Building Blocks in EVPN VXLAN for Multi-Service Fabrics. Aldrin Isaac Co-author RFC7432 Juniper Networks

Transcription

1 Building Blocks in EVPN VXLAN for Multi-Service Fabrics Aldrin Isaac Co-author RFC7432 Juniper Networks

2 Network Subsystems Network Virtualization Bandwidth Broker TE LAN Fabric WAN Fabric LAN WAN

3 EVPN for Network Virtualization EVPN Bandwidth Broker TE LAN Fabric WAN Fabric LAN WAN

4 EVPN in the LAN Fabric = The Multi-Service Fabric EVPN LAN Fabric LAN

5 Agenda Quick recap of EVPN fundamentals (5 slides) EVPN overlay options for intra-tenant east-west traffic (16 slides) Examples: interesting use cases with EVPN (7 slides) North-south traffic through EVPN based service chains (14 slides) Efficient replication options in EVPN (8 slides)

6 Things to note about this tutorial Is about native EVPN building blocks that are compliant with RFCs or standardstrack drafts. No proprietary technology Is about what has been implemented or is possible to implement on network SW/HW today Will not go into route and tunnel header gory details Is based on EVPN VLAN-Aware bridging model (vs VLAN-based) As we move forward, we will move faster.

7 Network Virtualization Overlay Reference Model for this Tutorial E1 E2 VLAN1 E3 E4 Tenant 1 VLAN2 SF E5 VLAN3 E6 E7 Tenant 2 VLAN4 E8 For this tutorial, tenants are groups of locationindependent endpoints where: Groups manifest as subnets that are routed to other groups of the same tenant (i.e. east-west) via a distributed routing function Tenants are routed to other tenants and to external destinations (i.e. north-south) through service function chains BGP Route Reflectors Tenants and groups are implemented as IP and Ethernet overlay virtual networks Overlay Edge VRF1 VXLAN overlay data plane VRF2 VRF2 VRF1 VRF1 VRF2 NVE VTEP PE The network virtualization edge (NVE) function may be implemented on ToR switch: to support physical end-systems Virtual routers: to support virtual end-points VLAN2 VLAN3 VLAN4 VLAN1 VLAN3 VLAN4 VLAN1 VLAN2 E3 E5 E6 E7 E1 E2 E4 E8 Note: NVE are also referred to as PE in SP networks, or VTEP in VXLAN networks. 7

8 EVPN Parallels with Classical Networks IP Fabric Multi-Tenant EVPN Network Single-Tenant Classical Network VTEP NVE / PE Virtual Router aka VRF IP EVPN Physical Router Physical Router Physical Router Virtual Switch aka MAC-VRF IRB Interfaces VLAN Table z Ethernet EVPN aka EVI Broadcast Domain EVPN Tag VXLAN VNI Physical zswitch VLAN Table VLAN Table VLAN Table Broadcast Domain EVPN Tag VXLAN VNI Physical Switch Physical Switch VLAN Table VLAN Table VLAN Table VLAN Table RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

9 BGP-based VPNs Overview IP Fabric MP-BGP Route Reflector VTEP 3 VTEP 2 VTEP 1 L3 Routes VRF-A MP-BGP EVPN VRF-A BGP Policy Route export with Extended Community RT 1111:1111 Route import with Extended Community RT 1111:1111 IPVPN-A Tunnels EVI-A MAC-VRF-A VLAN 10 EVPN Tag 100 VXLAN VNI 100 VLAN 20 EVPN Tag 200 VXLAN VNI 200 L2 Routes L1 Routes MAC-VRF-A BGP Policy Route export with Extended Community RT 2222:2222 Route import with Extended Community RT 2222:2222 Broadcast Domain EVPN Tag VXLAN VNI Broadcast Domain EVPN Tag VXLAN VNI RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

10 EVPN Route Types By Layer L3: IP Routing Type-5 IP Prefix Route MAC-VRF IP forwarding Type-5 VRF-to-VRF IP Prefix Route VRF IP forwarding L2: Ethernet Bridging Type-2 MAC/IP route MAC-Only MAC unicast forwarding MAC + IP ARP Proxy Type-3 Inclusive Multicast Ethernet Tag (IMET) Route BUM forwarding Type-6 Selective Multicast Ethernet Tag (SMET) Route Selective IP multicast forwarding L1: Ethernet Multi-Homing Type-4 Ethernet Segment (ES) Route Designated Forwarder (DF) election Type-1 Ethernet A-D Route Per ES Split horizon, Fast convergence Per EVI (ES:Tag) Aliasing Type-7 Multicast Join Sync Route Selective IP multicast support Type-8 Multicast Leave Sync Route Selective IP multicast support Layer 2.5 Includes ESI only Includes Tag only Includes Tag & ESI 10

