ACEFx L1 Day2 - 18july2016


ACE-Fx Connect

Day 2

July 2016

© 2016 Avaya Inc. All rights reserved.


Course Agenda – Day Two
Day 2: Services over Fabric Connect

Fabric Connect Services


- Layer 2 Virtual Service Networks
- Inter-VSN Routing
- IP Shortcut Routing
- Layer 3 Virtual Service Networks

Interaction of IS-IS and Non-Fabric Routing Protocols

Enforcing Security Policies

Configuration and Orchestration Manager (COM)



Module 2: The Data Plane, Routing, and COM


Module Objectives
Upon completion of this course, you should be able to:
• Describe and explain Fabric Connect services:
– Layer 2 Virtual Service Networks
– Inter-VSN Routing
– IP Shortcut Routing
– Layer 3 Virtual Service Networks
• Describe the interaction of IS-IS and Non-Fabric routing operations.
• Describe how to enforce security policies in a Fabric.
• Describe the use of Configuration and Orchestration Manager (COM).


Layer 2 VSN



Shortest Path Bridging – L2 Service VSN
• A VLAN provisioned at the edge of the fabric is mapped into the Virtual Service Network using the Service Identifier (I-SID)
• IS-IS advertises I-SID information for all new services and communities of interest to the network
• Forwarding Database is updated with I-SID service-specific entries

[Figure: vlan 20 at two fabric edges; Assign VLAN20 → I-SID 20100; Virtual Service Network I-SID 20100; IS-IS on every fabric node; Unified Management.]

Creating Meaningful I-SID Values
• There are multiple schemes available for creating I-SID values which describe the traffic.
• This course will use a schema developed to differentiate Layer 2 VSNs from Layer 3 VSNs in a single-tenant environment.
– I-SID for a Layer 2 VSN: 2xxxx
– I-SID for a Layer 3 VSN: 3xxxx
Where xxxx is the VLAN ID or VRF. The I-SID will be 5 digits.
• The next course in the ACE-Fx series will use a schema developed for a multi-tenant environment where there are fewer than 100 tenants.
– I-SID for a Layer 2 VSN: 20LLxxxx
– I-SID for a Layer 3 VSN: 30LLxxxx
Where LL is the location/tenant and xxxx is the VLAN ID or VRF. The I-SID will be 8 digits.
• The schema you use does not have to match one of these, but it should be used consistently and be significant to you.
• Flexible and Transparent UNI types, which may have multiple VLANs with the same VID or multiple VLANs in a single I-SID, pose a unique challenge to VLAN-based numbering schemes. The key is to have a unique I-SID for each L2 or L3 VSN.
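
An added example, not part of the course material: a small audit that checks collected switch configurations against the single-tenant schema above (2xxxx = 20000 + VLAN ID, 3xxxx for L3 VSNs) and against the rule that each VSN has its own I-SID. The device names and configuration text are constructed; only the `vlan i-sid`, `router vrf` and `i-sid` command forms come from the slides.

```python
import re
from collections import defaultdict

# Constructed sample configurations (device name -> config text).
CONFIGS = {
    "BEB-1": """
        vlan i-sid 11 20011
        vlan i-sid 12 20012
        router vrf green
        ipvpn
        i-sid 30101
        ipvpn enable
        exit
    """,
    "BEB-2": """
        vlan i-sid 11 20011
        vlan i-sid 12 20011
        router vrf red
        ipvpn
        i-sid 20012
        ipvpn enable
        exit
    """,
}

VLAN_ISID = re.compile(r"vlan i-sid (\d+) (\d+)")
VRF_BLOCK = re.compile(r"router vrf (\S+)")
VRF_ISID = re.compile(r"i-sid (\d+)")
MAX_ISID = 16777215  # upper bound shown in the `vlan i-sid` syntax


def parse_services(config):
    """Return (kind, vlan-or-vrf, i-sid) tuples; kind is 'L2' or 'L3'."""
    services, vrf = [], None
    for line in config.splitlines():
        line = line.strip()
        if m := VLAN_ISID.fullmatch(line):
            services.append(("L2", m.group(1), int(m.group(2))))
        elif m := VRF_BLOCK.fullmatch(line):
            vrf = m.group(1)
        elif line == "exit":
            vrf = None
        elif vrf and (m := VRF_ISID.fullmatch(line)):
            services.append(("L3", vrf, int(m.group(1))))
    return services


def audit(configs):
    """Return a list of findings: schema deviations and I-SID reuse."""
    findings = []
    users = defaultdict(set)  # I-SID -> {(kind, vlan-or-vrf)} fabric-wide
    for device in sorted(configs):
        for kind, ident, isid in parse_services(configs[device]):
            users[isid].add((kind, ident))
            if not 0 <= isid <= MAX_ISID:
                findings.append(f"{device}: I-SID {isid} is outside 0-{MAX_ISID}")
            elif kind == "L2" and isid != 20000 + int(ident):
                findings.append(
                    f"{device}: VLAN {ident} -> I-SID {isid} does not follow 2xxxx")
            elif kind == "L3" and not 30000 <= isid <= 39999:
                findings.append(
                    f"{device}: VRF {ident} -> I-SID {isid} does not follow 3xxxx")
    for isid in sorted(users):
        kinds = {kind for kind, _ in users[isid]}
        vlans = sorted({i for kind, i in users[isid] if kind == "L2"}, key=int)
        if len(kinds) > 1:
            findings.append(f"I-SID {isid} is used for both an L2 VSN and an L3 VSN")
        if len(vlans) > 1:
            # Differently numbered VLANs in one I-SID share one broadcast domain.
            findings.append(f"I-SID {isid} bridges VLANs {', '.join(vlans)} together")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```

Differently numbered VLANs sharing an I-SID can be intentional (VLAN mapping on a Switched UNI), so that finding is a prompt for review rather than an error.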



Shortest Path Bridging – L2 Service VSN
• Congruent forward and reverse path for unicast and multicast
• All traffic types (known, unknown, broadcast) use the same path
– No out-of-order packets possible
• Traffic from A to B follows the same path as from B to A
• Multicast trees:
– Rooted at source node within every service instance
– Only flood packets to I-SID service node members
– No MAC learning or flooding in the Core
– Fully QoS-aware infrastructure

[Figure: nodes A, B and D, each with vlan 20; legend: Service and Source Specific Multicast Tree, Unicast Path.]


Injecting Traffic - Sending Unknown Traffic

[Figure: PC-1 (00:15:C5:1F:9E:63) and PC-3 on BEB4450-1; PC-2 (90:F6:52:18:4C:1D) and PC-4 on BEB4450-2; I-SID 200100 between the two BEBs; port labels 1/29 and 1/10 on each BEB; MAC labels 00:0e:44:50:00:01 and 00:0e:44:50:00:02.]


Unknown Traffic
• Unknown unicast or multicast/broadcast traffic
• The multicast addresses are built out of two pieces
• Each SPBM node must be configured with a unique nickname:
– Carried in the IS-IS link state database
– Used to form the first portion of the multicast MAC address
• The second portion is the I-SID converted to hex, forming the multicast MAC address

[ NICK-NAME & "3" ] [ I-SID in hexadecimal ]

• Example: BEB4450-1 nickname = e.44.01, I-SID = 200100 (0x30DA4)

Multicast Address = e3:44:01:03:0d:a4
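
An added example, not part of the course material: building the multicast B-MAC from a nickname and I-SID, and decoding one back into its source node and service when reading a capture. The nibble layout (first nickname digit, then 3, then the remaining four digits) is inferred from the slide's worked example; the capture list and the two inventories are constructed.

```python
import re

NICK_RE = re.compile(r"([0-9a-fA-F])\.([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})")


def parse_nickname(nick):
    """Convert the dotted nickname form (x.xx.xx) to its 20-bit value."""
    m = NICK_RE.fullmatch(nick)
    if not m:
        raise ValueError(f"nickname must look like x.xx.xx: {nick!r}")
    return int("".join(m.groups()), 16)


def format_nickname(value):
    digits = f"{value:05x}"
    return f"{digits[0]}.{digits[1:3]}.{digits[3:5]}"


def multicast_bmac(nick, isid):
    """Multicast destination B-MAC for traffic sourced by `nick` in `isid`."""
    if not 0 <= isid <= 0xFFFFFF:
        raise ValueError("I-SID must fit in 24 bits (0-16777215)")
    n = parse_nickname(nick)
    # Layout inferred from the slide's example: high nibble of the nickname,
    # the constant nibble 3, then the remaining 16 nickname bits.
    first = ((n >> 16) << 4) | 0x3
    raw = bytes([first, (n >> 8) & 0xFF, n & 0xFF]) + isid.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in raw)


def decode_multicast_bmac(mac):
    """Return (nickname, I-SID), or None if the address does not fit the scheme."""
    try:
        raw = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    except ValueError:
        return None
    # The low nibble 3 is only a necessary condition, so treat a match as a
    # candidate and confirm it against the node and service inventories.
    if len(raw) != 6 or raw[0] & 0x0F != 0x3:
        return None
    n = ((raw[0] >> 4) << 16) | (raw[1] << 8) | raw[2]
    return format_nickname(n), int.from_bytes(raw[3:], "big")


def attribute(macs, nodes, isids):
    """Label each destination MAC as known, unknown-source, unknown-service or other."""
    results = []
    for mac in macs:
        decoded = decode_multicast_bmac(mac)
        if decoded is None:
            results.append((mac, "other"))
            continue
        nick, isid = decoded
        if nick not in nodes:
            results.append((mac, "unknown-source"))
        elif isid not in isids:
            results.append((mac, "unknown-service"))
        else:
            results.append((mac, "known"))
    return results


# Constructed inventories and capture. The nicknames e.44.01 and 1.11.16 appear
# on the slides; everything else here is made up for the example.
NODES = {"e.44.01": "BEB4450-1", "1.11.16": "VSP9000-1"}
SERVICES = {200100, 20100}
CAPTURED = [
    "e3:44:01:03:0d:a4",  # BEB4450-1, I-SID 200100
    "13:11:16:00:4e:84",  # VSP9000-1, I-SID 20100
    "00:0e:44:50:00:02",  # unicast B-MAC, not a service multicast address
    "a3:00:07:00:4e:8b",  # nickname a.00.07 is not in the inventory
]

if __name__ == "__main__":
    for mac, verdict in attribute(CAPTURED, NODES, SERVICES):
        print(mac, verdict)
```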



Unknown Traffic from BEB4450-1 to BEB4450-2

[Figure: PC-1 (00:15:C5:1F:9E:63) and PC-3 on BEB4450-1; PC-2 (90:F6:52:18:4C:1D) and PC-4 on BEB4450-2; I-SID 200100 between the two BEBs; port labels 1/29 and 1/10 on each BEB; MAC labels 00:0e:44:50:00:01 and 00:0e:44:50:00:02.]


Known Traffic to BEB4450-1 from BEB4450-2
• Return traffic now has an entry in the Forwarding Database
• A new entry has been created to send traffic to only one SPBM switch


Layer 2 VSN – Customer VLAN UNI
• UNI is a VLAN (Customer VLAN = C-VLAN)
• VLAN is unique on a per Backbone Edge Bridge (BEB) basis
• VLAN performs L2 switching on local VLAN port members
• VLAN transports over L2VSN for remote end-points
• Untagged traffic is assigned to VLAN using the PVID configured on port
– PVID = Primary VLAN ID
– On tagged port, use UntagPVIDOnly mode to force PVID traffic to also go out untagged

vlan i-sid <vlan-id> <i-sid>

[Figure: BEB node. Tagged UNI Port 1 carries q-tag VLAN id 10 (VLAN10, L2 VSN I-SID 20100), q-tag VLAN id 11 (VLAN11, L2 VSN I-SID 20011) and untagged traffic with PVID=12; Untagged UNI Port 2 carries untagged traffic with PVID=12 (VLAN12, L2 VSN I-SID 20012); all map into the SPB Fabric.]
[Table: port types (Single Port, MLT/DMLT, LACP LAG, SMLT/SLT, SMLT/SLT LACP LAG) supported per platform; platforms listed: VSP9000, VSP8X00, VSP7X00, VSP4000, ERS8000, ERS4000, ERS5900.]

Layer 2 VSN – Flex mode Switched UNI
• UNI is a VLAN-id on an Ethernet port or MLT
• VLAN-id has local significance on the port or MLT
• Same VLAN-id can be used on other ports and belong to different I-SID
• Different VLAN-id on same/different port can be assigned to same I-SID
– Can do VLAN Mapping on local switch

VOSS VSP:
i-sid <i-sid> elan
c-vid <vid> port <port>
c-vid <vid> mlt <mlt-id>
untagged-traffic port <port> [bpdu enable]
untagged-traffic mlt <mlt-id> [bpdu enable]
exit

Stackables:
i-sid <i-sid> port <port> vlan <vlan-id>

[Figure: BEB node. Tagged UNI Port 1 carries q tag VLAN id 10 (L2 VSN I-SID 20010) and q tag VLAN id 11 (L2 VSN I-SID 20011); UntagPVIDonly UNI Port 2 carries q tag VLAN id 10 and untagged traffic with PVID=12 (L2 VSN I-SID 20012); all map into the SPB Fabric.]
[Table: port types (Single Port, MLT/DMLT, LACP LAG, SMLT/SLT, SMLT/SLT LACP LAG) supported per platform group: VSP8000/VSP7200/VSP4000 and VSP7000/ERS5900/ERS4000.]

Layer 2 VSN – Flex mode Switched UNI cont.
• Untagged traffic
– On stackables, untagged traffic can be picked up by setting the port to UntagPVIDonly and setting the PVID on the port (not BPDUs)
– On VOSS VSPs, there is an express command and the optional ability to pick up BPDUs with it
• Switched UNIs and CVLAN UNIs can be assigned to the same I-SID
• Supported in VSP7000 10.2, ERS4800 5.7, ERS5900 7.0, VOSS 5.0

[Figure and port-type table repeated from the previous slide.]


Layer 2 VSN – Transparent UNI
• UNI is an Ethernet port
• Ethernet UNI port is not VLAN tag aware
• Packets with or without a VLAN q-tag are transported into the L2VSN
• Untagged control traffic (like STP) is not automatically forwarded
• Be aware that all MAC addresses are in ONE COMMON MAC TABLE per I-SID!

VOSS VSP:
i-sid <i-sid> elan-transparent
port <port> | mlt <mlt-id>
exit

VSP7000:
i-sid <i-sid> port <port>

[Figure: BEB node. Transparent UNI Port 1 carries q-tagged and untagged traffic into L2 VSN I-SID 20000; Transparent UNI Port 2 carries q-tagged and untagged traffic into L2 VSN I-SID 21000; both map into the SPB Fabric.]
[Table: port types (Single Port, MLT/DMLT, LACP LAG, SMLT/SLT, SMLT/SLT LACP LAG) supported per platform group: VSP8000/VSP7200/VSP4000 and VSP7000.]

UNI Types Simplified

• CVLAN UNI maps an I-SID to a VLAN
– I-SID 20010, VLAN 10
– I-SID 20030, VLAN 30
– Customer VLANs crossing an SPB Fabric

• Transparent UNI maps an I-SID to a port or MLT
– I-SID 20010, port 1/3
– I-SID 20030, port 1/4
– I-SID 20040, port 1/5
– Sends all traffic on a port through a single I-SID, not based upon VLAN membership

• Flex Mode Switched UNI maps an I-SID to a CVLAN and a port
– I-SID 20010, VLAN 10, port 1/3
– I-SID 20030, VLAN 30, port 1/3
– I-SID 20400, VLAN 40, port 1/3
– A Fabric Attach server receives requests of multiple FA Clients to create a VLAN/I-SID mapping on the same port

[Figure labels: Customer VLANs, Carrier.]


Configuring L2VSN CVLAN Mapping
• Supported on all Fabric Switches
• Create a C-VLAN by mapping the VLAN to an I-SID:

vlan i-sid <1–4084> <0–16777215>

• Display C-VLAN information:

show vlan i-sid

• Example:
VSP8000-1> enable
VSP8000-1# configure terminal
VSP8000-1(config)# vlan i-sid 5 20005
VSP8000-1(config)# show vlan i-sid

Note
When a protocol-based VLAN is created, all ports are added to the VLAN, including SPBM ports.
To configure a protocol-based VLAN as a C-VLAN, first remove the SPBM-enabled ports from the VLAN, then configure the VLAN as a C-VLAN.


L2VSN UNI Switched and Transparent Mappings
• L2 VSN Switched UNI Configuration
– Assigning an I-SID to a VLAN-id on an individual Ethernet port
– VSP 7000, ERS 4000:

vlan create <vlan-id> type spbm-switchedUni
i-sid <i-sid> port <port> vlan <vlan-id>

• L2 VSN Transparent UNI Configuration
– Assigning an I-SID to an Ethernet port
– On VSP 7000, ERS 4000:

i-sid <i-sid> port <port>

– On VSP 4000:

i-sid <i-sid> elan-transparent
port <port> | mlt <mlt-id>
exit


SPB L2VSN – Equal Cost Path Example
• An I-SID, on a given BEB, is tied (for transmission) to only one B-VLAN
• With SMLT BEBs, each node is assigned one B-VLAN, for all I-SIDs
– Lowest system-id on the primary B-VLAN
– Highest system-id on the secondary B-VLAN
• With stand-alone BEBs, I-SIDs are allocated in an odd/even fashion
– Odd I-SID → BVLAN#1
– Even I-SID → BVLAN#2

[Figure, logical view: VLAN10, L2-VSN I-SID = 20010, VLAN10; VLAN20, L2-VSN I-SID = 20020, VLAN20. Physical view labels: BEB-3, BCB, SMLT BEB-1 (TX on BVLAN1), SMLT BEB-2 (TX on BVLAN2), Edge (FA Proxy), SPB, MLT hash 50% / 50%, VLAN 20, VLAN 21, Odd/Even I-SID mapping to BVLAN1 / BVLAN2.]

Load Sharing Standalone BEB vs Switch Cluster BEB

[Figure: stand-alone BEB-3 (VLAN 10 → I-SID 20010, VLAN 11 → I-SID 20011) uses Odd/Even I-SID mapping to BVLAN1 / BVLAN2 across the SPB BCBs; SMLT BEB-1 (primary) handles ALL I-SIDs using BVLAN1 4051; SMLT BEB-2 (secondary) handles ALL I-SIDs using BVLAN2 4052; Non SPB Access (VLAN10, VLAN11) attaches to the SMLT pair with an MLT hash, 50% / 50%.]

1. Traffic from left to right is handled based on odd/even I-SID
2. Traffic from right to left is first hashed; both primary and secondary BEB handle even and odd I-SIDs
3. Traffic in this case is asymmetric


L2 VSN LAB
• Configure L2 VSN
• Verify the configuration



Inter-VSN Routing



SPB VSN Service Flexibility – Inter-VSN Routing
• Route between Layer 2 VSNs
• Routing anywhere in Fabric with L3 VSNs (or GRT IP Shortcut routing)
• Extend L2 VLANs anywhere inside or across the Fabric using L2VSNs

[Figure: Datacenter 1 and Datacenter 2 joined by the fabric; VRF2 with vlan / IP net1 and vlan / IP net2; L3-VSN I-SID 30200; VRF2 with vlan 21 / IP net3; L2-VSN I-SID 20101 extending vlan 21; IS-IS on every fabric node; Unified Management.]

Inter-VSN Routing Example
• In this example we interconnect VLAN/I-SID 1112 and VLAN/I-SID 3112
• With Inter-VSN Routing, VSP-12 routes between I-SIDs 1112 and 3112

[Figure: nodes ERS-41, VSP-11, VSP-12, VSP-32, VSP-31, ERS-44; VRF InterVSN with VLAN 1112 (11.12.0.1) and VLAN 3112 (31.12.0.1); I-SID 21112 and I-SID 23112.]


Inter-VSN Routing and VRRP
• If a single Inter-VSN router fails, the route between the I-SIDs is lost
• Virtual Router Redundancy Protocol (VRRP) provides required resiliency
• VRRP with Backup Master provides BM functionality within the SPB cloud

[Figure: two panels, "Single router, single PoF" and "VRRP".]


Configuring Inter-VSN Routing
1. Create a customer VLAN (C-VLAN) by port
2. Add ports in the C-VLAN
3. Map the C-VLAN to an I-SID
On the Backbone Core Bridge (BCB)
1. Create a VRF
2. Create a VLAN for each VSN
3. In VLAN Interface Config mode add the VLANs to the VRF
4. Associate an I-SID with each VLAN
5. Configure an IP address on the VLAN
6. Repeat steps 2 to 5 for each VLAN you want to route traffic between

Note
When a protocol VLAN is created, all ports are added to the VLAN including SPBM ports.
To configure a protocol-based VLAN as a C-VLAN, first remove the SPBM-enabled ports
from the VLAN, then configure the VLAN as a C-VLAN.



Configuring Inter-VSN Routing BEB Example

Create VLAN:
vlan create 11 type port-mstprstp 1

Add ports to VLAN:
vlan members 11 1/2 portmember

Map VLAN to I-SID:
vlan i-sid 11 20011


Configuring Inter-VSN Routing BCB Example

Create VRF:
ip vrf blue vrfid 100

Create VLAN:
vlan create 11 type port-mstprstp 1

Map VLAN to I-SID:
vlan i-sid 11 20011

Associate VLAN with VRF:
interface vlan 11
vrf blue

Set up IP address:
ip address 10.100.11.1 255.255.255.0
exit

Repeat for second VLAN:
vlan create 12 type port-mstprstp 1
vlan i-sid 12 20012
interface vlan 12
vrf blue
ip address 10.100.12.1 255.255.255.0
exit

Inter-VSN routing LAB
• Create VLANs
• Map to I-SIDs
• Create VRF
• Implement Inter-VSN Routing


IP Shortcuts



IP Shortcut Routing on Global Routing Table (VRF0)
• GRT provisioned at the edge of the fabric forwards standard IP packets using standard VLAN encapsulation
• IS-IS used to advertise IP route reachability
• IP routes are set in GRT IP routing table with next hop shortcut to reach advertising node

[Figure: Enable IP Shortcut; GRT with vlan / IP net1 and vlan / IP net2 at one fabric edge, GRT with vlan / IP net3 and vlan / IP net4 at the other; IS-IS on every fabric node; Unified Management.]
[Table: BEB and BCB role support by platform: VSP9000, ERS8800, VSP8200, VSP8400, VSP7000, VSP7200, VSP4000, ERS4800, ERS5900, 3rd Party.]

IP Shortcuts and In-band Management
• All in-band management traffic is only processed if received on an IP interface belonging to the GRT
– Telnet
– SSH
– SNMP
– HTTPS
• Therefore in an SPB Fabric IP Shortcuts are always enabled for management


Configuring IP Shortcuts
1. Configure a CLIP interface for use as the source address for IP shortcuts
2. Exit the Loopback Interface Config mode to Global Config mode
3. Log on to IS-IS Router Config mode
4. Specify the CLIP interface as the source address for IP shortcuts
5. Set up IP shortcuts
6. Display the status of IP shortcuts
7. Identify routes on the local switch to be announced into the SPBM
network
8. Enable routes to be announced into the SPBM network
9. Exit to Global Configuration mode
10. Apply the configured redistribution



IP Shortcuts Configuration Example

Configure a CLIP interface for use as the source address for IP shortcuts:
VSP9000-1> enable
VSP9000-1# configure terminal
VSP9000-1(config)# interface loopback 1
VSP9000-1(config-if)# ip address 10.0.0.2/32
VSP9000-1(config-if)# exit

Specify the CLIP as source address for SPB IP shortcuts:
VSP9000-1(config)# router isis
VSP9000-1(config-isis)# ip-source-address 10.0.0.2

Enable IP on SPB:
VSP9000-1(config-isis)# spbm 1 ip enable
VSP9000-1(config-isis)# show isis spbm
=======================================================================
ISIS SPBM Info
=======================================================================
SPBM      B-VID      PRIMARY  NICK     LSDB     IP
INSTANCE             VLAN     NAME     TRAP
-----------------------------------------------------------------------
1         4051,4052  4051     1.11.16  disable  enable
-----------------------------------------------------------------------
Total Num of SPBM instances: 1
-----------------------------------------------------------------------

Redistribute the directly attached networks:
VSP9000-1(config-isis)# redistribute direct
VSP9000-1(config-isis)# redistribute direct enable
VSP9000-1(config-isis)# redistribute direct metric 1
VSP9000-1(config-isis)# exit
VSP9000-1(config)# isis apply redistribute direct

LAB EXERCISE

IP Shortcut Routing

• Enable IP Shortcut
• Set-up route-redistribution



Layer 3 VSN



SPB – Layer 3 Service VSN
• A VRF provisioned at the edge of the fabric is mapped into the Virtual Service Network using the Service Identifier (I-SID)
• IS-IS advertises:
– All new services and communities of interest (I-SID information)
– The VRF IP routes, which are only accepted and installed on VRFs in the same I-SID

[Figure: Assign VRF-2 → IPVPN I-SID 30200; VRF2 with vlan / IP net1 and vlan / IP net2 at one fabric edge, VRF2 with vlan / IP net3 and vlan / IP net4 at the other; Virtual Service Network I-SID 30010; IS-IS on every fabric node; Unified Management.]
[Table: BEB and BCB role support by platform: VSP9000, ERS8800, VSP8400, VSP8200, VSP7000, VSP4000, ERS4800, ERS5900, 3rd Party.]

SPB Service Type Encapsulations

Path: Node A (BEB), Node B (BCB), Node C (BCB), Node D (BEB)

Service type                            Edge            SPBM                         Encapsulation
Global Routing instance (IP Shortcuts)  Data IP C-MAC   Data IP B-MAC                regular IP on Ethernet
L2 VSN                                  Data IP C-MAC   Data IP C-MAC I-SID B-MAC    802.1ah MAC-in-MAC
L3 VSN                                  Data IP C-MAC   Data IP *C-MAC I-SID B-MAC   802.1ah MAC-in-MAC

* C-MAC header is NULL


SPB L3VSN – IP ECMP Example
• With L3 VSNs, IP ECMP translates into SPB ECT

[Figure: nodes 9000C, 9000G, 9000D, 9000A and 9000B; 9000C carries VLAN 101 (10.1.101.0/24); 9000A and 9000B form an SMLT pair (IST, MLT 1) carrying VLAN 102 (10.1.102.0/24); L3VSN I-SID 30001; BVID#1: 4051; BVID#2: 4052; a tester attached at each end.]

9000C:5# show ip route info vrf green
================================================================================
IP Route - VRF green
================================================================================
DST MASK NEXT NHVRF COST I/F PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.1.101.0 255.255.255.0 10.1.101.1 - 1 101 LOC 0 DB 0
10.1.102.0 255.255.255.0 9000A Glob~ 20 4051 IS-IS 0 IBSVE 7
10.1.102.0 255.255.255.0 9000B Glob~ 20 4051 IS-IS 0 IBSVE 7
10.1.102.0 255.255.255.0 9000A Glob~ 20 4052 IS-IS 0 IBSVE 7
10.1.102.0 255.255.255.0 9000B Glob~ 20 4052 IS-IS 0 IBSVE 7





IP ECMP Before and After Example

Before:
192.168.1.34 255.255.255.255 SME-VSP4K-2 GlobalRouter 10 4051

SME-VSP4K-1:1(config)#ip ecmp

After:
192.168.1.34 255.255.255.255 SME-VSP4K-2 GlobalRouter 10 4051
192.168.1.34 255.255.255.255 SME-VSP4K-2 GlobalRouter 10 4052

Route Redistribution on an L3 VSN
• Remove the ports being used from default VLAN 1
• Create a VRF
• Create a VLAN
• Add ports to the VLAN
• Assign the VLAN to the created VRF
• Enable IP on the VRF
• Map the VRF to an I-SID
• Redistribute direct routes
• Enable route redistribution of direct routes
• Apply the route redistribution


L3VSN Configuration Example Part 1
VSP9000-1> enable
VSP9000-1# configure terminal
VSP9000-1(config)# router vrf vrfred

Create the IP VPN instance:
VSP9000-1(router-vrf)#ipvpn

Associate an I-SID with the VRF:
VSP9000-1(router-vrf)#i-sid 30100

Enable IP VPN:
VSP9000-1(router-vrf)#ipvpn enable
VSP9000-1(router-vrf)# exit

Verify configuration:
VSP9000-1#show ip ipvpn
VRF Name : vrfred
Ipvpn-state : enabled
I-sid : 30100
VSP9000-1# show ip isis redistribute vrf vrfred
=======================================================================
ISIS Redistribute List - VRF vrfred
=======================================================================
SOURCE MET MTYPE SUBNET ENABLE LEVEL RPOLICY
-----------------------------------------------------------------------
LOC 1 internal allow TRUE l1


L3VSN Configuration Example Part 2

Redistribute routes on local switch:
VSP9000-1(config)# router vrf vrfred
VSP9000-1(router-vrf)# isis redistribute direct
VSP9000-1(router-vrf)# isis redistribute direct metric 1
VSP9000-1(router-vrf)# isis redistribute direct enable
VSP9000-1(router-vrf)# exit

Apply redistribution of routes on local switch:
VSP9000-1(config)# isis apply redistribute direct vrf vrfred


L3 VSN – Configuration Using ACLI

[Figure: 8000C (vlan 101, 10.1.101.0/24, port 4/1) and 8000D (vlan 102, 10.1.102.0/24, port 4/1) joined through 8000G over MLT 1 links; IS-IS Area 49.0000; L3 VSN I-SID 30101.]

8000C:
ip vrf green vrfid 1
vlan create 101 type port 1
vlan members add 101 4/1
interface vlan 101
ip vrf green
ip address 10.1.101.1 255.255.255.0
exit
router vrf green
ipvpn
i-sid 30101
ipvpn enable
isis redistribute direct
isis redistribute direct enable
exit
isis apply redistribute direct vrf green

8000D:
ip vrf green vrfid 1
vlan create 102 type port 1
vlan members add 102 4/1
interface vlan 102
ip vrf green
ip address 10.1.102.1 255.255.255.0
exit
router vrf green
ipvpn
i-sid 30101
ipvpn enable
isis redistribute direct
isis redistribute direct enable
exit
isis apply redistribute direct vrf green


Adding L3 VSN ACLI Example

[Figure: nodes 8000C, 8000G, 8000D, 8000A and 8000B running IS-IS (SPBM); VLAN 101 and VLAN 102; 10.0.101.0/24; I-SID 30990001; 8000A and 8000B joined by an IST (MLT 1) with SMLT; a tester attached at each end.]

The slide shows the same configuration block three times:
router vrf green
ipvpn
i-sid 30990001
ipvpn enable
isis redistribute direct
isis redistribute direct enable
isis apply redistribute direct vrf green

Not currently available on the VSP 9000.


SPB Hierarchical Addressing – L3VSN

[Figure: 8000C (BEB, B-MAC 00:bb:00:00:13:00, vlan 101, 10.1.101.0/24, host 10.1.101.10/24 on port 4/1) connects from port 4/30 to port 3/5 of 8000G (BCB, B-MAC 00:bb:00:00:10:00); 8000G connects over MLT 1 to 8000D (BEB, B-MAC 00:bb:00:00:14:00, vlan 102, 10.1.102.0/24, host 10.1.102.10/24 on port 4/1); L3VSN I-SID 30101; Backbone VLAN #1: VID=4051; Backbone VLAN #2: VID=4052, 2nd BVLAN used for load sharing.]

8000C, VRF instance IP routing table:
10.1.101.0/24 → vlan 101 (LOCAL/DIRECT)
10.1.102.0/24 → BMAC 00:bb:00:00:14:00 (ISIS)

8000D, VRF instance IP routing table:
10.1.101.0/24 → BMAC 00:bb:00:00:13:00 (ISIS)
10.1.102.0/24 → vlan 102 (LOCAL/DIRECT)

8000C, Backbone VLAN 4051 FDB (ISIS programmed):
00:bb:00:00:10:00 → port 4/30
00:bb:00:00:14:00 → port 4/30

8000G, Backbone VLAN 4051 FDB (ISIS programmed):
00:bb:00:00:13:00 → port 3/5
00:bb:00:00:14:00 → MLT 1


L3 VSN LAB EXERCISE

• Create a VRF
• Create VLAN
• Map VRF to I-SID
• Route Redistribution
• Verify Configuration



IS-IS Accept Policies & Route Redistribution


L3 VSN and IS-IS Accept Policies
• L3 VSN by default only accepts and imports IP routes from the same I-SID
• Can be overridden via IS-IS accept policies
– A VRF can be made to accept IP routes from any other I-SID
– Including IP routes on the same local BEB but in a different VRF
– The IP route in the VRF control plane is key to allow traffic to follow that IP route in the data plane
– In the Avaya implementation this is possible between VRF/L3 VSNs as well as between GRT/IP Shortcuts and VRF/L3 VSNs

[Figure: VSP 9001 and VSP 9002 (IST pair, ERS1 attached) on one side, VSP 9003 and VSP 9004 (IST pair, ERS2 attached) on the other; Green users 10.1.101.100 and 10.1.102.100 on L3 VSN 30001; Red users 10.2.201.100 and 10.2.202.100 on L3 VSN 30002; L3 VSN 30010 also shown.]


L3 VSN and IS-IS Accept Policies

[Figure: VSP 9001 and VSP 9002 (IST pair, ERS1 attached) on one side, VSP 9003 and VSP 9004 (IST pair, ERS2 attached) on the other; Green users 10.1.101.100 and 10.1.102.100 on L3 VSN 30101; Red users 10.2.201.100 and 10.2.202.100 on L3 VSN 300202; L3 VSN 30010 also shown.]

• On red VRFs: accept policy for routing updates from I-SID 30010
• On green VRFs: accept policy for routing updates from I-SID 30010
• On yellow VRFs: accept policy for I-SIDs 30101 and 300202
• Result:
– Green users can communicate with other Green users
– Red users can communicate with other Red users
– Green and Red users cannot communicate with each other
– Green and red users can communicate with shared server
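
An added example, not part of the course material: a model of the accept policies above that derives which VRFs end up with routes to each other, so the intended isolation can be checked before a policy change is applied. It assumes the yellow VRF is the shared-server VRF in I-SID 30010 and that no default or summary route is advertised; the dictionary layout and the drifted policy are constructed.

```python
import copy
from itertools import combinations

# I-SIDs and accept lists as stated on the slide.
VRFS = {
    "green":  {"isid": 30101,  "accept": {30010}},
    "red":    {"isid": 300202, "accept": {30010}},
    "yellow": {"isid": 30010,  "accept": {30101, 300202}},
}


def imported_isids(vrf):
    """A VRF installs routes from its own I-SID plus every accepted I-SID."""
    return {vrf["isid"]} | set(vrf["accept"])


def has_routes_to(vrfs, src, dst):
    """True if `src` installs the routes that `dst` advertises."""
    return vrfs[dst]["isid"] in imported_isids(vrfs[src])


def reachability(vrfs):
    """Classify every VRF pair as two-way, one-way or isolated."""
    table = {}
    for a, b in combinations(sorted(vrfs), 2):
        forward = has_routes_to(vrfs, a, b)
        reverse = has_routes_to(vrfs, b, a)
        if forward and reverse:
            state = "two-way"      # both sides have routes: hosts can communicate
        elif forward or reverse:
            state = "one-way"      # routes leak in one direction only
        else:
            state = "isolated"
        table[(a, b)] = state
    return table


def isolation_violations(vrfs, must_isolate):
    """List the pairs that are required to be isolated but are not."""
    table = reachability(vrfs)
    violations = []
    for pair in must_isolate:
        a, b = sorted(pair)
        if table[(a, b)] != "isolated":
            violations.append(f"{a}/{b}: {table[(a, b)]}")
    return violations


def drifted_policy():
    """Constructed change: green also accepts the red I-SID."""
    vrfs = copy.deepcopy(VRFS)
    vrfs["green"]["accept"].add(300202)
    return vrfs


if __name__ == "__main__":
    for pair, state in reachability(VRFS).items():
        print(pair, state)
    print(isolation_violations(drifted_policy(), [("green", "red")]))
```

A one-way result still counts as a violation here: the accepting VRF installs routes toward the other zone even though return routes are missing.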

Route Redistribution
• The Route Table Manager controls routing on the switch.
• It will automatically route traffic between directly connected interfaces in the same VRF.
• If you want devices to see your local interfaces you will need to inject these routes into the IS-IS route messages.
• We do this with redistribute direct and redistribute direct enable commands.
• We can also redistribute routes that have been statically configured on our switches with redistribute static and redistribute static enable commands.
• When redistributing other protocols such as direct, static, OSPF, RIP, or BGP into IS-IS, configure under router-isis.
• After configuring under router-isis, exit and apply the redistributed routes.


IP RTM Example

[Figure: route sources (Local/Static routes, RIP (Bellman-Ford algorithm), OSPF (Dijkstra's SPF algorithm), BGP, IS-IS) each submit their best routes; the lowest cost for each protocol wins, and ECMP is applied here. Route preferences (entries shown: Local, Static, spbmLevel1, OSPFintra, OSPFinter, BGP, RIP, OSPFExtn1, OSPFExtn2) then select the routes for the IP routing table; the lowest preference wins, and alternate routes apply here.]

Three Route Filtering Stages Applied to IP Traffic
• Filter stage 1 is the 'Accept Policy' or 'In-filter'
– Applies to incoming traffic to detect changes in the dynamic routing information, which are then submitted to the routing table
• Filter stage 2 is the 'Redistribution filter'
– Applies to entries in the routing table as they are leaked to the protocol
• Filter stage 3 is the 'Announce policy' or 'Out-filter'
– Applies to outgoing traffic within a protocol domain

[Figure: RX → Filter1 → Routing table (all route sources) → Filter2 → Protocol → Filter3 → TX.]


Building a Route Table



Enforcing Security Policies



Re-architect Security Zones
Network Design Flexibility

• No longer need to physically wedge Firewalls/IDS/IPS deep into the physical network to intercept the traffic.
• Connect Firewalls/IDS/IPS at the edge of the network where it makes more sense.
• Use VSNs to take/force the traffic through the Firewall/IDS/IPS.

[Figure: IDS/IPS and Firewall attached at the edge of the Private Cloud through L2 VSN / L3 VSN.]


How to Configure the Fabric for Policy Enforcement
• Create L2VSN on BEBs where servers are connected.
• Extend that L2VSN to the BEB where the policy enforcement device (IDS/IPS, Firewall, Load Balancer, etc.) is connected.
• Create the L3VSN on the BEBs connecting the end-user devices.
• Extend the L3VSN to the BEB connecting the policy enforcement device.
• Create a VLAN on the VRF implementing the L3VSNs 'facing outbound'.
• Add an IP address to the VLAN extended through the L2VSN on the port connecting the policy enforcement device.
• Enable the policy enforcement device (or enable routing on that device).

[Figure: IDS/IPS, Firewall and Load Balancer attached at the edge of the Private Cloud through L2 VSN / L3 VSN.]


Summary of SPB Services

[Figure: SPB Access, SPB Core, SPB Access, with a tester on each side. Each row lists left side / fabric service / right side.]

Infrastructure
GRT IP Shortcut Routing: VLAN 13, 10.0.13.0/24 / GRT IP Shortcuts (Mgmt of devices), IP Multicast Routing enable / VLAN 14, 10.0.14.0/24

Virtualized Services
L2VSN: VLAN 10 / I-SID 20010, IP Multicast Snoop enable / VLAN 10
L2VSN: VLAN 9 / I-SID 20009, IP Multicast Snoop enable / VLAN 19
L3VSN: VLAN 101, 10.1.101.0/24 / I-SID 30001, IP Multicast Routing enable / VLAN 102, 10.1.102.0/24
L3VSN: VLAN 201, 10.2.201.0/24 / I-SID 30002, IP Multicast Routing enable / VLAN 202, 10.2.202.0/24
Inter-VSN: L2VSN VLAN 11, 10.3.11.0/24 / I-SID 20011 / VLAN 11; L2VSN VLAN 12, 10.3.12.0/24 / I-SID 20012 / VLAN 12; L3VSN (or IP Shortcuts) I-SID 30005 / VLAN 300, 10.3.1.0/24

For this topology IP Multicast would be handled as above for L3VSNs; forwarding streams through the Fabric multiple times is sub-optimal.

Configuration and Orchestration Manager
• VSN Manager
• Bulk Configuration Manager (BCM)
• Virtualization and Provisioning Service (VPS)


Avaya Unified Communication Management

Role-Based Access Control
• Roles are administered through Avaya System Manager
• Default Roles:
– Network administrator has complete privileges set
– System administrator does not include User Management, nor device and server credentials page access
– Operator has a view-only tool kit, but can be assigned managers and wizards for specific tasks
• Roles can be customized


COM Feature Overview

Admin
Preferences, Device Credentials, Licensing, Audit Log, Security Admin, Operator user

Devices
Network Discovery based inventory, Device categories Views, Device details and export

Managers and Viewers
VLAN - Multilink-Trunking - Security - Routing - Trap/Log - Virtual Routing - Multicast - Bulk Configuration - VSN - Multimedia Manager, Trap and Syslog Viewer

Virtualization Provisioning Service


End-to-End Management of the Network within, as well as between Data Centers

Wizards
For easy configuration of complex features and to hide complexity

Templates
To reduce configuration error and speed-up provisioning time

Tools
Smart Diff Tool, Scheduler, Port Scanner, CLI*Manager, Configuration Auditing

VSN Manager – Exploring the Network

VSN Manager – IP Shortcuts

VSN Manager – L2 VSNs

VSN Manager – L3 VSNs

VSN Manager – CFM Globals

VSN Manager – Adding an L2 VSN

VSN Manager – Adding a C-VLAN to a Device

VSN Manager - Adding an L3 VSN

Adding Devices to L3 I-SID

Visualization of an L2 VSN

VSN Manager – Visualization of an L3 VSN


Bulk Configuration Manager
 Application in COM which is part of the Avaya System Manager solution
 Suite of tools that perform management tasks across multiple devices
using a Web-based interface:
– Configuration Backup and Restore
– Configuration Update Generator
– Device Password Manager
– Inventory
– Log Browser
– License
– Scheduler
– Software Version Updater



Bulk Configuration Manager
 Configuration Backup and Restore
– Back up and restore device configuration parameters
– Can perform a backup diff based on a previous config or baseline
– System generates a readable copy of the running device configuration
– Can send e-mail with diffs between backups

 Configuration Update Generator
– Run a common set of configuration commands on multiple system devices
– A template parameter can be defined as a variable
– A data file can contain a value for each device IP

 Device Password Manager
– Select a group of managed devices
– Change admin password and SNMP read-only and read/write community strings

 Inventory
– Feature to add, store, and import devices
– Devices from COM inventory are imported when BCM is launched for the first time
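
The Configuration Update Generator idea above (a command template with a variable, plus a data file giving each device IP its value) can be sketched as follows. This is an added example, not COM or BCM code: the `${name}` template syntax, the CSV data-file layout, the `example-command` line and the addresses are assumptions constructed for illustration. It refuses to produce any job when a target has no value or when a value could carry an extra command.

```python
import csv
import io
import ipaddress
import re
from string import Template

# Constructed sample inputs; the command text is a placeholder, not real device CLI.
TEMPLATE = "example-command site-name ${site_name}\n"
DATA_FILE = "device_ip,site_name\n192.0.2.10,dc1-rack4\n192.0.2.11,dc1-rack5\n"

# Allow-list for substituted values: no whitespace, quotes or newlines, so a
# data-file cell cannot append a second command to the rendered job.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def load_values(data_text):
    """Parse the data file into {device_ip: {variable: value}}, validating every cell."""
    values = {}
    for row in csv.DictReader(io.StringIO(data_text)):
        ip = str(ipaddress.ip_address((row.pop("device_ip", None) or "").strip()))
        if ip in values:
            raise ValueError(f"duplicate data row for {ip}")
        for name, value in row.items():
            # fullmatch: an anchored match() with '$' would still accept a trailing newline
            if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
                raise ValueError(f"rejected value for {name!r} on {ip}")
        values[ip] = row
    return values


def render_updates(template_text, data_text, targets):
    """Return {device_ip: commands} for every target, or raise ValueError for the whole job."""
    values = load_values(data_text)
    targets = [str(ipaddress.ip_address(t)) for t in targets]
    missing = sorted(set(targets) - set(values))
    if missing:
        raise ValueError(f"no data row for: {missing}")
    template = Template(template_text)
    rendered = {}
    for ip in targets:
        try:
            rendered[ip] = template.substitute(values[ip])
        except KeyError as exc:
            raise ValueError(f"template variable {exc} has no value for {ip}") from None
    return rendered


if __name__ == "__main__":
    for ip, commands in render_updates(TEMPLATE, DATA_FILE, ["192.0.2.10", "192.0.2.11"]).items():
        print(ip, "->", commands.strip())
```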
Bulk Configuration Manager
 Log Browser
– Avaya BCM logs all interactions with devices to a common file.
– This file rolls over to a new file when the size reaches 10 megabytes.
– Open a log file or export for offline viewing or transfer to Avaya customer service.

 License
– Node-based license providing license-tracking functions for Avaya BCM tools.

 Scheduler
– Select a tool from a drop down list of Avaya BCM tools.
– Select a previously created task from a drop-down list with tasks of that tool.
– Choose the date and time to activate the task.

 Software Version Updater
– Perform updates of individual device images.
– Create an SVU package to update a group of devices of the same type.





Virtualization Provisioning Service
 Manage and visualize a Data Center Network
 Automatic configuration of infrastructure
 Historical reporting and tracking of VM moves and network provisioning
 Configure switches with server virtualization aware networks
 Provide reports of network usage and access
 Eliminate manual configuration errors



Virtualization Provisioning Service

[Diagram labels: Configuration and Orchestration Manager; vCenter Server with Virtualization Provisioning Service; Secure API]

VPS – Topology View

VPS – Highlighting Selected Elements

VPS – Highlighting a Specific Cluster

VPS – Virtual Machine Inventory


Visualization, Performance, and Fault Manager (VPFM)
 Device discovery
 Topology Views
 Dashboards
 Event browser with correlation
 Automated actions for thresholds and events
 KHI Trend Graphs
 Proactive Fault Management
 Performance Management
 Reports and Actions

 SPBM topology discovered using SNMP
 Switch to SPBM view in the network browser
 Shows the SPBM area and the switches configured
 Right click on SPBM area to show the SPBM schematic
 Show B-VLANs and C-VLANs (Layer 2)
– Right click on any of these for a tabular listing
 Show VRFs (Layer 3)
– Right click on VRFs for a tabular listing

 Servers
 Storage
 Applications
 WLAN Controllers
 Wireless Access Points
 UPS

[Figure labels: Virtual Machine, VM Host]

Avaya Diagnostic Server with SLA Mon™

[Diagram labels: SAL Gateway; SLA Mon™ Server; Endpoint Diagnostics; Network Monitoring; Agents; WAN]

SAL Gateway
 Remote Access
 Alarm Transport
 Automatic Software Updates

Endpoint Diagnostics
 Phone Remote Control
 Event Monitoring
 Screen Capture
 Packet Capture
 Bulk Calls

Network Monitoring
 End to End Network Performance
 Hop by Hop QoS Analysis
 Historical Statistics
 Agent to Agent tests
 Agent status and capabilities

Module Summary
In this module we discussed services implemented on
Shortest Path Bridging:
– Layer 2 VSNs
– Inter-VSN Routing
– IP Shortcut Routing
– Layer 3 VSNs

 We also discussed:
– Route Table Manager
– Security Policy Enforcement
– COM and other management applications
