1 .. contents:: Table of Contents
4 =======================================================
5 Support of VXLAN based connectivity across Datacenters
6 =======================================================
8 https://git.opendaylight.org/gerrit/#/q/topic:EVPN_RT5
10 Enable realization of L3 connectivity over VXLAN tunnels using L3 BGPVPNs,
11 internally taking advantage of EVPN as the BGP Control Plane mechanism.
16 OpenDaylight NetVirt service today supports VLAN-based,
17 VXLAN-based connectivity and MPLSOverGRE-based overlays.
19 In this VXLAN-based underlay is supported only for traffic
20 within the DataCenter. For all the traffic that need to
21 go via the DC-Gateway the only supported underlay is MPLSOverGRE.
23 Though there is a way to provision an external VXLAN tunnel
24 via the ITM service in Genius, the BGPVPN service in
25 NetVirt does not have the ability to take advantage of such
26 a tunnel to provide inter-DC connectivity.
28 This spec attempts to enhance the BGPVPN service (runs on
29 top of the current L3 Forwarding service) in NetVirt to
30 embrace inter-DC L3 connectivity over external VXLAN tunnels.
35 The scope primarily includes providing ability to support Inter-subnet
36 connectivity across DataCenters over VXLAN tunnels by modeling a
37 new type of L3VPN which will realize this connectivity using
38 EVPN BGP Control plane semantics.
40 When we mention that we are using EVPN BGP Control plane, this
41 spec proposes using the RouteType 5 explained in EVPN_RT5_ as the primary
42 means to provision the control plane en enable inter-DC connectivity
43 over external VXLAN tunnels.
45 This new type of L3VPN will also inclusively support:
47 * Intra-subnet connectivity within a DataCenter over VXLAN tunnels.
48 * Inter-subnet connectivity within a DataCenter over VXLAN tunnels.
52 * Does not cover providing VXLAN connectivity between hypervisors (with OVS Datapath) and Top-Of-Rack switches that might be positioned within such DataCenters.
53 * Does not cover providing intra-subnet connectivity across DCs.
55 Both the points above will be covered by another spec that will be Phase 2 of realizing intra-subnet inter-DC connectivity.
60 The following high level use-cases will be realized by the implementation of this Spec.
62 DataCenter access from a WAN-client via DC-Gateway (Single Homing)
63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
65 This use case involves communication within the DataCenter by tenant VMs and also
66 communication between the tenant VMs to a remote WAN-based client via DC-Gateway.
67 The dataplane between the tenant VMs themselves and between the tenant VMs
68 towards the DC-Gateway will be over VXLAN Tunnels.
70 The dataplane between the DC-Gateway to its other WAN-based BGP Peers is
71 transparent to this spec. It is usually MPLS-based IPVPN.
73 The BGP Control plane between the ODL Controller and the DC-Gateway will be
74 via EVPN RouteType 5 as defined in EVPN_RT5_.
76 The control plane between the DC-Gateway and it other BGP Peers in the WAN
77 is transparent to this spec, but can be IP-MPLS.
81 1. We will have only a single DCGW for WAN connectivity
82 2. IP prefix exchange between ODL controller and DC-GW (iBGP) using EVPN RT5
83 3. WAN control plane will use L3VPN IP-MPLS route exchange.
84 4. On the DC-Gateway, the VRF instance will be configured with two sets of import/export targets. One set of import/export route targets belong to L3VPN inside DataCenter (realized using EVPN RT5) and the second set of import/export route target belongs to WAN control plane.
85 5. EVPN single homing to be used in all RT5 exchanges inside the DataCenter i.e., ESI=0 for all prefixes sent from DataCenter to the DC-Gateway.
86 6. Inter AS option B is used at DCGW, route regeneration at DCGW
88 Datacenter access from another Datacenter over WAN via respective DC-Gateways (L3 DCI)
89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
91 This use-case involves providing inter-subnet connectivity between two DataCenters.
92 Tenant VMs in one datacenter will be able to communicate with tenant VMs on the other
93 datacenter provided they are part of the same L3VPN and they are on different subnets.
95 Both the Datacenters can be managed by different ODL Controllers, but the L3VPN configured on
96 both ODL Controllers will use identical RDs and RTs.
