Cisco Intercloud Fabric for Provider White Paper
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 4 of 8
Figure 1. Secure Site-to-Site Tunnel Architecture
The TCP/UDP ports listed in Table 1 are used for the secure tunnel data and control traffic.
Table 1. TCP and UDP Ports

Transport Protocol    Ports
TCP                   TCP 6646 (data), TCP 6644 (control)
UDP                   UDP 6644 (data), TCP 6644 (control)
HTTPS                 TCP 443
If there is a firewall protecting access to the internal network, the ports listed in Table 1 must be opened.
● The encryption algorithm used is configurable, and different encryption strengths can be used depending on
the level of security desired. The supported encryption algorithms are AES-128-CBC, AES-256-CBC,
AES-128-GCM, and AES-256-GCM (Suite B; the GCM algorithms are not available with the TCP transport).
● The supported hashing algorithms are SHA-1, SHA-256, and SHA-384.
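The two operational checks that follow from Table 1 and the algorithm list, written out as an added example (this is not Cisco code): validating a proposed tunnel profile against the transport and algorithm constraints stated above, and computing which ports a perimeter firewall still has to open for a given transport. The port numbers and algorithm names come from this page; the (protocol, port) rule representation and the strength-preference warnings are assumptions for the example.

```python
"""Check a tunnel profile against the white paper's constraints and derive the
firewall allowlist from Table 1.

Added example, not Cisco code. Port numbers and algorithm names are taken from
the white paper; the (protocol, port) rule representation is a constructed
simplification of a real firewall policy.
"""
from typing import Iterable, List, Tuple

Rule = Tuple[str, int]  # (IP protocol, destination port)

# Table 1, per tunnel transport. Control traffic is TCP 6644 in both cases.
TUNNEL_PORTS = {
    "TCP": {("tcp", 6646), ("tcp", 6644)},   # data, control
    "UDP": {("udp", 6644), ("tcp", 6644)},   # data, control
}
HTTPS_PORT: Rule = ("tcp", 443)  # needed regardless of tunnel transport

SUPPORTED_CIPHERS = ("AES-128-CBC", "AES-256-CBC", "AES-128-GCM", "AES-256-GCM")
SUPPORTED_HASHES = ("SHA-1", "SHA-256", "SHA-384")


def validate_profile(transport: str, cipher: str, hash_alg: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a proposed tunnel profile.

    Errors are combinations the white paper says are unsupported; warnings
    flag choices that still work but offer less margin (assumption: an
    operator wanting higher strength prefers GCM and SHA-2 over CBC and SHA-1).
    """
    errors: List[str] = []
    warnings: List[str] = []
    if transport not in TUNNEL_PORTS:
        errors.append(f"unknown transport {transport!r}; expected TCP or UDP")
    if cipher not in SUPPORTED_CIPHERS:
        errors.append(f"unsupported cipher {cipher!r}")
    elif cipher.endswith("-GCM") and transport == "TCP":
        errors.append(f"{cipher} (Suite B) is not available with the TCP transport")
    if hash_alg not in SUPPORTED_HASHES:
        errors.append(f"unsupported hash {hash_alg!r}")
    if not errors:
        if cipher.endswith("-CBC"):
            warnings.append("CBC mode selected; GCM (UDP transport only) is the stronger option")
        if hash_alg == "SHA-1":
            warnings.append("SHA-1 selected; SHA-256 or SHA-384 is preferred")
    return errors, warnings


def required_ports(transport: str) -> List[Rule]:
    """Every (protocol, port) the perimeter firewall must allow for this transport."""
    if transport not in TUNNEL_PORTS:
        raise ValueError(f"unknown transport {transport!r}")
    return sorted(TUNNEL_PORTS[transport] | {HTTPS_PORT})


def missing_ports(transport: str, open_rules: Iterable[Rule]) -> List[Rule]:
    """Required ports that the current allowlist does not yet cover."""
    opened = {(proto.lower(), port) for proto, port in open_rules}
    return [rule for rule in required_ports(transport) if rule not in opened]


if __name__ == "__main__":
    # Constructed allowlist: an operator opened HTTPS and the control port only.
    current = [("tcp", 443), ("tcp", 6644)]
    for transport in ("TCP", "UDP"):
        print(transport, "missing:", missing_ports(transport, current))
    print(validate_profile("TCP", "AES-256-GCM", "SHA-256"))
```

Running the script shows that the same allowlist leaves TCP 6646 unopened for the TCP transport and UDP 6644 unopened for the UDP transport, and that a GCM cipher paired with the TCP transport is rejected rather than silently accepted.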
Cisco Intercloud Fabric supports secure and encrypted communications between private and public clouds. Key
and certificate management for the site-to-site tunnel is done by the director running in the private cloud. This
secure site-to-site tunnel also provides Layer 2 extension of an enterprise network into the public cloud.
Cisco Intercloud Fabric Secure Shell
Cisco Intercloud Fabric creates a secure shell around all public cloud VMs that are a part of the solution. This
secure shell is created with multiple levels of security, including preshared Secure Shell (SSH) and tunnel keys,
creating encrypted tunnels for VM-to-VM traffic in a public cloud and the ability to limit access to cloud VMs using
cloud security groups.
The following sections provide details about the security mechanisms of the secure shell.
Trusted Cloud VMs
Cisco Intercloud Fabric makes sure that every cloud VM that is a part of the secure shell is trusted. This trust is
created via preshared SSH keys (Figure 2).
Each time an IT admin creates an intercloud fabric cloud link, an SSH key pair is generated by the Cisco Intercloud
Fabric Director in the private cloud. The SSH public key and the SSH username are passed on to every VM that is
deployed or migrated in the public cloud, so every cloud VM instantiated or migrated by the director is
trusted. Only VMs with this SSH key are accessed by the director and can be used to create a secure tunnel with
an intercloud switch. Because the SSH keys are generated by the director in the enterprise, the enterprise has full
control of these keys.
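A defender-side check for the trust model described above, as an added example (not Cisco's code): audit a cloud VM's authorized_keys file and report any public key that is not the director's cloud-link key, identifying keys by their OpenSSH-style SHA256 fingerprint. The key bytes, the file contents and the key comments are constructed for the example; the OpenSSH public-key blob layout and fingerprint encoding are standard, and the parser assumes plain "type base64 [comment]" lines with no leading options field.

```python
"""Audit a cloud VM's authorized_keys against the director's cloud-link key.

Added example, not part of Cisco Intercloud Fabric. The 32-byte key values
and the sample file below are constructed for illustration only.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Set


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_public_blob(raw_key: bytes) -> bytes:
    """Build the OpenSSH public-key blob for a 32-byte Ed25519 public key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def encode_blob(blob: bytes) -> str:
    """Base64 text of a key blob, as it appears in authorized_keys."""
    return base64.b64encode(blob).decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'type base64 [comment]' line; None for blank or comment lines.

    Assumption: no leading options field (from=, command=, ...) on the line.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    blob = base64.b64decode(parts[1])
    return {
        "type": parts[0],
        "fingerprint": fingerprint(blob),
        "comment": parts[2] if len(parts) == 3 else "",
    }


def audit_authorized_keys(text: str, trusted: Set[str]) -> List[Dict[str, str]]:
    """Return every key entry whose fingerprint is not one of the director's keys."""
    flagged = []
    for line in text.splitlines():
        entry = parse_authorized_key(line)
        if entry is not None and entry["fingerprint"] not in trusted:
            flagged.append(entry)
    return flagged


# Constructed keys: the director's per-cloud-link key and a stale operator key.
DIRECTOR_KEY = bytes(range(32))
LEGACY_KEY = bytes(range(32, 64))
DIRECTOR_FPR = fingerprint(ed25519_public_blob(DIRECTOR_KEY))

# Constructed ~/.ssh/authorized_keys as found on a cloud VM.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    f"ssh-ed25519 {encode_blob(ed25519_public_blob(DIRECTOR_KEY))} icf-director@cloud-link-1\n"
    "\n"
    f"ssh-ed25519 {encode_blob(ed25519_public_blob(LEGACY_KEY))} legacy-admin\n"
)


if __name__ == "__main__":
    print("director key:", DIRECTOR_FPR)
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {DIRECTOR_FPR}):
        print("untrusted key:", entry["type"], entry["fingerprint"], entry["comment"])
```

The director's public key is the trust anchor, so the audit is keyed on its fingerprint rather than on the comment field, which anyone who can write the file can set to whatever they like; on the constructed sample the only entry reported is the stale "legacy-admin" key.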