
Tuesday, 5 August 2025

COOP: Council of Oracle Protocol - Cisco ACI

COOP: Council of Oracle Protocol – A Modern Overview

The Council of Oracle Protocol (COOP) serves as a critical mechanism for transmitting endpoint mapping data—such as identity and location—from leaf switches to spine proxies within a network. 

This communication is facilitated using Zero Message Queue (ZMQ), enabling leaf switches to relay endpoint details to a designated spine switch known as the "Oracle."

Spine nodes running COOP maintain a synchronized repository of endpoint mappings, ensuring consistency across the network. Additionally, COOP manages a Distributed Hash Table (DHT) that stores identity-to-location mappings, forming the backbone of the protocol’s database infrastructure.

To prioritize secure and efficient data transport, COOP uses high-priority channels and encrypted connections. Security is further reinforced through MD5-based authentication, which safeguards COOP messages against unauthorized traffic injection. Both the APIC controller and network switches support this authentication mechanism.

COOP now supports two distinct ZMQ authentication modes:

  • Strict Mode: Only MD5-authenticated ZMQ connections are permitted, ensuring maximum security.
  • Compatible Mode: Allows both authenticated and non-authenticated ZMQ connections, offering flexibility for diverse network environments.

 

Integrating COOP with Cisco APIC: Secure ZMQ Authentication in ACI Fabric

To enable secure communication across the Cisco Application Centric Infrastructure (ACI), the Application Policy Infrastructure Controller (APIC) incorporates support for COOP Zero Message Queue (ZMQ) authentication. This includes the use of MD5-based password protection and a secure operational mode for COOP messaging.


Configuration of COOP ZMQ Authentication Type

A new managed object, coop:AuthP, has been introduced within the Data Management Engine (DME) under the COOP database path (coop/inst/auth). This object allows administrators to define the authentication mode for COOP ZMQ connections. By default, the mode is set to "compatible", permitting both authenticated and unauthenticated connections. For environments requiring stricter security, the mode can be switched to "strict", which enforces MD5 authentication exclusively.


Managing the MD5 Password for COOP Authentication

The APIC also provides a managed object named fabric:SecurityToken, which includes a dynamic attribute called "token". This token serves as the MD5 password and is refreshed automatically every hour. COOP receives update notifications from the DME to ensure the password remains current. For security reasons, the actual token value is not exposed or displayed.

COOP Strict Mode Behavior During ACI Fabric Upgrades

When performing an upgrade across the Cisco ACI fabric, the system temporarily disables COOP strict mode until all switches have completed the upgrade process. This safeguard is designed to prevent disruptions in COOP communication—specifically, it avoids the risk of a switch rejecting COOP connections due to premature enforcement of strict authentication. By deferring strict mode activation, the fabric ensures seamless interoperability and avoids authentication mismatches during transitional states.


Configuring COOP Authentication Policy in Cisco ACI

Using the Cisco APIC GUI

To set the COOP authentication mode through the APIC interface:

  1. Navigate to System > System Settings from the top menu.
  2. In the left-hand Navigation pane, select COOP Group.
  3. In the Work pane, locate the Policy Property section. Under the Type field, choose either:
    • Compatible Type – allows both authenticated and unauthenticated ZMQ connections.
    • Strict Type – enforces MD5 authentication for all ZMQ connections.
  4. Click Submit to apply the changes.

This completes the configuration of the COOP authentication policy via the APIC GUI.


Using the Cisco NX-OS-Style CLI

To configure COOP authentication using the command-line interface:

    apic1# configure
    apic1(config)# coop-fabric
    apic1(config-coop-fabric)# authentication type ?
      compatible  Compatible type
      strict      Strict type
    apic1(config-coop-fabric)# authentication type strict

This sets the COOP authentication mode to strict, ensuring that only MD5-authenticated ZMQ connections are accepted.
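
A check that can follow the change, as an added example that is not from the original post or from Cisco's own tooling: it parses the JSON of an APIC class query and flags a fabric that is still in compatible mode. It assumes the fabric-wide COOP policy is exposed over REST as class coopPol with a type attribute; the sample response and the function name audit_coop_policy are constructed for illustration.

```python
import json

# Constructed sample of the JSON an APIC returns for a class query on the
# COOP group policy (GET /api/node/class/coopPol.json). Values are made up.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "1",
    "imdata": [{"coopPol": {"attributes": {
        "dn": "uni/fabric/pol-default",
        "name": "default",
        "type": "compatible",
    }}}],
})


def audit_coop_policy(raw_json):
    """Return (severity, dn, message) findings for the COOP auth mode."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [("error", "-", f"response is not valid JSON: {exc}")]
    imdata = doc.get("imdata", []) if isinstance(doc, dict) else []

    findings = []
    for item in imdata:
        if "error" in item:  # APIC reports failures (e.g. expired login) in-band
            text = item["error"].get("attributes", {}).get("text", "unknown")
            findings.append(("error", "-", f"APIC returned an error: {text}"))
        elif "coopPol" in item:
            attrs = item["coopPol"].get("attributes", {})
            dn = attrs.get("dn", "?")
            mode = attrs.get("type", "").lower()
            if mode == "strict":
                findings.append(("ok", dn, "only MD5-authenticated ZMQ connections are accepted"))
            elif mode == "compatible":
                findings.append(("warn", dn, "unauthenticated ZMQ connections are still accepted"))
            else:
                findings.append(("error", dn, f"unexpected type value {mode!r}"))
    if not findings:
        # Nothing returned: fall back to the documented default, which is compatible.
        findings.append(("warn", "-", "no coopPol object returned; default mode is compatible"))
    return findings


if __name__ == "__main__":
    for severity, dn, message in audit_coop_policy(SAMPLE_RESPONSE):
        print(f"[{severity}] {dn}: {message}")
```

Because strict mode is held back while a fabric upgrade is in progress, run the check again once every switch has finished upgrading.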

COOP (Council of Oracle Protocol) and ZMQ (Zero Message Queue)

 In Cisco ACI (Application Centric Infrastructure), both COOP (Council of Oracle Protocol) and ZMQ (ZeroMQ) play critical roles in the control-plane communication between switches (leaves and spines), but they serve different purposes and operate at different levels. Let’s break down the difference and their relationship:


🔹 What is COOP in Cisco ACI?

📌 Purpose:

COOP is the control-plane protocol used by leaf switches to register endpoint information with spine switches in Cisco ACI.

📌 Function:

  • It is used by leaf switches to tell the spine(s) about endpoints (MAC, IP, EPG, etc.) they’ve learned.
  • Spines act as COOP databases and maintain a distributed mapping table of which leaf has which endpoint.
  • This allows for location-based routing (instead of flooding like in traditional Ethernet).

🔹 What is ZMQ (Zero Message Queue) in Cisco ACI?

📌 Purpose:

ZMQ (ZeroMQ) is a messaging library used within Cisco ACI to transport messages between system components (e.g., between leaf and spine switches).

📌 Function:

  • Acts like a messaging bus.
  • Enables high-performance publish/subscribe or request/response messaging.
  • It’s used under the hood to deliver control-plane messages—including COOP messages.

 Does COOP Use ZMQ?

Yes.

COOP uses ZMQ as its transport mechanism to send and receive messages between leaf and spine switches.


🔍 How Does COOP Use ZMQ?

Here’s the flow simplified:

  1. A leaf switch learns a new endpoint (say, a VM with MAC/IP).
  2. The leaf constructs a COOP message with the endpoint details.
  3. This COOP message is encapsulated in a ZMQ message.
  4. The ZMQ library sends this message to the appropriate spine switch (COOP database).
  5. The spine decodes the COOP message and updates its COOP database.

Diagrammatically:


    [Leaf Switch]
        |
        |--> [COOP Message Created]
        |
        |--> [Wrapped in ZMQ Message]
        |
        |--> [ZMQ Sends Message to Spine]
        |
    [Spine Switch (COOP DB)]
        |
        |--> [ZMQ Receives Message]
        |
        |--> [COOP Message Extracted & DB Updated]


🆚 Summary: COOP vs ZMQ

| Feature | COOP | ZMQ |
|---|---|---|
| Purpose | Control-plane protocol for endpoint learning | Messaging library used for data transport |
| Scope | Endpoint registration between leaf & spine | Messaging between ACI components |
| Layer | Application-layer protocol | Transport mechanism (middleware) |
| Relationship | Payload Protocol | Transport Protocol |
| Used By | Leaf-to-Spine communication | All ACI components (APICs, Leafs, Spines) |


Example of Usage:

  • You might see COOP messages being passed between leaf and spine switches in packet captures.
  • If you dig deeper, those messages are often encapsulated using ZMQ frames, showing how COOP rides on top of ZMQ.