idnits 2.17.1
draft-ietf-rtgwg-bgp-routing-large-dc-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (February 12, 2015) is 3361 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
== Outdated reference: A later version (-15) exists of
draft-ietf-idr-add-paths-10
== Outdated reference: A later version (-07) exists of
draft-ietf-idr-link-bandwidth-06
Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Routing Area Working Group P. Lapukhov
3 Internet-Draft Facebook
4 Intended status: Informational A. Premji
5 Expires: August 16, 2015 Arista Networks
6 J. Mitchell, Ed.
7 Microsoft Corporation
8 February 12, 2015
10 Use of BGP for routing in large-scale data centers
11 draft-ietf-rtgwg-bgp-routing-large-dc-01
13 Abstract
15 Some network operators build and operate data centers that support
16 over one hundred thousand servers. In this document, such data
17 centers are referred to as "large-scale" to differentiate them from
18 smaller infrastructures. Environments of this scale have a unique
19 set of network requirements with an emphasis on operational
20 simplicity and network stability. This document summarizes
21 operational experience in designing and operating large-scale data
22 centers using BGP as the only routing protocol. The intent is to
23 report on a proven and stable routing design that could be leveraged
24 by others in the industry.
26 Status of This Memo
28 This Internet-Draft is submitted in full conformance with the
29 provisions of BCP 78 and BCP 79.
31 Internet-Drafts are working documents of the Internet Engineering
32 Task Force (IETF). Note that other groups may also distribute
33 working documents as Internet-Drafts. The list of current Internet-
34 Drafts is at http://datatracker.ietf.org/drafts/current/.
36 Internet-Drafts are draft documents valid for a maximum of six months
37 and may be updated, replaced, or obsoleted by other documents at any
38 time. It is inappropriate to use Internet-Drafts as reference
39 material or to cite them other than as "work in progress."
41 This Internet-Draft will expire on August 16, 2015.
43 Copyright Notice
45 Copyright (c) 2015 IETF Trust and the persons identified as the
46 document authors. All rights reserved.
48 This document is subject to BCP 78 and the IETF Trust's Legal
49 Provisions Relating to IETF Documents
50 (http://trustee.ietf.org/license-info) in effect on the date of
51 publication of this document. Please review these documents
52 carefully, as they describe your rights and restrictions with respect
53 to this document. Code Components extracted from this document must
54 include Simplified BSD License text as described in Section 4.e of
55 the Trust Legal Provisions and are provided without warranty as
56 described in the Simplified BSD License.
58 Table of Contents
60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
61 2. Network Design Requirements . . . . . . . . . . . . . . . . . 4
62 2.1. Bandwidth and Traffic Patterns . . . . . . . . . . . . . 4
63 2.2. CAPEX Minimization . . . . . . . . . . . . . . . . . . . 4
64 2.3. OPEX Minimization . . . . . . . . . . . . . . . . . . . . 5
65 2.4. Traffic Engineering . . . . . . . . . . . . . . . . . . . 5
66 2.5. Summarized Requirements . . . . . . . . . . . . . . . . . 5
67 3. Data Center Topologies Overview . . . . . . . . . . . . . . . 6
68 3.1. Traditional DC Topology . . . . . . . . . . . . . . . . . 6
69 3.2. Clos Network topology . . . . . . . . . . . . . . . . . . 7
70 3.2.1. Overview . . . . . . . . . . . . . . . . . . . . . . 7
71 3.2.2. Clos Topology Properties . . . . . . . . . . . . . . 8
72 3.2.3. Scaling the Clos topology . . . . . . . . . . . . . . 9
73 3.2.4. Managing the Size of Clos Topology Tiers . . . . . . 10
74 4. Data Center Routing Overview . . . . . . . . . . . . . . . . 10
75 4.1. Layer 2 Only Designs . . . . . . . . . . . . . . . . . . 11
76 4.2. Hybrid L2/L3 Designs . . . . . . . . . . . . . . . . . . 11
77 4.3. Layer 3 Only Designs . . . . . . . . . . . . . . . . . . 12
78 5. Routing Protocol Selection and Design . . . . . . . . . . . . 12
79 5.1. Choosing EBGP as the Routing Protocol . . . . . . . . . . 13
