EVPN
Understanding EVPN
Ethernet VPN (EVPN) is a standards-based technology that provides virtual multipoint bridged
connectivity between different Layer 2 domains over an IP or IP/MPLS backbone network. Like
other VPN technologies, such as IP VPN and virtual private LAN service (VPLS), EVPN instances
are configured on provider edge (PE) routers to maintain logical service separation between
customers. The PE routers connect to customer edge (CE) devices, which can be routers,
switches, or hosts. The PE routers then exchange reachability information using Multiprotocol
BGP (MP-BGP) and encapsulated traffic is forwarded between PE routers. Because elements of
the architecture are common with other VPN technologies, you can seamlessly introduce and
integrate EVPN into existing service environments, as shown in Figure 1.
Figure 1: EVPN Overview
EVPN is used as a Layer 2 overlay solution to provide Layer 2 connection over an IP
underlay for the endpoints within a virtual network whenever Layer 2 connectivity is
required by an end station such as a bare-metal server (BMS). Otherwise, Layer 3 routing
is used through VRF tables between Contrail vRouters and MX Series routers. EVPN
technology offers multitenancy, flexible services that can be extended on demand,
frequently using compute resources of different physical data centers for a single service
(Layer 2 extension).
EVPN’s MP-BGP control plane enables you to dynamically move live virtual machines
from one data center to another, also known as virtual machine (VM) motion. After you
move a VM to a destination server or hypervisor, it transmits a gratuitous ARP, which
updates the Layer 2 forwarding table of the PE device at the destination data center. The
PE device then transmits a MAC route update to all remote PE devices which in turn
update their forwarding tables. An EVPN tracks the movement of the VM, which is also
known as MAC mobility.
EVPN also has mechanisms that detect and stop MAC flapping, and prevent the looping
of broadcast, unknown unicast, and multicast (BUM) traffic in an all-active multi-homed
topology.
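The MAC mobility and flap-detection behaviour just described, worked through as an added illustration that is not Juniper's code or configuration: a hypothetical PE-side MAC table that applies EVPN Type 2 routes carrying RFC 7432 MAC Mobility sequence numbers (a moved MAC is re-advertised at seq+1, the higher sequence wins) and freezes a MAC that moves more than flap_limit times within window seconds. The class and method names, and the 5-moves-in-180-seconds values, are constructed for the example and are not vendor defaults.

```python
from collections import deque

class EvpnMacTable:
    """Hypothetical simplification of one PE's EVPN MAC table.  Entries are driven
    by Type 2 (MAC/IP) routes carrying RFC 7432 MAC Mobility sequence numbers."""

    def __init__(self, pe_id, flap_limit=5, window=180):
        self.pe_id = pe_id
        self.entries = {}     # mac -> {"pe": owning PE, "seq": mobility sequence}
        self.moves = {}       # mac -> deque of recent move timestamps (seconds)
        self.frozen = set()   # MACs whose advertisements are suppressed (flapping)
        self.flap_limit, self.window = flap_limit, window

    def _record_move(self, mac, now):
        """Count moves inside the sliding window; freeze the MAC past the limit."""
        q = self.moves.setdefault(mac, deque())
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.flap_limit:
            self.frozen.add(mac)
        return mac in self.frozen

    def learn_local(self, mac, now):
        """Data-plane learning from a CE, e.g. the gratuitous ARP after VM motion.
        Returns the Type 2 route to advertise, or None when nothing is sent."""
        cur = self.entries.get(mac)
        if cur and cur["pe"] == self.pe_id:
            return None                          # already ours: nothing changed
        if cur and self._record_move(mac, now):
            return None                          # flapping: stop advertising it
        seq = cur["seq"] + 1 if cur else 0       # a moved MAC is re-advertised at seq+1
        self.entries[mac] = {"pe": self.pe_id, "seq": seq}
        return {"type": 2, "mac": mac, "seq": seq, "pe": self.pe_id}

    def receive_advert(self, adv, now):
        """Apply a remote Type 2 route: higher seq wins, ties go to the lower PE id."""
        mac, cur = adv["mac"], self.entries.get(adv["mac"])
        if cur and (adv["seq"], -adv["pe"]) <= (cur["seq"], -cur["pe"]):
            return "ignored"                     # stale route or a losing tie
        if cur and self._record_move(mac, now):
            return "frozen"                      # flapping: keep the current binding
        self.entries[mac] = {"pe": adv["pe"], "seq": adv["seq"]}
        return "moved" if cur else "learned"
```

A replayed or stale route (equal or lower sequence) is ignored, so a stale advertisement cannot pull a MAC back to its old location.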
The EVPN technology, similar to Layer 3 MPLS VPN, includes the concept of routing
MAC addresses using IP/MPLS core. EVPN provides the following benefits:
Multihoming provides redundancy in the event that an access link or one of the
PE routing devices fails. In either case, traffic flows from the CE device towards
the PE router, using the remaining active links. For traffic in the other direction, the
remote PE router updates its forwarding table to send traffic to the remaining active
PE routers connected to the multihomed Ethernet segment. EVPN provides a fast
convergence mechanism, which reduces traffic restoration time so that the time it
takes to make this adjustment is independent of the number of media access
control (MAC) addresses learned by the PE router. All-active multihoming enables
a CE device to connect to two or more PE routers such that traffic is forwarded
using all of the links between the devices. This multihoming enables the CE device
to load-balance traffic to multiple PE routers. More importantly, multihoming
enables a remote PE router to load-balance traffic to the multihomed PE routers
across the core network. This load balancing of traffic flows between data centers
is known as aliasing.
Split horizon prevents the looping of broadcast, unknown unicast, and multicast
(BUM) traffic in a network. The basic principle of split horizon is simple: information
about the routing for a particular packet is never sent back in the direction from
which it was received.
Local link bias conserves bandwidth by using local links to forward unicast
traffic exiting a Virtual Chassis or Virtual Chassis Fabric (VCF) that has a link
aggregation group (LAG) bundle composed of member links on different member
switches in the same Virtual Chassis or VCF. A local link is a member link in the
LAG bundle that is on the member switch that received the traffic.
EVPN with VXLAN encapsulation is used for Layer 2 connectivity between
virtual machines and a top-of-rack (TOR) switch, for example, a QFX5100 switch,
within a Layer 2 domain.
Network overlays are created by encapsulating traffic and tunneling the traffic over a
physical network. You can use a number of tunneling protocols in the data center to create
network overlays—the most common protocol is VXLAN. VXLAN tunneling protocol
encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets. This encapsulation
enables you to create virtual Layer 2 subnets or segments that can span physical Layer
3 networks.
In a VXLAN overlay network, a VXLAN network identifier (VNI) uniquely identifies each
Layer 2 subnet or segment. A VNI segments traffic the same way that an IEEE 802.1Q
VLAN ID segments traffic. As is the case with VLAN, virtual machines on the same VNI
can communicate directly with each other, whereas virtual machines on different VNIs
need a router to communicate with each other.
The entity that performs the encapsulation and de-encapsulation is called a VXLAN tunnel
endpoint (VTEP). In the physical network, a Juniper Networks device that functions as a
Layer 2 or Layer 3 VXLAN gateway can encapsulate and de-encapsulate data packets.
This type of VTEP is known as a hardware VTEP. In the virtual network, VTEPs can
reside in hypervisor hosts, such as kernel-based virtual machine (KVM) hosts. This type
of VTEP is known as a software VTEP.
Each VTEP has two interfaces. One is a switching interface that faces the virtual
machines in the host and provides communication between VMs on the local LAN
segment. The other is an IP interface that faces the Layer 3 network.
Each VTEP has a unique IP address that is used for routing the UDP packets between
VTEPs. For example, when VTEP1 receives an Ethernet frame from VM1 addressed to
VM3, it uses the VNI and the destination MAC to look up in its forwarding table which
VTEP to send the packet to. It then adds a VXLAN header that contains the VNI to the
Ethernet frame and encapsulates the frame in a Layer 3 UDP packet and routes the
packet to VTEP2 over the Layer 3 network. VTEP2 de-encapsulates the original Ethernet
frame and forwards it to VM3. VM1 and VM3 cannot detect the VXLAN tunnel and the
Layer 3 network between them.
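The VTEP1/VM1/VM3 exchange above, worked through as an added example that is not code from the page or from Juniper: a toy VTEP pair that builds and strips the 8-byte VXLAN header, looks up the next hop by (VNI, destination MAC), floods unknown unicast, and drops tunnel packets whose VNI does not match a local segment or whose I flag is clear. The Vtep class, its tables and the VM and VTEP addresses are constructed for illustration.

```python
import struct

VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field carries a valid identifier

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ethernet_frame(dst, src, payload, ethertype=0x0800):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def vxlan_encap(frame, vni):
    """Prepend the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 < vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + frame

def vxlan_decap(packet):
    """Return (vni, inner_frame), or None for a packet the VTEP must drop."""
    if len(packet) < 8 + 14:               # VXLAN header plus a minimal Ethernet header
        return None
    word0, word1 = struct.unpack("!II", packet[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:   # RFC 7348: the I bit must be set
        return None
    return (word1 >> 8) & 0xFFFFFF, packet[8:]

class Vtep:
    """Toy VTEP. local: VMs behind the switching interface, keyed by (vni, mac).
    remote: MACs behind the IP interface -> remote VTEP IP (EVPN Type 2 routes fill this)."""
    def __init__(self, ip):
        self.ip, self.local, self.remote = ip, {}, {}

    def forward_local(self, vni, frame):
        """Frame from a local VM: deliver locally, tunnel it, or flood it (unknown unicast)."""
        dst = frame[:6]
        if (vni, dst) in self.local:
            return "local", self.local[(vni, dst)], frame
        peer = self.remote.get((vni, dst))
        if peer is None:
            return "flood", None, frame
        return "tunnel", peer, vxlan_encap(frame, vni)

    def receive_tunnel(self, packet):
        """UDP/4789 payload from the Layer 3 side: decapsulate, deliver within its VNI only."""
        decoded = vxlan_decap(packet)
        if decoded is None:
            return "drop", None, None
        vni, frame = decoded
        vm = self.local.get((vni, frame[:6]))   # the VNI isolates segments like a VLAN ID
        return ("local", vm, frame) if vm else ("drop", None, None)
```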
A unique characteristic of EVPN is that MAC address learning between PE routers occurs
in the control plane. The local PE router detects a new MAC address from a CE device
and then, using MP-BGP, advertises the address to all the remote PE routers. This
method differs from existing Layer 2 VPN solutions such as VPLS, which learn by flooding
unknown unicast in the data plane. This control plane MAC learning method is the key
enabler of the many useful features that EVPN provides.
Because MAC learning is handled in the control plane, EVPN has the flexibility to support
different data plane encapsulation technologies between PE routers. This flexibility is
important because not every backbone network might be running MPLS, especially in
enterprise networks.
EVPN addresses many of the challenges faced by network operators building data
centers to offer cloud and virtualization services. The main application of EVPN is Data
Center Interconnect (DCI), which refers to the ability to extend Layer 2 connectivity
between different data centers that are deployed to improve the performance of delivering
application traffic to end users and for disaster recovery.
Although various DCI technologies are available, EVPN has an advantage over the other
MPLS technologies because of its unique features, such as active/active redundancy,
aliasing, and mass MAC withdrawal. As a result, to provide a solution for DCI, VXLAN is
integrated with EVPN.
As shown in Figure 2, each VXLAN, which is connected to the MPLS or IP core, runs an
independent instance of the interior gateway protocol (IGP) control plane. Each PE router
participates in the IGP control plane instance of its VXLAN. Each customer is a data
center, so each has its own virtual router for VXLAN underlay.
Each PE node can terminate the VXLAN data plane encapsulation where the VXLAN
network identifier (VNI) is mapped to a bridge domain or VLAN. The PE router performs
data plane learning on the traffic received from the VXLAN.
Each PE node implements EVPN to distribute the client MAC addresses learned over the
VXLAN tunnel into BGP. Each PE node encapsulates the VXLAN or Ethernet frames with
MPLS when sending the packets over the MPLS core and with the VXLAN tunnel header
when sending the packets over the VXLAN network.
Figure 2: EVPN-VXLAN Integration Overview
Filtering and policing are not supported for VXLAN transit traffic.
Firewall filtering on VNI at the egress VTEP device is not supported.
Policing on VNI at the egress VTEP device is not supported.
Match conditions against VXLAN header fields are not supported.
NOTE:
EVPN-VXLAN firewall filters are configured on the interface after the VXLAN header is
stripped by the VXLAN tunnel endpoint (VTEP).
Understanding Contrail Virtual Networks Use with EVPN-VXLAN
Juniper Networks Contrail virtualization software is a software-defined networking
(SDN) solution that automates and orchestrates the creation of highly scalable virtual
networks. These virtual networks enable you to harness the power of the cloud—for
new services, increased business agility, and revenue growth. MX Series routers can
use EVPN-VXLAN to provide both Layer 2 and Layer 3 connectivity for end stations
within a Contrail virtual network (VN).
The Contrail software for virtual networks provides both Layer 2 and Layer 3
connectivity. With Contrail, Layer 3 routing is preferred over Layer 2 bridging whenever
possible. Layer 3 routing is used through virtual routing and forwarding (VRF) tables
between Contrail vRouters and physical MX Series routers. MX Series routers provide
Layer 3 gateway functionality between virtual networks.
Contrail enables you to use EVPN-VXLAN when your network includes both virtual and
bare-metal devices.
MPLS core is not supported on switches—only MX Series routers support this feature.
You cannot simultaneously mix EVPN-VXLAN with Open vSwitch Database (OVSDB)-VXLAN
on QFX Series switches. After a switch is set to OVSDB-managed, the controller treats
all ports as managed by OVSDB.
MX Series routers and the EX92xx line of switches support Virtual Extensible LAN
(VXLAN) gateways. Each VXLAN gateway supports the following functionalities:
The following service types are supported with an IPv6 underlay:
VLAN-based service
VLAN-bundle service
Port-based service
VLAN-aware service
Both IPv4 and IPv6 EVPN-VXLAN underlays support EVPN Type 2 MAC addresses
with IP address advertisement and proxy MAC addresses with IP address
advertisement.