Troubleshooting sieci opartej na. Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching

Size: px

Start display at page:

Download "Troubleshooting sieci opartej na. Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching"

Alexander Stevenson
5 years ago
Views:

1 Troubleshooting sieci opartej na architekturze SDA Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching

2 What s on the Network? Overlay Network Control Plane based on LISP Policy Plane based on TrustSec Data Plane based on VXLAN Underlay Network Assumption: Underlay is working 2

SD-Access topology Fabric Border Nodes C Control Plane Node Control-Plane(CP) Nodes Map System that manages the Endpoint to Gateway (Edge or Border) relationship.

3 SD-Access topology Fabric Border Nodes C Control Plane Node Control-Plane(CP) Nodes Map System that manages the Endpoint to Gateway (Edge or Border) relationship. B B Border Nodes The L3 Gateway device (Core), that connects External L3 network(s) to Fabric. Intermediate Nodes Fabric Edge(FE) Nodes The L3 Gateway device (Access or Distribution), that connects Endpoints to Fabric. Intermediate Nodes Basic L3 (IP) Forwarders in the Underlay. Fabric Edge Nodes 3

4 Our Playground Control-Plane(C) Nodes: Map System that manages the Endpoint to Gateway (Edge or Border) relationship. Border Nodes (B) The L3 Gateway device (Core), that connects External L3 network(s) to Fabric. Fabric Edge(E) Nodes The L3 Gateway device (Access or Distribution), that connects Endpoints to Fabric. 4

5 Our Playground Underlay Network Routing ID (RLOC) IP address of the LISP router facing ISP Overlay Network Endpoint Identifier(EID) IP address of a host VN (VRF) - Campus Instance Id

6 Terminology Egress Tunnel Router (ETR): An ETR is a device that is the tunnel endpoint; it accepts an IP packet where the destination address in the "outer" IP header is one of its own RLOCs. Ingress Tunnel Router (ITR): An ITR is a device that is the tunnel start point; it receives IP packets from site endsystems on one side and sends LISP-encapsulated IP packets, across the Internet to an ETR, on the other side. xtr: A xtr refers to a device which functions both as an ITR and an ETR (which is typical), when the direction of data flow is not part of the context description Proxy xtr (PxTR): A PxTR is used for inter-networking between LISP and Non-LISP sites. Scalable Group (SG): Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by scalable groups (SGs) as they enter the network Scalable Group Tag (SGT): Scalable group tag is the tag that is added in the packet to classify the security group. 6

7 What is new in the control plane? Control Plane based on LISP Multiple Routing Tables BEFORE Single Host tracking database - Map Server AFTER C 7

8 8

9 Here is how you begin Host authentication DHCP packet flow Host resolution Host registration East West Traffic... 9

10 Here is how you begin Host authentication DHCP packet flow Host Resolution Host Registration East West Traffic... 10

11 Host authentication configuration (1/2) aaa new-model aaa group server radius dnac-group server name dnac-radius_ ip radius source-interface Loopback0 aaa authentication login default group dnac-group local aaa authentication enable default enable aaa authentication dot1x default group dnac-group aaa authorization exec default group dnac-group local aaa authorization network default group dnac-group aaa authorization network dnac-cts-list group dnac-group aaa accounting dot1x default start-stop group dnac-group aaa server radius dynamic-author client server-key C!sco123

12 Host authentication configuration (2/2) interface GigabitEthernet2/0/13 switchport mode access switchport voice vlan 4000 device-tracking attach-policy IPDT_MAX_10 authentication control-direction in authentication event server dead action authorize vlan 3999 authentication event server dead action authorize voice authentication host-mode multi-auth authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication timer inactivity server dynamic mab dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast end

13 Host authentication ISE perspective - users & groups 13

14 Host authentication ISE perspective - authorization profiles

15 Host authentication ISE perspective security groups

16 Host authentication ISE perspective policy

17 Topology refresh TAC user connects to the network 17

18 Host authentication Authentication on edge node (1/3) SDA-D STACK#show authentication sessions interface gi2/0/13 Interface MAC Address Method Domain Status Fg Session ID Gi2/0/ d dot1x DATA Auth AC13660E DD07D9721 SDA-D STACK#show authentication sessions interface gi2/0/13 details Interface: GigabitEthernet2/0/13 IIF-ID: 0x1BD564A7 MAC Address: d IPv6 Address: fe80::4913:cf31:eba3:e337 IPv4 Address: User-Name: tim Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: in Session timeout: N/A Common Session ID: AC13660E DD07D9721 Acct Session ID: 0x Handle: 0xd Current Policy: POLICY_Gi2/0/13

