[bess] PVLAN in EVPN/VXLAN

Aldrin Isaac <aldrin.isaac@gmail.com> Tue, 29 January 2019 03:52 UTC

Return-Path: <aldrin.isaac@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF9D11288BD for <bess@ietfa.amsl.com>; Mon, 28 Jan 2019 19:52:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Ccf83sw6Zej for <bess@ietfa.amsl.com>; Mon, 28 Jan 2019 19:52:20 -0800 (PST)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B69D129B88 for <bess@ietf.org>; Mon, 28 Jan 2019 19:52:19 -0800 (PST)
Received: by mail-vs1-xe36.google.com with SMTP id x28so11147752vsh.12 for <bess@ietf.org>; Mon, 28 Jan 2019 19:52:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xOSANZHwgfLE1l2aGjAWNEId3tf7E7HwRQR3OLxu8kQ=; b=e/FMvM1keG3LFXhzBH0DlHV6QKN7Dl/+4AnerlGJSLHDsfpKm+teTFSpZkI36RGoHD IwQJ9HGaAWsTe5arnSgMLaVe8t4PoLt5kWCN6Y9GYt6+yQs7YG+IwHkGn8j6kD4oAnIK 5/D0NNlzzAq364/aeqkpYfqX5dsPYl/T9xnu8/JgHkz4e5ouox5OITiJD3AqFjnlnMkD LbS7FyZCUhGeaWFXuQeAXbOa/Zo5T5mCRCpXZ8SAKbrlr+ihVWqC25ueCjRfoNxQSoPB jDWUbKc6+Sg1MgFP+bAgV22/Lea59dlw2/lUZnHY+NcFHO/dRM6lNVn/4hiD1eDZW07v HQsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xOSANZHwgfLE1l2aGjAWNEId3tf7E7HwRQR3OLxu8kQ=; b=lUbFR/H7ycrJ8dnWfN+VfgYho20hJNUk8jxiYN10YcxBFPCWQ81ncxdXcGfR5uianZ WSBox+rKwkpOyflHonAxtiFX04u6nc9AfLapm9mSY+MsQyFw3uIGJ7YiuiydcnfaEZA7 sl7cRxZIpzKyYxfT01QpeMYf627QiZ6Qkp+iUcw0qPuPJ4cGy2vU44VYE1ifRCqHGPcY G0uQfVP7LhidADA+loplP0Vt+3l3SoxUfHWCYOxlR6TFfTc/7/E+FB+MMXnvEDgWmGtz rWBrQWtsMrF4pd2gpX+7bMnszgFzFnIpmwqvSybe5O7suyEFmAS7LiQneUJP2qDSu6Lg JPyQ==
X-Gm-Message-State: AHQUAuaiEbtcQGH9qJqoNZQENRyNVIcmAu30cJHcMM6UECcsCv9cURQ1 QRPyg2cyvr5IhIWlR19lKxjiucR+9UZYkXsZ5Hc=
X-Google-Smtp-Source: ALg8bN44mn4AY2RR3kkaejSR2KaeKjiVFCPGL3TRO75FtprmKtt3l4aamkHikzkDNv1+MP/HWE2BvigXzDYkwuJ1jhg=
X-Received: by 2002:a67:4dd4:: with SMTP id i81mr1462536vsg.46.1548733938038; Mon, 28 Jan 2019 19:52:18 -0800 (PST)
MIME-Version: 1.0
References: <AM0PR03MB38289E905EE9421BA529727B9DBF0@AM0PR03MB3828.eurprd03.prod.outlook.com> <7A95B86B-03C4-4D11-8A37-FFCB98BFA44B@nokia.com> <AM0PR03MB3828D22EFE13890EB08419459DB80@AM0PR03MB3828.eurprd03.prod.outlook.com> <CAOA2mbyA6SrGLU=GdHk36KSu5+ev59evo5DMSQV6V18BinOh5Q@mail.gmail.com> <AM0PR03MB3828DB9786D0CA8C7B18FC8B9D950@AM0PR03MB3828.eurprd03.prod.outlook.com> <8EAA592B-7015-4522-92D4-019A6D6AD2C1@cisco.com> <FBACDA4D-FEB4-40BC-A8B9-160BEBB7159B@nokia.com>
In-Reply-To: <FBACDA4D-FEB4-40BC-A8B9-160BEBB7159B@nokia.com>
From: Aldrin Isaac <aldrin.isaac@gmail.com>
Date: Mon, 28 Jan 2019 19:52:06 -0800
Message-ID: <CAOA2mbx+SRfm7rfg9_3FOau2MQRDmWjGBcntsXJUivR=8qRhfA@mail.gmail.com>
To: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
Cc: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, "John E Drake (jdrake@juniper.net)" <jdrake@juniper.net>, Wen Lin <wlin@juniper.net>, "bess@ietf.org" <bess@ietf.org>
Content-Type: multipart/related; boundary="0000000000003acd3e058090b8c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/ciVA2qXoJ0zyUuGru-duRYma2Ps>
Subject: [bess] PVLAN in EVPN/VXLAN
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 03:52:24 -0000

