ETHERNET VPN (EVPN) - USE CASES AND APPLICATION
Alexandre Silvestre
November 2014

AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
4. Key take-aways

EVPN and the opportunity to make it right
• What have we learnt about VPNs
  - IP-VPN (RFC4364) is successfully deployed in SP networks without interop issues, is easy to provision and supports all-active MH, but carries only IP traffic
  - VPLS (RFC4761/4762/6074) had control plane interop issues and provisioning vs. efficiency trade-offs, and flood-and-learn is not optimal, but it works for any Ethernet traffic
• Why another VPN technology
  - Cloud and NFV are shifting the way networks must behave
  - EVPN is an Ethernet VPN technology (provides L2 and L3) that provides the required flexibility, is future-proof and inherits over a decade of VPN experience
• Where can we use EVPN
  - Cloud and virtualization services
  - Data Center Interconnect (DCI)
  - Integrated Layer-2 and Layer-3 VPN services
  - Overlay technologies that simplify topologies and protocols

EVPN is taking off in the industry
• Perceived as a new hot technology driven by the IETF L2VPN WG
• Many mature base I-Ds and new I-Ds
  - RFC7209 (EVPN requirements)
  - draft-ietf-l2vpn-evpn base specification: last call already
  - draft-ietf-l2vpn-pbb-evpn: no more changes expected
• Diverse authors on requirements and base specification
  - Vendors
  - Network operators
• Shipping implementations
Drafts shown on the slide:
  draft-allan-l2vpn-mldp-evpn
  draft-boutros-l2vpn-evpn-vpws
  draft-boutros-l2vpn-vxlan-evpn
  draft-ietf-l2vpn-evpn
  RFC7209 (draft-ietf-l2vpn-evpn-req)
  draft-ietf-l2vpn-pbb-evpn
  draft-ietf-l2vpn-spbm-evpn
  draft-ietf-l2vpn-trill-evpn
  draft-jain-l2vpn-evpn-lsp-ping
  draft-li-l2vpn-evpn-mcast-state-ad
  draft-li-l2vpn-evpn-pe-ce
  draft-li-l2vpn-segment-evpn
  draft-rabadan-l2vpn-dci-evpn-overlay
  draft-rabadan-l2vpn-evpn-prefix-advertisement
  draft-rabadan-l2vpn-evpn-optimized-ir
  draft-rp-l2vpn-evpn-usage
  draft-sajassi-l2vpn-evpn-etree
  draft-sajassi-l2vpn-evpn-inter-subnet-forwarding
  draft-sajassi-l2vpn-evpn-ipvpn-interop
  draft-sajassi-l2vpn-evpn-vpls-integration
  draft-salam-l2vpn-evpn-oam-req-frmwk
  draft-sd-l2vpn-evpn-overlay
  draft-vgovindan-l2vpn-evpn-bfd
  draft-zhang-l2vpn-evpn-selective-mcast
  draft-zheng-l2vpn-evpn-pm-framework

EVPN changes the paradigm: MACs are advertised in MP-BGP
• Brings proven and inherent BGP control plane scalability to MAC routes
  - Consistent signaled FDB in any size network instead of flooding
  - Route-reflectors and BGP features available for layer-2
• BGP advertises MACs/IPs for next-hop resolution with the EVPN NLRI
  - AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
  - Fully supports IPv4 and IPv6
• Offers greater control over MAC learning
  - What is signaled, from where and to whom
  - Ability to apply MAC learning policies
• Maintains virtualization and isolation of EVPN instances
• Enables traffic load balancing for multihomed CEs with ECMP MAC routes
MAC Advertisement Route (the light blue fields on the slide are not part of the route key):
  Route Distinguisher (8B)
  Ethernet Segment ID (10B)
  Ethernet Tag ID (4B)
  MAC Address Length (1B)
  MAC Address (6B)
  IP Address Length (1B)
  IP Address (0, 4 or 16B)
  MPLS Label 1 (3B)
  MPLS Label 2 (0 or 3B)

EVPN provides control plane and data plane separation
A unified control plane for L2/L3 and any data plane option
Control plane: EVPN MP-BGP (draft-ietf-l2vpn-evpn)
Data plane options:
• EVPN over MPLS for ELAN services
  - All-active and single-active multihoming
  - RSVP-TE/LDP/SR or any MPLS transport
• EVPN with PBB PE functionality for scaling very large networks over MPLS
  - All-active and single-active multihoming
• EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for overlay encapsulations
  - All-active and single-active multihoming

THE MAIN EVPN CONCEPTS IN ONE SHOT (draft-ietf-l2vpn-evpn)
  EVPN Instance (EVI): identifies a VPN
  MAC-VRF: Virtual Routing and Forwarding table for MACs
  Ethernet Tag: broadcast or bridge domain in the EVI
  Control Plane Learning: PEs advertise MAC addresses and next hops from connected CEs using MP-BGP
  Data/Mgmt Plane Learning: dynamic or static (provisioned)
  Single-Active Mode: multihomed, one active PE
  All-Active Mode: multihomed, two or more active PEs
  Customer Edge (CE): host, VM, router or switch
  Data Plane Encapsulation: MPLS or NVO tunnels
  Ethernet Segment Identifier (ESI): link(s) that connect the CE to PEs (ESIs are unique across the network)
  [Figure: PE1 to PE6 all running EVI 1; a CE and a VM attached via LAG; MAC/IP BGP updates exchanged between PEs]

AGENDA
1. EVPN background and motivation
2. EVPN operations
   Data planes
   Multihoming, aliasing and mass-withdraw
   MAC mobility, MAC duplication and MAC protection
   Proxy-ARP/ND and unknown flooding suppression
   Inter-subnet forwarding
3. EVPN use cases
4. Key take-aways

EVPN abstracts the control plane to support current and future data plane encapsulations
• EVPN over MPLS
  - draft-ietf-l2vpn-evpn
  - Uses a service label (no PWs) as EVI demultiplexer
  - Transport: requires IGP, RSVP/LDP/3107 BGP and takes advantage of all the MPLS features
• EVPN over NVO tunnels
  - draft-sd-l2vpn-evpn-overlay
  - Uses the Ethernet Tag to signal the NVO demultiplexer
  - Transport: requires IGP only
  - 7x50 support: VXLAN
  [Figure: PE1 sends PE2 a MAC/IP BGP update for CE1's MAC1/IP1 with RD = 65000:1, ESI = 0, Ethernet Tag ID (4B), MAC1 - IP1/32 and MPLS label (3B); (1) MPLS tunnels (RSVP, LDP, SR) use the label, (2) NVO tunnels (VNI, VSID) use the Ethernet Tag]

EVPN is the only VPN technology that provides all-active MH (per-flow load balancing)
DF ELECTION: the DF election avoids duplicate BUM flooding to all-active CEs
  - EVPN elects a DF per ESI per service
  - The DF is responsible for BUM flooding to the Ethernet Segment
SPLIT-HORIZON: split-horizon ensures that BUM traffic sent to the non-DF is not replicated back to the ESI
  - The DF signals an ESI label that the non-DF uses to send BUM traffic to the DF
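As an added example (not code from the presentation), the MAC/IP Advertisement Route laid out on the NLRI slide and pictured in the MPLS/NVO data-plane slide above, encoded and decoded field by field in Python; the RD 65000:1, MAC, IP and label values in the comments are constructed samples:

```python
import struct

# Encoder/decoder for the EVPN MAC/IP Advertisement Route (route type 2),
# field by field as listed on the NLRI slide: RD (8B), ESI (10B), Ethernet
# Tag ID (4B), MAC length (1B, in bits), MAC (6B), IP length (1B, in bits),
# IP (0/4/16B), MPLS Label 1 (3B), MPLS Label 2 (0 or 3B). The route type and
# length octets in front of the body follow the draft's NLRI framing.
# Added example, not code from the presentation; sample values are constructed.

def encode_label(label):
    # 20-bit MPLS label left-aligned in a 3-byte field (low 4 bits unused here)
    return ((label & 0xFFFFF) << 4).to_bytes(3, "big")

def decode_label(b):
    return int.from_bytes(b, "big") >> 4

def encode_type2(rd, esi, eth_tag, mac, ip=b"", label1=0, label2=None):
    if len(rd) != 8 or len(esi) != 10 or len(mac) != 6 or len(ip) not in (0, 4, 16):
        raise ValueError("bad field length")
    body = rd + esi + struct.pack("!I", eth_tag)
    body += bytes([48]) + mac                 # MAC length is always 48 bits
    body += bytes([len(ip) * 8]) + ip         # IP length: 0, 32 or 128 bits
    body += encode_label(label1)
    if label2 is not None:
        body += encode_label(label2)
    return bytes([2, len(body)]) + body       # route type 2 + body length

def decode_type2(nlri):
    # Reject anything shorter than the minimum body (33B) plus framing, or mis-framed
    if len(nlri) < 35 or nlri[0] != 2 or nlri[1] != len(nlri) - 2:
        raise ValueError("not a type-2 NLRI or length mismatch")
    b = nlri[2:]
    rd, esi, eth_tag = b[:8], b[8:18], struct.unpack("!I", b[18:22])[0]
    if b[22] != 48:
        raise ValueError("MAC length must be 48 bits")
    mac, ip_len = b[23:29], b[29]
    if ip_len not in (0, 32, 128):
        raise ValueError("IP length must be 0, 32 or 128 bits")
    off = 30 + ip_len // 8
    ip = b[30:off]
    if len(b) not in (off + 3, off + 6):      # one or two 3-byte labels
        raise ValueError("bad label section length")
    label1 = decode_label(b[off:off + 3])
    label2 = decode_label(b[off + 3:off + 6]) if len(b) == off + 6 else None
    return {"rd": rd, "esi": esi, "eth_tag": eth_tag, "mac": mac,
            "ip": ip, "label1": label1, "label2": label2}
```

With ESI = 0 (ten zero bytes) and a single label the route is 39 bytes on the wire, matching the single-homed MAC1/IP1 update in the figure.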
  - The DF uses the ESI label to suppress the BUM to the ESI identified by the label
ALIASING: aliasing allows load-balancing to the PEs that are part of the ESI
  - EVPN advertises which PEs are part of the ESI
  - PE3 does ECMP to all the ESI owners
  [Figure: CE1, CE2 and CE3 attached to PE1, PE2 and PE3; CE2 dual-homed via LAG on ESI2 with PE1 as DF and PE2 as non-DF; the three panels show duplicated packets without DF election, echoed packets without split-horizon, and aliasing with MAC1 - ES2 - PE1 - PE2]

EVPN single-active multihoming and mass-withdraw
In single-active multihoming EVPN, a mass-withdraw message is sent for all the services in the ESI
  - PEs advertise:
    - MAC/IP address and its ESI (only PE1)
    - AD route per ESI (PE1 and PE2)
  - If a failure affects the ESI, PE1 simply withdraws the route for the ESI and the remote PE moves all the MACs to the backup PE (PE2)
  - Total convergence time is uniform for all the services
  - No need to wait for individual MACs to be withdrawn, no flooding
In single-active multihoming VPLS, individual MAC flush messages must be sent per service in order to flush the MACs
  - Total convergence time grows with the number of services
  - MAC-flush creates subsequent flooding
  [Figure: PE1 and PE2 attached to ESI1 with EVI 1, EVI 2 and EVI 3; PE3 receives a single ESI1 withdraw]

EVPN supports MAC mobility, duplication and protection
1. ALIASING: a MAC advertised by two PEs using the same ESI is interpreted by the remote PEs as a multihomed MAC
  - This function is used for aliasing
  - Even if only one PE advertises MAC1/ESI1, PE3 will do multipathing
  - It can also be used for "anycast" forwarding (if ecmp=1)
2. MOBILITY: a MAC advertised by two PEs using different ESIs is interpreted as mobility (until a threshold is reached)
  - A SEQ number is incremented each time the MAC is advertised from a different ESI
  - If MAC1 moves X times in Y minutes (configurable), mac-duplication is triggered
3. PROTECTION: a MAC advertised as protected will not be overridden by the default PEs, and offending packets will be dropped
  [Figure: PE1 advertises MAC1/ESI1 with SEQ N, PE2 later advertises MAC1/ESI0 with SEQ N+1 (mobility); PE2 advertises MAC2/ESI1 as protected]
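A worked model of the aliasing, mobility and protection rules just listed, added here as an illustration rather than taken from the presentation; the move threshold and window (standing in for the configurable "X moves in Y minutes"), the hold applied after mac-duplication and the return-value names are assumptions of this model:

```python
from collections import deque

# Constructed model of how a remote PE treats MAC/IP advertisements for one
# MAC, following the aliasing / mobility / protection rules on the slide.
# max_moves within window_s seconds stands in for "X moves in Y minutes".
# Added example, not vendor code.

class RemoteMacTable:
    def __init__(self, max_moves=5, window_s=180):
        self.max_moves = max_moves
        self.window_s = window_s
        self.entries = {}        # mac -> {"esi", "seq", "pes", "protected", "moves"}
        self.duplicates = set()  # MACs held after mac-duplication was triggered

    def advertise(self, mac, esi, pe, seq, now, protected=False):
        if mac in self.duplicates:
            return "duplicate-held"          # ignored until an operator clears the hold
        e = self.entries.get(mac)
        if e is None:
            self.entries[mac] = {"esi": esi, "seq": seq, "pes": {pe},
                                 "protected": protected, "moves": deque()}
            return "installed"
        if esi == e["esi"]:
            e["pes"].add(pe)                  # same ESI: multihomed MAC, ECMP (aliasing)
            return "aliased"
        if e["protected"]:
            return "rejected-protected"       # a protected MAC is not overridden
        if seq <= e["seq"]:
            return "stale"                    # older/equal SEQ from another ESI loses
        moves = e["moves"]
        while moves and now - moves[0] > self.window_s:
            moves.popleft()                   # keep only the moves inside the window
        moves.append(now)
        e.update(esi=esi, seq=seq, pes={pe}, protected=protected)
        if len(moves) >= self.max_moves:
            self.duplicates.add(mac)          # X moves in Y minutes: mac-duplication
            return "duplicate"
        return "moved"

    def next_hops(self, mac):
        # PEs a remote PE would load-balance to for this MAC (sorted for determinism)
        e = self.entries.get(mac)
        return sorted(e["pes"]) if e else []
```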
EVPN provides integrated L2 and L3 forwarding
Asymmetric IRB model (draft-sajassi-l2vpn-evpn-inter-subnet-forwarding)
A customer (or tenant) is given:
  - An EVI per subnet which exists in all the PEs in the network
  - A VRF on each PE that has IRBs to all the MAC-VRFs for the customer and can forward traffic among all the subnets
EVPN advertises the IRB MAC/IPs and learnt host MAC/IPs
When a host sends traffic to a remote subnet:
  - At the ingress PE
    - FDB lookup yields the IRB interface
    - Routing/ARP lookup yields the local EVI and the remote MAC/PE
  - At the egress PE
    - Only an FDB lookup is required
NOTE: MAC-VRF is an EVI instance in a given PE
  [Figure: PE1 (ingress) and PE2 (egress), each with a VRF and both MAC-VRF EVI1 and MAC-VRF EVI2; IRB-1 10.10.10.1 and IRB-2 20.20.20.1 on PE1, IRB-3 20.20.20.2 and IRB-4 10.10.10.2 on PE2; VM1 10.10.10.10/24 (M1) behind PE1, VM2 20.20.20.10/24 (M2) behind PE2; PE1's VRF/ARP table maps 20.10 to M2 via EVI2 and its EVI2 FDB maps M2 to PE2, while PE2's EVI2 FDB maps M2 to local]

Symmetric IRB model (draft-rabadan-l2vpn-evpn-prefix-advertisement)
A customer (or tenant) is given:
  - An EVI per subnet which exists ONLY where there are hosts for that subnet
  - A VRF on each PE that has IRBs to the local MAC-VRFs and an EVPN-tunnel IRB (no IP)
Host MAC/IPs in one EVI are not imported by the remote PEs if the EVI is not local
EVPN advertises IP prefixes that are imported into the VRF routing table
When a host sends traffic to a remote subnet:
  - At the ingress PE
    - FDB lookup yields the IRB interface
    - Routing lookup yields the remote PE and MAC DA
  - At the egress PE
    - Routing/ARP lookup yields the MAC and local EVI
    - FDB lookup yields the local AC
  [Figure: PE1 holds only MAC-VRF EVI1 (IRB-1 10.10.10.1, VM1 10.10.10.10/24 M1) and PE2 only MAC-VRF EVI2 (IRB-4 20.20.20.1, VM2 20.20.20.10/24 M2); both VRFs have an EVPN-tunnel IRB; PE2 advertises the EVPN prefix route 20.20.20.0/24, which PE1's VRF table resolves to next hop EVPN-tunnel PE2, and PE2's ARP table maps 20.10 to M2 via EVI2]
The symmetric model saves ARP and FDB entries

AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
   Data Center and Data Center Interconnect
   Service chaining (PBR to NFV appliance)
   Internet Exchange Points
   Provider VPNs with integrated Layer-2 and Layer-3 services
   Overlay VPNs over IP
4. Key take-aways

Data Center use-case
Cloud computing and NFV are shifting DC networks to SDN-based DCs where only VXLAN and EVPN provide the required capabilities
  - Legacy DC networks can't cope with 10,000s of dynamic hosts/VMs
EVPN provides L2/L3 connectivity for 1,000s of tenants in the DC
  - The IP fabric can also be extended to the WAN for DC interconnect
Required EVPN features: MAC mobility, proxy-ARP/ND, MAC protection, unknown flooding suppression, inter-subnet forwarding
VXLAN data plane provides the required scalability, performance and simplicity
  - De-facto standard with assisted hardware in servers
  - ECMP and fast resiliency
  - Loop-free forwarding for L2
  - Shortest path between any 2 endpoints
  [Figure: EVPN-VXLAN over an IP fabric; encapsulation stack, outer to inner: MAC | IP | UDP | VXLAN | MAC | VLAN | IP | payload, with VXLAN carrying the VPN ID + hash for the tunnel between endpoints]

The use of EVPN for PBR
Required EVPN features
  - EVPN AD routes per ESI
The ESI is a port identifier whose active presence is advertised by EVPN
A PBR rule to an ESI can redirect traffic to a remote 'port' regardless of what is connected behind
The ESI is advertised by EVPN when the FW port is active and withdrawn when the port goes inactive
Active-active redirect is also possible (re-using the aliasing concept)
  [Figure: VM1 behind PE1; an ingress ACL on PE1 with PBR to F1 (20.20.20.2) sends matching traffic over the redirected path to PE3, where the active firewall sits on ESI 0x01 (standby firewall behind PE4); PE3's EVPN AD route advertises ESI 0x01, VNI 1, NH PE3; the redirected packet is IP (to PE3) | UDP | VXLAN (VNI1) | MAC | IP; filter table: matching criteria xxxxx, action forward, next-hop ESI 0x01; other traffic follows regular forwarding via PE2]

Internet eXchange Points - peering fabrics
Static MAC/IP provisioning of the router interfaces for maximum security
  - Suppresses unknown and ARP/ND flooding
  - Drops unknown source MACs
EVPN required features
  - L2 interconnection over a VXLAN or MPLS peering fabric
  - Proxy-ARP/ND and unknown/ARP/ND suppression
  - MAC duplication, MAC protection
  - Anti-spoofing operation
Dynamic ARP/ND learning of proxy-ARP/ND entries for easy provisioning, minimum flooding and anti-spoofing monitoring
  - Dynamic learning of ARP/ND entries is possible
  - Anti-spoofing monitors hosts claiming the same IP
  - If a duplicate is detected, an alarm is triggered and the MAC/IPs are put in hold-down mode
  - An option to inject an anti-spoof MAC is possible too
  [Figure: peering routers attached to EVIs over an IP or IP/MPLS core network; the proxy-ARP/ND table of MACs/IPs answers "Who has IP1?" locally, and an ARP spoofer claiming "MAC1 has IP1" is detected]

Provider-provisioned VPNs - Layer-2 and Layer-3 services
EVPN provides layer-2 and layer-3 services
  - Both services are provided through the same logical AC to the customer
  - One VPN technology for both services, no need for multiple protocols
  - VXLAN or MPLS data planes are possible
Required EVPN features
  - IP-prefix advertisement and inter-subnet forwarding
  - All-active multihoming for link utilization
  - Single-active multihoming for better determinism
  - PBB-EVPN for large layer-2 VPNs
  [Figure: PE1 and PE2 attached to ESI1, each with EVI 1, EVI 2 and EVI 3; PE3 with EVI 1, EVI 2, EVI 3 and a VRF; EVPN MAC/IP updates between the PEs]

Enterprise-provisioned overlay VPNs
EVPN-VXLAN works over any IP service to provide a flexible Layer-2 and Layer-3 VPN
  - Just requires IP connectivity between the sites, no need to run any MPLS or special configuration by the IP service provider
  - The service provider is transparent to EVPN, and the EVPN overlay is transparent to service providers
  - Routing and MAC/IP advertisements within EVPN are controlled via iBGP (EVPN) between PEs
  - VPN routing between endpoints can be controlled with BGP (IPv4) and routing policies to service providers
  [Figure: enterprise PEs with EVI 1 at each CE site; BGP control plane and VXLAN data plane across Service Provider A, SP B and SP C]

AGENDA
1. EVPN background and motivation
2. EVPN operations
3. EVPN use cases
4. Key take-aways
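Returning to the Internet eXchange Points slide above, a constructed model of the proxy-ARP/ND anti-spoofing monitor it describes (static provisioned entries, dynamic learning, duplicate-IP alarm and hold-down); this is an added example, not vendor code, and the choice to keep a static binding through hold-down while answering nothing for the IP is an assumption of the model:

```python
# Constructed model of the IXP proxy-ARP/ND anti-spoofing behaviour on the
# slide: provisioned (static) entries are trusted, dynamic entries are learnt
# from ARP/ND, and a second MAC claiming an already-known IP raises an alarm
# and puts the IP into hold-down. Added example, not vendor code.

class ProxyArpTable:
    def __init__(self, hold_down_s=300):
        self.hold_down_s = hold_down_s
        self.entries = {}     # ip -> (mac, is_static)
        self.hold_down = {}   # ip -> time the hold-down expires
        self.alarms = []      # (ip, known_mac, offending_mac, time)

    def provision(self, ip, mac):
        """Static MAC/IP for a peering router interface (trusted, never learnt over)."""
        self.entries[ip] = (mac, True)

    def observe(self, ip, mac, now):
        """Process an ARP reply / ND advertisement seen on an AC; return the action taken."""
        expiry = self.hold_down.get(ip)
        if expiry is not None and now < expiry:
            return "dropped-hold-down"        # nothing is accepted for the IP while held
        if expiry is not None:
            del self.hold_down[ip]            # hold-down has expired
        known = self.entries.get(ip)
        if known is None:
            self.entries[ip] = (mac, False)   # dynamic learning of a new entry
            return "learnt"
        known_mac, is_static = known
        if known_mac == mac:
            return "refreshed"
        # A different host claims an IP already bound to another MAC: anti-spoofing
        self.alarms.append((ip, known_mac, mac, now))
        self.hold_down[ip] = now + self.hold_down_s
        if not is_static:
            del self.entries[ip]              # assumption: dynamic binding is discarded
        return "duplicate-alarm"              # assumption: static binding is kept

    def resolve(self, ip, now):
        """Answer 'who has IP?' from the table instead of flooding; None means no reply."""
        if ip in self.hold_down and now < self.hold_down[ip]:
            return None                       # no proxy reply during hold-down
        entry = self.entries.get(ip)
        return entry[0] if entry else None
```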
EVPN is the next-generation VPN solution
  - Efficient (all-active MH, BUM-optimized delivery)
  - Secure (proxy ARP/ND, MAC protection, flooding suppression)
  - Integrated Layer-2 and Layer-3 services
  - Flexible data plane choice (MPLS, PBB, NVO)
EVPN is already used today in some use-cases, with many more to come
EVPN real-life deployment: the VPN solution that "maximizes the future freedom of action"

EVPN requirements and benefits
(The slide also has VPLS and EVPN columns marking which technology meets each requirement; those marks are not reproduced here.)

Group             | VPN Requirements                                              | What does it do for me?
Address Learning  | Control Plane Address Learning in the Core                   | Greater Scalability and Control
Provisioning      | L3VPN-Like Operation                                          | Simpler Provisioning and Automation
Provisioning      | Auto Discovery and Configuration PEs Only                     | Simpler Provisioning and Automation
Resiliency        | Active-Standby Multihoming (Service-Based Load Balancing)     | Standby Redundancy
Resiliency        | All-Active Multihoming (Flow-Based Load Balancing)            | Active Redundancy and Link Utilization
Services          | VLAN Based Service Interfaces                                 | Virtualization and Advanced Services
Services          | VLAN Aware Bundling Service Interfaces                        | Virtualization and Advanced Services
Services          | Inter-Subnet Forwarding                                       | Layer 2 and Layer 3 Over the Same Interface
Services          | ARP/ND Proxy                                                  | Security and MAC Provisioning
Flow Optimization | MAC Mobility                                                  | Virtualization and Advanced Services

EVPN NLRI ROUTE TYPES AND EXTENDED COMMUNITIES

Route Type | Route Description                   | Route Usage                                  | Reference
1          | Ethernet Auto-Discovery (A-D) Route | Endpoint Discovery, Aliasing, Mass-Withdraw  | draft-ietf-l2vpn-evpn
2          | MAC Advertisement Route             | MAC/IP Advertisement                         | draft-ietf-l2vpn-evpn
3          | Inclusive Multicast Route           | BUM Flooding Tree                            | draft-ietf-l2vpn-evpn
4          | Ethernet Segment Route              | Ethernet Segment Discovery, DF Election      | draft-ietf-l2vpn-evpn
5          | IP Prefix Route                     | IP Route Advertisement                       | draft-rabadan-l2vpn-evpn-prefix-advertisement

Extended Community Type | Extended Community Description     | Extended Community Usage   | Reference
0x06/0x01               | ESI Label Extended Community       | Split Horizon Label        | draft-ietf-l2vpn-evpn
0x06/0x02               | ES-Import Route Target             | Redundancy Group Discovery | draft-ietf-l2vpn-evpn
0x06/0x00               | MAC Mobility Extended Community    | MAC Mobility               | draft-ietf-l2vpn-evpn
0x03/0x030d             | Default Gateway Extended Community | Default Gateway            | draft-ietf-l2vpn-evpn, bgp-extended-communities