Virtual network based tunneling

Segment definition

Each segment has its own policies. For example, if a group of clients belong to an admin segment, then this segment can have better QoS and security privileges as compared to the segments assigned to guest clients.

Inter-segment traffic is prohibited between two segments based on policy.

A segment does not map to a network construct such as a VLAN or a VRF. Multiple segments can co-exist within a VLAN, or a segment can span multiple VLANs and VRFs. However, the switch must realize segmentation using network constructs such as VLANs, VRFs, ACLs, etc.

Example

This example illustrates a simple deployment using two VLANs and VRFs.

Overlay client VLAN | L2 VNI | Subnet
--------------------|--------|-----------
10                  | 100    | 1.1.1.0/24
20                  | 200    | 2.2.2.0/24

Overlay client VRF | L3 VNI | Overlay SVIs on VRF                                                                                        | Overlay ROPs on VRF
-------------------|--------|------------------------------------------------------------------------------------------------------------|-----------------------------------------
A                  | 10000  | VLAN interfaces 10 and 20 on the access switches; VLAN interface to the north of the core (if any needed). | ROP interfaces to the north of the core.

Configuration on switches                                          | A1 | A2 | Core
-------------------------------------------------------------------|----|----|-----
L2 VNI 100; anycast gateway for 1.1.1.0/24; VLAN interface for 10 | Y  | Y  | N
L2 VNI 200; anycast gateway for 2.2.2.0/24; VLAN interface for 20 | Y  | Y  | N
VRF A; L3 VRF for A                                                | Y  | Y  | Y
RD and RTs for VRF A (can be derived from the L3 VNI too)          | Y  | Y  | Y

The two VRFs are configured on the core switch, and the two VLANs and VRFs are configured on the two access switches as required. The two VLANs and the VRF are part of the running config on both access switches.

Initially, the status of the two VLANs on the access switches is down. This means that:

  • No EVPN routes (the RT-3 IMET route, and the RT-5 and RT-2 routes with respect to the VLAN interfaces) are announced by the switches.
  • No VXLAN tunnels are established between any pairs of switches.

When Host H1 connects to A1, the host is authenticated with CPPM and the client is mapped to Role-1 on VLAN 10. This results in the following:

  • The VLAN state changes to up in show commands on A1.

  • The L2 and L3 forwarding constructs for the local MAC of H1 are programmed onto VLAN 10 inside A1.

  • The IMET route for L2VNI is advertised by A1.
    • This route is not used by the core, as the core has no footprint of VLAN 10.

    • This route is not used by A2 either, because A2 does not yet have a local VLAN 10 in the "up" state.

  • RT-5 prefix route (if enabled) is advertised by A1.

    • Upon receiving the route, the core programs the prefix route (1.1.1.0/24). This also results in VxLAN tunnel programming on the core towards A1.

    • A2 still does not use this route, because the VRF is not instantiated on A2 yet.

  • The RT-4 and the RT-2 routes are advertised by A1.
    • Upon receiving the route, the core programs the host route (1.1.1.1/32) with NH as A1. The existing tunnel towards A1 is reused.

    • A2 still does not use this route.

  • The BUM domain for VLAN 10 on A1 is still the local host H1. This is because VLAN 10 is not instantiated on any other switch as yet.

  • Any prefix routes from the core are programmed by A1, and A1 also programs a VxLAN tunnel towards the core.

When Host H2 connects to A2, the host is authenticated with CPPM and the client is mapped to, say, Role-1, whose VLAN is VLAN 10. This results in the following:

  • The VLAN state changes to "up" in the show commands.

  • The L2 and L3 forwarding constructs for the local MAC of H2 are programmed into VLAN 10 inside A2.

  • The IMET route for L2VNI is advertised by A2.

    • Again, this route is not used by the core, as the core has no footprint of VLAN 10.

    • This route is used by A1. It creates a VXLAN tunnel towards A2 and adds it to the BUM domain for VLAN 10.

  • RT-5 prefix route (if enabled) is advertised by A2.

    • Upon receiving the route, the core programs the prefix route (1.1.1.0/24). In the absence of ECMP, the existing route in the core is overwritten. This also results in VxLAN tunnel programming on the core towards A2.

    • A1 still does not use this route, because the local connected route for 1.1.1.0/24 has higher priority.

  • The RT-4 and the RT-2 routes are advertised by A2.

    • Upon receiving the route, the core programs the host route (1.1.1.2/32). The existing tunnel is reused.

    • A1 programs the 1.1.1.2/32 route into its FIB with NH as VTEP towards A2.

  • Any prefix routes from the core are programmed by A2, and A2 also programs a VxLAN tunnel towards the core.

  • Thus a full mesh of VxLAN tunnels is created.

When host H3 connects to A2 and is onboarded on VLAN 20, this results in the following:

  • The VLAN state of VLAN 20 changes to "up" in the show commands.

  • The L2 and L3 forwarding constructs for the local MAC of H3 are programmed into VLAN 20 inside A2.

  • The IMET route for L2VNI is advertised by A2.

    • Again, this route is not used by the core, as the core has no footprint of VLAN 20.

    • This route is not used by A1 either for the same reason.

  • RT-5 prefix route (if enabled) is advertised by A2.

    • Upon receiving the route, the core programs the prefix route (2.2.2.0/24). The core reuses the existing tunnel.

    • A1 also programs the prefix route with NH as A2.

  • The RT-4 and the RT-2 routes with respect to H3 are advertised by A2.

    • A1 programs its FIB for host route 2.2.2.2/24 with NH as A2. But it reuses the existing tunnel.

    • Same behavior on the core.

Additional notes

  • Reference counts maintained in the access switches ensure that existing tunnels are reused as and when new clients come up.
  • Clients leaving the VLAN (disconnect, authentication timeout, etc.) can lead to the reversal of the procedure described above, i.e. deletion of local programming, withdrawal of routes, VLAN status change, etc. The reversal is initiated based on the reference count.
  • Dynamic VLAN instantiation does not mandate VNI association for VLANs. Even local VLANs with secure clients (if any) are also dynamically instantiated.
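The following is an added, constructed model of the RT-3 (IMET) part of the sequence in the Example above and of the reference-count reversal from the Additional notes; it is not switch or vendor code. It assumes an in-memory "fabric" dictionary standing in for BGP EVPN route distribution, and models only VLAN footprint, BUM-domain membership and tunnel reference counts (not the RT-2/RT-5 routes or the VRF).

```python
from collections import defaultdict


class Switch:
    """One VTEP. `fabric` is a shared dict name -> Switch that plays the role
    of the EVPN control plane (constructed stand-in, not real BGP)."""

    def __init__(self, name, fabric):
        self.name, self.fabric = name, fabric
        fabric[name] = self
        self.clients = defaultdict(set)   # vlan -> hosts authenticated onto it
        self.imet_rib = set()             # (peer, vlan) IMET routes held, used or not
        self.tunnels = defaultdict(int)   # peer -> reference count of VXLAN tunnel users
        self.bum = defaultdict(set)       # vlan -> peers in the BUM domain

    def vlan_up(self, vlan):
        # A VLAN is "up" only while at least one client is mapped onto it.
        return bool(self.clients[vlan])

    def host_join(self, host, vlan):
        """Client authenticated (role -> VLAN). First client brings the VLAN up."""
        was_up = self.vlan_up(vlan)
        self.clients[vlan].add(host)
        if was_up:
            return                        # VLAN already up: existing state is reused
        self._announce(vlan, withdraw=False)

    def host_leave(self, host, vlan):
        """Client disconnects or times out. Last client takes the VLAN down."""
        self.clients[vlan].discard(host)
        if not self.vlan_up(vlan):
            self._announce(vlan, withdraw=True)

    def _announce(self, vlan, withdraw):
        # Advertise or withdraw the RT-3 (IMET) route; every switch re-evaluates.
        for peer in self.fabric.values():
            if peer is not self:
                (peer.imet_rib.discard if withdraw else peer.imet_rib.add)((self.name, vlan))
                peer.evaluate(vlan)
        self.evaluate(vlan)

    def evaluate(self, vlan):
        """Use held IMET routes only while the VLAN has a local footprint (is up)."""
        wanted = {p for (p, v) in self.imet_rib if v == vlan} if self.vlan_up(vlan) else set()
        for peer in wanted - self.bum[vlan]:
            self.tunnels[peer] += 1       # new user: create the tunnel or reuse it
        for peer in self.bum[vlan] - wanted:
            self.tunnels[peer] -= 1       # release; tunnel is deleted at zero references
            if self.tunnels[peer] == 0:
                del self.tunnels[peer]
        self.bum[vlan] = wanted
```

A core switch modelled the same way never has clients, so it holds the IMET routes but never installs a tunnel from them, matching the "not used by the core" steps above.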