VPLS, PPB, EVPN and VxLAN Diagrams

Transcription

1 VLS, B, EVN and VxLAN Diagrams Contents 1. VLS Signalling: An overview of how VLS is signalled to create the pseudowires and how the different labels are chosen. This based on the following document: VLS with BG Signalling - Cisco TAC Document ID VLS Issues: Common issues experienced within a VLS setup. 3. B Switching: A look at the path a packet will take through a BB Switched network, including the different labels and identifiers used. This is partially based on Any images marked with taken from the document, I claim no credit for their creation. are 4. EVN Overview: Shows the operation and principles involved in EVN. This is partially based on apricot-evpn-presentation_ pdf. Any images marked with credit for their creation. are taken from the document, I claim no 5. EVN Operation: More detailed notes on the processes involved in EVN. 6. BB-EVN: Some of the basic processes involved when the above two technologies work together (MAC learning and advertisements) 7. Inter-operation: A conceptual diagram showing how B-EVN and VLS technologies could interrelated in a Service rovider core. 8. VxLAN: A very brief overview of a VxLAN packet. by Steven Crutchley

2 router bgp 1 l2vpn context ONE vpn id 100 autodiscovered bgp singaling bgp ve id 1001 ve range 50 route-target export 32:64 route-target import 32:64 If A BG Router Reflector runs software that does not support RFC 4761, but does have support for RFC 4762, the special BG neighbor x.x.x.x prefixlength-size 2 configuration command is needed on the Route Reflector so it can reflect the BG updates used for RFC RFC 4762: VLS Discovery = BG (auto) Signalling = LD RFC 4761: VLS Discovery = BG (auto) Signalling = BG (auto) VLS - BG Signalling Operation Based on VLS with BG Signalling - Cisco TAC Document ID LD still used as hop-by-hop used for tunnel labels 3 If the process of selecting a label fails 1 will notice, when it gets an update from 3. Knowing its own advertised label range, it will see that the VE-ID will fall outside of the VBO <= VE-ID < (VBO + VBS) test. So in reaction, 1 will send a new update with new VBO and LB values. It should now accommodate the VE-ID of 3. 3 may do the same in the opposite direction. Both advertised blocks will show in show bgp commands. Blocks of contiguous VE-IDs are less likely to require second BG messages to be sent. mpls label range router bgp 1 roblem Statement VLS needs point-to-mutlipoint Ws. s within one VLS Realm could be manually configured or discovered using BG. But targeted LD would still be needed for signalling. This diagram shows how to use BG for signalling (RFC4761). ibg is used because of its full mesh requirement with Router Reflectors. There would be two methods to send updates: 1. Send one update per W. But this goes to all routers and only one of them can use this information (the that is the other end of the W in question) 2. To avoid a high level of updates, one local router sends a set/block of local VC labels to all remote routers. Each remote picks a VC label in a unique fashion, so that no other picks the same one. There must be enough labels and they must not be wasted. This diagram describes this second method. ID N L R I C o m m u n i t i e s Signalling (octets) Indentity Length (2) RD (8) VE ID (2) VE Block Offset (2) VE Block Size (2) Label Base (3) Extended Comm Type (2) Encapsulation Type (1) Control Flags (1) Layer 2 MTU (2) Reservered (2) Additional RTs (import, export ) BG Signalling Update BG sender - afi/safi 25/65. l2 router-id <id> identity of the VLS domain. If not configured format is ASN:vpn_id (VE-ID) must be a unique to each to identify it within the VLS domain RR (VBO) gap used if more than one block needs to be sent. VBO = RND (VE-ID/VBS) * VBS (VBS) size of the block set (default 10). ve range (LB) first free label in the block 0x800A Encapsulation Type (1) 0-5 must be zero. 6 = C for control word. 7 = S for sequencing imports and exports from an L2VN like MLS L3VN RND = the maximum value out of the division result, rounded down or 1. Full mesh reflection 2 To select VC label from block sent by 1, it must determine if VBO is within range of its configuration. Note the VBO will be very close to the LB. This is essentially the range the 1 is offering 2. VBO <= VE-ID < (VBO + VBS) If this passes, VC label is determined using: LB + VE-ID - VBO Examples VBS of 20, VBO of 5 and LB of 10. VBO + VBS = 25. VE-ID of 6 succeeds. 5<=6<25 Label = =11 VE-ID of 26 fails. 26>25 Label = =31 (above block) VE-ID of 3 fails. 3<5 Label = =8 (below block) The successful label is used as the remote label in the output (10002 in the example shown) The same process is done in the opposite direction l2vpn context ONE vpn id 100 autodiscovered bgp singaling bgp ve id 1002 ve range 50 route-target export 32:64 route-target import 32:64 mpls label range VE-ID = 3 (VC Label 8) VE-ID = 6 (VC Label 11) VE-ID = 26 (VC Label 31)