80 5.2. EBGP Configuration for Clos topology . . . . . . . . . . 14
81 5.2.1. Example ASN Scheme . . . . . . . . . . . . . . . . . 14
82 5.2.2. Private Use BGP ASNs . . . . . . . . . . . . . . . . 15
83 5.2.3. Prefix Advertisement . . . . . . . . . . . . . . . . 16
84 5.2.4. External Connectivity . . . . . . . . . . . . . . . . 17
85 5.2.5. Route Summarization at the Edge . . . . . . . . . . . 18
86 6. ECMP Considerations . . . . . . . . . . . . . . . . . . . . . 19
87 6.1. Basic ECMP . . . . . . . . . . . . . . . . . . . . . . . 19
88 6.2. BGP ECMP over Multiple ASNs . . . . . . . . . . . . . . . 20
89 6.3. Weighted ECMP . . . . . . . . . . . . . . . . . . . . . . 20
90 6.4. Consistent Hashing . . . . . . . . . . . . . . . . . . . 21
91 7. Routing Convergence Properties . . . . . . . . . . . . . . . 21
92 7.1. Fault Detection Timing . . . . . . . . . . . . . . . . . 21
93 7.2. Event Propagation Timing . . . . . . . . . . . . . . . . 22
94 7.3. Impact of Clos Topology Fan-outs . . . . . . . . . . . . 22
95 7.4. Failure Impact Scope . . . . . . . . . . . . . . . . . . 23
96 7.5. Routing Micro-Loops . . . . . . . . . . . . . . . . . . . 24
97 8. Additional Options for Design . . . . . . . . . . . . . . . . 25
98 8.1. Third-party Route Injection . . . . . . . . . . . . . . . 25
99 8.2. Route Summarization within Clos Topology . . . . . . . . 25
100 8.2.1. Collapsing Tier-1 Devices Layer . . . . . . . . . . . 26
101 8.2.2. Simple Virtual Aggregation . . . . . . . . . . . . . 27
102 8.3. ICMP Unreachable Message Masquerading . . . . . . . . . . 27
103 9. Security Considerations . . . . . . . . . . . . . . . . . . . 28
104 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
105 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 28
106 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
107 12.1. Normative References . . . . . . . . . . . . . . . . . . 29
108 12.2. Informative References . . . . . . . . . . . . . . . . . 29
109 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31
111 1. Introduction
113 This document describes a practical routing design that can be used
114 in a large-scale data center ("DC") design. Such data centers, also
115 known as hyper-scale or warehouse-scale data-centers, have a unique
116 attribute of supporting over a hundred thousand servers. In order to
117 accommodate networks of this scale, operators are revisiting
118 networking designs and platforms to address this need.
120 The design presented in this document is based on operational
121 experience with data centers built to support large scale distributed
122 software infrastructure, such as a Web search engine. The primary
123 requirements in such an environment are operational simplicity and
124 network stability so that a small group of people can effectively
125 support a significantly sized network.
127 After experimentation and extensive testing, Microsoft chose to use
128 an end-to-end routed network infrastructure with External BGP (EBGP)
129 [RFC4271] as the only routing protocol for some of its DC
130 deployments. This is in contrast with more traditional DC designs,
131 which may use simple tree topologies and rely on extending Layer 2
132 domains across multiple network devices. This document elaborates on
133 the requirements that led to this design choice and presents details
134 of the EBGP routing design as well as explores ideas for further
135 enhancements.
137 This document first presents an overview of network design
138 requirements and considerations for large-scale data centers. Then
139 traditional hierarchical data center network topologies are
140 contrasted with Clos networks that are horizontally scaled out. This
141 is followed by arguments for selecting EBGP with a Clos topology as
142 the most appropriate routing protocol to meet the requirements and
143 the proposed design is described in detail. Finally, the document
144 reviews some additional considerations and design options.
146 2. Network Design Requirements
148 This section describes and summarizes network design requirements for
149 large-scale data centers.