101 The following components of an Openstack-ODL-based solution need to be enhanced to provide
102 intra-subnet and inter-subnet connectivity across DCs using EVPN IP Prefix Advertisement
103 (Route Type 5) mechanism (refer EVPN_RT5_):
105 * Openstack Neutron BGPVPN Driver
106 * OpenDaylight Controller (NetVirt)
107 * BGP Quagga Stack to support EVPN with RouteType 5 NLRI
108 * DC-Gateway BGP Neighbour that supports EVPN with RouteType 5 NLRI
110 The changes required in Openstack Neutron BGPVPN Driver and BGP Quagga Stack
111 are captured in the Solution considerations section down below.
116 For both the use-cases above, we have put together the required pipeline changes here.
117 For ease of understanding, we have made subsections that talk about Intra-DC
118 traffic and Inter-DC traffic.
123 Intra Subnet, Local DPN: VMs on the same subnet, same VPN, same DPN
124 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
126 There are no explicit pipeline changes for this use-case. However the tables that
127 a packet will traverse through is shown below for understanding purposes.
129 | Classifier Table (0) =>
130 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
131 | L3 Gateway MAC Table (19) ``tablemiss: goto_table=17`` =>
132 | Lport Dispatcher Table (17) ``elan service: set elan-id=elan-tag`` =>
133 | ELAN Source MAC Table (50) ``match: elan-id=elan-tag, src-mac=source-vm-mac`` =>
134 | ELAN Destination MAC Table (51) ``match: elan-id=elan-tag, dst-mac=dst-vm-mac set output to port-of-dst-vm``
136 Intra Subnet, Remote DPN: VMs on two different DPNs, both VMs on the same subnet and same VPN
137 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
139 There are no explicit pipeline changes for this use-case. However the tables that
140 a packet will traverse through is shown below for understanding purposes.
142 VM sourcing the traffic (Ingress DPN)
143 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
145 | Classifier Table (0) =>
146 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
147 | L3 Gateway MAC Table (19) ``l3vpn service: tablemiss: goto_table=17`` =>
148 | Lport Dispatcher Table (17) ``elan service: set elan-id=elan-tag`` =>
149 | ELAN Source MAC Table (50) ``match: elan-id=elan-tag, src-mac=source-vm-mac`` =>
150 | ELAN Destination MAC Table (51) ``match: elan-id=elan-tag, dst-mac=dst-vm-mac set tun-id=dst-vm-lport-tag, output to vxlan-tun-port``
153 VM receiving the traffic (Egress DPN)
154 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
156 | Classifier Table (0) =>
157 | Internal Tunnel Table (36) ``match: tun-id=lport-tag set reg6=dst-vm-lport-tag`` =>
158 | Lport Egress Table (220) ``Output to dst vm port``
160 Inter Subnet, Local DPN: VMs on different subnet, same VPN, same DPN
161 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
163 There are no explicit pipeline changes for this use-case. However the tables that
164 a packet will traverse through is shown below for understanding purposes.
166 | Classifier Table (0) =>
167 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
168 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
169 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=dst-vm-ip-address set output to nexthopgroup-dst-vm`` =>
170 | NextHopGroup-dst-vm: ``set-eth-dst dst-mac-vm, reg6=dst-vm-lport-tag`` =>
171 | Lport Egress Table (220) ``Output to dst vm port``
175 cookie=0x8000000, table=0, priority=4,in_port=1 actions=write_metadata:0x10000000000/0xffffff0000000001,goto_table:17
176 cookie=0x8000001, table=17, priority=5,metadata=0x5000010000000000/0xffffff0000000000 actions=write_metadata:0x60000100000222e0/0xfffffffffffffffe,goto_table:19
177 cookie=0x8000009, table=19, priority=20,metadata=0x222e0/0xfffffffe,dl_dst=de:ad:be:ef:00:01 actions=goto_table:21
178 cookie=0x8000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.2 actions=apply_actions(group:150001)
180 Inter Subnet, Remote DPN: VMs on two different DPNs, both VMs on different subnet, but same VPN
181 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
183 For this use-case there is a change in the remote flow rule to L3 Forward the traffic to the remote VM.
184 The flow-rule will use the LPortTag as the vxlan-tunnel-id, in addition to setting the destination mac address of the
185 remote destination vm.
