Lecture 8, VXLAN-EVPN
Intro
Preceded by L3 VPNs based on MPLS
Used to get a private routing instance across someone else's network
Connect multiple sites together
Lost against Multicast VPN
L2 VPNs:
No MAC learning or routing, just a "Pseudo-wire" between 2 interfaces
PE: Provider Edge
Competing standard #15: Ethernet VPN (EVPN)
Defined requirements to adhere to
BGP control plane
BGP route distinguisher & target
2 BGP peers exchange routes
Give a label to a particular route, define how to reach it (over what service)
Originally meant for MPLS dataplane only (no VXLAN)
VXLAN
Dataplane
L2 tunneling protocol over IP
MAC in IP encapsulation
Stretch L2 domains over an L3 (IP) network
Allows you to bypass STP
I.e. in a triangle topology, the path that STP would have blocked can still be used
Use all links in something like ECMP
Terms
Virtual Tunnel EndPoint (VTEP)
Virtual interface present on a device
Used to add/remove VXLAN headers on frames
Virtual Tunnel Interface (VTI)
The IP interface of the VTEP
E.g. the loopback mapped to a VTEP
Virtual Network Identifier (VNI)
A 24-bit field in the VXLAN header
Used to identify VXLAN segments
Up to 16 million domains
VXLAN tunnel
L2 stateless tunnel between two VTEPs
VXLAN frame
Inner frame: the original L2 MAC frame
VXLAN header: contains the VXLAN info
8 bytes long
8-bit flag field
24-bit reserved (future use)
24-bit VNI
8-bit reserved (future use)
UDP header:
Makes payload look like a regular data packet
UDP header is often used to hash packets
Varying the UDP source port is what spreads packets across links; the source port is not used by VXLAN itself
Outer frame:
L3 header: Source & destination VTEP IP
L2 header: Source & destination MAC (change hop-by-hop)
Used between L3 hops in the underlying network
Removed at each L3 hop, just like normal packet processing
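The frame layout above (outer Ethernet, outer IPv4, UDP, 8-byte VXLAN header, inner L2 frame) as an added worked example in Python; this is not code from the lecture. It packs and parses the VXLAN header bit-for-bit as described (8-bit flags, 24-bit reserved, 24-bit VNI, 8-bit reserved), checks the I flag that marks the VNI as valid, derives the UDP source port from a hash of the inner frame so the underlay's ECMP hash spreads flows (the receiver ignores that port), and verifies the outer IPv4 checksum on decapsulation. The VTEP IPs, MACs and inner frame are constructed sample values; the UDP destination port 4789 and the I flag bit are from RFC 7348.

```python
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field carries a valid VNI
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17

# Constructed sample values: outer MACs of the two L3 hops and a 42-byte inner frame
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
INNER_FRAME = (bytes.fromhex("00000000aaaa") + bytes.fromhex("00000000bbbb")
               + b"\x08\x00" + b"\x45\x00\x00\x1c" + b"\x00" * 24)


def build_vxlan_header(vni: int, flags: int = VXLAN_FLAG_I) -> bytes:
    """8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", flags << 24, vni << 8)


def parse_vxlan_header(data: bytes):
    """Return (flags, vni); reject a header whose I flag is clear (VNI not valid)."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", data[:8])
    flags, vni = word0 >> 24, word1 >> 8
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return flags, vni


def entropy_source_port(inner_frame: bytes) -> int:
    """UDP source port from a hash of the inner headers (Ethernet + IPv4 + L4 ports, 38 bytes).
    Underlay ECMP hashes on the outer 5-tuple, so this spreads inner flows across links.
    RFC 7348 recommends the ephemeral range 49152-65535; the receiver ignores the value."""
    h = zlib.crc32(inner_frame[:38])
    return 49152 + (h % (65535 - 49152 + 1))


def ipv4_checksum(header: bytes) -> int:
    """Standard ones-complement sum over 16-bit words; 0 when a valid checksum is included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, IP_PROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_mac: bytes, dst_mac: bytes) -> bytes:
    """VTEP transmit side: add VXLAN, UDP, outer IPv4 and outer Ethernet headers."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0 = not computed, which RFC 7348 allows over IPv4
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    ip = _ipv4_header(src_vtep, dst_vtep, udp_len)
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(packet: bytes):
    """VTEP receive side: validate outer headers and return (src_vtep, dst_vtep, vni, inner_frame)."""
    if len(packet) < 14 + 20 + 8 + 8:
        raise ValueError("packet too short for VXLAN")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IP_PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    if ipv4_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    src_ip = socket.inet_ntoa(packet[14 + 12:14 + 16])
    dst_ip = socket.inet_ntoa(packet[14 + 16:14 + 20])
    udp_off = 14 + ihl
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    _flags, vni = parse_vxlan_header(packet[vx_off:vx_off + 8])
    return src_ip, dst_ip, vni, packet[vx_off + 8:udp_off + ulen]


if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, 300, "10.0.0.1", "10.0.0.2", SRC_MAC, DST_MAC)
    print(len(pkt), decapsulate(pkt)[:3])
```

Note that nothing in the outer headers authenticates the VNI: a VTEP that accepts VXLAN from any source places the inner frame into whatever segment the header names, which is why VTEP source addresses are normally filtered at the underlay edge.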
Characteristics
VTEPs are not bound to physical ports
Act more like loopback interfaces
VTEPs are multi-tenant
One VTEP can serve an entire switch
Tenants are segmented by VNIs
VXLAN tunnels are multipoint
Typical IP tunnelling is p2p
VXLAN tunnels are stateless
VXLAN requires MAC learning
VTEPs and Broadcast
VTEPs receive broadcast/multicast frames and send a unicast copy to each other VTEP in the domain
Process is called Head End Replication (HER)
Flood Lists
Local table that contains which VTEPs are part of a domain
Which L2 services (which VNIs) live on which VTEP
Manually configured
Does not scale
How to make it scale:
1. Use a proprietary controller to discover VTEPs and update Flood Lists
2. Use a standardised and distributed protocol to discover VTEPs and update flood lists
This is where EVPN comes in
EVPN
Control plane
Defines VPN services using VXLAN as the tunnelling protocol
Defines a standard that, using multi-protocol BGP:
Discover remote VTEPs
Discover the VNIs of each VTEP
Update the flood lists when a new VTEP joins
VTEPs also require MAC learning to know where to send packets
Done through ARP over HER, but
EVPN also standardises the process of distributing locally learned MACs to remote VTEPs
EVPN Type-2 route updates
Terms
Network Virtualization Overlay (NVO)
Also known as a VXLAN domain
Basically maps to a VNI
Network Virtualization Endpoint (NVE)
Usually a switch or a router
EVPN Instance (EVI)
Logical container hosting L2/L3VPN service
MAC-VRF (MAC virtual routing and forwarding instance)
Isolation construct
Holds one (or more) bridge tables
Route types
Standard route types
Type 2 routes: MAC advertisement routes
"This MAC address, is with me"
Type 3 routes: Inclusive Multicast Ethernet Tag (IMET)
"This particular VNI, I have it"
Type 5 routes: IP prefix route
Carry subnets for IP-VPN functionality
Service Interface Types
Service interface defines how clients are mapped to VPN services
VLAN-based Service
Each EVI maps to one L2 domain (VLAN)
Each NVE can use a different VLAN on its local tenant side
VLAN 100 -> VNI 300 -> VLAN 300
BGP config
Route distinguisher: route came from me
Route-target: both export and import
VLAN Aware Bundle Service
Multiple VLANs associated with a single MAC-VRF (and EVI)
VLAN tag is carried in route update for the EVI
Ethernet tag is retained in VXLAN encapsulated frame
ETID can remain if VLAN translation is required
Reduces config when granularity is not required
MAC learning in EVPN
MAC learning is done through a combination of data plane and control plane
When a switch receives an L2 frame from a local interface, it learns the source MAC
Updates its own ARP table
Actively sends a BGP update to its EVPN peers that this MAC can be reached through its VTEP IP
Advertised between VTEPs through type-2 route advertisements
Contains MAC
Optionally also contains IP of the host that owns the MAC
By filling the tables through BGP updates
Less flooding
Switches already know IP/MAC binding
Also allows ARP proxying, so the local VTEP answers the ARP request
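An added Python model of the control plane described in the flood-list, EVPN route-type and MAC-learning sections above; it is not code from the lecture. Three VTEPs peer in a full mesh (a route reflector would sit in between in practice, assumed away here), each VNI gets a VLAN-based EVI with a route-target of the form ASN:VNI (a constructed convention), Type-3 IMET routes build the per-VNI flood lists, Type-2 routes carry MAC and optionally IP, known unicast goes to one tunnel while BUM and unknown unicast are head-end replicated to every VTEP in the flood list, and the MAC/IP bindings learned via BGP let a VTEP answer ARP locally instead of flooding. VTEP names, IPs, MACs and VNIs are constructed sample values.

```python
from collections import defaultdict

ASN = 65000                       # constructed: route-targets are "ASN:VNI" in this demo
BCAST = "ff:ff:ff:ff:ff:ff"


def is_bum(mac: str) -> bool:
    """Broadcast/multicast MACs have the group bit set in the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Vtep:
    def __init__(self, name: str, ip: str):
        self.name, self.ip = name, ip
        self.vnis = set()               # locally configured VNIs (VLAN-based service: one VNI per EVI)
        self.import_rts = set()         # route-targets this VTEP imports
        self.peers = []                 # BGP EVPN peers
        self.rib = []                   # every received EVPN route (Adj-RIB-In), imported or not
        self.local_macs = {}            # (vni, mac) -> ip or None, learned on the data plane
        self.flood_list = defaultdict(set)   # vni -> remote VTEP IPs, from Type-3 routes
        self.mac_table = {}             # (vni, mac) -> "local" or remote VTEP IP, from Type-2 routes
        self.arp_table = {}             # (vni, ip) -> mac, from Type-2 MAC+IP routes

    def peer(self, other: "Vtep"):
        self.peers.append(other)

    def _rt(self, vni: int) -> str:
        return f"{ASN}:{vni}"

    def _advertise(self, route: dict):
        # Route distinguisher marks the origin ("this route came from me"); next hop is our VTEP IP
        route = dict(route, rd=f"{self.ip}:1", vtep=self.ip)
        for p in self.peers:
            p.receive(route)

    def receive(self, route: dict):
        self.rib.append(route)
        self._import()

    def _import(self):
        """Rebuild forwarding state from local learning plus RIB routes whose RT we import."""
        self.flood_list = defaultdict(set)
        self.mac_table = {key: "local" for key in self.local_macs}
        self.arp_table = {(v, ip): m for (v, m), ip in self.local_macs.items() if ip}
        for r in self.rib:
            if r["rt"] not in self.import_rts:
                continue
            if r["type"] == 3:                       # IMET: "this VNI, I have it"
                self.flood_list[r["vni"]].add(r["vtep"])
            elif r["type"] == 2:                     # MAC advertisement: "this MAC is with me"
                self.mac_table[(r["vni"], r["mac"])] = r["vtep"]
                if r.get("ip"):
                    self.arp_table[(r["vni"], r["ip"])] = r["mac"]

    def add_vni(self, vni: int):
        self.vnis.add(vni)
        self.import_rts.add(self._rt(vni))
        self._import()                               # routes received before we cared are now imported
        self._advertise({"type": 3, "vni": vni, "rt": self._rt(vni)})

    def learn_local(self, vni: int, mac: str, ip: str = None):
        """Data-plane learning on a local port, then a Type-2 update to all EVPN peers."""
        self.local_macs[(vni, mac)] = ip
        self._import()
        self._advertise({"type": 2, "vni": vni, "rt": self._rt(vni), "mac": mac, "ip": ip})

    def forward(self, vni: int, dst_mac: str):
        """Return the tunnel destinations for a frame: one VTEP (or 'local') for known unicast,
        a head-end-replicated unicast copy per flood-list member for BUM or unknown unicast."""
        nh = self.mac_table.get((vni, dst_mac))
        if nh is None or is_bum(dst_mac):
            return sorted(self.flood_list[vni])
        return [nh]

    def arp_lookup(self, vni: int, ip: str):
        """ARP suppression: answer from the binding learned over BGP, None means flood the request."""
        return self.arp_table.get((vni, ip))


def build_fabric():
    """Constructed scenario: leaf-a and leaf-b share VNI 300, leaf-b and leaf-c share VNI 400."""
    a, b, c = Vtep("leaf-a", "10.0.0.1"), Vtep("leaf-b", "10.0.0.2"), Vtep("leaf-c", "10.0.0.3")
    for x in (a, b, c):
        for y in (a, b, c):
            if x is not y:
                x.peer(y)
    a.add_vni(300)
    b.add_vni(300)
    b.add_vni(400)
    c.add_vni(400)
    a.learn_local(300, "00:00:00:00:00:aa", "192.0.2.10")
    b.learn_local(300, "00:00:00:00:00:bb")
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_fabric()
    print(dict(b.flood_list), b.forward(300, "00:00:00:00:00:aa"), b.arp_lookup(300, "192.0.2.10"))
```

The route-target filter is the only thing keeping leaf-c out of VNI 300: it still receives every route, which is why a misconfigured import RT on one leaf silently joins it to another tenant's segment.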
Mac Mobility
When a VM changes host, the new NVE will
Learn the MAC of the migrated VM locally
Update its MAC db, and increment the sequence number for that MAC by 1 (since it already had an entry)
Send an update, with said increased seq., causing others to adopt it
If an NVE sees the same MAC moving (more than 5 times in Z seconds)
Generate a SYSLOG message
Stop sending and processing updates for that MAC
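The MAC mobility procedure above as an added Python example, not code from the lecture: a per-VTEP MAC table in which local learning of an already-known MAC bumps the Type-2 sequence number, a received update is adopted only when its sequence number is higher (lower VTEP IP wins a tie, the RFC 7432 tie-break), and a MAC that moves more than a threshold number of times inside a sliding window is logged and frozen so its updates are neither sent nor processed. The threshold of 5 moves and the 180-second window are the RFC 7432 defaults standing in for the lecture's "Z seconds"; the VTEP IPs and MAC are constructed, and the simulation runs on a fake clock.

```python
import ipaddress
import time
from collections import deque

MOVE_THRESHOLD = 5      # RFC 7432 default, used here for the lecture's "more than 5 moves"
WINDOW_SECONDS = 180    # RFC 7432 default, used here for the lecture's "Z seconds"


class MacMobilityTable:
    """One VTEP's view of a MAC: owning VTEP plus EVPN sequence number, with flap detection."""

    def __init__(self, local_vtep: str, threshold: int = MOVE_THRESHOLD,
                 window: float = WINDOW_SECONDS, clock=time.monotonic):
        self.local_vtep = local_vtep
        self.entries = {}        # mac -> {"vtep": ip, "seq": n}
        self.moves = {}          # mac -> deque of move timestamps inside the window
        self.frozen = set()      # MACs for which updates are no longer sent or processed
        self.syslog = []
        self.threshold, self.window, self.clock = threshold, window, clock

    def _record_move(self, mac: str):
        now = self.clock()
        q = self.moves.setdefault(mac, deque())
        q.append(now)
        while q and now - q[0] > self.window:      # drop moves that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            self.frozen.add(mac)
            self.syslog.append(f"duplicate MAC {mac}: {len(q)} moves in {self.window}s, freezing")

    def learn_local(self, mac: str):
        """Data-plane learning on a local port. Returns the Type-2 route to advertise, or None."""
        if mac in self.frozen:
            return None
        e = self.entries.get(mac)
        if e is not None and e["vtep"] == self.local_vtep:
            return None                              # already ours, nothing to announce
        seq = e["seq"] + 1 if e is not None else 0   # bump the sequence number on a move
        self.entries[mac] = {"vtep": self.local_vtep, "seq": seq}
        if e is not None:
            self._record_move(mac)
        return {"type": 2, "mac": mac, "vtep": self.local_vtep, "seq": seq}

    def receive(self, route: dict) -> bool:
        """Type-2 update from a peer. Adopt only a higher sequence number; on a tie the lower
        VTEP IP wins. Returns True if the table changed."""
        mac = route["mac"]
        if mac in self.frozen:
            return False
        e = self.entries.get(mac)
        if e is not None:
            if route["seq"] < e["seq"]:
                return False
            if route["seq"] == e["seq"] and \
                    ipaddress.ip_address(route["vtep"]) >= ipaddress.ip_address(e["vtep"]):
                return False
        self.entries[mac] = {"vtep": route["vtep"], "seq": route["seq"]}
        if e is not None and e["vtep"] != route["vtep"]:
            self._record_move(mac)
        return True


def simulate_flapping(n_moves: int, gap_seconds: float) -> MacMobilityTable:
    """Constructed scenario: one MAC alternates between this VTEP (10.0.0.1) and a remote
    VTEP (10.0.0.2) n_moves times, gap_seconds apart, on a fake clock."""
    now = [0.0]
    tbl = MacMobilityTable("10.0.0.1", clock=lambda: now[0])
    mac = "00:00:00:00:00:aa"
    tbl.learn_local(mac)                             # seq 0, owned locally
    for i in range(n_moves):
        now[0] += gap_seconds
        if i % 2 == 0:                               # remote VTEP learned it and bumped the seq
            seq = tbl.entries[mac]["seq"] + 1
            tbl.receive({"type": 2, "mac": mac, "vtep": "10.0.0.2", "seq": seq})
        else:                                        # it came back to a local port
            tbl.learn_local(mac)
    return tbl


if __name__ == "__main__":
    t = simulate_flapping(6, 10)
    print(t.entries, t.frozen, t.syslog)
```

Six moves ten seconds apart trip the detector; the same six moves 100 seconds apart do not, because at most two of them ever sit inside the 180-second window at once. Freezing is also what stops a duplicate MAC (two hosts, or a spoofed one, claiming the same address) from driving an endless stream of BGP updates through the fabric.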
VXLAN bridging and routing
Integrated routing and bridging (IRB) is the ability to route between L2 domains in VXLAN
Inter VLAN routing stretched across an EVPN domain
Routing is built into the VTEP
Always route as close to the source as possible
Routing in EVPN is based on a hierarchy
IRB uses an anycast IP for the IRB interface
Every IRB has the same IP
The first device the packet comes into will route it