MPLS-TE FRR Link Protection

These weeks I have been working with Metro Ethernet technologies like E-Line VPWS and E-LAN VPLS to make Layer 2 VPN point to point or multipoint to multipoint. A multipoint to multipoint service can be made with VPLS tecnology that it allows us to simulate a big virtual private switch between our sites which is useful if we want to have layer two connectivity between datacenters. For instance, we could move virtual machines between datacenters easily if we have an hypervisor in each data-center, although they are in different cities.

However, I want to talk about Traffic Engineering over MPLS this time. At the beginning, MPLS was used by service providers because it was too fast to switch labels instead of routing IPs but with the last technological advances in hardware acceleration for routing in the data plane like CEF (Cisco Express Forwarding) their time or delays are the same. Nevertheless, MPLS can be an interesting technology for Traffic Engineering if we combine it with RSVP and a dynamic routing protocol with traffic engineering extensions like OSPF and IS-IS.

What can we do with traffic engineering? Mainly, we will be able to have more resiliency and resource reservation. For instance, we could reserve bandwidth in some links, force a specific path, avoid some routers or hops, or choose a path with a specific delay and jitter to comply with SLAs and QoS. In addition, we can configure MPLS-TE in our network to use links more efficiently because it allows us to use several links at the same time.

Next, we are going to see how we can configure the Fast ReRouting (FRR) Link Protection which allows us to have alternative paths or backup paths that it will be used in less than 50 ms if there is problems with the main path. Note that this technique is faster than waiting the convergence of a dynamic routing protocol. The topology of the lab is the next:

Network Topology

While we can see the configuration in the next video:

With this kind of technique we will have a more reliable network to meet with the requirements and SLA of our customers.

Regards my friend and remember, drop me a line with the first thing you are thinking.

E-Line VPWS and E-LAN VPLS

Last week I wrote about Metro Ethernet Services like E-Line, E-LAN, E-Tree and E-Access. These are the services that Metro Ethernet Forum (MEF) has defined as CE 2.0 to standardize the services that Carrier Ethernet Providers offer to their customers. This is the way to understand easily the broad service portfolio of service providers to know as customers what we can buy and what we can expect from them.

This time I have been making labs to know how we can configure this kind of services. For that, I have installed GNS3 with Cisco 7200 and CSR1000v routers in a Ubuntu virtual machine. Next, we can see two videos where I have configured an E-Line service and an E-LAN service.

E-Line - MPLS L2VPN InterAS VPWS - EoMPLS Port Mode

In the first lab we are going to configure a Virtual Private Wire Service (VPWS) between two Autonomous Systems (ASN 11111 and ASN 22222). For this configuration all routers are c7200.

Network Topology

Next we can see the video for this service:

E-LAN – Basic VPLS

In the second lab we are going to configure a Virtual Private LAN Service (VPLS) where I have used a CSR1000v router to make the VPLS configuration because this service isn't supported by c7200 router. However, all other routers can be c7200 routers. Once the VPLS configuration is done we can enable EIGRP in CE routers to test that CE routers are in the same LAN and they can be neighbors.

Network Topology

Next we can see the video for this service:

Although these two services may seem the same, it is not the same because the first one is like a point to point link while the second lab is like a switch with multipoint to multipoint links.

Regards my friend and remember, drop me a line with the first thing you are thinking.

Metro Ethernet: Network as a Service

All network administrators would like to have a dashboard to measure and monitor in real-time the SLA of our links even when these links interconnect buildings which are many kilometers far from each other. In addition, we would like to configure our MAN (Metropolitan Area Network) easily from an online web page where we could connect several buildings, which are in different cities, on demand with just a few clicks. This is the goal of Metro Ethernet Forum (MEF) since 2001 where telecommunications service providers, network equipment/software manufacturers and semiconductors vendors are working to define common standards for implementation of carrier ethernet services for facilitating the deployment of ethernet services worldwide.

Under the objectives of the MEF, network engineers have to work with network protocols like MPLS, RSVP-TE and OSPF-TE for traffic engineering, BGP signaling, etc to deliver carrier ethernet services which nowadays are in most cases EoMPLS, although we can combine this with NFV (Network Function Virtualization) and SDN (Software Defined Networking), for delivering the main four services that MEF has defined:

E-Line Services

It is a Ethernet Private Line (EPL) or Ethernet Virtual Private Line (EVPL) to connect two sites with a point to point EVC (Ethernet Virtual Connection) from one UNI to another UNI (User Network Interface). It is like a Frame Relay leased line but “cheaper” and more efficient for the service provider. We can build this kind of services with VPWS (Virtual Private Wire Service).

 

E-LAN Services

It is a Ethernet Private LAN (EV-LAN) or Ethernet Virtual Private LAN (EVP-LAN) to connect multiple sites each other with a multipoint to multipoint EVC from one UNI to another UNI. It is a service which works as a switch between each site. We can build this kind of services with VPLS (Virtual Private LAN Service) or TLS (Transparent LAN Service).

 

E-Tree Services

It is a Ethernet Private Tree (EP-Tree) or Ethernet Virtual Private Tree (EVP-Tree) to connect one major site to multiple sites with a rooted multipoint EVC from one UNI to another UNI. It is a service with a hub and spoke architecture which is useful for broadcasting and multicasting services.

 

E-Access Services

It is an Access Ethernet Private Line (Access EPL) or Access Ethernet Virtual Private Line (Access EVPL) to connect one service provider to another with a point to point OVC (Operator Virtual Connection) from one UNI to an ENNI (External Network to Network Interface). It is a service to connect customers through different service providers.

