Sunday, November 29, 2020

An Intro. to VXLAN

Who invented it?

Created by three companies, Cisco, Arista and VMware; VXLAN is defined in RFC 7348.

When was it invented?

The RFC was published in August 2014, but Cisco documents indicate earlier dates.

Why was VXLAN invented?

To solve VLAN limitations in data centers and the cloud. It provides scalability by encapsulating Layer 2 frames in UDP, effectively extending the VLAN; this is called MAC-in-UDP encapsulation (UDP port 4789).

It also helps customer sites configure Layer 2 VPNs.

The VXLAN Network Identifier (VNI) is a 24-bit field, which means it can provide about 16 million VXLAN segments within the same domain.

Diagram source: Cisco

What are some uses of VXLAN?

· Data centers (virtualized hosts): allowing VMs to communicate between two DCs

· Extending Layer 2 (VLANs) to remote sites

· Multicast instead of broadcast: for example, where ARP would be broadcast across the whole Layer 2 domain without it, VXLAN delivers it over multicast

Components and configuration basics?

VXLAN components are:

· VTEP (VXLAN Tunnel Endpoint): where VXLAN encapsulation and decapsulation are done; basically a router or a switch

· VNID: the VXLAN Network Identifier, the 24-bit segment ID that identifies the broadcast domain

· NVE: the network virtual interface created (logically) on the VTEP

Examples of VXLAN deployments?

· Within one domain or site: for example, in a data center two subnets connected to the core switch can work with VXLAN and multicast routing

· Between two remote sites, which will be implemented with BGP and EVPN

·         Virtual machine to virtual machine communication

Configuration initial steps:

1. Enable multicast

2. Configure the IGP so the VTEPs can reach the RP

3. Configure the core to act as the RP

4. Configure the VTEPs (VXLAN Tunnel Endpoints) with NVE interfaces (Network Virtual Interfaces)

5. Make the VTEP NVE a member of the multicast group for the VNI (VXLAN Network Identifier)

How to verify VXLAN?

On the VTEPs:

#show ip mroute group-ip

#show nve peers (traffic must be generated first)

#show nve vni

#show run interface nve x

A simple look at VM-to-VM unicast communication:

The basic idea here is to carry the communication between VMs over the overlay network created by VXLAN. A request from VM#1 to VM#2 will be destined to the MAC address of VM#2 and will be sent to the VTEP located on the host, which checks the VNI that the source VM is associated with.

Then the VTEP will check the destination MAC address to see whether it is on the same segment and mapped to the VTEP at the remote destination.

The VN segment is the new method of tagging packets, but it is 24 bits, unlike VLAN tagging (802.1Q).
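To make the MAC-in-UDP encapsulation and the VTEP lookup above concrete, here is an added Python model (not from the original post or any vendor code) of the 8-byte VXLAN header from RFC 7348 and a toy VTEP that enforces VNI membership and learns the inner source MAC against the sending VTEP's IP. The VM MAC addresses, VTEP IP and frame contents are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789          # IANA port for MAC-in-UDP (RFC 7348)
VXLAN_I_FLAG = 0x08            # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1        # 24-bit VNI: ~16 million segments

def build_vxlan_header(vni):
    """8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + struct.pack("!I", vni << 8)

def parse_vxlan_header(payload):
    """Return (vni, inner Ethernet frame); reject headers without the I flag."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_I_FLAG:
        raise ValueError("I flag not set, VNI is not valid")
    vni = struct.unpack("!I", payload[4:8])[0] >> 8
    return vni, payload[8:]

class VTEP:
    """Toy VTEP: VNI membership plus a per-VNI MAC -> remote VTEP table."""
    def __init__(self, vnis):
        self.vnis = set(vnis)
        self.mac_table = {}  # (vni, mac) -> remote VTEP IP, filled by learning

    def encapsulate(self, vni, frame):
        """Return (remote_vtep_ip or None, udp_port, vxlan_payload)."""
        if vni not in self.vnis:
            raise ValueError(f"VTEP is not a member of VNI {vni}")
        remote = self.mac_table.get((vni, frame[:6]))  # None: flood via mcast group
        return remote, VXLAN_UDP_PORT, build_vxlan_header(vni) + frame

    def decapsulate(self, src_vtep_ip, udp_dport, payload):
        """Strip the header, enforce VNI membership, learn the inner source MAC."""
        if udp_dport != VXLAN_UDP_PORT:
            raise ValueError("not VXLAN")
        vni, frame = parse_vxlan_header(payload)
        if vni not in self.vnis:
            raise ValueError(f"dropping frame for unknown VNI {vni}")
        self.mac_table[(vni, frame[6:12])] = src_vtep_ip
        return vni, frame

# Constructed sample: VM#1 -> VM#2 Ethernet frame (dst MAC, src MAC, EtherType, data)
VM1_MAC = bytes.fromhex("020000000001")
VM2_MAC = bytes.fromhex("020000000002")
SAMPLE_FRAME = VM2_MAC + VM1_MAC + b"\x08\x00" + b"ping"
```

The first frame toward an unknown MAC has no remote VTEP yet and would be flooded to the VNI's multicast group; once the receiving VTEP has learned VM#1 behind 10.1.1.1, the reply is unicast to that VTEP.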

How about security?

Well, spoofing can happen since we are dealing with MAC addresses; MAC address flooding, UDP flooding, ARP attacks and 802.1Q double tagging are all potential attacks.

But those risks also exist in traditional Layer 2, and even in MPLS and other technologies like GRE.

VXLAN brought a lot of benefits to networking today and to data centers, and enabled roaming of Layer 2 across remote sites; security is not one of those benefits, but it might be added in the future.



Samer R. Saleem

Thursday, August 20, 2020

Decryption Policy on PaloAlto Firewall


SSL decryption is a feature used by firewalls and web gateways to inspect encrypted traffic such as HTTPS. With SSL decryption, the firewall acts as a proxy for the user's traffic and requests to remote destinations.

NOTE: SSL scanning/inspection can have a high impact on firewall resources and might cause network interruption if misconfigured.

With that being said, the firewall will need to create two sessions:

1. From the user to the firewall

2. From the firewall to the remote site

So the firewall must have a certificate created, which will then be installed on the user's computer or mobile device. To do that:

Device > Certificate Management > certificates > Generate

The IP should be the inside interface IP address of the firewall.




Now this certificate will not be used until we implement the decryption policy.

To create the decryption policy we will:

Go to > Policies > Decryption > Add

Add the name, source zone and IP address, destination, and then the action: decrypt the traffic matching the source address.



Now that we have created the policy, the IP matched in it will not be able to reach www.youtube.com unless the certificate created by the firewall is installed; the message below will be seen once the firewall starts inspecting the traffic. If you select "NO", the traffic will not pass and will be dropped.


Ok, how do I install the certificate on the computer or mobile?

What I have done is export the certificate I generated at the beginning, save it locally on my computer, and then import it on the computer as a trusted certificate.

Go to Device > Certificate Management > Certificates.

Select the certificate, export it as a .der file, and then install this file on the device you need to perform SSL inspection on.

I hope this was helpful!



Samer R. Saleem

Python-Jinja template configuration generator for Cisco devices and printout configs to external text files

In this post, I worked on collecting code that works with Jinja templates. The nice thing about working with Jinja is that you can have basel...