Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Technology Primer: EVPN-VXLAN Fabrics for the Campus

 

Overview of EVPN-VXLAN Based Campus Networks

Need for an Overlay-Based Campus Fabric

Enterprise networks are adopting cloud-based applications to improve their competitiveness, lower IT costs, and provide users with anytime, anywhere access to resources and data. Mobile devices, social media, and collaboration tools place new demands on networks. Modern enterprise networks must scale rapidly and provide immediate access to devices with limited networking capabilities as the use of Internet of Things (IoT) devices increases.

Most traditional campus architectures use single-vendor, chassis-based technologies that work well in small, static campuses with few endpoints. However, they are too rigid to support the scalability and changing needs of modern large enterprises.

The Juniper Networks EVPN-VXLAN fabric is a highly scalable architecture that is simple, programmable, and built on a standards-based architecture that is common across campuses and data centers.

The EVPN-VXLAN campus architecture uses a Layer 3 IP-based underlay network and an EVPN-VXLAN overlay network. The simple IP-based Layer 3 network underlay limits the Layer 2 broadcast domain. A flexible overlay network based on a VXLAN overlay with an EVPN control plane efficiently provides Layer 3 or Layer 2 connectivity.

This architecture decouples the virtual topology from the physical topology, which improves network flexibility and simplifies network management. Endpoints that require Layer 2 adjacency, such as IoT devices, can be placed anywhere in the network and remain connected to the same logical Layer 2 network.

With an EVPN-VXLAN campus architecture, you can easily add core, distribution, and access layer devices as your business grows without having to redesign the network. EVPN-VXLAN is vendor-agnostic, so you can use the existing access layer infrastructure and gradually migrate to access layer switches that support EVPN-VXLAN capabilities.

EVPN-VXLAN Benefits

An EVPN-VXLAN fabric is an efficient and scalable way to build and connect campus, data center, and public cloud networks. With a robust BGP/EVPN implementation on all platforms, this architecture provides optimized, seamless, and standards-compliant Layer 2 or Layer 3 connectivity.

Juniper Networks EVPN-VXLAN campus networks provide the following benefits:

  • Consistent, scalable architecture—Enterprises typically have multiple sites with different size requirements. A common EVPN-VXLAN-based campus architecture is consistent across all sites, irrespective of the size. EVPN-VXLAN scales out or scales in as a site evolves.

  • Multi-vendor deployment—The EVPN-VXLAN architecture uses standards-based protocols so enterprises can deploy campus networks using multi-vendor network equipment. There is no single vendor lock-in requirement.

  • Reduced flooding and learning—Control plane-based Layer 2/Layer 3 learning reduces the flood and learn issues associated with data plane learning. Learning MAC addresses in the forwarding plane has an adverse impact on network performance as the number of endpoints grows. The EVPN control plane handles the exchange and learning of routes, so newly learned MAC addresses are not exchanged in the forwarding plane.

  • Location-agnostic connectivity—The EVPN-VXLAN campus architecture provides a consistent endpoint experience no matter where the endpoint is located. Some endpoints require Layer 2 reachability, such as legacy building security systems or IoT devices. The Layer 2 VXLAN overlay provides Layer 2 reachability across campuses without any changes to the underlay network. With our standards-based network access control integration, an endpoint can be connected anywhere in the network.

  • Underlay agnostic—VXLAN as an overlay is underlay agnostic. With a VXLAN overlay, you can connect multiple campuses with a Layer 2 VPN or Layer 3 VPN service from a WAN provider or by using IPsec over Internet.

  • Consistent network segmentation—A universal EVPN-VXLAN-based architecture across campuses and data centers means consistent end-to-end network segmentation for endpoints and applications.

  • Simplified management—Campuses and data centers based on a common EVPN-VXLAN design can use common tools and network teams to deploy and manage campus and data center networks.

EVPN-VXLAN Technical Overview

Understanding VXLAN

Network overlays are created by encapsulating traffic and tunneling it over a physical network. The Virtual Extensible LAN (VXLAN) tunneling protocol encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets. VXLAN enables virtual Layer 2 subnets or segments that can span the underlying physical Layer 3 network.

In a VXLAN overlay network, each Layer 2 subnet or segment is uniquely identified by a virtual network identifier (VNI). A VNI segments traffic the same way that a VLAN ID segments traffic. As is the case with VLANs, endpoints within the same virtual network can communicate directly with each other. Endpoints in different virtual networks require a device that supports inter-VXLAN routing, which is typically a router or a high-end switch.

The entity that performs VXLAN encapsulation and decapsulation is called a VXLAN tunnel endpoint. Each VXLAN tunnel endpoint is typically assigned a unique IP address.

VXLAN Control Plane Limitations

VXLAN can be deployed as a tunneling protocol across a Layer 3 IP fabric data center without a control plane protocol. The VXLAN abstraction does not change the flood and learn behavior of the Ethernet protocol, which has inherent limitations in terms of scalability and efficiency.

The two primary methods for using VXLAN without a control plane protocol—static unicast VXLAN tunnels and VXLAN with a multicast underlay—do not solve the inherent flood and learn problem and are difficult to scale in large multitenant environments. EVPN-VXLAN is a scalable solution for the flood and learn problems with Ethernet.

Understanding EVPN

Ethernet VPN (EVPN) is a standards-based protocol that provides virtual multipoint bridged connectivity between different domains over an IP or IP/MPLS backbone network. EVPN enables seamless multitenant, flexible services that can be extended on demand.

EVPN is an extension to BGP that allows the network to carry both Layer 2 MAC and Layer 3 IP information simultaneously to optimize routing and switching decisions. This control plane technology uses Multiprotocol BGP (MP-BGP) for MAC and IP address endpoint distribution, where MAC addresses are treated as routes. EVPN enables devices acting as virtual tunnel endpoints (VTEPs) to exchange reachability information with each other about their endpoints.

EVPN provides multipath forwarding and redundancy through an all-active model. The access layer can connect to two or more distribution devices and forward traffic using all of the links. If an access link or distribution device fails, traffic flows from the access layer toward the distribution layer using the remaining active links. For traffic in the other direction, remote distribution devices update their forwarding tables to send traffic to the remaining active distribution devices connected to the multihomed Ethernet segment.

The benefits of using EVPNs include:

  • MAC address mobility

  • Multitenancy

  • Load balancing across multiple links

  • Fast convergence

The technical capabilities of EVPN include:

  • Minimal flooding—EVPN creates a control plane that shares end host MAC addresses between VTEPs in the same EVPN segment, which minimizes flooding and facilitates MAC address learning.

  • Multihoming—EVPN supports multihoming for client devices. A control protocol like EVPN that enables synchronization of endpoint addresses between the distribution switches is needed to support multihoming, because traffic traveling across the topology needs to be intelligently moved across multiple paths.

  • Aliasing—EVPN leverages all-active multihoming to allow a remote distribution device to load-balance traffic across the network toward the access layer.

  • Split horizon—Split horizon prevents the looping of broadcast, unknown unicast, and multicast (BUM) traffic in a network. With split horizon, a packet is never sent back in the direction it came from.

The Underlay Network

An EVPN-VXLAN fabric architecture makes the network infrastructure simple and consistent across campuses and data centers. All the core and distribution devices must be connected to each other using a Layer 3 infrastructure. We recommend deploying a Clos-based IP fabric with a spine-leaf-based topology to ensure predictable performance and to enable a consistent, scalable architecture.

The primary requirement in the underlay network is that all core and distribution devices have loopback reachability to one another. The loopback addresses are used to establish IBGP peering relationships for the overlay network.

You can use any Layer 3 routing protocol to exchange loopback addresses between the core and distribution devices. BGP provides benefits like better prefix filtering, traffic engineering, and traffic tagging, while OSPF is relatively simple to configure and troubleshoot.

We are using eBGP as the underlay routing protocol in this example because of its ease of use. You can also use OSPF as the underlaying routing protocol if you choose to. Figure 1 shows the topology of the underlay network.

Figure 1: Underlay Network Topology
Underlay Network Topology

The Overlay Network Control Plane

MP-BGP with EVPN signaling acts as the overlay control plane protocol. The core and distribution devices establish IBGP sessions between each other.

To eliminate the need for full mesh IBGP sessions between all devices, the core switches act as route reflectors and the distribution devices act as route reflector clients. Route reflectors enable simple and consistent IBGP configuration on all distribution switches.

Figure 2 shows the topology of the overlay network.

Figure 2: Overlay Network Topology
Overlay Network Topology

The Overlay Data Plane

This architecture uses VXLAN as the overlay data plane encapsulation protocol. A Juniper switch that functions as a Layer 2 or Layer 3 VXLAN gateway acts as the VXLAN tunnel endpoint and can encapsulate and decapsulate data packets.

Access Layer

The access layer provides network connectivity to end-user devices, such as personal computers, VoIP phones, printers, IoT devices, as well as connectivity to wireless access point devices. The access layer does not participate in the EVPN-VXLAN fabric and operates at Layer 2 only. The uplinks from the access layer to the distribution layer are Layer 2 trunk link aggregation group (LAG) ports with VLANs relevant to the access switch or Virtual Chassis.

In this example, each access switch or Virtual Chassis is multihomed to two distribution switches. With EVPN running as the control plane protocol, any access switch or Virtual Chassis device can enable active-active multihoming on its interfaces. EVPN provides a standards-based multihoming solution that scales horizontally across any number of distribution layer switches. The access layer switches can use LAG with Link Aggregation Control Protocol (LACP) for multihoming to two more distribution layer switches.

Figure 3 shows the topology of the access layer devices after multihoming.

Figure 3: Access Layer Topology
Access Layer Topology

Mist Access points

In our network, we choose Mist Access points as our preferred access point devices. They are designed from the ground up to meet the stringent networking needs of the modern cloud and smart-device era. Mist delivers unique capabilities for both wired and wireless LAN.