151 2.1. Bandwidth and Traffic Patterns
153 The primary requirement when building an interconnection network for
154 large number of servers is to accommodate application bandwidth and
155 latency requirements. Until recently it was quite common to see the
156 majority of traffic entering and leaving the data center, commonly
157 referred to as "north-south" traffic. As a result, traditional
158 "tree" topologies were sufficient to accommodate such flows, even
159 with high oversubscription ratios between the layers of the network.
160 If more bandwidth was required, it was added by "scaling up" the
161 network elements, e.g. by upgrading the device's line-cards or
162 fabrics or replacing the device with one with higher port density.
164 Today many large-scale data centers host applications generating
165 significant amounts of server-to-server traffic, which does not
166 egress the DC, commonly referred to as "east-west" traffic. Examples
167 of such applications could be compute clusters such as Hadoop,
168 massive data replication between clusters needed by certain
169 applications, or virtual machine migrations. Scaling traditional
170 tree topologies to match these bandwidth demands becomes either too
171 expensive or impossible due to physical limitations, e.g. port
172 density in a switch.
174 2.2. CAPEX Minimization
176 The cost of the network infrastructure alone (CAPEX) constitutes
177 about 10-15% of total data center expenditure (see [GREENBERG2009]).
178 However, the absolute cost is significant, and hence there is a need
179 to constantly drive down the cost of individual network elements.
180 This can be accomplished in two ways:
182 o Unifying all network elements, preferably using the same hardware
183 type or even the same device. This allows for volume pricing on
184 bulk purchases.
186 o Driving costs down using competitive pressures, by introducing
187 multiple network equipment vendors.
189 In order to allow for good vendor diversity it is important to
190 minimize the software feature requirements for the network elements.
192 This strategy provides maximum flexibility of vendor equipment
193 choices while enforcing interoperability using open standards.
195 2.3. OPEX Minimization
197 Operating large-scale infrastructure could be expensive, provided
198 that larger amount of elements will statistically fail more often.
199 Having a simpler design and operating using a limited software
200 feature-set minimizes software issue related failures.
202 An important aspect of OPEX minimization is reducing size of failure
203 domains in the network. Ethernet networks are known to be
204 susceptible to broadcast or unicast traffic storms that have dramatic
205 impact on network performance and availability. The use of a fully
206 routed design significantly reduces the size of the data-plane
207 failure domains - i.e. limits them to the lowest level in the network
208 hierarchy. However, such designs introduce the problem of
209 distributed control-plane failures. This observation calls for
210 simpler control-plane protocols that are expected to have less
211 chances of network meltdown. Minimizing software feature
212 requirements as described in the CAPEX section above also reduces
213 testing and training requirements.
215 2.4. Traffic Engineering
217 In any data center, application load-balancing is a critical function
218 performed by network devices. Traditionally, load-balancers are
219 deployed as dedicated devices in the traffic forwarding path. The
220 problem arises in scaling load-balancers under growing traffic
221 demand. A preferable solution would be able to scale load-balancing
222 layer horizontally, by adding more of the uniform nodes and
223 distributing incoming traffic across these nodes. In situation like
224 this, an ideal choice would be to use network infrastructure itself
225 to distribute traffic across a group of load-balancers. The
226 combination of Anycast prefix advertisement [RFC4786] and Equal Cost
227 Multipath (ECMP) functionality can be used to accomplish this goal.
228 To allow for more granular load-distribution, it is beneficial for
229 the network to support the ability to perform controlled per-hop
230 traffic engineering. For example, it is beneficial to directly
231 control the ECMP next-hop set for Anycast prefixes at every level of
232 network hierarchy.
234 2.5. Summarized Requirements
236 This section summarizes the list of requirements outlined in the
237 previous sections:
239 o REQ1: Select a topology that can be scaled "horizontally" by
240 adding more links and network devices of the same type without
241 requiring upgrades to the network elements themselves.
243 o REQ2: Define a narrow set of software features/protocols supported
244 by a multitude of networking equipment vendors.
246 o REQ3: Choose a routing protocol that has a simple implementation
247 in terms of programming code complexity and ease of operational
248 support.
250 o REQ4: Minimize the failure domain of equipment or protocol issues
251 as much as possible.
