scaling overlay virtual networks
TRANSCRIPT
-
8/9/2019 Scaling Overlay Virtual Networks
1/135
Scaling Overlay Virtual Networks
Ivan Pepelnjak ([email protected])
Network Architect, ipSpace.net AG
Dimitri Stiliadis ([email protected])
CTO, Nuage Networks
This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
-
3 ipSpace.net 2014 Scaling Overlay Virtual Networks
Past
CTO of IT and security ventures
Architect of switches and routers
Researcher with focus in systems, networking, and security
Present
CTO of Nuage Networks
Focus
Large-scale SDN and cloud environments
Distributed systems
More @ ipSpace.net/About
-
Past
Kernel programmer, network OS and web developer
Sysadmin, database admin, network engineer, CCIE
Trainer, course developer, curriculum architect
Team lead, CTO, business owner
Present
Network architect, consultant, blogger, webinar and book author
Teaching the art of Scalable Web Application Design
Focus
Large-scale data centers, clouds and network virtualization
Scalable application design
Core IP routing/MPLS, IPv6, VPN
More @ ipSpace.net/About
-
Fully distributed data plane
Scale-out control plane
Availability zones
Hardware gateways
Large-scale microsegmentation
Scaling stateful services
Service chaining
-
Single VM (LAMP stack)
Typical SMB deployment
Simple web hosting
Multi-layer application architecture
Multiple security zones
Load balancing and firewalling
[Diagram: LAMP stack (Linux, Apache, MySQL, PHP) beside a multi-layer architecture with four web servers, two app servers, two caches, and primary and slave database servers]
-
Multiple logical segments
IP (sometimes MAC) connectivity within a segment
Routing, load balancing and/or firewalling between segments
Baseline firewalling within a segment
Connectivity to the outside world
[Diagram: web server, app server and DB server segments connected to the outside]
-
All overlay virtual networking solutions use distributed L2 forwarding
Scalability is limited by the control plane (distribution of VM MAC-to-VTEP IP mappings)
[Diagram: two hypervisors, each with an overlay module, kernel IP stack and TEP, connected over the IP transport (underlay) network; the VM's IP packet (unicast MAC frame) is encapsulated with the VNI and a hypervisor/router MAC between the TEPs]
-
Centralized (sometimes VM-based) inter-subnet forwarding doesn't scale
Virtual router (L3 agent) becomes a chokepoint
VM-based forwarding has limited performance
Avoid this architecture for east-west traffic forwarding
Use architecture with distributed layer-3 forwarding
Prefer dedicated in-kernel implementation over Linux kernel TCP/IP stack with namespaces or VM-based implementations
Sample products: Juniper Contrail, Microsoft Hyper-V, Nuage VSP, VMware NSX
[Diagram: overlay virtual network and outside network joined through a central virtual router]
-
Some overlay virtual networking solutions implement combined L2+L3 forwarding model
Intra-subnet ARP caching significantly reduces overlay broadcast traffic
Example: ARP request C → D
Intercepted by local L3 forwarding module
Replied from local ARP cache
Controller is contacted on ARP cache miss
Controller can reply with authoritative information or flood ARP request
[Diagram: two hypervisors over the IP (layer-3) transport network; the first hosts VMs A, B and C (VNIs 1 and 2), the second hosts D, E and F (VNIs 2 and 3); each overlay module includes a GW; C sends "ARP: C → D" with "MAC: C → bcast", and the local module answers "ARP: D = MAC-D" with "MAC: GW → C"]
Available in VMware NSX for vSphere, Nuage Networks VSP
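The ARP interception sequence above, as an added example (not code from the webinar or from any product it names); the OverlayModule and Controller classes, MAC addresses and IP addresses are constructed:

```python
"""Local ARP handling in a combined L2+L3 overlay module.

Added example, not code from the webinar or from any product it names. It models
the sequence on the slide: the overlay module intercepts an ARP request from a
local VM, answers from its ARP cache, asks the controller on a cache miss, and
floods the request into the overlay segment only when the controller has no
authoritative answer. Class names, MAC and IP addresses are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, str]  # (VNI, IP address): the cache is kept per segment


@dataclass
class Controller:
    """Constructed stand-in for the SDN controller's authoritative IP-to-MAC directory."""
    directory: Dict[Key, str]
    queries: int = 0  # how often hypervisors had to ask (control-plane load)

    def resolve(self, vni: int, ip: str) -> Optional[str]:
        self.queries += 1
        return self.directory.get((vni, ip))


@dataclass
class OverlayModule:
    """Hypervisor overlay module with local ARP interception and caching."""
    controller: Controller
    cache: Dict[Key, str] = field(default_factory=dict)
    flooded: List[Key] = field(default_factory=list)  # requests sent as overlay broadcast

    def handle_arp_request(self, vni: int, sender_mac: str, target_ip: str) -> Optional[dict]:
        """Return the unicast ARP reply sent back to the requesting VM, or None if flooded."""
        key = (vni, target_ip)
        mac = self.cache.get(key)
        if mac is None:
            # Cache miss: ask the controller before touching the overlay
            mac = self.controller.resolve(vni, target_ip)
            if mac is not None:
                self.cache[key] = mac
        if mac is None:
            # No authoritative answer: fall back to flooding, limited to this VNI
            self.flooded.append(key)
            return None
        # The reply is sourced by the local module, not by the remote VM (MAC: GW -> C on the slide)
        return {"vni": vni, "dst_mac": sender_mac, "target_ip": target_ip, "target_mac": mac}


def run_demo() -> Tuple[Optional[dict], Optional[dict], Optional[dict], int, List[Key]]:
    """Replay the slide's 'C asks for D' case, a repeat of it, and a request for an unknown target."""
    mac_c, mac_d = "00:00:5e:00:53:0c", "00:00:5e:00:53:0d"
    controller = Controller(directory={(2, "10.0.2.13"): mac_d})  # D lives in VNI 2
    module = OverlayModule(controller)
    first = module.handle_arp_request(2, mac_c, "10.0.2.13")    # miss -> controller query
    second = module.handle_arp_request(2, mac_c, "10.0.2.13")   # hit -> no controller query
    unknown = module.handle_arp_request(2, mac_c, "10.0.2.99")  # controller miss -> flood
    return first, second, unknown, controller.queries, module.flooded


if __name__ == "__main__":
    print(run_demo())
```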
-
Scaling network services
Scale-out load balancing is mission impossible (shared state tied to outside IP address)
Scale-out firewalls are common (state tied to a single VM)
Scale-out NAT is an interesting challenge
Implement traffic filters with VM NIC firewalls
Stateful firewalls or reflexive ACLs
Reflexive ACLs might be good enough for well-designed applications
VM-based solutions severely limit performance → use in-kernel filters
Sample solutions: Nuage VSP, VMware NSX, OpenStack/CloudStack on KVM
ACL-only solutions: Microsoft Hyper-V, VMware vSphere, Cisco Nexus 1000V
[Diagram: hypervisor and outside network]
-
Requirements for scalable data plane
Distributed L3 forwarding
Local ARP handling (ARP caching or pure L3 solution)
Distributed security groups implemented in hypervisors
-
Crucial overlay virtual network challenge: VM-MAC-to-VTEP-IP mappings
Initial implementations used IP multicast and Ethernet-like learning
Modern solutions use network controllers in combination with orchestration systems
Sample solutions: Cisco Nexus 1000V, Juniper Contrail, Nuage VSP, VMware NSX
[Diagram: two hypervisor VTEPs (overlay module, kernel IP stack) over the IP transport network, with an SDN controller and a cloud management system]
-
Some overlay networking solutions lack SDN controller element
Cloud management platform programs virtual switches directly
Hard to integrate with the physical network: static routes/MAC learning or VM-based solutions
SDN controller enables inter-cloud federation
Reachability data exchanged between controllers
Most SDN controllers use BGP for easy integration with existing hardware
[Diagram: SDN controller, CMP and inter-cloud federation]
-
Network controller becomes the scalability bottleneck
Control-plane-only controllers scale much better than controllers participating in data plane (hint: use CMP to get MAC and IP address information)
Every controller implementation eventually hits its limits → scale-out is the only answer
[Diagram: two hypervisor VTEPs over the IP transport network with a single controller]
-
Scale-out architecture is the only viable way forward
Requirement: Synchronization of policy and reachability information between controllers
Typical solution: multi-protocol BGP (MP-BGP)
L3VPN for IP routing (sometimes using host routes for VM IP addresses)
EVPN for layer-2 forwarding
Easy integration with existing hardware gateways
Additional benefits:
Clean failure domain separation (availability zones)
Adjustable size of failure domains to meet scalability and convergence requirements
-
Terminology:
VSP: Virtual Services Platform
CMP: Cloud Management Platform
VSD: Virtual Services Directory
VSC: Virtual Services Controller
VRS: Virtual Routing & Switching
Plane of operation:
VSD: Management/Policy
VSC: Control plane
VRS: Data plane
Scale-out architecture:
Single VSD per CMP
Multiple VSC per VSD (scale-out within CMP)
VSC confederation via MP-BGP (scale-out across CMP)
[Diagram: CMP, VSD, two VSCs each controlling two VRS instances, and VSG/PE; protocols shown: REST, XMPP, BGP]
-
Failure Domain: area impacted when a key device or service experiences problems
Sample failure domains:
VLAN (broadcast storms)
OSPF area (LSA flooding)
Controller-based network (controller failure)
Cloud instance (cloud management system failure)
[Diagram: CMP, VSD, two VSCs each controlling two VRS instances; protocols shown: REST, XMPP, BGP]
-
Regions: cloud instances with separate API endpoints
Separate instances of cloud management systems
Availability zone: logical group that provides a form of physical isolation and redundancy from other availability zones (OpenStack)
Common cloud management
Isolated compute/storage/networking failure domains
Each availability zone SHOULD have a different network services controller
[Diagram: CMP, VSD, two VSCs each controlling two VRS instances; protocols shown: REST, XMPP, BGP]
-
Cloud management platform fails?
No moves, adds or changes
Overlay virtual networking topology is frozen
High-availability clusters cannot recover
SDN controller fails?
Controllers involved in data plane (MAC learning or ARP replies) → total failure
Control-plane controllers → loss of reachability information
Controllers without external control plane → no visibility, no topology change
Each availability zone SHOULD have an independent SDN controller
[Diagram: two CMPs, an SDN controller, and federation between them]
-
Controller/orchestration infrastructure
Single CMP/VSD per region
VSD works on policy plane
VSD failure is similar to CMP failure
VSC per availability zone
VSC failure does not spread across zones
BGP information exchange through a set of route reflectors
Use BGP security mechanisms to protect availability zones
Pair of VSGs per availability zone (when needed)
Underlying infrastructure
Each availability zone = independent L3 forwarding domain
[Diagram: CMP, VSD, two VSCs each controlling two VRS instances, and VSG/PE; protocols shown: REST, XMPP, BGP]
-
VMs within an overlay virtual network must interact with the physical world
L2 gateways (VNI-to-VLAN)
P2V migrations
Integration with legacy equipment
L3 gateways
Multiple VNIs routed to a VLAN
Simple P2V or WAN integration
Network services gateway
Firewalls and load balancers
-
Deployment format
VM-based
Hypervisor kernel module
Bare-metal x86 server
Hardware VTEP
Design and deployment considerations
Performance
Control-plane integration with overlay fabric
Management plane integration with overlay network controller and orchestration system
Integration with existing network infrastructure (example: MPLS/VPN)
-
Gateway function implemented in a VM with multiple virtual NICs
VM performs traditional bridging/routing/network services functionality
Use any product available in VM format (including Linux instances)
Forwarded traffic goes through a VM → performance usually limited to few Gbps
[Diagram: gateway VM between the IP transport network (VXLAN over UDP over IP between hypervisor VTEPs, VNI in the header) and the outside network; the VM receives the IP packet with the appliance MAC and forwards it with a VLAN tag and the next-hop MAC; VXLAN flooding uses IP multicast and MAC multicast; VNIs map to a VLAN]
-
Typical gateway deployment scenarios
Integrate overlay networks with outside world → maximum performance = WAN link speed
Integrate overlay networks with legacy hardware → maximum performance = legacy hardware network I/O performance
Software gateway performance
Few Gbps for VM-based solutions
~10Gbps for kernel-based and bare-metal gateways
Hardware gateways offer the performance needed in large-scale deployments
-
Hardware Gateway needs the following information
Mapping between VXLAN VNI and external VLANs
VM-MAC-to-VTEP-IP mappings
VXLAN flooding information (IP MC address or VTEP list)
Solutions:
Do-it-yourself
OVSDB (VMware NSX, Nuage VSP)
EVPN (Nuage VSP, Juniper Contrail)
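The three pieces of gateway state just listed, used in an added example of an L2 (VNI-to-VLAN) gateway's forwarding decision; this is not code from the webinar or any vendor, the L2Gateway class and all addresses are constructed, and the header layout is RFC 7348's:

```python
"""VXLAN L2 gateway (VNI-to-VLAN) forwarding decision.

Added example, not code from the webinar or any gateway vendor. It models the three
pieces of state the slide lists for a hardware gateway: VNI-to-VLAN mappings,
VM-MAC-to-VTEP-IP mappings and per-VNI flooding information (an IP multicast group
or a VTEP list). A frame arriving on a physical VLAN is sent as unicast VXLAN to the
VTEP that owns the destination MAC, or flooded when the MAC is unknown or multicast;
a VXLAN packet from the overlay is decapsulated onto its VLAN. The 8-byte VXLAN
header follows RFC 7348; VTEP addresses, VNIs, VLANs and MACs are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08  # "VNI valid" flag


def vxlan_header(vni: int) -> bytes:
    """flags(8) reserved(24) VNI(24) reserved(8), network byte order."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)


def parse_vxlan(packet: bytes) -> Tuple[int, bytes]:
    """Return (VNI, inner Ethernet frame); reject packets without the I flag."""
    flags, _, _, word = struct.unpack("!BBHI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without valid VNI")
    return word >> 8, packet[8:]


def dst_mac(frame: bytes) -> str:
    return frame[:6].hex(":")


def is_multicast(mac: str) -> bool:
    return int(mac[:2], 16) & 1 == 1  # group bit of the first octet


@dataclass
class L2Gateway:
    vtep_ip: str
    vlan_to_vni: Dict[int, int]
    mac_to_vtep: Dict[Tuple[int, str], str]   # (VNI, MAC) -> remote VTEP IP
    flood: Dict[int, Union[str, List[str]]]   # VNI -> IP multicast group or VTEP list

    def from_vlan(self, vlan: int, frame: bytes) -> List[Tuple[str, str, bytes]]:
        """Encapsulate a VLAN frame; returns (outer src IP, outer dst IP, UDP payload) tuples."""
        vni = self.vlan_to_vni.get(vlan)
        if vni is None:
            return []  # VLAN not extended into the overlay: drop
        payload = vxlan_header(vni) + frame
        mac = dst_mac(frame)
        if not is_multicast(mac):
            remote = self.mac_to_vtep.get((vni, mac))
            if remote is not None:
                return [(self.vtep_ip, remote, payload)]  # known MAC: unicast to its VTEP
        targets = self.flood[vni]
        if isinstance(targets, str):
            return [(self.vtep_ip, targets, payload)]  # one copy to the IP multicast group
        # VTEP list: head-end replication, never back to ourselves
        return [(self.vtep_ip, t, payload) for t in targets if t != self.vtep_ip]

    def from_overlay(self, packet: bytes) -> Optional[Tuple[int, bytes]]:
        """Decapsulate towards the VLAN mapped to the packet's VNI; None if unmapped."""
        vni, frame = parse_vxlan(packet)
        for vlan, mapped in self.vlan_to_vni.items():
            if mapped == vni:
                return vlan, frame
        return None


def make_frame(dst: str, src: str, payload: bytes = b"\x08\x00") -> bytes:
    """Minimal Ethernet frame: dst MAC, src MAC, then the rest (constructed)."""
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + payload


def demo_gateway() -> L2Gateway:
    return L2Gateway(
        vtep_ip="192.0.2.1",
        vlan_to_vni={100: 5001, 200: 5002},
        mac_to_vtep={(5001, "00:00:5e:00:53:aa"): "192.0.2.20"},
        flood={5001: ["192.0.2.1", "192.0.2.20", "192.0.2.30"], 5002: "239.1.1.2"},
    )
```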
-
OVSDB
Lightweight JSON-RPC-based database query/update protocol
OVSDB database table schema defines the actual data
Hardware VTEP schema
Physical switch + ports
Logical switch + router
Local and remote MAC mappings
SDN controller uses OVSDB to
Configure VXLAN-to-VLAN mappings
Push MAC mappings to VTEP
Receive physical MAC addresses from VTEP
MPLS/VPN integration through VLANs (Inter-AS Option A)
-
Network virtualization controller and hardware gateway use EVPN and L3VPN to exchange forwarding data
EVPN provides MAC-to-VTEP mappings
L3VPN integrates overlay virtual networks with MPLS/VPN
Gateway provisioning uses a different protocol (ex: NETCONF)
EVPN forwarding information
VTEP flood list (Inclusive Multicast Ethernet Tag route)
MAC-to-VTEP mapping (MAC/IP Address Advertisement route)
Propagation of IP addresses enables proxy ARP functionality
MPLS/VPN integration through MP-BGP (same domain or inter-AS Option B/C)
-
MPLS/VPN
PE-router sends VPNv4 or EVPN update to Nuage VSC
VSC installs forwarding entries with BGP next hop + label in VRS
VM sends IP packet to server (and GW MAC)
IP router in VRS performs L3 lookup
IP packet is encapsulated in MPLS-GRE-IP or VXLAN-UDP-IP envelope
PE router receives MPLS/VPN or VXLAN packet
PE router forwards VPN IP packet
[Diagram: Nuage VRS (with GW) connected over the underlay IP transport network to a PE router at the MPLS/VPN edge; the VSC exchanges MP-BGP with the PE and programs the VRS via OpenFlow; packet at each step: "IP: A → S" with "MAC: A → GW" from the VM, MPLS label + GRE header + IP to PE (VTEP) from the VRS, IP/MPLS to S from the PE]
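Steps 1 to 5 of the flow above, as an added example (not Nuage's code): a VPNv4 route installed into a VRF, the longest-prefix-match lookup and the MPLS-over-GRE envelope, plus the PE-side decapsulation; the Vrf class, prefixes, labels and addresses are constructed.

```python
"""VRS forwarding towards an MPLS/VPN PE router: VPN route -> L3 lookup -> MPLS-over-GRE.

Added example, not Nuage's code. It models steps 1-5 of the slide: the VSC receives a
VPNv4 route (prefix, BGP next hop = PE address, VPN label) and installs it in the VRS
VRF; a VM sends an IP packet to server S with the gateway MAC; the VRS does a
longest-prefix-match and wraps the packet in an MPLS label stack entry (RFC 3032)
inside GRE (RFC 2784, protocol type 0x8847) inside an outer IP header to the PE. The
PE side strips the envelope and recovers the label. Prefixes, labels and addresses
are constructed.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

GRE_PROTO_MPLS_UNICAST = 0x8847
Route = Tuple[ipaddress.IPv4Network, str, int]  # (prefix, PE next hop, VPN label)


def mpls_lse(label: int, ttl: int, bos: bool = True, tc: int = 0) -> bytes:
    """Label stack entry: label(20) TC(3) S(1) TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | (ttl & 0xFF))


def gre_header(proto: int = GRE_PROTO_MPLS_UNICAST) -> bytes:
    """Minimal GRE: no checksum/key/sequence flags, version 0, then the protocol type."""
    return struct.pack("!HH", 0, proto)


class Vrf:
    """Per-tenant VRF inside the VRS, populated by the VSC from MP-BGP updates."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def install_vpn_route(self, prefix: str, next_hop: str, label: int) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, label))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

    def lookup(self, dst_ip: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst_ip)
        return next((r for r in self.routes if addr in r[0]), None)


def vrs_forward(vrf: Vrf, vrs_ip: str, dst_ip: str, inner_packet: bytes) -> Optional[dict]:
    """L3 lookup plus encapsulation; None means no VPN route (packet dropped)."""
    route = vrf.lookup(dst_ip)
    if route is None:
        return None
    _, pe_ip, label = route
    return {
        "outer_src": vrs_ip,   # underlay address of this hypervisor
        "outer_dst": pe_ip,    # BGP next hop from the VPNv4 route
        "ip_proto": 47,        # GRE
        "payload": gre_header() + mpls_lse(label, ttl=64) + inner_packet,
    }


def pe_receive(payload: bytes) -> Tuple[int, bool, bytes]:
    """PE side: validate GRE, pop the VPN label, return (label, bottom-of-stack, inner packet)."""
    flags, proto = struct.unpack("!HH", payload[:4])
    if flags != 0 or proto != GRE_PROTO_MPLS_UNICAST:
        raise ValueError("unexpected GRE header")
    (lse,) = struct.unpack("!I", payload[4:8])
    return lse >> 12, bool((lse >> 8) & 1), payload[8:]


def demo() -> Tuple[Optional[dict], Optional[dict], Tuple[int, bool, bytes]]:
    vrf = Vrf()
    vrf.install_vpn_route("172.16.0.0/16", "198.51.100.1", 3001)  # aggregate via PE1
    vrf.install_vpn_route("172.16.5.0/24", "198.51.100.2", 3002)  # more specific via PE2
    packet = b"constructed IP packet A -> S"
    to_s = vrs_forward(vrf, "192.0.2.1", "172.16.5.10", packet)  # matches the /24
    no_route = vrs_forward(vrf, "192.0.2.1", "10.9.9.9", packet)  # no VPN route
    return to_s, no_route, pe_receive(to_s["payload"])


if __name__ == "__main__":
    print(demo())
```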
-
Deployment format
Low bandwidth → VM
High bandwidth → hardware VTEP
Integration requirements
Physical VLANs → OVSDB or EVPN
MPLS/VPN WAN → EVPN + L3VPN
Choose an SDN controller that supports all the options you need
-
High-level view
Assign VMs to groups
Specify filtering rules between groups
Typical implementations
Packet filter (OVS or Linux iptables)
Each group exploded into a list of IP addresses
ACL = Cartesian product of source-destination IP addresses
[Diagram: outside network and the VM groups]
From    To      Port
Any     Web     80
Any     Web     443
Web     App     9000
App     DB      3306
Mgmt    All-VM  22
-
Group membership: Web = W1, W2, W3; App = A1, A2; DB = D1, D2
Exploded ACL (first rules shown):
From    To      Port
Any     W1      80
Any     W2      80
Any     W3      80
Any     W1      443
Any     W2      443
Any     W3      443
W1      A1      9000
W1      A2      9000
W2      A1      9000
W2      A2      9000
W3      A1      9000
W3      A2      9000
-
Security group ACL = Cartesian product of IP addresses → long ACLs (performance usually degrades linearly with the ACL length)
Whole ACL deployed on all VM NICs → even further performance degradation
Any change in security group membership (VM adds or removals) propagates to all hypervisors running tenant VMs
[Diagram: hypervisor holding the group rule table, SDN controller and outside network]
-
Security group membership = BGP community
Remote VM security group attached to IP or MAC route
Local VM security group attached to VM port
Typical sequence of events:
1. New VM is started on a hypervisor
2. VRS notifies VSC
3. VSC notifies VSD
4. VSD assigns VM into a security group and replies to VSC
5. VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group)
6. ACL is not changed
[Diagram: VSD and VSC above two VRS instances connected by the transport network]
-
66 ipSpace.net 2014 Scaling Overlay Virtual Networks
Typical sequence of events:
New VM is started on a hypervisor
VRS notifies VSC
VSC notifies VSD
VSD assigns VM into a security group and replies to VSC
VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group)
VSC originates new EVPN and IPVPN route (security group = BGP community)
VSC sends BGP update to its BGP peers
Remote VSC updates forwarding entries in remote VRS
ACL is not changed

(Diagram: VSD, local VSC and remote VSC, with VRS instances on both sides of the transport network)
72 ipSpace.net 2014 Scaling Overlay Virtual Networks
VM sends an IP packet
Ingress ACL check on ingress VRS
  From security group = VM NIC group
  To security group = BGP community
Encapsulated VM frame is sent across the transport network
Egress ACL check on egress VRS
  From security group = BGP community
  To security group = VM NIC group
Packet is delivered to target VM

(Diagram: VSD, local and remote VSC, ingress and egress VRS across the transport network)
81 ipSpace.net 2014 Scaling Overlay Virtual Networks
Security groups (in BGP communities) can extend across MPLS/VPN backbone
Automatic ingress/egress filters on VM NICs
Requires trust (or strict filters) between cloud and MPLS/VPN networks

VM to remote host:
VM sends a packet
Ingress ACL on VRS
IP packet sent from VRS to PE-router
IP packet delivered to remote host

Remote host to VM:
IP packet received by PE-router
IP packet delivered to VRS
Egress ACL on VRS
Packet delivered to VM

(Diagram: VSC and VRS in the cloud, transport network, PE-router into the MPLS backbone)
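The mechanism on the slides above (security group carried as a BGP community, group-to-group ACL evaluated on both the ingress and the egress VRS, and the strict import filter the MPLS/VPN extension calls for) as an added Python model; this is my example, not Nuage code or anything from the webinar. The class and function names (VRS, VSC, Route, forward, demo), the "<asn>:<group>" community encoding, and every address and group id are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ASN = 65000  # constructed: ASN used in the community values below


def community(group_id: int) -> str:
    """Security group membership = BGP community, encoded as "<asn>:<group>"."""
    return f"{ASN}:{group_id}"


def group_from_communities(communities: Set[str]) -> Optional[int]:
    """Recover the security group from the communities attached to a route."""
    for c in communities:
        asn, gid = c.split(":")
        if int(asn) == ASN:
            return int(gid)
    return None


@dataclass
class Route:
    vm_ip: str
    vtep: str
    communities: Set[str] = field(default_factory=set)


@dataclass
class VRS:
    """Hypervisor forwarding agent: local VM ports plus routes learned via its VSC."""
    vtep: str
    acl: Set[Tuple[int, int]]                               # permitted (from_group, to_group)
    ports: Dict[str, int] = field(default_factory=dict)     # local VM IP -> group on the VM port
    routes: Dict[str, Route] = field(default_factory=dict)  # remote VM IP -> route

    def group_of(self, vm_ip: str) -> Optional[int]:
        """Local VM: group attached to the VM port. Remote VM: group carried by its route."""
        if vm_ip in self.ports:
            return self.ports[vm_ip]
        route = self.routes.get(vm_ip)
        return group_from_communities(route.communities) if route else None

    def permitted(self, src_ip: str, dst_ip: str) -> bool:
        """The same group-to-group check runs on the ingress and on the egress VRS."""
        src_group, dst_group = self.group_of(src_ip), self.group_of(dst_ip)
        if src_group is None or dst_group is None:
            return False  # endpoint without a known group: nothing can permit it
        return (src_group, dst_group) in self.acl


class VSC:
    """Controller for one VRS: originates routes for local VMs, imports routes from peers."""
    def __init__(self, vrs: VRS, trusted_peers: Set[str]):
        self.vrs = vrs
        self.trusted_peers = trusted_peers  # peers whose communities are believed as-is
        self.peers = []                     # other VSCs (BGP peers)

    def vm_started(self, vm_ip: str, group: int) -> Route:
        """Group assigned by VSD: attach it to the port, originate the route, update peers."""
        self.vrs.ports[vm_ip] = group
        route = Route(vm_ip, self.vrs.vtep, {community(group)})
        for peer in self.peers:
            peer.receive(route, from_peer=self.vrs.vtep)
        return route

    def receive(self, route: Route, from_peer: str) -> None:
        """Import policy: communities from an untrusted peer (e.g. an MPLS/VPN PE) are stripped."""
        comms = set(route.communities) if from_peer in self.trusted_peers else set()
        self.vrs.routes[route.vm_ip] = Route(route.vm_ip, route.vtep, comms)


def forward(ingress: VRS, egress: VRS, src_ip: str, dst_ip: str) -> bool:
    """Packet path: ingress ACL on the sending VRS, transport, egress ACL on the receiving VRS."""
    return ingress.permitted(src_ip, dst_ip) and egress.permitted(src_ip, dst_ip)


def demo() -> dict:
    """Walk through the slides' sequence of events and return the observable results."""
    WEB, DB = 10, 20  # constructed security group ids
    acl = {(WEB, DB)}  # web may talk to db, nothing else; expressed on groups, not addresses
    vrs1, vrs2 = VRS("10.0.0.1", acl), VRS("10.0.0.2", acl)
    vsc1, vsc2 = VSC(vrs1, {"10.0.0.2"}), VSC(vrs2, {"10.0.0.1"})
    vsc1.peers, vsc2.peers = [vsc2], [vsc1]
    vsc1.vm_started("192.168.1.10", WEB)
    vsc2.vm_started("192.168.2.10", DB)
    results = {"web_to_db": forward(vrs1, vrs2, "192.168.1.10", "192.168.2.10")}
    results["db_to_web"] = forward(vrs2, vrs1, "192.168.2.10", "192.168.1.10")
    vsc1.vm_started("192.168.1.11", WEB)  # second web VM: routes change, the ACL does not
    results["new_web_to_db"] = forward(vrs1, vrs2, "192.168.1.11", "192.168.2.10")
    results["acl_unchanged"] = acl == {(WEB, DB)}
    # A route from an untrusted PE claiming WEB membership: community stripped, traffic denied
    vsc2.receive(Route("172.16.0.5", "pe", {community(WEB)}), from_peer="pe-router")
    results["untrusted_claim"] = vrs2.permitted("172.16.0.5", "192.168.2.10")
    return results
```

Run demo() to see the checks; the "untrusted_claim" entry is the case the "strict filters" bullet is about.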
83 ipSpace.net 2014 Scaling Overlay Virtual Networks
Scale-out NAT is a hard problem
No guarantee of symmetrical paths (best case: rehashing after topology change)
Shared state tied to outside IP address
State must be distributed and synchronized across all NAT cluster members

(Diagram: NAT cluster members sharing state)

Maybe we're solving the wrong problem
85 ipSpace.net 2014 Scaling Overlay Virtual Networks
Virtual machines with public IP addresses (floating IP address): static stateless NAT
Access to outside servers: dynamic stateful NAPT, outside source address is irrelevant
Equivalent to Amazon VPC behavior

(Diagram: floating IP address path and NAT path to the outside)
94 ipSpace.net 2014 Scaling Overlay Virtual Networks
Setup
Floating IP from public vDRS is allocated to a tenant VM
1:1 NAT rule is created on the hypervisor

Internal communication
Destination IP address is within tenant vDRS
NAT rule is not invoked

Outside-to-inside
Packet sent to IP address in public vDRS (received by hypervisor)
Hypervisor translates destination IP address to VM IP address

Inside-to-outside
VM sends packet to a destination unreachable in tenant vDRS
Per-VM default route pushes the packet through NAT rule into public vDRS

NAT rule is stateless and active on a single hypervisor

(Diagram: tenant vDRS (VRF) and public vDRS (VRF) on the hypervisor holding the F-IP, outside VSG/PE across the transport network)
103 ipSpace.net 2014 Scaling Overlay Virtual Networks
Setup
IP from public vDRS (H-IP) is allocated to each hypervisor

Inside-to-outside
VM sends packet to a destination unreachable in tenant vDRS
Default route pushes the packet through NAT rule into public vDRS
Stateful NAT entry is created in the hypervisor
Packet is delivered to the outside server

Outside-to-inside
Return packet is sent to IP address in public vDRS (received by hypervisor)
Hypervisor uses PNAT entry to translate destination IP address to VM IP address
Translated packet is delivered to target VM

The goal is connectivity, not specific NAT outside address

(Diagram: tenant vDRS (VRF) and public vDRS (VRF) on each hypervisor holding its own H-IP, outside VSG/PE across the transport network)
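The two hypervisor-local NAT flavours above (floating IP as a stateless 1:1 rule, H-IP as a per-hypervisor stateful NAPT) as an added Python model that is not from the webinar or from Nuage; the Packet and Hypervisor classes, deliver_inbound, the sequential port allocation and every address are my assumptions. It shows why return traffic always lands on the hypervisor that created the NAPT entry, why no state has to be shared with other hypervisors, and why an unsolicited packet to the H-IP is dropped.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Hypervisor:
    """One hypervisor: per-VM floating-IP rules plus its own H-IP NAPT table."""
    name: str
    h_ip: str                                    # H-IP allocated from the public vDRS
    tenant_net: ipaddress.IPv4Network            # addresses reachable inside the tenant vDRS
    floating: Dict[str, str] = field(default_factory=dict)  # VM IP -> F-IP (1:1, stateless)
    napt: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    napt_rev: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024  # assumption: sequential source-port allocation on the H-IP

    def outbound(self, pkt: Packet) -> Packet:
        """VM -> outside: the per-VM default route decides whether a NAT rule is invoked."""
        if ipaddress.ip_address(pkt.dst_ip) in self.tenant_net:
            return pkt  # internal communication: NAT rule is not invoked
        if pkt.src_ip in self.floating:
            return replace(pkt, src_ip=self.floating[pkt.src_ip])  # static 1:1, no state
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.napt:  # first packet of the flow: create the stateful entry
            port, self.next_port = self.next_port, self.next_port + 1
            self.napt[key] = port
            self.napt_rev[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.h_ip, src_port=self.napt[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> this hypervisor; returns None when the packet must be dropped."""
        for vm_ip, f_ip in self.floating.items():
            if pkt.dst_ip == f_ip:
                return replace(pkt, dst_ip=vm_ip)  # stateless: works for unsolicited traffic
        if pkt.dst_ip == self.h_ip:
            hit = self.napt_rev.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
            if hit is None:
                return None  # no matching PNAT entry: unsolicited, dropped
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        return None  # not an address this hypervisor owns


def deliver_inbound(cluster: List[Hypervisor], pkt: Packet):
    """Public vDRS routing: an outside packet reaches the hypervisor that owns its destination IP."""
    for hv in cluster:
        if pkt.dst_ip == hv.h_ip or pkt.dst_ip in hv.floating.values():
            return hv, hv.inbound(pkt)
    return None, None


def demo() -> dict:
    """Run both NAT flavours across two hypervisors; all addresses are constructed examples."""
    tenant = ipaddress.ip_network("10.1.0.0/16")
    hv1 = Hypervisor("hv1", "203.0.113.1", tenant, floating={"10.1.0.10": "203.0.113.100"})
    hv2 = Hypervisor("hv2", "203.0.113.2", tenant)
    cluster = [hv1, hv2]
    out = {}
    internal = Packet("10.1.0.10", 40000, "10.1.5.5", 80)
    out["internal_unchanged"] = hv1.outbound(internal) == internal
    hv, pkt = deliver_inbound(cluster, Packet("198.51.100.7", 5555, "203.0.113.100", 22))
    out["fip_inbound"] = (hv.name, pkt.dst_ip)  # reaches the VM with no prior state
    out["fip_outbound_src"] = hv1.outbound(Packet("10.1.0.10", 40000, "198.51.100.7", 443)).src_ip
    translated = hv2.outbound(Packet("10.1.0.20", 51000, "198.51.100.7", 443))
    out["napt_src"] = (translated.src_ip, translated.src_port)
    ret = Packet("198.51.100.7", 443, translated.src_ip, translated.src_port)
    hv, back = deliver_inbound(cluster, ret)
    out["napt_return"] = (hv.name, back.dst_ip, back.dst_port)  # lands on hv2, the state owner
    out["napt_entries"] = (len(hv1.napt), len(hv2.napt))        # hv1 holds no state: none needed
    out["unsolicited_dropped"] = hv2.inbound(Packet("198.51.100.9", 80, hv2.h_ip, 1024)) is None
    return out
```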
116 ipSpace.net 2014 Scaling Overlay Virtual Networks
Layer-2 frames redirected to a transparent (bump-in-wire) appliance
Based on MAC (potentially IP) headers

(Diagram: hosts A and B sending to S through the appliance; frame headers shown as MAC-A MAC-S IP-A IP-S and MAC-B MAC-S IP-B IP-S on both sides of the appliance)
127 ipSpace.net 2014 Scaling Overlay Virtual Networks
Layer-3 frames redirected to a transparent or inter-subnet appliance
Based on IP headers
Might require MAC header rewrite

(Diagram: hosts A and B sending to S via gateway G through the appliance with MAC-F; frame headers shown as MAC-A MAC-G IP-A IP-S, MAC-G MAC-S IP-A IP-S, MAC-B MAC-G IP-B IP-S, MAC-F MAC-S IP-B IP-S and MAC-G MAC-S IP-B IP-S)
Might require MAC header rewrite
MAC-G MAC-S IP-B IP-SMAC-F
9 of 11This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
S
MAC-G MAC-S IP-A IP-SMAC-A MAC-G IP-A IP-S
A
-
8/9/2019 Scaling Overlay Virtual Networks
127/135
128 ipSpace.net 2014 Scaling Overlay Virtual Networks
B
S
Layer-3 frames redirected to a transparent or inter-subnet appliance Based on IP headers
Might require MAC header rewrite
MAC-G MAC-S IP-B IP-SMAC-B MAC-F IP-B IP-S MAC-F
10 of 11This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
S
MAC-G MAC-S IP-A IP-SMAC-A MAC-G IP-A IP-S
A
-
8/9/2019 Scaling Overlay Virtual Networks
128/135
129 ipSpace.net 2014 Scaling Overlay Virtual Networks
B
S
Layer-3 frames redirected to a transparent or inter-subnet appliance Based on IP headers
Might require MAC header rewrite
Typical implementation
Policy-based routing (PBR)
MAC rewrite is automatic
Hard to implement for appliances not close to the forwarding path
MAC-G MAC-S IP-B IP-SMAC-B MAC-F IP-B IP-S MAC-F
11 of 11This material is copyrighted and licensed for the sole use by Dimitar Stojanovski ([email protected] [164.143.240.34]). More information at http://www.ipSpace.net/Webinars
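The PBR redirect described on this slide, as an added example that is not part of the webinar material or any vendor's code: a small Python model of gateway G redirecting Layer-3 traffic from host B through a transparent appliance F on its way to server S, while host A's traffic is routed normally. The host, gateway and appliance names follow the figure labels; the MAC and IP addresses, the Gateway/Appliance classes, the PbrRule match fields and the walk helper are assumptions made for this example.

```python
"""Added example (not from the ipSpace.net slides): a toy model of policy-based
routing (PBR) redirecting Layer-3 traffic through an inline appliance, showing
that the match is on IP headers and the action is a MAC header rewrite.
Host/gateway/appliance names follow the figure (A, B, S, G, F); the addresses,
classes and helpers below are constructed for this example."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample addresses (locally administered MACs, RFC 1918 IPs).
MAC = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b",
       "S": "02:00:00:00:00:05", "G": "02:00:00:00:00:01",
       "F": "02:00:00:00:00:0f"}
IP = {"A": "10.1.1.10", "B": "10.1.2.20", "S": "10.1.3.30"}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class PbrRule:
    """Match on IP headers (and the ingress port the policy is applied to);
    the action is a next-hop MAC, i.e. the appliance port."""
    ingress: str
    src: IPv4Network
    dst: IPv4Network
    next_hop_mac: str


class Gateway:
    def __init__(self, mac, arp, rules):
        self.mac = mac
        self.arp = arp        # dst IP -> MAC of the directly attached host
        self.rules = rules

    def route(self, frame, ingress):
        """Forward one frame. PBR is consulted before the routing table, and only
        for the ingress port it is applied to: frames coming back from the
        appliance port skip it, otherwise they would be redirected again."""
        for r in self.rules:
            if (r.ingress == ingress
                    and ip_address(frame.src_ip) in r.src
                    and ip_address(frame.dst_ip) in r.dst):
                # Redirect: only the Ethernet header is rewritten, IP header untouched.
                return replace(frame, src_mac=self.mac, dst_mac=r.next_hop_mac)
        return replace(frame, src_mac=self.mac, dst_mac=self.arp[frame.dst_ip])


class Appliance:
    """Transparent (bump-in-the-wire) appliance: inspects the frame and either
    passes it on unchanged or drops it. An inter-subnet appliance would route
    the packet itself and rewrite the MAC header the way the gateway does."""
    def __init__(self, mac, allow):
        self.mac = mac
        self.allow = allow    # predicate on (src_ip, dst_ip)

    def inspect(self, frame):
        return frame if self.allow(frame.src_ip, frame.dst_ip) else None


def walk(frame, gw, appliance):
    """Return the list of (hop, frame) pairs the frame traverses from the
    sending host towards S; a None frame means the appliance dropped it."""
    hops = [("host", frame)]
    out = gw.route(frame, ingress="host")
    hops.append(("gateway", out))
    if out.dst_mac == appliance.mac:
        seen = appliance.inspect(out)
        hops.append(("appliance", seen))
        if seen is None:
            return hops
        out = gw.route(seen, ingress="appliance")
        hops.append(("gateway", out))
    return hops


def build_topology(allow=lambda s, d: True):
    """Gateway G with a single PBR rule: traffic from B's subnet to S's subnet
    is sent to F first; everything else is routed normally."""
    rules = [PbrRule("host", ip_network("10.1.2.0/24"),
                     ip_network("10.1.3.0/24"), MAC["F"])]
    gw = Gateway(MAC["G"], {IP["S"]: MAC["S"]}, rules)
    return gw, Appliance(MAC["F"], allow)


if __name__ == "__main__":
    gw, fw = build_topology()
    for host in ("A", "B"):
        f = Frame(MAC[host], MAC["G"], IP[host], IP["S"])
        for hop, fr in walk(f, gw, fw):
            print(f"{hop:9} {fr}")
```

The ingress field in the rule is what keeps the frame returning from F from being redirected a second time; a real PBR policy is bound to an ingress interface for the same reason, which is also why an appliance that is not adjacent to the forwarding path is awkward: the gateway must still be able to tell post-inspection traffic from fresh traffic.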
Appliances (physical or virtual) are identified by virtual port tags
A dedicated VNI (VXLAN segment) is allocated to each appliance port
Appliance reachability information (ESI, VNI, transport next hop) is propagated in EVPN updates
Information from EVPN update is used as PBR next hop
[Figure: two VRS instances across the transport network, each controlled by a VSC; the VSCs exchange routes over MP-BGP]

Appliances (physical or virtual) are identified by virtual port tags
A dedicated VNI (VXLAN segment) is allocated to each appliance port
L2VPN is created between appliance
Active appliance IP address is detected by monitoring GARP packets
A host route is created for each appliance IP address
L3VPN host route (prefix, VNI, transport next hop) toward appliance port is propagated across MP-BGP routing domain
Information from L3VPN route is used as PBR next hop
[Figure: three VRS instances across the transport network and two VSCs exchanging MP-BGP; a GARP from the active appliance arrives at one of the VRS instances]
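The GARP-driven host-route mechanism on this slide, as an added example (not Nuage's code and not part of the webinar material): a VRS watches ARP on an appliance port, treats a gratuitous ARP (sender IP equal to target IP) as "this appliance IP is active behind this port", installs a /32 host route carrying (prefix, VNI, transport next hop), and other forwarders resolve their PBR next hop from that route. The VTEP addresses, VNI numbers, the RouteTable class standing in for the MP-BGP-propagated routes, and the ARP bytes are constructed for this example.

```python
"""Added example (not from the ipSpace.net slides or any vendor code): a toy
model of detecting the active appliance IP from gratuitous ARP and turning it
into an L3VPN-style host route (prefix, VNI, transport next hop) that PBR can
use as its next hop. Addresses, VNIs and packets are constructed."""
import struct
from ipaddress import ip_address

ARP_FMT = "!HHBBH6s4s6s4s"     # RFC 826 Ethernet/IPv4 ARP body, 28 bytes


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip, target_ip) from an ARP body."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, smac.hex(":"), str(ip_address(sip)), str(ip_address(tip))


def is_gratuitous(payload):
    """GARP: an ARP request (op 1) or reply (op 2) whose sender and target IP match."""
    op, _, sip, tip = parse_arp(payload)
    return op in (1, 2) and sip == tip


def build_arp(op, smac, sip, tmac, tip):
    """Constructed test input, not captured from a real network."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(smac.replace(":", "")), ip_address(sip).packed,
                       bytes.fromhex(tmac.replace(":", "")), ip_address(tip).packed)


class RouteTable:
    """Host routes learned from GARP: prefix -> (vni, transport_next_hop).
    On the slide this state is carried between VSCs by MP-BGP; here it is a dict
    shared by all forwarders in the toy."""
    def __init__(self):
        self.routes = {}

    def on_arp(self, vrs_vtep, port_vni, payload):
        """Called by the VRS whose VTEP address is ``vrs_vtep`` for ARP seen on an
        appliance port with dedicated VNI ``port_vni``. Returns the route update
        to propagate, or None when nothing changed."""
        if not is_gratuitous(payload):
            return None                      # ordinary ARP: no ownership claim
        _, _, ip, _ = parse_arp(payload)
        prefix = f"{ip}/32"
        new = (port_vni, vrs_vtep)
        if self.routes.get(prefix) == new:
            return None                      # repeated GARP, nothing to propagate
        self.routes[prefix] = new            # replaces the stale route after failover
        return (prefix,) + new

    def pbr_next_hop(self, appliance_ip):
        """Resolve the PBR next hop (VNI, VTEP) for an appliance IP, or None."""
        return self.routes.get(f"{appliance_ip}/32")


if __name__ == "__main__":
    rt = RouteTable()
    vip = "10.9.0.1"
    print(rt.on_arp("192.0.2.11", 10001, build_arp(2, "02:00:00:00:00:f1", vip, "ff:ff:ff:ff:ff:ff", vip)))
    print(rt.on_arp("192.0.2.12", 10002, build_arp(1, "02:00:00:00:00:f2", vip, "ff:ff:ff:ff:ff:ff", vip)))
    print(rt.pbr_next_hop(vip))
```

The failover case is the one worth checking: when the standby appliance behind a different VRS takes over the shared IP and sends its own GARP, the host route moves to the new VNI and VTEP and the stale route is replaced rather than left as a second path. A non-gratuitous ARP for some other address must never create a route, or any host on the segment could steer PBR traffic by sending ARP requests.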
Architectural elements:
Distributed forwarding plane (L2 and L3)
Control plane with scale-out architecture
Distributed L4 services (security, NAT)
Scalable security mechanisms
Additional considerations:
High-performance gateways
Control- and management-plane integration with external networks
Define the services
Define the virtual infrastructure requirements
Connectivity (L2 and/or L3)
Security
Performance
Integration with legacy infrastructure
Integration with WAN networks
Select the orchestration system
Select the hypervisor platform
Select an overlay virtual networking solution that will support the services you want to offer
Easy integration with the orchestration system
Scalable implementation of network services
Scalable integration with external networks