187 VM sourcing the traffic (Ingress DPN)
188 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
190 | Classifier Table (0) =>
191 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
192 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
193 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=dst-vm-ip-address set eth-dst-mac=dst-vm-mac, tun-id=dst-vm-lport-tag, output to vxlan-tun-port``
197 cookie=0x8000000, table=0, priority=4,in_port=1 actions=write_metadata:0x10000000000/0xffffff0000000001,goto_table:17
198 cookie=0x8000001, table=17, priority=5,metadata=0x5000010000000000/0xffffff0000000000 actions=write_metadata:0x60000100000222e0/0xfffffffffffffffe,goto_table:19
199 cookie=0x8000009, table=19, priority=20,metadata=0x222e0/0xfffffffe,dl_dst=de:ad:be:ef:00:01 actions=goto_table:21
200 cookie=0x8000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.2 actions=apply_actions(group:150001)
201 cookie=0x8000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.3 actions=apply_actions(set_field:fa:16:3e:f8:59:af->eth_dst,set_field:0x2->tun_id,output:2)
203 As you can notice 0x2 set in the above flow-rule as tunnel-id is the LPortTag assigned to VM holding IP Address 10.0.0.3.
205 VM receiving the traffic (Egress DPN)
206 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
208 | Classifier Table (0) =>
209 | Internal Tunnel Table (36) ``match: tun-id=lport-tag set reg6=lport-tag-dst-vm`` =>
210 | Lport Egress Table (220) ``Output to dst vm port``
214 cookie=0x8000001, table=0, priority=5,in_port=2 actions=write_metadata:0x40000000001/0xfffff0000000001,goto_table:36
215 cookie=0x9000001, table=36, priority=5,tun_id=0x2 actions=load:0x400->NXM_NX_REG6[],resubmit(,220)
217 As you notice, 0x2 tunnel-id match in the above flow-rule in INTERNAL_TUNNEL_TABLE (Table 36), is the LPortTag assigned
218 to VM holding IP Address 10.0.0.3.
226 Not supported in this Phase
231 For this use-case we are doing a couple of pipeline changes:
233 a. Introducing a new Table aka L3VNI_EXTERNAL_TUNNEL_DEMUX_TABLE (Table 23).
234 **L3VNI_EXTERNAL_TUNNEL_DEMUX_TABLE (Table 23)** - This table is a new table in the L3VPN pipeline and will be
235 responsible only to process VXLAN packets coming from External VXLAN tunnels.
237 The packets coming from External VXLAN Tunnels (note: not Internal VXLAN Tunnels), would be directly punted
238 to this new table from the CLASSIFIER TABLE (Table 0) itself. Today when multiple services bind to a
239 tunnel port on GENIUS, the service with highest priority binds directly to Table 0 entry for the tunnel port.
240 So such a service should make sure to provide a fallback to Dispatcher Table so that subsequent service interested
241 in that tunnel traffic would be given the chance.
243 The new table L3VNI_EXTERNAL_TUNNEL_DEMUX_TABLE will have flows to match on VXLAN
244 VNIs that are L3VNIs. On a match, their action is to fill the metadata with the VPNID, so that further
245 tables in the L3VPN pipeline would be able to continue and operate with the VPNID metadata seamlessly.
246 After filling the metadata, the packets are resubmitted from this new table to the L3_GW_MAC_TABLE (Table 19).
247 The TableMiss in L3VNI_EXTERNAL_TUNNEL_DEMUX_TABLE will resubmit the packet to LPORT_DISPATCHER_TABLE to enable
248 next service if any to process the packet ingressing from the external VXLAN tunnel.
250 b. For all packets going from VMs within the DC, towards the external gateway device via the External VXLAN Tunnel,
251 we are setting the VXLAN Tunnel ID to the L3VNI value of VPNInstance to which the VM belongs to.
253 Traffic from DC-Gateway to Local DPN (SYMMETRIC IRB)
254 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
256 | Classifier Table (0) =>
257 | L3VNI External Tunnel Demux Table (23) ``match: tun-id=l3vni set vpn-id=l3vpn-id`` =>
258 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
259 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=dst-vm-ip-address set output to nexthopgroup-dst-vm`` =>
260 | NextHopGroup-dst-vm: ``set-eth-dst dst-mac-vm, reg6=dst-vm-lport-tag`` =>
261 | Lport Egress Table (220) ``Output to dst vm port``
266 cookie=0x8000001, table=0, priority=5,in_port=9 actions=write_metadata:0x70000000001/0x1fffff0000000001,goto_table:23
267 cookie=0x8000001, table=19, priority=20,metadata=0x222e0/0xffffffff,dl_dst=de:ad:be:ef:00:06 actions=goto_table:21
268 cookie=0x8000001, table=23, priority=5,tun_id=0x16 actions= write_metadata:0x222e0/0xfffffffe,resubmit(19)
269 cookie=0x8000001, table=23, priority=0,resubmit(17)
270 cookie=0x8000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.2 actions=apply_actions(group:150001)
271 cookie=0x8000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.3 actions=apply_actions(set_field:fa:16:3e:f8:59:af->eth_dst,set_field:0x2->tun_id,output:2)
273 In the above flow rules, Table 23 is the new L3VNI_EXTERNAL_TUNNEL_DEMUX_TABLE. The in_port=9 reprsents an
274 external VXLAN Tunnel port.
