CNGI-CERNET2 SAVI Deployment Update
China Education and Research Network (CERNET) / Tsinghua Univ., IETF 79, Beijing
Nov. 9, 2010
Outline
• SAVI Switches Implementation
• SAVI Switches Testing
• SAVI Deployment in CNGI-CERNET2
• SAVI Management System and MIB Design
• SAVI based User Authentication System in CERNET2
SAVI Switches Implementation
SAVI Switch Implementation
• Solutions implemented
  – draft-ietf-savi-dhcp-06
  – draft-bi-savi-stateless-01
  – draft-bi-savi-mix-00 (partially)
• Vendors
  – ZTE, Huawei, H3C (3Com)
  – Ruijie, Digital China (spun off from Lenovo)
  – Bitway, Centec
SAVI-Firmware upgradable
• SAVI-upgradable switches in our deployment
  – Switches with at least Layer 2.5 IPv6 capability (Layer 2 switches that can parse IPv6 headers)
  – SAVI is added by a firmware upgrade
  – ZTE: ZXR10 8900, 5900, 3900A
  – Huawei: S5600, 5300, 3500, 3300, 2300
  – H3C (3Com): S5500EI, S5500SI, S5120EI, E126A, E152, E328, E352
  – Digital China: DCRS-5950, 3950
  – Ruijie: RG-S8600, S5750, S5760, S2900, S2600
  – Bitway: BitStream 7000, 6000, 3000
  – Centec: E600 and E300
Binding State Table of H3C S5500
Entry: Source IP | Source MAC | VLAN ID | Type (DHCP or ND)
Console Example
SAVI Switches Testing
Catalogs of SAVI Testing
• CERNET organized formal testing of SAVI switches (several rounds of tests)
• Test types:
  – Conformance testing
  – Performance testing
  – Test-bed (interoperability) testing
  – Testing in the production network
• Each type covers 3 scenarios
  – DHCPv6-only
  – SLAAC-only
  – DHCPv6-SLAAC-mixed
  – In each scenario, static bindings for manually configured addresses are also tested
SAVI Deployment in CERNET2
SAVI switch installations: 100 university campus networks (red dots on the map)
Scenarios in Deployment
• DHCP-only
  – Only DHCP-assigned and link-local addresses are allowed.
  – DHCP snooping and link-local address snooping are enabled.
• SLAAC-only
  – Only SLAAC addresses are allowed.
  – SLAAC snooping is enabled.
• DHCP-SLAAC-Mixed
  – DHCP and SLAAC addresses are allowed.
  – DHCP snooping and SLAAC snooping are enabled.
• Static addresses (usually for servers) are manually configured in all of the above scenarios.
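The three scenarios above decide which address-assignment methods may create a binding, and the binding table (Source IP | Source MAC | VLAN | Type) is then what the data plane checks every source address against. The following Python model, an added illustration rather than firmware from any of the vendors listed on this page, shows that policy end to end: bindings are learned by snooping DHCPv6 replies and DAD Neighbor Solicitations (link-local addresses are bound in every scenario), static entries are added by hand and can never be overwritten by snooping, a second host claiming an already bound address on another port is refused, and a packet passes only when its source address, MAC and ingress port all match. Addresses, MACs and port names are constructed; there are no lease lifetimes or binding timeouts in this model.

```python
"""Toy SAVI binding table and per-port source-address filter covering the
DHCP-only, SLAAC-only and DHCP-SLAAC-mixed deployment scenarios.
Added example; not code from the CERNET2 switches or the SAVI drafts."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")
UNSPECIFIED = IPv6Address("::")   # source of a DAD Neighbor Solicitation


@dataclass(frozen=True)
class Binding:
    ip: IPv6Address
    mac: str
    vlan: int
    port: str
    kind: str   # "DHCP", "ND" (learned from a DAD-NS) or "STATIC"


class SaviSwitch:
    SCENARIOS = ("dhcp-only", "slaac-only", "mixed")

    def __init__(self, scenario):
        if scenario not in self.SCENARIOS:
            raise ValueError(scenario)
        self.scenario = scenario
        self.table = {}   # (ip, vlan) -> Binding

    def _kind_allowed(self, ip, kind):
        """Scenario policy: which learning methods may create a binding."""
        if kind == "STATIC" or ip in LINK_LOCAL:
            return True                 # link-local is bound in every scenario
        if self.scenario == "dhcp-only":
            return kind == "DHCP"
        if self.scenario == "slaac-only":
            return kind == "ND"
        return True                     # mixed: DHCP and SLAAC both allowed

    def _bind(self, ip, mac, vlan, port, kind):
        ip = IPv6Address(ip)
        if not self._kind_allowed(ip, kind):
            return False
        old = self.table.get((ip, vlan))
        # Never let snooped traffic overwrite a static entry, and never let a
        # second port claim an address already bound elsewhere (duplicate/hijack).
        if old is not None and (old.kind == "STATIC" or old.port != port):
            return False
        self.table[(ip, vlan)] = Binding(ip, mac, vlan, port, kind)
        return True

    def add_static(self, ip, mac, vlan, port):
        """Manually configured address, e.g. a server."""
        ip = IPv6Address(ip)
        self.table[(ip, vlan)] = Binding(ip, mac, vlan, port, "STATIC")

    def snoop_dhcpv6_reply(self, leased_ip, client_mac, vlan, port):
        """DHCPv6 REPLY seen on the trusted uplink, destined to `port`."""
        return self._bind(leased_ip, client_mac, vlan, port, "DHCP")

    def snoop_dad_ns(self, target_ip, src_mac, vlan, port):
        """Neighbor Solicitation with unspecified source (DAD) from `port`."""
        return self._bind(target_ip, src_mac, vlan, port, "ND")

    def validate(self, src_ip, src_mac, vlan, port):
        """Data-plane check: forward only if <IP, MAC, port> matches a binding."""
        src = IPv6Address(src_ip)
        if src == UNSPECIFIED:
            return True                 # DAD probes must pass or nothing can bind
        b = self.table.get((src, vlan))
        return b is not None and b.port == port and b.mac == src_mac


def demo():
    """Constructed traffic on a DHCP-only and on a mixed access switch."""
    r = {}
    sw = SaviSwitch("dhcp-only")
    sw.add_static("2001:db8:1::10", "00:00:5e:00:53:10", 100, "Gi1/0/10")
    r["ll_bound"] = sw.snoop_dad_ns("fe80::1", "00:00:5e:00:53:01", 100, "Gi1/0/1")
    r["slaac_refused"] = sw.snoop_dad_ns("2001:db8:1:0:1:2:3:4", "00:00:5e:00:53:01", 100, "Gi1/0/1")
    r["dhcp_bound"] = sw.snoop_dhcpv6_reply("2001:db8:1::101", "00:00:5e:00:53:01", 100, "Gi1/0/1")
    r["legit"] = sw.validate("2001:db8:1::101", "00:00:5e:00:53:01", 100, "Gi1/0/1")
    r["spoof_other_port"] = sw.validate("2001:db8:1::101", "00:00:5e:00:53:02", 100, "Gi1/0/2")
    r["spoof_server_ip"] = sw.validate("2001:db8:1::10", "00:00:5e:00:53:02", 100, "Gi1/0/2")
    r["server_ok"] = sw.validate("2001:db8:1::10", "00:00:5e:00:53:10", 100, "Gi1/0/10")
    r["dad_passes"] = sw.validate("::", "00:00:5e:00:53:02", 100, "Gi1/0/2")

    sw2 = SaviSwitch("mixed")
    sw2.add_static("2001:db8:1::10", "00:00:5e:00:53:10", 100, "Gi1/0/10")
    r["mixed_slaac_bound"] = sw2.snoop_dad_ns("2001:db8:1:0:1:2:3:4", "00:00:5e:00:53:01", 100, "Gi1/0/1")
    r["mixed_static_protected"] = sw2.snoop_dad_ns("2001:db8:1::10", "00:00:5e:00:53:02", 100, "Gi1/0/2")
    r["mixed_dup_port"] = sw2.snoop_dad_ns("2001:db8:1:0:1:2:3:4", "00:00:5e:00:53:02", 100, "Gi1/0/2")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The two checks a practitioner should keep in mind when reading a real binding table: a static entry must win over anything snooped (otherwise a dorm host can DAD its way onto a server address), and the DAD-NS from an unbound host must still be forwarded, which is why the FIT-building slide reports on DAD-NS loss at all.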
Example: Tsinghua Univ. campus network SAVI deployment (software upgrade at access switch)
[Figure: Tsinghua campus network topology. Campus Backbone (IPv4/IPv6) at the top, an aggregation level below it, and an access level of SAVI-access switches serving the campus buildings and areas (Office/Teaching area, Faculty apartments, Student Dorm, FIT, Lib, Main, SCI, Arch, SE, EDUH1, ZJ3#, ZJ8#, 1#, 16#, HQY, LQY, NW, GZTCC1, CC2Lib, Phone, shop, Exit 1, Exit 2, 9003). Each access switch fans out to floors F1-F3 of servers, printers and workstations; the SAVI-access switch layer serves about 20K users (students).]

Deployment scale at Tsinghua:
  subnets   switches   ports    hosts    users
  114       1018       23414    22644    20280
Deployment at Campus Network
• Tsinghua Student Dorms: 27 buildings, 20K+ students
• 10 switch models from 4 vendors in 3 scenarios
• DHCPv6 addresses come from a DHCPv6 server (WS2008) reached through DHCPv6 relay
Deployment in Student Buildings
Real Deployment in Student Dorms
• H3C: DHCPv6-only
• Digital China: DHCP-SLAAC-mixed
Example: SAVI deployment in Tsinghua FIT building
[Figure: FIT building network diagram. Two core switches, FIT building CS_1 and CS_2, are interconnected on G7/24 (166.111.128.32/30; 2001:da8:200:f000::1 and ::2). For IPv4, HSRP provides hot standby for the uplinks of every access device: CS_1 is Active, CS_2 is Standby, VIP *.*.*.1. An IPv6 ISATAP tunnel (tunnel source 59.66.4.50, IPv6 prefix 2001:da8:200:900e::/64) and the 310_VOD_CST firewall (Firewall In / Firewall Out) hang off the cores; G7/21 is a mirror port and T2/1 carries the inbound/outbound traffic. Access subnets, each an IPv4 /24 paired with an IPv6 /64:
  166.111.130.0/24    2001:da8:200:9000::/64
  166.111.131.0/24    2001:da8:200:9001::/64
  166.111.132.0/24    2001:da8:200:9002::/64  (also 166.111.143.129/26)
  166.111.133.0/24    2001:da8:200:9003::/64
  166.111.134.0/24    2001:da8:200:9004::/64
  166.111.135.0/24    2001:da8:200:9005::/64
  166.111.136.1/24    2001:da8:200:9006::/64
  166.111.137.0/24    2001:da8:200:9007::/64
  166.111.138.0/24    2001:da8:200:9008::/64
  166.111.143.192/26  2001:da8:200:900b::/64
  166.111.143.0/28    2001:da8:200:900c::/64
  59.66.66.0/28, 166.111.111.0/28   2001:da8:200:900f::/64
  166.111.143.32/28   2001:da8:200:9010::/64  (G7/15)
  plus point-to-point /30s (166.111.128.72/30, 166.111.128.76/30), 166.111.143.112/28, 166.111.243.17/28 and YaoQiZhi-Lab 166.111.142.0/24.
Digital China access switches serve XinXiXY, FIT Center, DragonLab and D05_ChinaGrid, in stacks of N×48 ports; link speeds are 10GE, GE and FE. Anti-spoofing is layered: prefix granularity by RPF at the core/aggregation, host granularity by SAVI at the access switches.]
Deployment in Office Building
• FIT Building of Tsinghua Univ.
• In production since Oct 2009 (more than 1 year)
• No initial DAD-NS loss observed (link-local addresses are bound)
• Switches: Ruijie RG-2652, Digital China S3950
Example: South China Univ. of Tech. campus network SAVI deployment (Guangzhou City)
[Figure: campus core router (Cisco 6509) with 10G links to Layer 3 route switches (Ruijie RJ8610 and ZTE ZXR10 8908), 1000M links down to the SAVI access switches (Ruijie S2628G and Digital China DC S2950), and 100M links to hosts. Access switches run in the DHCP-only and SLAAC-only scenarios.]
SAVI deployment: Student Dorms
SAVI deployment: Teaching and Learning Building: 4 buildings, 100+ classrooms
Example: Shanghai Jiaotong Univ. campus network SAVI deployment
Access switches become SAVI-ready by firmware upgrade.
SAVI Deployment at Campus Network
Student Dorms deployed: Dorm 54, Dorm 57
SAVI Deployment in Student Dorms (Dorm 54, Dorm 57)
Example: Xi’an JiaoTong Univ. campus network SAVI deployment
SAVI Deployment in Student Dorms
Example: Northeast Univ. campus network SAVI deployment (Shenyang City)
SAVI Deployment in office buildings
Example: Huazhong Univ. of Sci&Tech campus network SAVI deployment (Wuhan City)
Example: UESTC (Univ. of Electronic Science and Technology of China) campus network SAVI deployment (Chengdu City)
SAVI Management System and MIB Design
[Figure: SAVI MIB tree; legend (KEY): READ-WRITE, READ-CREATE, READ-ONLY objects.]
Global View (data gathered in Tsinghua FIT building)
Subnet View
Switch View
SAVI Port Info at One Switch
SAVI Binding Table
SAVI based User Authentication System in CERNET2
System Overview
[Figure: components of the SAVI-based authentication system on the IPv4/IPv6 campus network. The IPv6 host (identified by MAC) attaches to a SAVI switch, which holds the binding <IP, MAC, Port>; the IPv6 user (identified by ID) authenticates through web-based auth backed by a RADIUS server and RADIUS DB; a DHCPv6 server assigns addresses. The accepted session is recorded in a 5-tuple DB as <ID, IP, MAC, Port, Time> and made available to network management. The figure numbers the message flow 1 through 8.]
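What the 5-tuple buys is attribution that an attacker cannot forge by picking a source address: a web login is only meaningful if the claimed source IP is currently bound by a SAVI switch to one MAC on one port. The following Python model is an added illustration of that idea, not the CERNET2 system's own code; it assumes a constructed RADIUS stand-in (a user-to-password dict), a binding feed from the switches (in practice read through the SAVI MIB) and a timestamped session store that supports the forensic question "which user held this address at that time".

```python
"""Constructed model of SAVI-based user authentication: a web login is
accepted only if the SAVI switch currently binds the claimed source IP,
and the accepted session is stored as <ID, IP, MAC, Port, Time>.
Added example; not the CERNET2 system's code."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SaviBinding:          # <IP, MAC, Port> as learned by the access switch
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class Session:              # the 5-tuple <ID, IP, MAC, Port, Time>
    user_id: str
    ip: str
    mac: str
    port: str
    time: datetime


class AuthSystem:
    def __init__(self, radius_users):
        self._radius = radius_users   # constructed stand-in for the RADIUS DB
        self.bindings = {}            # ip -> SaviBinding, mirrored from the switches
        self.active = {}              # ip -> Session currently online
        self.history = []             # (Session, end_time): the 5-tuple DB

    def _end(self, ip, now):
        s = self.active.pop(ip, None)
        if s is not None:
            self.history.append((s, now))

    # --- binding feed from the SAVI switches ---
    def binding_up(self, ip, mac, port, now):
        old = self.bindings.get(ip)
        if old is not None and (old.mac, old.port) != (mac, port):
            self._end(ip, now)        # a different host took the address
        self.bindings[ip] = SaviBinding(ip, mac, port)

    def binding_down(self, ip, now):
        self.bindings.pop(ip, None)
        self._end(ip, now)            # no binding, no session

    # --- web-based authentication ---
    def web_login(self, user_id, password, src_ip, now) -> Optional[Session]:
        expected = self._radius.get(user_id)
        if expected is None or not hmac.compare_digest(expected, password):
            return None               # RADIUS reject
        b = self.bindings.get(src_ip)
        if b is None:
            return None               # source not validated by SAVI: cannot be attributed
        self._end(src_ip, now)        # replace any earlier session on this address
        s = Session(user_id, src_ip, b.mac, b.port, now)
        self.active[src_ip] = s
        return s

    def who_used(self, ip, at) -> Optional[str]:
        """Forensic lookup: which user ID held `ip` at time `at`."""
        s = self.active.get(ip)
        if s is not None and s.time <= at:
            return s.user_id
        for s, end in self.history:
            if s.ip == ip and s.time <= at <= end:
                return s.user_id
        return None


def demo():
    """Constructed login sequence (users, addresses and ports are made up)."""
    t0 = datetime(2010, 11, 9, 9, 0, tzinfo=timezone.utc)
    auth = AuthSystem({"alice": "pw-a", "bob": "pw-b"})
    r = {}
    r["unbound_refused"] = auth.web_login("alice", "pw-a", "2001:db8:2::10", t0) is None
    auth.binding_up("2001:db8:2::10", "00:00:5e:00:53:a1", "Gi1/0/1", t0)
    s = auth.web_login("alice", "pw-a", "2001:db8:2::10", t0 + timedelta(minutes=1))
    r["alice_tuple"] = (s.user_id, s.ip, s.mac, s.port)
    r["bad_pw"] = auth.web_login("bob", "wrong", "2001:db8:2::10", t0) is None
    r["who_at_10"] = auth.who_used("2001:db8:2::10", t0 + timedelta(minutes=10))
    auth.binding_down("2001:db8:2::10", t0 + timedelta(hours=1))
    r["who_during"] = auth.who_used("2001:db8:2::10", t0 + timedelta(minutes=30))
    r["who_after"] = auth.who_used("2001:db8:2::10", t0 + timedelta(hours=2))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The session is closed the moment the switch drops or re-learns the binding, so the time interval stored with each 5-tuple is bounded by what the switch actually saw rather than by a client-side logout that may never arrive.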
Thank You! Q & A