[ new thread ]

Hi Jorge,

Thanks for the reference.  I will review this.  However I am in search of
an answer for PVLAN in existing VXLAN installed base ASIC.

Btw, with Geneve encap, I suspect most operators will simply use group
based policy (GBP) as-is without tying to overlay control plane.  GBP
provides greater flexibility and is simpler.   (Ex: set GBP tag “leaf” on
ingress ports, filter drop packets with “leaf” tag on egress ports.)  But
as you noted, the intent in the EVPN geneve draft is focused on interop
with the EVPN MPLS e-tree procedures.

Thanks!
Aldrin


On Mon, Jan 28, 2019 at 6:45 AM Rabadan, Jorge (Nokia - US/Mountain View) <
jorge.rabadan@nokia.com> wrote:

> Hi Aldrin,
>
>
>
> About this:
>
> Need to address E-Tree for non-MPLS encaps and in DC settings (think
> PVLAN).
>
>
>
> Please check out the Ethernet Option TLV that we are defining for GENEVE.
> The intent is to be able to use RFC8317 E-Tree procedures.
>
> https://tools.ietf.org/html/draft-boutros-bess-evpn-geneve-03
>
>
>
> Thanks.
>
> Jorge
>
>
>
> *From: *"Ali Sajassi (sajassi)" <sajassi@cisco.com>
> *Date: *Sunday, January 27, 2019 at 9:55 PM
> *To: *Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>om>, "Rabadan,
> Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>om>, "
> sboutros@vmware.com" <sboutros@vmware.com>om>, "ju1738@att.com" <
> ju1738@att.com>gt;, "Samer Salam (ssalam)" <ssalam@cisco.com>om>, "John E Drake
> (jdrake@juniper.net)" <jdrake@juniper.net>
> *Cc: *"bess@ietf.org" <bess@ietf.org>rg>, Aldrin Isaac <
> aldrin.isaac@gmail.com>
> *Subject: *Re: [bess] A question about RFC 8317
>
>
>
> Hi Sasha,
>
>
>
> That is correct and sub-sections 4.2.1 and 4.2.3 have captured these.
>
>
>
> Cheers,
>
> Ali
>
>
>
>
>
>
>
> *From: *Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
> *Date: *Sunday, January 27, 2019 at 7:09 AM
> *To: *"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>om>,
> Cisco Employee <sajassi@cisco.com>om>, "sboutros@vmware.com" <
> sboutros@vmware.com>gt;, "ju1738@att.com" <ju1738@att.com>om>, "Samer Salam
> (ssalam)" <ssalam@cisco.com>om>, "John E Drake (jdrake@juniper.net)" <
> jdrake@juniper.net>
> *Cc: *"bess@ietf.org" <bess@ietf.org>rg>, Aldrin Isaac <
> aldrin.isaac@gmail.com>
> *Subject: *RE: [bess] A question about RFC 8317
>
>
>
> Hi all,
>
> I think now that I could have misinterpreted RFC 8317 and that, in fact,
> it works in a different way:
>
> -          E-Tree Extended Community is always advertised (in an per-ES
> EAD route with ESI set to 0) by a PE to which at least one Leaf CE is
> attached
>
> -          The Leaf Label advertised in this route is always included in
> the EVPN encapsulation of BUM frames that have been received by such a PE
> from any Leaf CE, while the ESI label would only be included in the EVPN
> encapsulation of BUM frames if they are received from Root CEs attached to
> a multi-homed ES.
>
>
>
> Is this interpretation correct?
>
>
>
> Regards,
>
> Sasha
>
>
>
> Office: +972-39266302
>
> Cell:      +972-549266302
>
> Email:   Alexander.Vainshtein@ecitele.com
>
>
>
> *From:* Alexander Vainshtein
> *Sent:* Sunday, January 27, 2019 5:02 PM
> *To:* Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com>om>;
> Ali Sajassi <sajassi@cisco.com> (sajassi@cisco.com) <sajassi@cisco.com>om>;
> sboutros@vmware.com; ju1738@att.com; Samer Salam (ssalam) <
