branching out with sdn

Copyright 2015 Alcatel-Lucent. All rights reserved.

Branching out with SDNAlastair JOHNSON

Using SDN to build L2/L3VPNsMarch 2015


Agenda

1. Introduction2. Technology recap

a. VXLANb. EVPN

3. Putting it together4. Comparison5. Conclusion

04/15/2023

2


Introduction Software Defined Networking has significantly changed the

way that networking is deployed in some environments Research facilities, datacenters, etc Gaining traction in other parts of the network (core/edge, etc)

SDN is about abstraction and separation of control and forwarding functions, and the separation of hardware and software

It offers new ways of thinking about existing ways of working

3

2/28/15


Decoupled architecture means each vendor can focus on his strengths

Decreased barrier to entry for startups provides multiple choices for customers

Feature stability, long hardware cycles do not affect software features

Management, Policy

Hardware

OS

Controller

HardwareHardware

Software Defined Networking

4

28-Feb-15


Introduction The WAN space has been relatively unchanged for the better part of

15 years IP-VPNs are fundamentally the same as they were in 2000

RFC2547 published March 1999 L2VPNs are fundamentally the same as they were in 2007

The CPE has remained unchanged for the same period of time Basically still the same device: vertically integrated hardware and software,

running routing protocols and a variety of LAN/WAN interfaces Maybe a little bit faster than it used to be

2/28/15

5


Software Defined VPN (SD-VPN) What if there was a new way of thinking about VPN services

which embraces the smart edge dumb core philosophy? What if there was a way to change the CPE paradigm? What if there was a way to transport L2 services over any L3

network? What if there was a way to do this operationally efficiently?

2/28/15

6


Technology recap: VXLAN VXLAN encapsulates Ethernet in IP

Runs over IPv4 or IPv6 Uses UDP, source port is a hash of MAC or IPs to provide load

balancing entropy 8 byte VXLAN header provides 24 bit VXLAN Network

Identifier (VNI) and flags Total encapsulation overhead is ~50 bytes

VXLAN is routable with IP, so the underlay network may be any network that uses existing resiliency and load balancing mechanisms

ECMP IGPs/BGP IP FRR

VXLAN tunnel endpoints can be on network equipment or computing infrastructure

Deliver a VPN straight to a hypervisor

IP Network(IP FRR, ECMP, IGP)

IP Network

IP Network


DataPlane

ControlPlane

EVPN MP-BGPdraft-ietf-l2vpn-evpn

Technology Recap: EVPN

EVPN over MPLS for VLL, VPLS and E-Tree services

All-active multihoming for VPWS RSVP-TE or LDP MPLS protocols

EVPN with PBB PE functionality for scaling very large networks over MPLS

All-active multihoming for PBB-VPLS

EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations

Provides Layer 2 and Layer 3 DCI

Multiprotocol Label Switching

(MPLS)draft-ietf-l2vpn-evpn

Provider Backbone Bridges

(PBB)draft-ietf-l2vpn-pbb-evpn

Network Virtualization Overlay

(NVO)draft-sd-l2vpn-evpn-overlay


Technology Recap: EVPN Brings proven and inherent BGP control plane scalability to MAC

routes Consistent signaled FDB in any size network instead of flooding Even more scalability and hierarchy with route reflectors

BGP advertises MACs and IPs for next hop resolution with EVPN NLRI

AFI = 25 (L2VPN) and SAFI = 70 (EVPN) Fully supports IPv4 and IPv6 in the control and data plane

Offers greater control over MAC learning What is signaled, from where and to whom Ability to apply MAC learning policies

Maintains virtualization and isolation of EVPN instances Enables traffic load balancing for multihomed CEs with ECMP

MAC routes

Route Distinguisher (8 octets)

Ethernet Segment Identifier (10 octets)

Ethernet Tag ID (4 octets)

MAC Address Length (1 octet)

MAC Address (6 octets)

IP Address Length (1 octet)

IP Address (0 or 4 or 16 octets)

MPLS Label1 (3 octets)

MPLS Label2 (0 or 3 octets)

MAC Advertisement Route(Light Green Fields are Optional)


Putting it together EVPN delivers a control plane that can distribute MAC (L2) and IP (L3)

reachability information Scale is addressed: BGP has proven to scale well; federation becomes straight-

forward Control is addressed: programmatic network topology, flexibility of routing policies Efficiency is addressed: hybrid L2/L3 services over a single interface, redundancy

and multi-homing included VXLAN delivers a data plane that can deliver Ethernet frames over an L3

transport L2VPN, L3VPN, …the Internet

2/28/15

10


A new way of delivering VPNs Controller programs forwarding plane

for all CPEs Aware of all L2/L3 topology behind each

CPE Calculate once, program many

CPE performs encapsulation of VPN traffic (VXLAN)