3 VLS Issues MAC Learning Flood ARs and BUM traffic Learn Source MAC Multihoming BDUs Multi homed s can get their own packet back from the core MAC Move MAC moves - wait for MaxAge

4 acket ath through Switched BB Network Customer C Legend S = Assigned by supplier for bridged network B = Assigned by supplier for backbone bridged network C = Assigned by customer DA = Destination MAC Address SA = Source MAC Address TAG = VLAN tag (also termed VLAN) SID = Service ID C-Switch BUM = Broadcast, Multicast or Unknown Unicast (when referring to traffic) 802.1ad QinQ Devices B = rovider Edge Bridge CB = Core rovider Bridge 802.1ah BB Devices BEB = rovider Backbone Edge Bridge BCB = rovider Backbone Core Bridge Customer switch adds a VLAN tag onto the packet and sends it over a trunk link across their network and ultimately up to the provider B CB B assed to rovider s Backbone Network Service rovider, using QinQ, adds their own VLAN tag (S- TAG) to the frame S-TAG assed through Service rovider 802.1ad core S-TAG BEBs > Each BEB is identified by a unique unicast B-MAC Address. > BEBs learn and forward based on both C-MAC and B- MAC addresses. > It builds a map of C-MAC to B-MAC addresses. Bridge Forwarding Database (Bridge FDB) Within the B-MAC address space or core: The FDB to use is selected based on the B-TAG. Within the C-MAC Address space: Frames coming in from access (from 802.1ad) have their FDB selected based on the S-TAG. Frames coming in from the B-MAC core: Have their FDB selected based on the I-SID Set to egress BEBs MAC (BEB2-MAC) BEB1 Entire Frame is encapsulated using 802.1ah. This includes a 24bit SID (breakdown below), an optional VLAN tag for the BB network and the source and destination MAC addresses within the BB network. B-MAC address space. Forwarding based on outer B-MAC. B-DA B-SA B-TAG B BEB2 BCB S-TAGs are mapped to SIDs SID same length as VLAN header SIDs are bundled into B-TAG VLANs if used. B-TAG defines the transport topology in the BB network C DEI UCA RES I-SID S-TAG S-TAG CB C = priority code points DEI = drop eligibility indication UCA = Use customer address RES = Reserved I-SID = Actual identifier value for the SID (Service Instance Identifier) B C-Switch Customer C you only care about the ORT. Not the tagging. ort-based Service Interface (UNI) Each I-SID will have a multicast group for BUM traffic so think how this will affect things if many customers map to one I-SID (See BUM Network acket Flow diagrams below) Looking at S-TAG Service Interfaces (below) as an example, this depends on how customers are mapped to S-TAGs or SIDs. It could be one customer per S-TAG in the 802.1ad realm. If the provider doesn t want to separate them in the core you could use S- TAG port mode. Or give them each their own setup and use S-TAG Mode. Or some customers could use multiple S-TAGs (in which case you might what S-TAG bundle mode). Or maybe each customer does only have one S- TAG each and you want to give a fixed number of internal topologies rather than one each (also bundle mode) similar to mapping VLANs to MST instances S-Tagged Service Interface (UNI) s, Untagged and riority tagged frames all map to one SID. All S-TAGs map to one SID Each S-TAG maps to own SID Some S-TAGs map to some SIDs I-Tagged Service Instance (Inter-provider NNI) (In these diagrams the term TAG has been replaced with VLAN) C-Tagged Service Interface (UNI) (In these diagrams the term TAG has been replaced with VLAN) Looking one level deeper just at I-SIDs. I-TAG = SID + + In this instance there is no 802.1ad network. Comes straight from customer VLANs. If it is a one to one mapping you don t need to worry about the VLAN tag but if multiple VLANs map to one SID (either because it is multiple customers or one customer wants different treatment for multiple VLANs) you do need to carry the VLANs. SIDs translated. SIDs can be bundle into B-TAGs allowing for independent provider topologies Each SID limited to single provider. B-DA might need translating. Single on UNI mapped to one SID each - doesn t need to carry over. However Bundle Mode means that multiple s are mapped to single SID (i.e. the C- TAG does matter) Some parts of this diagram have been based on BRKSG-2203.pdf

