Overlay Transport Virtualization

Transcription

Overlay Transport
Virtualization
Brian Farnham Technical Marketing Engineer
BRKDCT-2049
Agenda
•
Introduction
•
Distributed Data Centers: Goals and Challenges
•
OTV Architecture Principles
•
Principles of Interconnecting Networks at Layer-2
•
OTV New Features
OTV – Overlay Transport Virtualization
Simplifying Data Center Interconnect
Any Workload
Anytime
Anywhere
Session Objectives
•
The main goals of this session are:
•
This session features a detailed analysis of the architectural aspects and
deployment benefits behind OTV
•
The attendees will learn how OTV is aimed at providing Layer 2 connectivity
beyond the Layer 3 boundary while maintaining the failure containment and
operational simplicity that the Layer 3 boundary provides
•
The attendees will get a deep knowledge of how the OTV control-plane and
data-plane work to provide the VLAN extension
Session Non-objectives
•
This session does not include:
•
In depth discussion of Path Optimization technologies (DNS, LISP, etc.)
•
Storage extension considerations associated to DCI deployments
•
Workload mobility application specific deployment considerations
Related Cisco Live Events
Session-ID
BRKDCT-2131
BRKDCT-3060
BRKDCT-3103
Session Name
Mobility and Virtualization in the Data Center with LISP and OTV
Deployment Considerations with Interconnecting Data Centers
Advanced OTV – Configure, Verify and Troubleshoot OTV
Agenda
•
Introduction
•
•
•
•
OTV New Features
Distributed Data Centers Goals
•
Ensure business continuity
•
Distributed applications
•
Seamless workload mobility
•
Maximize compute resources
Data Center Interconnect
Traditional Layer 2 Extensions
EoMPLS
• VSS & vPC or FabricPath
•
Applies easily for dual site interconnection
• Over dark fiber or protected D-WDM
• Easy crypto using end-to-end 802.1AE
Ethernet
IP
• OTV – Overlay Transport Virtualization
VPLS
• MAC in IP
Dark Fiber
•
MPLS
EoMPLS & VPLS & A-VPLS & H-VPLS
•
PE style
• Multi-tenants
• Most deployed today
Challenges in Traditional Layer 2 VPNs
Flooding Behavior
Pseudo-wire Maintenance
Multi-Homing
- Unknown Unicast
for MAC propagation
- Unicast Flooding reaches
all sites
- Full mesh of Pseudo-wire
is complex
- Head-End replication is
a common problem
- Requires additional
Protocols & extends STP
- Malfunctions impacts
multiple sites
Technology Pillars
No Pseudo-Wire
State Maintenance
Optimal Multicast
Replication
Dynamic Encapsulation
Multipoint Connectivity
Point-to-Cloud Model
Preserve Failure Boundary
Built-in Loop Prevention
Protocol Learning
Automated Multi-Homing
Site Independence
Any Workload
Anytime
• Nexus 7000 First platform to support OTV (since 5.0 NXOS Release)
• ASR 1000 Now also supporting OTV (since 3.5 XE Release)
Anywhere
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Control Plane and Data Plane
Failure Isolation
Multi-homing
Mobility
L2 Multicast Forwarding
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
Terminology
OTV Devices and Interfaces
•
OTV Edge
Device
Edge Device
•
Performs all OTV functionality
• Usually located at the Aggregation Layer or at the
Core Layer
• Support for multiple OTV Edge Devices (multi-homing)
in the same site
•
OTV Edge
Device
Internal Interface
•
•
•
•
•
Site facing Interfaces of the Edge Devices
Carry VLANs extended through OTV
Regular Layer 2 interfaces
No OTV configuration required
Supports IPv4 & IPv6
Core Device
Aggregation Device
OTV Internal
Interfaces
OTV Internal Interface
OTV Join Interface
OTV Overlay Interface
Terminology
OTV Devices and Interfaces
•
Join Interface
•
•
•
•
•
•
OTV Join
Interface
Overlay Interface
One of the uplink of the Edge Device
Point-to-point routed interface (physical interface,
sub-interface or port-channel supported)
Used to physically “join” the Overlay network
No OTV specific configuration required
IPv4 only
OTV Edge
Device
Core Device
Aggregation Device
Overlay Interface
•
Virtual interface with most of the OTV configuration
• Logical multi-access multicast-capable interface
• Encapsulates Layer 2 frames in IP unicast or
multicast
OTV Internal Interface
OTV Join Interface
OTV Overlay Interface
OTV Control Plane
Building the MAC Tables

No unknown unicast flooding (selective unicast flooding in 6.2)

Control Plane Learning with proactive MAC advertisement

Background process with no specific configuration

IS-IS used between OTV Edge Devices
MAC Addresses
Advertisements
OTV
IP A
OTV
IP B
East
West
IP C
OTV
South
OTV Control Plane
Neighbor Discovery and Adjacency Formation

