Nov 15 2011

Ethernet Protection Switching

Ethernet Protection Switching (EPS), a.k.a. G.8031, is an OAM-monitored Ethernet redundancy and protection method. It is similar to Resilient Links and Link Aggregation in that it also uses backup ports for redundancy. There are, however, some differences, pros and cons.

Pros

  • It can be a lot faster than LAGs or Resilient Links.
  • It provides more redundancy in a live setup (see below).
  • It allows more complex setups, not just back-to-back.
  • It generates more logs and provides more control (OAM monitored).
  • It can be operated manually to switch to backup and revert to primary.
  • It can be set to react faster or slower in cases of network connectivity flapping and jitter.
  • It generates events and sends them toward the protected user network.
  • Being based on OAM CFM, it allows Linktrace and Loopback tests.

Cons

  • A little more complex to set up from scratch (compared to Link Aggregation or Resilient Links).
  • Requires understanding of Transparent LAN services.
  • Redundancy depends on the CCM hello interval (faster CCMs, more redundancy).
  • Generates additional management traffic if faster CCMs are used (~600 pps).
  • Reaction timers are not dynamic.
  • In case of irregular connectivity flapping, the system does not learn a better route.
  • Does not have a third or fourth link to switch over to, as Link Aggregation does, in case both the primary and backup links are cold-dead.

How to set up G.8031?

You need 2 switches, set with a pair of ports back to back. The backup pair should be disabled (port shutdown) until the setup is complete, so you don’t create a loop with management traffic.

(Diagram: G.8031 EPS over TLS)

  1. Create a TLS service on both units with a primary Service Distribution Point (SDP) with Service VLAN 200 and a backup SDP with Service VLAN 250.
  2. Add Service Access Points (SAPs) with Customer VLAN 300 on the ports connecting the user networks A and B.
  3. Enable the OAM CFM protocol and create a Maintenance Domain on a level of your choice (0-2 is good in this case).
  4. Create a Maintenance Association to monitor the TLS. Set the hello interval to the fastest supported by both units.
  5. Create UP MEPs (IN MEPs) on the SAP ports and make sure connectivity is established. Make sure the SDP ports are MIPs for the OAM-monitored service.
  6. Set the Ethernet Protection Switching to use the local MEPs on the local unit and the remote MEPs on the remote unit.
  7. Set the EPS timers to your liking. I suggest a Wait-to-restore timer of 5 minutes, so you are protected from primary line flapping; a Hold-off timer of 0, so the switchover to backup happens immediately on connection failure; and a Guard timer of 50 ms, so small timeouts do not create switchover events.
  8. Enable the EPS service.
  9. Rewire the backup link and check that protection is established.
  10. Break the active primary link and make sure the traffic is switched over to the backup link.
  11. Rewire the primary link and make sure the traffic reverts to primary after the wait-to-restore timer expires.

That’s basically all you need for basic G.8031 EPS protection of 2 networks connected through 2 units. There are more complex setups that make this protocol far better than Link Aggregation and Resilient Links. There may be any number of units in between and EPS will still be possible:

(Diagram: Another EPS setup)

If you try this setup with Link Aggregation or Resilient Links, it will simply break. Imagine the link between the middle unit and the second unit breaks. Both LAG and RL will simply keep sending traffic from the first unit over the primary link, because that unit does not know the line is already broken, while the second unit will start sending traffic over the backup link, because it sees that its primary port is down. In this case, Network A will have traffic loss toward Network B, while Network B will still “see” Network A normally.

With an EPS service this setup works, because OAM CFM sends Continuity Check Messages (a.k.a. CCMs) between the units and does not rely on port-up and port-down events to determine whether the line between the end points (MEPs) is broken. If a CCM is late by more than 3.5 x the hello interval, the line between the units is considered down (like sending pings and reacting on timeout). When this happens, and after the hold-off timer expires, the EPS switches to backup until the units start receiving each other’s CCMs again. After that happens and the wait-to-restore timer expires, the EPS restores the traffic over the primary link and blocks the backup link for everything except management traffic.
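The detection and timer behaviour described above and in the setup steps, as an added example (not code from the original post or from any switch vendor): a small Python model of one EPS endpoint that declares the primary line down when a CCM is more than 3.5 x hello-interval late, goes to backup after the hold-off, ignores further switch events inside the guard window, and reverts only after the wait-to-restore timer has run without interruption. The CCM arrival times are constructed; real G.8031 also exchanges APS messages with the far end, which this model leaves out.

```python
from dataclasses import dataclass, field
from typing import Optional

CCM_LOSS_MULTIPLIER = 3.5   # a CCM later than 3.5 x hello-interval means the line is down

@dataclass
class EpsEndpoint:
    """Toy model of one G.8031 EPS endpoint watching CCMs on the primary path."""
    hello_ms: float                # CCM hello interval agreed by both MEPs
    holdoff_ms: float = 0.0        # 0: switch to backup as soon as loss is detected
    guard_ms: float = 50.0         # suppress further switch events for 50 ms after a switch
    wtr_ms: float = 300_000.0      # wait-to-restore (5 min) before reverting to primary
    active: str = "primary"
    last_ccm_ms: float = 0.0
    failed_at: Optional[float] = None
    ok_since: Optional[float] = None
    guard_until: float = -1.0
    events: list = field(default_factory=list)   # (time_ms, link switched to)

    def tick(self, now: float) -> None:
        # Line state comes from CCM timing only, never from port up/down events.
        primary_up = now - self.last_ccm_ms <= CCM_LOSS_MULTIPLIER * self.hello_ms
        if not primary_up:
            self.ok_since = None                   # any loss restarts wait-to-restore
            self.failed_at = now if self.failed_at is None else self.failed_at
            if (self.active == "primary" and now >= self.guard_until
                    and now - self.failed_at >= self.holdoff_ms):
                self._switch("backup", now)
        else:
            self.failed_at = None
            self.ok_since = now if self.ok_since is None else self.ok_since
            if (self.active == "backup" and now >= self.guard_until
                    and now - self.ok_since >= self.wtr_ms):
                self._switch("primary", now)

    def _switch(self, target: str, now: float) -> None:
        self.active = target
        self.guard_until = now + self.guard_ms
        self.events.append((now, target))

def simulate(hello_ms: float, ccm_arrivals: list, end_ms: int, **timers) -> list:
    # Replay constructed CCM arrival times (ms) in 1 ms steps; return the switch events.
    eps = EpsEndpoint(hello_ms=hello_ms, **timers)
    pending = sorted(ccm_arrivals)
    for now in range(end_ms):
        while pending and pending[0] <= now:
            eps.last_ccm_ms = pending.pop(0)     # a CCM from the far-end MEP arrived
        eps.tick(now)
    return eps.events
```

With a 10 ms hello interval, CCMs stopping at 100 ms and resuming at 400 ms, the model switches to backup at 136 ms (3.5 x 10 ms after the last CCM) and, with a 200 ms wait-to-restore, reverts at 600 ms; a single stray CCM at 400 ms followed by silence restarts the wait-to-restore, which is exactly the flapping protection the post recommends the 5-minute timer for.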

Troubleshooting G.8031 EPS

If protection is not established, make sure the following is right:

  • The backup link, even though not normally used for traffic, should be enabled and wired: EPS control traffic goes through it.
  • OAM CFM connectivity should be established on either the primary or the backup route, and the hello interval should be equal on both ends.
  • Both units are set to use the local MEPs as local and the remote MEPs as remote.
  • The TLS service name and index ID are set identically on both units.
  • SAP ports should have customer equipment connected, or their status signalling should not affect the TLS service (lab tests are often done without user networks connected to SAP ports).
  • If there is latency, jitter or connectivity flapping, the timers are adequate to cover it, so no excessive switchover events are created.
  • If there are unit(s) in the middle, make sure their ports are members of the same TLS service and the S-VLANs are the same as the ones used for your primary and backup links.
  • If the service is set right, make sure the SDP ports in the middle unit(s) are MIPs in the same OAM CFM domain and Maintenance Association, and that the unit does not filter CCMs from the 2 other units.
Posted at 11:32 am
Oct 25 2011

CFM connectivity cheatsheet

As I mentioned in the previous chapter, it takes a few steps to ensure CFM connectivity is established. It is a quite easy, ordinary and straightforward process. It goes like this:

  • First. MEPs should see each other physically, e.g. the links between (1) and (6) (see diagram below) should all be up.
  • Second. They should be in the same domain and MA. All ports (1)-(6) in the diagram below should be MEPs or MIPs in the same Maintenance Association. If ONE of them is not, CFM connectivity will fail.
  • Third. MEPs should face each other. UP MEP (1) will see UP MEP (6), but if (6) were a DOWN MEP, connectivity would fail (e.g. (6) would send CCM packets OUTSIDE the margins of this network, and (1) would never hear them).
  • Fourth. The hello interval should be the same. This is valid for (1) and (6). The MIP ports will simply pass the CCM messages to the next MIP or MEP, but if the end points are not sending the messages at the same interval, the connectivity will fail. It is not just the frequency: the CCM packet carries a flag that says which “hello-interval” the sending MEP was set to work on. MEPs set to a hello interval of 1 second will not connect to MEPs set to generate CCMs every 10 ms.

(Diagram: CFM connectivity)

  • Fifth. There must be MIPs in between them so the CCMs are forwarded. If any of the ports (2)-(5) is not a valid MIP port (e.g. at some intermediate point you forgot to enable the MIP creation policy, or the port is simply not in the same L2 VLAN or L3 service), connectivity will fail.
  • Sixth. All of the MEPs should generate CCMs. If only (1) is generating CCMs, there will be partial connectivity: (6) will see (1), but (1) will not see (6).
  • Seventh. No higher-level MEPs should be standing in the way. If MEPs (1) and (6) are in a level 4 CFM domain and somewhere in (2)-(5) there is a MEP of domain level 5, 6 or 7, the higher-level MEP will filter the CCMs of domain level 4. It is by design: no higher-level CFM (e.g. user level) should hear management traffic from the core network. This is designed for security and optimization reasons.
  • Eighth. There should not be MEPs in the same domain in the way, facing the opposite direction. If on port (3) or (5) there is a Down MEP in the same MA, connectivity between (1) and (6) will not happen, because that MEP will filter the CCMs coming from the direction it is facing (MEP means End Point). Instead, connectivity between (1) and (3) or (5) will happen.
  • Ninth. MEP IDs should be unique in the MA (not necessary across different MDs/MAs). If the MEP ID in (1) equals the MEP ID in (6), connectivity will not happen. MEP IDs should be unique in the MA, in the range 1-8192.
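The nine conditions turned into a checker, added here as an example (not part of the original post): each port on the path between (1) and (6) is described by a constructed Port record, and check_cfm_path returns the reasons CFM connectivity would fail, an empty list meaning CCMs flow both ways. The rule that a lower-level MEP passes higher-level CCMs is standard 802.1ag behaviour the list above does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Port:
    name: str
    role: Optional[str] = None       # "MEP", "MIP" or None (no CFM function configured)
    level: int = 4                   # MD level 0-7
    ma: str = "MA1"                  # Maintenance Association name
    direction: str = "up"            # "up" or "down"; meaningful for MEPs only
    hello_ms: int = 1000             # CCM hello interval
    mep_id: int = 0                  # must be unique within the MA, range 1-8192
    sends_ccm: bool = True
    link_up: bool = True

def check_cfm_path(path: List[Port]) -> List[str]:
    """Apply the nine conditions to a port path; an empty list means CCMs flow both ways."""
    a, b = path[0], path[-1]
    faults = []
    if not all(p.link_up for p in path):                                        # First
        faults.append("link down on " + ", ".join(p.name for p in path if not p.link_up))
    for p in (a, b):                                                            # Second
        if p.role != "MEP" or (p.level, p.ma) != (a.level, a.ma):
            faults.append(f"{p.name} is not a MEP in level {a.level}/{a.ma}")
    if a.direction != b.direction:                                              # Third
        faults.append("end MEPs do not face each other")
    if a.hello_ms != b.hello_ms:                                                # Fourth
        faults.append(f"hello interval mismatch: {a.hello_ms} vs {b.hello_ms} ms")
    for p in path[1:-1]:
        if p.role == "MIP" and (p.level, p.ma) == (a.level, a.ma):
            continue                                      # Fifth: a valid transit MIP
        if p.role == "MEP" and p.level < a.level:
            continue                          # lower-level MEP passes higher-level CCMs
        if p.role == "MEP" and p.level > a.level:                               # Seventh
            faults.append(f"{p.name}: level-{p.level} MEP filters level-{a.level} CCMs")
        elif p.role == "MEP" and (p.level, p.ma) == (a.level, a.ma):            # Eighth
            faults.append(f"{p.name}: opposite-facing MEP in the same MA terminates the path")
        else:                                                                   # Fifth
            faults.append(f"{p.name} is not a MIP in level {a.level}/{a.ma}")
    if not (a.sends_ccm and b.sends_ccm):                                       # Sixth
        faults.append("not every end MEP generates CCMs: partial or no connectivity")
    if a.mep_id == b.mep_id or not all(1 <= p.mep_id <= 8192 for p in (a, b)):  # Ninth
        faults.append("MEP IDs must be unique within the MA and in 1-8192")
    return faults

def sample_path() -> List[Port]:
    # Constructed path matching the diagram: UP MEP (1), MIPs (2)-(5), UP MEP (6).
    mips = [Port(str(i), role="MIP") for i in range(2, 6)]
    return [Port("1", role="MEP", mep_id=1)] + mips + [Port("6", role="MEP", mep_id=6)]
```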

That’s basically all you need to be aware of when creating an OAM-monitored VLAN or service. MEP connectivity is very important for building larger-scale OAM-monitored networks such as rings, meshes or ladder networks with mixed Layer 2 and Layer 3 parts, as in this example:

(Diagram: R-APS and MPLS)

Posted at 5:07 pm

The need of secured e-mail.

Jul 13 2011

What do you do when you register on networks such as Facebook or Twitter?

You enter an e-mail.

Where do you have your “recover password” set for most of the accounts you use?

You enter an e-mail.

Where do you receive your payments and fiscal reports?

On your e-mail.

Alarmed?

You should at least be aware.

Having your e-mail compromised can lead to tons of problems.

Most social networks provide too much information about you: your GF/BF/pet name, your interests, your kids’ names, your favourite books, how often you contact a person (your best friend) and more.

It’s not that hard to guess your password from your interests and family. Believe me. It’s valid even for me. And from that point on, the bad person who wants your account information can trigger the “forgotten password” mechanism at all your sites of interest and change all your passwords to something else. Steal all your money. Know all your secrets. Download all your private data and use it as s/he sees fit. Just by guessing your e-mail password.

Lately one of my friends allowed his password to be guessed by a hotel piccolo. He got all his credits in the Texas Hold’em Poker game lost. 80 million. Don’t know how long it takes to collect that much… His password was his GF name.

The point is… Simply protect your weakest point the best way you can.

If you have ONE e-mail for all purposes, the password should be something really hard and strong. Something even your best friend can’t guess. And even if s/he can, not entirely, letter by letter.

Suppose you are a Clifford D. Simak fan to the grave and adore “City” the way I did in my youth. Suppose you set your password to “jenkins”? It’s actually too short. And you probably use “jenkins” as your nickname in most of the games you play too. Not too short would be jenkinstherobot, but it will also be quite guessable. If not by an actual no-good-doer, then easily by anyone who knows you, what you read, what you prefer and what inspires you.

If you are dedicated to your girlfriend, your kids or your best friend, it’s still easy. They will first try first names, then senior names, then family names, then all 9 combinations of them with and without spaces, then with and without capital letters. And believe me, that’s merely 81 combinations.

Today’s normal dictionary attack does this in a fraction of a second. Your password is weak if it is pure text. And this is valid for ALL your accounts, not just your master e-mail.

Period.

A good password would be anything that consists of capital and normal letters and a digit or digits. Examples:

  • I_l()ve_Jan3
  • J3nk!nsTh3R0b0t
  • Az!m0vRulzz
  • M0rdr3dAndM0rgana
  • MyL!feF0rAiur
  • \/f0rVend3tta

etc.

In all cases, don’t use weak passwords for an account that can compromise other accounts. It’s imperative. A friend of mine wrote another blog post in Bulgarian regarding the needed e-mail security. You may want to check his blog post if you are Bulgarian. The diagram in the post heading is quite true and easy to remember. I’ve taken some ideas from his post and from the talks with him too. One of the ideas for a good password is to make a word that has nothing to do with ANY dictionary on the planet but is still very easy to remember. Imagine the sentence “I very much enjoy drinking beer while chewing sausage with my friends in the pub at eight”. Now concatenate all the words to 1 letter each. The password becomes:

  • Ivmedbwcswmfitpa8

Guess that password with or without dictionary attack or with brute force and I will buy you a beer… and a sausage 😉
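An added example (not from the original post or the friend’s blog) of the two rules in this post as a check a signup form or password manager could run: initials_password builds the sentence-derived password, profile_guesses enumerates the name combinations the post describes (single names, ordered pairs, with or without a space, with or without capitals) so a candidate matching them is refused, and meets_policy applies the capital-plus-lowercase-plus-digit rule; the minimum length of 8 is an assumption.

```python
import itertools
import re

# Number words become digits, as in the post's "at eight" -> "a8" (constructed mapping).
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def initials_password(sentence: str) -> str:
    """Concatenate the first letter of every word; number words contribute their digit."""
    parts = []
    for word in re.findall(r"[A-Za-z']+", sentence):
        parts.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(parts)

def profile_guesses(names) -> set:
    """The variants the post describes: each name plain, Capitalized or UPPER, alone or
    as an ordered pair with or without a space. Used only to reject a candidate."""
    cased = set()
    for n in {x.lower() for x in names}:
        cased.update({n, n.capitalize(), n.upper()})
    guesses = set(cased)
    for x, y in itertools.product(cased, repeat=2):
        guesses.update({x + y, x + " " + y})
    return guesses

def guessable_from_profile(password: str, names) -> bool:
    return password in profile_guesses(names)

def meets_policy(password: str, min_len: int = 8) -> bool:
    """Post's rule: capital and normal letters plus a digit; min_len 8 is an assumption."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))

def vet_password(password: str, profile_names) -> list:
    """Reasons a candidate master e-mail password should be refused (empty list = accept)."""
    reasons = []
    if guessable_from_profile(password, profile_names):
        reasons.append("derived from names visible on your profile")
    if not meets_policy(password):
        reasons.append("needs a capital, a lowercase letter, a digit and enough length")
    return reasons
```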

Posted at 11:44 pm