, and the egress router (ETR) decapsulates
  - useful in the case of:
    - load sharing with the providers (multi-homed sites) without advertising the site prefix to each provider
    - tunneling IPv6 over IPv4 infrastructure (or vice versa)
    - host/VM mobility: the EID stays the same when the host moves, only the EID-to-RLOC mapping changes
    - other VPN uses
  - there are 2 required roles to perform the separation and the mapping
    (map this EID to that RLOC)
    - a Map Server (MS), where the ETRs register their EID prefixes, and a Map Resolver (MR), which the ITRs query
    - can be combined in a single device
  - caveat: the mapping system is the trust anchor; ETR registrations to the MS are authenticated with a
    shared key and must be, and LISP itself does not encrypt the data plane

- 2.3.2 Virtual Extensible Local Area Network (VXLAN)

  - a tunneling protocol: MAC-in-UDP (UDP destination port 4789) over IP, defined in RFC 7348
  - for data centers
  - replaces the VLAN as the segment ID: the 24-bit VXLAN Network Identifier (VNI) gives
    2^24 = 16,777,216 segments versus 4,094 VLANs (12-bit)
  - transports L2 over L3
  - extends L2 connectivity (same subnet, same broadcast domain) over a routed L3 infrastructure
  - supports ECMP over a CLOS (spine and leaf) fabric, because the underlay is plain IP routing
  - the tunnel endpoints are VTEPs, which also provide the gateways:
    L2GW (bridges a VLAN into a VNI) and L3GW (routes between VNIs/subnets)
  - the same VNI can be used on multiple sites
    - thus the same broadcast domain is stretched between sites
  - caveat: like GRE, VXLAN has no authentication or encryption; the VNI is cleartext in the UDP
    header, so anyone who can send UDP/4789 to a VTEP address can inject frames into a segment.
    Filter VXLAN at the fabric/underlay edge and encrypt it (e.g. IPsec) over untrusted transport
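Added example (not from the original slides): a minimal VXLAN flood-and-learn VTEP on a Cisco Nexus (NX-OS) leaf that bridges VLAN 100 into VNI 10100 so the VLAN is stretched across the L3 fabric, with the show commands that verify it and a border ACL for the cleartext-VNI caveat above. The VLAN/VNI numbers, loopback address, multicast group and ACL name are assumptions chosen for illustration.

```cisco
! Added example (not from the slides): VXLAN flood-and-learn VTEP on NX-OS.
! VLAN/VNI numbers, addresses, multicast group and ACL name are assumptions.
!
feature nv overlay
feature vn-segment-vlan-based
!
! L2GW function: bridge VLAN 100 into VXLAN segment 10100
vlan 100
 vn-segment 10100
!
! VTEP address in the underlay; must be reachable from every other leaf
interface loopback0
 ip address 10.255.0.11 255.255.255.255
!
! The NVE interface is the VXLAN tunnel endpoint (VTEP)
interface nve1
 no shutdown
 source-interface loopback0
 ! BUM traffic (broadcast/unknown-unicast/multicast) for this VNI is
 ! flooded over an underlay multicast group
 member vni 10100
  mcast-group 239.1.1.100
!
! Verification:
! show nve vni                       <- VNI 10100, Mcast 239.1.1.100, State Up
! show nve peers                     <- remote VTEP loopbacks learned once traffic flows
! show mac address-table vlan 100    <- remote hosts appear behind "nve1(<peer-loopback>)"
!
! Security check: VXLAN carries the VNI in cleartext and has no
! authentication. At the fabric border, drop UDP/4789 coming from outside
! so an external host cannot address a VTEP and inject frames into a VNI.
ip access-list VXLAN-BORDER
 deny udp any any eq 4789
 permit ip any any
```

The ACL is applied inbound on the border-facing interfaces (outside the fabric); inside the fabric, leaf-to-leaf UDP/4789 must of course remain open, so the filter belongs at the edge and not on the spine links.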