Before any MAC address can be advertised the OTV Edge Devices must:
‒
‒

Discover each other
Build a neighbor relationship with each other
Neighbor Relationship built over a transport infrastructure:
‒
‒
Multicast-enabled (all shipping releases)
Unicast-only (from NX-OS release 5.2 & IOS-XE 3.9)
OTV Control Plane
Neighbor Discovery (over Multicast Transport)
Multicast-enable
Transport
OTV Control Plane
OTV
OTV
OTV Control Plane
IP A
IP B
East
West
End Result
Mechanism
•
Edge Devices (EDs) join an
multicast group in the transport, as
they were hosts (no PIM on EDs)
•
OTV hellos and updates are
encapsulated in the multicast group
•
Adjacencies are maintained
over the multicast group
•
A single update reaches all
neighbors
OTV Control Plane (Multicast Transport)
Neighbor IP Addr
West
IP A
Neighbor IP Addr
3
OTV Hello
OTV Control Plane
4
OTV Hello
IP A  G
7
OTV
OTV
OTV Hello
OTV Control Plane
Multicast-enabled
Transport
IP A
West
IGMP Join G
IP B
OTV Hello
OTV Hello
IP A  G
East
6
Encap
Decap
IGMP Join G
1
OTV Hello
OTV Hello
All edge devices join
OTV control-group G
IP A  G
IP A  G
5
Transport natively replicates
multicast to all OIFs
2
IGMP Join G
Multicast state for group G
established throughout transport
Decap
6
IP C
OTV
OTVHello
Hello
OTV
IP A  G
OTV Control Plane
7
OTV Hello
Neighbor IP Addr
West
IP A
South
OTV Control Plane (Multicast Transport)
Neighbor IP Addr
South
IP C
OTV Hello
Bidirectional
adjacency formed
5
OTV Control Plane
5
OTV
OTV
IP C  G
OTV
OTV Hello
Hello
Neighbor IP Addr
West
IP A
South
IP C
OTV Control Plane
Multicast-enabled
Transport
IP A
IP B
OTV
OTV Hello
Hello
East
West
4
OTV Hello
Decap
Decap
3
OTV Hello
OTV Hello
IP C  G
IP C  G
Encap
The South Site creates its
hello with West’s address
in the TLV
2
IP C
OTV
OTV Hello
IP C  G
OTV Control Plane
1
OTV Hello
Neighbor IP Addr
West
IP A
South
4
IP C  G
OTV Control Plane
MAC Advertisements (over Multicast Transport)
Craft OTV
2 update with
new MACs
VLAN
100
Update A
OTV
West
MAC Table
VLAN
100
100
101
100
102
MAC
MAC A
MAC B
MAC C
Multicast-enabled
Transport
IP A  G
Update A
East
MAC Table
5
Encap
Decap
4
Update A
Update A
IP A  G
IP A  G
VLAN
100
101
102
MAC
MAC A
MAC B
MAC C
Add MACs
learned
through OTV
1
New MACs learned
in VLANs that are
OTV extended
Decap
7
5
OTV
Update
UpdateAA
6
VLAN
100
MAC IF
MAC A
100
MACA
B
Update
100
MAC C
IP A
IP A
IP A
IP A  G
MAC Table
South
IP A
IP A
IP A
IP A  G
Update
UpdateAA
3
IF
e1/1
e1/1
e1/1
MAC IF
MAC A
100 A
MAC B
Update
100
MAC C
OTV
VLAN
100
100
101
100
102
MAC
MAC A
MAC B
MAC C
IF
IP A
IP A
IP A
7
Add MACs
learned
through OTV
IF
IP A
IP A
IP A
6
Multicast Transport
OTV Control and Data Plane over Multicast Transport
•
Use a High-Available Multicast RendezVous Point (RP) configuration
‒
•
Requirements to Control Plane
‒
•
PIM Anycast (RFC4610) or MSDP (Multicast Source
Discovery Protocol)
PIM Any-Source-Multicast (ASM) Sparse-Mode
Requirements to Data Plane
‒
PIM Source-Specific-Multicast (SSM) or BiDir
Example:
Multicast for OTV on
Nexus 7000
feature pim
!
interface loopback 0
ip pim spare-mode
ip address 192.168.1.100/32
!
interface loopback 1
ip pim sparse-mode
ip address 10.254.254.n1-x/32
!
ip pim rp-address 192.168.1.100
ip pim anycast-rp 192.168.1.100
ip pim anycast-rp 192.168.1.100
ip pim ssm range 232.239.1.0/24
!
interface port-channel1
# This Interface peers with the
ip igmp version3
group-list 239.1.1.1
10.254.254.n1
10.254.254.n2
OTV Join Interface
* “n” in the last Octet reflects a unique IP address per
Router joining the PIM Anycast Group
Release 5.2
and above
OTV Control Plane
Neighbor Discovery (Unicast-only Transport)
• Ideal for connecting a small number of sites
•
With a higher number of sites a multicast transport is the best choice
Unicast-only
Transport
OTV Control Plane
OTV
OTV
OTV Control Plane
IP A
IP B
East
West
Mechanism
End Result
• Edge Devices (EDs) register with
an “Adjacency Server” ED
• Neighbor Discovery is automated
by the “Adjacency Server”
• EDs receive a full list of
Neighbors (oNL) from the AS
• All signaling must be replicated
for each neighbor
• OTV hellos and updates are
encapsulated in IP and unicast
to each neighbor
• Data traffic must also be
replicated at the head-end
OTV Control Plane
CLI Verification