276 Traffic from Local DPN to DC-Gateway (SYMMETRIC IRB)
277 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
279 | Classifier Table (0) =>
280 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
281 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
282 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=ext-ip-address set eth-dst-mac=dst-mac-address, tun-id=l3vni, output to ext-vxlan-tun-port``
286 cookie=0x7000001, table=0, priority=5,in_port=8, actions=write_metadata:0x60000000001/0x1fffff0000000001,goto_table:17
287 cookie=0x7000001, table=17, priority=5,metadata=0x60000000001/0x1fffff0000000001 actions=goto_table:19
288 cookie=0x7000001, table=19, priority=20,metadata=0x222e0/0xffffffff,dl_dst=de:ad:be:ef:00:06 actions=goto_table:21
289 cookie=0x7000001, table=23, priority=5,tun_id=0x16 actions= write_metadata:0x222e0/0xfffffffe,resubmit(19)
290 cookie=0x7000001, table=23, priority=0,resubmit(17)
291 cookie=0x7000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.2 actions=apply_actions(group:150001)
292 cookie=0x7000003, table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.3 actions=apply_actions(set_field:fa:16:3e:f8:59:af->eth_dst,set_field:0x2->tun_id,output:2)
295 SNAT pipeline (Access to External Network Access over VXLAN)
296 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
298 SNAT Traffic from Local DPN to External IP (assuming this DPN is NAPT Switch)
299 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
301 | Classifier Table (0) =>
302 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
303 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
304 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id`` =>
305 | PSNAT Table (26) ``match: vpn-id=l3vpn-id`` =>
306 | Outbound NAPT Table (46) ``match: nw-src=vm-ip,port=int-port set src-ip=router-gateway-ip,vpn-id=external-vpn-id,port=ext-port`` =>
307 | NAPT PFIB Table (47) ``match: vpn-id=external-vpn-id`` =>
308 | L3 FIB Table (21) ``match: vpn-id=external-vpn-id nw-dst=external-entity-ip set eth-dst=external-entity-mac tun-id=external-l3vni, output to ext-vxlan-tun-port``
310 SNAT Reverse Traffic from External IP to Local DPN (assuming this DPN is NAPT Switch)
311 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
313 | Classifier Table (0) =>
314 | L3VNI External Tunnel Demux Table (23) ``match: tun-id=external-l3vni set vpn-id=external-vpn-id`` =>
315 | L3 Gateway MAC Table (19) ``match: vpn-id=external-vpn-id, dst-mac=external-router-gateway-mac-address`` =>
316 | Inbound NAPT Table (44) ``match: vpn-id=external-vpn-id nw-dst=router-gateway-ip port=ext-port set vpn-id=l3vpn-id, dst-ip=vm-ip``
317 | NAPT PFIB Table (47) ``match: vpn-id=l3vpn-id`` =>
318 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=dst-vm-ip-address set output to nexthopgroup-dst-vm`` =>
319 | NextHopGroup-dst-vm: ``set-eth-dst dst-mac-vm, reg6=dst-vm-lport-tag`` =>
320 | Lport Egress Table (220) ``Output to dst vm port``
322 DNAT pipeline (Access from External Network over VXLAN)
323 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
325 DNAT Traffic from External IP to Local DPN
326 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
328 | Classifier Table (0) =>
329 | L3VNI External Tunnel Demux Table (23) ``match: tun-id=external-l3vni set vpn-id=external-vpn-id`` =>
330 | L3 Gateway MAC Table (19) ``match: vpn-id=external-vpn-id, dst-mac=floating-ip-mac-address`` =>
331 | PDNAT Table (25) ``match: nw-dst=floating-ip set ip-dst=dst-vm-ip, vpn-id=l3vpn-id`` =>
332 | DNAT Table (27) ``match: vpn-id=l3vpn-id,nw-dst=dst-vm-ip`` =>
333 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=dst-vm-ip set output to nexthopgroup-dst-vm`` =>
334 | NextHopGroup-dst-vm: ``set-eth-dst dst-mac-vm, reg6=dst-vm-lport-tag`` =>
335 | Lport Egress Table (220) ``Output to dst vm port``
338 DNAT Reverse Traffic from Local DPN to External IP
339 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
341 | Classifier Table (0) =>
342 | Lport Dispatcher Table (17) ``l3vpn service: set vpn-id=l3vpn-id`` =>
343 | L3 Gateway MAC Table (19) ``match: vpn-id=l3vpn-id, dst-mac=vpn-subnet-gateway-mac-address`` =>
344 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id`` =>
345 | PSNAT Table (26) ``match: vpn-id=l3vpn-id nw-src=src-vm-ip set ip-src=floating-ip-src-vm, vpn-id=external-vpn-id`` =>
346 | SNAT Table (28) ``match: vpn-id=external-vpn-id nw-src=floating-ip-src-vm set eth-src=floating-ip-src-vm-mac-address`` =>
347 | L3 FIB Table (21) ``match: vpn-id=external-vpn-id nw-dst=external-floating-ip set eth-dst=external-mac-address tun-id=external-l3vni, output to ext-vxlan-tun-port``
