VXLAN CONTROL PLANE

In the initial VXLAN solution (RFC 7348), the control plane is not defined. Instead, VXLAN tunnels require manual configuration and host MAC addresses need to be learned through traffic flooding. Although the flood-and-learn approach is much simpler, it causes a large amount of flooded traffic on the network and makes the network difficult to expand.

To address these problems, Ethernet Virtual Private Network (EVPN) is introduced as the VXLAN control plane. EVPN relies on the Border Gateway Protocol (BGP)/MPLS VPN mechanism. By extending BGP, EVPN defines three new types of BGP EVPN routes to implement VTEP autodiscovery and host MAC address learning. Using EVPN as the VXLAN control plane has the following advantages:

  • VTEPs are discovered automatically and VXLAN tunnels are established automatically, simplifying network deployment and expansion.
  • EVPN can advertise both Layer 2 MAC addresses and Layer 3 routing information.
  • Flooded traffic on the network is significantly decreased.

Understanding BGP EVPN

EVPN defines three new types of BGP EVPN routes to transmit VTEP addresses and host information by extending BGP. As such, the applications of EVPN on VXLAN move VTEP autodiscovery and host MAC address learning from the data plane to the control plane. The functions of the control-plane routes are as follows:

• Type 2 route (MAC/IP route): used to advertise host MAC addresses, host Address Resolution Protocol (ARP) entries, and host route information.

• Type 3 route (inclusive multicast route): used to automatically discover VTEPs and dynamically establish VXLAN tunnels.

• Type 5 route (IP prefix route): used to advertise the imported external routes and host route information.

1. Type 2 route: MAC/IP route

Figure 5.10 shows the format of a MAC/IP route.

FIGURE 5.10 Format of a MAC/IP route.

Table 5.3 describes the fields in a MAC/IP route.

TABLE 5.3 Fields in a MAC/IP Route

Route distinguisher: RD value of an EVPN instance.
Ethernet segment identifier: Unique identifier of the connection between the local and remote devices.
Ethernet tag ID: VLAN ID configured on the local device.
MAC address length: Length of the host MAC address carried in the route.
MAC address: Host MAC address carried in the route.
IP address length: Mask length of the host IP address carried in the route.
IP address: Host IP address carried in the route.
MPLS Label 1: Layer 2 VNI carried in the route.
MPLS Label 2: Layer 3 VNI carried in the route.

MAC/IP routes function on the VXLAN control plane as follows:

a. Advertising host MAC addresses

To implement Layer 2 communication between intrasubnet hosts, the local and remote VTEPs of a VXLAN tunnel need to learn the host MAC addresses from each other. To achieve this, the VTEPs function as BGP EVPN peers to exchange MAC/IP routes.

b. Advertising host ARP entries

A MAC/IP route can carry both the MAC and IP addresses of a host, and therefore can be used to advertise ARP entries between VTEPs. This type of MAC/IP route is also called the ARP route. ARP entry advertisement applies to the following scenarios:

i. ARP broadcast suppression: After a Layer 3 gateway learns the ARP entries of hosts, it generates host information that contains the host IP and MAC addresses, Layer 2 VNI, and the gateway's VTEP IP address. The Layer 3 gateway then transmits an ARP route carrying the host information to a Layer 2 gateway. Upon receiving an ARP request, the Layer 2 gateway checks whether it holds host information for the destination IP address of the packet. If it does, the Layer 2 gateway replaces the broadcast MAC address in the ARP request with the destination host's unicast MAC address and unicasts the packet. This suppresses ARP broadcast packets.

ii. Virtual machine (VM) migration in a distributed gateway scenario: After a VM migrates from one gateway to another, the new gateway learns the ARP entry of the VM and generates host information that contains the host IP and MAC addresses, Layer 2 VNI, and the gateway's VTEP IP address. The new gateway then transmits an ARP route carrying the host information to the original gateway. When the original gateway receives the ARP route, it detects that the VM's location has changed and triggers an ARP probe. If the ARP probe fails, the original gateway withdraws the ARP entry and host route of the VM.
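Scenario i (ARP broadcast suppression) as an added Python example; this is not code from the book or from any vendor. The Layer 2 gateway installs the host information received in ARP routes and, for an ARP request whose target IP it knows, rewrites the broadcast destination MAC to the host's unicast MAC instead of flooding. The frame layout is standard Ethernet II plus RFC 826 ARP; the sample request, addresses and VNI values are constructed here, and keying the host table by Layer 2 VNI is an assumption made for the example.

```python
"""ARP broadcast suppression on a Layer 2 VXLAN gateway (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_FRAME_LEN = 42  # 14-octet Ethernet II header + 28-octet IPv4 ARP payload


@dataclass(frozen=True)
class HostInfo:
    mac: str
    vtep_ip: str  # VTEP IP of the Layer 3 gateway that advertised the host


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP request (constructed sample input)."""
    eth = mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_to_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed  # target MAC still unknown
    return eth + arp


class Layer2Gateway:
    def __init__(self) -> None:
        # (Layer 2 VNI, host IP) -> host information learned from ARP routes
        self.hosts: Dict[Tuple[int, str], HostInfo] = {}

    def learn_arp_route(self, l2_vni: int, ip: str, mac: str, vtep_ip: str) -> None:
        """Install host information carried in a received ARP route."""
        self.hosts[(l2_vni, ip)] = HostInfo(mac, vtep_ip)

    def withdraw_arp_route(self, l2_vni: int, ip: str) -> None:
        """Remove host information when the advertising gateway withdraws it."""
        self.hosts.pop((l2_vni, ip), None)

    def handle_frame(self, l2_vni: int, frame: bytes) -> Tuple[str, bytes]:
        """Decide what to do with a frame received in the given Layer 2 VNI.

        Returns ("unicast", rewritten_frame) when suppression applies,
        ("flood", frame) for broadcast that cannot be suppressed, and
        ("forward", frame) for ordinary unicast traffic.
        """
        if len(frame) < 14:
            raise ValueError("runt frame")
        dst_mac = bytes_to_mac(frame[0:6])
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if dst_mac != BROADCAST_MAC:
            return ("forward", frame)
        if ethertype != ETHERTYPE_ARP or len(frame) < ARP_FRAME_LEN:
            return ("flood", frame)
        opcode = struct.unpack("!H", frame[20:22])[0]
        if opcode != ARP_REQUEST:
            return ("flood", frame)
        target_ip = str(ipaddress.ip_address(frame[38:42]))  # ARP target protocol address
        info = self.hosts.get((l2_vni, target_ip))
        if info is None:
            return ("flood", frame)  # unknown host: fall back to broadcast
        # Replace the broadcast destination MAC with the host's unicast MAC.
        return ("unicast", mac_to_bytes(info.mac) + frame[6:])
```

The gateway only rewrites the Ethernet destination; the ARP payload is left intact so the target host still answers the request normally. An entry withdrawn from the table (for example after the ARP probe in scenario ii fails) immediately returns the gateway to flooding for that host.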

c. Advertising host IP routes

In a distributed VXLAN gateway scenario, to implement Layer 3 communication between intersubnet hosts, the local and remote VTEPs that function as Layer 3 gateways need to learn host IP routes from each other. To achieve this, the VTEPs function as BGP EVPN peers to exchange MAC/IP routes. This type of MAC/IP route is also called the Integrated Routing and Bridging (IRB) route.

d. Advertising neighbor discovery (ND) entries

A MAC/IP route can carry both the MAC and IPv6 addresses of a host, so this type of route can be used to transmit ND entries between VTEPs and implement ND entry advertisement. Such a MAC/IP route is also called an ND route. ND entry advertisement applies to the following scenarios:

i. Neighbor Solicitation (NS) multicast suppression: After a VXLAN gateway collects information about a local IPv6 host, it generates an NS multicast suppression entry and transmits the entry through a MAC/IP route. After receiving the MAC/IP route, other VXLAN gateways (BGP EVPN peers) each generate a local NS multicast suppression entry. In this way, when a VXLAN gateway receives an NS message, it searches the local NS multicast suppression table. If a matching entry is found, the VXLAN gateway performs multicast-to-unicast processing to reduce or suppress NS message flooding.

ii. IPv6 VM migration in a distributed gateway scenario: After an IPv6 VM is migrated from one gateway to another, the VM sends a gratuitous Neighbor Advertisement (NA) message. After receiving this message, the new gateway generates an ND entry and transmits it to the original gateway through a MAC/IP route. Upon receipt of the entry, the original gateway detects that the location of the IPv6 VM has changed and triggers neighbor unreachability detection (NUD). If the original gateway cannot detect the IPv6 VM in the original location, it deletes the corresponding local ND entry and uses a MAC/IP route to instruct the new gateway to delete the old ND entry for the IPv6 VM.

e. Advertising host IPv6 routes

In a distributed VXLAN gateway scenario, to implement Layer 3 communication between intersubnet IPv6 hosts, the VTEPs that function as Layer 3 gateways need to learn host IPv6 routes from each other. To achieve this, the VTEPs function as BGP EVPN peers to exchange MAC/IP routes. In this case, MAC/IP routes are also called IRBv6 routes.
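As an added example (not code from the book or from any vendor implementation), the following Python encodes and decodes the Type 2 MAC/IP route NLRI whose fields Table 5.3 lists, using the RFC 7432 wire layout, and classifies a decoded route as a MAC, ARP/ND or IRB/IRBv6 route from the fields it carries, which is the distinction items a. to e. above draw. Two assumptions are made for the example: the RD is Type 0 (ASN:number), and each 3-octet MPLS label field carries the VNI directly as a 24-bit value (some implementations shift it left by four bits instead).

```python
"""Encode and decode the BGP EVPN Type 2 (MAC/IP Advertisement) NLRI.

Added example, not code from the book or from any vendor. Field layout per
RFC 7432 section 7.2. Assumptions: Type 0 route distinguishers and a VNI
carried directly as the 24-bit value of each 3-octet MPLS label field.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ROUTE_TYPE_MAC_IP = 2
MIN_LENGTH = 33  # RD 8 + ESI 10 + tag 4 + MAC len 1 + MAC 6 + IP len 1 + label 3

def encode_rd(asn: int, number: int) -> bytes:
    return struct.pack("!HHI", 0, asn, number)  # type 0, 2-octet ASN, 4-octet number

def decode_rd(raw: bytes) -> str:
    rd_type, asn, number = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{asn}:{number}"

def encode_label(vni: int) -> bytes:
    """3-octet MPLS label field carrying a 24-bit VNI (assumed encoding)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return vni.to_bytes(3, "big")

@dataclass
class MacIpRoute:
    rd: str                # "asn:number"
    esi: bytes             # 10-octet Ethernet segment identifier, all zero if single-homed
    eth_tag: int           # Ethernet tag ID
    mac: str               # "aa:bb:cc:dd:ee:ff"
    ip: Optional[str]      # None for a MAC-only route
    l2_vni: int            # MPLS Label 1
    l3_vni: Optional[int]  # MPLS Label 2, present only in IRB routes

    @property
    def kind(self) -> str:
        """Name the route the way the text does: MAC, ARP/ND or IRB/IRBv6."""
        if self.ip is None:
            return "MAC"
        v6 = ipaddress.ip_address(self.ip).version == 6
        if self.l3_vni is None:
            return "ND" if v6 else "ARP"
        return "IRBv6" if v6 else "IRB"

def encode_mac_ip(route: MacIpRoute) -> bytes:
    asn, number = (int(x) for x in route.rd.split(":"))
    if len(route.esi) != 10:
        raise ValueError("ESI must be 10 octets")
    body = encode_rd(asn, number) + route.esi + struct.pack("!I", route.eth_tag)
    body += bytes([48]) + bytes.fromhex(route.mac.replace(":", ""))  # MAC length is in bits
    if route.ip is None:
        body += bytes([0])
    else:
        packed = ipaddress.ip_address(route.ip).packed
        body += bytes([len(packed) * 8]) + packed  # 32 for IPv4, 128 for IPv6
    body += encode_label(route.l2_vni)
    if route.l3_vni is not None:
        body += encode_label(route.l3_vni)
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body

def decode_mac_ip(nlri: bytes) -> MacIpRoute:
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a MAC/IP route")
    length = nlri[1]
    body = nlri[2:2 + length]
    if len(body) != length or length < MIN_LENGTH:
        raise ValueError("truncated NLRI")
    rd = decode_rd(body[0:8])
    esi = body[8:18]
    eth_tag = struct.unpack("!I", body[18:22])[0]
    if body[22] != 48:
        raise ValueError(f"unexpected MAC length {body[22]}")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_len = body[29]
    pos = 30
    ip = None
    if ip_len in (32, 128):
        ip = str(ipaddress.ip_address(body[pos:pos + ip_len // 8]))
        pos += ip_len // 8
    elif ip_len != 0:
        raise ValueError(f"invalid IP length {ip_len}")
    l2_vni = int.from_bytes(body[pos:pos + 3], "big")
    pos += 3
    l3_vni = None
    if length - pos == 3:  # a second label means a Layer 3 VNI is present
        l3_vni = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
    if pos != length:
        raise ValueError("unexpected NLRI length")
    return MacIpRoute(rd, esi, eth_tag, mac, ip, l2_vni, l3_vni)
```

Encoding a route with an IPv4 address and only Label 1 yields a 37-octet NLRI (an ARP route); adding Label 2 gives 40 octets (an IRB route); the IPv6 forms are 49 and 52 octets. The decoder rejects any NLRI whose length byte and actual field sizes disagree rather than silently reading a label from the wrong offset.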

2. Type 3 route: inclusive multicast route

An inclusive multicast route encompasses a prefix and a P-Multicast Service Interface (PMSI) attribute, as shown in Figure 5.11.

FIGURE 5.11 Format of an inclusive multicast route.

Table 5.4 describes the fields in an inclusive multicast route.

TABLE 5.4 Fields in an Inclusive Multicast Route

Route distinguisher: RD value of an EVPN instance.
Ethernet tag ID: VLAN ID configured on the local device. The value is all 0s in an inclusive multicast route.
IP address length: Mask length of the local VTEP's IP address carried in the route.
Originating router's IP address: Local VTEP's IP address carried in the route.
Flags: Flags indicate whether or not leaf node information is required for the tunnel. This field is meaningless in VXLAN scenarios.
Tunnel type: Tunnel type carried in the route. The value can only be 6, representing ingress replication in VXLAN scenarios. It is used to forward broadcast, unknown unicast, and multicast (BUM) packets.
MPLS label: Layer 2 VNI carried in the route.
Tunnel identifier: Tunnel identifier carried in the route. This field is the local VTEP's IP address in VXLAN scenarios.

The inclusive multicast route is used on the VXLAN control plane for VTEP autodiscovery and dynamic VXLAN tunnel establishment. VTEPs function as BGP EVPN peers to exchange inclusive multicast routes so that they can learn Layer 2 VNIs and VTEPs' IP addresses from each other. If the remote VTEP's IP address is reachable at Layer 3, the local VTEP establishes a VXLAN tunnel with the remote VTEP. If the remote VNI is the same as the local VNI, an ingress replication list is created for subsequent BUM packet forwarding.

3. Type 5 route: IP prefix route

Figure 5.12 shows the format of an IP prefix route.

FIGURE 5.12 Format of an IP prefix route.

Table 5.5 describes the fields in an IP prefix route.

TABLE 5.5 Fields in an IP Prefix Route

Route distinguisher: RD value of an EVPN instance.
Ethernet segment identifier: Unique identifier of the connection between the local and remote devices.
Ethernet tag ID: VLAN ID configured on the local device.
IP prefix length: Length of the IP prefix carried in the route.
IP prefix: IP prefix carried in the route.
GW IP address: Default gateway address. This field is meaningless in VXLAN scenarios.
MPLS label: Layer 3 VNI carried in the route.

The IP Prefix Length and IP Prefix fields can identify a host IP address or network segment.

a. If the IP Prefix Length and IP Prefix fields identify a host IP address, the route is used for IP route advertisement in distributed VXLAN gateway scenarios. In such cases, the route functions the same as an IRB route on the VXLAN control plane.

b. If the IP Prefix Length and IP Prefix fields in an IP prefix route identify a network segment, the route enables access to external networks.

Advertised EVPN routes carry RDs and VPN targets (also known as route targets).

RDs are used to distinguish EVPN routes from different EVPN instances. VPN targets are BGP extended community attributes used to control the export and import of EVPN routes.

A VPN target is either an export target or an import target.

a. Export target: It is carried in the EVPN routes advertised by the local device and defines which remote devices can accept the EVPN routes.

b. Import target: It determines whether the local device accepts the EVPN routes advertised by remote devices. When receiving an EVPN route, the local device matches the export targets carried in the received route against its own import targets. If a match is found, the route is accepted. If no match is found, the route is discarded.

When BGP EVPN is used to dynamically establish a VXLAN tunnel, the local and remote VTEPs first establish a BGP EVPN peer relationship and exchange BGP EVPN routes to learn the VNIs and VTEP IP addresses from each other. This approach is applicable to both centralized and distributed VXLAN gateway scenarios. The following uses the centralized VXLAN gateway scenario to describe the process of VXLAN tunnel establishment.
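The handling of inclusive multicast routes described earlier (tunnel establishment once the remote VTEP is reachable at Layer 3, an ingress replication list when the remote VNI matches a local one) together with the VPN target import check just described, as an added Python example that is not the book's code or any vendor's implementation. The route is modelled as a dataclass rather than as encoded NLRI, underlay reachability is modelled as a set of IP addresses, and all addresses, VNIs and targets are constructed values; these are assumptions made for the example.

```python
"""EVPN Type 3 (inclusive multicast) route processing on a VTEP (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

INGRESS_REPLICATION = 6  # the only Tunnel Type valid for VXLAN (see Table 5.4)


@dataclass(frozen=True)
class InclusiveMulticastRoute:
    rd: str                         # RD of the advertising EVPN instance
    originating_ip: str             # Originating router's IP address (the remote VTEP)
    l2_vni: int                     # value carried in the MPLS label field
    tunnel_type: int
    tunnel_id: str                  # remote VTEP's IP address in VXLAN scenarios
    export_targets: FrozenSet[str]  # VPN targets carried as BGP extended communities


@dataclass
class Vtep:
    local_ip: str
    local_vnis: Set[int]
    import_targets: Set[str]
    reachable: Set[str]                                # assumed underlay reachability
    tunnels: Set[str] = field(default_factory=set)     # established VXLAN tunnels
    replication: Dict[int, List[str]] = field(default_factory=dict)  # VNI -> remote VTEPs

    def accepts(self, route: InclusiveMulticastRoute) -> bool:
        """Import policy: accept when any export target matches an import target."""
        return bool(route.export_targets & self.import_targets)

    def process(self, route: InclusiveMulticastRoute) -> str:
        """Apply the control-plane steps to one received route; returns the outcome."""
        if not self.accepts(route):
            return "discarded: no matching VPN target"
        if route.tunnel_type != INGRESS_REPLICATION:
            return f"discarded: unsupported tunnel type {route.tunnel_type}"
        if route.originating_ip not in self.reachable:
            return "pending: remote VTEP not reachable at Layer 3"
        # VTEP discovered and reachable: establish (or keep) the VXLAN tunnel.
        self.tunnels.add(route.originating_ip)
        if route.l2_vni not in self.local_vnis:
            return "tunnel established: VNI not local, no replication entry"
        peers = self.replication.setdefault(route.l2_vni, [])
        if route.tunnel_id not in peers:
            peers.append(route.tunnel_id)
        return "tunnel established: added to ingress replication list"

    def bum_destinations(self, l2_vni: int) -> List[str]:
        """Remote VTEPs that receive a copy of a BUM packet in this VNI."""
        return list(self.replication.get(l2_vni, []))
```

Processing is idempotent, so a re-advertised route does not duplicate a replication entry. A route whose export targets match none of the local import targets never reaches the reachability check, which is the point of the VPN target filter: only instances meant to share a VNI end up with tunnels and replication state for it.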