> ssalam@cisco.com>gt;; John E Drake (jdrake@juniper.net) <jdrake@juniper.net>
> *Cc:* bess@ietf.org; 'Aldrin Isaac' <aldrin.isaac@gmail.com>
> *Subject:* RE: [bess] A question about RFC 8317
>
>
>
> Hi all,
>
> Yet another question regarding 8317 – this time it is related to egress
> filtering of BUM traffic and Leaf labels.
>
>
>
> The relevant scenario is shown in the embedded diagram below.
>
>
>
> [image: cid:image005.png@01D4B663.00B8DE00]
>
>
>
> In this diagram there are 4 Leaf CEs attached to two PEs:
>
> 1.      CE-1 is attached to PE-2 and PE-3 via an all-active multi-homed
> ES with ESI-x
>
> 2.      CE-2 is attached to PE-2 and PE-3 via an all-active multi-homed
> ES with ESI-y
>
> 3.      CE-3 is attached just to PE-2 via a single-homed ES with ESI=0
>
> 4.      CE-4 is attached just to PE-3 via a single-homed ES with ESI=0.
>
>
>
>
>
> My understanding of 8317 is that:
>
> 1.      PE-2:
>
> a.       Allocates a valid ESI label E2 and advertises it with the per-ES
> EAD route for ESI-x
>
> b.      Allocates a valid Leaf label L2 and advertises it with the per-ES
> EAD route with ESI=0
>
> c.       Includes label E2 in encapsulation of BUM frames it receives
> from CE-1
>
> d.      Includes label L2 in encapsulation of BUM frames it receives from
> CE-3
>
> 2.      Similarly, PE-3:
>
> a.       Allocates a valid ESI label E2 and advertises it with the per-ES
> EAD route for ESI-y
>
> b.      Allocates a valid Leaf label L2 and advertises it with the per-ES
> EAD route with ESI=0
>
> c.       Includes label E2 in encapsulation of BUM frames it receives
> from CE-2
>
> d.      Includes label L2 in encapsulation of BUM frames it receives from
> CE-4
>
>
>
> If the above is correct, *why should PE-3 block transmission of a BUM
> frame it receives from PE-2 and that has originated from CE-1 to CE-4*?
> Please note that:
>
> 1.      This frame uses label ESI-2 in its encapsulation, therefore
> transmission of such a frame to CE-2 will be blocked by egress filtering
> defined in RFC 7432
>
> 2.      PE-3 does not know whether CE-1 is a Root or a Leaf CE because *E-Tree
> Extended Community is only advertised with EAD routes with ESI 0*.
>
>
>
> Note that PE-3 can block transmission of a BUM frame it receives from PE-2
> and that has originated from CE-3 to both CE-2 and CE-4 because:
>
> -          The Leaf Label in the encapsulation of this frame identifies
> it as a originating from a Leaf CE
>
> -          PE-3 knows from local configuration that both CE-2 and CE-4
> are Leaf CEs.
>
>
>
> What, if anything, did I miss? Your timely feedback will be highly
> appreciated.
>
>
>
> Regards, and lots of thanks in advance,
>
> Sasha
>
>
>
> Office: +972-39266302
>
> Cell:      +972-549266302
>
> Email:   Alexander.Vainshtein@ecitele.com
>
>
>
> *From:* Aldrin Isaac <aldrin.isaac@gmail.com>
> *Sent:* Sunday, January 27, 2019 4:06 AM
> *To:* Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
> *Cc:* Ali Sajassi <sajassi@cisco.com> (sajassi@cisco.com) <
> sajassi@cisco.com>gt;; John E Drake (jdrake@juniper.net) <jdrake@juniper.net>et>;
> Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com>om>;
> Samer Salam (ssalam) <ssalam@cisco.com>om>; bess@ietf.org; ju1738@att.com;
> sboutros@vmware.com
> *Subject:* Re: [bess] A question about RFC 8317
>
>
>