11 EVPN Route Types By Unicast-related Vs Replication-related Unicast L1: Type-1 Ethernet A-D Route per ES Fast convergence L1: Type-1 Ethernet A-D Route per EVI Aliasing L2: Type-2 MAC/IP route MAC unicast forwarding, ARP Proxy ** L3: Type-5 Prefix Route Route IP forwarding BUM and IP Multicast L1: Type-1 Ethernet A-D Route per ES Split horizon L1: Type-4 Ethernet Segment (ES) Route Designated Forwarder (DF) election L1: Type-7 Multicast Join Sync Route Selective IP multicast support L1: Type-8 Multicast Leave Sync Route Selective IP multicast support L2: Type-3 Inclusive Multicast Ethernet Tag (IMET) Route BUM forwarding L2: Type-6 Selective Multicast Ethernet Tag (SMET) Route ** Selective IP multicast forwarding 11

12 Intra-Tenant (EAST-WEST) Overlay Service Models

13 1. Pure Bridging Overlay

14 Bridging Overlay Spine Unicast MAC forwarding EVPN Type-2 MAC-only route Routes generated from locally learned MACs in local VLAN table Bridging Only External Gateway NVE VLAN1 VLAN2 VLAN1 VLAN2 VRF1 WAN VLAN1 VLAN2 VLAN1 VLAN2 VRF1 L2VNs VLAN1 VLAN2 VLAN2 NVE Bridging Only BUM forwarding Type-3 Inclusive Multicast Ethernet Tag (IMET) route Ingress replicated by default Overlay transport VXLAN tunnels are marked with the VNI of a transported broadcast domain. Like Ethernet trunks between physical switches VXLAN VNI is carried in Label and Tag field of EVPN NLRI ARP suppression Add Type-2 MAC+IP route RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay 14

15 Bridging Overlay Detail Type-2 MAC, Type-3 IMET Leaf1 Leaf2 MAC-VRF-T MAC-VRF-T VLAN1 VLAN2 MAC VLAN2 VLAN1 L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement 15

16 ARP Proxy

17 EVPN ARP Proxy -- Synchronization and Suppression Leaf 1 Flow 1 Gateway ARP Synchronization VRF1 VRF1 ARP request 2 4 MAC/IP Route 3 ARP response 5 Flow Original ARP response 2 MAC/IP Route Leaf1 H1 ARP Suppression ARP request Leaf2 H2 Generated ARP response 4 ARP request Leaf3 Subnet 1 Subnet 1 Subnet 1 H3 Generated ARP response ARP synchronization keeps the per-subnet ARP tables of tenant VRFs synchronized MAC-to-IP bindings are learned by Leaf VTEP from the Sender field of local ARP request and reply packets and advertised as Type-2 MAC+IP routes MAC-to-IP bindings can be learned and advertised by Leaf VTEP with or without local VRF RFC/Drafts: RFC7432, draft-ietf-bess-evpn-proxy-arp-nd With distributed ARP broadcast suppression, Leaf VTEP will proxy respond to local ARP requests using the same synchronized MAC-to-IP bindings Reduces the impact of ARP broadcast on routers and hosts MAC-to-IP bindings may be learned from DHCP messages and coupled with sticky MAC procedures to safeguard against IP spoofing, ARP poisoning and duplicate detection 17

18 EVPN ARP suppression (cont d) Gratuitous ARP Proxy 1 GARP 2 MAC/IP Route Leaf1 Leaf2 Regenerated GARP Leaf3 Subnet 1 Subnet 1 Subnet 1 H1 H2 3 3 H3 Regenerated GARP GARP proxy is a feature of EVPN ARP suppression used to avoid data-plane flooding of GARPs. MAC-to-IP bindings are learned from Sender field of local GARP and advertised as Type-2 MAC+IP routes VTEP regenerate GARP to local end systems when they receive new remote MAC-to-IP bindings via Type-2 MAC+IP routes Example scenarios: VIP mobility for active-standby firewall Mobility in bridged mode WIFI VM mobility RFC/Drafts: RFC7432, draft-ietf-bess-evpn-proxy-arp-nd 18

19 2. Centrally Routed Bridging Overlay

20 Centrally Routed Bridging (CRB) Overlay IP routing is performed with IRB at central gateway VTEP. All default gateways for a subnet should share same MAC and IP. CRB gateway role can be placed at spine, leaf or anywhere else CRB access role at Leaf VTEPs only perform bridging CRB Border Gateway VRF1 VRF1 WAN L2VNs VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 CRB Access Host packets addressed to IRB MAC are forwarded to CRB gateway for routing. Other MACs are forwarded directly between Leaf. Type-2 MAC+IP route provides ARP synchronization between central gateways T2 MAC+IP also supports ARP suppression at leaf VTEP without need for local VRF Typical use case: where CRB gateway supports advanced functions, such as high ACL scale, stateful FW, NAT, etc vs CRB access RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay 20

