Branching Out with SDN, APRICOT 2015
TRANSCRIPT
Copyright 2015 Alcatel-Lucent. All rights reserved.
BRANCHING OUT WITH SDN: USING SDN TO BUILD L2/L3VPNS
Alastair Johnson, March 2015
9-Mar-15
AGENDA
1. INTRODUCTION
2. TECHNOLOGY RECAP
a. VXLAN
b. EVPN
3. PUTTING IT TOGETHER
4. COMPARISON
5. CONCLUSION
SOFTWARE DEFINED NETWORKING
New ways of thinking about existing ways of working
Decoupled architecture means each vendor can focus on its strengths
Decreased barrier to entry for startups provides multiple choices for customers
Feature stability: long hardware cycles do not affect software features
[Figure: the vertically integrated stack (management and policy, OS, hardware) beside the decoupled SDN model, where one controller spans multiple hardware elements]
INTRODUCTION
The WAN space has been relatively unchanged for the better part of 15 years
IP-VPNs are fundamentally the same as they were in 2000 (RFC 2547 was published in March 1999)
L2VPNs are fundamentally the same as they were in 2007
The CPE has remained unchanged for the same period of time
Basically still the same device: vertically integrated hardware and software, running routing protocols and a variety of LAN/WAN interfaces
Maybe a little bit faster than it used to be
SOFTWARE DEFINED VPN (SD-VPN)
What if there was a new way of thinking about VPN services which embraces the "smart edge, dumb core" philosophy?
What if there was a way to change the CPE paradigm?
What if there was a way to transport L2 services over any L3 network?
What if there was a way to do this in an operationally efficient manner?
TECHNOLOGY RECAP: VXLAN
VXLAN encapsulates Ethernet in IP
Runs over IPv4 or IPv6
Uses UDP; the source port is a hash of the inner MAC or IP addresses to provide load-balancing entropy for the underlay
The 8-byte VXLAN header provides a 24-bit VXLAN Network Identifier (VNI) and flags
Total encapsulation overhead is ~50 bytes (outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8; more with an IPv6 underlay or outer VLAN tags)
VXLAN is routable with IP, so the underlay may be any network that uses existing resiliency and load-balancing mechanisms: ECMP, IGPs/BGP, IP FRR
VXLAN tunnel endpoints can be on network equipment or computing infrastructure, delivering a VPN straight to a hypervisor
[Figure: VXLAN endpoints connected across IP networks that rely on IP FRR, ECMP and an IGP]
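As an added example (not part of the original deck), the following Python builds and parses the encapsulation described on this slide: the 8-byte header with the I flag and 24-bit VNI, the RFC 7348 recommendation of deriving the outer UDP source port from a hash of the inner headers in the 49152-65535 range so that the underlay's ECMP spreads flows, and the overhead count. The endpoint addresses 192.0.2.1 and 192.0.2.3, the VNI 123456 and the source MAC aa:bb:cc:dd:ee:ff are taken from later slides; the inner frame and the blake2b-based port hash are constructed here for illustration (RFC 7348 leaves the hash function to the implementation).

```python
"""VXLAN (RFC 7348) header and encapsulation helpers.
Added example for this page; not code from the original presentation."""
from __future__ import annotations

import hashlib
import struct
from ipaddress import IPv4Address
from typing import Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field carries a valid VNI
ETH_HDR, IPV4_HDR, IPV6_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 40, 8, 8


def pack_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags (1) | reserved (3) | VNI (3) | reserved (1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI; reject a header without the I flag. RFC 7348 says
    receivers MUST ignore reserved fields and other flag bits, so only the
    I bit is checked."""
    if len(hdr) < VXLAN_HDR:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", hdr[:VXLAN_HDR])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return vni_field >> 8


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port derived from the inner MACs (plus inner IPv4
    addresses when present), constrained to the dynamic range 49152-65535
    as RFC 7348 recommends. The hash function is this example's choice."""
    key = inner_frame[:14]                       # inner dst MAC, src MAC, EtherType
    if len(inner_frame) >= 34 and inner_frame[12:14] == b"\x08\x00":
        key += inner_frame[26:34]                # inner IPv4 src/dst
    digest = hashlib.blake2b(key, digest_size=2).digest()
    return 49152 + int.from_bytes(digest, "big") % 16384


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when verifying a good header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """Outer IPv4 + UDP + VXLAN around a customer Ethernet frame. The outer
    Ethernet header is left to the sending interface; the UDP checksum is
    zero, which RFC 7348 permits over IPv4."""
    vx = pack_vxlan_header(vni)
    udp_len = UDP_HDR + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + udp_len, 0, 0x4000, 64, 17, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vx + inner_frame


def vxlan_decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Strip outer IPv4/UDP/VXLAN and return (VNI, inner frame)."""
    if len(packet) < IPV4_HDR or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] != 17:
        raise ValueError("bad IPv4 header or not UDP")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + UDP_HDR])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    payload = packet[ihl + UDP_HDR:ihl + ulen]
    return parse_vxlan_header(payload), payload[VXLAN_HDR:]


def encapsulation_overhead(ipv6_underlay: bool = False) -> int:
    """Bytes added per frame: outer Ethernet + IP + UDP + VXLAN (50 for IPv4)."""
    return ETH_HDR + (IPV6_HDR if ipv6_underlay else IPV4_HDR) + UDP_HDR + VXLAN_HDR


def sample_inner_frame() -> bytes:
    """Constructed customer frame 10.1.0.10 -> 10.3.0.10 (source MAC from the
    deck's diagram) with an IPv4 header and a short payload."""
    eth = bytes.fromhex("001122334455aabbccddeeff0800")
    payload = b"site1-to-site3"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(payload), 1, 0, 64, 253, 0,
                     IPv4Address("10.1.0.10").packed, IPv4Address("10.3.0.10").packed)
    return eth + ip + payload


if __name__ == "__main__":
    frame = sample_inner_frame()
    pkt = vxlan_encapsulate(frame, 123456, "192.0.2.1", "192.0.2.3")
    vni, inner = vxlan_decapsulate(pkt)
    print(f"VNI {vni}, inner intact: {inner == frame}, "
          f"outer UDP sport {struct.unpack('!H', pkt[20:22])[0]}, "
          f"overhead with outer Ethernet: {encapsulation_overhead()} bytes")
```

Nothing in this header authenticates the sender or the VNI: any host that can reach a tunnel endpoint on UDP/4789 can inject a frame into whatever VNI it names. A VTEP should therefore accept VXLAN only from the underlay addresses it expects, and confidentiality needs the IPsec wrap mentioned later in the deck.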
TECHNOLOGY RECAP: EVPN
Control plane: EVPN MP-BGP (RFC 7432), over any of the following data planes:
Multiprotocol Label Switching (MPLS), RFC 7432
EVPN over MPLS for VLL, VPLS and E-Tree services
All-active multihoming for VPWS
RSVP-TE or LDP MPLS protocols
Provider Backbone Bridges (PBB), draft-ietf-l2vpn-pbb-evpn
EVPN with PBB PE functionality for scaling very large networks over MPLS
All-active multihoming for PBB-VPLS
Network Virtualization Overlay (NVO), draft-ietf-bess-evpn-overlay
EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations
Provides Layer 2 and Layer 3 DCI
TECHNOLOGY RECAP: EVPN
Brings proven and inherent BGP control plane scalability to MAC routes
Consistently signaled FDB in any size network instead of flooding
Even more scalability and hierarchy with route reflectors
BGP advertises MACs and IPs for next-hop resolution with EVPN NLRI
AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
Fully supports IPv4 and IPv6 in the control and data plane
Offers greater control over MAC learning
What is signaled, from where and to whom
Ability to apply MAC learning policies
Maintains virtualization and isolation of EVPN instances
Enables traffic load balancing for multihomed CEs with ECMP MAC routes

MAC Advertisement Route (RFC 7432 Type 2; optional fields marked):
Route Distinguisher (8 octets)
Ethernet Segment Identifier (10 octets)
Ethernet Tag ID (4 octets)
MAC Address Length (1 octet)
MAC Address (6 octets)
IP Address Length (1 octet)
IP Address (0, 4 or 16 octets; optional)
MPLS Label1 (3 octets)
MPLS Label2 (0 or 3 octets; optional)
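The field list above is the wire format of the RFC 7432 Type 2 route. As an added example (not from the deck), the Python below encodes and decodes that NLRI with the validity checks a BGP speaker should apply: MAC Address Length must be 48, IP Address Length must be 0, 32 or 128, exactly one or two 3-octet label fields must follow, and the NLRI Length byte must match the bytes actually present rather than being trusted to read past the buffer. For the VXLAN overlay the 24-bit VNI travels in the MPLS Label1 field, as the overlay draft cited on the previous slide (later published as RFC 8365) specifies. The host 10.2.0.1 with MAC aa:bb:cc:dd:ee:ff and VNI 123456 are taken from the deck's later diagrams; the route distinguisher 192.0.2.2:100 is assumed.

```python
"""EVPN MAC/IP Advertisement route (RFC 7432 Type 2) encoder and decoder.
Added example for this page; not code from the original presentation."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

AFI_L2VPN, SAFI_EVPN = 25, 70          # EVPN NLRI address family, as on the slide
ROUTE_TYPE_MAC_IP = 2                   # RFC 7432 section 7.2
MAC_BITS = 48


def rd_type1(router_id: str, assigned: int) -> bytes:
    """Route Distinguisher type 1: type (2) | IPv4 administrator (4) | number (2)."""
    return struct.pack("!H4sH", 1, IPv4Address(router_id).packed, assigned)


@dataclass(frozen=True)
class MacIpRoute:
    rd: bytes                       # Route Distinguisher, 8 octets
    esi: bytes = bytes(10)          # Ethernet Segment Identifier; all zeros = single-homed CE
    eth_tag: int = 0                # Ethernet Tag ID, 4 octets
    mac: str = "00:00:00:00:00:00"  # MAC Address, 6 octets (length field = 48)
    ip: Optional[str] = None        # None -> IP Address Length 0 (optional field)
    label1: int = 0                 # MPLS Label1; for VXLAN the 24-bit VNI (RFC 8365)
    label2: Optional[int] = None    # MPLS Label2, optional (L3 label for symmetric IRB)

    def encode(self) -> bytes:
        """Route Type (1) | Length (1) | route-type-specific fields."""
        if len(self.rd) != 8 or len(self.esi) != 10:
            raise ValueError("RD must be 8 octets and ESI 10 octets")
        for lbl in (self.label1, self.label2):
            if lbl is not None and not 0 <= lbl < (1 << 24):
                raise ValueError("label/VNI must fit in 3 octets")
        mac_bytes = bytes.fromhex(self.mac.replace(":", ""))
        if len(mac_bytes) != 6:
            raise ValueError("MAC address must be 6 octets")
        body = self.rd + self.esi + struct.pack("!I", self.eth_tag)
        body += struct.pack("!B6s", MAC_BITS, mac_bytes)
        if self.ip is None:
            body += b"\x00"
        else:
            packed = ip_address(self.ip).packed           # 4 or 16 octets
            body += struct.pack("!B", len(packed) * 8) + packed
        body += self.label1.to_bytes(3, "big")
        if self.label2 is not None:
            body += self.label2.to_bytes(3, "big")
        return struct.pack("!BB", ROUTE_TYPE_MAC_IP, len(body)) + body


def decode_mac_ip_route(nlri: bytes) -> MacIpRoute:
    """Parse one Type 2 NLRI, rejecting the length combinations RFC 7432 forbids."""
    if len(nlri) < 2:
        raise ValueError("truncated NLRI")
    rtype, length = struct.unpack("!BB", nlri[:2])
    if rtype != ROUTE_TYPE_MAC_IP:
        raise ValueError(f"route type {rtype} is not MAC/IP Advertisement")
    body = nlri[2:2 + length]
    if len(body) != length or length < 33:      # 33 = minimum with no IP, one label
        raise ValueError("NLRI length does not match its contents")
    rd, esi, eth_tag, mac_len = struct.unpack("!8s10sIB", body[:23])
    if mac_len != MAC_BITS:
        raise ValueError("MAC Address Length must be 48")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_len, pos = body[29], 30
    if ip_len == 0:
        ip = None
    elif ip_len in (32, 128):
        ip = str(ip_address(body[pos:pos + ip_len // 8]))
        pos += ip_len // 8
    else:
        raise ValueError("IP Address Length must be 0, 32 or 128")
    if len(body) - pos not in (3, 6):
        raise ValueError("expected one or two 3-octet label fields")
    label1 = int.from_bytes(body[pos:pos + 3], "big")
    label2 = int.from_bytes(body[pos + 3:pos + 6], "big") if len(body) - pos == 6 else None
    return MacIpRoute(rd, esi, eth_tag, mac, ip, label1, label2)


def sample_route() -> MacIpRoute:
    """Constructed route for the host in the deck's diagram (10.2.0.1,
    aa:bb:cc:dd:ee:ff) in VNI 123456; the RD 192.0.2.2:100 is assumed."""
    return MacIpRoute(rd=rd_type1("192.0.2.2", 100), mac="aa:bb:cc:dd:ee:ff",
                      ip="10.2.0.1", label1=123456)


if __name__ == "__main__":
    wire = sample_route().encode()
    print(len(wire), "bytes:", wire.hex())
    print(decode_mac_ip_route(wire))
```

The BGP NEXT_HOP that the slides pair with the VNI is a path attribute of the UPDATE, not part of this NLRI, which is why the route above carries the VNI but not the remote endpoint address.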
PUTTING IT TOGETHER
EVPN delivers a control plane that can distribute MAC (L2) and IP (L3) reachability information
Scale is addressed: BGP has proven to scale well; federation becomes straightforward
Control is addressed: programmatic network topology, flexibility of routing policies
Efficiency is addressed: hybrid L2/L3 services over a single interface, redundancy and multi-homing included
VXLAN delivers a data plane that can deliver Ethernet frames over an L3 transport: L2VPN, L3VPN, … the Internet
A NEW WAY OF DELIVERING VPNS
Controller programs the forwarding plane for all CPEs
Aware of all L2/L3 topology behind each CPE
Calculate once, program many
CPE performs encapsulation of VPN traffic (VXLAN)
Traffic is carried encapsulated over the underlay network
Underlay network could be any infrastructure
Underlay is unaware of the topology of the VPN service
[Figure: CPEs at Site 1, Site 2 and Site 3, each with a LAN, connected across the underlay; the SP central functions hold the Policy DB and the SDN Controllers]
A NEW WAY OF DELIVERING VPNS
OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and to send notifications to the controller
MAC/IP address learning on LAN ports is reported to the controller
Controller determines whether the MAC/IP is to be programmed into the FIB
Federation of topology between controllers via BGP-EVPN
MAC and IP reachability signaled; VXLAN VNI information combined with NEXT_HOP
Redundancy of controllers is supported: the CPE vSwitch registers and determines active/standby controllers
[Figure: CPE connected to the SDN Controller via OpenFlow and OVSDB; controllers federate via BGP EVPN. Example addressing: 10.1.0.0/24 and 10.3.0.0/24 behind endpoints 192.0.2.1 and 192.0.2.3; 10.2.0.0/24 with host 10.2.0.1/32, MAC aa:bb:cc:dd:ee:ff]
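The "controller determines whether the MAC/IP is to be programmed" step is where an SD-VPN controller applies the MAC learning policies the EVPN recap mentioned. As an added example (not code from the deck or from the vendor), the Python below models that gate with two checks a practitioner would want: a learned IP must fall inside the LAN prefix provisioned for the reporting site, so a host at one site cannot claim another site's addresses, and a MAC seen moving between sites more than a threshold number of times within a window is treated as a duplicate and frozen, following the MAC duplication detection of RFC 7432 section 15.1 (default 5 moves in 180 seconds). Accepted entries are what the controller would federate as (MAC, IP, NEXT_HOP, VNI). Site addressing follows the diagram (10.1.0.0/24 behind 192.0.2.1, 10.3.0.0/24 behind 192.0.2.3, host 10.2.0.1 with MAC aa:bb:cc:dd:ee:ff in 10.2.0.0/24, VNI 123456); the site 2 endpoint 192.0.2.2 and the learn events are constructed for the example.

```python
"""Controller-side gate for MAC/IP learning in an SD-VPN. Added example for
this page; not code from the original presentation or its vendor."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    vtep: str           # CPE loopback: VXLAN endpoint and EVPN NEXT_HOP
    lan: IPv4Network    # prefix provisioned behind this CPE


@dataclass(frozen=True)
class FibEntry:
    mac: str
    ip: Optional[str]
    site: str
    learned_at: float


class LearningPolicy:
    """Decides which LAN-port learn notifications become FIB entries.
    Defaults follow RFC 7432 section 15.1: more than 5 moves of one MAC
    within 180 seconds marks it as duplicated."""

    def __init__(self, sites: Dict[str, Site], vni: int,
                 max_moves: int = 5, window: float = 180.0) -> None:
        self.sites, self.vni = sites, vni
        self.max_moves, self.window = max_moves, window
        self.fib: Dict[str, FibEntry] = {}          # keyed by MAC
        self.moves: Dict[str, List[float]] = {}     # MAC -> timestamps of site changes
        self.frozen: Set[str] = set()               # MACs withheld as duplicates

    def learn(self, site_name: str, mac: str, ip: Optional[str], now: float) -> Tuple[bool, str]:
        """Return (programmed?, reason) for one notification from a CPE."""
        site = self.sites.get(site_name)
        if site is None:
            return False, "notification from unknown CPE"
        if mac in self.frozen:
            return False, "MAC frozen after duplicate detection"
        if ip is not None and ip_address(ip) not in site.lan:   # anti-spoof check
            return False, f"{ip} is outside {site_name} LAN {site.lan}"
        current = self.fib.get(mac)
        if current is not None and current.site != site_name:  # MAC move between sites
            recent = [t for t in self.moves.get(mac, []) if now - t < self.window] + [now]
            self.moves[mac] = recent
            if len(recent) > self.max_moves:
                self.frozen.add(mac)
                self.fib.pop(mac, None)
                return False, "MAC move threshold exceeded; withdrawn"
        self.fib[mac] = FibEntry(mac, ip, site_name, now)
        return True, "programmed"

    def evpn_routes(self) -> List[Tuple[str, Optional[str], str, int]]:
        """What the controller federates over BGP-EVPN: (MAC, IP, NEXT_HOP, VNI)."""
        return sorted((e.mac, e.ip, self.sites[e.site].vtep, self.vni) for e in self.fib.values())


def demo() -> LearningPolicy:
    """Constructed sites and learn events exercising both checks."""
    sites = {
        "site1": Site("site1", "192.0.2.1", ip_network("10.1.0.0/24")),
        "site2": Site("site2", "192.0.2.2", ip_network("10.2.0.0/24")),  # 192.0.2.2 assumed
        "site3": Site("site3", "192.0.2.3", ip_network("10.3.0.0/24")),
    }
    policy = LearningPolicy(sites, vni=123456, max_moves=2, window=60.0)
    events = [  # (time, site, MAC, IP): constructed notifications
        (0.0, "site2", "aa:bb:cc:dd:ee:ff", "10.2.0.1"),   # legitimate host
        (1.0, "site1", "00:11:22:33:44:55", "10.3.0.50"),  # claims site 3's prefix: refused
        (2.0, "site1", "00:11:22:33:44:55", "10.1.0.50"),  # legitimate host
        (3.0, "site3", "aa:bb:cc:dd:ee:ff", "10.3.0.9"),   # move 1
        (4.0, "site2", "aa:bb:cc:dd:ee:ff", "10.2.0.1"),   # move 2
        (5.0, "site3", "aa:bb:cc:dd:ee:ff", "10.3.0.9"),   # move 3: over threshold, frozen
    ]
    for when, site, mac, ip in events:
        policy.learn(site, mac, ip, when)
    return policy


if __name__ == "__main__":
    p = demo()
    print("federated:", p.evpn_routes())
    print("frozen:", sorted(p.frozen))
```

Freezing rather than silently re-programming matters because a MAC that keeps flapping between sites is either a loop or a host impersonating another site's device; in both cases the safe answer is to stop advertising it and raise an alarm, not to follow the most recent claim.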
A NEW WAY OF DELIVERING VPNS
CPEs forward directly to each other using VXLAN as the overlay
10.1.0.0/24 NEXT_HOP 192.0.2.1, VNI 123456
10.3.0.0/24 NEXT_HOP 192.0.2.3, VNI xyz
Underlay network sees only VXLAN traffic between endpoints
Dataplane can be further encapsulated for confidentiality (e.g. IPsec)
[Figure: 10.1.0.0/24 behind 192.0.2.1 and 10.3.0.0/24 behind 192.0.2.3, joined by VNI = 123456]
VPN FLEXIBILITY
Overlays simplify network topology
SP network needs to know less about customer topology
Increases flexibility of delivery: L2 services over L3, on-net, off-net, Internet, etc.
Provisioning simplified
Reuse of activation processes from broadband networks
[Figure: traditional model with VRFs and GRTs on the PE routers and many provisioning touch points (BGP, routing policy, RIB scale, failover/redundancy, LAN ports, WAN ports, aggregation network) beside the overlay model with one-time provisioning of the underlay and dynamic provisioning of services]
OVERLAYS ENABLE SERVICE CHAINING
Centralized policy enforcement
Firewall: between zones/subnets/branch types; extranet applications; to the Internet through central functions
Content filtering: selective content filtering (schools: teacher/student; public WiFi in retail environments bypasses)
Network analytics and monitoring: tap and mirror, IDS/IDP, DPI and DLP
[Figure: branch CPEs with LAN and WAN sides steering traffic through a DC CPE where the central functions sit]
INTERWORKING
How do I connect the new to the existing?
1. EVPN with VXLAN termination directly into existing MPLS PE routers
End-to-end network is BGP- and VXLAN-aware, allowing PE routers to act as a VXLAN/MPLS interworking function (IWF)
Streamlined and simplified routing
2. Use the CPE as a gateway
Break VXLAN services out to Ethernet VLANs at the PE router
Faster to deploy but less flexible
[Figure: a traditional VPN environment (IP/MPLS with VRFs, GRT and Internet) beside an overlay VPN environment, joined in option 1 by an IWF on the PE and in option 2 by a gateway CPE]
COMPARISON
Traditional L2/L3VPN model                                    | Overlay VPN model
Overlay driven (MPLS)                                         | Overlay driven (VXLAN)
Services limited to network reach                             | Service goes where IP is available
Distributed topology and control                              | Centralized control, distributed topology
High performance                                              | High performance with flexibility
Limited ability to introduce new functions (service chaining) | Native capability for service chaining
CONCLUSION
SDN as a technology has now found proven deployment use-cases that make sense
Not just experiments or 'doing the same thing but differently'
Leveraging this technology from the DC to the WAN makes sense
Overlays are not new: ATM, MPLS and IPv6 transition technologies have all been using overlay functions for years
A service-layer overlay is a natural evolution of the network: Segment Routing for TE, overlay for service
Real service provider use-cases exist for leveraging the same technology as deployed in datacenters
Speed, flexibility, optimization of network service delivery points
nuagenetworks.net/vns @nuagenetworks
REFERENCES
VXLAN: RFC 7348
BGP MPLS-Based Ethernet VPN: RFC 7209, RFC 7432; Greg Hankins' NANOG presentation
Open vSwitch
Florin Balus, NANOG presentation on Cloud Networking