Establishment of control plane adjacencies between
OTV Edge Devices (multicast or unicast transport):
dc1-agg-7k1# show otv adjacency
Overlay Adjacency database
Overlay-Interface Overlay100
Hostname
System-ID
dc2-agg-7k1
001b.54c2.efc2
dc1-agg-7k2
001b.54c2.e1c3
dc2-agg-7k2
001b.54c2.e142
:
Dest Addr
20.11.23.2
20.12.23.2
20.22.23.2
Up Time
15:08:53
15:43:27
14:49:11
Adj-State
UP
UP
UP
 Unicast MAC reachability information:
dc1-agg-7k1# show otv route
OTV Unicast MAC Routing Table For Overlay100
VLAN MAC-Address
Metric Uptime
Owner
---- -------------- ------ -------- --------2001 0000.0c07.ac01 1
3d15h
site
2001 0000.1641.d70e 1
3d15h
site
2001 0000.49f3.88ff 42
2d22h
overlay
2001 0000.49f3.8900 42
2d22h
overlay
Next-hop(s)
----------Ethernet1/1
Ethernet1/2
dc2-agg-7k1
dc2-agg-7k2
Local Site
MAC
Remote Site
MAC
OTV Data Plane
Inter-Site Packet Flow
4
Transport
Infrastructure
MAC TABLE
VLAN
100
2
Layer 2
Lookup
MAC
IF
MAC 1
Eth 2
100 OTV MAC 2
Eth 1
100
MAC 3
IP B
100
MAC 4
IP B
MAC 1  MAC 3
1
Server 1
IP A
Decap
5 IP B
3
OTV
MAC TABLE
West
Site
IP A IP B
MAC
IF
100
MAC 1
IP A
OTV
Encap
MAC 1  MAC 3
VLAN
MAC
MAC11
MAC
MAC33
East
Site
IP A  IP B
OTV
100
MAC 2
IP A
100
MAC 3
Eth 3
100
MAC 4
Eth 4
MAC 1  MAC 3
Server 3
7
6
Layer 2
Lookup
OTV Data Plane
Encapsulation
•
42 Bytes overhead to the packet IP MTU size (IPv4 packet)
•
Outer IP + OTV Shim - Original L2 Header (w/out the .1Q header)
•
802.1Q header is removed and the VLAN field copied over to the OTV shim
header
• Outer OTV shim header contains VLAN, overlay number, etc.
802.1Q header removed
• Consider Jumbo MTU Sizing
802.1Q
DMAC
SMAC
Ether
Type
6B
6B
2B
* The 4 Bytes of .1Q header have
already been removed
IP Header
20B
802.1Q
DMAC
SMAC
OTV Shim
8B
L2
Header
14B*
Ether
Type
CRC
Payload
Original L2 Frame
20B + 8B + 14B* = 42 Bytes
of total overhead
4B
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
Spanning-Tree and OTV
Site Independence
•
Site transparency: no changes to the STP topology
•
Total isolation of the STP domain
•
Default behavior: no configuration is required
OTV
•
BPDUs sent and received ONLY on
Internal Interfaces
The BPDUs
stop here
OTV
L3 The BPDUs
L2
stop here
Unknown Unicast and OTV
No Longer Unknown Unicast Storms Across the DCI
MAC TABLE
VLAN
OTV
MAC
IF
100
MAC 1
Eth1
L3
100
MAC 2
IP B
L2
-
-
-
OTV
MAC 1  MAC 3
•
No requirements to forward
unknown unicast frames
•
Assumption: end-host are not silent
or uni-directional
•
Default behavior: no
configuration is required
No MAC 3 in the
MAC Table
New
Release 6.2
Unknown Unicast and OTV
Selective Unicast Flooding
•
Some Application requirement to forward
unknown unicast frames
•
Selective Unicast Flooding can be enabled per
mac address
•
Default behavior: no unknown
unicast forwarding
Enable Flooding
for MAC .0101
OTV-a # conf
Enter configuration commands, one per line. End with
CNTL/Z
OTV-a(config)# otv flood mac 0000.2102.1111 vlan 172
Unknown Unicast
OTV
OTV
MAC
State
IF
.0000
Blk
Overlay1
L3
.0101
Blk
Overlay1
L2
.1111
Fwd
Overlay1
MAC 1  MAC 3
VLAN 100
MAC 6  MAC 7
VLAN 102
Controlling ARP Traffic
New
Release 6.1
ARP Neighbor-Discovery (ND) Cache
• ARP cache maintained in Edge Device by snooping ARP replies
• First ARP request is broadcasted to all sites. Subsequent ARP requests are
replied by local Edge Device
• Timeout can be adjusted (as per NX-OS 6.1(1))
• Drastic reduction of ARP traffic on DCI
• ARP spoofing can be disabled
• IPv4 only feature
• Default behavior: no configuration is required
OTV-a(config)# interface overlay 1
OTV-a(config-if-overlay)# no otv surpress-arp-nd
# Allows ARP requests over an overlay network and
disables ARP caching on edge devices. This command
does not support IPv6.
OTV-a(config)# interface overlay 1
OTV-a(config-if-overlay)# otv arp-nd timeout 70
