CNGI-CERNET2 SAVI Deployment Update
China Education and Research Network (CERNET)/Tsinghua Univ.
IETF78, Maastricht, July 26, 2010
Outline
• SAVI Switches Implementation
• SAVI Switches Testing
• SAVI Deployment in CNGI-CERNET2
• SAVI Management System and MIB Design
Brief Introduction
• CNGI is China Next Generation Internet
• CNGI-CERNET2
  – CERNET was the 2nd largest ISP in China: 2000+ university campus networks, 20M+ users
  – CERNET2 is the largest IPv6 network
• CNGI-CERNET2 SAVI Deployment Plan
  – 100 university campus networks nationwide
  – 1 million users
  – Time frame: 2008-2010
  – SAVI software upgrade at about 20K+ access switches
  – SAVI management system installation in 100 campuses
• China Telecom and China Mobile will also deploy
SAVI Switch Implementation
• Solutions implemented
  – draft-ietf-savi-dhcp-04
  – draft-bi-savi-stateless-01 (from draft-bj-cps, and proposed to be merged with draft-savi-fcfs)
• Vendors
  – ZTE
  – Huawei (new)
  – H3C (3Com)
  – Ruijie
  – Digital China (spun off from Lenovo)
  – Bitway
  – Centec
SAVI-Software Upgradable
• SAVI-upgradable switches in our deployment
  – ZTE: ZXR10 8900, 5900, 3900A
  – Huawei: S5600, 5300, 3500, 3300, 2300
  – H3C (3Com): S5500EI, S5500SI, S5120EI, E126A, E152, E328, E352
  – Digital China: DCRS-5950, 3950
  – Ruijie: RG-S8600, S5750, S5760, S2900, S2600
  – Bitway: BitStream 7000, 6000, 3000
  – Centec: E600 and E300
Command Line Design
• Snooping
  – Enabled at global view or VLAN view
• Command line: XXX Snooping enable
  – Start snooping and binding
  – Drop the server-end messages (DHCP reply, RA) by default, except for packets from an anchor with attribute XXX-Trust
• For example, in a DHCP-only scenario:
  – Dhcp snooping enable
  – NDP snooping link-local enable
• Undo XXX snooping
  – Stop snooping
  – Stop filtering server-end messages
• SHOULD write memory if snooping is enabled, and enable snooping automatically after reboot.
Command Line Design
• Port configuration
• Attached to monitored host
  – IP check source IP-address
• Attached to router or DHCP server/relay
  – RA trust or DHCP trust
• Fully trusted port
  – RA trust and DHCP trust
• Default port
  – No configuration
Command Line Design
• View & Modification
  – At global view
• View: show all the IPv6 bindings
  – display ipv6 check source binding table
• Modification: add or delete bindings manually
  – ipv6 check source binding table add IP XXX MAC XXX PORT XXX TYPE XXX [LIFETIME XXX]
  – ipv6 check source binding table del IP XXX PORT XXX
Binding State Table of H3C S5500
Entry: Source IP | Source MAC | VLAN ID | Type (DHCP or ND)
Console Example (screenshot, not reproduced in the transcript)
Catalogs of SAVI Testing
• CERNET organized formal testing for SAVI switches
• Test types:
  – Conformance testing
  – Performance testing
  – Test-bed (interoperability) testing
  – Testing in the production network
• Each type has 3 scenarios
  – DHCPv6-only
  – SLAAC-only
  – DHCPv6-SLAAC-mixed
  – In each scenario, the static binding for manually configured addresses is also tested
SAVI Switch Testing
• 10 switch models passed this formal testing
  – ZTE: ZXR10-5928, ZXR10-3928
  – H3C: S5500, S5100, E126A
  – Ruijie: RG-S5760, RG-S2924, RG-S2628
  – Digital China: DCS-5950, DCS-3950
• In total, 4 testing types × 3 scenarios × 10 models = 120 testing reports generated
Binding table size
(Values read from the slide's three charts C1, C2, C3; vendor columns are H3C, ZTE, Digital China (DC) and Ruijie (RJ).)

  C1            H3C   DC    RJ
  SLAAC-only    640   383   488
  DHCPv6-only   320   191   244

  C2            H3C   ZTE   RJ
  SLAAC-only    460   125   494
  DHCPv6-only   230    62   247

  C3            H3C   ZTE   DC    RJ
  SLAAC-only    980   125   400   254
  DHCPv6-only   490    62   200   127
Interoperability test for host OS
• Windows XP with SP3
• Windows Vista
• Windows 7
• Linux
• Mac OS
• Some DHCPv6 client software, such as Dibbler
Scenarios in Deployment
• DHCP-only
  – Only DHCP and link-local addresses are allowed.
  – DHCP and link-local address snooping are enabled.
• SLAAC-only
  – Only SLAAC addresses are allowed.
  – SLAAC snooping is enabled.
• DHCP-SLAAC-Mixed
  – DHCP and SLAAC addresses are allowed.
  – DHCP snooping and SLAAC snooping are enabled.
• Static addresses (usually for servers) are manually configured in the above scenarios.
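The port attributes and server-end message filtering from the command line design slides, together with the per-scenario address rules above, as an added Python model (not code from the slides or from any vendor's switch): bindings are installed only when the scenario admits their address type, and a frame on an IP-check-source port is forwarded only if it matches an (IP, MAC, anchor) binding. Port names, addresses and the choice that an unconfigured default port performs no source check are assumptions.

```python
from dataclasses import dataclass, field

# Anchor (port) attributes from the "Port configuration" slide.
CHECK_SOURCE = "ip-check-source"   # attached to a monitored host
DHCP_TRUST = "dhcp-trust"          # attached to a DHCP server/relay
RA_TRUST = "ra-trust"              # attached to a router (fully trusted = both trusts)

# Address types each deployment scenario admits into the binding table;
# STATIC entries (added manually, usually servers) are admitted in every scenario.
ALLOWED = {
    "DHCP-only": {"DHCP", "LINKLOCAL"},
    "SLAAC-only": {"ND"},
    "DHCP-SLAAC-mixed": {"DHCP", "ND", "LINKLOCAL"},
}

@dataclass
class Binding:          # one Binding State Table entry
    ip: str
    mac: str
    vlan: int
    port: str           # the anchor
    kind: str           # DHCP, ND (SLAAC), LINKLOCAL or STATIC
    lifetime: int = 0   # seconds; 0 = no expiry (manual entry)

@dataclass
class SaviSwitch:
    scenario: str
    port_roles: dict = field(default_factory=dict)   # port -> set of attributes
    bindings: list = field(default_factory=list)

    def add_binding(self, b: Binding) -> bool:
        """Install a binding learned by snooping or added via the CLI 'add' command."""
        if b.kind != "STATIC" and b.kind not in ALLOWED[self.scenario]:
            return False
        self.bindings.append(b)
        return True

    def forward(self, port: str, src_ip: str, src_mac: str, msg: str = "data") -> bool:
        """Return True if a frame arriving on `port` is forwarded, False if dropped."""
        roles = self.port_roles.get(port, set())
        # Server-end messages (DHCP reply, RA) are dropped by default and accepted
        # only from an anchor carrying the matching trust attribute.
        if msg == "DHCP-reply" and DHCP_TRUST not in roles:
            return False
        if msg == "RA" and RA_TRUST not in roles:
            return False
        if CHECK_SOURCE not in roles:
            return True   # trusted or unconfigured default port: no source check (assumption)
        # Monitored-host port: source must match an installed (IP, MAC, anchor) binding.
        return any(b.ip == src_ip and b.mac == src_mac and b.port == port for b in self.bindings)
```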
Example: Tsinghua Univ. campus network has deployed SAVI (software upgrade at access switches)
(Campus network diagram, not reproduced: a campus backbone (IPv4/IPv6) with an aggregation level and an access level; SAVI-access switches serve the office/teaching area, faculty apartments, student dorms, the FIT building and the libraries, about 20K users (students); the DHCPv6 server (WS2008) is reached through DHCPv6 relay.)

Deployment scale:
  subnets   switches   ports    hosts    users
  114       1018       23414    22644    20280

• 10 models from different vendors in 3 scenarios
• Deployment in Students Buildings
Example: SAVI deployment in Tsinghua FIT building
(Building network diagram, not reproduced: two core switches, FIT CS_1 and CS_2, behind the firewall, with IPv4 HSRP providing hot standby for the uplinks of each access device (CS_1 active, CS_2 standby) and an IPv6 ISATAP tunnel; per-floor access switch stacks (Digital China) serve the office subnets, DragonLab, ChinaGrid and lab networks and the FIT Center, and a mirror port exports ingress/egress data. Diagram annotations: prefix-granularity anti-spoofing by RPF; host-granularity anti-spoofing by SAVI at the SAVI access switches.)
Deployment in Office Building
• FIT Building of Tsinghua Univ.
• From Oct 2009 (about 10 months)
• No initial DAD-NS loss observed (link-local address bound)
• Ruijie RG-2652 and Digital China S3950 switches
• Digital China console: 61 addresses bound at a 24-port switch, multiple addresses per host (console shows 6to4, global and link-local addresses)
Function
• Set:
  – SAVI-DHCP or SAVI-SLAAC function
  – Anchor (switch port) type
  – Binding limitation of anchor
• Get:
  – Binding State Table entries
  – Filtering Table entries
  – Statistics
Structure of SAVI-MIB
• Two separate MIB trees
  – IPV4SAVI-MIB for IPv4
  – IPV6SAVI-MIB for IPv6
  – They have a similar structure
• In the following we illustrate IPV6SAVI-MIB
Structure of IPV6SAVI-MIB
• ipv6SaviObjectsStatus
  – SAVI-DHCP/SAVI-SLAAC status
• ipv6SaviObjectsMaxDadDelay, ipv6SaviObjectsMaxDadPrepareDelay
  – Constants of SAVI
• ipv6SaviObjectsIfStatusTable
  – Validation type of anchor
  – Trust type of anchor
  – Binding limitation of anchor
• ipv6SaviObjectsBindingTable
  – Binding State Table entries
Structure of IPV6SAVI-MIB
• ipv6SaviObjectsIfStatusTable
  – ipv6SaviObjectsIfStatusIfIndex InterfaceIndex
  – ipv6SaviObjectsIfStatusCheckStatus Integer32
  – ipv6SaviObjectsIfStatusTrustStatus Integer32
  – ipv6SaviObjectsIfStatusBindingNum Unsigned32
Structure of IPV6SAVI-MIB
• ipv6SaviObjectsBindingTable
  – ipv6SaviObjectsBindingIfIndex InterfaceIndex
  – ipv6SaviObjectsBindingType Integer32
  – ipv6SaviObjectsBindingIdentifier InetAddressIPv6
  – ipv6SaviObjectsBindingMacAddr MacAddress
  – ipv6SaviObjectsBindingState Integer32
  – ipv6SaviObjectsBindingLifetime TimeInterval
  – ipv6SaviObjectsBindingRowStatus RowStatus
Conclusions
• SAVI drafts have been implemented by multiple vendors and are being widely deployed in CERNET2
  – draft-ietf-savi-dhcp-04
  – draft-bi-savi-stateless-01
• SAVI switches in CNGI-CERNET2 have been fully tested
• SAVI management system and MIB have been designed
• A light-weight SAVI-SLAAC is necessary for low-end access switches in large-scale deployment
  – Currently, no major problem found
  – For details: draft-bi-savi-stateless-01