Building a Secure Network Architecture – No.2 – Virtualization Technology

Like cattle and horses yearn for the grasslands, network engineers yearn for technology, not competition!

1.SCF Technology

1)SCF: Secure Cluster Framework, its technical implementation isIRF, the core idea is to connect multiple devices throughIRF physical ports, and after necessary configuration, virtualize them into a “distributed device”; the technical advantages are: unified management, high reliability, and flexible expansion.

2)Principle: UsingN: 1 virtualization, virtualizing multiple devices into one device, combining the software and hardware processing capabilities of multiple devices; multiple devices work together, unified management, and uninterrupted maintenance. The master and slave devices in theIRF stack maintain synchronized configuration and operational status, achieving1: N backup. Currently, the maximum number of member devices allowed in oneIRF is2

3)Basic concept ofIRF, the operating modes are divided into standalone mode andIRF mode; the roles inIRF are divided intoMaster (responsible for managing the entireIRF, only oneMaster can exist in anIRF) andSlave (operating as a backup device for theMaster);IRF ports are divided intoIRF-Port1 andIRF-Port2, which need to be bound to physical ports to take effect;IRF merging (twoIRFs operate stably, forming oneIRF through physical connection and necessary configuration) and splitting (after oneIRF is formed, due toIRF link failure, it becomes twoIRFs)

4)Formation ofIRF: A. Physical connection, theIRF-Port1 of the local device needs to connect to theIRF-Port2 of the opposite end;B. Topology collection: member devices collect the entireIRF topology through interactiveIRF hello messages, and after topology convergence, proceed to the role election stage;C. Role election: theIRF system consists of multiple member devices, each with a defined role, eitherMaster orSlave, this process is called role election.

5)Master election rules: the currentMaster is preferred over non-Master members; when all member devices are distributed devices, the local active master is preferred over the local standby master,Master‘s standby master is preferred over the master on non-Master members; members with higher priority are preferred; longer system uptime is preferred (hello message transmission); members with smaller bridgeMAC are preferred.

Building a Secure Network Architecture - No.2 - Virtualization Technology

6)After the stack split, the twoIRF stacks generated have the sameIP address and other layer 3 configurations, causing conflicts, thus the stack split detection technology arises.

7)MAD: Multi-Active Detection, detects whether multipleIRFs exist in the network throughLACP,BFD or freeARP; it keeps the stack with the smallest master member number active (normal working state) and migrates other stacks to recovery state (disabled state), shutting down all physical ports on its member devices except for reserved ports (usually business ports); note:LACP MAD andARP MAD should not be configured simultaneously,BFD MAD andARP MAD should not be configured simultaneously.

8)Detection based onLACP MAD: achieved through extending theLACP protocol message content, that is, defining a newTLV (Type/Length/Value) data field in the extended field of theLACP protocol message—–for interacting withIRF‘sDomainID (domain number) andActive ID (equal to the member number of the master device); when a member device receives theLACP protocol message, it first compares theDomainID, if the same, then compares theActiveID; if theDomainID is different, it is considered that the message comes from differentIRFs, and no furtherMAD processing is performed; if theActiveID is the same, it indicates that theIRF is operating normally, without multi-active conflicts; if different, it indicates that theIRF has split; the side with the largerActiveID competes unsuccessfully and migrates toRecovery state.

9)Detection based onBFD MAC detection: member devices connect through layer 3 ports and configure aBFD detection address respectively, enablingBFD MAD detection. During normal operation, theBFD master device address is effective, while the backup device address is not effective, causing theBFD session to be DOWN; during stack split, both addresses become effective, causing theBFD session to be UP, and afterBFD MAD detection takes effect, the session goes DOWN again; the side with the largerActive ID competes unsuccessfully and migrates toRecovery state; theBFD detection occupies a pair of ports and aVLAN.

10)Detection based onARP MAD detection: ARP MAD detection is achieved by extending theARP protocol message, that is, using unused fields in theARP protocol to interact withDomainID andActiveID; after enablingARP MAD detection, member devices can interact with other member devices throughARP protocol messages to exchangeDomainID andActiveID information; theARP MAD detection method can use intermediate devices for connection or not; if member devices interact through intermediate devices, the intermediate device, master device, and slave device must configure spanning tree functionality to prevent loops; theARP detection occupies a separateVLAN.

2.SOP Technology

1) SOP: Secure One Platform, that is,Context technology, which divides a physical device into multiple logical devices through virtualization technology, each logical device becomes acontext, for users, eachcontext is an independent device.

2) Advantages:1: can flexibly dividecontext, meeting the new tenant needs in cloud deployment scenarios, improving network resource utilization;2: multiplecontexts integrated on one physical device, reducing management and maintenance costs;3: eachcontext is equivalent to an independent physical device,contexts are isolated from each other and cannot communicate directly, providing high security;4: interfaces can be shared betweencontexts, simplifying networking.

3)Divided into defaultcontext and non-defaultcontext

Building a Secure Network Architecture - No.2 - Virtualization Technology

4)Contexts can allocatevlan,CPU, memory, etc., but one point to note is that it must be resident in a security engine to have an actual operating environment to run services; one security engine can only belong to one security engine group; multiple security engines can be added under one security engine group, and the system will automatically elect one as the main security engine, with others as backup security engines.

5)After creating acontext, executecontext start to completecontext initialization.Switch to context command switches to thecontext command interface.

Leave a Comment