5 EVN L3VN EVN Multihomed devices can be > Single-Active: with one active > All-Active: with multiple active s (will need split horizon and designated forwarding) EVI 4 VRF MLS or VXLAN control plane 3 1 Data lane learning can be static or dynamic LD still used as hop-by-hop for tunnel labels 1 3 Overview AFI = 25 (L2VN), SAFI = 70 (EVN). ECM from mutlihomed s is possible. EVI is a VN instance (like a VRF for L3VN). ESI is a link that connects the to the s. advertises MAC addresses and next hops from s using MBG Full mesh reflection 2 LAG (with All Active mode) L2 and L3 services in one VN. Multiple Data lane encapsulation models (MLS or VXLAN). AR or ND proxy ( responds on behalf of client) No more flood-and-learn. re-signalled FDB used instead. You can control who learns what MAC (using policies). This update will be one of the route types shown below BG Update (octets) RD (8) ESI (10) Ethernet Tag ID (4) MAC Length (1) MAC Address (6) I Length (1) I Address (0, 4 or 16) MLS Label 1 (3) MLS Label 2 (0 or 3) Each EVI (just like a VRF) has an RD (?) Ethernet Segment Identifier Broadcast domain (VLAN) for the EVN 48-bit MAC address 0 for no I, 4 for Iv4 and 16 for Iv6 MLS Label for EVI (?) Label for split horizon BUUM traffic (?) RR Services Overview VLAN Based - one to one 1:1 mapping of VLAN to EVI. VLAN translation allowed. Single bridge domain per EVI. Ethernet tag in route is set to 0. A VLAN WILL MA TO AN EVI MUCH LIKE A VLAN (S-TAG or ) MAD TO AN I-SID One EVI per VLAN (possibly indicating each customer is represented by one VLAN. OR each customers VLAN gets an EVI). When carried across an EVI the Ethernet Tag ID isn t needed to differentiate. EVN Data lanes (including VXLAN) Ext comms VLAN Bundle - EVI doesn t care about the VLAN and multiple VLANs map to it Multiple to one mapping of VLAN to EVI. Still single bridge domain for each EVI. MACs need to be unique across VLANs. No VLAN translation. Ethernet tag in route is set to 0. Mapping multiple VLANs to one EVI the only catch is that duplicate MACs could cause issues. VLANs are not carried across. (BB functionality over MLS) VLAN Aware - EVI cares about what the VLAN is Multiple to one Mapping of VLAN to EVI. Multiple broadcast domains. One bridge domain per VLAN. VLAN translation allowed (look at left then right VIDs). Ethernet tag is set to configured tag (VLAN). Some parts of this diagram have been based on conference.apnic.net/data/37/ apricot-evpnpresentation_ pdf Mapping multiple VLANs to one EVI but the VLAN is cared about, so you have one broadcast domain per EVI (e.g. the Ethernet tag is not zero) - possibly one customer with multiple VLANs.

