Cisco Intercloud Fabric for Provider White Paper

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 4 of 8 
Figure 1.    Secure Site-to-Site Tunnel Architecture 
 
The TCP/UDP ports listed in Table 1 are used for the secure tunnel data and control traffic. 
Table 1. TCP and UDP Ports

Transport Protocol   Ports
TCP                  TCP 6646 (data), TCP 6644 (control)
UDP                  UDP 6644 (data), TCP 6644 (control)
HTTPS                TCP 443
If there is a firewall protecting access to the internal network, the ports listed in Table 1 must be opened. 
● The encryption algorithm is configurable, so the encryption strength can be chosen to match the level of security desired. The supported encryption algorithms are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM; the GCM (Suite B) ciphers are not available with the TCP transport. The supported hashing algorithms are SHA-1, SHA-256, and SHA-384.
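As an added example (not Cisco code), the following Python pre-deployment check encodes the port table and the cipher/transport constraint above, flags the weaker choices (SHA-1, AES-128, CBC where GCM is available) and returns the ports to open for the chosen transport. What counts as "weak" is the author's policy, and the assumption that only the selected transport's ports must be opened (rather than every row of Table 1) should be confirmed against the deployment.

```python
"""Pre-deployment validation for a Cisco Intercloud Fabric site-to-site tunnel.

Added example; not Cisco Intercloud Fabric code. Port and algorithm sets are
taken from the white paper. The 'weak' warnings and the assumption that only
the chosen transport's ports need opening are the author's, not the paper's.
"""
from dataclasses import dataclass

# Table 1: transport -> (protocol, port, role). TCP 6644 carries control in both cases.
TUNNEL_PORTS = {
    "tcp": [("tcp", 6646, "data"), ("tcp", 6644, "control"), ("tcp", 443, "https")],
    "udp": [("udp", 6644, "data"), ("tcp", 6644, "control"), ("tcp", 443, "https")],
}

CIPHERS = {"aes-128-cbc", "aes-256-cbc", "aes-128-gcm", "aes-256-gcm"}
HASHES = {"sha-1", "sha-256", "sha-384"}


@dataclass
class TunnelConfig:
    transport: str   # "tcp" or "udp"
    cipher: str      # e.g. "AES-256-GCM"
    hash_alg: str    # e.g. "SHA-384"


def validate(cfg: TunnelConfig):
    """Return (errors, warnings). Errors are unsupported combinations per the
    paper; warnings are weaker-but-supported choices (author's policy)."""
    errors, warnings = [], []
    t, c, h = cfg.transport.lower(), cfg.cipher.lower(), cfg.hash_alg.lower()

    if t not in TUNNEL_PORTS:
        errors.append(f"unknown transport {cfg.transport!r}; expected tcp or udp")
    if c not in CIPHERS:
        errors.append(f"unsupported cipher {cfg.cipher!r}")
    if h not in HASHES:
        errors.append(f"unsupported hash {cfg.hash_alg!r}")

    # Suite B (AES-GCM) is documented as unavailable over the TCP transport.
    if c.endswith("-gcm") and t == "tcp":
        errors.append("AES-GCM (Suite B) is not available with the TCP transport; use UDP or a CBC cipher")

    if h == "sha-1":
        warnings.append("SHA-1 selected; prefer SHA-256 or SHA-384")
    if c.startswith("aes-128"):
        warnings.append("AES-128 selected; AES-256 is supported")
    if c.endswith("-cbc") and t == "udp":
        warnings.append("CBC selected although AES-GCM is available over UDP")
    return errors, warnings


def required_ports(transport: str):
    """(protocol, port) pairs a perimeter firewall must allow for this transport.
    Assumption: only the selected transport's row of Table 1 is needed."""
    return {(proto, port) for proto, port, _ in TUNNEL_PORTS[transport.lower()]}


if __name__ == "__main__":
    # Constructed configurations: a weak one and a corrected one.
    weak = TunnelConfig("tcp", "AES-256-GCM", "SHA-1")
    strong = TunnelConfig("udp", "AES-256-GCM", "SHA-384")
    for cfg in (weak, strong):
        errs, warns = validate(cfg)
        print(cfg, "errors:", errs, "warnings:", warns)
        if not errs:
            print("  open:", sorted(required_ports(cfg.transport)))
```

Run it before opening firewall rules: a configuration that fails `validate` (for example GCM over TCP) will not come up, and the returned port set is the minimal allow-list for the transport actually selected.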
Cisco Intercloud Fabric supports secure and encrypted communications between private and public clouds. Key 
and certificate management for the site-to-site tunnel is done by the director running in the private cloud. This 
secure site-to-site tunnel also provides Layer 2 extension of an enterprise network into the public cloud. 
Cisco Intercloud Fabric Secure Shell 
Cisco Intercloud Fabric creates a secure shell around all public cloud VMs that are a part of the solution. This 
secure shell is created with multiple levels of security, including preshared Secure Shell (SSH) and tunnel keys, 
creating encrypted tunnels for VM-to-VM traffic in a public cloud and the ability to limit access to cloud VMs using 
cloud security groups. 
The following sections provide details about the security mechanisms of the secure shell. 
Trusted Cloud VMs 
Cisco Intercloud Fabric makes sure that every cloud VM that is a part of the secure shell is trusted. This trust is 
created via preshared SSH keys (Figure 2). 
Each time an IT admin creates an Intercloud Fabric cloud link, the Cisco Intercloud Fabric Director in the private cloud generates an SSH key pair. The SSH public key and the SSH username are passed to every VM that is deployed or migrated in the public cloud, so every cloud VM instantiated or migrated by the director is trusted. Only VMs holding this SSH key are accessed by the director and can be used to create a secure tunnel with an intercloud switch. Because the SSH keys are generated by the director inside the enterprise, the enterprise retains full control of them.
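The trust model above rests on each cloud VM accepting only the director's key. As an added example (not Cisco Intercloud Fabric code), the Python audit below parses a VM's `authorized_keys`, computes the OpenSSH SHA256 fingerprint of every entry (the same value `ssh-keygen -lf` prints) and reports any key that is not the director's. It assumes the pushed key lands in the service account's `authorized_keys` file, which the white paper does not state, and the keys it uses are constructed test data, not real key material.

```python
"""Audit a cloud VM's authorized_keys so only the director's key is trusted.

Added example; not Cisco Intercloud Fabric code. Assumes the director's public
key is installed in the tunnel service account's ~/.ssh/authorized_keys.
Fingerprints follow the OpenSSH "SHA256:<base64 without padding>" format.
"""
import base64
import binascii
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an 'ssh-ed25519 <blob> comment' line from 32 raw bytes.
    Constructed test data only; the bytes are not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of the key on an authorized_keys line.
    Options such as from=\"...\" may precede the key type; the key-type token
    (ssh-* or ecdsa-*) is located and the following token is the blob."""
    fields = pubkey_line.split()
    for i, tok in enumerate(fields):
        if tok.startswith("ssh-") or tok.startswith("ecdsa-"):
            if i + 1 >= len(fields):
                raise ValueError("key type without blob")
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no key found on line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, director_fp: str):
    """Return [(line_no, fingerprint_or_None, verdict)] for every non-comment line.
    Verdicts: 'director' (expected key), 'UNEXPECTED' (any other key),
    'unparseable' (garbage that sshd would also reject but which is worth seeing)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        try:
            fp = fingerprint(s)
        except (ValueError, binascii.Error):
            findings.append((n, None, "unparseable"))
            continue
        findings.append((n, fp, "director" if fp == director_fp else "UNEXPECTED"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the director's key (once with a from= restriction),
    # a rogue key someone added by hand, and a corrupt line.
    director = make_ed25519_pubkey_line(bytes(range(32)), "icf-director")
    rogue = make_ed25519_pubkey_line(bytes(32), "contractor-laptop")
    sample = "\n".join([
        "# managed by the Intercloud Fabric Director",
        director,
        'from="192.0.2.10" ' + director,
        rogue,
        "ssh-ed25519 not-base64!! broken",
    ])
    expected = fingerprint(director)
    for line_no, fp, verdict in audit_authorized_keys(sample, expected):
        print(f"line {line_no}: {verdict:11s} {fp}")
```

Run it on each cloud VM against the fingerprint recorded when the cloud link was created; any `UNEXPECTED` entry means a key the director did not issue can reach the VM, which breaks the assumption that only director-trusted VMs participate in the tunnel.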