253 o REQ5: Allow for traffic engineering, preferably via explicit
254 control of the routing prefix next-hop using built-in protocol
255 mechanics.
257 3. Data Center Topologies Overview
259 This section provides an overview of two general types of data center
260 designs - hierarchical (also known as tree based) and Clos based
261 network designs.
263 3.1. Traditional DC Topology
265 In the networking industry, a common design choice for data centers
266 typically look like a (upside-down) tree with redundant uplinks and
267 three layers of hierarchy namely core, aggregation/distribution and
268 access layers (see Figure 1). To accommodate bandwidth demands, each
269 higher layer, from server towards DC egress or WAN, has higher port
270 density and bandwidth capacity where the core functions as the
271 "trunk" of the tree based design. To keep terminology uniform and
272 for comparison with other designs, in this document these layers will
273 be referred to as Tier-1, Tier-2 and Tier-3 "tiers" instead of Core,
274 Aggregation or Access layers.
276 +------+ +------+
277 | | | |
278 | |--| | Tier-1
279 | | | |
280 +------+ +------+
281 | | | |
282 +---------+ | | +----------+
283 | +-------+--+------+--+-------+ |
284 | | | | | | | |
285 +----+ +----+ +----+ +----+
286 | | | | | | | |
287 | |-----| | | |-----| | Tier-2
288 | | | | | | | |
289 +----+ +----+ +----+ +----+
290 | | | |
291 | | | |
292 | +-----+ | | +-----+ |
293 +-| |-+ +-| |-+ Tier-3
294 +-----+ +-----+
295 | | | | | |
296 <- Servers -> <- Servers ->
298 Figure 1: Typical DC network topology
300 3.2. Clos Network topology
302 This section describes a common design for horizontally scalable
303 topology in large scale data centers in order to meet REQ1.
305 3.2.1. Overview
307 A common choice for a horizontally scalable topology is a folded Clos
308 topology, sometimes called "fat-tree" (see, for example, [INTERCON]
309 and [ALFARES2008]). This topology features an odd number of stages
310 (sometimes known as dimensions) and is commonly made of uniform
311 elements, e.g. network switches with the same port count. Therefore,
312 the choice of folded Clos topology satisfies REQ1 and facilitates
313 REQ2. See Figure 2 below for an example of a folded 3-stage Clos
314 topology (3 stages counting Tier-2 stage twice, when tracing a packet
315 flow):
317 +-------+
318 | |----------------------------+
319 | |------------------+ |
320 | |--------+ | |
321 +-------+ | | |
322 +-------+ | | |
323 | |--------+---------+-------+ |
324 | |--------+-------+ | | |
325 | |------+ | | | | |
326 +-------+ | | | | | |
327 +-------+ | | | | | |
328 | |------+-+-------+-+-----+ | |
329 | |------+-+-----+ | | | | |
330 | |----+ | | | | | | | |
331 +-------+ | | | | | | ---------> M links
332 Tier-1 | | | | | | | | |
333 +-------+ +-------+ +-------+
334 | | | | | |
335 | | | | | | Tier-2
336 | | | | | |
337 +-------+ +-------+ +-------+
338 | | | | | | | | |
339 | | | | | | ---------> N Links
340 | | | | | | | | |
341 O O O O O O O O O Servers
343 Figure 2: 3-Stage Folded Clos topology
345 This topology is often also referred to as a "Leaf and Spine"
346 network, where "Spine" is the name given to the middle stage of the
347 Clos topology (Tier-1) and "Leaf" is the name of input/output stage
348 (Tier-2). For uniformity, this document will refer to these layers
349 using the "Tier-n" notation.
351 3.2.2. Clos Topology Properties
353 The following are some key properties of the Clos topology:
355 o The topology is fully non-blocking (or more accurately: non-
356 interfering) if M >= N and oversubscribed by a factor of N/M
357 otherwise. Here M and N is the uplink and downlink port count
358 respectively, for a Tier-2 switch as shown in Figure 2.
360 o Utilizing this topology requires control and data plane supporting
361 ECMP with the fan-out of M or more.
363 o Tier-1 switches have exactly one path to every server in this
364 topology. This is an important property that makes route
365 summarization impossible in this topology (see Section 8.2 below).