> Btw, the other problem with “two RTs” scheme might be mobility.  The leaf
> MAC-VRF can’t  see each others sequence numbers for a MAC.  Please
> see/consider my prior email.  Need to address E-Tree for non-MPLS encaps
> and in DC settings (think PVLAN).
>
>
>
> Cheers,
>
> Aldrin
>
>
>
>
>
> On Thu, Dec 20, 2018 at 11:42 PM Alexander Vainshtein <
> Alexander.Vainshtein@ecitele.com> wrote:
>
> Jorge,
>
> Lots of thanks for a prompt response.
>
> My conclusion js tbat the "two RTs" scheme should be used with special
> care in E-tree solutions. This was not my impression from the first reading
> of 8317.
>
> Since the "two RTs" scheme is very popular in hub-and-spoke" solutiobs for
> IP VPN, the fact that it is not the universal answer in EVPN E-Tree
> deserves some expla ation IMHO- but I do not see how this can be done in
> IETF.
>
> Thumb typed by Sasha Vainshtein
>
>
> ------------------------------
>
> *From:* Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com
> >
> *Sent:* Thursday, December 20, 2018 7:31:20 PM
> *To:* Alexander Vainshtein; Ali Sajassi <sajassi@cisco.com> (
> sajassi@cisco.com)
> *Cc:* Samer Salam (ssalam); John E Drake (jdrake@juniper.net);
> ju1738@att.com; sboutros@vmware.com; bess@ietf.org
> *Subject:* Re: A question about RFC 8317
>
>
>
> Hi Sasha,
>
>
>
> What you are explaining is correct.
>
>
>
> PE3 would flood anything for which MAC DA is unknown to both local ESes.
> That is normal behavior, only that in this case CE-1’s MAC will not be
> learned on PE3 *until CE-1 hashes the traffic to PE3 and not only PE2*
> (which will happen if you have a decent number of flows). **Technically
> speaking**, the E-Tree solution works since you don’t have leaf-to-leaf
> communication. However, I would not use the two RT solution in this
> scenario since it could create unnecessary flooding to local ESes as you
> describe.
>
>
>
> For this scenario I would always use a single RT per EVI, ingress
> filtering for unicast (based on the leaf indication on MAC/IP routes), and
> egress filtering for BUM based on leaf label, as explained in RFC8317.
>
>
>
> My two cents.
>
>
>
> Thank you.
>
> Jorge
>
>
>
>
>
> *From: *Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
> *Date: *Thursday, December 20, 2018 at 12:30 PM
> *To: *"Ali Sajassi <sajassi@cisco.com> (sajassi@cisco.com)" <
> sajassi@cisco.com>
> *Cc: *"Samer Salam (ssalam)" <ssalam@cisco.com>om>, "John E Drake (
> jdrake@juniper.net)" <jdrake@juniper.net>et>, "ju1738@att.com" <
> ju1738@att.com>gt;, "sboutros@vmware.com" <sboutros@vmware.com>om>, "Rabadan,
> Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>om>, "
> bess@ietf.org" <bess@ietf.org>
> *Subject: *A question about RFC 8317
>
>
>
> Ali and all,
>
> I have read RFC 8317 <https://tools.ietf.org/html/rfc8317>, and I would
> like to clarify a question dealing with Leaf ACs of an EVPN-based E-Tree
> service on All-Active Multi-Homed Ethernet Segments (MH ES).
>
>
>
> The reference model for my question is shown in the Embedded diagram below.
>
>
>
> [image: cid:image002.png@01D49865.895588B0]
>
>
>
> It shows an EVPN E-tree service with one Root customer site and two leaf
> customer sites, where each Leaf CE is dual-homed to the same pair of PEs
> using two different All-Active multi-homed Ethernet Segments.
>
>
>
> Suppose that the scheme with two RTs (one identifying the Root site and
