EVPN - PTT.br

ETHERNET VPN (EVPN) - USE CASES AND APPLICATION
Alexandre Silvestre
November 2014
AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
4. Key take-aways
EVPN and the opportunity to make it right
• What have we learnt about VPNs
- IP-VPN (RFC4364) is successfully deployed in SP networks without interop issues, easy to provision, supports all-active MH but only IP traffic
- VPLS (RFC4761/4762/6074) had control plane interop issues, provisioning vs efficiency trade-offs, flood-and-learn is not optimum, but works for any Ethernet traffic
• Why another VPN technology
- Cloud and NFV are shifting the way networks must behave
- EVPN is an Ethernet VPN technology (provides L2 and L3) that delivers the required flexibility, is future-proof and inherits over a decade of VPN experience
• Where can we use EVPN
- Cloud and virtualization services
- Data Center Interconnect (DCI)
- Integrated Layer-2 and Layer-3 VPN services
- Overlay technologies that simplify topologies and protocols
EVPN is taking off in the industry
• Perceived as a new hot technology driven by IETF L2VPN WG
• Many mature base I-Ds and new I-Ds
- RFC7209 (EVPN requirements)
- draft-ietf-l2vpn-evpn base specification: last call already
- draft-ietf-l2vpn-pbb-evpn: no more changes expected
• Diverse authors on requirements and base specification
- Vendors
- Network operators
• Shipping implementations
I-Ds and RFCs shown on the slide: draft-ietf-l2vpn-evpn, RFC7209 (draft-ietf-l2vpn-evpn-req), draft-ietf-l2vpn-pbb-evpn, draft-ietf-l2vpn-spbm-evpn, draft-ietf-l2vpn-trill-evpn, draft-allan-l2vpn-mldp-evpn, draft-boutros-l2vpn-evpn-vpws, draft-boutros-l2vpn-vxlan-evpn, draft-jain-l2vpn-evpn-lsp-ping, draft-li-l2vpn-evpn-mcast-state-ad, draft-li-l2vpn-evpn-pe-ce, draft-li-l2vpn-segment-evpn, draft-rabadan-l2vpn-dci-evpn-overlay, draft-rabadan-l2vpn-evpn-prefix-advertisement, draft-rabadan-l2vpn-evpn-optimized-ir, draft-rp-l2vpn-evpn-usage, draft-sajassi-l2vpn-evpn-etree, draft-sajassi-l2vpn-evpn-inter-subnet-forwarding, draft-sajassi-l2vpn-evpn-ipvpn-interop, draft-sajassi-l2vpn-evpn-vpls-integration, draft-salam-l2vpn-evpn-oam-req-frmwk, draft-sd-l2vpn-evpn-overlay, draft-vgovindan-l2vpn-evpn-bfd, draft-zhang-l2vpn-evpn-selective-mcast, draft-zheng-l2vpn-evpn-pm-framework
EVPN changes the paradigm: MACs are advertised in MP-BGP
• Brings proven and inherent BGP control plane scalability to MAC routes
- Consistent signaled FDB in any size network instead of flooding
- Route-reflectors and BGP features available for layer-2
• BGP advertises MACs/IPs for next hop resolution with EVPN NLRI
- AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
- Fully supports IPv4 and IPv6
• Offers greater control over MAC learning
- What is signaled, from where and to whom
- Ability to apply MAC learning policies
• Maintains virtualization and isolation of EVPN instances
• Enables traffic load balancing for multihomed CEs with ECMP MAC routes

MAC Advertisement Route (fields in order; the light blue fields on the slide are not part of the route key):
- Route-distinguisher (8B)
- Ethernet Segment ID (10B)
- Ethernet Tag ID (4B)
- MAC Address Length (1B)
- MAC Address (6B)
- IP Address Length (1B)
- IP Address (0 or 4 or 16B)
- MPLS Label 1 (3B)
- MPLS Label 2 (0 or 3B)
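An added encoder/decoder for the MAC Advertisement Route laid out above (example code, not part of the deck or any vendor implementation). It packs the fields in the slide's order and sizes, parses strictly (wrong type, truncation and illegal length fields are rejected rather than trusted), and extracts the route key; the key composition (RD, Ethernet Tag, MAC, IP, with ESI and labels excluded) is assumed from the base specification, and the sample RD/MAC/IP values are constructed.

```python
import struct
from typing import Optional

# AFI/SAFI that carry EVPN NLRI, from the slide.
AFI_L2VPN, SAFI_EVPN = 25, 70
ROUTE_TYPE_MAC_IP = 2   # MAC Advertisement Route (Type 2)

def encode_mac_ip_route(rd: bytes, esi: bytes, eth_tag: int, mac: bytes, ip: bytes = b"",
                        label1: int = 0, label2: Optional[int] = None) -> bytes:
    """Type-2 NLRI: route type (1B), length (1B), then the fields in slide order."""
    if len(rd) != 8 or len(esi) != 10 or len(mac) != 6 or len(ip) not in (0, 4, 16):
        raise ValueError("bad field length")
    body = rd + esi + struct.pack("!I", eth_tag)
    body += bytes([48]) + mac                       # MAC length is carried in bits
    body += bytes([len(ip) * 8]) + ip               # IP length 0 / 32 / 128 bits, then 0 / 4 / 16B
    body += (label1 << 4).to_bytes(3, "big")        # 20-bit label in the high bits of the 3B field
    if label2 is not None:
        body += (label2 << 4).to_bytes(3, "big")
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body

def decode_mac_ip_route(nlri: bytes) -> dict:
    """Strict parser: rejects wrong type, truncated NLRI and illegal length fields."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a MAC Advertisement Route")
    b = nlri[2:]
    if len(b) != nlri[1] or len(b) < 33:            # 8+10+4+1+6+1+0+3 is the minimum body
        raise ValueError("NLRI length mismatch")
    if b[22] != 48:
        raise ValueError("MAC length must be 48 bits")
    ip_len = b[29] // 8
    if b[29] not in (0, 32, 128) or len(b) - 30 - ip_len not in (3, 6):
        raise ValueError("illegal IP length or label count")
    labels = b[30 + ip_len:]
    return {"rd": b[0:8], "esi": b[8:18], "eth_tag": struct.unpack("!I", b[18:22])[0],
            "mac": b[23:29], "ip": b[30:30 + ip_len],
            "label1": int.from_bytes(labels[0:3], "big") >> 4,
            "label2": int.from_bytes(labels[3:6], "big") >> 4 if len(labels) == 6 else None}

def route_key(route: dict) -> tuple:
    """Route key as assumed from the base spec: RD, Ethernet Tag, MAC, IP; ESI and labels excluded."""
    return (route["rd"], route["eth_tag"], route["mac"], route["ip"])

# Constructed sample: type-0 RD 65000:1 and ESI 0 as on the data-plane slide; MAC1/IP1 values are made up.
SAMPLE_RD = struct.pack("!HHI", 0, 65000, 1)
SAMPLE_MAC1 = bytes.fromhex("00005e000101")
SAMPLE_IP1 = bytes([10, 10, 10, 10])
SAMPLE_NLRI = encode_mac_ip_route(SAMPLE_RD, bytes(10), 0, SAMPLE_MAC1, SAMPLE_IP1, label1=1000)
```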
EVPN provides control plane and data plane separation
A unified control plane for L2/L3 and any data plane option
Control plane: EVPN MP-BGP (draft-ietf-l2vpn-evpn)
Data plane options:
• EVPN over MPLS for ELAN services
- All-active and single-active multihoming
- RSVP-TE/LDP/SR or any MPLS transport
• EVPN with PBB PE functionality for scaling very large networks over MPLS
- All-active and single-active multihoming
• EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for overlay encapsulations
- All-active and single-active multihoming
THE MAIN EVPN CONCEPTS IN ONE SHOT
draft-ietf-l2vpn-evpn
- EVPN Instance (EVI): identifies a VPN
- MAC-VRF: Virtual Routing Forwarding table for MACs
- Ethernet Tag: broadcast or bridge domain in the EVI
- Control Plane Learning: PEs advertise MAC addresses and next hops from connected CEs using MP-BGP
- Data/Mgmt Plane Learning: dynamic or static (provisioned)
- Customer Edge (CE): host, VM, router or switch
- Ethernet Segment Identifier (ESI): link(s) that connect the CE to PEs (ESIs are unique across the network)
- Single-Active Mode: multihomed, one active PE
- All-Active Mode: multihomed, two or more active PEs
- Data Plane Encapsulation: MPLS or NVO tunnels
(Diagram: PE1 to PE6 all carrying EVI 1; a CE attached by LAG to two PEs over one Ethernet Segment; a VM's MAC/IP learnt at one PE and sent to the others in a BGP update.)
AGENDA
1. EVPN background and motivation
2. EVPN operations
- Data planes
- Multihoming, aliasing and mass-withdraw
- MAC-mobility, MAC-duplication and MAC-protection
- Proxy-ARP/ND and unknown flooding suppression
- Inter-subnet forwarding
3. EVPN use cases
4. Key take-aways
EVPN abstracts the control plane to support current and future data plane encapsulations
• EVPN over MPLS
- draft-ietf-l2vpn-evpn
- Uses a service label (no PWs) as EVI demultiplexer
- Transport: requires IGP, RSVP/LDP/3107 BGP and takes advantage of all the MPLS features
• EVPN over NVO tunnels
- draft-sd-l2vpn-evpn-overlay
- Uses the Ethernet-tag to signal the NVO demultiplexer
- Transport: requires IGP only
- 7x50 support: VXLAN
(Diagram: CE1 with MAC1/IP1 behind PE1 in EVI 1; PE1 sends PE2 a BGP update for MAC1 - IP1/32 with RD = 65000:1 and ESI = 0. Over MPLS tunnels (RSVP, LDP, SR) the MPLS label (3B) is the demultiplexer; over NVO tunnels the Ethernet Tag ID (4B) carries the VNI/VSID.)
EVPN is the only VPN technology that provides all-active MH (per-flow load balancing)
DF ELECTION
The DF election avoids duplicate BUM flooding to all-active CEs
- EVPN elects a DF per ESI per service
- DF is responsible for BUM flooding to the Ethernet Segment
(Diagram: CE2 is attached by LAG to PE1 and PE2 on ESI2; PE1 is DF for ESI2 and PE2 is non-DF; CE1 and CE3 sit behind PE3. Without the DF, BUM towards CE2 arrives as duplicated packets.)
SPLIT-HORIZON
Split-horizon ensures that BUM traffic sent to the non-DF is not replicated back to the ESI
- The DF signals an ESI label that the non-DF uses to send BUM traffic to the DF
- The DF uses the ESI label to suppress the BUM to the ESI identified by the label
(Diagram: BUM from CE2 entering the non-DF PE2 is forwarded to PE1 (DF for ESI2) with the ESI label; without split-horizon PE1 would echo the packets back to CE2 over ESI2.)
ALIASING
Aliasing allows load-balancing to the PEs part of the ESI
- EVPN advertises what PEs are part of the ESI
- PE3 does ECMP to all the ESI owners
(Diagram: PE3 holds MAC1 - ES2 - PE1 - PE2 and load-balances to both PEs.)
EVPN single-active multihoming and mass-withdraw
In single-active multihoming EVPN, a mass-withdraw message is sent for all the services in the ESI
- PEs advertise:
  - MAC/IP address and its ESI (only PE1)
  - AD route per ESI (PE1 and PE2)
- If a failure affects the ESI, PE1 simply withdraws the route for the ESI and the remote PE moves all the MACs to the backup PE (PE2)
- Total convergence time is uniform for all the services
- No need to wait for individual MACs to be withdrawn, no flooding
In single-active multihoming VPLS, individual MAC flush messages must be sent per service in order to flush the MACs
- Total convergence time grows with the number of services
- MAC-flush creates subsequent flooding
(Diagram: PE1 and PE2 share ESI1 and both carry EVI 1, EVI 2 and EVI 3; PE3 is the remote PE; PE1 sends a single "ESI1 withdraw".)
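An added model of what the remote PE (PE3 in the two slides above) derives from A-D per ES and MAC/IP routes, covering DF election, aliasing and mass-withdraw (example code, not the deck's or any vendor's). The DF election rule (sort candidate PEs by IP address, DF for a service is the PE at index VLAN mod N) is assumed from the base specification; the topology in slide_scenario is constructed from the slides.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

def elect_df(candidate_pes: List[str], vlan: int) -> str:
    """Default DF election as assumed from the base spec: order the PEs that advertised the
    Ethernet Segment route by IP address and pick index (vlan mod N), per ESI per service."""
    ordered = sorted(candidate_pes, key=lambda ip: int(ipaddress.ip_address(ip)))
    return ordered[vlan % len(ordered)]

class RemotePe:
    """State a remote PE keeps per ESI and per MAC, and how it resolves next hops."""

    def __init__(self) -> None:
        self.es_mode: Dict[str, str] = {}                       # ESI -> "all-active" | "single-active"
        self.es_members: Dict[str, Set[str]] = {}               # ESI -> PEs with a live A-D per ES route
        self.macs: Dict[Tuple[str, int], Tuple[str, str]] = {}  # (MAC, EVI) -> (ESI, advertising PE)

    def receive_ad_per_es(self, esi: str, pe: str, mode: str) -> None:
        self.es_mode[esi] = mode
        self.es_members.setdefault(esi, set()).add(pe)

    def mass_withdraw(self, esi: str, pe: str) -> None:
        """One A-D per ES withdraw: no MAC route changes, yet every MAC on the ESI re-resolves."""
        self.es_members.get(esi, set()).discard(pe)

    def receive_mac(self, mac: str, evi: int, esi: str, pe: str) -> None:
        self.macs[(mac, evi)] = (esi, pe)

    def next_hops(self, mac: str, evi: int) -> List[str]:
        """Resolved next hop(s) for a MAC, honouring aliasing and single-active backup."""
        esi, pe = self.macs[(mac, evi)]
        if esi == "0":                                  # single-homed MAC: only the advertiser
            return [pe]
        members = sorted(self.es_members.get(esi, set()))
        if self.es_mode.get(esi) == "all-active":       # aliasing: ECMP to every owner of the ESI
            return members
        return [pe] if pe in members else members       # single-active: advertiser, else backup(s)

def slide_scenario() -> Dict[str, List[str]]:
    """Constructed: ESI2 all-active on PE1/PE2 (aliasing), ESI1 single-active on PE1/PE2 (mass-withdraw)."""
    pe3 = RemotePe()
    pe3.receive_ad_per_es("ESI2", "PE1", "all-active")
    pe3.receive_ad_per_es("ESI2", "PE2", "all-active")
    pe3.receive_mac("MAC1", 1, "ESI2", "PE1")           # only PE1 advertised MAC1, PE3 still ECMPs
    for pe in ("PE1", "PE2"):
        pe3.receive_ad_per_es("ESI1", pe, "single-active")
    for evi in (1, 2, 3):                               # PE1 is the active PE for all three EVIs
        pe3.receive_mac(f"MAC-EVI{evi}", evi, "ESI1", "PE1")
    before = [pe3.next_hops(f"MAC-EVI{e}", e)[0] for e in (1, 2, 3)]
    pe3.mass_withdraw("ESI1", "PE1")                    # a single withdraw moves all services to PE2
    after = [pe3.next_hops(f"MAC-EVI{e}", e)[0] for e in (1, 2, 3)]
    return {"aliasing": pe3.next_hops("MAC1", 1), "before": before, "after": after}
```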
EVPN supports MAC mobility, duplication and protection
1. ALIASING
A MAC advertised by two PEs using the same ESI is interpreted by the remote PEs as a multihomed MAC
- This function is used for aliasing
- Even if only one PE advertises MAC1/ESI1, PE3 will do multipathing
- It can also be used for "anycast" forwarding (if ecmp=1)
2. MOBILITY
A MAC advertised by two PEs using different ESI is interpreted as mobility (until a threshold is reached)
- A SEQ number is incremented each time the MAC is advertised from a different ESI
- If MAC1 moves X times in Y minutes (configurable) mac-duplication is triggered
3. PROTECTION
A MAC advertised as protected will not be overridden by the default PEs, and offending packets will be dropped
(Diagram: PE1 and PE2 advertise MAC1/ESI1 to PE3 in EVI 1; later PE2 advertises MAC1/ESI0 with SEQ N+1 against PE1's MAC1/ESI1 with SEQ N; MAC2/ESI1 is advertised as protected.)
EVPN provides integrated L2 and L3 forwarding
Asymmetric IRB model (draft-sajassi-l2vpn-evpn-inter-subnet-forwarding)
A customer (or tenant) is given:
- An EVI per subnet which exists in all the PEs in the network
- A VRF on each PE that has IRBs to all the MAC-VRFs for the customer and can forward traffic among all the subnets
- EVPN advertises the IRB MAC/IPs and learnt host MAC/IPs
When a host sends traffic to a remote subnet:
- At the ingress PE
  - FDB lookup yields IRB interface
  - Routing/ARP lookup yields local EVI and remote MAC/PE
- At the egress PE
  - Only FDB lookup is required
NOTE: MAC-VRF is an EVI instance in a given PE
(Diagram: VM1 10.10.10.10/24 (M1) on PE1, VM2 20.20.20.10/24 (M2) on PE2. PE1's VRF has IRB-1 10.10.10.1 into MAC-VRF EVI1 and IRB-2 20.20.20.1 into MAC-VRF EVI2; PE2's VRF has IRB-3 20.20.20.2 into EVI2 and IRB-4 10.10.10.2 into EVI1. Ingress PE1 tables: VRF/ARP entry for VM2's IP -> MAC M2, NH EVI2; EVI2 FDB: M2 -> EVPN PE2; EVI1 FDB: IRB1 -> local. Egress PE2: EVI2 FDB: M2 -> local.)
EVPN provides integrated L2 and L3 forwarding
Symmetric IRB model (draft-rabadan-l2vpn-evpn-prefix-advertisement)
A customer (or tenant) is given:
- An EVI per subnet which exists ONLY where there are hosts for that subnet
- A VRF on each PE that has IRBs to the local MAC-VRFs and an EVPN-tunnel IRB (no IP)
- Host MAC/IPs in one EVI are not imported by the remote PEs if the EVI is not local
- EVPN advertises IP prefixes that are imported in the VRF routing table
When a host sends traffic to a remote subnet:
- At the ingress PE
  - FDB lookup yields IRB interface
  - Routing lookup yields remote PE and MAC DA
- At the egress PE
  - Routing/ARP lookup yields MAC and local EVI
  - FDB lookup yields the local AC
The symmetric model saves ARP and FDB entries
(Diagram: VM1 10.10.10.10/24 (M1) on PE1 with IRB-1 10.10.10.1 into MAC-VRF EVI1; VM2 20.20.20.10/24 (M2) on PE2 with IRB-4 20.20.20.1 into MAC-VRF EVI2; each VRF also has an EVPN-tunnel IRB. PE2 advertises the EVPN Prefix-route 20.20.20.0/24. Ingress PE1 VRF table: 20.20.20.0/24 -> EVPN-tunnel PE2; EVI1 FDB: IRB1 -> local. Egress PE2 VRF/ARP table: VM2's IP -> M2, EVI2; EVI2 FDB: M2 -> local.)
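An added simulation of the two IRB models on the slide topology (example code, not the deck's or any vendor's): it builds the per-PE FDB/ARP/VRF state each model needs, walks the ingress-to-egress lookup chain described above for both, and counts the host entries so the "saves ARP and FDB entries" claim can be checked. Host placement, IRB addresses and the entry accounting are constructed from the two diagrams.

```python
import ipaddress
from typing import Dict, List

# Constructed from the slide diagrams: VM1 10.10.10.10 (M1) on PE1 in EVI1, VM2 20.20.20.10 (M2) on PE2 in EVI2.
HOSTS = {"10.10.10.10": ("M1", "EVI1", "PE1"), "20.20.20.10": ("M2", "EVI2", "PE2")}
SUBNET = {"EVI1": ipaddress.ip_network("10.10.10.0/24"), "EVI2": ipaddress.ip_network("20.20.20.0/24")}

def build_tables(model: str) -> Dict[str, Dict[str, dict]]:
    """Per-PE FDB / ARP / VRF state for the 'asymmetric' or 'symmetric' IRB model."""
    pes = {pe: {"fdb": {}, "arp": {}, "vrf": {}} for pe in ("PE1", "PE2")}
    for ip, (mac, evi, home) in HOSTS.items():
        for pe in pes:
            if pe == home:                                # host attached to this PE
                pes[pe]["fdb"][(evi, mac)] = "local"
                pes[pe]["arp"][ip] = (mac, evi)
                pes[pe]["vrf"][SUBNET[evi]] = ("irb", evi)
            elif model == "asymmetric":                   # EVI on every PE: remote MAC + ARP imported
                pes[pe]["fdb"][(evi, mac)] = home
                pes[pe]["arp"][ip] = (mac, evi)
                pes[pe]["vrf"][SUBNET[evi]] = ("irb", evi)
            else:                                         # symmetric: only the IP prefix route imported
                pes[pe]["vrf"][SUBNET[evi]] = ("evpn-tunnel", home)
    return pes

def forward(model: str, tables: Dict[str, Dict[str, dict]], src_ip: str, dst_ip: str) -> List[str]:
    """Lookup chain, ingress to egress, for a packet to a remote subnet as the slides describe it."""
    ingress = HOSTS[src_ip][2]
    dst = ipaddress.ip_address(dst_ip)
    kind, target = next(v for net, v in tables[ingress]["vrf"].items() if dst in net)
    steps = [f"{ingress}: FDB lookup -> IRB"]             # both models: the packet hits the IRB MAC
    if model == "asymmetric":
        mac, evi = tables[ingress]["arp"][dst_ip]
        egress = tables[ingress]["fdb"][(evi, mac)]
        steps += [f"{ingress}: routing/ARP -> {mac} in {evi}, via {egress}",
                  f"{egress}: FDB lookup -> {tables[egress]['fdb'][(evi, mac)]}"]
    else:
        egress = target                                   # kind == "evpn-tunnel"
        mac, evi = tables[egress]["arp"][dst_ip]
        steps += [f"{ingress}: routing -> EVPN-tunnel to {egress}",
                  f"{egress}: routing/ARP -> {mac} in {evi}", f"{egress}: FDB lookup -> local AC"]
    return steps

def state_size(tables: Dict[str, Dict[str, dict]]) -> Dict[str, int]:
    """ARP + FDB host entries per PE: the symmetric model needs fewer."""
    return {pe: len(t["arp"]) + len(t["fdb"]) for pe, t in tables.items()}
```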
AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
- Data Center and Data Center Interconnect
- Service chaining (PBR to NFV appliance)
- Internet Exchange Points
- Provider VPNs with integrated Layer-2 and Layer-3 services
- Overlay VPNs over IP
4. Key take-aways
Data Center use-case
Cloud computing and NFV are shifting DC networks to SDN-based DCs where only VXLAN and EVPN provide the required capabilities
- Legacy DC networks can't cope with 10,000s of dynamic hosts/VMs
- EVPN provides L2/L3 connectivity for 1,000s of tenants in the DC
- The IP fabric can also be extended to the WAN for DC interconnect
Required EVPN features
- MAC mobility, proxy-ARP/ND, MAC protection, unknown flooding suppression, inter-subnet forwarding
VXLAN data plane provides the required scalability, performance and simplicity
- De-facto standard with assisted hardware in servers
- ECMP and fast resiliency
- Loop-free forwarding for L2
- Shortest path between any 2 endpoints
(Diagram: EVPN-VXLAN over an IP fabric. Encapsulation, outer to inner: MAC, IP, UDP, VXLAN, then the customer MAC, VLAN, IP and payload; the VXLAN header carries the VPN ID + hash for the tunnel between endpoints.)
The use of EVPN for PBR
The ESI is a port identifier whose active presence is advertised by EVPN
- A PBR rule to an ESI can redirect traffic to a remote 'port' regardless of what is connected behind
- The ESI is advertised by EVPN when the FW port is active and withdrawn when the port goes inactive
- Active-active redirect is also possible (re-using the aliasing concept)
Required EVPN features
- EVPN AD routes per ESI
(Diagram: VM1 behind PE1; an active firewall F1 (20.20.20.2) and a standby firewall on ESI 0x01 behind PE3, across the IP fabric. PE3 advertises an EVPN AD route "ESI 0x01, VNI 1, NH PE3". PE1 applies an ingress ACL whose filter-table entry matches "xxxxx" with action "forward" and next-hop ESI 0x01, so the redirected path is VXLAN (VNI1) to PE3, while other traffic follows regular forwarding towards PE2/PE4.)
Internet eXchange Points
Peering fabrics
Static MAC/IP provisioning of the router interfaces for maximum security
- Suppresses unknown and ARP/ND flooding
- Drops unknown source MACs
EVPN required features
- L2 interconnection over a VXLAN or MPLS peering fabric
- Proxy-ARP/ND and unknown/ARP/ND suppression
- MAC duplication, MAC protection
- Anti-spoofing operation
Dynamic ARP/ND learning of proxy-ARP/ND entries for easy provisioning, minimum flooding and anti-spoofing monitoring
- Dynamic learning of ARP/ND entries is possible
- Anti-spoofing monitors hosts claiming the same IP
  - If a duplicate is detected, an alarm is triggered and MAC/IPs put in hold-down mode
  - An option to inject an anti-spoof MAC is possible too
(Diagram: peering routers attached to EVIs across an IP or IP/MPLS core network; the provisioned MACs/IPs populate each PE's proxy-ARP/ND table, so "Who has IP1?" is answered with "MAC1 has IP1" instead of being flooded, and a spoofer claiming IP1 is detected.)
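An added model of the proxy-ARP/ND table described above for one IXP PE (example code, not from the deck or any vendor): static router entries, dynamic learning, a duplicate-IP alarm with hold-down, the optional anti-spoof MAC reply, and the unknown-source-MAC check. The hold-down duration, the reply policy during hold-down and the addresses in the test are assumptions.

```python
from typing import Dict, List, Optional, Tuple

class ProxyArpTable:
    """Proxy-ARP/ND table of one IXP PE: static router entries, dynamic learning, anti-spoofing."""

    def __init__(self, hold_down_s: float = 300.0, anti_spoof_mac: Optional[str] = None) -> None:
        self.hold_down_s, self.anti_spoof_mac = hold_down_s, anti_spoof_mac
        self.entries: Dict[str, Tuple[str, str]] = {}   # IP -> (MAC, "static" | "dynamic")
        self.hold_down: Dict[str, float] = {}           # IP -> hold-down expiry time
        self.alarms: List[str] = []

    def add_static(self, ip: str, mac: str) -> None:
        """Provisioned router interface: known MAC/IP, never overridden by learning."""
        self.entries[ip] = (mac, "static")

    def learn(self, ip: str, mac: str, now: float) -> str:
        """Process an ARP/ND announcement seen on an AC."""
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = (mac, "dynamic")
            return "learned"
        if cur[0] == mac:
            return "refresh"
        # another host claims an IP already bound to a different MAC: duplicate / spoof attempt
        self.alarms.append(f"{ip} claimed by {mac}, bound to {cur[0]} ({cur[1]})")
        self.hold_down[ip] = now + self.hold_down_s      # existing binding is kept, IP goes on hold-down
        return "duplicate"

    def known_source(self, mac: str) -> bool:
        """Drop unknown source MACs: only MACs present in the table may send."""
        return any(m == mac for m, _ in self.entries.values())

    def answer(self, target_ip: str, now: float) -> Optional[str]:
        """Proxy reply for 'Who has target_ip?'; None means no reply and no flooding."""
        expiry = self.hold_down.get(target_ip)
        if expiry is not None and now < expiry:
            return self.anti_spoof_mac                   # optional: steer the contested IP to a sink MAC
        self.hold_down.pop(target_ip, None)
        entry = self.entries.get(target_ip)
        return entry[0] if entry else None
```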
Provider-provisioned VPNs
Layer-2 and Layer-3 services
EVPN provides layer-2 and layer-3 services
- Both services are provided through the same logical AC to the customer
- One VPN technology for both services, no need for multiple protocols
- VXLAN or MPLS data planes are possible
Required EVPN features
- IP-prefix advertisement and inter-subnet forwarding
- All-active multihoming for link utilization
- Single-active multihoming for better determinism
- PBB-EVPN for large layer-2 VPNs
(Diagram: PE1 and PE2 share ESI1; PE1, PE2 and PE3 each carry EVI 1, EVI 2, EVI 3 and a VRF, exchanging EVPN MAC/IP updates.)
Enterprise-provisioned overlay VPNs
EVPN-VXLAN works over any IP service to provide a flexible Layer-2 and Layer-3 VPN
- Just requires IP connectivity between the sites, no need to run any MPLS or special configuration by the IP service provider
- Service Provider is transparent to EVPN
- EVPN overlay is transparent to service providers
- Routing and MAC/IP advertisements within EVPN controlled via iBGP (evpn) between PEs
- VPN routing between endpoints can be controlled with BGP (ipv4) and routing policies to service providers
(Diagram: three enterprise PEs carrying EVI 1, each with a CE, attached to different providers (Service Provider A, SP B, SP C); BGP control plane between the PEs over a VXLAN data plane.)
AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
4. Key take-aways
EVPN is the next-generation VPN solution
- Efficient (all-active MH, BUM-optimized delivery)
- Secure (proxy ARP/ND, MAC protection, flooding suppression)
- Integrated Layer-2 and Layer-3 services
- Flexible data plane choice (MPLS, PBB, NVO)
EVPN is already used today in some use-cases with many more to come
EVPN real life deployment - the VPN solution that "maximizes the future freedom of action"
EVPN requirements and benefits
Row groups on the slide: Address Learning, Provisioning, Resiliency, Services, Flow Optimization. (The VPLS and EVPN columns are check-mark cells on the slide; only the text cells are reproduced.)

VPN Requirements                                          | VPLS     | EVPN | What does it do for me?
Control Plane Address Learning in the Core                |          |      | Greater Scalability and Control
L3VPN-Like Operation                                      |          |      | Simpler Provisioning and Automation
Auto Discovery and Configuration                          | PEs Only |      | Simpler Provisioning and Automation
Active-Standby Multihoming (Service-Based Load Balancing) |          |      | Standby Redundancy
All-Active Multihoming (Flow-Based Load Balancing)        |          |      | Active Redundancy and Link Utilization
VLAN Based Service Interfaces                             |          |      | Virtualization and Advanced Services
VLAN Aware Bundling Service Interfaces                    |          |      | Virtualization and Advanced Services
Inter-Subnet Forwarding                                   |          |      | Layer 2 and Layer 3 Over the Same Interface
ARP/ND Proxy                                              |          |      | Security and MAC Provisioning
MAC Mobility                                              |          |      | Virtualization and Advanced Services
EVPN NLRI ROUTE TYPES AND EXTENDED COMMUNITIES

Route Type | Route Description                   | Route Usage                                 | Reference
1          | Ethernet Auto-Discovery (A-D) Route | Endpoint Discovery, Aliasing, Mass-Withdraw | draft-ietf-l2vpn-evpn
2          | MAC Advertisement Route             | MAC/IP Advertisement                        | draft-ietf-l2vpn-evpn
3          | Inclusive Multicast Route           | BUM Flooding Tree                           | draft-ietf-l2vpn-evpn
4          | Ethernet Segment Route              | Ethernet Segment Discovery, DF Election     | draft-ietf-l2vpn-evpn
5          | IP Prefix Route                     | IP Route Advertisement                      | draft-rabadan-l2vpn-evpn-prefix-advertisement

Extended Community Type | Extended Community Description     | Extended Community Usage   | Reference
0x06/0x01               | ESI Label Extended Community       | Split Horizon Label        | draft-ietf-l2vpn-evpn
0x06/0x02               | ES-Import Route Target             | Redundancy Group Discovery | draft-ietf-l2vpn-evpn
0x06/0x00               | MAC Mobility Extended Community    | MAC Mobility               | draft-ietf-l2vpn-evpn
0x03/0x030d             | Default Gateway Extended Community | Default Gateway            | draft-ietf-l2vpn-evpn, bgp-extended-communities