# Configures the time, in seconds, that an entry
remains in the ARP-ND cache.
The time is in seconds varying from 60 to 86400. The
default timeout value is 480 seconds.
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
OTV Multi-homing
Fully Automated Multi-homing
•
No additional protocols required (i.e. BGP)
•
OTV site-vlan used to discover OTV neighbor in the same site
•
Authoritative Edge Device (AED) Election takes place
•
Extended VLANs are split across the AEDs
•
The AED is responsible for:
‒
MAC address advertisement for its VLANs
‒ Forwarding its VLANs’ traffic inside and outside the site
AED
OTV
OTV
Site Adjacency
AED
L3
L2
Site Adjacency used for AED election
Release 5.2
and above
Hardened Multi-homing
Introducing OTV Site-identifier
•
Same site devices must use common site-identifier
•
Site-id information is included in the control plane
•
Makes OTV multi-homing more robust and resilient
‒
•
Site Adjacency and Overlay Adjacency are now both leveraged for
AED election
An overlay will not come up until a site-id is
configured
‒
Site and Overlay Adjacency are both leveraged for AED election
Overlay Adjacency
AED
OTV
OTV
Site Adjacency
AED
L3
L2
feature otv
otv site-identifier 0x1
otv site-vlan 99
OTV Multi-homing
VLANs Split across AEDs
Remote OTV Device
MAC Table
•
Automated and deterministic algorithm
•
In a dual-homed site:
VLAN
MAC
IF
100
MAC 1
IP A
101
MAC 2
IP B
•
Lower IS-IS System-ID (Ordinal 0) = EVEN VLANs
• Higher IS-IS System-ID (Ordinal 1) = ODD VLANs
OTV-a# show otv vlan
OTV Extended VLANs and Edge Device State Information (* - AED)
VLAN
---100
101*
102
Auth. Edge Device
-----------------East-b
East-a
East-b
Vlan State
---------inactive(Non AED)
active
inactive(Non AED)
Overlay
------Overlay100
Overlay100
Overlay100
AED
IP A
ODD VLANs
OTV
Overlay Adjacency
OTV
AED
IP B
EVEN VLANs
Site Adjacency
OTV-a
OTV-b# show otv vlan
OTV Extended VLANs and Edge Device State Information (* - AED)
VLAN
---100*
101
102*
Auth. Edge Device
-----------------East-b
East-a
East-b
Vlan State
---------active
inactive(Non AED)
active
Overlay
------Overlay100
Overlay100
Overlay100
OTV-b
OTV Multi-homing
AED and Broadcast Handling
Broadcast reaches all the Edge Devices within the site
2. Only the AED forwards the traffic to the Overlay
3. All the Edge Devices at the other sites receive the broadcast
4. At the remote sites only the AEDs forward it into the site
1.
OTV
Broadcast
stops here
OTV
Broadcast
stops here
OTV
Bcast
pkt
OTV
Core
AED
AED
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
OTV and MAC Mobility
MAC Moving and OTV Updates (1)
1.
Workload moved between Data Center sites
VM Moves
OTV
OTV
MAC X
MAC X
MAC X
OTV
ESX
OTV
MAC X
ESX
Core
MAC X
MAC X
AED
AED
2. Workload is detected in East DC and OTV control plane is triggered
1.
2.3) AED advertises MAC
X with a metric of zero
OTV
OTV
MAC X
MAC X
MAC X
MAC X
MAC X
OTV
ESX
Core
OTV
MAC X
MAC X
MAC X
MAC X
MAC X
MAC X
AED
AED
2.4) EDs in site West see MAC X advertisement with a
better metric from site East and change them to remote
MAC address.
ESX
2.2) AED detects
MAC X is now local
2.1) Server originates
an ARP (RARP)
frame
2. Workload is detected in East DC and OTV control plane is triggered
3. East to West OTV data plane traffic allows to update the MAC tables of the L2
devices in West Site
1.
3.2) AED in site West forwards the RARP
into the site and the L2 switches update
their CAM tables
OTV
OTV
MAC X
MAC X
MAC X
MAC X
OTV
ESX
MAC X
Core
OTV
MAC X
MAC X
MAC X
AED
3.1) AED in site East forwards
the RARP broadcast frame
across the overlay
AED
ESX
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
L2 Multicast Traffic between Sites
Multicast Enabled Transport
•
OTV can leverage the multicast support available in the transport network to