349 More details of the NAT pipeline changes are in the NAT Service section of this spec.
353 Changes will be needed in ``l3vpn.yang`` , ``odl-l3vpn.yang`` , ``odl-fib.yang`` and
354 ``neutronvpn.yang`` to start supporting EVPN functionality.
358 A new leaf l3vni and a new leaf type will be added to container ``vpn-instances``
365 "The type of the VPN Instance.
366 ipvpn indicates it is an L3VPN.
367 evpn indicates it is EVPN”;
384 "The L3 VNI to use for this L3VPN Instance.
385 If this attribute is non-zero, it indicates
386 this L3VPN will do L3Forwarding over VXLAN.
387 If this value is non-zero, and the type field is ‘l2’,
389 If this value is zero, and the type field is ‘l3’, it is
390 the legacy L3VPN that will do L3Forwarding
392 If this value is zero, and the type field is ‘l2’, it
393 is an EVPN that will provide L2 Connectivity with
394 Openstack supplied VNI”.
400 The **type** value comes from Openstack BGPVPN ODL Driver based on what type of BGPVPN is
401 orchestrated by the tenant. That same **type** value must be retrieved and stored into
402 VPNInstance model above maintained by NeutronvpnManager.
404 ODL-L3VPN YANG changes
405 ++++++++++++++++++++++
406 A new leaf l3vni and a new leaf type will be added to container ``vpn-instance-op-data``
409 :caption: odl-l3vpn.yang
413 "The type of the VPN Instance.
414 ipvpn indicates it is an L3VPN.
415 evpn indicates it is EVPN”;
432 "The L3 VNI to use for this L3VPN Instance.
433 If this attribute is non-zero, it indicates
434 this L3VPN will do L3Forwarding over VXLAN.
435 If this value is non-zero, and the type field is ‘l2’,
437 If this value is zero, and the type field is ‘l3’, it is
438 the legacy L3VPN that will do L3Forwarding
440 If this value is zero, and the type field is ‘l2’, it
441 is an EVPN that will provide L2 Connectivity with
442 Openstack supplied VNI”.
448 For every interface in the cloud that is part of an L3VPN which has an L3VNI setup, we should
449 extract that L3VNI from the config VPNInstance and use that to both program the flows as well
450 as advertise to BGP Neighbour using RouteType 5 BGP Route exchange.
451 Fundamentally, what we are accomplishing is L3 Connectivity over VXLAN tunnels by using the
456 Few new leafs like mac_address , gateway_mac_address , l2vni, l3vni and a leaf encap-type will
457 be added to container ``fibEntries``
460 :caption: odl-fib.yang
464 "This flag indicates how to interpret the existing label field.
465 A value of mpls indicates that the label will continue to
466 be considered as an MPLS Label.
467 A value of vxlan indicates that vni should be used to
472 description "MPLSOverGRE";
497 leaf gateway_mac_address {
506 The encaptype indicates whether an MPLSOverGre or VXLAN encapsulation should be used
507 for this route. If the encapType is MPLSOverGre then the usual label field will carry
508 the MPLS Label to be used in datapath for traffic to/from this VRFEntry IP prefix.
510 If the encaptype is VXLAN, the VRFEntry implicitly refers that this route is reachable
511 via a VXLAN tunnel. The L3VNI will carry the VRF VNI and there will also be an L2VNI which
512 represents the VNI of the network to which the VRFEntry belongs to.
