Ethernet VPN (EVPN) - Overlay Networks for Ethernet Services

Captions
Probably so. Hopefully the lunch was... here, with a small additional serving of alphabet soup, is our good friend Greg Hankins to present on EVPNs.

All right, good afternoon. I'm going to talk about Ethernet VPN, EVPN, and give you a little introduction, overview, and kind of some motivation and some things that you can do with it. All right, this works, OK.

So if you look at the way that Ethernet services have evolved, EVPN is just kind of an evolution of the way that we can deliver Ethernet services. It's not really a revolution; it's kind of just fixing some things that we can't really do with VPLS or other technologies right now. So first question: why another technology? We have VPLS, we have PBB, and those technologies are great; we've been using them for years and years to deliver Ethernet services. But there's a couple of things that haven't really changed, and that's primarily the control plane: we still rely on flooding and learning in order to build the forwarding database. EVPN kind of builds on all that operational experience that we have with VPLS and introduces a new model for Ethernet services that, again, kind of fixes some things that we can't do with VPLS right now. It kind of works in a layer 3 manner, so it uses MP-BGP to distribute MAC and IP routing information instead of flooding and learning, and it allows you to do a couple of new things to deliver Ethernet services, primarily for these applications: data center interconnect is a really popular one, virtualization services, and also integrated layer 2 and layer 3 VPN services that you can run over the same interface or the same VLAN, whereas before you needed a couple of different technologies to do that.

Operational benefits: what does this do for you, what does this mean for you? Integrated services is probably one of the big value adds for EVPN. Like I said, it gives you the ability to use one technology to deliver a layer 2 and layer 3 service on the same interface, whereas before you needed something like VPLS for layer 2 and then layer 3 VPN on top of that, and it just gets kind of complicated. Efficiency is a big focus for EVPN, and especially the ability to do multihoming. We have this concept called all-active forwarding, which load balances between the PEs; it gives you obviously more efficient service delivery, and you don't waste any bandwidth with an active and a standby link design. Flexibility is also a big part of EVPN: you have a control plane that uses MP-BGP, and then under that you have a choice of data plane encapsulations, and I'll go through all the different options in a little bit. And then also greater control: obviously if you use BGP to distribute MAC and IP routing information you can control that. You also have the ability to statically provision or program MACs into the router's forwarding database. We also have this functionality, which I'll go through in a little more detail, that allows the PEs to proxy ARP and ND, so you actually don't have the flooding across the network that you have today.

Oh, back up. This was kind of the technical version; if you wanted to kind of take this up a level then, you know, we would talk about cloud services and we'd throw in words like SDN and NFV and things like that. But this is the technical slide.

EVPN status: it's really a hot new technology in the IETF, and you can see that there's a bunch of different Internet drafts. The ones in red have expired, the ones in grey are moving forward, and the ones in green are kind of the ones that are going to be RFCs next. And then we also have our first RFC, which just came out a couple of weeks ago, which is the requirements RFC. So if you look at the drivers behind EVPN, there's kind of a diverse set of network operators and vendors that are collaborating together, so it's not a vendor technology, or a single-vendor technology, that someone's trying to push in the IETF. I really think that it is a collaborative approach to develop the best new technology that we can. From the vendor side we have Alcatel-Lucent, Cisco and Juniper, which are on the draft, and then from the network operator side we have big networks like AT&T, Bloomberg and Verizon as well. And we also have shipping implementations: Alcatel-Lucent, Cisco and Juniper are already shipping code, so you can actually get this and deploy it today if you wanted to.

OK, so let's talk about the layering a little bit. As I mentioned, we have an MP-BGP control plane, which is used to distribute the MAC and IP routing information; then you have a choice of data plane encapsulations, and these are the three most popular ones. If you go back to the slide with the Internet drafts you can see there are a bunch of other proposals to add different data planes. So MPLS is in the base specification; this is, I guess, the most popular one. It just runs over MPLS; you can deliver Ethernet services, you use RSVP-TE or LDP, whatever you have in your network today. You can also integrate it with PBB. This is a scaling mechanism so that you can have PBB on the edge to hide the customer MACs and just replace them with a backbone MAC, so it's a scaling mechanism. And then we also have, I guess, kind of a newer one, which is using an NVO data plane, so this could be VXLAN, NVGRE, or MPLS over GRE. VXLAN is probably the one that's most popular and the one that's shipping today.

So control plane learning: as I mentioned, we use MP-BGP. We know and love BGP; we've been using it for years and years to do layer 3 IP routing, so now we can use it to do layer 2 MAC/IP routing. So you get the inherent scalability of BGP; you could even add route reflection or something like that to build hierarchy. It's designed to support v6 from the very beginning, so there's no bolt-on or something to do v6. It uses an IP address, which can be an IPv4 or a v6 address, so from the very beginning IPv6 is fully integrated, so we love that. And the control, I think, is really an interesting mechanism: if you think about what we can do with BGP routing policy for layer 3, you can kind of extend that to develop interesting policies for layer 2.

This is the alphabet soup slide that Tony mentioned. Unfortunately, I hate showing these kinds of slides, but in the short amount of time we kind of have to just have a couple of concepts so that you know what we're even talking about in the next set of slides. So as I mentioned, we have the control plane learning and the data plane learning; we already talked about that. A couple of interesting and key concepts that EVPN introduces is this concept called all-active mode. Primarily it's probably dual homing, but in theory you could, you know, actually multi-home to any number of different devices. And the way that this works is that you just use LACP from the CE to the PEs, and you don't actually need multi-chassis LAGs; this just works with standard LACP, and EVPN actually introduces all the loop control mechanisms and things that you would need so that you don't have looping and things like that. The other key concept is the concept of a CE. This can be, yeah, it can be anything: it can be a router, it could be a switch, it could be a server with a VM or something like that. It's just some sort of edge device that's connected to the PE. And then there are a couple of other terminology things: the EVPN instance ID, that's just the EVI, and then it also has a concept of Ethernet segment, the ESI; that's just, you know, the Ethernet segment that's attached to the CEs from the PEs, and it uses this in the routing information. So a quick introduction to the alphabet soup. Then there are services. These aren't any new services that we aren't offering today; EVPN decided to just kind of define them so that we're all on the same page for services. So you have your standard VLAN-based service; this is, you know, a pipe from one location to another. You have a bundle service interface, which uses one bridge domain, and then you have something called the VLAN-aware bundle service interface, which actually uses multiple bridge domains. So just defining the terminology and making sure that we have a standard to talk about.

OK, so now you know a little bit about the background and motivation; let's talk about operations. There's a lot to it. I'm kind of going to skip through these slides in order to get to the interesting part, which is the applications, but EVPN basically has a bunch of mechanisms to make Ethernet work over a wide area network. So we have to do a couple of things to control loops and to provide for MAC mobility and things like that, and then I'll tell you about the different data planes too. So obviously when we have a dual path we have to worry about looping and flooding, so EVPN has two mechanisms. One is to control broadcast, unknown unicast and multicast from the core to the CE, and then we also have to control it in the other direction. So from the core to the CE we have this thing called the designated forwarder, and this is a router that's elected in order to forward the broadcast, unknown unicast and multicast frames, so that way you only have one router that forwards them onto the Ethernet segment and we don't get duplication. So kind of the other way around, from the core to the CE, we also have to control loops, because we don't want to echo frames back onto the segment from which they just came, so we have another mechanism to control looping from the CE to the core.

Proxy ARP and unknown unicast flooding suppression: this is a really important mechanism, so I do want to spend a little bit of time on this slide. But if you think about networks today, a lot of them are static, a lot of them can be provisioned, and there's really no need to have ARP and ND flooding and all this unknown unicast anymore. So it's kind of also a security issue: if you can lock down all the MACs in your network, obviously you have greater security, and maybe you don't have rogue stations coming on the network, or, you know, ARP spoofing and things like that. So what EVPN can do is actually suppress or even just completely eliminate unknown unicast flooding through a couple of different mechanisms. You have the ability to statically provision the ARP, you know, the ARP and ND, on the PE, and then all the PEs can locally proxy for those addresses, so it reduces the flooding to just that local segment. The other thing you can do is you can have snooping functionality, if you didn't want to program all the MACs statically, where it could snoop things like DHCP or things like that, and it would build the forwarding database that way. If you wanted to just provision everything statically you can completely disable learning, and then you don't have any of those problems.

Aliasing: this is kind of a mechanism to control if a MAC has been learned on one interface but not on the other. So if you look at this case, if you have a computer or server or something that doesn't have a lot of traffic, you could have, you know, just the MAC learned on one PE. So aliasing allows multipathing on the return, so that you always have multipathing and all-active forwarding.

MAC mobility is another important one, so I want to spend a little bit of time on this slide. Basically, in a network MACs move; that's reasonable and that's completely expected, but EVPN has to have a mechanism to advertise those MAC moves. So what it does is, when you have a MAC/IP route, it has a sequence number, and then those sequence numbers are incremented so that you can tell which one is the newest one, and then if there's a MAC move then it knows which route to use. So kind of as a corollary or function of MAC moves is also MAC duplication. Also, you know, we don't want to have loops on the network, so we have to have a mechanism to avoid loops, and the way that this works is that there's a timer that is configurable on implementations, and basically if it sees a number of moves within a certain period of time then it stops advertising the route and withdraws it, and depending on the implementation it'll restart after a timer or something like that; you could have the operator clear it. But basically what this does is it provides a per-MAC loop control. So this is kind of an interesting mechanism, because today if we have a loop in the network then generally the whole port gets shut down or the whole VLAN gets shut down or something like this, but this is a per-MAC loop control mechanism.

Mass withdraw: this is really just an optimization on withdrawing. So if a segment goes down then all MACs for that segment will be withdrawn instead of, you know, sending several withdraw messages for each individual MAC.

And then default gateway: this is an interesting thing. This is what allows you to do the integrated layer 2 and layer 3 services. In the base specification it supports a default route, and there's a draft right now in the IETF to allow just, you know, arbitrary routes to be injected. But the interesting thing is that if you have a data center or something like that, and if you configure the default gateways with the same MAC address, then when you have MAC moves the traffic is always forwarded to the closest destination. You don't have this situation where you have a station that moves across the network but still has the MAC address of the gateway that's across the network, so you don't want to keep tromboning that traffic around.

And then let's talk a little bit about the data plane. So MPLS, as I mentioned, is in the base specification. EVPN is really easy to deploy, by the way: if you have an MPLS network or just an IP network you can put it on your PEs, fire it up, you don't have to change anything in the core, and that makes it really easy to deploy. So EVPN over MPLS just runs over MPLS; whatever your MPLS network is today, EVPN will run over that. It supports all the features and functionality that we know and love from MPLS, so, you know, fast reroute, traffic engineering, all those kinds of things; so, you know, just standard stuff. You could integrate it with PBB. As I mentioned, this is really just a scaling or a MAC address hiding mechanism, so you can use the PBB backbone edge bridge functionality to hide the customer MACs and aggregate them with a backbone MAC. So you could do this, for example, if you had very large layer 2 networks and you wanted to reduce the number of routes in the EVPN, or also if you have customer MACs that you don't want in your backbone; you know, you want to protect your backbone from customers doing things with their MAC addresses, you could also use this mechanism. And then the last data plane, as I mentioned, that's really popular is VXLAN. So VXLAN typically kind of started out as a data center technology, but you could absolutely run EVPN just over an IP network using VXLAN as the data plane. So VXLAN, in case you haven't heard about it, just encapsulates Ethernet in IP. It's a really lightweight protocol; it's like 50 bytes overhead or something like that. And because VXLAN doesn't depend on any MPLS functionality it's, as I mentioned, simple to deploy, and you can deploy it over any IP network, and then it takes advantage of all the IP mechanisms that you have, so, you know, ECMP, IP fast reroute, all those kinds of things. And the neat thing is that you could actually even terminate the VXLAN endpoint in a VM on a hypervisor, so you could actually, you know, run the endpoint all the way down to the VM, which I don't think you can do with VPLS today.

OK, let's talk about some of the use cases. These are the most popular ones that our customers are asking us about. Data center interconnect, as I mentioned, obviously is a huge business with data centers. Layer 2 or layer 3 is equally easy to do; again, because we're using EVPN we have the ability to do layer 3 or layer 2 on the same interface, on the same VLAN or whatever you have terminating. So it provides all the benefits of data center interconnects: you have the ability to do MAC moves, you know, the programming or ND proxying, all those kinds of things, and again also the optimized routing, so you send traffic to the nearest destination to get routed instead of sending it all over the network.

Business services and infrastructure networks: this is kind of from the perspective of you as a service provider. If you had customers that wanted a layer 2 or layer 3 VPN service, it's really easy to do. You can have, again, the all-active forwarding, or if they just wanted, you know, sort of a primary and a redundant connection, you could do that too, absolutely. And, you know, again, any data plane will work: you can use IP, MPLS if you have an MPLS core already, and, you know, it's really simple to provision because you just have that single technology. And then this is kind of from the perspective the other way around. If you were a service provider and you need to build simple site-to-site networks, well, maybe you're buying transit from a number of different providers across your network, and it's hard to do MPLS inter-provider right now. So EVPN is a real easy way for you as a network operator to just fire up a simple VPN between sites. So it just uses IP, so you can use simple IP routing over any number of ASes; you know, if you have one transit provider or a number of transit providers, you just set up EVPN and, you know, there's your interconnect service.

OK, summary. EVPN is a next-generation VPN technology. It uses BGP to distribute the MAC and IP routing information. We have layer 3-like operations, so using MP-BGP it delivers layer 2 and layer 3 services integrated over the same interface, and you can use any control plane: MPLS, PBB-MPLS or VXLAN. And we have the ARP and ND proxying security function and the ability to program the network. And there is more information: I listed the IETF L2VPN working group, and then the most important RFC and drafts are there. Well, that was fast. So I went kind of fast because I gave this presentation at RIPE a couple of weeks ago, and I think we had at least 15 minutes of Q&A, so I wanted to leave some extra time for Q&A in case you had some questions.

So if there are questions for... well, we are all tired after lunch; a coma may be setting in, I don't know. Here's one at least.

Hello, Brandon Ewing with Layered Technologies. All your slides on the CE showed a single CE at each site. When you were talking about the loop prevention mechanisms, is there anything built in the protocol for loop prevention if you have multiple CE devices for a specific customer in a site?

Yes, so it uses the same mechanism, because they're all attached to the same... that was the ESI that I mentioned. They're all attached to the same Ethernet segment, so they all have the same Ethernet segment identifier, and that's what's used for loop control.

Thank you. OK, thanks.
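The MAC mobility sequence numbers and per-MAC duplicate detection that the talk describes, as an added Python example (not the speaker's slides or any vendor's implementation): a receiving PE keeps the route with the highest sequence number, counts moves between PEs inside a configurable window, and withdraws only the flapping MAC once the threshold is exceeded. The threshold of 5 moves within 180 seconds is the default that RFC 7432 later standardized; the MAC address, PE names and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MacRoute:
    pe: str                      # PE currently advertising the MAC
    seq: int                     # MAC mobility sequence number
    moves: List[float] = field(default_factory=list)  # timestamps of recent moves
    frozen: bool = False         # duplicate detected: withdrawn, not re-advertised


class MacMobilityTable:
    """Receiver-side view of EVPN MAC/IP routes with mobility sequence numbers.
    A MAC that moves more than max_moves times inside `window` seconds is treated
    as a duplicate (5 moves / 180 s are the RFC 7432 defaults; both configurable)."""

    def __init__(self, max_moves: int = 5, window: float = 180.0) -> None:
        self.max_moves = max_moves
        self.window = window
        self.routes: Dict[str, MacRoute] = {}

    def advertise(self, mac: str, pe: str, seq: int, now: float) -> str:
        """Process a MAC/IP route for `mac` from `pe` carrying sequence `seq`
        at time `now`; returns the action taken by the receiving PE."""
        cur = self.routes.get(mac)
        if cur is None:
            self.routes[mac] = MacRoute(pe, seq)
            return "install"
        if cur.frozen:
            return "frozen"       # per-MAC loop control: wait for timer or operator clear
        if seq <= cur.seq:
            return "ignore"       # not newer than the route we already hold
        if pe == cur.pe:
            cur.seq = seq
            return "refresh"      # same PE bumped the sequence number, no move
        cur.pe, cur.seq = pe, seq  # higher sequence from another PE: the MAC moved
        cur.moves = [t for t in cur.moves if now - t <= self.window] + [now]
        if len(cur.moves) > self.max_moves:
            cur.frozen = True     # stop advertising and withdraw just this MAC
            return "withdraw"
        return "move"

    def clear(self, mac: str) -> None:
        """Operator (or an expiry timer) clears the duplicate state for one MAC."""
        route = self.routes[mac]
        route.frozen, route.moves = False, []


def ping_pong(table: MacMobilityTable, mac: str, n: int, gap: float) -> List[str]:
    """Simulate a MAC flapping between PE1 and PE2 every `gap` seconds; each
    side advertises the previous sequence number plus one, as the talk describes."""
    actions = [table.advertise(mac, "PE1", 0, 0.0)]
    for i in range(1, n + 1):
        pe = "PE2" if i % 2 else "PE1"
        actions.append(table.advertise(mac, pe, i, i * gap))
    return actions


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"   # constructed sample MAC
    print(ping_pong(MacMobilityTable(), sample_mac, 7, 10.0))
```

Running it shows a fast flap being frozen after the sixth move, while the same number of moves spread more than 180 seconds apart is never treated as a duplicate.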
Info
Channel: NANOG
Views: 33,622
Rating: 4.6867471 out of 5
Keywords: Verilan, nanog, Network Operators, Overlay Network, The Internet Issue, Conference, nanog 61, Washington, Virtual Private Network (Invention), Internet Service Provider Industry, Bellevue (City/Town/Village)
Id: bueNa5-xTZ0
Length: 19min 53sec (1193 seconds)
Published: Mon Jun 02 2014