21 Centrally Routed Bridging Detail CRB Gateway Gateway1 VRF-T Type-2 MAC, Type-3 IMET Type-2 MAC, MAC+IP Type-2 MAC, MAC+IP MAC-VRF-T VLAN1 VLAN2 Leaf1 MAC/IP MAC/IP Leaf2 CRB Access MAC-VRF-T VLAN1 VLAN2 MAC/IP VLAN2 MAC-VRF-T VLAN1 CRB Access L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement 21

22 3. Edge Routed Bridging Overlay

23 Edge Routed Bridging (ERB) Overlay Both intra and inter subnet IP forwarding are performed at Leaf VTEP with IRB. All gateways for a subnet must share same MAC and IP. Asymmetric ERB: Same route types as CRB Inter-subnet forwarding relies on ARP table synchronization using Type-2 MAC+IP route Drawback: All VLANs of tenant must be provisioned at all the VTEP where the tenant VRF is present Type-5 based Symmetric ERB (recommended): IP Border Gateway VRF1 WAN VRF1 L3VNs L2VNs VRF1 VRF1 VLAN1 VLAN2 VLAN2 ERB Uses Type-5 Prefix Route to exchange IP host routes for inter-subnet forwarding carries VRF VNI Locally learned ARP entries are imported into RIB and advertised as Type-5 host routes Type-2 MAC+IP route is used for distributed ARP suppression Advantages: L2VN/VLAN need to only be provisioned on the VTEP that have locally attached members of that VN. So has improved scaling over asymmetric model RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

24 Edge Routed Bridging Detail Type-2 MAC, Type-3 IMET Local, Type-2 MAC, MAC+IP Type-5 IP Host Leaf1 VRF-T IP EVPN Host IP Leaf2 VRF-T MAC-VRF-T MAC-VRF-T VLAN2 VLAN1 VLAN2 MAC/IP VLAN1 L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

25 4. IP Routed Overlay

26 IP Routed Overlay IPVPN for LAN using EVPN and VXLAN. No Ethernet Bridging. IP overlays are useful for North-south traffic flows ( service chaining ) Tenants that have no need for Ethernet bridging Uses only EVPN Type-5 Prefix route Requires BGP to host for IP address mobility IP Border Gateway L3VNs VRF1 VRF1 VRF1 WAN VRF1 IP Only May be useful for cloud fabrics as well: Lean core option for SaaS fabrics Or lightweight network-level multi-tenancy option for SaaS operators (Ex: production and development on same fabric) Additionally, overlay tunnels can enable useful functions such as in-situ OAM and GBP RFC/Drafts: draft-ietf-bess-evpn-prefix-advertisement section 5.4.1

27 Full Mesh IP EVPN Leaf3 VRF-T Import RT-T Export RT-T Type-5 Leaf1 Import RT-T Export RT-T T i T k Tk X j Import RT-T Export RT-T Leaf2 VRF-T X i X j VRF-T RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

28 Hub-and-spoke IP EVPN Border VRF-G Import RT-X Export RT-G Leaf1 VRF-X Import RT-G Export RT-X X i G G Type-5 X j Import RT-G Export RT-X VRF-X Leaf2 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

29 Edge Routed Bridging with IP Border Gateway (N-S) Function Detail Aggregates Border VRF-G Type-2 MAC, Type-3 IMET Local Type-5 IP Host Type-5 IP Prefix Leaf1 VRF-T Host IP Default IP EVPN Host IP Default Host IP VRF-T Leaf2 MAC-VRF-T MAC-VRF-T VLAN1 VLAN2 MAC/IP VLAN2 VLAN1 L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

30 IP Routed Overlay with Host Mobility L3VPN VRF1 VRF1 VRF1 VRF1 Gateway VLAN1 VLAN2 VLAN2 IP Border WAN IP Only Mobility Like ERB, but with no bridging overlay. Mobility here means a host IP can only be at one VTEP or another, not both. This is typical for Ethernet bridging, but not typical for IP routing. ARP entries from local VLAN are imported to RIB and exported as mobile Type-5 host routes. Uses Mobility Extended Community with Type-5 routes like with Type-2 routes. VTEPs with nonhighest sequence number must clear their local ARP entry and withdraw their advertisement. Requires IP-move suppression like with MAC-move suppression Supports subnets stretched across multiple VTEP. Classical proxy ARP used for non-local members of subnet Broadcasts and multicast are local-only All gateways for a distributed subnet must share same MAC and IP for workload mobility Caveat: No Ethernet multi-homing RFC/Drafts: draft-ietf-bess-evpn-prefix-advertisement, RFC7814, draft-malhotra-bess-evpn-irb-extended-mobility-04#section-8

31 IP Routed Overlay with Host Mobility Classical Proxy ARP and Type-5 Host with Mobility Type-5 IP Host with Mobility Local Leaf1 VRF-T IP EVPN Host IP Leaf2 VRF-T VLAN1 VLAN2 VLAN2 VLAN1 H1 H2 H3 H4 RFC/Drafts: draft-ietf-bess-evpn-prefix-advertisement, RFC7814, draft-malhotra-bess-evpn-irb-extended-mobility-04#section-8