514 Based on whether Symmetric IRB (or) Asymmetric IRB is configured to be used by the CSC
515 (see section on Configuration Impact below). If Symmetric IRB is configured, then the L3VNI
516 should be used to program the flows rules. If Asymmetric IRB is configured, then L2VNI should
517 be used in the flow rules.
519 The mac_address field must be filled for every route in an EVPN. This mac_address field
520 will be used for support intra-DC communication for both inter-subnet and intra-subnet routing.
522 The gateway_mac_address must always be filled for every route in an EVPN.[AKMA7] [NV8]
523 This gateway_mac_address will be used for all packet exchanges between DC-GW and the
524 DPN in the DC to support L3 based forwarding with Symmetric IRB.
526 NEUTRONVPN YANG changes
527 +++++++++++++++++++++++
528 One new leaf l3vni will be added to container grouping ``vpn-instance``
531 :caption: odl-fib.yang
539 Solution considerations
540 -----------------------
542 Proposed change in Openstack Neutron BGPVPN Driver
543 +++++++++++++++++++++++++++++++++++++++++++++++++++
544 The Openstack Neutron BGPVPN’s ODL driver in Newton release needs to be changed, so that
545 it is able to relay the configured L2 BGPVPNs, to the OpenDaylight Controller.
546 As of Mitaka release, only L3 BGPVPNs configured in Openstack are being relayed to the
547 OpenDaylight Controller. So in addition to addressing the ODL BGPVPN Driver changes in
548 Newton, we will provide a Mitaka based patch that will integrate into Openstack.
550 The Newton changes for the BGPVPN Driver has merged and is here:
551 https://review.openstack.org/#/c/370547/
553 Proposed change in BGP Quagga Stack
554 ++++++++++++++++++++++++++++++++++++
555 The BGP Quagga Stack is a component that interfaces with ODL Controller to enable ODL Controller itself
556 to become a BGP Peer. This BGP Quagga Stack need to be enhanced so that it is able to embrace EVPN
557 with Route Type 5 on the following two interfaces:
559 * Thrift Interface where ODL pushes routes to BGP Quagga Stack
560 * Route exchanges from BGP Quagga Stack to other BGP Neighbors (including DC-GW).
562 Proposed change in OpenDaylight-specific features
563 +++++++++++++++++++++++++++++++++++++++++++++++++
565 The following components within OpenDaylight Controller needs to be enhanced:
568 * VPN Engine (VPN Manager and VPN Interface Manager)
571 * VPN SubnetRoute Handler
574 Import Export RT support for EVPN
575 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
576 Currently Import/Export logic for L3VPN uses a LabelRouteInfo structure to build information
577 about imported prefixes using MPLS Label as the key. However, this structure cannot be used
578 for EVPN as the L3VNI will be applicable for an entire EVPN Instance instead of the MPLS Label.
579 In lieu of LabelRouteInfo, we will maintain an IPPrefixInfo keyed structure that can be used
580 for facilitating Import/Export of VRFEntries across both EVPNs and L3VPNs.
583 :caption: odl-fib.yang
587 key "prefix, parent-rd"
604 leaf-list next-hop-ip-list {
608 leaf-list vpn-instance-list {
616 leaf vpn-interface-name {
624 leaf is-subnet-route {
630 "This flag indicates how to interpret the existing label field.
631 A value of mpls indicates that the l3label should be considered as an MPLS
633 A value of vxlan indicates that l3label should be considered as an VNI.
637 description "MPLSOverGRE";
657 leaf gateway_mac_address {
663 SubnetRoute support on EVPN
664 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
665 The subnetRoute feature will continue to be supported on EVPN and we will use RT5 to publish
666 subnetRoute entries with either the router-interface-mac-address if available (or) if not
667 available use the pre-defined hardcoded MAC Address described in section Configuration Impact.
668 For both ExtraRoutes and MIPs (invisible IPs) discovered via subnetroute, we will continue
669 to use RT5 to publish those prefixes.[AKMA9] [NV10]
670 On the dataplane, VXLAN packets from the DC-GW will carry the MAC Address of the gateway-ip
671 for the subnet in the inner DMAC.
673 NAT Service support for EVPN
674 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
675 However, since external network NAT should continue to be supported on VXLAN, making NAT
676 service work on L3VPNs that use VXLAN as the tunnel type becomes imperative.
