Branching Out with SDN (APRICOT 2015)

BRANCHING OUT WITH SDN: USING SDN TO BUILD L2/L3VPNS. Alastair JOHNSON, Alcatel-Lucent, March 2015 (slide deck dated 9-Mar-15, 19 slides)

Upload: nuage-networks, posted 16-Jul-2015

TRANSCRIPT

Copyright 2015 Alcatel-Lucent. All rights reserved.

BRANCHING OUT WITH SDN: USING SDN TO BUILD L2/L3VPNS

Alastair JOHNSON, March 2015

9-Mar-15

1


AGENDA

1. INTRODUCTION
2. TECHNOLOGY RECAP
   a. VXLAN
   b. EVPN
3. PUTTING IT TOGETHER
4. COMPARISON
5. CONCLUSION


SOFTWARE DEFINED NETWORKING

- New ways of thinking about existing ways of working
- Decoupled architecture means each vendor can focus on its strengths
- Decreased barrier to entry for startups provides multiple choices for customers
- Feature stability: long hardware cycles do not affect software features

[Figure: layered SDN architecture with Management/Policy above a Controller, and OS and Hardware below; several Hardware elements sit under the one controller]


INTRODUCTION

- The WAN space has been relatively unchanged for the better part of 15 years
  - IP-VPNs are fundamentally the same as they were in 2000 (RFC2547 published March 1999)
  - L2VPNs are fundamentally the same as they were in 2007
- The CPE has remained unchanged for the same period of time
  - Basically still the same device: vertically integrated hardware and software, running routing protocols and a variety of LAN/WAN interfaces
  - Maybe a little bit faster than it used to be


SOFTWARE DEFINED VPN (SD-VPN)

- What if there was a new way of thinking about VPN services which embraces the "smart edge, dumb core" philosophy?
- What if there was a way to change the CPE paradigm?
- What if there was a way to transport L2 services over any L3 network?
- What if there was a way to do this operationally efficiently?


TECHNOLOGY RECAP: VXLAN

- VXLAN encapsulates Ethernet in IP
  - Runs over IPv4 or IPv6
  - Uses UDP; the source port is a hash of the inner MAC or IP addresses to provide load-balancing entropy
  - The 8-byte VXLAN header provides a 24-bit VXLAN Network Identifier (VNI) and flags
  - Total encapsulation overhead is ~50 bytes
- VXLAN is routable with IP, so the underlay network may be any network that uses existing resiliency and load-balancing mechanisms
  - ECMP
  - IGPs/BGP
  - IP FRR
- VXLAN tunnel endpoints can be on network equipment or computing infrastructure
  - Deliver a VPN straight to a hypervisor

[Figure: VXLAN tunnel endpoints connected across IP networks (IP FRR, ECMP, IGP)]
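The header layout, the entropy source port and the ~50-byte overhead the slide lists can be worked through in a few lines. The following Python is an added example for this transcript, not code from the presentation or from Nuage Networks/Alcatel-Lucent: it builds the RFC 7348 header, checks the I flag on receipt, derives the outer UDP source port from the inner Ethernet header, and turns the overhead into the inner MTU an operator has to plan for. The CRC32 port hash and the sample frame are constructed (RFC 7348 only recommends hashing inner fields into the 49152-65535 range; it does not fix the hash function).

```python
"""VXLAN header construction and validation following the RFC 7348 layout
(8-byte header, 24-bit VNI, UDP transport) summarised on the slide.

Added worked example for this transcript; not Nuage Networks or
Alcatel-Lucent code. The sample frame and the CRC32-based port hash are
constructed for illustration.
"""
import struct
import zlib

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
ETH_HDR = 14
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
VXLAN_HDR = 8


def build_vxlan_header(vni: int) -> bytes:
    """8 octets: flags (1), reserved (3), VNI (3), reserved (1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    # The 24-bit VNI occupies the high 24 bits of the final 32-bit word;
    # reserved bits are zero on transmission.
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI from a received header. A header whose I flag is
    clear carries no valid VNI and is rejected; RFC 7348 says the
    reserved fields are ignored on receipt, so they are not checked."""
    if len(hdr) < VXLAN_HDR:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", hdr[:VXLAN_HDR])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI, drop packet")
    return word >> 8


def entropy_source_port(inner_frame: bytes) -> int:
    """Choose the outer UDP source port from a hash of the inner Ethernet
    header (dst MAC, src MAC, EtherType) so that underlay ECMP spreads
    flows. The result lands in the 49152-65535 range RFC 7348 recommends."""
    if len(inner_frame) < ETH_HDR:
        raise ValueError("inner frame shorter than an Ethernet header")
    h = zlib.crc32(inner_frame[:ETH_HDR])       # constructed choice of hash
    return 49152 + h % (65535 - 49152 + 1)


def build_udp_vxlan(inner_frame: bytes, vni: int) -> bytes:
    """UDP header + VXLAN header + inner frame (everything above the outer
    IP header). The UDP checksum is zero, which RFC 7348 allows over IPv4."""
    payload = build_vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame),
                      VXLAN_UDP_PORT, UDP_HDR + len(payload), 0)
    return udp + payload


def encapsulation_overhead(ipv6: bool = False) -> int:
    """Outer Ethernet + outer IP + UDP + VXLAN: 50 bytes over IPv4, 70 over IPv6."""
    return ETH_HDR + (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR + VXLAN_HDR


def inner_mtu(underlay_ip_mtu: int, ipv6: bool = False) -> int:
    """IP MTU left for tenant traffic: the outer IP/UDP/VXLAN headers and
    the inner Ethernet header all come out of the underlay IP MTU. This is
    why the ~50 bytes of overhead forces either a raised underlay MTU or a
    lowered overlay MTU."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return underlay_ip_mtu - (ip_hdr + UDP_HDR + VXLAN_HDR + ETH_HDR)


# Constructed sample inner frame: dst MAC, src MAC, EtherType IPv4, 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex("aabbccddeeff" "001122334455" "0800") + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    pkt = build_udp_vxlan(SAMPLE_FRAME, 123456)
    print("VNI", parse_vxlan_header(pkt[UDP_HDR:]),
          "overhead", encapsulation_overhead(),
          "inner MTU on a 1500-byte underlay", inner_mtu(1500))
```

With a 1500-byte underlay the tenant is left with 1450 bytes, which is the practical reason VXLAN deployments either raise the underlay MTU or clamp the overlay's; the parse function rejecting a header without the I flag is the receiver-side check that keeps a malformed encapsulation from being decapsulated into an arbitrary segment.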


TECHNOLOGY RECAP: EVPN

- EVPN over MPLS for VLL, VPLS and E-Tree services
  - All-active multihoming for VPWS
  - RSVP-TE or LDP MPLS protocols
- EVPN with PBB PE functionality for scaling very large networks over MPLS
  - All-active multihoming for PBB-VPLS
- EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations
  - Provides Layer 2 and Layer 3 DCI

[Figure: one EVPN MP-BGP control plane (RFC7432) over three data planes: Multiprotocol Label Switching (MPLS, RFC7432); Provider Backbone Bridges (PBB, draft-ietf-l2vpn-pbb-evpn); Network Virtualization Overlay (NVO, draft-ietf-bess-evpn-overlay)]


TECHNOLOGY RECAP: EVPN

- Brings proven and inherent BGP control plane scalability to MAC routes
  - Consistent signaled FDB in any size network instead of flooding
  - Even more scalability and hierarchy with route reflectors
- BGP advertises MACs and IPs for next hop resolution with EVPN NLRI
  - AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
  - Fully supports IPv4 and IPv6 in the control and data plane
- Offers greater control over MAC learning
  - What is signaled, from where and to whom
  - Ability to apply MAC learning policies
  - Maintains virtualization and isolation of EVPN instances
- Enables traffic load balancing for multihomed CEs with ECMP MAC routes

MAC Advertisement Route (fields shown in light green in the original figure are optional):
  Route Distinguisher (8 octets)
  Ethernet Segment Identifier (10 octets)
  Ethernet Tag ID (4 octets)
  MAC Address Length (1 octet)
  MAC Address (6 octets)
  IP Address Length (1 octet)
  IP Address (0 or 4 or 16 octets)
  MPLS Label1 (3 octets)
  MPLS Label2 (0 or 3 octets)


PUTTING IT TOGETHER

- EVPN delivers a control plane that can distribute MAC (L2) and IP (L3) reachability information
  - Scale is addressed: BGP has proven to scale well; federation becomes straightforward
  - Control is addressed: programmatic network topology, flexibility of routing policies
  - Efficiency is addressed: hybrid L2/L3 services over a single interface, redundancy and multi-homing included
- VXLAN delivers a data plane that can deliver Ethernet frames over an L3 transport
  - L2VPN, L3VPN, ... the Internet


A NEW WAY OF DELIVERING VPNS

- Controller programs the forwarding plane for all CPEs
  - Aware of all L2/L3 topology behind each CPE
  - Calculate once, program many
- CPE performs encapsulation of VPN traffic (VXLAN)
- Traffic is carried encapsulated over the underlay network
  - Underlay network could be any infrastructure
  - Unaware of the topology of the VPN service

[Figure: three sites (Site 1, Site 2, Site 3), each a LAN behind a CPE, connected over the Underlay; the SP Central Functions hold the SDN Controllers and the Policy DB]


A NEW WAY OF DELIVERING VPNS

- OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and provide notifications to the controller
  - MAC/IP address learning on LAN ports is reported to the controller
  - The controller determines whether the MAC/IP is to be programmed into the FIB
- Federation of topology between controllers via BGP-EVPN
  - MAC and IP reachability signaled
  - VXLAN VNI information combined with NEXT_HOP
- Redundancy of controllers is supported: the CPE vSwitch registers with and determines the active/standby controllers

[Figure: CPE speaking OpenFlow and OVSDB to its SDN Controller, with controllers federated by BGP EVPN; site LANs 10.1.0.0/24 behind 192.0.2.1 and 10.3.0.0/24 behind 192.0.2.3; 10.2.0.0/24 with host 10.2.0.1/32 at MAC aa:bb:cc:dd:ee:ff]


A NEW WAY OF DELIVERING VPNS

- CPEs forward directly to each other using VXLAN as the overlay
  - 10.1.0.0/24 NEXT_HOP 192.0.2.1, VNI 123456
  - 10.3.0.0/24 NEXT_HOP 192.0.2.3, VNI xyz
- The underlay network sees only VXLAN traffic between endpoints
- The dataplane can be further encapsulated for confidentiality (e.g. IPsec)

[Figure: VXLAN tunnel, VNI = 123456, between 192.0.2.1 (10.1.0.0/24) and 192.0.2.3 (10.3.0.0/24)]
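The route format on the EVPN recap slide and the "NEXT_HOP plus VNI" federation on the two slides above fit together in one worked example. The Python below is added for this transcript and is not code from the presentation or from Nuage Networks/Alcatel-Lucent: it encodes and decodes the MAC/IP Advertisement NLRI (RFC 7432 section 7.2, with the 24-bit VNI carried in the label field as draft-ietf-bess-evpn-overlay specifies for VXLAN), then shows a controller applying a MAC/IP learning policy before programming a CPE FIB keyed by MAC and IP to (VTEP NEXT_HOP, VNI). The MAC aa:bb:cc:dd:ee:ff, host 10.2.0.1, VNI 123456 and VTEPs 192.0.2.1/192.0.2.3 are the slides' own; the RD, the ESI, the VTEP 192.0.2.2 for site 2, the per-site prefix policy and the stray advertisement are constructed.

```python
"""EVPN MAC/IP Advertisement (route type 2) NLRI encoding and the FIB a
controller derives from it.

Added worked example for this transcript; not Nuage Networks or
Alcatel-Lucent code. Layout follows RFC 7432 section 7.2 with the VNI in
the 24-bit label field (draft-ietf-bess-evpn-overlay, later RFC 8365).
RD, ESI, 192.0.2.2 and the site prefix policy are constructed values.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ROUTE_TYPE_MAC_IP = 2
AFI_L2VPN, SAFI_EVPN = 25, 70      # the AFI/SAFI pair named on the slide

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class MacIpRoute:
    rd: bytes                       # Route Distinguisher, 8 octets
    esi: bytes                      # Ethernet Segment Identifier, 10 octets
    eth_tag: int                    # Ethernet Tag ID, 4 octets
    mac: bytes                      # MAC Address, 6 octets
    ip: Optional[IPAddr]            # 0, 4 or 16 octets on the wire
    label1: int                     # VNI when the overlay is VXLAN
    label2: Optional[int] = None    # optional second label


def _label(value: int) -> bytes:
    """3-octet label field; for VXLAN all 24 bits carry the VNI."""
    if not 0 <= value < (1 << 24):
        raise ValueError("label/VNI must fit in 24 bits")
    return value.to_bytes(3, "big")


def encode_nlri(r: MacIpRoute) -> bytes:
    """Route Type (1) + Length (1) + the fields listed on the recap slide."""
    if len(r.rd) != 8 or len(r.esi) != 10 or len(r.mac) != 6:
        raise ValueError("bad RD/ESI/MAC length")
    body = r.rd + r.esi + struct.pack("!I", r.eth_tag) + bytes([48]) + r.mac
    if r.ip is None:
        body += bytes([0])                          # IP Address Length = 0
    else:
        packed = r.ip.packed                        # 4 or 16 octets
        body += bytes([len(packed) * 8]) + packed   # length is in bits
    body += _label(r.label1)
    if r.label2 is not None:
        body += _label(r.label2)
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_nlri(data: bytes) -> MacIpRoute:
    """Parse one route type 2 NLRI, rejecting malformed lengths rather
    than installing whatever a peer happened to send."""
    if len(data) < 2 or data[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a MAC/IP Advertisement route")
    length, body = data[1], data[2:]
    if len(body) != length or len(body) < 8 + 10 + 4 + 1 + 6 + 1 + 3:
        raise ValueError("NLRI length mismatch or too short")
    rd, esi = body[0:8], body[8:18]
    eth_tag = struct.unpack("!I", body[18:22])[0]
    if body[22] != 48:
        raise ValueError("MAC Address Length must be 48 bits")
    mac, pos = body[23:29], 29
    ip_bits = body[pos]
    pos += 1
    if ip_bits not in (0, 32, 128):
        raise ValueError("IP Address Length must be 0, 32 or 128 bits")
    ip = None
    if ip_bits:
        n = ip_bits // 8
        ip = ipaddress.ip_address(body[pos:pos + n])
        pos += n
    rest = body[pos:]
    if len(rest) not in (3, 6):
        raise ValueError("expected one or two 3-octet labels")
    label1 = int.from_bytes(rest[:3], "big")
    label2 = int.from_bytes(rest[3:6], "big") if len(rest) == 6 else None
    return MacIpRoute(rd, esi, eth_tag, mac, ip, label1, label2)


Fib = Dict[str, Tuple[str, int]]   # MAC or IP text -> (VTEP NEXT_HOP, VNI)


def controller_program_fib(received: List[Tuple[MacIpRoute, str]],
                           site_prefixes: Dict[str, ipaddress.IPv4Network]) -> Fib:
    """The 'controller determines whether the MAC/IP is programmed' step:
    a route is installed only if its IP lies inside the prefix provisioned
    behind that NEXT_HOP (the advertising VTEP). Unknown VTEPs, MAC-only
    routes and out-of-site addresses are left out of the FIB."""
    fib: Fib = {}
    for route, next_hop in received:
        allowed = site_prefixes.get(next_hop)
        if allowed is None or route.ip is None or route.ip not in allowed:
            continue
        entry = (next_hop, route.label1)
        fib[route.mac.hex(":")] = entry
        fib[str(route.ip)] = entry
    return fib


SITE_PREFIXES = {                                  # provisioned site topology
    "192.0.2.1": ipaddress.ip_network("10.1.0.0/24"),
    "192.0.2.2": ipaddress.ip_network("10.2.0.0/24"),   # 192.0.2.2 is constructed
    "192.0.2.3": ipaddress.ip_network("10.3.0.0/24"),
}
SAMPLE_RD = bytes.fromhex("0001c00002020001")      # constructed type 1 RD 192.0.2.2:1


def sample_routes() -> List[Tuple[MacIpRoute, str]]:
    """Constructed advertisements, round-tripped through the wire encoding:
    the slide's host at site 2, plus a stray route for a site-1 address
    arriving from the site-3 VTEP (misconfigured or untrusted source)."""
    host = MacIpRoute(SAMPLE_RD, bytes(10), 0, bytes.fromhex("aabbccddeeff"),
                      ipaddress.ip_address("10.2.0.1"), 123456)
    stray = MacIpRoute(SAMPLE_RD, bytes(10), 0, bytes.fromhex("aabbccddee00"),
                       ipaddress.ip_address("10.1.0.9"), 123456)
    return [(decode_nlri(encode_nlri(host)), "192.0.2.2"),
            (decode_nlri(encode_nlri(stray)), "192.0.2.3")]


if __name__ == "__main__":
    for key, (vtep, vni) in controller_program_fib(sample_routes(), SITE_PREFIXES).items():
        print(f"{key:20} -> VTEP {vtep} VNI {vni}")
```

Only the site-2 host reaches the FIB; the stray route is dropped because its IP is outside the prefix the controller has provisioned behind 192.0.2.3. Keeping that check in the controller, rather than letting every CPE trust every received MAC/IP, is what the slide means by MAC learning policies and by maintaining isolation of EVPN instances.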


VPN FLEXIBILITY

- Overlays simplify network topology
  - SP network needs to know less about customer topology
- Increases flexibility of delivery: L2 services over L3, On Net, Off Net, Internet, etc.
- Provisioning simplified
  - Reuse of activation processes from broadband networks

[Figure: left, the traditional model with VRFs, BGP, Routing Policy, RIB scale, Failover/Redundancy, LAN ports, WAN ports and the Aggregation network as many provisioning touch points; right, the overlay model with one-time provisioning of the GRT and dynamic provisioning of the service]


OVERLAYS ENABLE SERVICE CHAINING

- Centralized policy enforcement
  - Firewall
    - Between zones/subnets/branch types
    - Extranet applications
    - To Internet through central functions
  - Content filtering
    - Selective content filtering (schools: teacher/student; public WiFi in retail environments bypasses)
  - Network analytics and monitoring
    - Tap and mirror
    - IDS/IDP
    - DPI and DLP

[Figure: CPE LANs connected over the WAN to a DC hosting the central functions, shown for two deployments]


INTERWORKING

How do I connect the new to the existing?

1. EVPN with VXLAN termination direct into existing MPLS PE routers
   - End-to-end network is BGP and VXLAN aware, allowing the PE routers to act as the VXLAN/MPLS interworking function
   - Streamlined and simplified routing
2. Use the CPE as gateway
   - Break VXLAN services out to Ethernet VLANs at the PE router
   - Faster to deploy but less flexible

[Figure: a Traditional VPN environment (IP/MPLS with VRFs, GRT, Internet) beside an Overlay VPN environment, joined by an IWF in option 1 and by the CPE in option 2]


COMPARISON

Traditional L2/L3VPN model                                    | Overlay VPN model
------------------------------------------------------------- | -----------------------------------------
Overlay driven (MPLS)                                         | Overlay driven (VXLAN)
Services limited to network reach                             | Service goes where IP is available
Distributed topology and control                              | Centralized control, distributed topology
High performance                                              | High performance with flexibility
Limited ability to introduce new functions (service chaining) | Native capability for service chaining


CONCLUSION

- SDN as a technology has now found proven deployment use-cases that make sense
  - Not just experiments or 'doing the same thing but differently'
  - Leveraging this technology from the DC to the WAN makes sense
- Overlays are not new
  - ATM, MPLS and IPv6 transition technologies have all been using overlay functions for years
- A service layer overlay is a natural evolution of the network
  - Segment Routing for TE
  - Overlay for service
- Real service provider use-cases exist for leveraging the same technology as deployed in datacenters
  - Speed, flexibility, optimization of network service delivery points


nuagenetworks.net/vns @nuagenetworks


REFERENCES

- VXLAN: RFC7348
- BGP MPLS-Based Ethernet VPN: RFC7209, RFC7432
- Greg HANKINS' NANOG presentation
- OpenVSwitch
- Florin BALUS' NANOG presentation on Cloud Networking