Traffic is carried encapsulated over underlay network Underlay network could be any

infrastructure Unaware of topology of VPN service

CPE

Site 1

LAN

CPE

Site 3

LAN

CPE

Site 2

LAN

Underlay

Policy DB

SDN Controllers

SP Central Functions

Copyright 2015 Alcatel-Lucent. All rights reserved.12

A new way of delivering VPNs OpenFlow provides a mechanism to program the

L2/L3 forwarding information base (FIB) and provide notifications to the controller MAC/IP address learning on LAN ports are alerted

to the controller Controller determines whether the MAC/IP is to

be programmed into FIB Federation of topology between controllers via

BGP-EVPN MAC and IP reachability signaled VXLAN VNI information combined with NEXT_HOP

Redundancy of controllers is supported – CPE vSwitch registers and determines active/standby controllers

3/2/15

CPE

SDN Controller

OpenFlowOVSDB

BGP EVPN

10.0.0.0/24 10.1.0.0/24


A new way of delivering VPNs CPE forward directly between each

other using VXLAN as overlay 10.0.0.0/24 NEXT_HOP 192.0.2.1 VNI

xyz 10.1.0.0/24 NEXT_HOP 192.0.2.3 VNI

xyz Underlay network sees VXLAN traffic

between endpoints Dataplane can be further

encapsulated for confidentiality (e.g. IPsec)

3/2/15

10.0.0.0/24 10.1.0.0/24

192.0.2.1 192.0.2.3


VPN Flexibility Overlays simplify network

topology SP network needs to know less

about customer topology Increases flexibility of delivery – L2

services over L3, On Net, Off Net, Internet, etc

Provisioning simplified Reuse of activation processes from

broadband networks

3/2/15

VRF VRF

Many provisioning touch points

BGPRouting Policy

RIB scale Failover RedundancyLAN ports

WAN portsAggregation network

GRT GRT

Dynamic Provisioning

One-time Provisioning


Overlays enable service chaining Centralized policy enforcement

Firewall Between zones/subnets/branch types Extranet applications To Internet through central functions

Content filtering Selective content filtering (schools –

teacher/student; public WiFi in retail environments bypasses)

Network analytics and monitoring Tap and mirror IDS/IDP DPI and DLP

3/2/15

15

LANWAN

CPE DC

LAN CPE

LANWAN

CPEDC

LAN CPE


Interworking

How do I connect the new to the existing?1.EVPN with VXLAN termination direct

into existing MPLS PE routers End-to-end network is BGP and VXLAN

aware allowing for PE routers to act as VXLAN/MPLS interworking function

Streamlined and simplified routing

2.Use CPE as gateway Break VXLAN services out to Ethernet

VLANs at PE router Faster to deploy but less flexible

3/2/15

GRT VRFInternet IP/MPLS

VRF

VRFInternet

IP/MPLSVRF

Traditional VPN environmentOverlay VPN Environment IWF

Traditional VPN environmentOverlay VPN Environment


Comparison

Traditional VPN model• Well understood and widely

deployed• Expensive to maintain and scale• Inflexible for “cloud scale” service

consumption• Constrained by network reach• Service chaining challenging to

deploy

Overlay VPN model• New approach to networking that is

being aggressively proven in datacenters• Centralized control model reduces direct

operational cost• Scales to cloud: speed, flexibility• Service providers can extend services out

of network footprint and effectively use all network assets

• Natively enables service-chaining

2/28/15


Conclusion SDN as a technology has now found proven deployment use-

cases that make sense Not just experiments or ‘doing the same thing but differently’

Real service provider use-cases exist for leveraging the same technology as deployed in datacenters

Speed, flexibility, optimization of network service delivery points

2/28/15

18


nuagenetworks.net/vns @nuagenetworks


References VXLAN

RFC7348 BGP MPLS-Based Ethernet VPN

RFC7209 RFC7432 Greg Hankins’ NANOG presentation

OpenVSwitch

2/28/15

20

https://tools.ietf.org/html/rfc7348



https://www.youtube.com/watch?v=bueNa5-xTZ0

http://www.openvswitch.org/

branching out with sdn

Internet

vxlan vxlan

evpn evpn

igp ip network ip network

hypervisor ip network

network equipment

network coreedge

underlay network

l3 network