Edge Virtual Bridging
Understanding Edge Virtual Bridging for Use with VEPA Technology on EX Series Switches
Servers using virtual Ethernet port aggregator (VEPA) do not send packets directly from one virtual machine (VM) to another. Instead, the packets are sent to virtual bridges on an adjacent switch for processing. EX Series switches use edge virtual bridging (EVB) as a virtual bridge to return the packets on the same interface that delivered the packets.
What Is EVB?
EVB is a software capability on a switch running Junos OS that allows multiple virtual machines to communicate with each other and with external hosts in the Ethernet network environment.
What Is VEPA?
VEPA is a software capability on a server that collaborates with an adjacent, external switch to provide bridging support between multiple virtual machines and external networks. The VEPA collaborates with the adjacent switch by forwarding all VM-originated frames to the adjacent switch for frame processing and frame relay (including hairpin forwarding) and by steering and replicating frames received from the VEPA uplink to the appropriate destinations.
Why Use VEPA Instead of VEB?
Even though virtual machines are capable of sending packets directly to one another with a technology called virtual Ethernet bridging (VEB), you typically want to use physical switches for switching because VEB uses expensive server hardware to accomplish the task. Instead of using VEB, you can install VEPA on a server to offload switching functionality to an adjacent, less expensive physical switch. Additional advantages of using VEPA include:
VEPA reduces complexity and allows higher performance at the server.
VEPA takes advantage of the physical switch’s security and tracking features.
VEPA provides visibility of inter-virtual-machine traffic to network management tools designed for an adjacent bridge.
VEPA reduces the amount of network configuration required by server administrators, and as a consequence, reduces work for the network administrator.
How Does EVB Work?
EVB uses two protocols, Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP) and Edge Control Protocol (ECP), to program policies for each individual virtual switch instance—specifically, EVB maintains the following information for each VSI instance:
VLAN ID
VSI type
VSI type version
MAC address of the server
VDP is used by the VEPA server to propagate VSI information to the switch. This allows the switch to program policies on individual VSIs and supports virtual machine migration by implementing logic to preassociate a VSI with a particular interface.
ECP is a Link Layer Discovery Protocol (LLDP)-like transport layer that allows multiple upper-layer protocols to send and receive protocol data units (PDUs). ECP improves upon LLDP by implementing sequencing, retransmission, and an acknowledgment mechanism, while remaining lightweight enough to be implemented on a single-hop network. ECP is implemented in an EVB configuration when you configure LLDP on interfaces that you have configured for EVB. That is, you configure LLDP, not ECP.
How Do I Implement EVB?
You can configure EVB on a switch when that switch is adjacent to a server that includes VEPA technology. In general, this is what you do to implement EVB:
The network manager creates a set of VSI types. Each VSI type is represented by a VSI type ID and a VSI version; the network manager can deploy one or more VSI versions at any given time.
The VM manager configures a VSI (a virtual station interface for a VM, represented by a MAC address and VLAN ID pair). To accomplish this, the VM manager queries the available VSI type IDs (VTIDs) and creates a VSI instance consisting of a VSI instance ID and the chosen VTID. This instance is known as the VTDB and contains a VSI manager ID, a VSI type ID, a VSI version, and a VSI instance ID.
See Also
Configuring Edge Virtual Bridging on an EX Series Switch
Configure edge virtual bridging (EVB) when a switch is connected to a virtual machine (VM) server using virtual Ethernet port aggregator (VEPA) technology. EVB does not convert packets; rather, it ensures that packets from one VM destined for another VM on the same VM server are switched. In other words, when the source and destination of a packet are on the same port, EVB delivers the packet properly, which otherwise would not happen.
Configuring EVB also enables Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP).
Before you begin configuring EVB, ensure that you have:
Configured packet aggregation on the server connected to the port that you will use on the switch for EVB. See your server documentation.
Configured the EVB interface for all VLANs located on the virtual machines. See Configuring VLANs for EX Series Switches.
Note: The port security features MAC move limiting and MAC limiting are supported on interfaces that are configured for EVB; however, the port security features IP source guard, dynamic ARP inspection (DAI), and DHCP snooping are not supported by EVB. For more information about these features, see Port Security Features.
To configure EVB on the switch:
See Also
Example: Configuring Edge Virtual Bridging for Use with VEPA Technology on an EX Series Switch
Virtual machines (VMs) can use a physical switch that is adjacent to the VMs’ server to send packets both to other VMs and to the rest of the network when two conditions have been met:
Virtual Ethernet port aggregator (VEPA) is configured on the VM server.
Edge virtual bridging (EVB) is configured on the switch.
This example shows how to configure EVB on the switch so that packets can flow to and from the virtual machines.
Requirements
This example uses the following hardware and software components:
One EX4500 or EX8200 switch
Junos OS Release 12.1 or later for EX Series switches
Before you configure EVB on a switch, be sure you have configured the server with virtual machines, the VLANs, and VEPA:
This example uses the following numbers of components, but you can use fewer or more when you configure the feature.
On the server, configure six virtual machines, VM 1 through VM 6 as shown in Figure 1. See your server documentation.
On the server, configure three VLANs named VLAN_Purple, VLAN_Orange, and VLAN_Blue, and add two virtual machines to each VLAN. See your server documentation.
On the server, install and configure VEPA to aggregate the virtual machine packets.
On the switch, configure one interface with the same three VLANs as the server (VLAN_Purple, VLAN_Orange, and VLAN_Blue). See Configuring VLANs for EX Series Switches.
Overview and Topology
EVB is a software capability that provides multiple virtual end stations that communicate with each other and with external switches in the Ethernet network environment.
This example demonstrates the configuration that takes place on a switch when that switch is connected to a server with VEPA configured. In this example, a switch is already connected to a server hosting six virtual machines (VMs) and configured with VEPA for aggregating packets. The server’s six virtual machines are VM 1 through VM 6, and each virtual machine belongs to one of the three server VLANs—VLAN_Purple, VLAN_Orange, or VLAN_Blue. Because VEPA is configured on the server, no two VMs can communicate directly—all communication between VMs must happen via the adjacent switch. Figure 1 shows the topology for this example.
Edge Virtual Bridging Example Topology
The VEPA component of the server pushes all packets from any VM, regardless of whether the packets are destined to other VMs on the same server or to any external host, to the adjacent switch. The adjacent switch applies policies to incoming packets based on the interface configuration and then forwards the packets to appropriate interfaces based on the MAC learning table. If the switch has not yet learned a destination MAC, it floods the packet to all interfaces, including the source port on which the packet arrived.
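The hairpin behaviour described above, as an added Python model that is not part of Juniper's documentation or code: a learning bridge with a per-port EVB (reflective-relay) flag, fed constructed frames from two VMs behind the same VEPA uplink. Port names, VLAN IDs and MAC addresses are constructed sample values.

```python
# Added example: toy learning bridge showing what EVB reflective relay changes.
# Port names, VLAN ids and MAC addresses below are constructed sample values.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst vlan")


class Bridge:
    """Learning bridge. Ports in evb_ports may hairpin traffic (reflective relay)."""

    def __init__(self, vlan_members, evb_ports=()):
        self.vlan_members = vlan_members      # port -> set of VLAN ids it carries
        self.evb_ports = set(evb_ports)       # ports facing a VEPA server
        self.fdb = {}                         # (vlan, mac) -> port

    def receive(self, in_port, frame):
        """Return the ordered list of egress ports for a frame arriving on in_port."""
        if frame.vlan not in self.vlan_members.get(in_port, ()):
            return []                         # VLAN not configured on the ingress port
        self.fdb[(frame.vlan, frame.src)] = in_port     # source MAC learning
        out_port = self.fdb.get((frame.vlan, frame.dst))
        if out_port is None:
            # Unknown destination: flood to every member port of the VLAN. A standard
            # bridge never sends back out the ingress port; with EVB the ingress port
            # is included so a sibling VM behind the same uplink is reached.
            return [p for p, vlans in self.vlan_members.items()
                    if frame.vlan in vlans and (p != in_port or p in self.evb_ports)]
        if out_port == in_port:
            # Hairpin case: source and destination VMs sit behind the same uplink.
            return [in_port] if in_port in self.evb_ports else []
        return [out_port]


def demo():
    """VM1 and VM2 on VLAN 3 behind ge-0/0/20.0; compare EVB and non-EVB switches."""
    vm1, vm2 = "00:10:94:00:00:01", "00:10:94:00:00:02"
    members = {"ge-0/0/20.0": {3, 4}, "ge-0/0/21.0": {3}, "ge-0/0/22.0": {4}}
    results = {}
    for label, evb in (("evb", ["ge-0/0/20.0"]), ("plain", [])):
        sw = Bridge(members, evb_ports=evb)
        first = sw.receive("ge-0/0/20.0", Frame(vm1, vm2, 3))   # dst unknown: flood
        reply = sw.receive("ge-0/0/20.0", Frame(vm2, vm1, 3))   # dst known, same port
        results[label] = (first, reply)
    return results
```

Without the EVB flag the reply frame is dropped because its destination was learned on the ingress port, which is exactly the case the switch-side EVB configuration exists to handle.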
Table 1 shows the components used in this example.
Component | Description |
---|---|
EX Series switch | For a list of switches that support this feature, see EX Series Switch Software Features Overview or EX Series Virtual Chassis Software Features Overview. |
ge-0/0/20 | Switch interface to the server. |
Server | Server with virtual machines and VEPA technology. |
Virtual machines | Six virtual machines located on the server, named VM 1, VM 2, VM 3, VM 4, VM 5, and VM 6. |
VLANs | Three VLANs, named VLAN_Purple, VLAN_Orange, and VLAN_Blue. Each VLAN has two virtual machine members. |
VEPA | A virtual Ethernet port aggregator (VEPA) is a software capability on a server that collaborates with an adjacent, external switch to provide bridging support between multiple virtual machines and with external networks. The VEPA collaborates with the switch by forwarding all VM-originated frames to the adjacent bridge for frame processing and frame relay (including hairpin forwarding) and by steering and replicating frames received from the VEPA uplink to the appropriate destinations. |
Configuring EVB also enables Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP).
Configuration
Procedure
CLI Quick Configuration
To quickly configure EVB, copy the following commands and paste them into the switch's CLI at the [edit] hierarchy level.
set interfaces ge-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set protocols lldp interface ge-0/0/20.0
set vlans vlan_purple interface ge-0/0/20.0
set vlans vlan_orange interface ge-0/0/20.0
set vlans vlan_blue interface ge-0/0/20.0
set protocols edge-virtual-bridging vsi-discovery interface ge-0/0/20.0
set policy-options vsi-policy P1 from vsi-manager 98 vsi-type 998 vsi-version 4 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb998
set policy-options vsi-policy P1 then filter f2
set policy-options vsi-policy P3 from vsi-manager 97 vsi-type 997 vsi-version 3 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997
set policy-options vsi-policy P3 then filter f3
set firewall family ethernet-switching filter f2 term t1 then accept
set firewall family ethernet-switching filter f2 term t1 then count f2_accept
set firewall family ethernet-switching filter f3 term t1 then accept
set firewall family ethernet-switching filter f3 term t1 then count f3_accept
set protocols edge-virtual-bridging vsi-discovery vsi-policy P1
set protocols edge-virtual-bridging vsi-discovery vsi-policy P3
Step-by-Step Procedure
To configure EVB on the switch:
Configure tagged-access mode for the interfaces on which you will enable EVB:
[edit interfaces ge-0/0/20]
user@switch# set unit 0 family ethernet-switching port-mode tagged-access
Enable the Link Layer Discovery Protocol (LLDP) on the interfaces on which you will enable EVB:
[edit protocols]
user@switch# set lldp interface ge-0/0/20.0
Configure the interface as a member of all VLANs located on the virtual machines.
[edit]
user@switch# set vlans vlan_purple interface ge-0/0/20.0
user@switch# set vlans vlan_orange interface ge-0/0/20.0
user@switch# set vlans vlan_blue interface ge-0/0/20.0
Enable the VSI Discovery and Configuration Protocol (VDP) on the interface:
[edit protocols]
user@switch# set edge-virtual-bridging vsi-discovery interface ge-0/0/20.0
Define policies for VSI information. VSI information is based on a VSI manager ID, VSI type, VSI version, and VSI instance ID:
[edit policy-options]
user@switch# set vsi-policy P1 from vsi-manager 98 vsi-type 998 vsi-version 4 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb998
user@switch# set vsi-policy P1 then filter f2
user@switch# set vsi-policy P3 from vsi-manager 97 vsi-type 997 vsi-version 3 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997
user@switch# set vsi-policy P3 then filter f3
Two VSI policies were defined in the previous step, each of them mapping to different firewall filters. Define the firewall filters:
[edit firewall family ethernet-switching]
user@switch# set filter f2 term t1 then accept
user@switch# set filter f2 term t1 then count f2_accept
user@switch# set filter f3 term t1 then accept
user@switch# set filter f3 term t1 then count f3_accept
Associate the VSI policies with the VSI discovery protocol:
[edit]
user@switch# set protocols edge-virtual-bridging vsi-discovery vsi-policy P1
user@switch# set protocols edge-virtual-bridging vsi-discovery vsi-policy P3
Results
user@switch# show protocols
edge-virtual-bridging {
    vsi-discovery {
        interface {
            ge-0/0/20.0;
        }
        vsi-policy {
            P1;
            P3;
        }
    }
}
lldp {
    interface ge-0/0/20.0;
}
user@switch# show policy-options
vsi-policy P1 {
    from {
        vsi-manager 98 vsi-type 998 vsi-version 4 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb998;
    }
    then {
        filter f2;
    }
}
vsi-policy P3 {
    from {
        vsi-manager 97 vsi-type 997 vsi-version 3 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997;
    }
    then {
        filter f3;
    }
}
user@switch# show vlans
vlan_blue {
    interface {
        ge-0/0/20.0;
    }
}
vlan_orange {
    interface {
        ge-0/0/20.0;
    }
}
vlan_purple {
    interface {
        ge-0/0/20.0;
    }
}
user@switch# show firewall
family ethernet-switching {
    filter f2 {
        term t1 {
            then {
                accept;
                count f2_accept;
            }
        }
    }
    filter f3 {
        term t1 {
            then {
                accept;
                count f3_accept;
            }
        }
    }
}
Verification
To confirm that EVB is enabled and working correctly, perform these tasks:
- Verifying That EVB is Correctly Configured
- Verifying That the Virtual Machine Successfully Associated With the Switch
- Verifying That VSI Profiles Are Being Learned at the Switch
Verifying That EVB is Correctly Configured
Purpose
Verify that EVB is correctly configured
Action
user@switch# show edge-virtual-bridging
Interface      Forwarding Mode    RTE   Number of VSIs   Protocols
ge-0/0/20.0    Reflective-relay   25    400              ECP, VDP, RTE
Meaning
When LLDP is first enabled, an EVB LLDP exchange takes place between the switch and the server. As part of this exchange the following parameters are negotiated: number of VSIs supported, forwarding mode, ECP support, VDP support, and Retransmission Timer Exponent (RTE). If the output shows values for the negotiated parameters, EVB is correctly configured.
Verifying That the Virtual Machine Successfully Associated With the Switch
Purpose
Verify that the virtual machine successfully associated with the switch. After the VSI profile has been successfully associated with the switch interface, verify that the VM's MAC address has been learned in the MAC table (forwarding database). The learn type of the VM's MAC addresses is VDP. When the VM shuts down successfully, the corresponding MAC-VLAN entry is flushed from the FDB table; otherwise, the entry is never removed.
Action
user@switch# run show ethernet-switching table
Ethernet-switching table: 10 entries, 4 learned
  VLAN   MAC address         Type     Age   Interfaces
  v3     *                   Flood    -     All-members
  v3     00:02:a6:11:bb:1a   VDP      -     ge-1/0/10.0
  v3     00:02:a6:11:cc:1a   VDP      -     ge-1/0/10.0
  v3     00:23:9c:4f:70:01   Static   -     Router
  v4     *                   Flood    -     All-members
  v4     00:02:a6:11:bb:bb   VDP      -     ge-1/0/10.0
  v4     00:23:9c:4f:70:01   Static   -     Router
  v5     *                   Flood    -     All-members
  v5     00:23:9c:4f:70:01   Static   -     Router
  v5     52:54:00:d5:49:11   VDP      -     ge-1/0/20.0
Verifying That VSI Profiles Are Being Learned at the Switch
Purpose
Verify that VSI profiles are being learned at the switch.
Action
user@switch# show edge-virtual-bridging vsi-profiles
Interface: ge-0/0/20.0
Manager: 97, Type: 997, Version: 3, VSI State: Associate
Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997
  MAC                 VLAN
  00:10:94:00:00:04   3
Meaning
Whenever VMs configured for VEPA are started at the server, the VMs start sending VDP messages. As part of this protocol VSI profiles are learned at the switch.
If the output has values for Manager, Type, Version, VSI State, and Instance, VSI profiles are being learned at the switch.
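An added Python check, not Juniper code, that ties the VSI policy step of the procedure to this verification: it parses a constructed sample of the vsi-profiles output above and reports, for each VDP-learned MAC, which of the page's policies (P1, P3) its profile matched, so a VM whose association matches no policy (and therefore gets no filter) stands out. It assumes a policy matches only when all four from-terms (manager, type, version, instance) match, and the second profile in the sample (an older VSI version) is constructed.

```python
# Added example, not Juniper code: check VDP-learned VSI profiles against the page's vsi-policy
# terms (P1, P3). Assumption: a policy matches only when all four from-terms match.
import re

# name -> (vsi-manager, vsi-type, vsi-version, vsi-instance, filter), from the page's configuration
POLICIES = {
    "P1": (98, 998, 4, "09b11c53-8b5c-4eeb-8f00-c84ebb0bb998", "f2"),
    "P3": (97, 997, 3, "09b11c53-8b5c-4eeb-8f00-c84ebb0bb997", "f3"),
}
HEADER_RE = re.compile(r"Manager:\s*(\d+),\s*Type:\s*(\d+),\s*Version:\s*(\d+),\s*VSI State:\s*(\w+)")
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)$", re.I)
# Constructed 'show edge-virtual-bridging vsi-profiles' output: the page's profile plus a second VM
SAMPLE = """\
Interface: ge-0/0/20.0
Manager: 97, Type: 997, Version: 3, VSI State: Associate
Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997
  MAC                VLAN
  00:10:94:00:00:04  3
Interface: ge-0/0/20.0
Manager: 97, Type: 997, Version: 2, VSI State: Associate
Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997
  MAC                VLAN
  00:10:94:00:00:05  3
"""

def parse_vsi_profiles(text):
    """Return one dict per 'Interface:' block, each with its learned (mac, vlan) pairs."""
    profiles, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "macs": []}
            profiles.append(cur)
        elif (m := HEADER_RE.search(line)):
            cur.update(manager=int(m[1]), vsi_type=int(m[2]), version=int(m[3]), state=m[4])
        elif line.startswith("Instance:"):
            cur["instance"] = line.split(":", 1)[1].strip()
        elif (m := MAC_RE.match(line)):
            cur["macs"].append((m[1].lower(), int(m[2])))
    return profiles

def match_policy(profile):
    """Return (policy, filter) of the first policy whose from-terms all match, else None."""
    key = (profile["manager"], profile["vsi_type"], profile["version"], profile["instance"])
    for name, (manager, vsi_type, version, instance, flt) in POLICIES.items():
        if key == (manager, vsi_type, version, instance):
            return name, flt
    return None

def audit(text):
    """List (mac, vlan, match) per VDP-learned MAC; match None means no filter is applied."""
    return [(mac, vlan, match_policy(p)) for p in parse_vsi_profiles(text) for mac, vlan in p["macs"]]
```

Run against real output from the switch, a None entry is the case to investigate: the VM associated, but no vsi-policy (and so no firewall filter or counter) covers the VSI version it announced.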