678 Existing SNAT/DNAT design assumed internetVpn to be using mplsogre as the connectivity
679 from external network towards DCGW. This needs to be changed such that it can handle even
680 EVPN case with VXLAN connectivity as well.
682 As of the implementation required for this specification, the workflow will be to create
683 InternetVPN with and associate a single external network to that is of VXLAN Provider Type.
684 The Internet VPN itself will be an L3VPN that will be created via the ODL RESTful API and
685 during creation an L3VNI parameter will be supplied to enable this L3VPN to operate on a
686 VXLAN dataplane. The L3VNI provided to the Internet VPN can be different from the VXLAN
687 segmentation ID associated to the external network.
689 However, it will be a more viable use-case in the community if we mandate in our workflow
690 that both the L3VNI configured for Internet VPN and the VXLAN segmentation id of the
691 associated external network to the Internet VPN be the same.
692 NAT service can use vpninstance-op-data model to classify the DCGW connectivity for internetVpn.
694 For the Pipeline changes for NAT Service, please refer to 'Pipeline changes' section.
696 SNAT to start using Router Gateway MAC, in translated entry in table 46 (Outbound SNAT table)
697 and in table 19 (L3_GW_MAC_Table). Presently Router gateway mac is already stored in odl-nat model
700 DNAT to start using Floating MAC, in table 28 (SNAT table) and in table 19 (L3_GW_MAC Table).
701 Change in pipeline mainly reverse traffic for SNAT and DNAT so that when packet arrives from DCGW,
702 it goes to 0->38->17->19 and based on Vni and MAC matching, take it back to SNAT or DNAT pipelines.
704 Also final Fib Entry pointing to DCGW in forward direction also needs modification where we should
705 start using VXLAN’s vni, FloatingIPMAC (incase of DNAT) and ExternalGwMacAddress(incase of SNAT)
706 and finally encapsulation type as VXLAN.
708 For SNAT advertise to BGP happens during external network association to Vpn and during High
709 availability scenarios where you need to re-advertise the NAPT switch. For DNAT we need to
710 advertise when floating IP is associated to the VM.
711 For both SNAT and DNAT this IS mandates that we do only RT5 based advertisement. That RT5
712 advertisement must carry the external gateway mac address assigned for the respective Router
713 for SNAT case while for DNAT case the RT5 will carry the floating-ip-mac address.
715 ARP request/response and MIP handling Support for EVPN
716 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
717 Will not support ARP across DCs, as we donot support intra-subnet inter-DC scenarios.
719 * For intra-subnet intra-DC scenarios, the ARPs will be serviced by existing ELAN pipeline.
720 * For inter-subnet intra-DC scenarios, the ARPs will be processed by ARP Responder implementation that is already pursued in Carbon.
721 * For inter-subnet inter-DC scenarios, ARP requests won’t be generated by DC-GW. Instead the DC-GW will use ‘gateway mac’ extended attribute MAC Address information and put that directly into DSTMAC field of Inner MAC Header by the DC-GW for all packets sent to VMs within the DC.
722 * As quoted, intra-subnet inter-DC scenario is not a supported use-case as per this Implementation Spec.
724 Tunnel state handling Support
725 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
726 We have to handle both the internal and external tunnel events for L3VPN (with L3VNI) the same way
727 it is handled for current L3VPN.
729 InterVPNLink support for EVPN
730 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
731 Not supported as this is not a requirement for this Spec.
733 Supporting VLAN Aware VMs (Trunk and SubPorts)
734 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
735 Not supported as this is not a requirement for this Spec.
739 We will continue to support cold migration of VMs across hypervisors across L3VPNs as supported
740 already in current ODL Carbon Release.
744 This feature support all the following Reboot Scenarios for EVPN:
746 * Entire Cluster Reboot
748 * Candidate PL reboot
749 * OVS Datapath reboots
750 * Multiple PL reboots
751 * Multiple Cluster reboots
752 * Multiple reboots of the same OVS Datapath.
753 * Openstack Controller reboots
758 The following parameters have been initially made available as configurable for EVPN. These
759 configurations can be made via the RESTful interface:
761 **1.Multi-homing-mode** – For multi-homing use cases where redundant DCGWs are used ODL can be configured with ‘none’, ‘all-active’ or ‘single-active’ multi-homing mode. Default will be ‘none’.
763 **2.IRB-mode** – Depending upon the support on DCGW, ODL can be configured with either ‘Symmetric’ or ‘Asymmetric’ IRB mode. Default is ‘Symmetric’.
765 There is another important parameter though it won’t be configurable:
767 **MAC Address Prefix for EVPN** – This MAC Address prefix represents the MAC Address prefix that will be hardcoded and that MACAddress will be used as the gateway mac address if it is not supplied from Openstack. This will usually be the case when networks are associated to an L3VPN with no gateway port yet configured in Openstack for such networks.
770 Clustering considerations
771 -------------------------
772 The feature should operate in ODL Clustered environment reliably.
774 Other Infra considerations
775 --------------------------
778 Security considerations
779 -----------------------
782 Scale and Performance Impact
783 ----------------------------
784 Not covered by this Design Document.
792 Alternatives considered and why they were not selected.
799 This feature can be used by installing odl-netvirt-openstack.
800 This feature doesn't add any new karaf feature.
804 The creational RESTful API for the L3VPN will be enhanced to accept
805 the L3VNI as an additional attribute as in the below request format:
812 'export-RT': ['50:2'],
813 'route-distinguisher': ['50:2'],
814 'import-RT': ['50:2'],
815 'id': '4ae8cd92-48ca-49b5-94e1-b2921a260007',
817 'tenant-id': 'a565b3ed854247f795c0840b0481c699'
820 There is no change in the REST API for associating networks, associating routers (or) deleting
823 On the Openstack-side configuration, the vni_ranges configured in Openstack Neutron ml2_conf.ini
824 should not overlap with the L3VNI provided in the ODL RESTful API.
825 In an inter-DC case, where both the DCs are managed by two different Openstack Controller
826 Instances, the workflow will be to do the following:
828 1. Configure the DC-GW2 facing OSC2 and DC-GW1 facing OSC1 with the same BGP configuration parameters.
829 2. On first Openstack Controller (OSC1) create an L3VPN1 with RD1 and L3VNI1
830 3. Create a network Net1 and Associate that Network Net1 to L3VPN1
831 4. On second Openstack Controller (OSC2) create an L3VPN2 with RD1 with L3VNI2
832 5. Create a network Net2 on OSC2 and associate that Network Net2 to L3VPN2.
833 6. Spin-off VM1 on Net1 in OSC1.
834 7. Spin-off VM2 on Net2 in OSC2.
835 8. Now VM1 and VM2 should be able to communicate.
845 Kiran N Upadhyaya (kiran.n.upadhyaya@ericsson.com)
847 Sumanth MS (sumanth.ms@ericsson.com)
849 Basavaraju Chickmath (basavaraju.chickmath@ericsson.com)
852 Vivekanandan Narasimhan (n.vivekanandan@ericsson.com)
856 The Trello cards have already been raised for this feature
859 Here is the link for the Trello Card:
860 https://trello.com/c/Tfpr3ezF/33-evpn-evpn-rt5
862 New tasks into this will be added to cover Java UT and
867 Requires a DC-GW that is supporting EVPN RT5 on BGP Control plane.
871 Capture details of testing that will need to be added.
875 Appropriate UTs will be added for the new code coming in once framework is in place.
879 There won't be any Integration tests provided for this feature.
883 CSIT will be enhanced to cover this feature by providing new CSIT tests.
887 This will require changes to User Guide and Developer Guide.
889 User Guide will need to add information on how OpenDaylight can
890 be used to deploy L3 BGPVPNs and enable communication across
891 datacenters between virtual endpoints in such L3 BGPVPN.
893 Developer Guide will capture the ODL L3VPN API changes to enable
894 management of an L3VPN that can use VXLAN overlay to enable
895 communication across datacenters.
899 [1] `EVPN_RT5 <https://tools.ietf.org/html/draft-ietf-bess-evpn-prefix-advertisement-03>`_
901 [2] `Network Virtualization using EVPN <https://www.ietf.org/id/draft-ietf-bess-evpn-overlay-07.txt>`_
903 [3] `Integrated Routing and Bridging in EVPN <https://tools.ietf.org/html/draft-ietf-bess-evpn-inter-subnet-forwarding-04>`_
905 [4] `VXLAN DCI using EVPN <https://tools.ietf.org/html/draft-boutros-bess-vxlan-evpn-02>`_
907 [5] `BGP MPLS-Based Ethernet VPN <https://tools.ietf.org/html/rfc7432>`_
909 * http://docs.opendaylight.org/en/latest/documentation.html
910 * https://wiki.opendaylight.org/view/Genius:Carbon_Release_Plan