Ethernet VPN – What’s the big deal about it?
Co-authored with Ali Sajassi, Distinguished Engineer, Engineering.
Ethernet VPN (EVPN) may be considered by some as the new kid on the block in VPN protocols. It is dubbed the next-generation, all-in-one VPN technology that provides a wide range of services such as E-LAN, E-Line, E-TREE, L3VPN, DCI, DC-Overlay, IRB, … These services were previously provided by different and disjoint VPN technologies such as VPWS, VPLS, SPB/TRILL and L3VPN.
Simplification comes to mind when you think about EVPN – indeed, EVPN is largely considered a unified control-plane solution that applies to many data-plane encapsulations (e.g. MPLS, Segment Routing, VxLAN, NvGRE, …).
In that respect, we are currently witnessing strong traction for this technology in many market segments – Data Centers, Enterprise and Service Providers.
Although having a single control-plane protocol based on BGP that does the job of several different VPN protocols can be a compelling driver, it may not be the only reason why so many major networking vendors and customers are currently embracing EVPN.
So, why should you care about EVPN?
It’s simple – EVPN not only does the job of many legacy VPN technologies, but it does it better than each of them in a one-to-one comparison. In other words,
The whole is greater than the sum of its parts
Let’s see why EVPN makes a difference compared to other legacy solutions.
VPLS has been the VPN technology of choice for delivering E-LAN services, but it has had some limitations from day one.
EVPN has some noteworthy benefits over VPLS (be it tLDP or BGP):
- It provides All-Active multi-homing (and not just dual-homing). Prior to EVPN, different vendors were using proprietary solutions for multi-chassis LAG to provide All-Active dual-homing. All these proprietary solutions required dedicated inter-chassis links, which translated into additional links and thus line cards (i.e. an increase in CAPEX). EVPN not only provides such a solution without the use of inter-chassis links, but it also provides it with unparalleled flexibility: a multi-homed device can be connected to any number (N) of PE devices, and a PE device can participate in dual-homing, triple-homing, quad-homing, … simultaneously!
- Prevents loops for both All-Active and Single-Active redundancy, even in transient states
- Ease of use – the ability to auto-sense what kind of access device or network is attached (e.g., LACP, MSTP, G.8032, REP, …) and to auto-discover all other PE devices attached to the same access device/network. The PEs then run the Designated Forwarder (DF) election procedure to elect a DF for BUM traffic (Layer 2 broadcast, unknown unicast, and multicast) to/from the access device/network.
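As an added illustration (not code from the original post), here is the default DF election that RFC 7432 section 8.5 specifies for this step, in Python: each PE lists the peers it discovered through their Ethernet Segment routes, sorts them by IP address, and takes the PE at ordinal (VLAN mod N) as the DF for that VLAN. PE addresses, ESI values and VLAN IDs are constructed samples.

```python
"""Default Designated Forwarder (DF) election for an EVPN Ethernet Segment.

Added illustration, not code from the original post. It models the default
election of RFC 7432 section 8.5: each PE attached to an Ethernet Segment
(ES) discovers its peers from the Ethernet Segment routes (route type 4) it
receives, sorts the candidate PE IP addresses in increasing numeric order,
and the PE with ordinal i is DF for VLAN v when v mod N == i. PE addresses,
ESI values and VLAN IDs are constructed samples.
"""
import ipaddress
from typing import Dict, List

# Constructed sample ESIs; a real ESI is derived from the attached device
# (e.g. its LACP system ID) or configured, and is identical on all its PEs.
ESI = "00:11:22:33:44:55:66:77:88:99"
OTHER_ESI = "00:aa:bb:cc:dd:ee:ff:00:11:22"


def candidate_list(es_routes: List[dict], esi: str) -> List[str]:
    """Ordered candidate list built from the ES routes received for one ESI.

    Ordering is by the numeric value of the PE's IP address, as the RFC
    requires, not lexical (so 10.0.0.9 sorts before 10.0.0.10). A PE that
    stops advertising its ES route (link down, withdrawal) simply drops out.
    """
    pes = {r["pe"] for r in es_routes if r["esi"] == esi}
    return sorted(pes, key=lambda ip: int(ipaddress.ip_address(ip)))


def elect_df(candidates: List[str], vlan: int) -> str:
    """The DF for one VLAN is the candidate with ordinal vlan mod N."""
    if not candidates:
        raise ValueError("no PE is attached to this Ethernet Segment")
    return candidates[vlan % len(candidates)]


def df_table(es_routes: List[dict], esi: str, vlans: List[int]) -> Dict[int, str]:
    """DF per VLAN for an ES, as every PE on that ES computes it independently."""
    candidates = candidate_list(es_routes, esi)
    return {v: elect_df(candidates, v) for v in vlans}


def forwards_bum(local_pe: str, es_routes: List[dict], esi: str, vlan: int) -> bool:
    """Only the DF forwards BUM traffic from the core toward the ES; the other
    PEs on the ES drop it, which is what keeps the access side loop-free."""
    return elect_df(candidate_list(es_routes, esi), vlan) == local_pe


def after_failure(es_routes: List[dict], failed_pe: str) -> List[dict]:
    """Routing state once failed_pe's ES route has been withdrawn."""
    return [r for r in es_routes if r["pe"] != failed_pe]


# Constructed sample: three PEs advertise an ES route for the same ESI; a
# fourth PE advertises a different ESI and must not influence this election.
SAMPLE_ES_ROUTES = [
    {"pe": "10.0.0.10", "esi": ESI},
    {"pe": "10.0.0.9", "esi": ESI},
    {"pe": "10.0.0.2", "esi": ESI},
    {"pe": "10.0.0.7", "esi": OTHER_ESI},
]

if __name__ == "__main__":
    vlans = [100, 101, 102, 103]
    print("steady state:", df_table(SAMPLE_ES_ROUTES, ESI, vlans))
    print("after 10.0.0.9 withdraws:",
          df_table(after_failure(SAMPLE_ES_ROUTES, "10.0.0.9"), ESI, vlans))
```

RFC 7432 has a PE wait a short timer (3 seconds by default) after discovering an ES before running the election, so that the peers' ES routes have time to arrive; when one PE's ES route is later withdrawn, the others re-run the same computation and the DF role moves without any coordination protocol between them. Because the modulo scheme reshuffles DF assignments for every VLAN whenever N changes, RFC 8584 later defined alternative algorithms such as Highest Random Weight that minimize this reshuffling.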
Layer2/Layer3 Overlay in Data Centers
EVPN not only does the job of 802.1Q, 802.1aq or FabricPath, but does even better by providing the following additional functionalities:
- Maximizing bisectional bandwidth utilization in the data center fabric by performing per-flow load-balancing across all multi-homing PE devices, even if a specific MAC/IP address is learned by only one of the multi-homing PEs! This is referred to as Aliasing in EVPN lingo.
- Fast convergence upon link/node failure by withdrawing a single route associated with each failed Ethernet Segment, regardless of the number of MAC/IP addresses sitting behind it (e.g., there can be 10K or 100K MACs). Withdrawing these routes causes remote PE devices to switch to the other PEs in the redundancy group. This feature is referred to as mass-withdraw in EVPN lingo.
- Providing optimum forwarding within the fabric for both intra-subnet and inter-subnet traffic simultaneously, to avoid tromboning of traffic in the DC. Intra-subnet forwarding is done via Ethernet switching, therefore supporting all IP and non-IP applications in data centers, and inter-subnet forwarding is done via IP switching to provide optimum forwarding among the different IP subnets of a given tenant. This service is provided over a single virtual interface (attachment circuit) to the host/tenant, and the L2/L3 forwarding decision is made on a packet-by-packet basis.
- Providing distributed Anycast gateway functionality
- Flexible workload placement – e.g. VMs can be placed anywhere within the DC without the constraints of rack boundaries
- Seamless workload mobility
- Per flow active/active redundancy for dually attached servers using MC-LAG
- Support for both IP and MPLS fabric
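The Aliasing and mass-withdraw behaviors from the list above, as an added example in Python (not code from the original post): a remote PE resolves each MAC through the Ethernet A-D routes of the Ethernet Segment it sits behind, per RFC 7432 sections 8.2 and 8.4, so a MAC learned by only one PE is still load-balanced across both (Aliasing), and a single A-D per ES withdrawal re-points every MAC behind that segment at once (mass-withdraw). PE addresses, the ESI, the EVI number and the MACs are constructed samples.

```python
"""Remote-PE view of EVPN Aliasing and Mass-Withdraw.

Added illustration, not code from the original post. It models how a remote
PE resolves MAC addresses (RFC 7432 sections 8.2 and 8.4) from three EVPN
route types received over BGP:
  - Ethernet A-D per ES  (route type 1): "PE x is attached to ESI y"
  - Ethernet A-D per EVI (route type 1): "PE x serves EVI z on ESI y"
  - MAC/IP Advertisement (route type 2): "MAC m sits behind ESI y", sent by
    the PE that actually learned the MAC
PE addresses, ESI values, EVI numbers and MACs are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ZERO_ESI = "00:00:00:00:00:00:00:00:00:00"   # reserved: single-homed site, no aliasing
ESI1 = "00:11:22:33:44:55:66:77:88:99"       # constructed multi-homed ES (PE1 + PE2)
PE1, PE2 = "10.0.0.1", "10.0.0.2"            # constructed PE loopbacks
EVI = 100
SINGLE_HOMED_MAC = "00:00:5e:00:aa:01"       # constructed host behind PE2 only


@dataclass
class RemotePE:
    """EVPN state a remote PE keeps in order to resolve MACs of its EVIs."""
    ad_es: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    ad_evi: Dict[Tuple[str, int], Set[str]] = field(default_factory=lambda: defaultdict(set))
    macs: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)

    def receive(self, route: dict) -> None:
        """Install one received BGP EVPN route."""
        kind = route["type"]
        if kind == "ad_es":
            self.ad_es[route["esi"]].add(route["pe"])
        elif kind == "ad_evi":
            self.ad_evi[(route["esi"], route["evi"])].add(route["pe"])
        elif kind == "mac":
            self.macs[(route["evi"], route["mac"])] = (route["pe"], route["esi"])
        else:
            raise ValueError(f"unknown route type {kind!r}")

    def withdraw_ad_es(self, pe: str, esi: str) -> None:
        """Mass-withdraw trigger: the PE that lost its ES link withdraws one
        route. No per-MAC withdrawal is sent, however many MACs sit behind it."""
        self.ad_es[esi].discard(pe)

    def next_hops(self, evi: int, mac: str) -> List[str]:
        """PEs a MAC is load-balanced across (Aliasing).

        For a non-zero ESI the MAC is reachable via every PE that advertised
        both an A-D per ES route for the ESI and an A-D per EVI route for
        (ESI, EVI), even if only one of those PEs ever learned the MAC.
        """
        if (evi, mac) not in self.macs:
            return []
        adv_pe, esi = self.macs[(evi, mac)]
        if esi == ZERO_ESI:
            return [adv_pe]
        return sorted(self.ad_es[esi] & self.ad_evi[(esi, evi)])


def host_mac(i: int) -> str:
    """Constructed host MAC number i behind the multi-homed CE."""
    return f"00:00:5e:00:{i >> 8:02x}:{i & 0xFF:02x}"


def build_sample() -> RemotePE:
    """Remote PE3 as seen after PE1 and PE2 have advertised ESI1 for EVI 100."""
    pe3 = RemotePE()
    for pe in (PE1, PE2):
        pe3.receive({"type": "ad_es", "pe": pe, "esi": ESI1})
        pe3.receive({"type": "ad_evi", "pe": pe, "esi": ESI1, "evi": EVI})
    # 1000 hosts behind the multi-homed CE, all of them learned by PE1 only.
    for i in range(1000):
        pe3.receive({"type": "mac", "pe": PE1, "esi": ESI1, "evi": EVI, "mac": host_mac(i)})
    # One single-homed host on PE2: reserved zero ESI, so no aliasing applies.
    pe3.receive({"type": "mac", "pe": PE2, "esi": ZERO_ESI, "evi": EVI, "mac": SINGLE_HOMED_MAC})
    return pe3


def mass_withdraw_demo() -> Tuple[int, int]:
    """Return (MAC entries re-pointed, MAC routes still installed) after PE1
    withdraws its single A-D per ES route for ESI1."""
    pe3 = build_sample()
    before = {key: pe3.next_hops(*key) for key in pe3.macs}
    pe3.withdraw_ad_es(PE1, ESI1)
    after = {key: pe3.next_hops(*key) for key in pe3.macs}
    repointed = sum(1 for key in before if before[key] != after[key])
    return repointed, len(pe3.macs)


if __name__ == "__main__":
    pe3 = build_sample()
    print("aliased MAC:", pe3.next_hops(EVI, host_mac(7)))
    print("single-homed MAC:", pe3.next_hops(EVI, SINGLE_HOMED_MAC))
    print("(re-pointed, MAC routes kept):", mass_withdraw_demo())
```

The point to take from the model is the dependency direction: a MAC/IP route names the Ethernet Segment, not a PE, so the per-PE reachability of thousands of MACs hangs off a handful of A-D routes. That is why the remote PE can spread flows over a PE that never learned the MAC, and why one withdrawal moves all of them.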
EVPN not only does the job of traditional VPWS (either tLDP or BGP), but it also provides the following additional functionalities:
- Support of segmented service tunnel across multiple domains with ease
- Support of P2P service between a pair of CE devices that are multi-homed to a set of PE devices operating in All-Active mode. Prior to EVPN, such a service was simply not possible!
- Providing auto-discovery & signaling via single protocol (based on BGP)
- Providing local switching with All-Active multi-homing w/ optimum forwarding
- Providing new services such as Flexible Cross Connect services
Compared to VPLS, EVPN delivers E-TREE service with the following additional functionalities:
- Very efficient filtering – when traffic originates from a leaf and is destined to another leaf, it is dropped right away at the ingress PE
- Flexible support of leaf/root site connectivity, where the root/leaf designation can be per attachment circuit or per MAC address.
For further information, refer to draft-ietf-bess-evpn-etree-09.txt.
Layer3 VPN services
EVPN complements existing IP VPN solutions by providing the following additional functionalities:
- Ability to provide multi-homing service to a CE device while only a single IP peering session is maintained from the CE device
- Ability to provide rapid failure detection, minimal fail-over time, and a make-before-break paradigm for maintenance in such multi-homing scenarios
EVPN takes the availability and resiliency of IP VPN services to the next level.
For further information, refer to draft-sajassi-bess-evpn-l3vpn-multihoming-01.txt.
If you’ve missed my previous blog on EVPN, have a look at it.