6 EVN Operation Can have same DFs for all ESIs or different DFs for different ESIs DF All-Active MULTIHOMING and SLIT HORIZON Split horizon = BUM traffic from one ESI is not forwarded back onto the same ESI. A split horizon label is advertised by s for filtering. 1 s connected to multihomed s discover each other through auto discovery. One is selected the DF (designated forwarder). 2 Blocks BUM traffic to avoid duplication Non-BF blocks BUM flooding. 4 You could have spoofed or AR/ND roxy untrusted sources additionally you could get large levels of unknown unicast All MACs and Is are 2 advertised by all s. Snooping reduces unknown unicast flooding. 2 rovisioning MACs can eliminate it entirely. 4 MAC learned These s know that the MAC Aliasing address in question is reachable MAC not learned Load balance to All Active setups over a give ethernet segment (represented by ESI) and so can load balance between the two 1 3 s connected to that ESI. 1 (MAC Address) 2 Advertisement is mapping MAC to ESI 2 2 doesn t need to learn the source MAC to have it be involved in the load balancing. It does not need to advertise anything. This setup could also be used for Active-Standby 4 MAC Mobility MAC/I Seq# 2 Highest MAC (included in an extended If learned via Sequence wins community) data plane, may not detect move and won t send withdrawal. Device moved to new location within network 4 This triggers withdrawal of old MAC Default Gateway Inter-subnet Forwarding GATEWAY GATEWAY EVN Supports inter-subnet forwarding when I routing is required. No additional separate L3VN Functionality is needed. EVN uses the default gateway. 2 GATEWAY One or more s are configured as the default gateway, or :: MAC is advertised with default gateway extended community. Local s respond to AR/ND requests for default gateway 4 GATEWAY Enables efficient routing at local MAC Mass-Withdrawal Withdraw ESI 2 advertises two routes (1) MAC/I address and its ESI If failure affects an ESI the simply withdraws routes for that ESI. Remote s remove failed 4 (2) Connectivity to ESIs from path for all MAC addresses associated with an ESI. Fast convergence. Don t have to wait for individual MAC addresses to be withdrawn

7 BB-EVN Overview (view of the packet on the wire in the core) Tunnel Label EVN Label Flow Label Control Word B-DA B-SA I-SID MLS Core BEB MAC address to MAC address mapping BEB- Frames encapsulated in BB headers (MAC-in- MAC) BEB- BEB- RR EVN advertises MACs using BG BEB- (1) MAC Learning MLS Core aaaa.aaaa.aaaa BEB- (2) BEB- bbbb.bbbb.bbbb BEB- RR BG Core only knows B-MACs BEB- cccc.cccc.cccc (1) acket goes to BEB1: Source MAC learning (2) Doesn t know destination: Broadcast AR. All remote s learn B-MAC that aaaa.aaaa.aaaa maps to. In this way a B-MAC to C-MAC table is built.

8 Inter-operation Typhoon Cards (VLS or BB-EVN) VLS VFI Customer Bridge Domain EVI Customer Bridge Domain R2 Only Trident Cards (VLS Only) R1 VFI VLS BB- EVN Core Bridge Domain (For BEB MACs) VLS EVI Customer Bridge Domain VFI R3 Typhoon Cards (VLS or BB-EVN)

9 VxLAN is a Layer 2 overlay scheme on a Layer 3 network. Each overlay is termed a VXLAN segment. Each segment has a 24 bit identifier called a VNI (VxLAN Network Identifier). A VNI is an outer header that encapsulates the inner MAC. VxLAN Tunnel End oints hide the VxLAN infrastructure from hosts and could be on physical or virtual switches or servers. Multicast carries BUM traffic (destination is multicast group for VNI segment). VTE I to VM MAC learning needs to take place (control plane learning like BG with EVN). VTEs must not fragment VxLAN packets. VxLAN Overview DM = Destination MAC SM = Source MAC DI = Destination I SI = Source I I = Inner O = Outer (sections not to scale. Some part missing - only shown to give most important parts and general idea) O-DM O-SM O-VLAN O-SI O-DI UD source ort UD Dest ort (VXLAN) VxLAN header (incl. VNI) I-DM I-SM Underlying network is usually layer 3 Look up VNI that this host is associated with. Is destination MAC on same segment and is there a mapping? VTE1 Only hosts in same VxLAN segment can communicate with one another VTE2 Upon receipt, VTE will validate VNI and determine whether a host in that VNI matches inner MAC. If so it decapsulates it and sends it on. I-DM I-SM I-DM I-SM WWW WWW