Traditional networking works… Anyone who has been in the industry for a while will attest to this. So, before discussing what Fabric Connect is and how it works, it is a perfectly valid question to ask first, “what’s the problem really?”. Let’s dive into the world where cutting corners is far from being considered a bad thing!
Traditional ‘hop-by-hop’ provisioning works; however, there is one simple flaw. Provisioning in a traditional network becomes exponentially more complex with every additional switch and service. There’s just no way around it.
Every time something changes, every switch in the possible path of the traffic must be provisioned – this is true if additional switches are added or additional services need to be deployed. So, as the matrix of switches and services increases, so does the complexity of every individual switch’s configuration. That’s the number of services multiplied by the number of switches…
To make matters worse, provisioning mistakes in traditional networks are rather easy to make. Best case scenario, it causes some parts or the entirety of the network to fail. In the worst turn of events, only a hacker notices it and uses the misconfiguration to exploit the network.
Solving this requires a better way of thinking about networking. In particular, the separation of routing (how data gets from one point to another) and services (the logical networks being routed that fulfil specific business needs). For example, routing is how data can get from one office to one hundred other offices around the world. Services are things like the security camera network providing access to a central server to all the cameras.
When you add a new office location, you should only need to update the routing. When you add a new service or modify an existing one, you should only need to define the service at the edge. This separation is the essence of Fabric Connect’s advantage over traditional hop-by-hop provisioning.
Extreme’s Fabric Connect is based on the SPBm industry-standard protocol. SPB is “Shortest Path Bridging” and is based on the IEEE 802.1Q standard. The standard describes two distinct roles for switches (or ‘bridges’, as the IEEE standard likes to call them) – the Backbone Core Bridge (BCB), which performs the routing functions, and the Backbone Edge Bridge (BEB), which performs the routing and the service functions.
Let’s dive in a little deeper and see how that works...
Backbone Core Bridge
The BCB is only concerned with routing. Its job (along with the other BCBs in the fabric) is to make sure that the traffic between the services is routed in the most efficient way possible. The name “shortest-path” is there for a reason, after all.
Unlike traditional networks, Fabric Connect does not try to determine paths through the network by some clever guesswork (for example, protocols such as Spanning Tree). The auto-determination style of traditional networking is the reason why expressions like ‘network loop’ strike fear into the hearts of networking engineers.
Instead, Fabric Connect uses IS-IS, which stands for “Intermediate System to Intermediate System” – basically this is a mechanism for a group of physically connected SPBm network nodes (i.e., the BCBs) to communicate with each other in order to determine the best route for data through the network. Not only is this automatic, but it’s also self-healing. If a BCB runs into issues, the other BCBs will simply route around it to keep the network running. More links between BCBs are a good thing… not “a loop waiting to happen”, as in traditional networking.
In simple terms, each BCB is told about the links it has directly to other BCBs. These links are called “Network to Network Interfaces” or NNIs. It’s important to note that each BCB is only configured with the NNIs directly attached. This prevents the configuration complexity growing every time a new BCB is added. Each additional BCB only affects the configuration of its direct peers. The new BCB will ‘learn’ about all the other core switches through IS-IS.
With every additional BCB and every additional NNI, the Fabric Connect network grows and, more importantly, becomes more resilient. While fabric networks can support the same topologies as traditional networking, the topology generally becomes much less of an issue anyway.
When service traffic is presented to the core network, Fabric Connect calculates the most efficient path through the network. You can add additional paths or remove paths (deliberately or due to failure) and the core network will automatically work its way around it.
So, in summary, the BCB provisioning is only concerned with routing. There is no requirement for the BCB switches (or the networking engineers managing them) to know anything about services. The addition and removal of services to the Fabric Connect network is completely hidden from the BCBs, making the network both simple and easy to manage.
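To make the two claims of this section concrete (each BCB is configured with nothing but its own NNIs, yet every BCB ends up with the same shortest-path view and simply routes around a failed node), here is a small model written for this article. It is an illustration, not Extreme or SPB source code: the five-node topology, the link metrics and the function names are constructed, and the link-state flooding is reduced to “everyone sees everyone’s NNI list”.

```python
"""Constructed model of how SPBm BCBs learn a topology from only their
directly configured NNIs and compute shortest paths (IS-IS style).
Written for this article as an illustration; not Extreme or SPB source."""
import heapq

# Per-BCB configuration: ONLY directly attached NNIs, with link metrics.
# Constructed sample topology (a partial mesh of five core bridges).
NNI_CONFIG = {
    "BCB-1": {"BCB-2": 10, "BCB-3": 10},
    "BCB-2": {"BCB-1": 10, "BCB-4": 10},
    "BCB-3": {"BCB-1": 10, "BCB-4": 10, "BCB-5": 10},
    "BCB-4": {"BCB-2": 10, "BCB-3": 10, "BCB-5": 10},
    "BCB-5": {"BCB-3": 10, "BCB-4": 10},
}

def flood_lsdb(config, failed=frozenset()):
    """Each BCB advertises only its own NNIs; flooding gives every BCB the
    same link-state database. Links to failed BCBs are withdrawn."""
    lsdb = {}
    for node, nnis in config.items():
        if node in failed:
            continue
        lsdb[node] = {p: c for p, c in nnis.items() if p not in failed}
    return lsdb

def shortest_path(lsdb, src, dst):
    """Dijkstra over the shared LSDB: the 'shortest path' of SPB.
    Returns the hop list, or None when dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in lsdb.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def add_bcb(config, name, peers):
    """Adding a BCB edits only its own entry and its direct peers'."""
    config[name] = dict(peers)
    for peer, cost in peers.items():
        config[peer][name] = cost
    return 1 + len(peers)  # number of switch configurations touched
```

Failing BCB-3 in this topology moves BCB-1 to BCB-5 traffic onto the longer BCB-2/BCB-4 path without any configuration change, and adding a sixth BCB behind BCB-5 touches exactly two configurations.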
Backbone Edge Bridge
The BEB is concerned with services and routing. The simplest way to visualize a service is to consider a distinct layer 2 network which automatically connects between two or more BEBs. Each service is uniquely identified by an I-SID (Service Identifier) and Extreme’s Fabric Connect supports more than 16 million services per network.
Since our routing is encapsulated by the BCBs, the core network can be considered as a bubble. BEBs are placed around the edges of the bubble and then services are connections between the BEBs. This can be a bit confusing, so let’s try to visualize it. If we want a service (we can use the security camera example mentioned before), we must first decide on its unique identifier. So, in this case, we’ll use an I-SID of 200. In our network we have two cameras, each connected to a different BEB and the camera server. So, we must tell 3 BEB switches that they have the same I-SID on certain ports (this is an over-simplification, but we will get to that later!).
How the three BEBs configured with the service (i.e., I-SID) communicate is of no concern to the edge switches. They are connected to the BCBs via defined NNI links, and they simply mark the traffic with the correct I-SID and pass it to the BCBs. The only configuration is the mapping of supported services (I-SIDs) to ports.
Now, as I mentioned earlier, mapping I-SIDs to ports is an over-simplification. Fabric Connect does support mapping of individual BEB ports to I-SIDs, but it is more common to map VLANs to I-SIDs as this is a flexible way to integrate a traditional network with a fabric network. Since the mapping of I-SID to VLAN is also per-BEB, it is even possible to map different VLANs over the same I-SID as shown in the following diagram:
There are some even better ways to automate I-SID mapping, but we will get to that soon.
A particular advantage of Fabric Connect is that all communication via an I-SID is tunneled through the core network. So, each ‘elastic’ layer 2 network is private, making it much harder for would-be hackers to move laterally across the network (a common form of attack in traditional networking where you attack something simple like an IoT sensor and then jump from there to a more important network).
The same advantages are true for Layer 3 as well. If you were to run tools such as traceroute from a workstation, your network topology would be completely invisible. This is often called ‘hyper-segmentation’ as each of the 16 million services is automatically segmented from the others, and the tunnels only exist for as long as the service is in use. So, Fabric Connect is not only easier to manage, but also far more secure by design.
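The camera example and the hyper-segmentation point above can be modelled in a few lines. This is an added illustration written for this article, not Extreme code: the BEB names, VLAN numbers and the HVAC service are constructed, and the sender passes the destination BEB explicitly instead of the fabric learning it.

```python
"""Constructed model of per-BEB VLAN->I-SID mapping, encapsulation at the
edge, and I-SID isolation at egress. Illustration for this article only."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:            # customer frame arriving on a BEB access port
    src_mac: str
    dst_mac: str
    vlan: int
    payload: str

@dataclass(frozen=True)
class SpbFrame:         # backbone header carrying the customer frame
    dst_beb: str        # simplification: destination BEB given by caller
    isid: int
    inner: Frame

class BEB:
    def __init__(self, name, vlan_to_isid):
        self.name = name
        self.vlan_to_isid = dict(vlan_to_isid)
        self.isid_to_vlan = {i: v for v, i in self.vlan_to_isid.items()}

    def ingress(self, frame, dst_beb):
        """Access port -> NNI: only this BEB's own mapping is consulted."""
        isid = self.vlan_to_isid.get(frame.vlan)
        if isid is None:
            return None  # unmapped VLAN: nothing enters the fabric
        return SpbFrame(dst_beb, isid, frame)

    def egress(self, spb):
        """NNI -> access port: the I-SID must be provisioned here, and the
        local VLAN may differ from the one the sender used."""
        if spb is None or spb.dst_beb != self.name:
            return None
        vlan = self.isid_to_vlan.get(spb.isid)
        if vlan is None:
            return None  # I-SID unknown on this BEB: segmentation holds
        return Frame(spb.inner.src_mac, spb.inner.dst_mac, vlan, spb.inner.payload)

def camera_demo():
    """Constructed: camera on BEB-A VLAN 10 and server on BEB-C VLAN 20
    share I-SID 200; an HVAC sensor on BEB-B uses I-SID 300."""
    beb_a = BEB("BEB-A", {10: 200})
    beb_b = BEB("BEB-B", {10: 200, 30: 300})
    beb_c = BEB("BEB-C", {20: 200})
    cam = Frame("cam1", "server", 10, "video")
    hvac = Frame("hvac1", "server", 30, "telemetry")
    return beb_c.egress(beb_a.ingress(cam, "BEB-C")), beb_c.egress(beb_b.ingress(hvac, "BEB-C"))
```

The camera frame leaves BEB-C on VLAN 20 although it entered BEB-A on VLAN 10, while the HVAC frame on I-SID 300 is dropped at BEB-C because that I-SID is not provisioned there.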
The advantages of the BEB and I-SID abstraction are clear. You can add new services and modify existing services at will, without the need to touch the distribution and core configuration. Adding new services can be done in prime time without need for service windows or lengthy reconfiguration and testing. The network can move at the same speed as the rest of the business, rather than being a rate-determining step.
Don’t hesitate – automate!
Now that we have routing (in the form of our BCBs) and services (provided by the BEBs) there is one remaining piece of the puzzle to consider: the clients. Clients are anything that requires access to the services provided by the fabric network: laptops, APs, sensors, printers, servers, etc.
Generally, for secure networking, a Network Access Control (NAC), such as Extreme Control, is used. When a client attempts to attach to the network, the NAC is responsible for authenticating the client. Traditional networking has supported several types of client authorization (i.e., specifying what an authenticated client can do) through things like Access Control Lists, firewalls, VLANs and so on. Fabric allows the NAC to inform the switch which VLAN/I-SID a client should be allowed to talk to and which network policy should be applied. This fully automates the edge of the fabric network and centralizes the edge configuration. Even better, if a client moves around the network, the fabric can extend the same services to the client from any BEB, since the NAC automates the whole edge provisioning.
If a new location is connected to the fabric, the BEB automatically has access to all services. Provided the NAC authenticates a connecting client (and the client has the correct privileges on the NAC), the fabric elastically provides services without any need for configuration.
If your network does not have an SPBm edge-capable device, Extreme also provides “Fabric Attach” functionality in many Extreme edge switches, Extreme APs and 3rd party devices such as industrial switches and video surveillance cameras (NEXANS, AXIS, Microsens). Fabric Attach allows connecting clients (that are Fabric Attach enabled) to announce themselves to the network, specifying what service is required. These clients can be edge switches, access points, video cameras, etc. The Fabric network can then assist you with the configuration of the devices, provide service IDs for SSIDs, management VLANs and more to greatly simplify and automate the network edge.
Fabric Connect works with traditional networking within the WAN
One of the common ‘fears’ around a technology like Fabric Connect is the need to remove the current network in order to replace it with a new one (the so-called 'forklift upgrade' where everything needs to be replaced). Fabric Connect supports Fabric Extend for the sole purpose of extending the Fabric over an IP WAN or even over the public Internet using IPsec encryption.
Fabric Extend allows fabric networks (i.e., BCBs) to be extended over non-fabric networks. For example, you could roll out a fabric network in all your Stockholm offices and your Tokyo offices and connect the two together over MPLS or any other traditional networking capable of transporting VLANs and VRFs.
Fabric edge
Fabric edge switches from Extreme support fully ‘zero-touch’ deployment with no need for stacking. Fabric switches can automatically detect attached devices using Extreme’s auto-sense functions. Devices such as other SPBm nodes, Fabric Attach enabled devices, IP telephones and more can be automatically handled. 802.1X is also provided as a fallback default to ensure fast and secure deployment and replacement of switches in the network.
I want to know more!
Hopefully, this simple overview of Fabric Connect has encouraged you to want to learn more. Here are some useful links that explore the subject of Fabric networking in far more detail: