Overview of a Collapsed Core with EVPN Multihoming in a Campus Network
About This Network Configuration Example
This network configuration example (NCE) describes how to configure and manage a campus network using EVPN-VXLAN on a collapsed core architecture with EVPN multihoming (also called ESI-LAG). This example uses EX Series switches with Mist Access Points.
Juniper Networks requires a license for EVPN-VXLAN on QFX Series and EX4650 switches. See the Licensing Guide for more information.
Use Case Overview
A campus network using EVPN-VXLAN is an efficient and scalable way to build and connect campuses with data centers and public clouds. The VXLAN overlay with an EVPN control plane enables you to create logical Layer 2 networks across a Layer 3 underlay network. A collapsed core design is ideal for a campus network where there is a need to scale your network rapidly. A collapsed core architecture is less complex and easier to configure and manage. EVPN multihoming eliminates the need for Spanning Tree Protocol (STP) across the campus network by providing multihoming from the access layer to the collapsed core layer and a Layer 3 IP fabric from the collapsed core to the network core. EVPN multihoming also supports horizontal scaling with more than two devices in the distribution layer and extends the EVPN network to the core.
This architecture provides optimized, seamless, and standards-compliant Layer 2 or Layer 3 connectivity. Juniper Networks EVPN-VXLAN campus networks provide the following benefits:
Consistent, scalable architecture—Enterprises typically have multiple sites with different size requirements. A common EVPN-VXLAN-based campus architecture is consistent across all sites, irrespective of the size. EVPN-VXLAN scales out or scales in as a site evolves.
Multi-vendor deployment—The EVPN-VXLAN architecture uses standards-based protocols so enterprises can deploy campus networks using multi-vendor network equipment. There is no single vendor lock-in requirement.
Reduced flooding and learning—Control plane-based Layer 2/Layer 3 learning reduces the flood and learn issues associated with data plane learning. Learning MAC addresses in the forwarding plane has an adverse impact on network performance as the number of endpoints grows. The EVPN control plane handles the exchange and learning of routes, so newly learned MAC addresses are not exchanged in the forwarding plane.
Location-agnostic connectivity—The EVPN-VXLAN campus architecture provides a consistent endpoint experience no matter where the endpoint is located. Some endpoints require Layer 2 reachability, such as legacy building security systems or IoT devices. The Layer 2 VXLAN overlay provides Layer 2 reachability across campuses without any changes to the underlay network. With our standards-based network access control integration, an endpoint can be connected anywhere in the network.
Underlay agnostic—VXLAN as an overlay is underlay agnostic. With a VXLAN overlay, you can connect multiple campuses with a Layer 2 VPN or Layer 3 VPN service from a WAN provider or by using IPsec over Internet.
Consistent network segmentation—A universal EVPN-VXLAN-based architecture across campuses and data centers means consistent end-to-end network segmentation for endpoints and applications.
Simplified management—Campuses and data centers based on a common EVPN-VXLAN design can use common tools and network teams to deploy and manage campus and data center networks.
This NCE shows how to deploy a collapsed core architecture for a campus network. You can use the EX4650 or the QFX5120 switch as the collapsed core switch. In this example, we use EX4650 switches as the collapsed core switches and EX Series switches as access switches. Figure 1 shows the collapsed core architecture on a campus network. The access point devices are connected to the access layer switches, which in turn are multihomed to the collapsed core switches. There are separate VLANs for employees, guests, and IoT devices.
Underlay and Overlay Network
This network configuration example deploys a campus fabric with a Layer 3 IP-based underlay network and EVPN-VXLAN as the overlay. You can use OSPF or BGP as the underlay protocol and iBGP as the overlay protocol. In this example, we use BGP as the underlay routing protocol and MP-BGP with EVPN signaling as the overlay control plane protocol. VXLAN is the overlay data plane encapsulation protocol.
Collapsed Core Architecture
A collapsed core architecture takes the normal three-tier hierarchical network and collapses it into a two-tier network. In a two-tier network, the functions of the switches in the core layer and distribution layer are “collapsed” into a combined core and distribution layer on a single switch. You can use the EX4650 or the QFX5120 switch as the collapsed core switch. In this example, we use the EX4650 switch as the collapsed core switch.
New EVPN technology standards—including RFCs 8365, 7432, and 7348—introduce the concept of link aggregation in EVPNs with Ethernet segments. Ethernet segments in an EVPN collect links into a bundle and assign a number—called the Ethernet segment identifier (ESI)—to the bundled links. Links from multiple standalone nodes can be assigned the same ESI, an important link aggregation feature that brings node level redundancy to devices in an EVPN-VXLAN network. The bundled links that are numbered with an ESI are often referred to as ESI LAGs.
Layer 2 multihoming in EVPN networks depends on the EVPN multihoming feature. EVPN multihoming, which provides full active-active link support, is also frequently enabled with LACP to ensure multi-vendor support for the devices that access the campus network. Layer 2 multihoming with LACP is an especially attractive configuration option when deploying devices that connect to access points in a campus network because multihoming is transparent from the access point's point of view. With ESI, the access point functions as if it is connected to a single node even when it is connected to two or more switches.
EVPN multihoming provides redundant connectivity between access point devices and the collapsed core layer. This example configures ESI in an all-active mode to load-balance traffic across all the connected multihomed devices.
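The following Junos set commands are an added example, not configuration from this NCE, showing how the BGP-signaled EVPN-VXLAN overlay from the Underlay and Overlay Network section and an all-active ESI-LAG from this section fit together on one EX4650 collapsed core switch. All interface names, ESI and LACP system-id values, VLAN IDs, VNIs, loopback addresses and the AS number are assumptions; only the ESI and LACP system-id are shared across the core switches that form the segment, everything else is per switch.

```junos
# Added example (not from the NCE). Assumed values throughout.
# Per-switch identity: lo0 10.255.0.1 on this core switch, 10.255.0.2 on its peer
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set routing-options router-id 10.255.0.1
set routing-options autonomous-system 65000

# Overlay control plane: iBGP with EVPN signaling between the core switches
set protocols bgp group overlay type internal
set protocols bgp group overlay local-address 10.255.0.1
set protocols bgp group overlay family evpn signaling
set protocols bgp group overlay neighbor 10.255.0.2

# VXLAN data plane: VTEP sourced from lo0, one RD per switch, one RT per fabric
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.255.0.1:1
set switch-options vrf-target target:65000:1
set protocols evpn encapsulation vxlan
set protocols evpn multicast-mode ingress-replication
set protocols evpn extended-vni-list all

# One VLAN (and VNI) per user group, as in Figure 1
set vlans employees vlan-id 100 vxlan vni 10100
set vlans guests vlan-id 200 vxlan vni 10200
set vlans iot vlan-id 300 vxlan vni 10300

# ESI-LAG toward one access switch. The ESI and the LACP system-id must be
# identical on every core switch attached to this access switch; that is what
# makes the two core switches look like a single LACP partner to the access side.
set chassis aggregated-devices ethernet device-count 8
set interfaces xe-0/0/10 ether-options 802.3ad ae0
set interfaces ae0 esi 00:11:11:11:11:11:11:11:11:01
set interfaces ae0 esi all-active
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp system-id 00:00:00:00:00:01
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ employees guests iot ]
```

Because the segment is all-active, the access switch hashes flows across both core switches; if the ESI or LACP system-id differs between the cores, the access-side LAG will split and one member link will stay out of the bundle.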
The access layer provides network connectivity to end-user devices, such as personal computers, VoIP phones, printers, and IoT devices, as well as connectivity to wireless access point devices. In this example, we use Mist APs as the access point devices. Evolving IT departments are looking for a cohesive approach to managing wired and wireless networks. Juniper Networks has a solution that can simplify and automate operations and end-to-end troubleshooting, ultimately evolving into the Self-Driving Network™. The integration of the Mist platform in this NCE addresses both of these challenges.
Mist is designed from the ground up to meet the stringent networking needs of the modern cloud and smart-device era. Mist delivers unique capabilities for the wired and wireless LAN.
Wired and wireless assurance—Mist is enabled with wired and wireless assurance. Once configured, Service Level Expectations (SLE) for key wired and wireless performance metrics such as throughput, capacity, roaming, and uptime are addressed in the Mist platform. This NCE uses Mist wired assurance services.
Marvis—An integrated AI engine that provides rapid wired and wireless troubleshooting, trending analysis, anomaly detection, and proactive problem remediation.
For more details on Mist integration and EX switches, see How to Connect Mist Access Points and Juniper EX Series Switches.
VRF segmentation is used to organize users and devices into groups on a shared network while separating and isolating the different groups. The routing devices on the network create and maintain a separate virtual routing and forwarding (VRF) table for each group. The users and devices in a group are placed in one VRF segment and can communicate with each other, but they cannot communicate with users in another VRF segment. If you want to send and receive traffic from one VRF segment to another VRF segment, then you must configure the routing path. In this example, we configure routing paths to go through an SRX Series router. This allows you to define policies to permit or deny access to specific resources in a VRF segment by other groups. The SRX Series router enforces policy rules for transit traffic by identifying and allowing the traffic that can pass through and denying the traffic that is not permitted. For information on configuring a routing path via an SRX router, see How to Configure the SRX Router. Figure 2 shows our collapsed core network topology with the three VRF segments (Employees, Guests, and IoT devices).
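An added example, not from this NCE, of the VRF segmentation described above on the collapsed core switch: each VLAN's IRB lives in exactly one VRF, no vrf-import/vrf-export leaking policy is configured between the VRFs, and each VRF's only exit is a default route toward the SRX over a per-VRF VLAN subinterface. VRF names, IRB and handoff addresses, RD/RT values, the handoff port and the SRX next-hop addresses are all assumptions.

```junos
# Added example (not from the NCE). Assumed names and addresses throughout.
# Anycast gateway per VLAN: both core switches use the same virtual-gateway-address,
# each with its own unicast IRB address (.2 here, .3 on the peer).
set interfaces irb unit 100 family inet address 10.1.100.2/24 virtual-gateway-address 10.1.100.1
set interfaces irb unit 200 family inet address 10.1.200.2/24 virtual-gateway-address 10.1.200.1
set interfaces irb unit 300 family inet address 10.1.300.2/24 virtual-gateway-address 10.1.300.1
set vlans employees l3-interface irb.100
set vlans guests l3-interface irb.200
set vlans iot l3-interface irb.300

# Tagged handoff toward the SRX: one subinterface per VRF, so the SRX sees
# three distinct Layer 3 links and can apply zone policies between them.
set interfaces xe-0/0/48 vlan-tagging
set interfaces xe-0/0/48 unit 100 vlan-id 100 family inet address 10.10.100.1/30
set interfaces xe-0/0/48 unit 200 vlan-id 200 family inet address 10.10.200.1/30
set interfaces xe-0/0/48 unit 300 vlan-id 300 family inet address 10.10.300.1/30

# One VRF per group. No route leaking between them: the default route to the
# SRX is the only path a VRF has to any other group.
set routing-instances VRF-EMPLOYEES instance-type vrf
set routing-instances VRF-EMPLOYEES interface irb.100
set routing-instances VRF-EMPLOYEES interface xe-0/0/48.100
set routing-instances VRF-EMPLOYEES route-distinguisher 10.255.0.1:100
set routing-instances VRF-EMPLOYEES vrf-target target:65000:100
set routing-instances VRF-EMPLOYEES routing-options static route 0.0.0.0/0 next-hop 10.10.100.2

set routing-instances VRF-GUESTS instance-type vrf
set routing-instances VRF-GUESTS interface irb.200
set routing-instances VRF-GUESTS interface xe-0/0/48.200
set routing-instances VRF-GUESTS route-distinguisher 10.255.0.1:200
set routing-instances VRF-GUESTS vrf-target target:65000:200
set routing-instances VRF-GUESTS routing-options static route 0.0.0.0/0 next-hop 10.10.200.2

set routing-instances VRF-IOT instance-type vrf
set routing-instances VRF-IOT interface irb.300
set routing-instances VRF-IOT interface xe-0/0/48.300
set routing-instances VRF-IOT route-distinguisher 10.255.0.1:300
set routing-instances VRF-IOT vrf-target target:65000:300
set routing-instances VRF-IOT routing-options static route 0.0.0.0/0 next-hop 10.10.300.2
```

Note that the three vrf-target values are distinct on purpose: giving two VRFs the same route target would import each other's routes and silently bypass the SRX policy between those groups.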