367 o Traffic flowing from server to server is load-balanced over all
368 available paths using ECMP.
370 3.2.3. Scaling the Clos topology
372 A Clos topology can be scaled either by increasing network element
373 port density or adding more stages, e.g. moving to a 5-stage Clos, as
374 illustrated in Figure 3 below:
376 Tier-1
377 +-----+
378 | |
379 +--| |--+
380 | +-----+ |
381 Tier-2 | | Tier-2
382 +-----+ | +-----+ | +-----+
383 +-------------| DEV |--+--| |--+--| |-------------+
384 | +-----| C |--+ | | +--| |-----+ |
385 | | +-----+ +-----+ +-----+ | |
386 | | | |
387 | | +-----+ +-----+ +-----+ | |
388 | +-----+-----| DEV |--+ | | +--| |-----+-----+ |
389 | | | +---| D |--+--| |--+--| |---+ | | |
390 | | | | +-----+ | +-----+ | +-----+ | | | |
391 | | | | | | | | | |
392 +-----+ +-----+ | +-----+ | +-----+ +-----+
393 | DEV | | DEV | +--| |--+ | | | |
394 | A | | B | Tier-3 | | Tier-3 | | | |
395 +-----+ +-----+ +-----+ +-----+ +-----+
396 | | | | | | | |
397 O O O O O O O O
398 Servers Servers
400 Figure 3: 5-Stage Clos topology
402 The small example topology on Figure 3 is built from devices with a
403 port count of 4 and provides full bisectional bandwidth to all
404 connected servers. In this document, one set of directly connected
405 Tier-2 and Tier-3 devices along with their attached servers will be
406 referred to as a "cluster". For example, DEV A, B, C, D, and the
407 servers that connect to DEV A and B, on Figure 3 form a cluster.
409 In practice, the Tier-3 layer of the network, which are typically top
410 of rack switches (ToRs), is where oversubscription is introduced to
411 allow for packaging of more servers in the data center while meeting
412 the bandwidth requirements for different types of applications. The
413 main reason to limit oversubscription at a single layer of the
414 network is to simplify application development that would otherwise
415 need to account for multiple bandwidth pools: within rack (Tier-3),
416 between racks (Tier-2), and between clusters (Tier-1). Since
417 oversubscription does not have a direct relationship to the routing
418 design it is not discussed further in this document.
420 3.2.4. Managing the Size of Clos Topology Tiers
422 If a data-center network size is small, it is possible to reduce the
423 number of switches in Tier-1 or Tier-2 of Clos topology by a power of
424 two. To understand how this could be done, take Tier-1 as an
425 example. Every Tier-2 device connects to a single group of Tier-1
426 devices. If half of the ports on each of the Tier-1 devices are not
427 being used then it is possible to reduce the number of Tier-1 devices
428 by half and simply map two uplinks from a Tier-2 device to the same
429 Tier-1 device that were previously mapped to different Tier-1
430 devices. This technique maintains the same bisectional bandwidth
431 while reducing the number of elements in the Tier-1 layer, thus
432 saving on CAPEX. The tradeoff, in this example, is the reduction of
433 maximum DC size in terms of overall server count by half.
435 In this example, Tier-2 devices will be using two parallel links to
436 connect to each Tier-1 device. If one of these links fails, the
437 other will pick up all traffic of the failed link, possible resulting
438 in heavy congestion and quality of service degradation if the path
439 determination procedure, does not take bandwidth amount into account.
440 To avoid this situation, parallel links can be grouped in link
441 aggregation groups (LAGs, such as [IEEE8023AD]) with widely available
442 implementation settings that take the whole "bundle" down upon a
443 single link failure. Equivalent techniques that enforce "fate
444 sharing" on the parallel links can be used in place of LAGs to
445 achieve the same effect. As a result of such fate-sharing, traffic
446 from two or more failed links will be re-balanced over the multitude
447 of remaining paths that equals the number of Tier-1 devices. This
448 example is using two links for simplicity it should be noted, that
449 having more links in a bundle will have less impact on capacity upon
450 a member-link failure.
