VXLAN Network Design
VXLAN network design concerns the overlay technology used by Cisco Nexus 9000 series switches in a leaf-and-spine architecture, which creates tunnels over an IP underlay network. The ingress VTEP encapsulates the traffic and sends it to the egress VTEP. The egress VTEP decapsulates the traffic so it can be delivered to the ultimate destination. There are two ways to approach address learning. The first is called data plane learning. This is the traditional method for learning addresses and is similar to traditional Ethernet in many ways. The other is control plane learning, which is a newer and more sophisticated approach.
This method uses BGP to share MAC address information, similar to the way BGP learns and shares routes. There are also two different traffic types that we will encounter. The first is unicast traffic, where traffic is sent to a specific single destination. The other is called BUM traffic (broadcast, unknown-unicast and multicast traffic), which needs special handling and deserves a closer look. Simply put, BUM traffic is any traffic that goes to more than one destination, such as ARP. In a traditional Ethernet network BUM traffic may be flooded to many destinations. VXLAN, however, uses a smarter approach so that it scales well in a large network.
In VXLAN network design there are two possible ways to handle BUM traffic: multicast and head end replication. Multicast is probably the most common solution; it maps each VNI to a single multicast group. When a VTEP comes online it uses IGMP to join the multicast groups for the VNIs that it uses. If there is a VNI that the VTEP does not use, it does not need to join that group.
When the VTEP needs to send BUM traffic, it sends it only to the relevant multicast group. This also serves as a method of VTEP discovery. It is a very efficient method, but it can be complicated depending on your multicast infrastructure, for example in a Cisco ACI architecture managed by Cisco APIC.
Head end replication is an alternative to multicast, but it is only available if you use BGP EVPN. When BUM traffic arrives, the VTEP creates several unicast copies and sends one to each remote VTEP that supports the VNI. This is not as efficient as multicast and certainly doesn't scale as well. However, it is much simpler if you don't have a multicast infrastructure. It is fine for about 20 VTEPs or fewer.
VXLAN Network Design: Data Plane Learning
In the early days VXLAN network design relied on data plane learning, also known as flood and learn, which is very similar to regular Ethernet. VXLAN data plane learning only occurs between members of the multicast group. However, data plane learning has serious limitations.
There is no built-in support for routing; it is only used for bridging devices at layer 2. To reach the outside world you need an external router as your gateway. If you want to route between VNIs you also need an external router, which means all inter-VNI traffic has to travel out to that router and back. From a security perspective, keep in mind that VTEPs are not authenticated: there is nothing built in to prevent a rogue VTEP on the network. In most cases control plane learning is recommended.
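As an added example (not configuration from the original article), the two BUM-handling options on a Nexus 9000 VTEP, shown as alternatives for the same VNI: flood-and-learn with a multicast group, and BGP EVPN with head end (ingress) replication. VLAN 100, VNI 10100, the group 239.1.1.100 and loopback1 are assumed values; the IP and PIM underlay and the loopback are assumed to exist already.

```nxos
feature nv overlay
feature vn-segment-vlan-based
! VLAN 100 on this switch is mapped to VNI 10100 (assumed values)
vlan 100
  vn-segment 10100
!
! Option 1: flood-and-learn (data plane learning). No BGP; the VTEP joins
! 239.1.1.100 only because it serves VNI 10100, and BUM frames for that
! VNI are sent to the group rather than to every VTEP in the fabric.
feature pim
interface nve1
  no shutdown
  source-interface loopback1
  member vni 10100
    mcast-group 239.1.1.100
!
! Option 2: BGP EVPN control plane with head end replication. The remote
! VTEP list comes from EVPN, which is why ingress replication requires
! host-reachability protocol bgp; no multicast underlay is needed.
feature bgp
nv overlay evpn
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10100
    ingress-replication protocol bgp
```

Apply only one option per VNI: every VTEP that serves a VNI must use the same replication mode, and the BGP peering for option 2 is configured separately under router bgp.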
VXLAN Network Design: Control Plane Learning
Generally, in VXLAN network design, data plane learning is still worth understanding because it is simpler, though it has several drawbacks. Control plane learning is much more functional and efficient: switches learn MAC addresses before they are needed, and it works the same way as a routing protocol. Switches peer with each other using BGP and share the addresses they know about. This method uses the EVPN address family.
If you're not familiar with address families, they are the way BGP carries reachability information for different protocols; there are IPv4 and IPv6 address families, address families for MPLS, and so on. Each switch runs BGP and peers with other switches over the IP network. The normal BGP rules still apply, so you need either a full mesh or route reflectors. Some or all of these switches will contain VTEPs, which means that each switch automatically learns where all the other VTEPs in the network are, and this provides VTEP authentication.
When VTEPs are learned through BGP they are added to a whitelist; all other VTEPs are untrusted, and BGP authentication may be used to prevent rogue peers. Host MAC addresses are then added into the local BGP process: hosts are discovered when they start up or send GARP messages, and their MAC addresses are shared with all BGP peers.
So when a host sends a frame to another host, the switch looks up the MAC address in BGP and immediately knows which VTEP to send the traffic to, without flooding.
In VXLAN network design, when you use control plane learning you are also using ARP suppression. When a host's ARP request reaches the local switch it is not flooded as it normally would be, because the local switch has already learned where the destination host is, including the IP-to-MAC address mapping. Rather than flooding the request, the local switch sends an ARP response back to the source host.
BGP EVPN supports integrated routing and bridging. Unlike data plane learning, you don't need an external router. VNIs can be configured as either layer 2 VNIs or layer 3 VNIs. Both layer 2 and layer 3 information is carried in BGP. A layer 2 VNI is used for bridging when traffic stays within the same LAN segment.
A layer 3 VNI is used for routing when traffic needs to leave a layer 2 VNI. Layer 3 VNIs are technically optional, but if you want to route on the local switch you need them. VTEPs only need to know about the layer 2 VNIs they service locally; on the other hand, all VTEPs need to know about all layer 3 VNIs. This supports a feature called anycast gateway.
To support multi-tenancy, layer 3 VNIs are attached to a VRF. If you're using MPLS this will feel familiar. This means that many VNIs can be associated with a customer or tenant. Routes and routing tables are kept separate using route targets and route distinguishers. Overall, VXLAN network design makes it easier to manage data center networks.
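An added control plane example for a single leaf (not configuration from the article) that ties the EVPN pieces together: an authenticated BGP EVPN peering to a route reflector, ARP suppression on the layer 2 VNI, a layer 3 VNI attached to a tenant VRF with automatic RD and route targets, and an anycast gateway SVI. AS 65001, the peer 10.255.0.1, the VNIs, the VRF name, the addresses and the anycast MAC are assumed values; loopback0, loopback1 and the underlay are assumed to be configured already.

```nxos
nv overlay evpn
feature bgp
feature nv overlay
feature vn-segment-vlan-based
feature interface-vlan
! Same gateway MAC on every leaf so a host keeps its ARP entry after a move
fabric forwarding anycast-gateway-mac 0000.1111.2222
! Layer 2 VNI for the host segment, layer 3 VNI for routing between segments
vlan 100
  vn-segment 10100
vlan 900
  vn-segment 50900
! Tenant VRF: RD and route targets keep this tenant's routes separate,
! exactly as in MPLS L3VPN
vrf context TENANT-A
  vni 50900
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
! Anycast gateway SVI: routing happens on the leaf, no external router
interface Vlan100
  no shutdown
  vrf member TENANT-A
  ip address 10.1.100.1/24
  fabric forwarding mode anycast-gateway
! Layer 3 VNI SVI: no IP address, only forwards routed traffic in the VRF
interface Vlan900
  no shutdown
  vrf member TENANT-A
  ip forward
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10100
    suppress-arp
    ingress-replication protocol bgp
  member vni 50900 associate-vrf
! EVPN peering to the spine route reflector; the MD5 password rejects
! any peer that does not hold the shared secret (placeholder below)
router bgp 65001
  neighbor 10.255.0.1 remote-as 65001
    password <REPLACE-WITH-SHARED-SECRET>
    update-source loopback0
    address-family l2vpn evpn
      send-community both
evpn
  vni 10100 l2
    rd auto
    route-target import auto
    route-target export auto
```

Verify the peering and learned VTEPs with show bgp l2vpn evpn summary and show nve peers; the same password must be configured on the route reflector.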