19 Host authentication Authentication on edge node (3/3) SDA-D STACK#show authentication sessions interface gi2/0/13 details (...) Local Policies: Idle timeout: sec Server Policies: Vlan Group: Vlan: 1022 Security Policy: None Security Status: Link Unsecured SGT Value: 14 Method status list: Method dot1x State Authc Success

20 Host authentication Authentication on edge node (2/3) SDA-D STACK#show interface gi2/0/13 switchport Name: Gi2/0/13 Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 1022 (192_168_10_0-Campus) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: 4000 (VOICE_VLAN) SDA-D STACK#show cts role-based sgt-map vrf Campus host Active IPv4-SGT Bindings Information IP Address SGT Source ============================================ LOCAL

21 Here is how you begin Host authentication DHCP packet flow Host registration Host Resolution East West Traffic... 21

22 DHCP packet flow Configuration - edge node interface Vlan1022 description Configured from apic-em mac-address c9f.f45d vrf forwarding Campus ip address ip helper-address no ip redirects ip local-proxy-arp ip route-cache same-interface no lisp mobility liveness test lisp mobility 192_168_10_0-Campus

23 DHCP packet flow Configuration - border node interface Loopback1022 description Loopback Border vrf forwarding Campus ip address ! router bgp address-family ipv4 vrf Campus aggregate-address summary-only redistribute connected! router lisp eid-table vrf Campus instance-id 4098 ipv4 route-export site-registrations ipv4 distance site-registrations 250 ipv4 map-cache site-registration

DHCP packet flow in Campus Fabric 1 FE 2 BDR B 1 2 The DHCP client generates a DHCP request and broadcasts it on the network FE adds remote ID in option 82.

24 DHCP packet flow in Campus Fabric 1 FE 2 BDR B 1 2 The DHCP client generates a DHCP request and broadcasts it on the network FE adds remote ID in option 82. The packet is sent with src IP of the SVI. 3 DHCP Server replies with offer Border uses the remote ID in option 82 to forward the packet. 5 FE installs the DHCP binding and forwards the reply to client 24

25 DHCP option 82 Agent Circuit ID Option 82 is added: Option 82 Suboption: (1) Agent Circuit ID Length: 6 Agent Circuit ID: fe020d Option 82 format: #show ip dhcp snooping Insertion of option 82 is enabled circuit-id default format: vlan-mod-port Decode: fe020d = fe 02 0D 00 = format (vlan-mod-port) 04 = option length 0x03fe = VLAN = module 2 0D = port 13

26 DHCP option 82 Agent Remote ID Option 82 is added: Option 82 Suboption: (2) Agent Remote ID Length: 10 Agent Remote ID: ac Decode: ac100bfd = ac100bfd 03 = used for LISP (01 = MAC; 02 string) 08 = sub-option length = LISP instance 0x1002 = = 01 IPv4; 02 IPv6 ac = RLOC of xtr (Edge device) -> ac = interface Loopback0 description Fabric Node Router ID ip address

27 DHCP packet flow Bindings SDA-D STACK#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface :50:56:93:10:0D dhcp-snooping 1022 GigabitEthernet2/0/13 Total number of bindings: 1 SDA-D STACK#show ip arp vrf Campus Protocol Address Age (min) Hardware Addr Type Interface Internet d ARPA Vlan1022 SDA-D STACK#show device-tracking database interface gi2/0/13 portdb has 2 entries for interface Gi2/0/13, 2 dynamic Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP PKT - Other Packet, API - API created Preflevel flags (prlvl): 0001:MAC and LLA match 0002:Orig trunk 0004:Orig access 0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned 0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned Network Layer Address Link Layer Address Interface vlan prlvl age state Time left ND FE80::4913:CF31:EBA3:E d Gi2/0/ mn REACHABLE 91 s DH d Gi2/0/ s REACHABLE 200 s(43296 s) 27