optimize the delivery of the multicast traffic for the VLANs stretched across sites
•
Three steps:
Automated mapping of the sites’ multicast groups to a range of multicast groups in
the transport network
2. Creation of the Multicast state information at the OTV Edge Devices
3. Sites’ Multicast traffic delivered over the Overlay
1.
L2 Multicast with Multicast Transport
Step 1 – Mapping of the Site Multicast Group
•
The site multicast groups are mapped to a SSM group range in the core
• Each (S1,Gs1) maps to a different SSM group in round-robin fashion
3) The West ED communicates the
mapping information (including the
source VLAN) to the other EDs
Mcast Group Mapping
1) The Mcast source
starts sending traffic to
the group Gs1
Site Group
Core Group
Gs1
Gd1
Gs2
Gd2
1
Mcast Stream
2
OTV
3
The Mapping is
communicated to
the other EDs
Multicast-enabled
Transport
Mapping to a
Delivery Group
OTV
S1  Gs1
S1
West
IP B
IP A
East
OTV
S2  Gs2
S2
4
2) The West ED maps
(S1,Gs1) to a delivery
group Gd1
4) Same process happens once
source S2 is enabled (sending to
a different group Gs2)
IP C
South
Step 2 – Multicast State Creation
3.1) ED Announces the
receivers in a GroupMembership Update (GMUpdate) to all other EDs
4) The source ED adds the
Overlay interface to the
Outbound Interfaces (OIF)
OIF-List
Group
IF
Gs1  Gd1
Overlay
OTV
2) The OTV ED snoops
the IGMP join (without
forwarding it)
Multicast-enabled
Transport
4
Receive GM-Update
Update OIL
2
Client IGMP
snoop
3.1 GM-Update
OTV
1
1) A receiver in the East
site sends an IGMP join
for Gs1
Client IGMP
report to join
Gs1
S1  Gs1
S1
West
IP A
SSM Tree
for Gd1
5) The SSM tree for Gd1
(rooted at the source ED) is IP
built in the core)
3.2
OTV
C
IP B
IGMPv3 report
to join (IP A,
Gd1) , the SSM
group in the
Core.
Receiver
(for Gs1)
East
3.2) ED Sends an IGMPv3
South
report to join the (IP A, Gd1)
SSM group in the core
It is important to clarify that the edge devices join the core multicast groups as hosts, not as routers!
Step 3 – Multicast Packet Flow
OIF-List
1
Group
IF
Lookup
Gs1  Gd1
Overlay
3
Multicast-enabled
Transport
Transport
Replication
OTV
OTV
S1  Gs1
S1  Gs1
S1
S1  Gs1
IP A Gd1
East
OTV
2
Encap
S1  Gs1
Receiver
(for Gs1)
IP
4 B
IP A
West
IP A  Gd1
4
IP C
S1  Gs1
IP A  Gd1
South
Decap
5
Decap
S1  Gs1
Receiver
(for Gs1)
5
Multicast Groups in the Core
OTV can leverage the benefits of a multicast-enabled transport for both control
and data planes. The following summarizes the requirements for a multicast
transport:
•
Control group – Single PIM-SM or PIM-Bidir group used to form adjacencies
and exchange MAC reachability information
•
Data groups – Range of SSM groups used to carry multicast data traffic
generated by the sites
interface Overlay100
otv
otv
otv
otv
join-interface e1/1
control-group 239.1.1.1
data-group 232.192.1.0/24
extend-vlan 100-150
The right number of SSM groups to be used depends on a tradeoff between the amount of multicast
state to be maintained in the core and the optimization of Layer 2 multicast traffic delivery
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
Release 5.2
and above
QoS and OTV
Marking on Encapsulation
•
On Encapsulation
•
CoS bits (802.1p) copied to the OTV shim header
• If IP traffic: The original (inner) DSCP value is also copied to “outer” DSCP
DMAC
SMAC
802.1Q
ETHERTYPE
CoS
802.1p
IP (optional)
Inner DSCP
OTV
1
OTV
802.1Q
West
IP A
2
Encap
IP (optional)
Outer DSCP
OTV
OTV
shim
Original Frame
IP B
East
Release 5.2
and above
QoS and OTV
Marking on De-capsulation
•
On De-capsulation
•
CoS value is recovered from the OTV shim and added to the 802.1Q header
•
Original CoS and DSCP are both preserved
•
OTV Control Traffic is statically marked at CoS = 6/DSCP = 48
OTV
West
Decap
