L2VPN Workgroup Ali Sajassi INTERNET-DRAFT Samer Salam Intended Status: Standards Track Cisco Yakov Rekhter John Drake Juniper Expires: August 18, 2013 February 18, 2013 IP Inter-Subnet Forwarding in E-VPN draft-sajassi-l2vpn-evpn-inter-subnet-forwarding-00 Abstract E-VPN provides an extensible and flexible multi-homing VPN solution for intra-subnet connectivity among hosts/VMs over an MPLS/IP network. However, there are scenarios in which inter-subnet forwarding among hosts/VMs across different IP subnets is required, while maintaining the multi-homing capabilities of E-VPN. This document describes an IRB solution based on E-VPN to address such requirements. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Sajassi et al. Expires August 18, 2013 [Page 1] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 Copyright and License Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Inter-Subnet Forwarding Scenarios . . . . . . . . . . . . . . . 4 2.1 Connecting E-VPN NVEs within a DC . . . . . . . . . . . . . 5 2.2 Connecting E-VPN NVEs in different DCs without route aggregation . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3 Connecting E-VPN NVEs in different DCs with route aggregation . . . . . . . . . . . . . . . . . . . . . . . . 6 2.4 Connecting IP-VPN sites and E-VPN NVEs with route aggregation . . . . . . . . . . . . . . . . . . . . . . . . 6 3 Concepts needed before solution description . . . . . . . . . . 6 4 Operational Models for Inter-Subnet Forwarding . . . . . . . . 7 4.1 Among E-VPN NVEs within a DC . . . . . . . . . . . . . . . . 7 4.2 Among E-VPN NVEs in Different DCs Without Route Aggregation . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 Among E-VPN NVEs in Different DCs with Route Aggregation . . 8 4.4 Among IP-VPN Sites and E-VPN NVEs with Route Aggregation . . 9 5 VM Mobility . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5 Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . 10 6 Security Considerations . . . . . . . . . . . . . . . . . . . . 10 7 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 10 8 References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1 Normative References . . . . . . . . . . . . . . . . . . . 11 8.2 Informative References . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", Sajassi et al. Expires August 18, 2013 [Page 2] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Sajassi et al. Expires August 18, 2013 [Page 3] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 1 Introduction E-VPN provides an extensible and flexible multi-homing VPN solution for intra-subnet connectivity among hosts/VMs over an MPLS/IP network. However, there are scenarios where, in addition to intra- subnet forwarding, inter-subnet forwarding is required among hosts/VMs across different IP subnets, while maintaining the multi- homing capabilities of E-VPN. This document describes an IRB solution based on E-VPN to address such requirements. 2 Inter-Subnet Forwarding Scenarios The inter-subnet forwarding scenarios for E-VPN can be divided into six categories. The first two scenarios, along with their corresponding solutions, are described in [EVPN-IPVPN-INTEROP]. The solutions for scenarios 3 through 6 are the focus of this document. 1. Connecting IP-VPN sites and E-VPN NVEs without route aggregation 2. Connecting IP-VPN NVEs and E-VPN NVEs without route aggregation 3. Connecting E-VPN NVEs within a DC 4. Connecting E-VPN NVEs in different DCs without route aggregation 5. Connecting E-VPN NVEs in different DCs with route aggregation 6. Connecting IP-VPN sites and E-VPN NVEs with route aggregation In the above scenarios, the term "route aggregation" refers to the case where a node situated at the edge of the data center network behaves as a default gateway for all VM addresses that are unknown to the data center switches. Effectively, this WAN edge switch implements a gateway functionality. The absence of route aggregation refers to the scenario where all data center switches are aware of all VM addresses (in a given EVI/VRF context), for both VMs in the local as well as remote data centers. Sajassi et al. Expires August 18, 2013 [Page 4] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 +---+ Enterprise Site 1 |PE1|----- H1 +---+ / ,---------. Enterprise Site 2 ,' `. +---+ ,---------. /( MPLS/IP )---|PE2|----- H2 ' DCN 3 `./ `. Core ,' +---+ `-+------+' `-+------+' __/__ / / \ \ :NVE4 : +---+ \ \ '-----' ,----|GW |. \ \ | ,' +---+ `. ,---------. VM6 ( DCN 1 ) ,' `. `. ,' ( DCN 2 ) `-+------+' `. ,' __/__ `-+------+' :NVE1 : __/__ __\__ '-----' :NVE2 : :NVE3 : | | '-----' '-----' VM1 VM2 | | | VM3 VM4 VM5 Figure 2: Interoperability Use-Cases In what follows, we will describe scenarios 3 through 6 in more detail. 