28 Here is how you begin Host authentication DHCP packet flow Host resolution Host registration East West Traffic... 28

29 Topology refresh at this stage all enddevices get IP address / VLAN / SGT assignment. 29

30 Host registration Edge node configuration and local database router lisp instance-id 4098 remote-rloc-probe on-route-change dynamic-eid 192_168_10_0-Campus database-mapping /24 locator-set rloc_d080ca6d bb9-a86c-1eaa14867c33 exit-dynamic-eid SDA-D STACK#show lisp eid-table Campus ipv4 database /32 LISP ETR IPv4 Mapping Database for EID-table vrf Campus (IID 4098), LSBs: 0x1 Entries total 4, no-route 0, inactive /32, dynamic-eid 192_168_10_0-Campus, inherited from default locator-set rloc_d080ca6d bb9-a86c-1eaa14867c33 Locator Pri/Wgt Source State /10 cfg-intf site-self, reachable 30

31 Host registration Registration process 31

32 Host registration Control node configuration and site data router lisp site site_uci description map-server configured from apic-em authentication-key uci eid-prefix instance-id /24 accept-more-specifics SDA-D #show lisp eid-table Campus site LISP Site Registration Information * = Some locators are down or unreachable # = Some registrations are sourced by reliable transport Site Name Last Up Who Last Inst EID Prefix Register Registered ID site_uci never no /24 00:16:00 yes# /32 32

33 Here is how you begin Host authentication DHCP packet flow Host resolution Host registration East West Traffic... 33

34 Topology refresh TAC: users : /24 servers : /24 BU: at this stage all end-devices have IP address / VLAN / SGT assignment and are registered to control node. users : /24 servers : /24 34

35 Host resolution Control node - database control node is aware of all hosts in the fabric SDA-D #show lisp eid-table Campus site LISP Site Registration Information * = Some locators are down or unreachable # = Some registrations are sourced by reliable transport Site Name Last Up Who Last Inst EID Prefix Register Registered ID site_uci never no /24 03:35:40 yes# /32 never no /24 1d20h yes# /32 never no /24 1d20h yes# /32 35

36 Host resolution Edge node - database edge node need to query control node to learn new prefixes SDA-D STACK#show lisp eid-table Campus ipv4 map-cache LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4098), 10 entries /0, uptime: 2d20h, expires: never, via static-send-map-request Negative cache entry, action: send-map-request 36

37 Host resolution Communication 37

38 Host resolution Edge node - map-cache SDA-D STACK#show lisp eid-table Campus ipv4 map-cache /32 LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4098), 10 entries /32, uptime: 13:44:58, expires: 10:15:01, via map-reply, complete Sources: map-reply State: complete, last modified: 13:44:58, map-source: Idle, Packets out: 0(0 bytes) Encapsulating dynamic-eid traffic Locator Uptime State Pri/Wgt Encap-IID :44:58 up 10/10 - Last up-down state change: 13:44:58, state change count: 1 Last route reachability change: 13:44:58, state change count: 1 Last priority / weight change: never/never RLOC-probing loc-status algorithm: Last RLOC-probe sent: 13:44:58 (rtt 4ms) 38

39 Here is how you begin Host authentication DHCP packet flow Host resolution Host registration East-West Traffic... 39

40 Topology refresh at this stage all end-devices get IP address / VLAN / SGT assignment and are registered to control node and aware of end-point location TAC: users : /24 servers : /24 BU: users : /24 servers : /24 packet capture packet capture packet capture 40

41 East-west Traffic Security / SGTs scenario: TAC user ßàTAC Server

42 Topology refresh scenario: TAC user ßàTAC Server 42

43 East-west Traffic Packet capture (ingress to fabric) scenario: TAC user ßàTAC Server SDA-D STACK#show monitor capture capin buffer Starting the packet display... Press Ctrl + Shift + 6 to exit > ICMP 74 Echo (ping) request id=0x0001, seq=41/10496, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=42/10752, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=43/11008, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=44/11264, ttl=128 SDA-D STACK#show monitor capture capin buffer dump Starting the packet display... Press Ctrl + Shift + 6 to exit c 9f f4 5d d ].PV...E c 12 eb c0 a8 0a 65 c0 a8.<...e b 0c d M2...)abcdef a 6b 6c 6d 6e 6f ghijklmnopqrstuv wabcdefghi 43