452 4. Data Center Routing Overview
454 This section provides an overview of three general types of data
455 center protocol designs - Layer 2 only, Hybrid L2/L3 and Layer 3
456 only.
458 4.1. Layer 2 Only Designs
460 Originally most data center designs used Spanning-Tree Protocol (STP)
461 for loop free topology creation, typically utilizing variants of the
462 traditional DC topology described in Section 3.1. At the time, many
463 DC switches either did not support Layer 3 routed protocols or
464 supported it with additional licensing fees, which played a part in
465 the design choice. Although many enhancements have been made through
466 the introduction of Rapid Spanning Tree Protocol and Multiple
467 Spanning Tree Protocol that increase convergence, stability and load
468 balancing in larger topologies many of the fundamentals of the
469 protocol limit its applicability in large scale DC's. STP and its
470 newer variants use an active/standby approach to path selection and
471 are therefore hard to deploy in horizontally scaled topologies
472 described in Section 3.2. Further, operators have had many
473 experiences with large failures due to issues caused by improper
474 cabling, misconfiguration, or flawed software on a single device.
475 These failures regularly affected the entire spanning-tree domain and
476 were very hard to troubleshoot due to the nature of the protocol.
477 For these reasons, and since almost all DC traffic is now IP,
478 therefore requiring a Layer 3 routing protocol at the network edge
479 for external connectivity, designs utilizing STP usually fail all of
480 the requirements of large scale DC operators. Various enhancements
481 to link-aggregation protocols such as [IEEE8023AD], generally known
482 as Multi-Chassis Link-Aggregation (M-LAG) made it possible to use
483 Layer 2 designs with active-active network paths while relying on STP
484 as the backup for loop prevention. The major downside of this
485 approach is proprietary nature of such extensions.
487 It should be noted that building large, horizontally scalable, Layer
488 2 only networks without STP is possible recently through the
489 introduction of TRILL [RFC6325]. TRILL resolves many of the issues
490 STP has for large scale DC design however currently the maturity of
491 the protocol, limited number of implementations, and requirement for
492 new equipment that supports it has limited its applicability and
493 increased the cost of such designs.
495 Finally, neither TRILL nor M-LAG approach eliminate the fundamental
496 problem of the shared broadcast domain, that is so detrimental to the
497 operations of any Layer 2, Ethernet based solutions.
499 4.2. Hybrid L2/L3 Designs
501 Operators have sought to limit the impact of data-plane faults and
502 build larger scale topologies through implementing routing protocols
503 in either the Tier-1 or Tier-2 parts of the network and dividing the
504 Layer-2 domain into numerous, smaller domains. This design has
505 allowed data centers to scale up, but at the cost of complexity in
506 the network managing multiple protocols. For the following reasons,
507 operators have retained Layer 2 in either the access (Tier-3) or both
508 access and aggregation (Tier-3 and Tier-2) parts of the network:
510 o Supporting legacy applications that may require direct Layer 2
511 adjacency or use non-IP protocols.
513 o Seamless mobility for virtual machines that require the
514 preservation of IP addresses when a virtual machine moves to
515 different Tier-3 switch.
517 o Simplified IP addressing = less IP subnets is required for the
518 data center.
520 o Application load-balancing may require direct Layer 2 reachability
521 to perform certain functions such as Layer 2 Direct Server Return
522 (DSR).
524 o Continued CAPEX differences between Layer-2 and Layer-3 capable
525 switches.
527 4.3. Layer 3 Only Designs
529 Network designs that leverage IP routing down to Tier-3 of the
530 network have gained popularity as well. The main benefit of these
531 designs is improved network stability and scalability, as a result of
532 confining L2 broadcast domains. Commonly an IGP such as OSPF
533 [RFC2328] is used as the primary routing protocol in such a design.
534 As data centers grow in scale, and server count exceeds tens of
535 thousands, such fully routed designs have become more attractive.
537 Choosing a Layer 3 only design greatly simplifies the network,
538 facilitating the meeting of REQ1 and REQ2, and has widespread
539 adoption in networks where large Layer 2 adjacency and larger size
540 Layer 3 subnets are not as critical compared to network scalability
541 and stability. Application providers and network operators continue
542 to also develop new solutions to meet some of the requirements that
543 previously have driven large Layer 2 domains.