2.1 Connecting E-VPN NVEs within a DC In this scenario, connectivity is required between hosts (e.g. VMs) in the same data center, and those hosts belong to different IP subnets. Each subnet is associated with a single EVI on the NVEs. Furthermore, all the EVIs in question belong to the same VRF. As an example, consider VM3 and VM5 of Figure 2 above. Assume that connectivity is required between these two VMs where VM3 belongs to the IP3 subnet whereas VM5 belongs to the IP5 subnet. NVE2 has an EVI3 associated with IP3 subnet and NVE3 has an EVI5 associated with the IP5 subnet. Both EVI3 and EVI5 are associated with the same VRFa. 2.2 Connecting E-VPN NVEs in different DCs without route aggregation This case is similar to that of section 2.1 above albeit for the fact that the hosts belong to different data centers that are interconnected over a WAN (e.g. MPLS/IP PSN). The data centers in question here are seamlessly interconnected to the WAN, i.e. no gateways are used on the data center WAN edge. Sajassi et al. Expires August 18, 2013 [Page 5] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 As an example, consider VM3 and VM6 of Figure 2 above. Assume that connectivity is required between these two VMs where VM3 belongs to the IP3 subnet whereas VM6 belongs to the IP6 subnet. NVE2 has an EVI3 associated with IP3 subnet and NVE4 has an EVI6 associated with the IP6 subnet. Both EVI3 and EVI6 are associated with the same VRFa. 2.3 Connecting E-VPN NVEs in different DCs with route aggregation In this scenario, connectivity is required between hosts (e.g. VMs) in different data centers, and those hosts belong to different IP subnets. What makes this case different from that of Section 2.2 is that at least one of the data centers in question has a gateway as the WAN edge switch. Because of that, the NVEs in the data centers with gateways do not have the addresses of the hosts situated in remote data centers. As an example, consider VM1 and VM5 of Figure 2 above. Assume that connectivity is required between these two VMs where VM1 belongs to the IP1 subnet whereas VM5 belongs to the IP5 subnet. NVE3 has an EVI5 associated with the IP5 subnet and NVE1 has an EVI1 associated with the IP1 subnet. Both EVI1 and EVI5 are associated with the same VRFa. Due to the gateway at the edge of DCN 1, NVE1 does not have the address of VM5 in its VRFa table. 2.4 Connecting IP-VPN sites and E-VPN NVEs with route aggregation In this scenario, connectivity is required between hosts (e.g. VMs) in a data center and hosts in an enterprise site connected through IP-VPN. The NVE within the data center is an E-VPN NVE, whereas the NVE in the enterprise site is an IP-VPN NVE. Furthermore, the data center in question has a gateway as the WAN edge switch. Because of that, the NVE in the data center does not have the addresses of the hosts situated in the enterprise site. As an example, consider end-station H1 and VM2 of Figure 2. Assume that connectivity is required between the end-station and the VM, where VM2 belongs to the IP2 subnet whereas H1 belongs to the IP1 subnet. NVE1 has and EVI2 associated with the IP2 subnet. EVI2 is associated with VRFa. On IP-VPN PE1, the IP1 subnet is in VRFa as well. Due to the gateway at the edge of DCN 1, NVE1 does not have the address of H1 in its VRFa table. 3 Concepts needed before solution description 3.1 Default GW & MAC address aliasing versus single MAC/IP 3.2 VM Mobility we can go from scenarios 2.2 to scenario 2.4 (describe how E-VPN provides capability Sajassi et al. Expires August 18, 2013 [Page 6] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 4 Operational Models for Inter-Subnet Forwarding 4.1 Among E-VPN NVEs within a DC When an E-VPN MAC advertisement route is received by the NVE, the IP address associated with the route is used to populate the VRF, whereas the MAC address associated with the route is used to populate both the bridge-domain MAC table, as well as the adjacency associated with the IP route in the VRF. When an Ethernet frame is received by an ingress NVE, it performs a lookup on the destination MAC address in the associated EVI. If the MAC address corresponds to its IRB Interface MAC address, the ingress NVE deduces that the packet must be inter-subnet routed. Hence, the ingress NVE performs an IP lookup in the associated VRF table. The lookup identifies both the next-hop (i.e. egress) NVE to which the packet must be forwarded, in addition to an adjacency