Software Defined Network (SDN)


First of all, I want to say thanks to Thomas Nadeau and Ken Gray for writing the book (SDN – O’Reilly, 2013)

And now we start with the question… what IS this thing called SDN… the trending topic of early-to-mid 2014

*It’s been a while since I wrote a blog post in English… and now… ENGLISH TIMEEEE

================================================

Introduction

The question is… what is SDN? Well, to put it simply, it is like this…

You know NMS (Network Management Systems), right? Like SolarWinds, Paessler, OpenNMS, or even the infamous Cacti

They share a common behavior… they collect information (via SNMP, of course)

What information? Network information (traffic, data, device type, etc.), so we know the status of our up-and-running production network, which helps us (especially IT managers/network admins) make decisions about our current network (whether to filter traffic, manage bandwidth, apply policy routing, and so on… you name it)

SDN behaves pretty much like that, but it doesn’t only collect information; it also GIVES information/commands to our intermediary devices such as routers, switches, and friends (friends?!?! O_o?!), so those devices can perform best-path selection like PCE (Path Computation Element, RFC 4655, link or WikiLink) in MPLS, or enforce Quality of Service in the network

Figure 1. Image from the Plixer video about SDN, link

Imagine the possibilities. We’ve been strangled by legacy protocols; in the past we could only control the network as far as “those” protocols allowed us to, but with SDN the switches only look up the forwarding table (data plane) and leave the rest (read: the control plane) to be handled by another device


Well…You’re probably right…

Here’s the definition of SDN from ONF…

see https://www.opennetworking.org/sdn-resources/sdn-definition

That’s SDN…in a nutshell

=================================================

Background

In the past, in order to run an operating system (OS), we had to install it on hardware… a different OS meant a different piece of hardware. If you wanted 5 OSes running (it didn’t matter whether they were the same OS or not), you had to buy 5 machines

About 10 years ago, one company invented an interesting technology that allows a host OS (operating system, ex. Linux) to run another OS (like Windows, a completely different OS) on the same physical device

And guess what the company’s name is… VMware, the company that is almost synonymous with the term virtualization

And at the same time… our beloved network devices were still… (almost) stagnant; the only well-known virtualization features were VLAN and VRF (maybe you can name more…)

No protocol flexibility, very stiff, and function-locked. For example… we cannot add an OSPF LSA feature into EIGRP, right? OSPF is OSPF… EIGRP is EIGRP… period

We cannot add a static route using our own terminology; we can only add a static route with the existing command the vendor gives us (we often call this “vendor/protocol locked”)

And also the price (yeaaa… now we’re talking): none of the devices from these giant enterprise networking companies (Cisco, Juniper, Extreme, etc.) are CHEAPPPSS (a new ISR G2 1941 router with many features enabled costs over $1000… you’ve gotta be kiddin’ me, right!?!?)

Building hardware with proprietary software (ex. a router with its IOS) or building software only (ex. IOS only, which can be placed on any hardware): guess which comes cheaper… So that’s why many vendors turned and moved fast into the next “green field”

Juniper acquired Contrail™ for its SDN controller technology; recently Cisco acquired Tail-f Systems™ (a Swedish SDN startup focused on SDN controllers); VMware bought Nicira™; Brocade bought Vyatta™ (famous for its vRouter technology); Big Switch has its BNC (Big Network Controller, proprietary) and Floodlight (open standard); F5 Networks has its LineRate Systems™ (virtual load balancer); and Arista joined the field too (Arista CEO Ullal is an ex-Cisco exec too, lol)

=================================================

The Separation of Control and Data Plane

At first, the control and data planes were in one device, and the question is… how much further can we separate these two planes?

Centralized Control Plane or Distributed Control Plane?

Figure 2. Taken from virtualnetwork.com, link

Imagine controlling MPLS TE via a controller, or removing STP (Spanning Tree Protocol) via 802.1aq, alias SPB (Shortest Path Bridging) by the IEEE (the IETF itself made an equivalent technology called TRILL – Transparent Interconnection of Lots of Links)

And then the routing table… it has been aggressively expanding over the years and will continue to grow with IPv6 adoption, especially the Internet routing tables that ISPs carry

With current addressing architectures, a device needs a new IP address every time it changes networks. Therefore, if a smartphone user switches connectivity from Wi-Fi to another connection (like 3G or 4G), or a virtual machine (VM) is migrated to another physical server in the data center, the device or object requires a new IP address.

In the data center use case, assigning a migrated VM a new IP address means that all other services attached to the VM (firewalls, switches, load balancers, and so forth) won’t be able to “find” the VM until an administrator reconfigures them with the new address (Cisco thought of this case and made OTV – Overlay Transport Virtualization – for its DCI – Data Center Interconnect – technology on Nexus series switches)

This is the right use case for why we must separate the planes. Cisco Systems created a protocol called LISP (Locator/ID Separation Protocol, link), an open-standard routing and addressing architecture developed by Cisco Systems (now handled at the IETF) that plays a role in SDN today.

What LISP does is create 2 address types: EIDs (Endpoint Identifiers) and RLOCs (Routing Locators). An EID can be attached to many RLOCs, and the LISP protocol provides the mapping between them

LISP allows a node (a device: endpoint, server, VM, smartphone, etc.) to keep the same IP address even when its location changes, because it keeps its EID while being mapped to multiple RLOCs. LISP-enabled edge routers can aggregate EID prefixes with closely aligned RLOCs, making it easier for a core router to quickly determine where to send data.

I’d like to say this is like an “enhanced DNS for IP addressing”: you can move wherever you want and your IP is still the same (ex. 10.1.1.1), because that IP is the attached EID, and the LISP databases provide the mapping from EID to RLOC

It’s like a name such as google.com (EID) mapping to the IP address “74.125.68.102” (RLOC) in DNS: you can type “google.com” wherever you are and it still resolves to that IP (and that IP can be anywhere around the globe, which you don’t have to worry about). Here is the link to LISP configuration on Cisco IOS XE
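To make the EID/RLOC split concrete, here is an added Python example (not code from the post and not a LISP implementation): a toy mapping system that answers Map-Requests with a longest-prefix match, keeps an aggregate prefix beside a more specific one, and shows that a VM move only rewrites the RLOC side of the mapping while the EID stays the same. The prefixes, RLOC addresses and the "move" are constructed for illustration.

```python
"""Toy LISP mapping system: the EID stays fixed, the RLOC follows the location.

Added example, not code from the post and not a LISP implementation.
The EID prefixes, RLOC addresses and the "move" below are constructed.
"""
import ipaddress


class MappingSystem:
    """Map-server/map-resolver database answering 'which RLOCs serve this EID?'.

    Each entry maps an EID prefix to a list of (rloc, priority, weight) tuples,
    the same shape a Map-Reply carries; a lower priority value is preferred."""

    def __init__(self):
        self.entries = {}

    def register(self, eid_prefix, rlocs):
        """Map-Register: an ETR announces the RLOCs behind an EID prefix."""
        self.entries[ipaddress.ip_network(eid_prefix)] = list(rlocs)

    def lookup(self, eid):
        """Map-Request: longest-prefix match on the EID; None if unknown."""
        addr = ipaddress.ip_address(eid)
        matches = [net for net in self.entries if addr in net]
        if not matches:
            return None
        return self.entries[max(matches, key=lambda n: n.prefixlen)]

    def resolve(self, eid):
        """Best RLOC for an EID (lowest priority value), or None."""
        rlocs = self.lookup(eid)
        if not rlocs:
            return None
        return min(rlocs, key=lambda r: r[1])[0]

    def move(self, eid_prefix, new_rlocs):
        """A host or VM moved: only the RLOC side changes, the EID is kept."""
        self.register(eid_prefix, new_rlocs)


def itr_encapsulate(mapping, itr_rloc, src_eid, dst_eid):
    """What an ITR does on the data plane: keep the inner EID header and add an
    outer RLOC header, so the core only ever routes on RLOCs.
    Returns (outer_src, outer_dst, inner_src, inner_dst), or None if the
    destination EID cannot be resolved."""
    etr_rloc = mapping.resolve(dst_eid)
    if etr_rloc is None:
        return None
    return (itr_rloc, etr_rloc, src_eid, dst_eid)


def demo():
    """Constructed scenario: a /24 moves from site B to site C, the host keeps 10.1.1.1."""
    ms = MappingSystem()
    ms.register("10.1.0.0/16", [("198.51.100.1", 1, 100)])                  # aggregate, site A
    ms.register("10.1.1.0/24", [("192.0.2.1", 1, 100), ("192.0.2.2", 2, 100)])  # site B
    before = ms.resolve("10.1.1.1")
    ms.move("10.1.1.0/24", [("203.0.113.7", 1, 100)])                      # VM migrated to site C
    after = ms.resolve("10.1.1.1")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The aggregate `/16` entry stands in for the "closely aligned RLOCs" the post mentions: an EID that has no more specific mapping still resolves through it, while the moved `/24` wins by longest prefix.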

Figure 3. Taken from Vina Ermagan and Lori Jakab’s PowerPoint presentation (Cisco Systems summit, 2014)

And according to the SDN book (O’Reilly, page 29), MPLS forwarding is one example of the distributed control model

So… SDN is an architectural approach to simplify and optimize network operations by binding the interaction between applications and network devices: a software-driven network

========================================================

Push the Configuration

So we know that we can control the network using a controller; where do we put the controller? Just like VMware does, in a VM. Can we place it on actual hardware? Yes, as long as that hardware (ex. router or switch) is capable (read: has SDN technology in it); otherwise it is just a legacy network device

Basic question… how do we control the forwarding devices from the controller? Or how do we push configuration from the controller to those devices? The answer is that we make some kind of “push configuration” software/program

In 1992 there were some people who made network-controlling software, but in the end it was abandoned. Why? Because later on the network became mission critical, and no one wanted to mess with it (according to Ivan Pepelnjak in his SDN presentation video @blog.ipspace.net)

The problem is that every vendor has proprietary commands… you can’t type the Cisco “show ip interface brief” CLI command on Juniper Junos, right (“show interface terse”)? So why bother making something to push configuration to network devices, when every vendor has different commands?

So the IETF made the open-standard “push configuration” program called NETCONF (developed and published in 2006, RFC 6241 and RFC 6242)

Figure 4. Taken from the Tail-f website (recently acquired by Cisco; look at the logo in the top-left corner)

According to Thomas Nadeau and Ken Gray (the SDN book authors), the origin of pushing configuration can be traced back to when Juniper engineers used an XML-based network management approach to communicate with their network remotely; this style of approach was brought to the IETF table, hence the birth of NETCONF

Figure 5. The 4 layers of NETCONF, taken from the SDN book (O’Reilly, 2013)

Even though NETCONF is the protocol made for these things, it’s not the only one…

Open-standard software like XMPP, Apache Thrift, Google Protocol Buffers, and JSON (JavaScript Object Notation, XML-based) is somewhat capable of programming the network… and then… OpenStack

Figure 6. Basic configuration of NETCONF, taken from the NETCONF Wikipedia page
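Here is an added Python example that walks the NETCONF layers by hand (it is not code from the post and not a NETCONF library): it builds an `<edit-config>` RPC that targets the candidate datastore (content, operations and messages layers), applies the RFC 6242 chunked framing used on the SSH transport, checks the server `<hello>` for the candidate capability before relying on it, and classifies the `<rpc-reply>`, refusing a reply whose `message-id` does not match the request. The interface fragment (ietf-interfaces data model) and the hello/reply samples are constructed.

```python
"""NETCONF (RFC 6241) messages and RFC 6242 framing, worked by hand.

Added example: not code from the blog post and not a NETCONF library.
The interface configuration, the <hello> and the replies are constructed
samples; no device is contacted.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
CANDIDATE_CAP = "urn:ietf:params:netconf:capability:candidate:1.0"
ET.register_namespace("nc", NC)


def build_edit_config(message_id, target, config_xml):
    """Operations + messages layer: wrap a content-layer fragment (config_xml)
    in <edit-config> targeting the given datastore, inside <rpc>."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    target_el = ET.SubElement(edit, f"{{{NC}}}target")
    ET.SubElement(target_el, f"{{{NC}}}{target}")
    config = ET.SubElement(edit, f"{{{NC}}}config")
    config.append(ET.fromstring(config_xml))
    return ET.tostring(rpc, encoding="unicode")


def target_datastore(rpc_xml):
    """Read back which datastore an <edit-config> RPC targets."""
    root = ET.fromstring(rpc_xml)
    target = root.find(f"{{{NC}}}edit-config/{{{NC}}}target")
    return target[0].tag.split("}")[1]


def frame_chunked(message):
    """Transport layer: RFC 6242 chunked framing (base:1.1) for one message."""
    data = message.encode()
    return b"\n#" + str(len(data)).encode() + b"\n" + data + b"\n##\n"


def supports_capability(hello_xml, cap_uri):
    """Check the server <hello> for a capability before using it."""
    root = ET.fromstring(hello_xml)
    caps = [c.text.strip() for c in root.iter(f"{{{NC}}}capability") if c.text]
    return cap_uri in caps


def parse_reply(reply_xml, expected_id):
    """Classify an <rpc-reply>; refuse a reply whose message-id does not match
    the request we sent, so answers cannot be confused on a shared session."""
    root = ET.fromstring(reply_xml)
    mid = root.get("message-id")
    if mid != str(expected_id):
        raise ValueError(f"message-id mismatch: sent {expected_id}, got {mid}")
    if root.find(f"{{{NC}}}ok") is not None:
        return {"status": "ok", "message-id": mid}
    err = root.find(f"{{{NC}}}rpc-error")
    if err is None:
        raise ValueError("rpc-reply carries neither <ok/> nor <rpc-error>")
    return {
        "status": "error",
        "message-id": mid,
        "error-tag": err.findtext(f"{{{NC}}}error-tag"),
        "error-message": (err.findtext(f"{{{NC}}}error-message") or "").strip(),
    }


# Constructed content-layer fragment (ietf-interfaces data model).
INTERFACE_CONFIG = (
    '<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">'
    "<interface><name>ge-0/0/1</name><description>uplink</description></interface>"
    "</interfaces>"
)

# Constructed samples of what a device might send back.
SAMPLE_HELLO = f"""<hello xmlns="{NC}"><capabilities>
  <capability>urn:ietf:params:netconf:base:1.1</capability>
  <capability>{CANDIDATE_CAP}</capability>
</capabilities><session-id>4</session-id></hello>"""
SAMPLE_OK = f'<rpc-reply xmlns="{NC}" message-id="101"><ok/></rpc-reply>'
SAMPLE_ERROR = f"""<rpc-reply xmlns="{NC}" message-id="101"><rpc-error>
  <error-type>application</error-type><error-tag>access-denied</error-tag>
  <error-severity>error</error-severity>
  <error-message>user lacks edit-config rights</error-message>
</rpc-error></rpc-reply>"""

if __name__ == "__main__":
    if supports_capability(SAMPLE_HELLO, CANDIDATE_CAP):
        rpc = build_edit_config(101, "candidate", INTERFACE_CONFIG)
        print(frame_chunked(rpc).decode())
        print(parse_reply(SAMPLE_OK, 101))
        print(parse_reply(SAMPLE_ERROR, 101))
```

The `access-denied` reply is one of the standard NETCONF error tags; a push tool should treat it as an authorization decision to log and surface, not something to retry.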

While NETCONF pushes device configuration, there’s a new guy on the block that is capable of modifying the FORWARDING TABLE (how cool is that?!?)… OpenFlow (link)

NETCONF is a protocol that allows you to modify a networking device’s configuration. OpenFlow is a protocol that allows you to modify its forwarding table (Ivan Pepelnjak @blog.ipspace.net)

Figure 7. Taken from the SDN book (O’Reilly, 2013)

OpenFlow is a set of protocols and an API (Application Programming Interface; SDN book, O’Reilly, page 49), not a product or even a single feature of a product. It consists of 2 things:

  • Wire protocol: for establishing a control session, defining the message structure for exchanging flow modifications and collecting statistics, and defining the fundamental structure of a switch (ports and tables)
  • Configuration and management protocol: OF-CONFIG (based on NETCONF), to allocate physical switch ports to a particular controller, define high availability (active/standby), and define the behavior on controller connection failure
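To show what "modifying the forwarding table" means in practice, here is an added Python example (not code from the post and not an OpenFlow implementation) of a single flow table as the wire protocol models it: entries with a priority, a match on header fields (absent fields are wildcards), an action list, and per-entry packet/byte counters that a statistics request would collect; a priority-0 table-miss entry punts unmatched packets to the controller. The packets, ports and the two rules are constructed.

```python
"""Toy OpenFlow-style flow table: priority match, actions, per-flow counters.

Added example, not code from the post and not an OpenFlow implementation.
Packets, ports and rules are constructed; a real switch matches on many more
header fields and runs several pipelined tables.
"""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    priority: int
    match: dict            # header field -> value; a missing field is a wildcard
    actions: list          # e.g. [("output", 2)], [("drop",)], [("controller",)]
    packets: int = 0       # statistics the controller can read back
    bytes: int = 0

    def matches(self, packet):
        return all(packet.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []
        # Table-miss entry: priority 0, matches everything, punts to the controller.
        self.add(FlowEntry(priority=0, match={}, actions=[("controller",)]))

    def add(self, entry):
        """FLOW_MOD ADD: insert and keep the table ordered by priority."""
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)

    def delete(self, match):
        """FLOW_MOD DELETE for entries with exactly this match (never the table-miss)."""
        self.entries = [e for e in self.entries
                        if not (e.priority > 0 and e.match == match)]

    def lookup(self, packet):
        """Forwarding: the first (highest-priority) matching entry wins; its
        counters are updated and its action list is returned."""
        for entry in self.entries:
            if entry.matches(packet):
                entry.packets += 1
                entry.bytes += packet.get("len", 0)
                return entry.actions
        return None   # unreachable while the table-miss entry is present

    def counters(self):
        """What a STATS_REQUEST would collect: (priority, packets, bytes) per entry."""
        return [(e.priority, e.packets, e.bytes) for e in self.entries]


def build_table():
    """Constructed policy: a drop rule for Telnet ranks above the forwarding
    rule for host 10.0.0.5, so the more specific security rule wins."""
    ft = FlowTable()
    ft.add(FlowEntry(200, {"tcp_dst": 23}, [("drop",)]))
    ft.add(FlowEntry(100, {"ip_dst": "10.0.0.5"}, [("output", 2)]))
    return ft


if __name__ == "__main__":
    ft = build_table()
    for pkt in ({"ip_dst": "10.0.0.5", "tcp_dst": 80, "len": 64},
                {"ip_dst": "10.0.0.5", "tcp_dst": 23, "len": 64},
                {"ip_dst": "10.0.0.9", "len": 64}):
        print(pkt, "->", ft.lookup(pkt))
    print(ft.counters())
```

The counters are the same numbers a controller reads back through the wire protocol; a sudden rise on the table-miss entry (priority 0) is the usual sign that traffic is arriving that no installed flow describes.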

Figure 8. Taken from the SDN book (O’Reilly, 2013)

And what about OpenStack? This is SDN software for building cloud networks (now you know why Cisco and other vendors moved to this software), software based on OpenFlow; or you can take a look at its rival… CloudStack (link), or its alternative… OpenDaylight (link)

Open here, Open there… Stack here, Stack there… it takes a while for you (and me, of course) to remember these new terms haha :p

But it won’t harm you to read this article about CloudStack losing to OpenStack

Figure 9. OpenStack architecture, taken from OpenStack.org

And with OpenFlow we can virtualize IP routing, purposely for building a hybrid network; it’s called RouteFlow (IGP and BGP on OpenFlow, link)

Figure 10. Taken from the RouteFlow website, http://cpqd.github.io/RouteFlow/

Well… Cisco, Juniper, Level 3, and some other companies founded a group under IETF supervision called I2RS (Interface to the Routing System) to research those things (they’ve made their own NETCONF, if I’m not wrong), with Cisco itself building something called onePK (One Platform Kit), a toolkit for Cisco ONE (Open Network Environment), so developers can build their own OpenFlow/NETCONF

Figure 11. Taken from Ivan Pepelnjak’s SDN PowerPoint slide @blog.ipspace.net

So… how can we deep-dive and get our hands on those things *rubs hands*? Can you program? C? Python? Or Java, maybe?…

Are you telling me that this requires some sort of programming skill? Yes… :D

(To be honest… the reason I joined the networking field is that I’m not good at programming, and now that thing is back to haunt me)

And if you know about the Cisco Nexus 1000v, which can be placed in VMware vSphere, that thing is programmable *sweeeet*!! (for inserting firewall capabilities, WAN optimization, or even load balancers, using Cisco ONE though)

And also with VMware NSX, which is capable of vSwitch, vRouter, vFirewall, and so on…, the SDN battle intensifies; even Cisco Systems… a former ally, built ACI (Application Centric Infrastructure) to match VMware NSX

Figure 12. VMWare NSX, taken from networkworld.com

===========================================================

Network Function Virtualization

Figure 13. Taken from the SDN book (O’Reilly, 2013)

With the new paradigm, we view the network (infrastructure) as a service, we view the platform as a service (such as a software framework), and we view the application as a service (shared software/application)

We call these, respectively, IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service)

Figure 14. Network virtualization, taken from Cisco.com

In the past there was the router, a sole router (like the Cisco 800 series), and then came the router capable of integrating with something else (like the ISR – Integrated Services Router, such as the 1800 or 1900 series): insert an access point module… it became a wireless router; insert a switch module… it became a router-switch; insert a firewall module… it became a firewall router, and so on… and then virtualization came… the beginning of the vRouter (virtual router), the beginning of the vSwitch (like the Cisco N1Kv), the vFirewall… and so on

At Cisco, they’ve been echoing the Nexus 9000 series with VDC (Virtual Device Context) and vPC (virtual Port Channel) in it in order to separate network functions using virtualization

Another question may come up… how do we control BGP with SDN? What is the perfect use case for SDN to control MPLS? How does it correlate with NFV?

In the data center, there’s a draft that Petr Lapukhov came up with while at Microsoft: “instead of using a traditional IGP, why not use BGP as a better IGP”, and then put a controller in as a route server (route server is the term for a router that centralizes the peerings between BGP speakers, instead of a full mesh), and then the controller inserts BGP routes into individual routers (over iBGP sessions) to influence routing decisions… isn’t that sweet?!?

Figure 15. Taken from Ivan Pepelnjak’s PowerPoint slide video @blog.ipspace.net

Figure 16. Route server as a centralized peering, taken from Quagga (link)
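The "controller inserts BGP routes to influence routing decisions" idea can be shown with a reduced BGP decision process. The Python below is an added example (not code from the post, the draft, or any BGP implementation): a leaf's RIB learns the same prefix from two spines over eBGP, the controller injects an iBGP path for that prefix with a higher LOCAL_PREF, and best-path selection moves to the injected next hop until the controller retracts it. The addresses, AS numbers and the controller's LOCAL_PREF of 200 are constructed assumptions, and the ranking keeps only the attributes needed here (LOCAL_PREF, AS_PATH length, MED, eBGP over iBGP, peer router-id).

```python
"""Controller-injected BGP routes over a reduced best-path decision process.

Added example, not code from the post and not a BGP implementation. The
leaf/spine addresses, AS numbers and the controller's LOCAL_PREF policy (200)
are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    source: str          # "ebgp" or "ibgp"
    peer_id: str         # BGP router-id of the peer that advertised the path
    local_pref: int = 100
    as_path: tuple = ()
    med: int = 0


def rank(path):
    """Ordering key for a reduced BGP decision process: highest LOCAL_PREF,
    shortest AS_PATH, lowest MED, eBGP before iBGP, lowest peer router-id."""
    rid = tuple(int(octet) for octet in path.peer_id.split("."))
    return (-path.local_pref, len(path.as_path), path.med,
            0 if path.source == "ebgp" else 1, rid)


class Rib:
    def __init__(self):
        self.paths = {}   # prefix -> set of BgpPath

    def learn(self, path):
        self.paths.setdefault(path.prefix, set()).add(path)

    def withdraw(self, prefix, next_hop, peer_id):
        self.paths[prefix] = {p for p in self.paths.get(prefix, set())
                              if not (p.next_hop == next_hop and p.peer_id == peer_id)}

    def best(self, prefix):
        candidates = self.paths.get(prefix)
        return min(candidates, key=rank) if candidates else None


class Controller:
    """Route-server-style controller that steers a leaf by injecting an iBGP
    path carrying a higher LOCAL_PREF than anything learned from the fabric."""

    def __init__(self, router_id, local_pref=200):
        self.router_id = router_id
        self.local_pref = local_pref

    def inject(self, rib, prefix, next_hop):
        path = BgpPath(prefix, next_hop, "ibgp", self.router_id, self.local_pref)
        rib.learn(path)
        return path

    def retract(self, rib, prefix, next_hop):
        rib.withdraw(prefix, next_hop, self.router_id)


def scenario():
    """Leaf learns 10.0.0.0/24 from two spines; the controller moves traffic to
    spine B and then retracts. Returns the chosen next hop at each stage."""
    rib = Rib()
    rib.learn(BgpPath("10.0.0.0/24", "172.16.0.1", "ebgp", "172.16.0.1", as_path=(65001,)))
    rib.learn(BgpPath("10.0.0.0/24", "172.16.0.2", "ebgp", "172.16.0.2", as_path=(65002,)))
    via_fabric = rib.best("10.0.0.0/24").next_hop          # tie broken on router-id
    controller = Controller("10.255.0.1")
    controller.inject(rib, "10.0.0.0/24", "172.16.0.2")
    via_controller = rib.best("10.0.0.0/24").next_hop      # LOCAL_PREF 200 wins
    controller.retract(rib, "10.0.0.0/24", "172.16.0.2")
    after_retract = rib.best("10.0.0.0/24").next_hop
    return via_fabric, via_controller, after_retract


if __name__ == "__main__":
    print(scenario())
```

Because the injected path is an ordinary BGP path, it is visible in the RIB like any other and disappears cleanly when withdrawn; nothing on the leaf needs a reconfiguration for the controller to take or release control of a prefix.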

And in the MPLS use case…

If we want to set up a 4 Gb LSP from R1 to R5, it would fail. Why? Because the R3-R5 link only has 3 Gb available. However, the sum of the R3-R4-R5 bandwidth is 4 Gb (2+2), but due to the nature of RSVP signaling one cannot use that available bandwidth

And those smart guys (engineers and academics) came up with PCE (Path Computation Element). PCE allows a network operator to delegate control of MPLS LSPs to an external controller (SDN book, O’Reilly, page 103). There are multiple components in a PCE environment: the server, the client, and the PCE protocol for data exchange between the PCE server and client

In SDN, the PCE server performs something called segment routing. “If all routing uses OSPF (or IS-IS), then all routers have the same LSAs, the same computation, and the same database, so the path that should be taken is the same everywhere, and this Layer 3 computation is used by MPLS… but imagine if each node could choose its own path without depending on the MPLS or IGP computation”… this is what is called Segment Routing – IETF draft (March 2013) (link)

These pictures of segment routing configuration are taken from Clarence Filsfils (Cisco Distinguished Engineer) in the official Cisco blog slides, link

Figure 17. Segment routing example from IOS-XR
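One added Python example serves both the PCE paragraph and the segment routing paragraph (it is not code from the post, not a PCE, and not an IOS-XR feature): a constrained path computation that prunes links without the requested bandwidth, a reservation step standing in for what RSVP-TE signalling books along the path, and a greedy encoder that turns the computed explicit path into the shortest list of node SIDs, so only the hops that deviate from the IGP shortest path need a label. The five-router topology, link bandwidths (Gb), unit IGP metrics and node SIDs 16001..16005 are constructed; the figure from the post is not reproduced.

```python
"""Bandwidth-constrained path computation (what a PCE does) and encoding the
result as a segment-routing node-SID list.

Added example, not code from the post, not a PCE or IOS-XR feature. The
topology, link bandwidths (Gb), unit IGP metrics and node SIDs are constructed.
"""
from collections import deque


def link_key(u, v):
    return tuple(sorted((u, v)))


def build_topology():
    """Available bandwidth per link, in Gb (constructed)."""
    return {link_key("R1", "R2"): 10, link_key("R2", "R3"): 10,
            link_key("R3", "R5"): 3, link_key("R3", "R4"): 2,
            link_key("R4", "R5"): 2}


NODE_SID = {"R1": 16001, "R2": 16002, "R3": 16003, "R4": 16004, "R5": 16005}


def all_shortest_paths(links, src, dst):
    """Every equal-cost shortest path (hop count) from src to dst: the IGP view
    that all routers compute identically from the same database."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    dist, preds, queue = {src: 0}, {src: []}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v], preds[v] = dist[u] + 1, [u]
                queue.append(v)
            elif dist[v] == dist[u] + 1:
                preds[v].append(u)
    if dst not in dist:
        return []

    def expand(node):
        if node == src:
            return [[src]]
        return [p + [node] for u in preds[node] for p in expand(u)]
    return expand(dst)


def cspf(links, src, dst, bandwidth):
    """PCE computation: drop links lacking the requested bandwidth, then take a
    shortest path over what is left. None means no single path can carry it,
    which is exactly the 4 Gb case described in the post."""
    usable = {k: avail for k, avail in links.items() if avail >= bandwidth}
    paths = all_shortest_paths(usable, src, dst)
    return paths[0] if paths else None


def reserve(links, path, bandwidth):
    """What RSVP-TE signalling does along the chosen path: book the bandwidth."""
    for u, v in zip(path, path[1:]):
        links[link_key(u, v)] -= bandwidth


def segment_list(links, path, sid=NODE_SID):
    """Encode an explicit path as the shortest list of node SIDs: each segment
    covers the longest stretch that is the unique IGP shortest path from the
    current node, so only deviations from the IGP need a label."""
    segments, i = [], 0
    while i < len(path) - 1:
        end = i + 1
        for j in range(i + 1, len(path)):
            shortest = all_shortest_paths(links, path[i], path[j])
            if len(shortest) == 1 and shortest[0] == path[i:j + 1]:
                end = j
            else:
                break
        segments.append(sid[path[end]])
        i = end
    return segments


if __name__ == "__main__":
    links = build_topology()
    print("4 Gb R1->R5:", cspf(links, "R1", "R5", 4))
    lsp1 = cspf(links, "R1", "R5", 3)
    reserve(links, lsp1, 3)
    lsp2 = cspf(links, "R1", "R5", 2)
    print(lsp1, segment_list(links, lsp1), lsp2, segment_list(links, lsp2))
```

Note that `segment_list` is computed over the full topology, not the pruned one: the IGP on every router does not know about reservations, so the label stack must be built against the path the IGP will actually take between two SIDs.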

And I’ve taken a look at an OpenFlow example from Juniper on an MX80 router running Junos 12.3I0 (note: running this configuration does require the use of the Juniper SDK); take a look at the OpenFlow configuration (at the bottom)

===================================================

Conclusions?

I put a question mark at the end of the word “Conclusion” to emphasize that maybe some of you don’t agree with me; feel free to correct me or add some other important information (with a page as long as this, very unlikely :P)

Do we REALLY have to use network programming?? I say this with respect for the open-standard community: the capitalists will rise… (haha), we will use PROPRIETARY SDN (controllers, virtualization, or programming software)

Because of this duo… OPEX and CAPEX, who will risk their business on non-“branded” software? An engineer who can barely write code will benefit more than a programmer who barely knows the networking world, so cheers ^_^

Things we do well:

  • Destination-only hop-by-hop L3 Forwarding

Things we find difficult to do:

  • Large-scale provisioning or Orchestration
  • Sync of Distributed Policies, like security and QoS
  • Optimal traffic engineering, like MPLS TE

Those 3 points are the main pushing factors for why we move from legacy to SDN

And we could go on and on and on with the list… especially with the emerging software-driven data center, but it would take a long time to explain that

What I can do is just explain some of the beneficial advantages of applying SDN

==============================

References:

Nadeau, Thomas D., Gray, Ken (2013). SDN: Software Defined Networks. O’Reilly Media, Inc. (the guys at Juniper Networks)

What is SDN, video by Plixer (a network analysis company) @https://www.youtube.com/watch?v=lPL_oQT9tmc

SDN Explained by Ivan Pepelnjak @http://blog.ipspace.net/2014/01/what-exactly-is-sdn-and-does-it-make.html and the video @http://content.ipspace.net/get/2%20-%20SDN%20Explained.mp4

ONF, founding and founders @https://www.opennetworking.org

I2RS at IETF @https://datatracker.ietf.org/wg/i2rs/charter/

SDN controllers definition @https://www.sdxcentral.com/resources/sdn/sdn-controllers/

LISP Definition @http://searchnetworking.techtarget.com/definition/Cisco-LISP-Cisco-Locator-ID-Separation-Protocol or the video https://www.youtube.com/watch?v=AISUwPQPaLs

Route Server definition @http://www.nongnu.org/quagga/docs/docs-multi/Description-of-the-Route-Server-model.html#fig%3aroute%2dserver

What is Segment Routing @http://niau.org/?p=519, IETF Draft @https://tools.ietf.org/html/draft-previdi-isis-segment-routing-extensions-05#section-1, and Cisco SDN Segment Routing Slide @http://www.slideshare.net/getyourbuildon/segment-routing-network-enablement-for-application

RFC 6241 – IETF Standard for NETCONF @https://tools.ietf.org/html/rfc6241

RFC 4655 – PCE (Path Computation Element) @https://tools.ietf.org/html/rfc4655

OpenDaylight @http://www.opendaylight.org/

Project Floodlight @http://www.projectfloodlight.org/floodlight/

Open vSwitch @http://openvswitch.org/ Or BigSwitch Network™ an Enterprise SDN Switch Company @http://www.bigswitch.com/

NFV and SDN terminology by Howard Baldwin @http://www.infoworld.com/article/2841882/networking/network-virtualization-vs-software-defined-networks-what-the-heck-is-the-difference.html

SDN Standards: from OpenFlow to OpenDaylight by Howard Baldwin @http://www.infoworld.com/article/2842423/making-heads-or-tails-of-sdn-standards-from-openflow-to-opendaylight-and-more.html

SDN for Cheaper Networking? by Greg Ferro @http://www.networkcomputing.com/networking/sdn-doesnt-mean-cheaper-networking/a/d-id/1234444

Configuring Cisco ISE to use External Authentication


Previously we authenticated users who wanted to access the network against the ISE server’s own local database (internal)

Now… how about we authenticate users with Active Directory (ISE will synchronize with AD)… pretty good, right?!?

Requirements:

  • The same as the first lab
  • (optional) Cisco AnyConnect… here’s how to do it
  • DNS server (mandatory, because ISE connects to AD using the FQDN, not the IP address)
  • Active Directory server (for external authentication)

Note: DNS and AD can be on the same server

Okay… let’s begin

===========================

(optional) If you have already set up DNS with the correct IP… skip this; I gave the wrong DNS IP, so I had to change it, lol

Create External Identity Source on ISE

Go to Administration -> Identity Management -> External Identity Sources

Click Active Directory -> enter the domain name (your AD server’s name; I use “domain.com”) and the Identity Store Name (an alias ISE uses as a reference)

Once done… a message will say the ISE status is “not joined to domain”; let’s test it first… just choose the basic test

Fill in the ACTIVE DIRECTORY SERVER’s username and password

If it works… it says success

Once it’s successful… just click Join

Enter the AD server’s username and password again

We can see the Join Operation Status is completed

Let’s check on the AD server… go to Server Manager -> Roles -> Active Directory Users -> [your domain name] -> Computers; our ISE server is there

Right-click the ISE entry… choose Properties, and check that the ISE is already Certified CCNA *sorry* certifiedDC, i.e. it already uses the server’s CA

Done??? That’s it?? Of course not… by default ISE uses Internal Users, so now we point it to use AD for authentication… and only if AD fails/cannot be reached does it use Internal (sequences)

====================================

Moving Authentication Source from Internal to External

Go to Administration -> Identity Management -> Identity Source Sequences

Create a new sequence… click Add

Name it AD_Internal (meaning… AD first… then Internal if that doesn’t work); the name is up to you… as long as you understand why you gave it that name, so you don’t confuse yourself lol

Make sure AD is first in the order, then Internal Users… because ISE checks sequentially, in order (the order can be changed)

And don’t forget to select the option “Treat as if the user…” so the process moves on to the next store in the sequence (Internal Users) if authentication via AD fails

Then go to Policy -> Authentication

Edit the dot1x rule (look… it’s still using the Internal Users sequence)… point it to the AD_Internal sequence

Don’t forget to save

Now… let’s test it
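Before testing on the real box, the sequence logic can be worked through in a small model. The Python below is an added example written for this post, not Cisco ISE code: it walks the AD_Internal sequence in order and assumes the behaviour described above, namely that a user not found in a store moves the lookup on to the next store, that a store which cannot be reached moves on only when the "treat as if the user was not found" option is set (otherwise the result is a ProcessError), and that a wrong password in a store that does know the user is a definitive reject rather than a reason to fall through to Internal Users. The store contents are constructed; the usernames rahman and rahmanAD are the ones used in the post.

```python
"""Model of an ISE-style identity source sequence: AD first, Internal second.

Added example: a simulation written for this post, not Cisco ISE code. The
user database is constructed, and the hashing is a toy to keep the sample
realistic, not a credential store design.
"""
import hashlib
import hmac


class StoreUnavailable(Exception):
    """Raised when a store (e.g. the AD domain controller) cannot be reached."""


class IdentityStore:
    def __init__(self, name, users, reachable=True):
        self.name = name
        self.reachable = reachable
        self.users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def authenticate(self, username, password):
        """Return 'pass', 'fail' (wrong password) or 'not_found'."""
        if not self.reachable:
            raise StoreUnavailable(self.name)
        if username not in self.users:
            return "not_found"
        digest = hashlib.sha256(password.encode()).hexdigest()
        return "pass" if hmac.compare_digest(digest, self.users[username]) else "fail"


def authenticate_sequence(stores, username, password, unavailable_as_not_found=True):
    """Walk the sequence in order; return (status, store) with status one of
    Passed, Failed, ProcessError or UserNotFound.

    A 'fail' stops the sequence: falling back to Internal Users after AD has
    rejected the password would let a weaker local credential override AD."""
    for store in stores:
        try:
            result = store.authenticate(username, password)
        except StoreUnavailable:
            if unavailable_as_not_found:
                continue                      # option set: try the next store
            return ("ProcessError", store.name)
        if result == "pass":
            return ("Passed", store.name)
        if result == "fail":
            return ("Failed", store.name)
        # 'not_found': continue with the next store in the sequence
    return ("UserNotFound", None)


def build_sequence(ad_reachable=True):
    """AD_Internal from the post: the AD store first, Internal Users second."""
    ad = IdentityStore("AD", {"rahmanAD": "Wint3r-Lab!"}, reachable=ad_reachable)
    internal = IdentityStore("Internal Users", {"rahman": "Local-Pass1"})
    return [ad, internal]


if __name__ == "__main__":
    seq = build_sequence()
    for user, pw in (("rahmanAD", "Wint3r-Lab!"), ("rahman", "Local-Pass1"),
                     ("rahmanAD", "guess"), ("nobody", "x")):
        print(user, authenticate_sequence(seq, user, pw))
    print("AD down:", authenticate_sequence(build_sequence(False), "rahman", "Local-Pass1"))
```

Running it shows why the store order matters: with AD first, the AD user rahmanAD never reaches the internal database, the internal-only user rahman is found on the second hop, and an AD outage only changes the outcome for users the internal store also knows.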

=============================

Testing Authentication

You can do it without AnyConnect, but I use it… to look cooler :P

Click Network Repair in the Cisco AnyConnect icon (bottom right of the screen)

You will be asked to authenticate again. Why? Because the old username (rahman) isn’t recognized; let’s use the username rahmanAD (that is, the rahman that exists in AD)

Where do we create rahmanAD?? On the server, of course…

Create a new user on the Active Directory server

Except for the initials… everything must be filled in (to log on to the network, use the “User Logon Name” that is on the server)

Don’t forget the password

Once we hit Enter in AnyConnect… the status is Connected

Let’s look at ISE and the switch