32 Multi-homing

33 Ethernet Multihoming EVPN supports N-way Ethernet multihoming where N can be greater than 2 No ICL link required Uses EVPN Type-1 and Type-4 routes Adds EVPN Type-7 and Type-8 routes for selective multicast Multi-homed end-systems are identified in the overlay by unique Ethernet Segment ID (ESI). ESI identify unique split horizon boundary. Only one member link of an ESI is allowed to forward BUM packets. This member is known as the Designated Forwarder (DF) ESI may be at the granularity of physical port or at the granularity of logical interface (VLAN ID) EVPN Auto-ESI -- ESI generated automatically from LACP system-id or from BPDU root bridge snooping VRF1 VRF1 VRF1 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 ESI-1 ESI-2 ESI-1 ESI-2 LAG Trunk LAG VLAN1 VLAN2 ESI-1 ESI-2 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay 33

34 IP Multihoming Ethernet-connected IP-connected VRF1 VRF1 VRF1 VLAN1 VLAN2 VLAN3 ebgp Leaf Ethernet port IP port ebgp VRF1 VRF1 VRF1 Leaf IP port Routed BMS / H-visor / NF Routed NF End-system IP ports connect Ethernet ports into local subnet on each leaf Routed via a local IRB on each local subnet Less address management -- well suited for server attachment Floating IP, loopback and other routes advertised into overlay via ebgp peering between end-system and leaf IRB interface Routed IP interface on either side of the link No VLANs or IRB interfaces required at the leaf Better for network functions, like routers ebgp for advertising routes into overlay

35 Special Use Case Examples (with EVPN-native multi-homing support)

36 Example 1 Underlay Routed Overlay Subnets

37 GRT-based Edge Routed Bridging Single-tenant variant of symmetric ERB where IP routing is performed in the global routing table. No network virtualization and tunneling for IP. Basic use case is EVPN-based Ethernet multihoming for a GRT-routed end-system instead of MC-LAG inet.0 inet.0 L2VNs inet.0 inet.0 VLAN1 VLAN2 VLAN1 VLAN2 GRT ERB Expanded use case allows a subnet to exist across any number of leaf, with routing performed in the global routing table WAN Supports ARP suppression RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay

38 Example 2 Legacy Access Switch on EVPN

39 Legacy Access Switch Support Collapsed Spine ERB VRF1 VRF1 VRF1 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 L3VNs L2VNs EVPN ESI MC-LAG Access Switch VLAN1 VLAN2 VLAN1 VLAN2 VRF1 VRF1 VRF1 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN2 Bridged H-visor / NF Bridged BMS / NF Form of ERB where legacy Ethernet access switches (vs endsystems) are multihomed to a set of leaf VTEP Leaf VTEP may advertise subnet routes instead of host routes if subnet is not distributed EVPN multihoming down and proprietary MC-LAG up Great example of EVPN N-way multi-homing Collapsed spine pod may be part of a larger IP fabric Typical use case: transitional step from traditional MC- LAG model to a full overlay model with support for existing access switches from any vendor

40 Example 3 BUM-free Subnets

41 Bum-free Subnet (Only Known MAC Unicast and IP Unicast) 1 GARP 2 MAC, MAC/IP Route Leaf1 Leaf2 BUM X Leaf3 Subnet 1 Subnet 1 Subnet 1 H1 Regenerated GARP 3 H2 4 Generated ARP Response 5 ARP Request H3 Regenerated GARP 3 Problem Statement Some Ethernet services are unicast-only, but unfortunately still need BUM support for ARP Operators of these services do not want any packet replication on their network (ex: IX, CX, Hosting, IaaS, etc) Solution Enable ARP suppression with GARP support Do not import/export BUM and IP Multicast route types 3 (IMET) and 6/7/8 (SMET). Benefits No BUM = no loop issues No flood list state and related scale issues IPVPN-like with Ethernet plug-and-play Note Requires GARP from host on startup ( arping -A -c 4 - I eth0 in dhcpcd-run-hooks ) and whenever MAC/IP binding changes or endpoint moves. RFC/Drafts: RFC7432, draft-ietf-bess-evpn-proxy-arp-nd 41