44 East-west Traffic Packet capture (ingress to fabric) scenario: TAC user ßàTAC Server 44

45 East-west Traffic Packet capture (ingress to fabric point-of-exit) scenario: TAC user ßàTAC Server SDA-D #sh monitor capture capin buffer display-filter icmp Starting the packet display... Press Ctrl + Shift + 6 to exit > ICMP 124 Echo (ping) request id=0x0001, seq=45/11520, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=46/11776, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=47/12032, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=48/12288, ttl=127 SDA-D #show monitor capture capin buffer display-filter icmp dump Starting the packet display... Press Ctrl + Shift + 6 to exit ff 8c 6f e4 64 f6 9d 71 b P...o.d..q.@..E e 0e f e 11 cb 60 ac ac 13.n..@.~..`..f ff b5 00 5a e d...z ba 25 cd f4 ad c 9f % c 12 f f c0 a8 0a 65 E..<...e 0050 c0 a8 0b 0c d 2e d M...-abcd a 6b 6c 6d 6e 6f efghijklmnopqrst uvwabcdefghi 45

46 East-west Traffic Packet capture (ingress to fabric point-of-exit) scenario: TAC user ßàTAC Server

East-west Traffic Security / SGTs scenario: TAC user ßàTAC Server SDA-D-3850-3#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group

47 East-west Traffic Security / SGTs scenario: TAC user ßàTAC Server SDA-D #show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 14:SDA_TAC_Users to group 16:SDA_TAC_Servers: Permit IP-00 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALS SDA-D #show cts role-based counters from 14 to 16 Role-based IPv4 counters From To SW-Denied HW-Denied SW-Permit HW-Permit SW-Monitor HW-Monitor

48 Topology refresh scenario: TAC user ßà BU Server 48

49 East-West Traffic Packet capture (ingress to fabric) scenario: TAC user ßàBU Server SDA-D STACK#show monitor capture capin buf display-filter icmp Starting the packet display... Press Ctrl + Shift + 6 to exit > ICMP 74 Echo (ping) request id=0x0001, seq=61/15616, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=62/15872, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=63/16128, ttl= > ICMP 74 Echo (ping) request id=0x0001, seq=64/16384, ttl=128 SDA-D STACK#sh monitor capture capin buffer display-filter icmp dump Starting the packet display... Press Ctrl + Shift + 6 to exit c 9f f4 5d d ].PV...E c d c0 a8 0a 65 c0 a8.<.a...e d d 1e d M...=abcdef a 6b 6c 6d 6e 6f ghijklmnopqrstuv wabcdefghi 49

50 East-West Traffic Packet capture (ingress to fabric) scenario: TAC user ßàBU Server

51 East-west Traffic Packet capture (ingress to fabric point-of-exit) scenario: TAC user ßàTAC Server SDA-D #show monitor capture capin buffer display-filter icmp Starting the packet display... Press Ctrl + Shift + 6 to exit > ICMP 124 Echo (ping) request id=0x0001, seq=61/15616, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=62/15872, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=63/16128, ttl= > ICMP 124 Echo (ping) request id=0x0001, seq=64/16384, ttl=127 SDA-D #show monitor capture capin buffer display-filter icmp dump Starting the packet display... Press Ctrl + Shift + 6 to exit c 5d e f6 9d 71 b ].Tdd..q.@..E e 0f 3f e 11 cb 12 ac ac 13.n.?@.~...f ff b5 00 5a e d...z ba 25 cd f4 ad c 9f % c f d c0 a8 0a 65 E..<.a...e 0050 c0 a8 15 0d d 1e d M...=abcd a 6b 6c 6d 6e 6f efghijklmnopqrst uvwabcdefghi 51

52 East-west Traffic Packet capture (ingress to fabric point-of-exit) scenario: TAC user ßàTAC Server

East-west Traffic Security / SGTs scenario: TAC user ßàTAC Server SDA-D-3850-4#show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group

53 East-west Traffic Security / SGTs scenario: TAC user ßàTAC Server SDA-D #show cts role-based permissions IPv4 Role-based permissions default: Permit IP-00 IPv4 Role-based permissions from group 14:SDA_TAC_Users to group 18:SDA_BU_Servers: Deny IP-00 RBACL Monitor All for Dynamic Policies : FALSE RBACL Monitor All for Configured Policies : FALSE SDA-D #sh cts role-based counters from 14 to 18 Role-based IPv4 counters From To SW-Denied HW-Denied SW-Permit HW-Permit SW-Monitor HW-Monitor

54 Here is how you begin Host authentication DHCP packet flow Host registration Host Resolution East-West Traffic ALL GOOD J 54

55 Here is how you begin

56 Dziękuję za uwagę!

DNA SA Border Node Support

DNA SA Border Node Support Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure