Cisco CCIE Security 350-701 – SDN Models – Architecture Part 2

3. SDN – Network Design Requirments

Next thing we’ll try to understand the impact on the networking design when you decided to use controls. Now, let’s take an example. I got a new network set up. One of my clients want to set up a new network probably. And maybe you have some hundreds of devices or maybe thousands of devices you want to set up. As I have learned that the Sdn has a lot of benefits.

So I decided to implement my network with Sdn capabilities. Or maybe if you are using some existing network, probably you want to upgrade to Sdn. Now, what are the things you need to consider while you are designing your network? Because with the help of Sdn I can do automatic provisioning of your devices. I don’t need to go to individual device. They can be automatically updated with the configurations dynamically.

We can change the quality of service policies, or maybe security policies I can change or even you can upgrade your devices. There are plenty of benefits, we already discussed in the previous sections. So now we need to think many things, we need to know many things, or you need to plan the things in advance what exactly we require. So the first thing you need to check the hardware, whatever you select that must understand the controller protocols. Because at the end you need to make sure that your controller this is a group of controllers.

Now these controllers should be communicating with your networking devices. Now, whatever the networking devices you are running, they must be able to talk to each other. Let’s say I decided to run some kind of Cisco specific controller, or maybe I decided to run the VMware controller, or maybe a Juniper controller. Now, whatever the controller you select according to that, let’s say I’m selecting a Cisco. So basically I’ll be running some networking devices which understand and interoperable between the Cisco controller along with your devices.

Like if I’m running a Cisco products in my network, probably I prefer to go with the Cisco controller, which makes much easier to communicate. Or if you are opting for any other controller, you need to make sure that these controllers are able to interact with the existing devices. Or maybe you are planning a new devices, make sure that you are selecting the devices which are interoperatable. Okay? So if you use a different controllers which if they are not able to operate, then it’s not going to work. So that’s the first thing. Controllers selected hardware must understand the controller protocols. Now the second thing is like you must plan redundant paths or you need to path sorry. The next step is controller should configure the clusters in reddency.

The clusters are nothing. But now if you have just one controller and what if the controller goes down, then that is going to be a single point of failure and you don’t want that. So probably it’s very important to manage you plan the clusters for redundancy. Where you are going to say I’m going to use multiple Sdn controllers and I’m going to group them, group them in a cluster, which means it is going to behave just like one single big controller.

And with this we can provide something called failover if any one of the controller fails, till the remaining will take care. And also it will give something called high availability. So that mostly all the time the controller is available and also it will improvise the performance because when you’re running multiple controllers, the performance also will be more better, it improves the performance as well.

So we need to plan the controllers in cluster, at least two, three in a group. And the next thing is we need to plan redundant paths to the controller. Now, which means now let’s say this is your controller or group of controllers. Now we have only one path connecting to that. Now, what if that particular path fails? Then again, that will be a single point of failure. So we always need to make sure that to reach these clusters we have redundant paths. Now this is one path, this other path, there are multiple paths. Here you can see if any one of the path fails or even if multiple path fails, still you have alternative paths so that you can reach the controller in general. So that is also one thing we need to consider. So always ensure that we have multiple paths to reach the controller from your network. Again, as I said, if there is a single path, then that can be a single point of failure.

Now, other things, like if you are setting up multiple geographical locations, then we have to plan the controller so that all the different sites can reach the controller properly. Like if you take an example, I got multiple sites here in different locations. Now I decided to go with the controller. Now, how we are going to plan, now we are going to place one controller, maybe a set of controllers in the head office and you’re going to ensure that all the sites can reach to that particular controller. And also we need to make sure that we have remnant parts because again, if there is a single part then single wire connection, then that’s going to be a single part of failure. Or you are going to place a separate controller in each side. So this is something you have to plan. So most of the time we prefer a centralized controller to minimize the cost.

But at the same time you have to ensure that we do have multiple paths to reach out that particular controller. That is also one thing you need to consider while designing your network with your SDM controllers. Now, one more thing, security is also important because the controller is going to be the central place from where you control it is like part of your SDM. Now we need to make sure that we also secure it because typically if this controller is not secured now, there is a possibility that the controller may be a primary target for the attackers to attack because from everything, all the centralized decisions will be taken from the controller.

And if that particular controller fails, then it can lead to something called single point of failure or generally denial of service attacks where the attackers want the controller should go down or attackers, or even sometimes the attacker may try to gain control over the network or over your controller. And then they can manipulate, they can get access to the controller and based on that, the attacker can actually gain control over your network also.