42 Example 4 PVLAN Emulation

43 PVLAN Emulation using ERB with A/S Gateway With support for A/A multihoming Different subnet from Group A & B DHCP Located in underlay Supports option-82 ERB Tenant-A VRF-A, VNI-A IRB IP /24 DHCP Relay for ERB IRB filters for PVLAN ERB Tenant-G VRF-G, VNI-G GW IP /29 FW-VIP FW1a FW1b Routing table filter Default E1 E3 Group-A Community Gateway FW1a FW1b Hub-and-Spoke IP EVPN Host IP Static route 0/0 FW-VIP E2 E4 Group-B Isolated Problem statement: Subnet /24 must be shared without overlap across two server groups, A & B Servers in group A and servers in group B must not be reachable to one another Servers within group A must be reachable to other servers within group A ( community ) Servers in group-b must not be reachable to other servers in Group-B ( isolated ) Both group A & B servers must share a common active-standby firewall gateway pair, FW1, to communicate with external endpoints ERB Tenant-B VRF-B, VNI-B IRB IP /24 DHCP Relay for ERB IRB filters for PVLAN Port filters for Isolated PVLAN Caveats: Need logical VRF per group No north-south multicast yet Same as Group-A

44 PVLAN Emulation with ERB Server Group A & B Detail (5) ADD Hub-Spoke IP EVPN Host IP Default VRF-A Hub-and-Spoke IP EVPN Import RT-G (Default) Export RT-AB (Host) Default Host IP VRF-B DHCP Located in underlay For opt82 remote-id =.*: pool = /24 DHCP Relay VRF-B MAC-VRF-B VLAN-B as VNI-B Anycast IRB IP /24 Anycast IRB MAC xe:xx:xx:xx:xx:xx DHCP Relay: remote-id = <IRB>: source & giaddr = underlay loopback IP (1) ERB All server groups in a PVLAN use same subnet and same DHCP pool (2) ADD DHCP for ERB MAX-VRF-A VNI-A MAC-VRF-B VNI-B IRB Input Filter deny src deny src except /24 deny dst /24 except IRB Output Filter deny dst except /24 deny src /24 except (3) ADD IRB filters for PVLAN E1 E3 E2 E4 Port Input Filter: deny src Anycast-IRB-MAC Port Output Filter: deny src except Anycast-IRB-MAC (4) ADD port filters for Isolated PVLAN

45 Example 5 VXLAN / MPLS / SRv6 Coexistence

46 Telco Cloud EVPN-VXLAN and MPLS-IPVPN Coexistence Use Case EVPN Type-2 MAC, MAC+IP Local EVPN Type-5 IP Host IPVPN-EVPN Local Chaining East-West Domain North-South Domain MPLS-VRF Leaf1 Route Leak VXLAN- VRF IP EVPN Host IP VXLAN- VRF Leaf2 Route Leak MPLS-VRF VXLAN-MAC-VRF VXLAN-MAC-VRF VLAN1 VLAN2 Host MAC/IP VLAN2 VLAN1 L2 EVPN FE1 BE1 BE2 FE2

47 Telco Cloud EVPN-VXLAN and SRv6 Coexistence Use Case EVPN Type-2 MAC, MAC+IP Local EVPN Type-5 IP Host EVPN-GRT Local Chaining SR segments pushed at FE ToR simply routes IPv6 East-West Domain North-South Domain IPv6 GRT Leaf1 Route Leak VXLAN- VRF IP EVPN Host IP VXLAN- VRF Leaf2 Route Leak IPv6 GRT VXLAN-MAC-VRF VXLAN-MAC-VRF VLAN1 VLAN2 Host MAC/IP VLAN2 VLAN1 L2 EVPN FE1 BE1 BE2 FE2

48 Service-chaining N-S Traffic

49 Service Chaining Reference Model for North South Traffic WAN SF SF Tenant 1 Tenant 2 E1 E2 BD1 E3 E4 BD2 E5 E6 BD3 E7 E8 BD4

50 We have seen this before Gateway Service Function (Stateful FW) FW1a FW1b Service Function Chain VRF-G, VNI-G GW IP /29 FW-VIP Default Host IP Static route 0/0 FW-VIP VRF-A, VNI-A GW IP /24 Hub-and-Spoke L3VN VRF-B, VNI-B GW IP /24 E1 E3 Group-A E2 E4 Group-B

51 And another SF/SFC example we have looked at Aggregates Border VRF-G Service Function (MPLS VPN Gwy) Service Function Chain Leaf1 VRF-T Host IP Default IP EVPN Host IP Default Host IP Leaf2 VRF-T MAC VRF MAC VRF VLAN1 VLAN2 Host MAC/IP VLAN2 VLAN1 L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

52 And another kind of SFC we have seen EVPN Type-2 MAC, MAC+IP Local EVPN Type-5 IPVPN-EVPN Local Chaining East-West Domain North-South Domain Service Function Chain Service Function (MPLS VPN Gwy) MPLS-VRF Leaf1 Route Leak VXLAN- VRF IP EVPN Host IP VXLAN- VRF Leaf2 Route Leak MPLS-VRF VXLAN-MAC-VRF VXLAN-MAC-VRF VLAN1 VLAN2 Host MAC/IP VLAN2 VLAN1 L2 EVPN FE1 BE1 BE2 FE2