that contains a MAC rewrite and an MPLS label stack. The MAC rewrite holds the MAC address associated with the destination host (as populated by the E- VPN MAC route), instead of the MAC address of the next-hop NVE. The ingress NVE then rewrites the destination MAC address in the packet with the address specified in the adjacency. It also rewrites the source MAC address with its IRB Interface MAC address. The ingress NVE, then, forwards the frame to the next-hop (i.e. egress) NVE after encapsulating it with the MPLS label stack. Note that this label stack includes the LSP label as well as the EVI label that was advertised by the egress NVE. When the MPLS encapsulated packet is received by the egress NVE, it uses the EVI label to identify the bridge-domain table. It then performs a MAC lookup in that table, which yields the outbound interface to which the Ethernet frame must be forwarded. Figure 2 below depicts the packet flow, where NVE1 and NVE2 are the ingress and egress NVEs, respectively. NVE1 NVE2 +------------+ +------------+ | ... ... | | ... ... | |(EVI)-[VRF] | |[VRF]-(EVI) | | .|. .|. | | ... |..| | +------------+ +------------+ ^ v ^ V | | | | VM1->-+ +-->--------------+ +->-VM2 Figure 2: Inter-Subnet Forwarding Among E-VPN NVEs within a DC Note that the forwarding behavior on the egress NVE is similar to E- Sajassi et al. Expires August 18, 2013 [Page 7] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 VPN intra-subnet forwarding. In other words, all the packet processing associated with the inter-subnet forwarding semantics is confined to the ingress NVE. It should also be noted that [E-VPN] provides different level of granularity for the EVI label. Besides identifying bridge domain table, it can be used to identify the egress interface or a destination MAC address on that interface. If EVI label is used for egress interface or destination MAC address identification, then no MAC lookup is needed in the egress EVI and the packet can be directly forwarded to the egress interface just based on EVI label lookup. 4.2 Among E-VPN NVEs in Different DCs Without Route Aggregation [This section will be expanded in the future revision]. 4.3 Among E-VPN NVEs in Different DCs with Route Aggregation In this scenario, the NVEs within a given data center do not have entries for the MAC/IP addresses of hosts in remote data centers. Rather, the NVEs have a default IP route pointing to the WAN gateway for each VRF. This is accomplished by the WAN gateway advertising for a given E-VPN that spans multiple DC a default VPN-IP route that is imported by the NVEs of that E-VPN that are in the gateway's own DC. When an Ethernet frame is received by an ingress NVE, it performs a lookup on the destination MAC address in the associated EVI. If the MAC address corresponds to the IRB Interface MAC address, the ingress NVE deduces that the packet must be inter-subnet routed. Hence, the ingress NVE performs an IP lookup in the associated VRF table. The lookup, in this case, matches the default route which points to the local WAN gateway. The ingress NVE then rewrites the destination MAC address in the packet with the IRB Interface MAC address of the local WAN gateway. It also rewrites the source MAC address with its own IRB Interface MAC address. The ingress NVE, then, forwards the frame to the WAN gateway after encapsulating it with the MPLS label stack. Note that this label stack includes the LSP label as well as the IP- VPN label that was advertised by the local WAN gateway. When the MPLS encapsulated packet is received by the local WAN gateway, it uses the IP-VPN label to identify the VRF table. It then performs an IP lookup in that table. The lookup identifies both the remote WAN gateway (of the remote data center) to which the packet must be forwarded, in addition to an adjacency that contains a MAC rewrite and an MPLS label stack. The MAC rewrite holds the MAC address associated with the ultimate destination host (as populated by the E-VPN MAC route). The local WAN gateway then rewrites the destination MAC address in the packet with the address specified in the adjacency. It also rewrites the source MAC address with its IRB Interface MAC address. Sajassi et al. Expires August 18, 2013 [Page 8] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 The local WAN gateway, then, forwards the frame to the remote WAN gateway after encapsulating it with the MPLS label stack. Note that this label stack includes the LSP label as well as a VPN label that was advertised by the remote WAN gateway. When the MPLS encapsulated packet is received by the remote WAN gateway, it simply swaps the VPN label with the EVI label advertised by the egress NVE. This implies that the remote WAN gateway must allocate the VPN label at least at the granularity of a (VRF, egress NVE) tuple. The remote WAN gateway then forward the packet to the egress NVE. The egress NVE then performs a MAC lookup in the EVI (identified by the received EVI label) to determine the outbound port to send the traffic on. Figure 4 below depicts the forwarding model. NVE1 GW1 GW2 NVE2 +------------+ +------------+ +------------+ +------------+ | ... ... | | ... ... | | ... | | ... ... | |(EVI)-[VRF] | |[VRF]-(EVI) | | [LS ] | |[VRF]-(EVI) | | .