EVPN – MPLS-based Layer 2 VPN

In the late 1990s we witnessed the introduction of Layer 3 VPNs and Multiprotocol Label Switching (MPLS). Layer 3 VPNs distribute IP prefixes with a control plane, offering any-to-any connectivity. Layer 2 VPNs arrived more humbly with a standard point-to-point connectivity model using Frame Relay, ATM and, of course, Ethernet. In the early 2000s, pseudowires and Layer 2 VPNs arrived. Point-to-point connectivity models no longer satisfied all designs; services required multipoint Ethernet connectivity. As a result, Virtual Private LAN Service (VPLS) was introduced. VPLS offered a data plane learning solution that could emulate a bridge and provide multipoint connectivity for Ethernet stations. It was widely deployed but had many shortcomings in areas such as multihoming support, BUM (Broadcast, Unknown unicast and Multicast) optimization, flow-based load balancing, and multipathing.

In the last few years, we have entered a different era of data centre architecture, which brings different requirements. We now need efficient Layer 2 multipoint connectivity, active-active flows, and better multihoming capability. Unfortunately, the shortcomings of existing data plane solutions hinder these requirements.

How do you connect data centres together and provide multihoming with better per-flow capabilities?

Some data centres require Layer 2 DCI (data centre interconnect) and active-active flows between locations. These DCI requirements were not fully addressed by current L2VPN technologies. A DCI with better multihoming capability was needed without compromising network convergence and forwarding. The need for per-flow redundancy and proper load balancing drove the introduction of a BGP MPLS-based solution called Ethernet VPN (EVPN). With EVPN, there is no longer any need for pseudowires. All the hard work is done with BGP.

A major benefit of EVPN operations is that MAC learning between PEs occurs not in the data plane but in the control plane (unlike VPLS). EVPN actually utilises a hybrid control/data plane model. Data plane address learning occurs in the access layer. In an SP model, this would be the CE to PE link, using IEEE 802.1x, LLDP, or ARP. Control plane address advertisement and learning then take place over the MPLS core, where the PEs run MP-BGP to advertise and learn customer MAC addresses.

EVPN has many capabilities, and its use case extends to acting as the control plane for open-standard VXLAN overlays.

Layer 2 VPN Challenges

There are a number of challenges with traditional Layer 2 VPNs. They do not offer an all-active per-flow redundancy model, traffic can loop between PEs, MAC flip-flopping may occur, and BUM (Broadcast, Unknown unicast and Multicast) traffic is duplicated.

In the diagram below, a CE has an Ethernet bundle terminating on two PEs: PE1 and PE2. The problem with the pseudowire-based VPLS data plane learning approach is that traffic received by PE1 on one of the bundle member links is sent over the full mesh of pseudowires and eventually learnt by PE2. PE2 has no way of knowing that the traffic originated on CE1, so PE2 sends it back. CEs also receive duplicated BUM traffic.

[Diagram: EVPN]

Another challenge with VPLS is MAC flip-flopping over pseudowires. In a scenario similar to the one above, dual-homed CEs send traffic from the same MAC address but with different IP addresses. The MAC address is learnt by PE1 and sent to the remote PE3. PE3 learns that the MAC address is reachable via PE1, but the same MAC with a different flow can arrive via PE2. In turn, PE3 learns the same MAC over a different link, so it keeps flipping the MAC learning from one link to another. All these problems are forcing us to move to a control plane Layer 2 VPN solution: EVPN.
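The flip-flopping described above can be reproduced and detected with a short Python model. This is an added example, not code from the original article; the event list, the ES-1 segment name and the move threshold are constructed, and the control plane function is a simplified model of EVPN multihoming.

```python
from collections import defaultdict

# Constructed sample: what remote PE3 sees -> (source MAC, PE it was reached through).
# The dual-homed CE hashes flows across its bundle, so one MAC shows up via PE1 and PE2.
EVENTS = [
    ("00:aa:bb:cc:dd:01", "PE1"),
    ("00:aa:bb:cc:dd:01", "PE2"),
    ("00:aa:bb:cc:dd:01", "PE1"),
    ("00:aa:bb:cc:dd:02", "PE1"),
    ("00:aa:bb:cc:dd:01", "PE2"),
    ("00:aa:bb:cc:dd:02", "PE1"),
]
SEGMENT_OF = {"PE1": "ES-1", "PE2": "ES-1"}  # hypothetical Ethernet segment label

def data_plane_learn(events):
    """VPLS-style learning: the last pseudowire seen wins. Returns (table, moves per MAC)."""
    table, moves = {}, defaultdict(int)
    for mac, pe in events:
        if mac in table and table[mac] != pe:
            moves[mac] += 1  # the entry flips from one PE to the other
        table[mac] = pe
    return table, dict(moves)

def flapping_macs(events, threshold=2):
    """MACs whose entry moved at least `threshold` times (threshold is an assumption)."""
    _, moves = data_plane_learn(events)
    return sorted(mac for mac, count in moves.items() if count >= threshold)

def control_plane_learn(events, segment_of):
    """Simplified EVPN-style model: PEs on the same Ethernet segment are kept
    together as a set of next hops, so a second PE is an extra path, not a move."""
    table = defaultdict(set)
    for mac, pe in events:
        table[(mac, segment_of[pe])].add(pe)
    return {key: sorted(pes) for key, pes in table.items()}

if __name__ == "__main__":
    print("flapping under data plane learning:", flapping_macs(EVENTS))
    print("control plane view:", control_plane_learn(EVENTS, SEGMENT_OF))
```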

What is EVPN

EVPN operates with the same principles and operational experience as Layer 3 VPNs; for example, MP-BGP, route targets (RT) and route distinguishers (RD). EVPN takes BGP, puts Layer 2 addresses in it and advertises them as if they were Layer 3 destinations, with an MPLS rewrite or MPLS tag as the rewrite header or as the next hop. It enables routing of Layer 2 addresses through MP-BGP. Instead of having an Ethernet frame and encapsulating it in IPv4, you have MAC addresses with MPLS tags being sent across the MPLS core. The MPLS core swaps labels as usual and thinks it is just another IPv4 packet. It is conceptually similar to IPv6 transport across an IPv4 LDP core, a feature known as 6PE.

All Layer 3 principles apply, allowing you to prepend RDs to MAC addresses to make them unique, which permits overlapping addresses at Layer 2. RTs offer separation, constraining flooding to the segments that are interested. EVPN gives you all the policies you have with BGP (LP, MED, etc.), enabling efficient MAC address flooding control.

EVPN is more efficient on your BGP tables; you can control the distribution of MAC addresses to the edge of your network. You have control over where the MAC addresses are going and where the state is being pushed. It's a lot simpler than VPLS. At the network edge, you look at the destination MAC address and shove a label on it.

EVPN has many capabilities. Not only do we use BGP to advertise reachability of MAC addresses and Ethernet segments, it may also advertise MAC to IP correlation. BGP can provide information that host A has this IP and MAC address.
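As an added example (not from the original article), the following Python encodes and parses the BGP route that carries this MAC-to-IP correlation, the EVPN MAC/IP Advertisement route, and rejects routes whose length fields do not add up. The field layout is taken from RFC 7432 rather than from this page, and the RD, MAC, IP and label values are constructed.

```python
import ipaddress
import struct

MAC_IP_ADVERTISEMENT = 2  # EVPN route type for a MAC/IP Advertisement (RFC 7432)

def build_mac_ip_route(rd, esi, eth_tag, mac, ip, label):
    """Encode one route: rd is 8 bytes, esi 10 bytes, ip is an address string or None."""
    ip_bytes = ipaddress.ip_address(ip).packed if ip else b""
    body = (rd + esi + struct.pack("!IB", eth_tag, 48)  # MAC length is given in bits
            + bytes.fromhex(mac.replace(":", ""))
            + bytes([len(ip_bytes) * 8]) + ip_bytes
            + (label << 4).to_bytes(3, "big"))  # label sits in the high-order 20 bits
    return bytes([MAC_IP_ADVERTISEMENT, len(body)]) + body

def parse_mac_ip_route(nlri):
    """Decode one route, rejecting anything whose length fields do not add up."""
    if len(nlri) < 2 or nlri[0] != MAC_IP_ADVERTISEMENT:
        raise ValueError("not a MAC/IP Advertisement route")
    body = nlri[2:]
    if nlri[1] != len(body) or len(body) < 33:
        raise ValueError("length field does not match payload")
    eth_tag, mac_len = struct.unpack("!IB", body[18:23])
    ip_len = body[29]
    if mac_len != 48 or ip_len not in (0, 32, 128):
        raise ValueError("unexpected MAC or IP address length")
    ip_end = 30 + ip_len // 8
    if len(body) - ip_end not in (3, 6):  # one or two 3-octet MPLS labels
        raise ValueError("bad MPLS label field")
    rd_type, rd_admin, rd_num = struct.unpack("!H4sH", body[:8])
    return {
        "rd": f"{ipaddress.ip_address(rd_admin)}:{rd_num}" if rd_type == 1 else body[:8].hex(),
        "esi": body[8:18].hex(),
        "eth_tag": eth_tag,
        "mac": body[23:29].hex(":"),
        "ip": str(ipaddress.ip_address(body[30:ip_end])) if ip_len else None,
        "label": int.from_bytes(body[ip_end:ip_end + 3], "big") >> 4,
    }

# Constructed sample values: type 1 RD 192.0.2.1:100, all-zero ESI (single-homed).
SAMPLE_RD = struct.pack("!H4sH", 1, ipaddress.ip_address("192.0.2.1").packed, 100)
SAMPLE = build_mac_ip_route(SAMPLE_RD, bytes(10), 0, "00:aa:bb:cc:dd:01", "10.0.0.5", 3001)

if __name__ == "__main__":
    print(parse_mac_ip_route(SAMPLE))
```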

VXLAN & EVPN Control Plane

Data centre fabrics started with STP; back in the day, this was the only thing you could do at Layer 2. Its main deficiency was that you could only have one active link. We later introduced VPC and VSS, allowing all-link forwarding in a non-looped topology. Fabricpath / BGP introduced MAC-in-MAC Layer 2 multipathing. In the gateway area, they added Anycast HSRP, which was limited to 4 gateways. More importantly, there was state exchange between them.

The industry is moving on, and we now see the introduction of VXLAN as a MAC-in-IP mechanism. VXLAN allows us to cross a Layer 3 boundary and build an overlay over a Layer 3 network. Its initial forwarding mechanism was flood and learn, which has plenty of drawbacks. So now, they added a control plane to VXLAN: EVPN. A VXLAN/EVPN solution is an MP-BGP based control plane using the EVPN NLRI. Layer 2 MAC and Layer 3 IP information distribution is carried out by BGP. It reduces flooding, as forwarding decisions are based on the control plane. The VPN control plane offers VTEP peer discovery and end-host reachability information distribution.

About Matt Conran

2 Comments

  • Jerome

    Hi Matt,
    Great article. Thanks!

  • Matt Conran

    Glad you like it!