IP A
IP (optional)
Outer DSCP
OTV
OTV
shim
1
OTV
2
Original Frame
802.1Q
IP B
East
DMAC
SMAC
802.1Q
CoS
802.1p
ETHERTYPE
IP (optional)
Inner DSCP
Release 6.2
OTV Scalability
1500
NX-OS 6.2
8*
NX-OS 5.2
6*
Sites
*
two ED per Site
256
32k
4000
16k
2000
OTV extended MAC addresses
Multicast
VLANs
across all the
Data Groups
extended VLANs
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
Path Optimization
Egress Routing Optimization
Hot Potato Routing
Path Optimization
Egress Routing with LAN Extension
•
Extended VLANs typically have associated HSRP groups
•
By default, only one HSRP router elected active, with all servers pointing to
HSRP VIP as default gateway
Packet from
•
HSRP Hellos
Result: sub-optimal routing
Vlan for
10 to Vlan 20
ARP
DMAC
HSRP
VIP = DGW
ARP reply
Routing
HSRP
Active
HSRP
Standby
HSRP
Listen
HSRP
Listen
Packet from
Vlan 10 to Vlan 20
DMAC = Host Vlan 20
VLAN
20
VLAN
10
Egress Routing Localization
FHRP Filtering Solution
•
Filter FHRP with combination of VACL and MAC route filter
•
Result: Still have one HSRP group with one VIP, but now have active router
at each site for optimal first-hop routing
HSRP Hellos
✗✗
✗✗
HSRP Hellos
HSRP Filter
HSRP
Active
HSRP
Standby
HSRP
Active
Listen
HSRP
Listen
Standby
ARP for
HSRP VIP
ARP reply
VLAN
20
VLAN
10
Path Optimization
Optimal Routing Challenges
•
Layer 2 extensions represent a challenge for optimal routing
•
Challenging placement of gateway and advertisement of routing prefix/subnet
WAN
Ingress:
Ingress:
North-South /
Client-Server
North-South /
Client-Server
HSRP Filter
HSRP
Active
HSRP
Active
HSRP
Standby
HSRP
Standby
East-West /
Server-Server
Egress:
South-North /
Server-Client
Egress:
South-North /
Server-Client
Path Optimization
Is it relevant to my Data Center model?
•
Logical Data Center or Physical Data Center?
•
High Availability or Disaster Recovery?
Ingress:
North-South /
Client-Server
WAN
Ingress:
North-South /
Client-Server
Is this ONE Logical Data Center ?
Or do I have TWO
(High Availability)
… separated Data
Physical & Logical
Center?
East-West /
…
Server-Server
Egress:
South-North /
Server-Client
Egress:
South-North /
Server-Client
Release 5.2
and above
Specific Use-Case
IPv6 and OTV
•
IPv6 Unicast Forwarding and Multicast Flooding supported across OTV
-
•
Requires to disable optimized multicast forwarding (OMF) in IGMP snooping on OTV ED
IPv6 Transport Network (Join Interface & Source Interface, not yet supported)
OTV
DC
West
OTV
DC
OTV Edge Device (VDC)
East
Global (all VLAN):
no ip igmp snooping optimise-multicast-flood
OTV
vPC/vPC+ Domain
Per VLAN with IPv6 Traffic
OTV
vlan vlan-id
vlan configuration
no ip igmp snooping optimise-multicast-flood
Ingress Routing Localization
Possible Solutions
Challenge
• Subnets are spread across locations
• Subnet information in the routing tables
is not specific enough
• Routing doesn’t know if a server has
moved between locations
• Traffic may be sent to the location
where the application is not available
Options
• DNS Based
• Route Injection
• LISP – Locator/ID Separation Protocol
For more details on LISP and OTV Deployment see: BRKDCT-2131
Any Workload
Anytime
Anywhere
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
OTV Support
ASR1000
•
OTV has been introduced in IOS XE 3.5 (Nov 2011)
•
To use OTV on ASR1000, you require:
•
•
ASR1k <-> N7k Inter-Site Interoperability has been tested
•
•
Advance Enterprise Image or Advance IP Service + OTV feature license
No ASR1k <-> N7k Multihoming Support (Intra-Site Interoperability)
OTV on ASR1000 Use Cases are:
Legacy Deployments – where DC may still be Catalyst based
• New Small Data Center and/or Disaster Recovery Sites – where Main DC is equipped with Nexus 7000
• OTV with Layer-3 Encryption – where MACSec is no option for Inter-DC Encryption