 

This is an overview of the services standardized by MEF but most of us are wondering about what is about eavesdropping in the carrier ethernet service provider? what is about MAC tables in this kind of layer 2 networks? what is about Spanning Tree? And all of them are issues that we discuss in another post.

Regards my friend and remember, the network are growing even more!!

First World War

From time to time I like to learn, read and work with things outside of IT world and this is the reason why I have worked as a volunteer in Russia last summer or Turkey two summers ago and it is also the reason why I get books sometimes to read something about physicology, bussiness or history.

I have already written about some books like Stuxnet in this blog because this book is about security but I have read others books in the last years as well like Creativity, La Corporación or Crush it! However, I would like to write this time about the last book I have read because, although it is not about network or security, I think it deserves to mention. Actually, it is the century trilogy by Ken Follett that I have just finished the first one of the trilogy last week called “Fall of Giants”.

I think this historical novel is interesting if you want to know why the world, countries and people are as we know today. It is an easy to read and entertaining novel that we can learn about the first world war and the relationship between countries. With this novel we are going to understand the necessity of embassies, inteligent services, army and all of things needed to protect our country and people.

One hundred years ago there was basically two alliances, one was made by Germany and Austria-Hungary and another was made by United Kingdom, France and Russia with the support of EEUU as well. If we read about the first world war we are going to find that the trigger which fired the war was the murder in Sarajavo of Franz Ferdinand who was archduke of Austria in 1914. It is amazing how a murder can decide the begining of a war like the world war one where nearly 10 millions soldiers died. After the murder, Austria attacked to Serbia with the support of Germany and accordingly United Kingdom with the support of France and Russia helped to the Serbian Kingdom with a war against the German Empire. However, this was only at the begining because more countries fought in this war like the EEUU, Italy, Belgium, Turkey, etc, etc for the four years that lasted the war.

At the end, in 1918, Germany asked the armistice to sign the peace after four years of war where a lot of people died, not only in the battlefield but in the streets as well because there wasn't enough food for citizens due to the fact that there wasn't jobs and the economy of most countries was down. As a result of the armistice, in 1919 and after six months of talks between countries, more than 50 countries signed the Treaty of Versailles and it was founded the League of Nations as well.

Reading the book we can realised the importance of spies for countries to get proper information about the status of enemy countries, the importance of women to work in factories because most men were fighting in the battlefield, the importance of international relationships to influence in decisions made to stop the war, the importance of communications to transmit reliable and secure information and of course the importance of the army to avoid the enemy invasion and protect their countries.

This has been an enriching book where I have learnt how it was the first world war, I'll get the next book about the second world war called “Winter of the World” and I just hope that in the third world war we don't finish with the human race because it will be the only one who finishes with themselves

Regards my friend and remember, drop a line with the first thing you're thinking.

PCI-DSS vs ISO 27001

Lately I have been working with the PCI-DSS Compliance implementing this standard in a organization which works with cardholder data. Obviously, many controls, procedures and proceses of PCI-DSS are the same than in ISO 27001, which I know as well because I have worked in the implementation and maintenance of this ISO standard in the Ariadnex company where I actually work. For this reason, I would like to speak and write about these two standard in this post.

First, when comparing the scope of the two standards, scope selection in ISO 27001 depends on the company. For example, the scope could be a specific office or a service of the company. As a result, the company can choose the scope they want. However, the scope is exactly the credit cardholder information in PCI-DSS. As a result, the company can't choose the scope, it is defined by the PCI-DSS standard. In addtion, the controls in ISO 27001 are recommendations while the controls in PCI-DSS are mandatory. Therefore, ISO 27001 is more flexible then PCI-DSS.

On the other hand, recertification auditing of ISO 27001 is performed every three years, and small-scope auditing is also performed every year, which only include some controls that they are chosen randomly by the auditor. Otherwise, there are vulnerability scanning at least quarterly, an onsite audit annually and a penetration test annually for level 1 in PCI-DSS.

Speaking about vulnerability scanning, it's a requirement that external vulnerability scanning are done by an ASV (Approved Scanning Vendor), while internal vulnerability scanning and penetration tests can be done by internal resources of the company which are not ASV. In addition, it's also a requirement that critical security patches are installed within one month of release and other security patches within an appropriate time fram (for example, within three months).

Another thing to mention is the external company which is going to audit your company. PCI-DSS audit should be done by a QSA (Qualified Security Assessor) that there are today only 9 companies in Spain which can audit the PCI-DSS standard. If you want to become a QSA, you have to be willing to spend 3300$ for taking a course and an exam in London and another 1500$ annually to renovate your qualification. However, if you want to get the ISO 27001 certification, you should contact with SGS, Aenor, Bureau Veritas, etc … but I don't know actually what are the requirements to be an ISO 27001 certification company.

If we apply for some of these standard and we pass the audit, we will get a certificate where we can read the scope and services which are in compliance. For instance, we can see the AoC of Microsoft, AoC of Akamai and AoC of Visa, while we can see the ISO 27001 certificate of Amazon and ISO 27001 certificate of Akamai.

Next, we can see a hich level mapping of PCI-DSS requirements to ISO 27001:

To sum up, PCI-DSS is a standard to cover information security of credit cardholders' information, whereas ISO 27001 is a specification for an information security management system.

Regards my friend and remember, drop a line with the first thing you're thinking.