Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

CHAPTER 2
VIRTUALIZATION

1
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

CHAPTER2: VIRTUALIZATION
- Chapter’s Agenda:
2.1 Describe device virtualization technologies
2.1.a Hypervisor type 1 and 2
2.1.b Virtual machine
2.1.c Virtual switching

2.2 Configure and verify data path virtualization technologies

2.2.a VRF
2.2.b GRE and IPsec tunneling

2.3 Describe network virtualization concepts

2.3.a LISP
2.3.b VXLAN

2
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

2.1 Device Virtualization

- Just Networks, BUT in Virtualized Environment

- Multiple Devices inside One
- Ease of Management

- The Hypervisor: The new Mediator between SW/HW

- Load the Hypervisor on the Physical HW, after that install OS on the
Hypervisor
- Now the Hypervisor = Host, and the OS = Virtual Machines = Guest

- Hypervisors:
- Schedules the VMs requests to the HW
- Distributes the HW resources between the VMs

3
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

- Hypervisors Types:

- Type1:
- The Native or Bare Metal
- Runs directly on the HW resources
- HW ---Hypervisor --- VM

- Type2:
- Hosted
- Runs as a SW besides the OS
- HW --- OS --- Hypervisor

4
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

- How to connect all these?

- Virtual Switches:

- Connects all VMs Together like a Real Switch

- Assigns a Virtual Network Interface Card (V.NIC) for each VM
- Exists by default in Hypervisors Type1
- After Creating a V.Switch & V.NIC, all VMs will automatically get
connected together
*also, can create Port Group for Complete Isolating (like VLANs)
*there is another V.NIC for each VM (for Internet)

- Examples:
- Microsoft Hyper-V
- ESXi VSwitch

5
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

2.2 Data Path Virtualization

2.2.1 Virtual Routing & Forwarding (VRF)

- For Service Providers
- With multiple clients
- isolate each client in a “Routing Table”
- for duplicated addresses
- requires ISP’s network
- MPLS, VPN, L3VPN, BGP

- BUT, for Enterprises:

- VRF-Lite
- No Extra VPN protocols
- classic routing protocols can be used

6
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

2.2.2 Generic Route Encapsulation (GRE)

- Virtually create a P2P path
- Virtually isolate some traffic in a path
- Across multiple hops
- Data will be “Encapsulated” at L3
- Source and Destination ports should be specified
- Virtual ports will be created on Tunnel ends

*NOT SECURED
7
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

2.2.3 Internet Protocol Security (IPSec)

- packets travels unsecured
- any sniffer, analyzer, can read your data!
- IPSec is a bunch of tools
- pick the set you like to secure your data
- Confidentiality: Encrypt the data all the way
- Data Integrity: Guarantees delivering original data
- Authentication: only the trusted ends can communicate
- Anti-Replay: only regenerated or duplicated packets

8
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

- To provide and establish all the CIA and R

- Security Associations (SA) will be exchanged between the peers
- things like (tools, algorithms, protocols, and keys) will be discussed

- Security Associations Parameters

- hashing: redistributing data by using an algorithm (MD5, SHA)
- encryption: locking data by using a 2-way algorithm
- shared passwords
- all of the above is either statically configured, or dynamically (IKE)

- Static means that every parameter is defined manually

9
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

- Dynamic (Internet Key Exchange, IKE)

- a group of SA’s
- end tunnels will negotiate their accepted SA’s
- IKE has versions 1 and 2
- IKEv1 creates 2 Tunnels (in 2 phases):
- Phase1: establish an authenticated tunnel, it requires:
- authentication (PSK or PKI)
- encryption (DES, 3DES, or AES)
- hash (SHA or MD5)
- DH group
- lifetime (optional)
- Phase2: negotiates SA’s between end points
- (Destination, Data, and Transport Method)

*PSK requires Password

10
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

2.3 Network Virtualization

- 2.3.1 Locator/ID Separation Protocol (LISP)

- also, a tunneling protocol (like GRE)
- establish a tunnel between edge routers and the WAN
- separates location from identity
- identity: IP Address of the host (Endpoint ID, EID)
- location: IP Address of the host’s GW (Routing Locator, RLOC)
- RLOC = the address facing the WAN
- useful in the case of:
- load sharing with the provider (multi-homed)
- tunneling IPv6 over IPv4 infrastructure
- other VPN uses
- there are 2 required devices to perform the separation and the mapping
(map this EID to that RLOC)
- a map server (MS), and a map resolver (MR)
- can be combined in a single device
11
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

- 2.3.2 Virtual Extensible Local Area Network (VXLAN)

- a tunneling protocol
- for data centers
- replaces VLAN as it gives 2^24 = 16,777,216 VLAN
- transport L2 over L3
- extends L2 connectivity over L3 infrastructure
- supports ECMP over CLOS (spine and leaf)
- requires L2GW and L3GW
- can use the same VXLAN number on multiple sites
- thus, the same broadcast domain will be stretched between sites

12