53 BD-L1-1 BD-L1-2 BD-L2-1 BD-L2-2 8 VRF-SF1-L 9 BD-SF1-R BD-SF1-L VRF-SF1-L VRF-SF1-L VRF-SF1-L VRF-SF1-R BD-SF1-L Service Chaining Using Our Building Blocks ERB Tenant-L1 CRB Tenant-R1 SF1-L SF1a L3 SF1-R SF2-L SF2a L1 SF2-R GW1-L GW1a L3 BD-R8-FW1 VRF-R8 BD-R8-1 BD-R8-2 Tenant-L2 SF1b L3 SF2b L1 GW1b L3 Tenant-R2 BD-R9-2 ERB H & S L3VN ERB Service Function ERB H & S L3VN IP Service Function IP H & S L3VN ERB Gateway Bridged

54 Service Chains with Bi-Way Service Functions

55 VRF-R BD-L BD-R VRF-R BD-L BD-L BD-L BD-L inet.0 BD-R Playing Service Chain Lego Connector Legend Tenant Head of chain Tail of chain To left function To right function Fabric External Function Service Function Type Examples Inter VNet L1 L3 L3 VRF-T inter-tenant gateway bump-in-wire ip-forwarder l2vn-linked ip-forwarder integrated ipsec external ip links VRF-R L1 L3 L3 IPVPN L3 fabric bump-in-wire w/ external link ip-forwarder w/external link l2vn-linked ip-forwarder w/external link integrated vpn gateway external gateway RFC/Drafts: draft-ietf-bess-service-chaining

56 VRF-R Service Chains -- Bump-in-Wire Service Function L1 IP adjacency through bump-in-wire L1 D L L3VN to left SF or Tenant IP1 IP2 VRF-R D R IP2 IP1 D L L3VN to right SF or Tenant D R At head, tail or middle of chain L1 IP2 IP1 D L L1 D L L3VN to left SF or Tenant IP1 D R IP2 External Device D R At end of chain with external link RFC/Drafts: draft-ietf-bess-service-chaining

57 BD-L BD-L BD-R VRF-R Service Chains -- IP Routing Service Function IP2 L3 IP3 IP adjacency with ipforwarder L3 D L L3VN to left SF or Tenants IP1 IP4 VRF-R D R IP2 IP3 D L L3VN to right SF or Tenants D R At head or middle of chain IP2 L3 IP3 IP4 IP3 D L L3 D L L3VN to left SF or Tenants IP1 D R IP2 External Device D R At end of chain with external link RFC/Drafts: draft-ietf-bess-service-chaining

58 VRF-R VRF-R VRF-R Service Chains Service Function Scaling IP2 L3 active IP3 L3 active IP1 VRF-R IP4 D L L3VN to left SF or Tenants L3VN to right SF or Tenants D R L3 standby IP5 IP8 IP6 L3 active IP7

59 BD-L VRF-R BD-L BD-R VRF-R BD-R VRF-R BD-R Service Chains Active/Standby Redundancy VIP L IP2 L3 active IP3 VIP R L3 active VIP announcement over L2VN using GARP BD-L DR VIPL VIPR DL BD-R VRF-R D L L3VN to left SF or Tenants L2VN-L L2VN-R L3VN to right SF or Tenants D R L3 standby BD-L DR VIPL VIPR DL IP6 L3 standby IP7

60 BD-L BD-L BD-R BD-R BD-R BD-R Service Chains Multicast (L2 Linked Chains) VIP L IP2 L3 active IP3 VIP R L3 active In-band PIM DR and VIP election over L2VN BD-L BD-R D L BD-L L2VN to left SF or Tenants L2VN to right SF or Tenants D R L3 standby BD-L IP6 L3 standby IP7

61 BD-L1-1 BD-L1-2 BD-L1-1 BD-L1-2 BD-L2-1 BD-L2-2 BD-L2-1 BD-L VRF-R BD-L VRF-R BD-L BD-R VRF-R VRF-R BD-L VRF-R BD-L BD-R VRF-R BD-R VRF-R BD-R VRF-R Service Chains -- Multiple Chains Service Chain 1 SC1-Instance1 Tenant-L1 DLP L1 FW L3 Tenant-R1 BD-R1-1 BD-R1-1 DLP L1 SC1-Instance2 FW L3 VRF-R1 VRF-R1 BD-R1-2 BD-R1-2 Tenant-L2 Service Chain 2 Service Chain 3 Tenant-R2 Inter VNet Not all connectors in a parallel service chain may be active Inter VNet VRF-R2 VRF-R2 BD-R2-1 BD-R2-1 BD-R2-2 BD-R2-2 Inter VNet Inter VNet RFC/Drafts: draft-ietf-bess-service-chaining

62 BD-L3-1 BD-L3-2 BD-L4-1 BD-L4-2 BD-L5-1 BD-L VRF-R VRF-R VRF-R VRF-R Service Chains -- Branching Chains Tenant-L3 VNet-L3 Service Chain 4 LB L3 Only Service VIP is visible to external. Can be learned using BGP. Tenant address is not visible. Tenant-L4 LB L3 Service Chain 6 Service Chain 5 VRF-T VRF-T External Network Tenant-L5 FW L1 FW L1 RFC/Drafts: draft-ietf-bess-service-chaining