> the other identifying the Leaf sites) is used as described in 4.3.1.
>
>
>
> Suppose also that each MAC-VRF uses per MAC-VRF label assignment as
> defined in section 9.2.1 of RFC 7432, i.e., advertises exactly one EVPN
> application label that identifies it as the Egress MAC-VRF, while the
> disposition of the received Ethernet frame within this MAC-VRF is based on
> the destination MAC address. In this case the per MAC-VRF label can be also
> used as the “aliasing” label in the per EVI EAD route.
>
>
>
> PE-1 will receive and accept per EVI EAD routes for both MH ES for PE-2
> and PE-3 with the corresponding “aliasing” labels.
>
>
>
> Suppose that MAC-VRF in PE-2 learns some {MAC, IP} pair  {X, Y}  locally
> from the Leaf CE-1 and advertises this pair in the EVPN MAC/IP
> Advertisement route. With the “two RTs” scheme this route will be accepted
> by the MAC-VRF in PE-1 but it will not be accepted by the MAC-VRF in PE3.
> As a consequence:
>
> -          MAC-VRF in PE-1 will know that this pair has been learned from
> the “blue” all-active MH ES, and therefore can decide to send locally
> received unicast frames with destination MAC address X to PE-3 using the
> corresponding “aliasing label”. No other labels will be included in the EVN
> encapsulation of such  frames because they are received from the Root AC.
>
> -          MAC-VRF in PE-3 will not know anything about MAC address X,
> therefore, when it receives an EVPN-encapsulated frame with this
> destination, *it will treat it as an “unknown unicast” and flood it to
> both Leaf CE-1 (where it should be sent) and to Leaf CE-2 (where it should
> not be sent)*.
>
>
>
> Is this what is really supposed to happen in this scenario? If not, what
> did I miss in the E-tree EVPN solution?
>
>
>
> Regards, and lots of thanks in advance,
>
> Sasha
>
>
>
> Office: +972-39266302
>
> Cell:      +972-549266302
>
> Email:   Alexander.Vainshtein@ecitele.com
>
>
>
>
> ___________________________________________________________________________
>
> This e-mail message is intended for the recipient only and contains
> information which is
> CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have
> received this
> transmission in error, please inform us by e-mail, phone or fax, and then
> delete the original
> and all copies thereof.
> ___________________________________________________________________________
>
>
> ___________________________________________________________________________
>
> This e-mail message is intended for the recipient only and contains
> information which is
> CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have
> received this
> transmission in error, please inform us by e-mail, phone or fax, and then
> delete the original
> and all copies thereof.
> ___________________________________________________________________________
>
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>
>
> ___________________________________________________________________________
>
> This e-mail message is intended for the recipient only and contains
> information which is
> CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have
> received this
> transmission in error, please inform us by e-mail, phone or fax, and then
> delete the original
> and all copies thereof.
> ___________________________________________________________________________
>
>
>