Network Virtualization using Extreme Fabric Connect
Table Of Contents
- Table of Contents
- Table of Figures
- Table of Tables
- Conventions
- Introduction
- Reference Architecture
- Guiding Principles
- Architecture Components
- User to Network Interface
- Network to Network Interface
- Backbone Core Bridge
- Backbone Edge Bridge
- Customer MAC Address
- Backbone MAC Address
- SMLT-Virtual-BMAC
- IS-IS Area
- IS-IS System ID
- IS-IS Overload Function
- SPB Bridge ID
- SPBM Nick-name
- Dynamic Nick-name Assignment
- Customer VLAN
- Backbone VLAN
- Virtual Services Networks
- I-SID
- Inter-VSN Routing
- Fabric Area Network
- Fabric Attach / Auto-Attach
- FA Server
- FA Client
- FA Proxy
- FA Standalone Proxy
- VPN Routing and Forwarding Instance
- Global Router Table
- Distributed Virtual Routing
- Zero Touch Fabric (ZTF)
- Foundations for the Service Enabled Fabric
- IP Routing and L3 Services over Fabric Connect
- L2 Services Over SPB IS-IS Core
- Fabric Attach
- IP Multicast Enabled VSNs
- Extending the Fabric Across the WAN
- Distributed Virtual Routing
- Quality of Service
- Consolidated Design Overview
- High Availability
- Fabric and VSN Security
- Fabric as Best Foundation for SDN
- Glossary
- Reference Documentation
- Revisions
© 2019 Extreme Networks, Inc. All rights reserved.
Distributed Virtual Routing
This section will go into greater depth about Distributed Virtual Routing (DVR) in the context of the
Extreme Fabric Connect architecture. DVR is an enhancement of Fabric Connect that allows both the use of
a distributed anycast gateway and the ability to compute the shortest path to the individual host IP. This
becomes hugely important in environments where the host IPs are mobile. The data center is the most
challenging environment in this respect since the advent of server virtualization. VMs can be moved with
ease, without even being stopped, from one physical hypervisor to the next and indeed across
geo-redundant data centers. When those VMs migrate, they always take their IP address with them; this is
necessary because the applications running on those VMs would otherwise lose all their connections (open
sockets) in the process.
Traffic Tromboning Challenges
The best way to understand the benefits of DVR is to first understand the limitations a Data Center
Fabric Connect architecture would have if it were not DVR enabled.
We already know that the SPB Fabric by definition always calculates the shortest path. But it will always
calculate the shortest path towards some already defined Backbone MAC (BMAC) which constitutes the
destination BEB for the traffic at hand. But since all traffic carried over the SPB Fabric is part of a service
type (VSN), and the addressing used in these virtual networks is not the BMAC but some other L2 or L3
addressing scheme, there has to be a mapping between the two.
Hence if we look at L2 VSNs, these services learn end-user MAC addresses (CMAC) and associate these
with the BEB’s BMAC from which they have been learned. The assumption is that a given CMAC is behind a
given BMAC and thus taking the shortest path to that BMAC also ensures the shortest path to that CMAC.
This works fine for L2 flows that remain within the same L2 segment (source and destination are in same IP
subnet) and is equally applicable to L2 flows within the data center.
Similarly with L3 VSNs, they exchange IP routes via IS-IS and install these IP routes in the relevant VRF IP
routing table. In this case, it is an IP network that is being associated with the BEB’s BMAC that has a local
IP interface on that IP network. Again, the assumption is that any host with an IP address belonging to that
network is residing behind that BEB and that taking the shortest path to that BMAC also ensures the
shortest path to that IP address. This assumption generally holds true in the campus, but does not hold true
in the data center where VM hosts are highly mobile in the east-west direction along server VLAN L2 VSNs.
Figure 64 illustrates the worst-case scenario of what could happen in an architecture where two
geo-redundant data centers have been made into a single SPB Fabric, leveraging Fabric Extend, and where DVR
is not being used. The server VLAN is L2 extended across both data centers using an L2 VSN. Both core
routers in both data centers have an IP interface on the server L2 segment and act as default gateways for
that same segment. They thus all announce the server subnet northwards toward the wider campus and
the branch offices in the example. They will also have to use some form of gateway redundancy protocol,
like standard VRRP, southwards toward the data center hosts (VMs). This can result in two forms of traffic
tromboning.
In the first case, traffic from a branch office destined to a data center VM is forwarded based on the
lowest cost to reach one of the four IP routers announcing the VM’s IP network. Since there is no
knowledge about where the VM is actually located, there is a 50% chance that the traffic will arrive at
the wrong data center and then need to take a second high-latency hop over potentially the same
WAN (if the L2 VSN is Fabric Extended between the two data centers) to reach its destination.
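The first tromboning case can be reproduced with a small model, added here as an illustration and not taken from the Extreme document. Node names, link costs and addresses are constructed, each data center is reduced to one core router instead of two, and the per-host entry is modelled as a /32 route pointing at the VM's BEB, which is an assumption about what per-host shortest path looks like and not DVR's actual implementation.

```python
import heapq
import ipaddress

# Constructed topology: node names and link costs are assumptions.
LINKS = {
    ("branch", "dc1-core"): 10, ("branch", "dc2-core"): 12,  # WAN links
    ("dc1-core", "dc2-core"): 10,                             # inter-DC link
    ("dc1-core", "dc1-beb"): 1, ("dc2-core", "dc2-beb"): 1,
}
VM_IP, VM_BEB = "10.1.0.50", "dc2-beb"   # constructed: the VM now lives in DC2
SUBNET_ONLY = {"10.1.0.0/24": ["dc1-core", "dc2-core"]}
WITH_HOST_ROUTE = {**SUBNET_ONLY, "10.1.0.50/32": [VM_BEB]}

def shortest(src, dst):
    """Dijkstra over the undirected LINKS graph; returns (cost, path)."""
    adj = {}
    for (a, b), c in LINKS.items():
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    heap, seen = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    raise ValueError(f"no path from {src} to {dst}")

def deliver(src, dst_ip, routes):
    """Longest-prefix match, nearest announcer, then on to the BEB hosting the VM."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [p for p in routes if ip in ipaddress.ip_network(p)]
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    cost, path = min(shortest(src, r) for r in routes[best])
    extra, tail = shortest(path[-1], VM_BEB)   # L2 VSN leg to the real location
    return cost + extra, path + tail[1:]

def crosses_inter_dc(path):
    """True if the path uses the link between the two data centers."""
    return any({a, b} == {"dc1-core", "dc2-core"} for a, b in zip(path, path[1:]))

if __name__ == "__main__":
    for name, routes in (("subnet only", SUBNET_ONLY), ("host route", WITH_HOST_ROUTE)):
        cost, path = deliver("branch", VM_IP, routes)
        print(name, cost, " > ".join(path), crosses_inter_dc(path))
```

With only the subnet route, the branch picks the nearer announcer in DC1 and the flow then crosses the inter-DC link; with the host route it goes straight to DC2.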
In the second case, any data center L3 flow that needs to be IP routed either to reach another host in the
data centers (L3 east-west flow) or to reach the wider campus (south-north) will need to hit the default
gateway for the server segment. With standard VRRP, only one IP router will be acting as that default