  • Wired and wireless assurance—Mist is enabled with wired and wireless assurance. Once configured, Service Level Expectations (SLE) for key wired and wireless performance metrics such as throughput, capacity, roaming, and uptime are addressed in the Mist platform. This NCE uses Mist wired assurance services.

  • Marvis—An integrated AI engine that provides rapid wired and wireless troubleshooting, trending analysis, anomaly detection, and proactive problem remediation.

Evolving IT departments look for a cohesive approach for managing wired and wireless networks. Juniper Networks has a solution that simplifies and automate operations, provides end-to-end troubleshooting, and ultimately evolves into the Self-Driving Network™. The Integration of the Mist platform in this NCE addresses both of these challenges. For more details on Mist integration and EX switches, see How to Connect Mist Access Points and Juniper EX Series Switches.

VRF Segmentation

VRF segmentation is used to organize users and devices in groups on a shared network while separating and isolating the different groups. The routing devices on the network create and maintain separate virtual routing and forwarding (VRF) table for each group. The users and devices in a group are placed in one VRF segment and can communicate with each other, but they cannot communicate with users in another VRF segment. If you want to send and receive traffic from one VRF segment to another VRF segment, then you must configure the routing path.

Figure 4 shows an ERB based EVPN-VXLAN campus network with 3 VRF segments (Employees, Guests, and IoT devices).

Figure 4: VRF Segmentation in an ERB Architecture
VRF Segmentation in an ERB Architecture

Campus EVPN-VXLAN Fabric High-Level Architecture: CRB

At a high level, a CRB based EVPN-VXLAN fabric architecture for campus network deployments consists of the following:

  • Core switches that can be configured as Layer 2/Layer 3 VXLAN gateways.

  • A centrally-routed bridging (CRB) overlay where the Integrated Routing and Bridging (IRB) interfaces for the virtual networks are located on the core switches.

  • Distribution switches that can be configured as Layer 2 VXLAN gateways.

  • Access layer switches that are either standalone switches or a Virtual Chassis. These switches can be Juniper or third-party devices.

  • VLANs that carry endpoint traffic from the wired and wireless devices that connect to the access layer switches and the distribution layer switches.

Figure 5 provides a high-level overview of the EVPN-VXLAN fabric architecture for wired and wireless integration.

Figure 5: The CRB EVPN-VXLAN Campus Network Architecture
The CRB EVPN-VXLAN Campus
Network Architecture

Campus EVPN-VXLAN Fabric High-Level Architecture: ERB

At a high level, an ERB based EVPN-VXLAN fabric architecture for campus network deployments consists of the following:

  • Core switches provides transport of EVPN type-2 and type-5 routes

  • Distribution switches can be configured as Layer 2/Layer 3 VXLAN gateways.

  • An Edge-routed bridging (ERB) overlay where the Integrated Routing and Bridging (IRB) interfaces for the virtual networks are located on the distribution switches.

  • Access layer switches that are either standalone switches or a Virtual Chassis. These switches can be Juniper or third-party devices.

  • VLANs that carry endpoint traffic from the wired and wireless devices that connect to the access layer switches and the distribution layer switches.

  • ERB design also enables faster server-to-server, intra-campus traffic (also known as east-west traffic). As a result, routing happens much closer to the end systems than with Centrally-routed bridging (CRB) overlays.

    Figure 6 shows an EVPN-VXLAN campus network based on the ERB architecture.

    Figure 6: The ERB EVPN-VXLAN Campus Network Architecture
    The ERB EVPN-VXLAN
Campus Network Architecture

Campus IP Clos Fabric High-Level Architecture

The campus fabric, with an EVPN-VXLAN architecture, decouples the overlay network from the underlay network. This approach addresses the needs of the modern enterprise network by allowing network administrators to create logical Layer 2 networks across different Layer 3 networks. By configuring different routing instances, you can create separate virtual networks and each routing instance will have its own separate routing and switching table.

VXLAN is the overlay data plane encapsulation protocol that tunnels Ethernet frames between network endpoints on the Layer 3 IP network. Devices that perform VXLAN encapsulation and decapsulation for the network are referred to as a VXLAN tunnel endpoint (VTEP). Before a VTEP sends a frame into a VXLAN tunnel, it wraps the original frame in a VXLAN header that includes a virtual network identifier (VNI). The VNI maps the packet to the original VLAN that at the ingress switch. After applying a VXLAN header, the frame is encapsulated into a UDP/IP packet for transmission to another VTEP over an IP network.

A campus fabric with EVPN-VXLAN is a more modern and scalable network that uses a BGP or OSPF underlay from the core to the access layer switches. The access layer switches are VTEPs that encapsulate and decapsulate the VXLAN traffic. In addition, the VTEPs route packets in and out of VXLAN tunnels.

Figure 7 shows an EVPN-VXLAN Campus network based on the IP Clos architecture.

Figure 7: An IP Clos Topology
 An IP Clos Topology