63 BD-L6-1 BD-L6-2 BD-L7-1 BD-L VRF-R VRF-R inet.0 inet.0 VRF-R VRF-R Service Chains -- Dependent Chains (IP/EVPN Transport) Tenant-L6 Service Chain 7 (depends on Service Chain 8) LB L3 IPVPN Tenant-L7 LB L3 IPVPN External IPVPN Service Chain 8 Fabric VRF-R VRF-R FW L1 FW L1 VRF-T VRF-T External Transport Network RFC/Drafts: draft-ietf-bess-service-chaining

64 External Gateways (i.e. N-Way IP forwarders)

65 BD-L9-1 BD-L BD-L8-FW1 BD-L8-1 BD-L8-2 BD-T-FW1 BD-L9-FW1 VRF-T External Gateway ERB Tenant-L8 External Gateway interfaces are members of tenant overlays ERB Service Chain 6 Transit Tenant-L9 FW1a L3 FW1b L3 VRF-T VRF-T External Network ERB External Gateway connected to a service chain using a transit overlay External Gateway is L3 RFC/Drafts: draft-ietf-bess-service-chaining

66 BD-L9-1 BD-L BD-L8-FW1 BD-L8-1 BD-L8-2 BD-L BD-L9-FW1 BD-L BD-L BD-R BD-R L2 Linked Service Chain for Multicast Support ERB Tenant-L8 CRB Tenant-R8 FW1a L3 Bridged Transit Service Chain 9 L3 Bridged Transit FW2a L3 BD-R8-FW1 VRF-R8 BD-R8-1 BD-R8-2 Tenant-L9 FW1b L3 L3 BD-R FW2b L3 External Network Tenant-R9 BD-R9-FW1 VRF-R9 BD-R9-2 BD-R9-1 ERB Service Chain BD extended to External Gateway CRB

67 Overlay Replication

68 Pure Overlay BUM Replication (i.e Not Underlay Assisted) Overlay replication uses over-the-top signaling No hop-by-hop per-flow or per-group multicast signaling or BUM state in underlay No traditional underlay multicast protocols translates to lean core network design Multicast convergence same as unicast convergence on transit link or node failure VTEP 1 BD1 Source Stateless IP Core VTEP 2 VTEP 3 BD1 Receivers BD1 Receiver s

69 Pure Overlay Efficient Replication Capabilities in EVPN

70 Selective Multicast Replication Selective Replication IP Multicast VTEP 1 VTEP 2 VTEP 3 VLAN1 Source IP Multicast 3 2 EVPN SMET (*,G) Advertise VLAN1 Receivers SMET VLAN1 No Receivers IP Multicast EVPN SMET (*,*) Advertise VTEP 4 VLAN1 1 PIM Report Hello MRouter Ensures IP multicast flow is replicated by an ingress VTEP only to egress VTEP that have at least one active receiver for that flow Optimizes replication load on ingress edge and also prevents consuming bandwidth at an egress edge where there is no active receivers Uses EVPN Type-6 SMET route Consumes more state use policy to control which groups can participate in SMET JOIN SYNC EVPN Join Sync EVPN SMET Advertise Withdraw Join Sync EVPN Leave Sync VTEP 1 VLAN1 Join Receiver VTEP 2 DF VLAN1 5 EVPN SMET Withdraw VTEP 1 VLAN1 DF Receiver LEAVE SYNC VTEP 2 VLAN1 IGMP 1 LMQ 1 Report 3 Leave JOIN and LEAVE SYNC ensures that multicast is only forwarded to the local receivers that requested it via IGMP Required to support multihomed end-systems since IGMP PDUs sent by end-system may be hashed to non-df. Ensures DF installs appropriate forwarding state. Uses EVPN Type-7 Join Sync and Type-8 Leave Sync routes RFC/Drafts: draft-sajassi-bess-evpn-igmp-mld-proxy

71 Optimized Overlay Replication (continued) Optimized Inter-subnet Multicast Replication (OISM) Assisted BUM Replication (AR) SRC RCV VTEP1 VRF1 S-BD BD1 BD2 Replicates to S-BD if Source BD is absent OISM ensures that, for any tenant, only a single copy of an IP multicast packet is delivered to an egress VTEP, regardless of the number of subnets of the tenant at that egress VTEP with active receivers Works only with ERB Introduces distributed DR and S-BD New procedures, but no new route types VRF1 BD1 BD2 S-BD VTEP2 VTEP3 VRF1 S-BD BD2 RCV RCV RCV S-BD S-BD Assisted VRF1 VRF1 Replicators VLAN1 VLAN2 VLAN1 VLAN2 Assisted replication reduces the replication load on the ingress node using designated VNI-aware replicators Can load-balance across replicators in a replicator set Significantly reduces flood-next hop state at Leaf VTEP New procedures, new PMSI tunnel flags, no new route types Together with Selective Replication and OISM, Assisted Replication brings highly efficient replication without any need for hop-by-hop replication state RFC/Drafts: draft-lin-bess-evpn-irb-mcast, draft-ietf-bess-evpn-optimized-ir NVE

