VXLAN EVPN

VXLAN

VXLAN is an encapsulation protocol (RFC 7348) which encapsulates L2 (Ethernet/MAC) frames into UDP packets, and therefore into IP packets. The advantages of VXLAN are:

  • uses UDP, so it is transported over an L3 network, which can provide a loop-free, ECMP-capable underlay

  • uses UDP, so it can reduce traffic polarization. By varying the UDP source port (RFC 7348 recommends deriving it from a hash of the inner frame's headers, in the ephemeral range 49152-65535), the underlay entropy (the variation in the hash inputs) is increased, which makes load sharing across multiple paths more effective. The destination port remains fixed (UDP 4789), which makes the traffic easy to identify and to filter: VXLAN itself carries no authentication or encryption, so an underlay should only accept UDP/4789 between its own VTEPs. UDP doesn't provide reliability, but that is handled by the application whose traffic is encapsulated in the VXLAN UDP packets

  • supports network segmentation at scale through the 24-bit VXLAN Network Identifier (VNI), giving about 16 million segments instead of the 4096 of the traditional 12-bit VLAN ID

A key element of VXLAN is the VTEP (VXLAN Tunnel Endpoint), also known as an NVE (Network Virtualization Edge), which encapsulates frames from its locally attached hosts and sends them to the VTEP where the destination host is attached.

The obvious question is then: how does a VTEP know which remote VTEP to forward a frame to?

Flood and learn

The initial mechanism to learn about MAC addresses in VXLAN networks is called Flood and Learn:

  1. Frame arrives at the ingress VTEP

    1. the VTEP learns the source MAC address on the local port it arrived on

  2. The VTEP floods the frame into the VXLAN segment using

    1. Head-end replication (a manually maintained list of VTEPs), aka Ingress Replication

    2. Multicast groups (VTEPs in the same VNI join the same multicast group, which requires the underlay to support multicast)

  3. The flooded VXLAN packet reaches all VTEPs in the VNI

    1. Each destination VTEP learns the source MAC address and the VTEP that forwarded it

    2. If the VTEP has an entry for the destination MAC address, it forwards the frame to the local port where the destination exists

    3. If the VTEP doesn't have an entry for the destination MAC address (or the frame is a broadcast, such as an ARP request), it floods the frame to all of its local ports in that VNI, just as a switch does with unknown unicast

  4. Reply traffic comes back to the VTEP where the replying host is attached

    1. since the destination is now known (it was learned from the flooded packet), the traffic is forwarded as unicast to the destination VTEP

  5. Traffic reaches the initial VTEP and the frame is forwarded to the destination MAC, which is known since it was learned when the initial frame arrived

    1. From now on, traffic between these two hosts is all unicast, since the source and destination MACs are known by their attached VTEPs

The main issue with this approach is that every BUM frame (broadcast, unknown unicast, multicast) is replicated to every VTEP in the VNI, so this traffic is multiplied across the entire fabric, and a remote VTEP only learns a MAC after it has already seen traffic from it.

EVPN

Essentially EVPN (RFC 7432, applied to VXLAN in RFC 8365) is a control plane mechanism, carried in MP-BGP, that lets VTEPs advertise MAC addresses to each other. Each VTEP advertises, even before any data traffic flows:

  • its VTEP IP

  • the VNIs it participates in (together with the VTEP IP, this is the Type 3 "Inclusive Multicast Ethernet Tag" route, which also gives every VTEP the list of peers to use for BUM replication without a manually maintained list)

  • the MAC/IP addresses of its local endpoints (Type 2 "MAC/IP Advertisement" routes)

So when a frame arrives at the ingress VTEP, it already knows the egress VTEP and unicasts the frame, encapsulated with the VXLAN header, directly to it.

The EVPN approach drastically reduces the flooding of frames across the network: unknown unicast flooding disappears for advertised MACs, while broadcast and multicast still need BUM replication (unless further optimized, for example by answering ARP requests locally from the advertised MAC/IP bindings).
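A toy model of the two learning mechanisms, added here as an example that is not part of the original page, covering the Flood and Learn procedure above and the EVPN control plane: the same three VTEPs run the same three frames once with data-plane learning and once with MAC routes pre-advertised, and the model counts how many VXLAN packets head-end replication produced. VTEP names, host MACs and port names are invented; the `Fabric` and `Vtep` classes are an abstraction for this example, not any vendor's API.

```python
"""Flood-and-learn versus EVPN, as a constructed simulation (not the page's code).
VTEP names, MACs and ports are invented for the example."""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    vni: int
    src_mac: str
    dst_mac: str


class Fabric:
    """All VTEPs of one fabric plus counters for encapsulated packets."""
    def __init__(self, evpn: bool):
        self.evpn = evpn
        self.vteps: dict[str, Vtep] = {}
        self.unicast = 0   # VXLAN packets sent to exactly one remote VTEP
        self.flooded = 0   # VXLAN packets produced by head-end replication
        self.delivered: list[tuple[str, str, str]] = []  # (vtep, port, dst_mac)


class Vtep:
    def __init__(self, name: str, fabric: Fabric):
        self.name, self.fabric = name, fabric
        self.local: dict[tuple[int, str], str] = {}   # (vni, mac) -> local port
        self.remote: dict[tuple[int, str], str] = {}  # (vni, mac) -> remote VTEP
        fabric.vteps[name] = self

    def peers(self) -> list[Vtep]:
        return [v for v in self.fabric.vteps.values() if v is not self]

    def attach(self, vni: int, mac: str, port: str) -> None:
        self.local[(vni, mac)] = port
        if self.fabric.evpn:
            # EVPN: advertise the MAC (a Type 2 route) to every peer before any data flows
            for peer in self.peers():
                peer.remote[(vni, mac)] = self.name

    def send(self, frame: Frame, port: str) -> None:
        """A frame from a directly attached host enters the ingress VTEP."""
        self.local[(frame.vni, frame.src_mac)] = port   # ingress learns the source MAC
        key = (frame.vni, frame.dst_mac)
        if key in self.local:                           # same VTEP: no VXLAN needed
            self._deliver(self.local[key], frame)
        elif key in self.remote:                        # known remote: unicast tunnel
            self.fabric.unicast += 1
            self.fabric.vteps[self.remote[key]].receive(frame, self.name)
        else:                                           # BUM: head-end replication
            for peer in self.peers():
                self.fabric.flooded += 1
                peer.receive(frame, self.name)

    def receive(self, frame: Frame, from_vtep: str) -> None:
        """A decapsulated frame arriving from the underlay."""
        if not self.fabric.evpn:
            # flood-and-learn: the MAC -> VTEP binding is learned from the data plane
            self.remote[(frame.vni, frame.src_mac)] = from_vtep
        key = (frame.vni, frame.dst_mac)
        if key in self.local:
            self._deliver(self.local[key], frame)
        else:
            # broadcast or unknown unicast: flood to every local port in this VNI
            for port in {p for (vni, _), p in self.local.items() if vni == frame.vni}:
                self._deliver(port, frame)

    def _deliver(self, port: str, frame: Frame) -> None:
        self.fabric.delivered.append((self.name, port, frame.dst_mac))


def run(evpn: bool) -> dict:
    fab = Fabric(evpn)
    a, b, c = Vtep("vtep-a", fab), Vtep("vtep-b", fab), Vtep("vtep-c", fab)
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    a.attach(10, h1, "eth1"); b.attach(10, h2, "eth1"); c.attach(10, h3, "eth1")
    a.send(Frame(10, h1, BROADCAST), "eth1")   # 1: ARP request from h1 (always BUM)
    b.send(Frame(10, h2, h1), "eth1")          # 2: h2 replies; vtep-b already knows h1
    c.send(Frame(10, h3, h2), "eth1")          # 3: h3 talks to h2 without prior contact
    return {"flooded": fab.flooded, "unicast": fab.unicast, "delivered": fab.delivered}


if __name__ == "__main__":
    for mode in (False, True):
        r = run(mode)
        print("EVPN" if mode else "flood-and-learn", "flooded:", r["flooded"], "unicast:", r["unicast"])
```

Frame 3 is the one that separates the two mechanisms: under flood-and-learn vtep-c has only ever seen h1's broadcast, so the unicast to h2 is flooded to both peers and also leaks out of vtep-a onto h1's port; with EVPN the binding for h2 was advertised at attach time, so the frame goes straight to vtep-b. The broadcast in frame 1 is replicated in both modes, which is the caveat above.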