•
OTV Support
ASR 1000
•
New Features for IOS-XE 3.9
•
OTV Adjacency Server (unicast)
• OTV with LISP ESM
• RPVST STP Support
•
New Features for IOS-XE 3.10
•
Portchannel for join interface
• VRF Aware
• Subinterface for join interface
• Layer 2 portchannel
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
Principals of Interconnecting Networks at Layer-2
•
Control-Plane
•
•
•
Using redundant Path
Providing Loop protection
V
V
V
V
Fault Containment
•
•
•
Automated Multi-Homing for Resiliency
Loop Prevention
•
•
OTV
Multi-Homing
•
•
Core
(Layer-3)
Learn and Distribute MAC information (no
Flood&Learn)
Separate Control-Plane information
Limit Flood (ARP caching)
Transport Agnostic
•
Can leverage literally any Transport Technology
Principals for Interconnecting Networks
Do Apply for Ethernet, FabricPath and VXLAN
Switch# show nve peers
Interface
Peer-IP
---------- ----------nve1
10.10.10.1
nve1
10.10.10.2
nve1
10.10.10.3
nve1
20.20.20.1
nve1
20.20.20.3
End to End VXLAN
A Very Bad Idea
• One common Control Plane
– One failure can affect all sites
Switch# show nve peers
Interface
Peer-IP
– No site concept
• Manual Multihoming
– BGP and/or vPC config
• Multicast
---------nve1
nve1
nve1
nve1
nve1
-----------
VNI
------
Up Time
---------
10.10.10.1
10.10.10.3
20.20.20.1
20.20.20.2
20.20.20.3
30000
30000
30000
30000
30000
03:18:06
05:44:24
02:17:03
03:08:44
02:58:21
VNI
------
Up Time
---------
30000
30000
30000
30000
30000
03:18:06
08:06:22
05:44:24
02:17:03
02:58:21
Core
(Layer-3)
– Multiple multicast groups required
• Reduced Scale
– Every VTEP learns all MACs
• Flooding Across Sites
V
V
V
V
– BUM Traffic is flooded
V
V
Inter-Pod Connectivity
•
Simplified Transport Requirement
•
•
OTV
Multicast Optimization
•
Offers optimized Multicast Forwarding
•
Path Diversity
•
•
Core
(Layer-3)
Multicast dependent and independent Forwarding
of BUM* Traffic (no hairpin)
Flow based Entropy
VXLAN or
VXLAN+EVPN
V
V
Multi-Site
•
Provides Site to Multi-Site connectivity
V
VXLAN or
VXLAN+EVPN
V
V
V
V
V
V
V
Interconnecting VXLAN Networks (Layer-3)
•
Interconnecting VXLAN/EVPN Pods with
VXLAN/EVPN is possible
•
•
Control-Plane Domains (EVPN) can be
separated (iBGP/eBGP)
VXLAN/EVPN
VNI 99000
With Layer-3 interconnect, Data-Plane
Encapsulation is separated
•
•
•
Core
(Layer-3)
Routing decision at DC-Edge results in
Decapsulation
Requires a Transit VNI between Sites
No Layer-2 Interconnect!
V
V
V
VXLAN or
VXLAN/EVPN
VXLAN or
VXLAN/EVPN
V
VNI 30000
VNI 31000
V
V
V
V
V
Not All Principles Satisfied
“Good Enough” Solution
V
Control-Plane
Multi-Homing
Loop
Prevention
Fault
Containment
Transport
Agnostic
Multicast
Optimization
Path Diversity
Multi-Site
FabricPath
✖
✔1
✔✔
✖
✖
✖
✔
✖
VXLAN (Flood&Learn)
✖
✔1
✔2
✖
✔
✔
✔✔
✖
VXLAN-EVPN
✔
✔1
✔2
✔✔
✔✔
✔
✔✔
✖
VPLS
✖
✔1
✔✔
✖
✖
✖
✔
✔
OTV
✔✔
✔✔
✔✔
✔✔
✔✔
✔✔
✔✔
✔✔
Good
Better
Best
1)
Only with Multi-Chassis Link Aggregation (MC-LAG / VPC)
2)
Limited Overlay Loop Prevention
OTV 2.5
VXLAN Encapsulation
UDP Header
Utilizes VXLAN Encapsulation
Original IETF draft of OTV
F3 only feature
Use in conjunction with Tunnel Depolarization
Source
Port
16
VXLAN Port
16
UDP Length
16
Checksum 0x0000
16
8 Bytes
VXLAN Header
Original Layer-2 Frame
Overlay
50 Bytes of Overhead
Outer IP Header
Underlay
Outer MAC Header
•
•
•
•
UDP 4789
VXLAN Flags
RRRRIRRR
8
Reserved
24
VNI
24
Reserved
8
8 Bytes
Agenda
•
Introduction
•
•
•
•
•
•
•
•
Failure Isolation
Multi-homing
Mobility
QoS and Scalability
Path Optimization
•
•
•
OTV New Features
New Feature for OTV in NX-OS 6.2
Nexus 7000 Hardware Support
 F3 Support for OTV in 6.2(6)
Routed Uplinks
to Core
– Enable OTV on Nexus 7700 Series
OTV
Join
Interface
– Utilize port-level VLAN Translation on F3
OTV VDC
Join-Interface
Internal Interface
M1
M1