72 IP Multicast Options in Overlay Service Models

73 IP Multicast Routing with External Multicast-only Routers Operators who do not want to support IP multicast routing within the overlay network can delegate multicast routing to external multicast routers Should use incongruent multicast with MVPN based external multicast routers (such as MX) where unicast and multicast would follow different paths NVE VRF1 VRF1 BD1 BD2 BD1 BD2 BD1 VRF1 BD2 VRF1 BD2 NVE Inter-subnet multicast hairpins at external multicast routers where it is replicated into each subnet that has receivers Works with both Central and Edge Routed models BD1 BD2 MRT MR1 BD1 MRT MR2 BD2 The replication heavy-lifting is performed in the overlay. Ingress leaf perform replication to egress leaf. Egress leaf performs per-end-system replication External Multicast Routers Can be optimized with selective replication, and further optimized with assisted replication when available RFC/Drafts: draft-sajassi-bess-evpn-igmp-mld-proxy, draft-ietf-bess-evpn-optimized-ir

74 IP Multicast in CRB Overlay Classical model with PIM DR election at central gateway. Additional unique addresses are required for at gateways for PIM protocol signaling CRB Border Gateway BD1 VRF1 BD2 BD1 VRF1 BD2 BD1 BD2 BD2 CRB Access Inter-subnet multicast hairpins at a CRB gateway where it is replicated into each subnet that has receivers Multicast routing at CRB gateways with classical PIM DR election Can be optimized with selective replication, and further optimized with assisted replication RFC/Drafts: draft-sajassi-bess-evpn-igmp-mld-proxy, draft-ietf-bess-evpn-optimized-ir

75 IP Multicast in ERB Overlay (OISM) Leaf1 Leaf2 Leaf3 Multicast with external sources and receivers via border gateway VRF1 VRF1 VRF1 DR DR DR SRC RCV RCV RCV RCV RCV SBD ERB Border Gateway S-BD VRF1 S-BD VRF1 S-BD VRF1 BD1 BD2 S-BD VRF1 BD2 ERB w/ SBD Introduces distributed DR and Supplemental BD. All ERB anycast gateways act as local DRs and maintain IGMP state for local receivers across all its local subnets Ingress VTEP replicates to egress VTEP only over source subnet or S-BD (if egress VTEP does not have source subnet) IP multicast received over the source subnet is forwarded at each ERB gateway to local receivers across all local subnets Egress ERB gateways never re/forward IP multicast across core (i.e. into tunnels) A Supplemental BD is the one VLAN that must be present at all ERB VRF for a tenant. If a source subnet is not present at an egress VTEP, the ingress VTEP replicates to that VTEP on the S-BD VNI. Optimized with selective replication, and further optimized with assisted replication RFC/Drafts: draft-lin-bess-evpn-irb-mcast, draft-ietf-bess-evpn-optimized-ir

76 ERB with CRB Border Gateway Short-term solution for lack of native multicast support in ERB (i.e. OISM). Add bridging to Border Gateway East-west unicast is edge-routed CRB Border Gateway BD2 BD1 VRF1 BD2 VRF1 Multicast routing at central gateways with classical PIM DR election BD1 VRF1 VRF1 BD1 BD2 BD2 ERB North-south and east-west IP multicast forwarded at CRB Border Gateway More complex options possible where CRB gateway is not coupled with Border Gateway.

77 ERB with CRB Border Gateway Multicast Aggregates VRF-G MAC-VRF-T VLAN1 VLAN2 Border Type-2 MAC, Type-3 IMET Local Type-5 IP Host Type-5 IP Prefix Type-3 IMET, Type-6 SMET Default Default Leaf1 VRF-T SMET Host IP Host IP IP EVPN Host IP SMET VRF-T Leaf2 MAC-VRF-T MAC-VRF-T VLAN1 VLAN2 MAC/IP VLAN2 VLAN1 L2 EVPN H1 H2 H3 H4 RFC/Drafts: RFC7432, draft-ietf-bess-evpn-overlay, draft-ietf-bess-evpn-prefix-advertisement

78 RECAP EVPN overlay types for intra-tenant east-west networking Service chain concepts for extra-tenant north-south networking using EVPN VXLAN Optimized replication options for different overlay service models in EVPN VXLAN EVPN based networks are only as complex as they need to be Most use cases can be satisfied with only a few key building blocks Complexity is proportional to the functionality required EVPN VXLAN is an open standard. Equivalent proprietary technology is not any simpler. 78

79 The End