So it’s very important we need to plan the Sdn controller so that the Sdn controller should not have any unauthorized access. And even if someone is trying to do that, then basically there must be some kind of alerts which indicates that this unauthorized access has occurred. So probably into planned secrets. So it’s a big thing, probably, but securing the control is also very important. And finally training as well. Because once you decided to implement the controllers, you need to make sure that your network engineers should be able to understand the behavior of these controller networks so that they can implement as well as later on. They can. Also verify the SDL networks because they need to have an understanding, good knowledge of these things so that later on they can expertise in implementing this specific technology.

4. UNde

rlaY Networks

Now in this section we’ll try to understand the controller based Sdn architecture concepts. Okay? So in the previous section if you remember we have discussed about the Sdn controller options, how it is going to separate the control plane and the data plane. So probably in this section we will try to understand the architecture and some terminologies later to underlay network and the overlay network. So we’ll try to see the difference between the underlying network and the overlay. And the fabric is fabrics we call them as these are the concepts comes under Sdn architectures. So most of the Sdn networks as we already discussed, they are completely based on underlay and the overlay. So if you want to achieve a separate control plane and the data plane like we have seen in the traditional networks, we used to have the same devices.

So all the networking devices will actually do forwarding that is your data plane as well as they make the decisions or build the routing tables or build database. Now with the help of Sdn, what we are doing is we are going to separate the control plane and most likely the control plane task will be present on your Sdn controller and whereas your networking devices will be doing the job of a data plane. Okay, so we have seen this concept earlier. So here we’ll see the underlay and the overlay. So in short to describe the underlay networks. Now the underlay is the actual network which is being built. Which is being built and we will be providing something called IP reachability, like end to end. Let’s say I have a server here or a computer here trying to access another end. So we do have end to end reachability.

So when you are building a network with a complete IP reachability, we call this as an underlying network and the overlay network is actually on the top of the underlay. It is a kind of virtual network which is built on the top of your underlying infrastructure. OK, Sdn fabric is actually the devices which are used in this architecture. So let’s try to get into more details here. Like first we’ll talk about under the networks. So the first thing we need to understand underlying networks relates to whatever the protocols and the features we are going to use to provide end to end IP reachability between the two endpoints. Like if we take an example, I got a specific computer here or a server here and I have another server here.

So we need to make sure that these two devices or any two devices in your network should have reachability. So that is your main thing what you are going to do. So the underlay provides EndToEnd reachability between your devices. Now to provide this end to end reachability, what we are going to do in general, the first thing we’ll be connecting. So we’ll be doing some kind of connectivity like using some kind of NSE cards or the physical links which are going to connect between the routers which is whatever the devices we use in between we are going to provide the connectivity and simply providing the connectivity is not sufficient.

You need to make sure that we do have some kind of routing protocols like IP routing protocols which must be running any protocol like EHR pospo or static routing or whatever it is. So that must be running on those devices. So once you do this, once you do these two things now we do have an IP reachability between the two endpoints. Now if I generate a ping request from here, so I should be able to ping or reach any other device within your network. So that is what the basic set up. So protocols are the features which are used to provide end to end IP reach ability does the main thing. Now the next thing is like all the links typically will be configured as layer three, point to point links.

Now what this means is so normally we do connectivity between switch to switch, maybe switch to computer and then switch to router in general, whatever the things what we’ll learn in our normal networks. So the links connecting between the routers will be L three where we are going to assign an IP address on both the ends and also will assign IP here of course. But the links which are connecting between switch to switch typically will be L two links, generally trunk links or access links. The L two links where you have an SDP running between the switches and this STP will be deciding which port will be forwarding, the traffic in general. So there is a separation of L two and the L three links in general. But whereas when you talk about the underlying network which we are going to use in our Sdn architecture probably here all the links will be configured as L three links.

So which means the links which are connecting between this will be L three and the links connecting between router to speech will be L three. And of course the links connecting between the router to router also will be L Three. So typically that’s the difference you need to understand when it comes to SDL networks. So this is actually a recommended design to have all the L three links in your campus design. Of course L two also works but it is not recommended. So this is a typical designing consideration.

You need to understand while we are setting up an underlying network in your SDM. Now one more thing, once we set up the links like we discussed that all the links will be L three. Now even the link here will be L three, here switch to switch as well. Now just simply connecting the links as an L three that is not sufficient. So we need to make sure that we run some kind of routing protocol so that we do have a reachability between this point and this point.

So we have two devices, or any two devices in your network must have reachability between them. And that is only possible when you configure some kind of routing protocol. So most commonly, routing protocols like OSPF or ISS are used, which are commonly used. We can say, of course, this supports standard and supported by all the vendors, but you can still go ahead and use EHRP or BCP, any other routing protocol, it’s up to you, as long as it supports.

• Category: Uncategorized