M2


F1


F2e


F3
•
M2

F3

Aggregation VDC
L3
(M-only, M1-F1 or F2/F2e)
L2
Interfaces to Access
(Classic-Ethernet or FabricPath)

F1 and F2e support for OTV internal
Interface
•
OTV
Internal
Interface (CE)
F1 and F2e linecards have the ability to be
internal interfaces when M series linecard is used
for OTV
M-Series interface
F/M-Series interface
New Features for OTV
Tunnel Depolarization & Secondary IP
•
Secondary IP command introduced
•
•
Configured within interface, not OTV interface
OTV VDC
Introduction of multiple IPs results in tunnel depolarization
OTV-a (config-if)# sh otv
OTV-a(config-if)# ip address 2.100.11.1/24 secondary
OTV Overlay Information
Disabling IP Redirects on port-channel11 :secondary address
Site Identifier 0000.0000.0011
configured.
OTV-a(config-if)# sh run int po11
Overlay interface Overlay1
!Command: show running-config interface port-channel11
VPN name
: Overlay1
!Time: Wed Mar 27 23:05:21 2013
VPN state
: UP
Extended vlans
: 25-50 72-227 (Total:182)
version 6.2(2)
Control group
: 224.1.1.0
Data
group
range(s)
:
232.1.0.0/24
interface port-channel11
Broadcast group
: 224.1.1.0
no ip redirects
Join interface(s)
: Po11 (2.100.11.100)
ip address 2.100.11.100/24
Secondary
IP
Addresses:
: 2.100.11.1
ip address 2.100.11.1/24 secondary
Site vlan
: 1 (up)
ip ospf network point-to-point
AED-Capable
: Yes1
ip router ospf 1 area 0.0.0.0
Capability
: Multicast-Reachable
ip igmp version 3
Release 6.2
VLAN Translation: Translation through transit VLAN
•
When a different VLAN is used at multiple sites
•
Usually for 3 or more sites
VLAN
OTV400
VLAN
200
OTV
VLAN 100
DC
West
DC
East
OTV
OTV
Release 6.2
VLAN Translation: Translation through transit VLAN
OTV-a(config)# int overlay1
OTV-a(config-if-overlay)# otv vlan mapping 100 to 400
OTV-B(config)# int overlay1
OTV-B(config-if-overlay)# otv vlan mapping 200 to 400
OTV-B(config-if-overlay)# sh run int overlay1
OTV-a(config-if-overlay)# sh run int overlay1
!Command: show running-config interface Overlay1
!Time: Fri Mar 29 19:01:04 2013
!Command: show running-config interface Overlay1
!Time: Fri Mar 29 19:02:29 2013
version 6.2(2)
version 6.2(2)
interface Overlay1
otv isis hello-multiplier 9
otv join-interface port-channel11
otv control-group 224.1.1.0
otv data-group 232.1.0.0/24
otv extend-vlan 25-50, 72-497
otv vlan mapping 100 to 400
no shutdown
OTV-a(config-if-overlay)# sh otv vlan-mapping
Original VLAN -> Translated VLAN
-------------------------------100 -> 400
interface Overlay1
otv isis hello-multiplier 9
otv join-interface port-channel21
otv control-group 224.1.1.0
otv data-group 232.1.0.0/24
otv extend-vlan 25-50, 72-497
otv vlan mapping 200 to 400
no shutdown
OTV-B(config-if-overlay)# sh otv vlan-mapping
Original VLAN -> Translated VLAN
-------------------------------200 -> 400
New
Release 6.2
OTV Convergence
Small and Large Scale Targets (Extreme Failures)
Large Scale
•
•
Small Scale
<30sec
<10sec
< 10sec
<5sec
Remember to place join-interface into a dynamic routing protocol (OSPF, EIGRP, etc)
Configure BFD in site-vlan
Challenges in Traditional Layer 2 VPNs
Solved by OTV
Flooding Behavior
✔
Pseudo-wire Maintenance
✔
Multi-Homing
Control-Plane
Based
- Unknown
Unicast
for MACLearning
propagation
- Unicast Flooding reaches
all sites
Dynamic
- Full
mesh Encapsulation
of Pseudo-wire
is complex
- Head-End replication is
a common problem
Native additional
Automated
- Requires
Multi-Homing
Protocols
& extends STP
- Malfunctions impacts
multiple sites
✔
Any Workload
Anytime
Anywhere
Thank you

Overlay Transport Virtualization

Transcription

Similar documents

October 2012

Fadi Sabbagha (Born Interactive

Booklet PROPAGANDA

LA FAVORITA

Village Crier - Old Town Village

Pebble Camera - Joyful Living Services

The Most Advanced Electronic Highlighter The IRISPen™ Executive

Get the look

tv sports shop food voices sex