|. .|. | | |..| | | |...| | | ... |..| | +------------+ +------------+ +------------+ +------------+ ^ v ^ V ^ V ^ V | | | | | | | | VM1->-+ +-->-----+ +--------------+ +---------------+ +->-VM2 Figure 4: Inter-Subnet Forwarding Among E-VPN NVEs in Different DCs with Route Aggregation 4.4 Among IP-VPN Sites and E-VPN NVEs with Route Aggregation In this scenario, the NVEs within a given data center do not have entries for the IP addresses of hosts in remote enterprise sites. Rather, the NVEs have a default IP route pointing to the WAN gateway for each VRF. When an Ethernet frame is received by an ingress NVE, it performs a lookup on the destination MAC address in the associated EVI. If the MAC address corresponds to the IRB Interface MAC address, the ingress NVE deduces that the packet must be inter-subnet routed. Hence, the ingress NVE performs an IP lookup in the associated VRF table. The lookup, in this case, matches the default route which points to the local WAN gateway. The ingress NVE then rewrites the destination MAC address in the packet with the IRB Interface MAC address of the local WAN gateway. It also rewrites the source MAC address with its own IRB Interface MAC address. The ingress NVE, then, forwards the frame to the WAN gateway after encapsulating it with the MPLS label stack. Note that this label stack includes the LSP label as well as the IP- Sajassi et al. Expires August 18, 2013 [Page 9] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 VPN label that was advertised by the local WAN gateway. When the MPLS encapsulated packet is received by the local WAN gateway, it uses the IP-VPN label to identify the VRF table. It then performs an IP lookup in that table. The lookup identifies the next hop ASBR to which the packet must be forwarded. The local gateway in this case strips the Ethernet encapsulation and forwards the IP packet to the ASBR using a label stack comprising of an LSP label and a VPN label that was advertised by the ASBR. When the MPLS encapsulated packet is received by the ASBR, it simply swaps the VPN label with the IP-VPN label advertised by the egress PE. This implies that the remote WAN gateway must allocate the VPN label at least at the granularity of a (VRF, egress PE) tuple. The ASBR then forwards the packet to the egress PE. The egress PE then performs an IP lookup in the VRF (identified by the received IP-VPN label) to determine where to forward the traffic. Figure 5 below depicts the forwarding model. NVE1 GW1 ASBR PE +------------+ +------------+ +------------+ +------------+ | ... ... | | ... ... | | ... | | ... | |(EVI)-[VRF] | |[VRF]-(EVI) | | [LS ] | | [VRF]| | .|. .|. | | |..| | | |...| | | |..| | +------------+ +------------+ +------------+ +------------+ ^ v ^ V ^ V ^ V | | | | | | | | VM1->-+ +-->-----+ +--------------+ +---------------+ +->-H1 Figure 5: Inter-Subnet Forwarding Among IP-VPN Sites and E-VPN NVEs with Route Aggregation 5 VM Mobility describe how mobility works 5 Acknowledgement 6 Security Considerations 7 IANA Considerations 8 References Sajassi et al. Expires August 18, 2013 [Page 10] INTERNET DRAFT IP Inter-Subnet Forwarding in E-VPN October 22, 2012 8.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 8.2 Informative References [EVPN] Sajassi et al., "BGP MPLS Based Ethernet VPN", draft-ietf- l2vpn-evpn-00.txt, work in progress, February, 2012. [EVPN-IPVPN-INTEROP] Sajassi et al., "E-VPN Seamless Interoperability with IP-VPN", draft-sajassi-l2vpn-evpn-ipvpn-interop-01, work in progress, October, 2012. [DC-MOBILITY] Aggarwal et al., "Data Center Mobility based on BGP/MPLS, IP Routing and NHRP", draft-raggarwa-data-center-mobility- 03.txt, work in progress, June, 2012. Authors' Addresses Ali Sajassi Cisco Email: sajassi@cisco.com Samer Salam Cisco Email: ssalam@cisco.com Yakov Rekhter Juniper Networks Email: yakov@juniper.net John E. Drake Juniper Networks Email: jdrake@juniper.net Sajassi et al. Expires August 18, 2013 [Page 11]