![Page 1: Ivan Pepelnjak (ip@ipSpace.net) Network Architect, ipSpace ...docshare01.docshare.tips/files/25438/254384886.pdf · Scaling Overlay Virtual Networks Ivan Pepelnjak (ip@ipSpace.net)](https://reader030.vdocuments.site/reader030/viewer/2022041023/5ed5059aad38025d974e4821/html5/thumbnails/1.jpg)
Scaling Overlay Virtual Networks
Ivan Pepelnjak (ip@ipSpace.net)
Network Architect, ipSpace.net AG
Dimitri Stiliadis
CTO, Nuage Networks
This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
3 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Past
• CTO of IT and security ventures
• Architect of switches and routers
• Researcher with focus in systems, networking, and security
Present
• CTO of Nuage Networks
Focus
• Large-scale SDN and cloud environments
• Distributed systems
More @ ipSpace.net/About
4 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Past
• Kernel programmer, network OS and web developer
• Sysadmin, database admin, network engineer, CCIE
• Trainer, course developer, curriculum architect
• Team lead, CTO, business owner
Present
• Network architect, consultant, blogger, webinar and book author
• Teaching the art of Scalable Web Application Design
Focus
• Large-scale data centers, clouds and network virtualization
• Scalable application design
• Core IP routing/MPLS, IPv6, VPN
More @ ipSpace.net/About
5 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• Fully distributed data plane
• Scale-out control plane
• Availability zones
• Hardware gateways
• Large-scale microsegmentation
• Scaling stateful services
• Service chaining
8 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Single VM (LAMP stack)
• Typical SMB deployment
• Simple web hosting
Multi-layer application architecture
• Multiple security zones
• Load balancing and firewalling
Diagram: single-VM LAMP stack (PHP, Apache, MySQL, Linux) next to a multi-layer application with four web servers, two app servers, two caches, a primary DB and a slave DB.
9 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• Multiple logical segments
• IP (sometimes MAC) connectivity within a segment
• Routing, load balancing and/or firewalling between segments
• Baseline firewalling within a segment
• Connectivity to the outside world
Diagram: Outside → Web servers → App servers → DB servers.
10 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• All overlay virtual networking solutions use distributed L2 forwarding
• Scalability is limited by the control plane (distribution of VM MAC-to-VTEP IP mappings)
Diagram: two hypervisors, each with an overlay module, kernel IP stack and TEP, connected over the IP transport (underlay) network; the VM's IP packet (MAC unicast) is encapsulated with the hypervisor/router MAC, the VNI and an outer IP header and carried across the underlay to the remote TEP.
11 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Centralized (sometimes VM-based) inter-subnet forwarding doesn’t scale
• Virtual router (L3 agent) becomes a chokepoint
• VM-based forwarding has limited performance
• Avoid this architecture for east-west traffic forwarding
Use architecture with distributed layer-3 forwarding
• Prefer dedicated in-kernel implementation over Linux Kernel TCP/IP stack with namespaces or VM-based implementations
• Sample products: Juniper Contrail, Microsoft Hyper-V, Nuage VSP, VMware NSX
Diagram: overlay virtual network connected to the outside network.
12 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Some overlay virtual networking solutions implement combined L2+L3 forwarding model
• Intra-subnet ARP caching significantly reduces overlay broadcast traffic
Example: ARP request C → D
• Intercepted by local L3 forwarding module
• Replied from local ARP cache
• Controller is contacted on ARP cache miss
• Controller can reply with authoritative information or flood ARP request
Diagram (six-step build): two hypervisors, each with an overlay module acting as gateway (GW), connected over the IP (layer-3) transport network; hypervisor 1 hosts VMs A and B (VNI 1) and C (VNI 2), hypervisor 2 hosts D (VNI 2) and E and F (VNI 3). ARP request: C → D, MAC header C → broadcast. ARP reply: D = MAC-D, MAC header GW → C.
Available in VMware NSX for vSphere, Nuage Networks VSP
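The distributed L2 forwarding of slide 10 and the ARP-interception sequence above (MAC-to-VTEP lookup, local ARP cache, controller on cache miss, flood only when the controller has no authoritative answer), as an added Python model. It is not code from the webinar or from NSX or Nuage; the Controller and OverlayModule classes, the VNI, IP and MAC values and the rule that the controller answers only for addresses it learned from the cloud management platform are assumptions made for this example.

```python
"""Overlay module with distributed L2 forwarding and local ARP handling.
Added illustration; not code from the webinar or any vendor product.
All class names, addresses and the controller's behaviour are assumptions."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Controller:
    """What the SDN controller knows from the cloud management platform.
    It answers authoritatively only for addresses the CMP told it about;
    for anything else it instructs the overlay module to flood."""
    ip_to_mac: dict          # (vni, ip) -> mac
    mac_to_vtep: dict        # (vni, mac) -> VTEP IP
    queries: int = 0

    def resolve(self, vni, ip):
        self.queries += 1
        return self.ip_to_mac.get((vni, ip))


@dataclass
class OverlayModule:
    """Per-hypervisor overlay module: VTEP plus local L3 forwarding module (GW)."""
    vtep_ip: str
    gw_mac: str
    controller: Controller
    arp_cache: dict = field(default_factory=dict)   # (vni, ip) -> mac
    mac_table: dict = field(default_factory=dict)   # (vni, mac) -> VTEP IP
    floods: int = 0                                 # broadcasts that reached the overlay

    def handle_arp_request(self, vni, sender_ip, sender_mac, target_ip):
        """Steps 1-5 of the slide: the VM's broadcast ARP request is intercepted
        locally and only flooded into the overlay as a last resort."""
        self.arp_cache[(vni, sender_ip)] = sender_mac       # learn the requester
        mac = self.arp_cache.get((vni, target_ip))
        if mac is None:                                      # cache miss
            mac = self.controller.resolve(vni, target_ip)
            if mac is None:                                  # no authoritative answer
                self.floods += 1
                return {"action": "flood", "vni": vni, "target_ip": target_ip,
                        "dst_mac": BROADCAST}
            self.arp_cache[(vni, target_ip)] = mac
        # Reply is sourced by the local module (GW MAC) and unicast to the requester
        return {"action": "reply", "src_mac": self.gw_mac, "dst_mac": sender_mac,
                "target_ip": target_ip, "target_mac": mac}

    def forward_unicast(self, vni, dst_mac):
        """Distributed L2 forwarding: encapsulate toward the VTEP hosting dst_mac."""
        vtep = self.mac_table.get((vni, dst_mac))
        if vtep is None:
            vtep = self.controller.mac_to_vtep.get((vni, dst_mac))
        if vtep is None:
            self.floods += 1
            return {"action": "flood", "vni": vni}
        self.mac_table[(vni, dst_mac)] = vtep
        return {"action": "encap", "vni": vni, "outer_src": self.vtep_ip, "outer_dst": vtep}


def arp_demo():
    """Constructed scenario from the slides: VM C (VNI 2, hypervisor 1) resolves
    VM D (VNI 2, hypervisor 2); every address below is made up."""
    ctrl = Controller(
        ip_to_mac={(2, "10.0.2.4"): "02:00:00:00:00:0d"},
        mac_to_vtep={(2, "02:00:00:00:00:0d"): "192.0.2.2"},
    )
    hv1 = OverlayModule(vtep_ip="192.0.2.1", gw_mac="02:00:00:00:00:ff", controller=ctrl)
    first = hv1.handle_arp_request(2, "10.0.2.3", "02:00:00:00:00:0c", "10.0.2.4")
    second = hv1.handle_arp_request(2, "10.0.2.3", "02:00:00:00:00:0c", "10.0.2.4")
    unknown = hv1.handle_arp_request(2, "10.0.2.3", "02:00:00:00:00:0c", "10.0.2.99")
    data = hv1.forward_unicast(2, first["target_mac"])
    return {"first": first, "second": second, "unknown": unknown, "data": data,
            "controller_queries": ctrl.queries, "floods": hv1.floods}


if __name__ == "__main__":
    for key, value in arp_demo().items():
        print(key, value)
```

Running the scenario gives two controller queries and a single flood for three ARP requests, where a pure L2 overlay would have flooded all three; the second request for D is answered from the cache without touching the controller, which is also what keeps known neighbours reachable while the controller is unavailable.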
19 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Scaling network services
• Scale-out load balancing is mission impossible (shared state tied to outside IP address)
• Scale-out firewalls are common (state tied to a single VM)
• Scale-out NAT is an interesting challenge
Implement traffic filters with VM NIC firewalls
• Stateful firewalls or reflexive ACLs
• Reflexive ACLs might be good enough for well-designed applications
• VM-based solutions severely limit performance → use in-kernel filters
• Sample solutions: Nuage VSP, VMware NSX, OpenStack/CloudStack on KVM
• ACL-only solutions: Microsoft Hyper-V, VMware vSphere, Cisco Nexus 1000V
Diagram: per-VM NIC filters inside the hypervisor, between the VMs and the outside network.
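The reflexive-ACL option on this slide, as an added Python example (not code from the webinar or from any product named above): outbound flows permitted by policy create a short-lived reverse entry, inbound packets are accepted only if they match such an entry or a port the VM explicitly serves, and entries age out. The rule format, the 30-second idle timeout and all addresses are assumptions.

```python
"""Reflexive-ACL evaluator for a per-VM-NIC filter.  Added example, not
code from the webinar or any product it names; the rule format, timeout
and addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 5-tuple the peer's reply packets will carry."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ReflexiveAcl:
    """Static rules decide what the VM may initiate; each permitted outbound
    flow installs a reverse entry that expires after `timeout` idle seconds.
    Inbound traffic is permitted only by such an entry or by an explicit
    inbound rule (the services the VM offers)."""

    def __init__(self, outbound_allow, inbound_allow=(), timeout=30):
        self.outbound_allow = set(outbound_allow)   # {(proto, dst_port)}
        self.inbound_allow = set(inbound_allow)     # {(proto, dst_port)}
        self.timeout = timeout
        self.reflexive = {}                         # reverse Flow -> expiry time

    def _expire(self, now):
        for flow in [f for f, t in self.reflexive.items() if t <= now]:
            del self.reflexive[flow]

    def outbound(self, flow, now):
        self._expire(now)
        if (flow.proto, flow.dst_port) not in self.outbound_allow:
            return "deny"
        self.reflexive[flow.reverse()] = now + self.timeout   # refreshed per packet
        return "permit"

    def inbound(self, flow, now):
        self._expire(now)
        if flow in self.reflexive:                  # reply to a flow the VM opened
            self.reflexive[flow] = now + self.timeout
            return "permit"
        if (flow.proto, flow.dst_port) in self.inbound_allow:
            return "permit"
        return "deny"


def acl_demo():
    """Constructed scenario: a web server VM (10.0.1.10) may serve HTTPS and
    may open MySQL sessions to the DB tier (10.0.2.20); nothing else."""
    acl = ReflexiveAcl(outbound_allow=[("tcp", 3306)], inbound_allow=[("tcp", 443)], timeout=30)
    to_db = Flow("tcp", "10.0.1.10", 40001, "10.0.2.20", 3306)
    results = {}
    results["db_request"] = acl.outbound(to_db, now=0)            # VM opens the session
    results["db_reply"] = acl.inbound(to_db.reverse(), now=1)     # matches reflexive entry
    results["db_unsolicited"] = acl.inbound(                      # DB host probing the VM
        Flow("tcp", "10.0.2.20", 3306, "10.0.1.10", 40002), now=1)
    results["client_https"] = acl.inbound(                        # served port, explicit rule
        Flow("tcp", "198.51.100.7", 52000, "10.0.1.10", 443), now=1)
    results["stale_reply"] = acl.inbound(to_db.reverse(), now=100)  # entry expired
    return results


if __name__ == "__main__":
    for key, value in acl_demo().items():
        print(key, value)
```

The evaluator only matches the reverse 5-tuple; it does not track TCP flags or sequence numbers, which is exactly the gap between a reflexive ACL and a stateful firewall and the reason the slide rates reflexive ACLs as good enough only for well-designed applications.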
20 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Requirements for scalable data plane
• Distributed L3 forwarding
• Local ARP handling (ARP caching or pure L3 solution)
• Distributed security groups implemented in hypervisors
22 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Crucial overlay virtual network challenge: VM-MAC-to-VTEP-IP mappings
• Initial implementations used IP multicast and Ethernet-like learning
• Modern solutions use network controllers in combination with orchestration systems
Sample solutions: Cisco Nexus 1000V, Juniper Contrail, Nuage VSP, VMware NSX
Diagram: two hypervisors (kernel IP stack, overlay module, VTEP) on an IP transport network; the SDN controller programs both overlay modules and is fed by the cloud management system.
23 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Some overlay networking solutions lack SDN controller element
• Cloud management platform programs virtual switches directly
• Hard to integrate with the physical network: static routes/MAC learning or VM-based solutions
SDN controller enables inter-cloud federation
• Reachability data exchanged between controllers
• Most SDN controllers use BGP for easy integration with existing hardware
Diagram: CMP driving the SDN controller, with federation between SDN controllers.
24 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• Network controller becomes the scalability bottleneck
• Control-plane-only controllers scale much better than controllers participating in data plane (hint: use CMP to get MAC and IP address information)
• Every controller implementation eventually hits its limits → scale-out is the only answer
Diagram: two hypervisors (kernel IP stack, overlay module, VTEP) on an IP transport network, both served by a single controller.
25 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Scale-out architecture is the only viable way forward
• Requirement: Synchronization of policy and reachability information between controllers
Typical solution: multi-protocol BGP (MP-BGP)
• L3VPN for IP routing (sometimes using host routes for VM IP addresses)
• EVPN for layer-2 forwarding
• Easy integration with existing hardware gateways
Additional benefits:
• Clean failure domain separation (availability zones)
• Adjustable size of failure domains to meet scalability and convergence requirements
26 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Terminology:
• VSP: Virtual Services Platform
• CMP: Cloud Management Platform
• VSD: Virtual Services Directory
• VSC: Virtual Services Controller
• VRS: Virtual Routing & Switching
Plane of operation
• VSD: Management/Policy
• VSC: Control plane
• VRS: Data plane
Scale-out architecture
• Single VSD per CMP
• Multiple VSC per VSD (scale-out within CMP)
• VSC confederation via MP-BGP (scale-out across CMP)
Diagram: CMP → VSD over REST, VSD → VSC over XMPP, each VSC controlling its VRS instances, MP-BGP between the VSCs and from the VSCs to the VSG/PE.
28 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Failure Domain: area impacted when a key device or service experiences problems
Sample failure domains
• VLAN (broadcast storms)
• OSPF area (LSA flooding)
• Controller-based network (controller failure)
• Cloud instance (cloud management system failure)
Diagram: CMP → VSD over REST, VSD → VSC over XMPP, VSC → VRS, BGP between the VSCs.
29 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Regions: cloud instances with separate API endpoints
• Separate instances of cloud management systems
Availability zone: logical group that provides a form of physical isolation and redundancy from other availability zones (OpenStack)
• Common cloud management
• Isolated compute/storage/networking failure domains
• Each availability zone SHOULD have a different network services controller
Diagram: CMP → VSD over REST, VSD → VSC over XMPP, VSC → VRS, BGP between the VSCs.
30 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Cloud management platform fails?
• No moves, adds or changes
• Overlay virtual networking topology is frozen
• High-availability clusters cannot recover
SDN controller fails?
• Controllers involved in data plane (MAC learning or ARP replies) → total failure
• Control-plane controllers → loss of reachability information
• Controllers without external control plane → no visibility, no topology change
Each availability zone SHOULD have an independent SDN controller
Diagram: SDN controllers with their CMPs, federated with each other.
31 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Controller/orchestration infrastructure
• Single CMP/VSD per region
• VSD works on policy plane → VSD failure is similar to CMP failure
• VSC per availability zone → VSC failure does not spread across zones
• BGP information exchange through a set of route reflectors → use BGP security mechanisms to protect availability zones
• Pair of VSGs per availability zone (when needed)
Underlying infrastructure
• Each availability zone = independent L3 forwarding domain
Diagram: CMP → VSD over REST, VSD → VSC over XMPP, one VSC with its VRS instances per availability zone, BGP between the VSCs and to the VSG/PE.
33 © ipSpace.net 2014 Scaling Overlay Virtual Networks
VMs within an overlay virtual network must interact with the physical world
L2 gateways (VNI-to-VLAN)
• P2V migrations
• Integration with legacy equipment
L3 gateways
• Multiple VNIs routed to a VLAN
• Simple P2V or WAN integration
Network services gateway
• Firewalls and load balancers
34 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Deployment format
• VM-based
• Hypervisor kernel module
• Bare-metal x86 server
• Hardware VTEP
Design and deployment considerations
• Performance
• Control-plane integration with overlay fabric
• Management plane integration with overlay network controller and orchestration system
• Integration with existing network infrastructure (example: MPLS/VPN)
35 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• Gateway function implemented in a VM with multiple virtual NICs
• VM performs traditional bridging/routing/network services functionality
• Use any product available in VM format (including Linux instances)
• Forwarded traffic goes through a VM → performance usually limited to few Gbps
Diagram: VM-based gateway with virtual NICs on both sides; on the overlay side the hypervisor VTEP (kernel IP stack, VXLAN) delivers the IP packet addressed to the appliance MAC, on the outside the gateway VM sends it with a VLAN tag and the next-hop MAC toward the IP transport network. VXLAN encapsulation shown: IP packet in VXLAN/UDP over IP, with IP multicast/MAC multicast used for flooding; a VNI on the overlay side corresponds to a VLAN on the outside.
36 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Typical gateway deployment scenarios
• Integrate overlay networks with outside world → maximum performance = WAN link speed
• Integrate overlay networks with legacy hardware → maximum performance = legacy hardware network I/O performance
Software gateway performance
• Few Gbps for VM-based solutions
• ~10Gbps for kernel-based and bare-metal gateways
Hardware gateways offer the performance needed in large-scale deployments
37 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Hardware Gateway needs the following information
• Mapping between VXLAN VNI and external VLANs
• VM-MAC-to-VTEP-IP mappings
• VXLAN flooding information (IP MC address or VTEP list)
Solutions
• Do-it-yourself
• OVSDB (VMware NSX, Nuage VSP)
• EVPN (Nuage VSP, Juniper Contrail)
38 © ipSpace.net 2014 Scaling Overlay Virtual Networks
OVSDB
• Lightweight JSON-RPC-based database query/update protocol
• OVSDB database table schema defines the actual data
Hardware VTEP schema
• Physical switch + ports
• Logical switch + router
• Local and remote MAC mappings
SDN controller uses OVSDB to
• Configure VXLAN-to-VLAN mappings
• Push MAC mappings to VTEP
• Receive physical MAC addresses from VTEP
Diagram: SDN controller talking OVSDB to the hardware VTEP.
MPLS/VPN integration through VLANs (Inter-AS Option A)
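What the three OVSDB tasks above look like on the wire, as an added Python example (not code from the webinar or from NSX or Nuage). Table and column names follow the hardware_vtep schema distributed with Open vSwitch and the message format follows RFC 7047; the switch port, VLAN, VNI, addresses and the Logical_Switch UUID passed to push_remote_mac (which a real controller would have obtained from an earlier select or insert reply) are constructed placeholders.

```python
"""OVSDB JSON-RPC messages an SDN controller sends to a hardware VTEP.
Added example; not code from the webinar or any vendor product.  Table and
column names follow the Open vSwitch hardware_vtep schema, message shapes
follow RFC 7047; all values below are constructed."""
import json

DB = "hardware_vtep"


def bind_vlan_to_vni(port_name, vlan_id, vni, request_id=1):
    """Task 1: create the logical switch for a VNI and bind a VLAN on a
    physical port to it (the VXLAN-to-VLAN mapping).  Both operations sit
    in one transaction so the binding can reference the new row by name."""
    ops = [
        {"op": "insert", "table": "Logical_Switch",
         "row": {"name": "ls-%d" % vni, "tunnel_key": vni},
         "uuid-name": "ls"},
        {"op": "mutate", "table": "Physical_Port",
         "where": [["name", "==", port_name]],
         "mutations": [["vlan_bindings", "insert",
                        ["map", [[vlan_id, ["named-uuid", "ls"]]]]]]},
    ]
    return {"method": "transact", "params": [DB] + ops, "id": request_id}


def push_remote_mac(ls_uuid, mac, vm_ip, remote_vtep_ip, request_id=2):
    """Task 2: tell the VTEP that `mac` (and its IP, usable for ARP
    suppression) is reachable through the hypervisor VTEP `remote_vtep_ip`.
    `ls_uuid` is the existing Logical_Switch row (a constructed value here)."""
    ops = [
        {"op": "insert", "table": "Physical_Locator",
         "row": {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": remote_vtep_ip},
         "uuid-name": "loc"},
        {"op": "insert", "table": "Ucast_Macs_Remote",
         "row": {"MAC": mac, "ipaddr": vm_ip,
                 "logical_switch": ["uuid", ls_uuid],
                 "locator": ["named-uuid", "loc"]}},
    ]
    return {"method": "transact", "params": [DB] + ops, "id": request_id}


def watch_local_macs(request_id=3):
    """Task 3: subscribe to MACs the switch learns on its VLAN ports, so the
    controller can distribute them to the hypervisor VTEPs."""
    monitor_request = {"Ucast_Macs_Local": {
        "columns": ["MAC", "ipaddr", "logical_switch", "locator"],
        "select": {"initial": True, "insert": True, "delete": True, "modify": True}}}
    return {"method": "monitor", "params": [DB, "local-macs", monitor_request],
            "id": request_id}


def check_references(request):
    """Pre-send sanity check: every named-uuid reference must point at an
    insert with that uuid-name in the same transaction."""
    ops = request["params"][1:]
    defined = {op["uuid-name"] for op in ops if "uuid-name" in op}
    referenced = set()

    def walk(value):
        if isinstance(value, list):
            if len(value) == 2 and value[0] == "named-uuid":
                referenced.add(value[1])
            else:
                for item in value:
                    walk(item)
        elif isinstance(value, dict):
            for item in value.values():
                walk(item)

    for op in ops:
        walk(op)
    return referenced <= defined


def encode(request):
    """Serialize for the wire (one JSON object per JSON-RPC message)."""
    return json.dumps(request)


if __name__ == "__main__":
    print(encode(bind_vlan_to_vni("eth1", 101, 5001)))
    print(encode(push_remote_mac("11111111-2222-3333-4444-555555555555",
                                 "02:00:00:00:00:0a", "10.0.1.10", "192.0.2.1")))
    print(encode(watch_local_macs()))
```

The reverse direction (task 3) is a monitor subscription rather than a poll: the switch pushes update notifications whenever a row in Ucast_Macs_Local changes, which is what lets the controller propagate physical MACs promptly.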
39 © ipSpace.net 2014 Scaling Overlay Virtual Networks
• Network virtualization controller and hardware gateway use EVPN and L3VPNto exchange forwarding data
• EVPN provides MAC-to-VTEP mappings
• L3VPN provides integrates overlayvirtual networks with MPLS/VPN
• Gateway provisioning uses a different protocol (ex: NETCONF)
EVPN forwarding information
• VTEP flood list (Inclusive Multicast Ethernet Tag route)
• MAC-to-VTEP mapping (MAC/IP Address Advertisement route)
• Propagation of IP addresses enables proxy ARP functionality
EVPN
L3VPN
MPLS/VPN integration through MP-BGP (same domain or inter-AS Option B/C)
This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
47 © ipSpace.net 2014 Scaling Overlay Virtual Networks
MPLS/VPN
• PE-router sends VPNv4 or EVPN update to Nuage VSC
• VSC installs forwarding entries with BGP next hop + label in VRS
• VM sends IP packet to server (and GW MAC)
• IP router in VRS performs L3 lookup
• IP packet is encapsulated in MPLS-GRE-IP or VXLAN-UDP-IP envelope
• PE router receives MPLS/VPN or VXLAN packet
• PE router forwards VPN IP packet
[Diagram: VM → Nuage VRS (GW) → underlay IP transport network → PE-router → MPLS/VPN; MP-BGP between PE and VSC, OpenFlow between VSC and VRS. Packet labels: IP A→S with MAC A→GW at the VM, then MPLS label + GRE header + IP to PE VTEP across the underlay, then IP/MPLS to S]
48 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Deployment format
• Low bandwidth: VM
• High bandwidth: hardware VTEP
Integration requirements
• Physical VLANs: OVSDB or EVPN
• MPLS/VPN WAN: EVPN + L3VPN
Choose an SDN controller that supports all the options you need
50 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security Groups Concepts
• Replace subnet-level firewalls (or ACLs) with per-VM firewalls/ACLs
• Increased intra-subnet security due to microsegmentation
• No chokepoint, no traffic tromboning
• No subnets, no addressing limitations
Implementations
• CloudStack (on Linux-based hypervisors)
• OpenStack (Neutron plugin extension)
• VMware vCD/vCAC with vShield Edge or VMware NSX
51 © ipSpace.net 2014 Scaling Overlay Virtual Networks
High-level view
• Assign VMs to groups
• Specify filtering rules between groups
Typical implementations
• Packet filter (OVS or Linux iptables)
• Each group exploded into a list of IP addresses
• ACL = Cartesian product of source-destination IP addresses
Security group rules:
From   To      Port
Any    Web     80
Any    Web     443
Web    App     9000
App    DB      3306
Mgmt   All-VM  22
52 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security group rules:
From   To      Port
Any    Web     80
Any    Web     443
Web    App     9000
App    DB      3306
Mgmt   All-VM  22
[Diagram: VMs W1, W2, W3 (Web), A1, A2 (App), D1, D2 (DB)]
Exploded per-VM ACL:
From   To      Port
Any    W1      80
Any    W2      80
Any    W3      80
Any    W1      443
Any    W2      443
Any    W3      443
W1     A1      9000
W1     A2      9000
W2     A1      9000
W2     A2      9000
W3     A1      9000
W3     A2      9000
…
53 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security group ACL = Cartesian product of IP addresses
• Long ACLs (performance usually degrades linearly with the ACL length)
• Whole ACL deployed on all VM NICs: even further performance degradation
• Any change in security group membership (VM adds or removals) propagates to all hypervisors running the tenant's VMs
[Diagram: SDN controller distributing the full rule table (Any→Web 80, Any→Web 443, Web→App 9000, App→DB 3306, Mgmt→All-VM 22) to every hypervisor; outside network]
60 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security group membership = BGP community
• Remote VM security group attached to IP or MAC route
• Local VM security group attached to VM port
Typical sequence of events
• New VM is started on a hypervisor
• VRS notifies VSC
• VSC notifies VSD
• VSD assigns VM into a security group and replies to VSC
• VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group)
• ACL is not changed
[Diagram: VSD and VSC above two VRS instances connected by the transport network]
66 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Typical sequence of events
• New VM is started on a hypervisor
• VRS notifies VSC
• VSC notifies VSD
• VSD assigns VM into a security group and replies to VSC
• VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group)
• VSC originates new EVPN and IPVPN route (security group = BGP community)
• VSC sends BGP update to its BGP peers
• Remote VSC updates forwarding entries in remote VRS
• ACL is not changed
[Diagram: VSD, local VSC and remote VSC above two VRS instances connected by the transport network]
![Page 71: Ivan Pepelnjak (ip@ipSpace.net) Network Architect, ipSpace ...docshare01.docshare.tips/files/25438/254384886.pdf · Scaling Overlay Virtual Networks Ivan Pepelnjak (ip@ipSpace.net)](https://reader030.vdocuments.site/reader030/viewer/2022041023/5ed5059aad38025d974e4821/html5/thumbnails/71.jpg)
72 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Transport Network
VSC
VSD
VM sends an IP packet
Ingress ACL check on ingress VRS
• From security group = VM NIC group
• To security group = BGP community
Encapsulated VM frame is sent across the transport network
Egress ACL check on egress VRS
• From security group = BGP community
• To security group = VM NIC group
Packet is delivered to target VM
VRS VRS
VSC
5 of 5This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
![Page 78: Ivan Pepelnjak (ip@ipSpace.net) Network Architect, ipSpace ...docshare01.docshare.tips/files/25438/254384886.pdf · Scaling Overlay Virtual Networks Ivan Pepelnjak (ip@ipSpace.net)](https://reader030.vdocuments.site/reader030/viewer/2022041023/5ed5059aad38025d974e4821/html5/thumbnails/78.jpg)
79 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security groups (in BGP communities) can extend across MPLS/VPN backbone
• Automatic ingress/egress filters on VM NICs
• Requires trust (or strict filters) between cloud and MPLS/VPN networks
VM to remote host:
• VM sends a packet
• Ingress ACL on VRS
• IP packet sent from VRS to PE-router
• IP packet delivered to remote host
Remote host to VM:
• IP packet received by PE-router
• IP packet delivered to VRS
• Packet delivered to VMMPLS
backbone
Transport Network
VSC
VRS
6 of 8This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
![Page 79: Ivan Pepelnjak (ip@ipSpace.net) Network Architect, ipSpace ...docshare01.docshare.tips/files/25438/254384886.pdf · Scaling Overlay Virtual Networks Ivan Pepelnjak (ip@ipSpace.net)](https://reader030.vdocuments.site/reader030/viewer/2022041023/5ed5059aad38025d974e4821/html5/thumbnails/79.jpg)
80 © ipSpace.net 2014 Scaling Overlay Virtual Networks
Security groups (in BGP communities) can extend across MPLS/VPN backbone
• Automatic ingress/egress filters on VM NICs
• Requires trust (or strict filters) between cloud and MPLS/VPN networks
VM to remote host:
• VM sends a packet
• Ingress ACL on VRS
• IP packet sent from VRS to PE-router
• IP packet delivered to remote host
Remote host to VM:
• IP packet received by PE-router
• IP packet delivered to VRS
• Egress ACL on VRSMPLS
backbone
Transport Network
VSC
VRS
7 of 8This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
Security groups (in BGP communities) can extend across MPLS/VPN backbone
• Automatic ingress/egress filters on VM NICs
• Requires trust (or strict filters) between cloud and MPLS/VPN networks
VM to remote host:
• VM sends a packet
• Ingress ACL on VRS
• IP packet sent from VRS to PE-router
• IP packet delivered to remote host
Remote host to VM:
• IP packet received by PE-router
• IP packet delivered to VRS
• Egress ACL on VRS
• Packet delivered to VM
(Figure: VRS and VSC in the cloud transport network, PE-router and MPLS backbone)

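An added model (not Nuage or ipSpace code) of the slide above: security-group membership carried as a BGP community, ingress and egress ACLs derived from it on the VRS, and a strict community filter on routes learned from the PE-router standing in for the trust the slide calls out. Group names, prefixes, community values and the `trusted_pe` switch are constructed.

```python
"""Security groups carried as BGP communities across an MPLS/VPN backbone,
with ingress/egress ACLs derived on the VRS (added model, not Nuage/ipSpace
code; group names, prefixes, community values and trusted_pe are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed scheme: one BGP community per security group
GROUP_COMMUNITY = {"web": "65000:100", "db": "65000:200"}
COMMUNITY_GROUP = {c: g for g, c in GROUP_COMMUNITY.items()}


@dataclass
class Route:
    prefix: str          # e.g. "10.1.1.0/24"
    communities: set     # communities attached to the route
    source: str          # "vsc" (cloud controller) or "pe" (MPLS/VPN backbone)


@dataclass
class Policy:
    src_group: str
    dst_group: str
    dport: int


class VRS:
    """Hypervisor vSwitch: learns routes, builds the per-VM NIC filters."""

    def __init__(self, policies, trusted_pe, pe_allowed_communities=()):
        self.policies = list(policies)
        self.routes = []
        self.trusted_pe = trusted_pe
        self.pe_allowed = set(pe_allowed_communities)

    def import_route(self, route):
        """Install a route; strict filter on backbone-learned communities."""
        comms = set(route.communities)
        if route.source == "pe" and not self.trusted_pe:
            # The backbone may only assert group memberships on our allowlist;
            # every other community is stripped before it can match an ACL
            comms &= self.pe_allowed
        self.routes.append(Route(route.prefix, comms, route.source))
        return comms

    def groups_of(self, ip):
        """Security groups of an address: communities on its longest-match route."""
        addr, best = ip_address(ip), None
        for r in self.routes:
            net = ip_network(r.prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r)
        if best is None:
            return set()
        return {COMMUNITY_GROUP[c] for c in best[1].communities if c in COMMUNITY_GROUP}

    def permitted(self, src, dst, sport, dport):
        """Stateless reflexive check: an allowed flow, or the reply to one."""
        sg, dg = self.groups_of(src), self.groups_of(dst)
        for p in self.policies:
            if p.src_group in sg and p.dst_group in dg and p.dport == dport:
                return True
            if p.src_group in dg and p.dst_group in sg and p.dport == sport:
                return True
        return False


def vm_to_remote(vrs, src, dst, sport, dport):
    """VM sends a packet: ingress ACL on VRS, then IP packet to the PE-router."""
    if not vrs.permitted(src, dst, sport, dport):
        return "dropped by VRS ingress ACL"
    return "forwarded to PE-router"


def remote_to_vm(vrs, src, dst, sport, dport):
    """Packet from the PE-router: egress ACL on VRS, then delivery to the VM."""
    if not vrs.permitted(src, dst, sport, dport):
        return "dropped by VRS egress ACL"
    return "delivered to VM"


def build_vrs(trusted_pe):
    """Constructed topology: local db VMs, a remote web tier, and a backbone route
    that claims a db membership the backbone is not allowed to assert."""
    vrs = VRS([Policy("web", "db", 3306), Policy("db", "db", 5432)],
              trusted_pe, pe_allowed_communities={"65000:100"})
    vrs.import_route(Route("10.1.1.0/24", {"65000:200"}, "vsc"))   # local db VMs
    vrs.import_route(Route("172.16.5.0/24", {"65000:100"}, "pe"))  # remote web tier
    vrs.import_route(Route("192.0.2.0/24", {"65000:200"}, "pe"))   # claims db
    return vrs


def demo(trusted_pe):
    vrs = build_vrs(trusted_pe)
    return {
        "web->db 3306": remote_to_vm(vrs, "172.16.5.20", "10.1.1.10", 40000, 3306),
        "db reply": vm_to_remote(vrs, "10.1.1.10", "172.16.5.20", 3306, 40000),
        "claimed db->db 5432": remote_to_vm(vrs, "192.0.2.7", "10.1.1.10", 41000, 5432),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("trusted backbone:" if mode else "strict filters:", demo(mode))
```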
Scale-out NAT is a hard problem
• No guarantee of symmetrical paths (best case: rehashing after topology change)
• Shared state tied to outside IP address
• State must be distributed and synchronized across all NAT cluster members
(Figure: shared state across NAT cluster members)
Maybe we’re solving the wrong problem

• Virtual machines with public IP addresses (floating IP address): static stateless NAT
• Access to outside servers: dynamic stateful NAPT, outside source address is irrelevant
(Figure: floating IP address and NAT paths)
Equivalent to Amazon VPC behavior

Setup
• Floating IP from public vDRS is allocated to a tenant VM
• 1:1 NAT rule is created on the hypervisor
Internal communication
• Destination IP address is within tenant vDRS
• NAT rule is not invoked
Outside-to-inside
• Packet sent to IP address in public vDRS (received by hypervisor)
• Hypervisor translates destination IP address to VM IP address
Inside-to-outside
• VM sends packet to a destination unreachable in tenant vDRS
• Per-VM default route pushes the packet through NAT rule into public vDRS
(Figure: tenant vDRS (VRF) and public vDRS (VRF) on the hypervisor with the F-IP, transport network, outside VSG/PE)
NAT rule is stateless and active on a single hypervisor

Setup
• IP from public vDRS (H-IP) is allocated to each hypervisor
Inside-to-outside
• VM sends packet to a destination unreachable in tenant vDRS
• Default route pushes the packet through NAT rule into public vDRS
• Stateful NAT entry is created in the hypervisor
• Packet is delivered to the outside server
Outside-to-inside
• Return packet is sent to IP address in public vDRS (received by hypervisor)
• Hypervisor uses PNAT entry to translate destination IP address to VM IP address
• Translated packet is delivered to target VM
(Figure: tenant vDRS (VRF) and public vDRS (VRF) on the hypervisor with the H-IP, transport network, outside VSG/PE)
The goal is connectivity, not specific NAT outside address

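An added model (not Nuage or ipSpace code) covering both hypervisor-local NAT designs above: the stateless 1:1 floating-IP rule and the per-hypervisor stateful NAPT behind an H-IP, showing why the NAT state never has to leave the hypervisor that created it. All addresses, port numbers and class or function names are constructed.

```python
"""Hypervisor-local NAT for overlay networks: a stateless 1:1 floating-IP rule
and a per-hypervisor stateful NAPT (PNAT) behind a hypervisor-owned outside
address (H-IP). Added model, not Nuage/ipSpace code; every address, port and
class or function name is a constructed assumption."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Hypervisor:
    """One VRS: tenant vDRS prefix, floating-IP rules, its H-IP, a local PNAT table."""

    def __init__(self, name, tenant_prefix, h_ip, first_port=20000):
        self.name = name
        self.tenant = ip_network(tenant_prefix)   # tenant vDRS (VRF)
        self.h_ip = h_ip                           # this hypervisor's address in the public vDRS
        self.floating = {}                         # vm_ip -> F-IP, stateless 1:1 rule
        self.pnat = {}                             # (H-IP, port) -> (vm_ip, vm_port)
        self.next_port = first_port

    def add_vm(self, vm_ip, floating_ip=None):
        if floating_ip:
            self.floating[vm_ip] = floating_ip     # 1:1 NAT rule lives on this hypervisor only

    def vm_send(self, pkt):
        """Inside-to-outside: returns (verdict, packet as it leaves the VRS)."""
        if ip_address(pkt.dst) in self.tenant:
            return "delivered within tenant vDRS, NAT not invoked", pkt
        if pkt.src in self.floating:
            # Static stateless NAT: rewrite the source address, keep the port, store nothing
            return "stateless 1:1 NAT into public vDRS", replace(pkt, src=self.floating[pkt.src])
        # Default route through the NAPT rule: allocate an outside port on the H-IP
        key = (self.h_ip, self.next_port)
        self.next_port += 1
        self.pnat[key] = (pkt.src, pkt.sport)      # stateful entry, local to this hypervisor
        return "stateful NAPT into public vDRS", replace(pkt, src=self.h_ip, sport=key[1])

    def outside_receive(self, pkt):
        """Outside-to-inside: packet arrived at an address in the public vDRS."""
        for vm_ip, fip in self.floating.items():
            if pkt.dst == fip:
                return "1:1 NAT to VM", replace(pkt, dst=vm_ip)
        entry = self.pnat.get((pkt.dst, pkt.dport))
        if entry:
            vm_ip, vm_port = entry
            return "PNAT entry to VM", replace(pkt, dst=vm_ip, dport=vm_port)
        return "dropped: no NAT binding on this hypervisor", pkt


def demo():
    """Two hypervisors with their own H-IPs: no NAT state is ever shared between them."""
    hv1 = Hypervisor("hv1", "10.0.0.0/16", h_ip="203.0.113.1")
    hv2 = Hypervisor("hv2", "10.0.0.0/16", h_ip="203.0.113.2")
    hv1.add_vm("10.0.1.10", floating_ip="198.51.100.10")   # VM with a public (floating) IP
    hv1.add_vm("10.0.1.11")                                 # VM that only reaches out
    hv2.add_vm("10.0.2.20")
    out = {}
    # Tenant-internal traffic never touches either NAT rule
    out["internal"] = hv1.vm_send(Packet("10.0.1.10", "10.0.2.20", 5000, 80))[0]
    # Floating IP: both directions work with zero state on the hypervisor
    v, p = hv1.vm_send(Packet("10.0.1.10", "192.0.2.50", 5000, 443))
    out["fip_out"] = (v, p.src, len(hv1.pnat))
    v, p = hv1.outside_receive(Packet("192.0.2.50", "198.51.100.10", 40000, 443))
    out["fip_in"] = (v, p.dst)
    # Private VM: the outbound packet creates a PNAT entry on hv1 and nowhere else
    v, egress = hv1.vm_send(Packet("10.0.1.11", "192.0.2.50", 34567, 443))
    out["pnat_out"] = (v, egress.src, egress.sport)
    reply = Packet("192.0.2.50", egress.src, 443, egress.sport)
    v, p = hv1.outside_receive(reply)
    out["pnat_in"] = (v, p.dst, p.dport)
    # The reply is addressed to hv1's H-IP, so the public vDRS routes it to hv1;
    # hv2 holds no binding for it and needs none
    out["pnat_in_other_hv"] = hv2.outside_receive(reply)[0]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```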
• Insert physical appliances between virtual network endpoints
• Insert L4-7 and security services within a subnet
• Create multi-tier applications without routing overhead
• Combine multiple services in Network Function Virtualization deployments

![Page 116: Ivan Pepelnjak (ip@ipSpace.net) Network Architect, ipSpace ...docshare01.docshare.tips/files/25438/254384886.pdf · Scaling Overlay Virtual Networks Ivan Pepelnjak (ip@ipSpace.net)](https://reader030.vdocuments.site/reader030/viewer/2022041023/5ed5059aad38025d974e4821/html5/thumbnails/116.jpg)
Layer-2 frames redirected to a transparent (bump-in-wire) appliance
• Based on MAC (potentially IP) headers
Typical implementation
• VLAN chaining
• Hard to implement for individual endpoints
• Impossible to implement for individual applications
• Fantastic potential for forwarding loops
[Diagram, built up over 11 animation steps: sources A and B, destination S; the frame headers shown stay MAC-A MAC-S IP-A IP-S and MAC-B MAC-S IP-B IP-S end to end, i.e. the bump-in-wire appliance leaves both MAC and IP headers untouched]

Layer-3 frames redirected to a transparent or inter-subnet appliance
• Based on IP headers
• Might require MAC header rewrite
Typical implementation
• Policy-based routing (PBR)
• MAC rewrite is automatic
• Hard to implement for appliances not close to the forwarding path
[Diagram, built up over 11 animation steps: sources A and B, destination S, with MAC-G and MAC-F as intermediate hops; frame headers shown at the successive steps: MAC-A MAC-G IP-A IP-S, MAC-G MAC-S IP-A IP-S, MAC-B MAC-G IP-B IP-S, MAC-B MAC-F IP-B IP-S, MAC-F MAC-S IP-B IP-S; the IP header is unchanged throughout and only the MAC header is rewritten at each hop]

• Services and redirection (chaining) rules are defined in VSD Architect
• VSD downloads redirection rules to VSC
• VSC instantiates PBR entries on virtual port (VM) activation
• Traffic redirection uses the same scalability mechanisms as security groups
• Multiple forwarding domains are used to further scale the implementation
[Diagram: VSD, two VSCs and VRS instances connected over the transport network]

• Appliances (physical or virtual) are identified by virtual port tags
• A dedicated VNI (VXLAN segment) is allocated to each appliance port
• Appliance reachability information (ESI, VNI, transport next hop) is propagated in EVPN updates
• Information from the EVPN update is used as the PBR next hop
[Diagram: two VSCs exchanging MP-BGP, VRS instances connected over the transport network]

• Appliances (physical or virtual) are identified by virtual port tags
• A dedicated VNI (VXLAN segment) is allocated to each appliance port
• An L2VPN is created between appliances
• Active appliance IP address is detected by monitoring GARP packets
• A host route is created for each appliance IP address
• L3VPN host route (prefix, VNI, transport next hop) toward the appliance port is propagated across the MP-BGP routing domain
• Information from the L3VPN route is used as the PBR next hop
[Diagram: two VSCs exchanging MP-BGP, VRS instances connected over the transport network, a GARP packet arriving at one VRS]

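The redirection mechanism on the last three slides, as an added Python model that is not code from Nuage Networks or the slide authors: the VSC-installed PBR entry matches on the IP header, the L3VPN host route learned via MP-BGP (and kept current from the appliance's GARP) supplies the VNI and transport next hop, and the MAC header is rewritten while the IP header is left alone. MAC labels follow the slides; the IP addresses, VNI, VTEP address and the class and function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:            # headers of a packet inside the overlay (MAC labels follow the slides)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

@dataclass(frozen=True)
class Encap:            # what the VRS puts on the wire: inner frame, VXLAN VNI, transport next hop
    frame: Frame
    vni: int
    vtep: str

@dataclass(frozen=True)
class HostRoute:        # L3VPN host route (VNI, transport next hop) for one appliance IP
    vni: int
    vtep: str
    mac: str            # appliance MAC, taken from the GARP that announced the active IP

@dataclass(frozen=True)
class PbrRule:          # redirection rule: match on the IP header, send to the appliance IP
    src_net: ipaddress.IPv4Network
    appliance_ip: str

def learn_from_garp(host_routes, sender_ip, sender_mac, vni, vtep):
    """Active appliance IP detected from GARP: install or overwrite its host route.
    A standby taking over sends GARP with the same IP and its own MAC."""
    host_routes[sender_ip] = HostRoute(vni, vtep, sender_mac)

def pbr_redirect(frame, local_mac, rules, host_routes):
    """Layer-3 redirection via PBR. Returns None (normal forwarding) when no rule
    matches or the appliance route is gone, rather than silently dropping traffic."""
    for rule in rules:
        if ipaddress.ip_address(frame.src_ip) in rule.src_net:
            route = host_routes.get(rule.appliance_ip)
            if route is None:
                return None
            # MAC rewrite is automatic: src = this hop, dst = appliance; IP header untouched
            rewritten = replace(frame, src_mac=local_mac, dst_mac=route.mac)
            return Encap(rewritten, route.vni, route.vtep)
    return None

# Constructed sample values: VM A, server S, this VRS as gateway MAC-G, appliance F at 10.0.9.1
ROUTES = {}
learn_from_garp(ROUTES, "10.0.9.1", "MAC-F", vni=50009, vtep="192.0.2.9")
RULES = [PbrRule(ipaddress.ip_network("10.0.1.0/24"), "10.0.9.1")]
FRAME_A = Frame("MAC-A", "MAC-G", "10.0.1.10", "10.0.2.20")

if __name__ == "__main__":
    print(pbr_redirect(FRAME_A, "MAC-G", RULES, ROUTES))   # dst_mac rewritten to MAC-F
    learn_from_garp(ROUTES, "10.0.9.1", "MAC-F2", vni=50009, vtep="192.0.2.10")
    print(pbr_redirect(FRAME_A, "MAC-G", RULES, ROUTES))   # standby appliance F2 now used
```

Running the module prints the redirected frame before and after a standby appliance announces the same IP from a new MAC, which is the failover the GARP monitoring on the slide is there to catch.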
Architectural elements:
• Distributed forwarding plane (L2 and L3)
• Control plane with scale-out architecture
• Distributed L4 services (security, NAT)
• Scalable security mechanisms
Additional considerations:
• High-performance gateways
• Control- and management-plane integration with external networks
• Define the services
• Define the virtual infrastructure requirements
    • Connectivity (L2 and/or L3)
    • Security
    • Performance
    • Integration with legacy infrastructure
    • Integration with WAN networks
• Select the orchestration system
• Select the hypervisor platform
• Select an overlay virtual networking solution that will support the services you want to offer
    • Easy integration with the orchestration system
    • Scalable implementation of network services
    • Scalable integration with external networks

Questions?
Send them to [email protected] or @ioshints