545 5. Routing Protocol Selection and Design
547 In this section the motivations for using External BGP (EBGP) as the
548 single routing protocol for data center networks having a Layer 3
549 protocol design and Clos topology are reviewed. Then, a practical
550 approach for designing an EBGP based network is provided.
552 5.1. Choosing EBGP as the Routing Protocol
554 REQ2 would give preference to the selection of a single routing
555 protocol to reduce complexity and interdependencies. While it is
556 common to rely on an IGP in this situation, sometimes with either the
557 addition of EBGP at the device bordering the WAN or Internal BGP
558 (IBGP) throughout, this document proposes the use of an EBGP only
559 design.
561 Although EBGP is the protocol used for almost all inter-provider
562 routing on the Internet and has wide support from both vendor and
563 service provider communities, it is not generally deployed as the
564 primary routing protocol within the data center for a number of
565 reasons (some of which are interrelated):
567 o BGP is perceived as a "WAN only protocol only" and not often
568 considered for enterprise or data center applications.
570 o BGP is believed to have a "much slower" routing convergence
571 compared to IGPs.
573 o BGP deployment within an Autonomous System typically assumes the
574 presence of an IGP for next-hop resolution.
576 o BGP is perceived to require significant configuration overhead and
577 does not support neighbor auto-discovery.
579 This document discusses some of these perceptions, especially as
580 applicable to the proposed design, and highlights some of the
581 advantages of using the protocol such as:
583 o BGP has less complexity within its protocol design - internal data
584 structures and state-machines are simpler when compared to a link-
585 state IGP such as OSPF. For example, instead of implementing
586 adjacency formation, adjacency maintenance and/or flow-control,
587 BGP simply relies on TCP as the underlying transport. This
588 fulfills REQ2 and REQ3.
590 o BGP information flooding overhead is less when compared to link-
591 state IGPs. Since every BGP router calculates and propagates only
592 the best-path selected, a network failure is masked as soon as the
593 BGP speaker finds an alternate path, which exists when highly
594 symmetric topologies, such as Clos, are coupled with EBGP only
595 design. In contrast, the event propagation scope of a link-state
596 IGP is an entire area, regardless of the failure type. This meets
597 REQ3 and REQ4. It is worth mentioning that all widely deployed
598 link-state IGPs also feature periodic refreshes of routing
599 information, while BGP does not expire routing state, even if this
600 rarely causes significant impact to modern router control planes.
602 o BGP supports third-party (recursively resolved) next-hops. This
603 allows for manipulating multi-path to be non-ECMP based or
604 forwarding based on application-defined forwarding paths, through
605 establishment of a peering session with an application
606 "controller" which can inject routing information into the system,
607 satisfying REQ5. OSPF provides similar functionality using
608 concepts such as "Forwarding Address", but with more difficulty in
609 implementation and lack of protocol simplicity.
611 o Using a well-defined BGP ASN allocation scheme and standard
612 AS_PATH loop detection, "BGP path hunting" (see [JAKMA2008]) can
613 be controlled and complex unwanted paths will be ignored. See
614 Section 5.2 for an example of a working BGP ASN allocation scheme.
615 In a link-state IGP accomplishing the same goal would require
616 multi-(instance/topology/processes) support, typically not
617 available in all DC devices and quite complex to configure and
618 troubleshoot. Using a traditional single flooding domain, which
619 most DC designs utilize, under certain failure conditions may pick
620 up unwanted lengthy paths, e.g. traversing multiple Tier-2
621 devices.
623 o EBGP configuration that is implemented with minimal routing policy
624 is easier to troubleshoot for network reachability issues. In
625 most implementations, it is straightforward to view contents of
626 BGP Loc-RIB and compare it to the router's RIB. Also every BGP
627 neighbor has corresponding Adj-RIB-In and Adj-RIB-Out structures
628 with incoming and outgoing NRLI information that can be easily
629 correlated on both sides of a BGP session. Thus, BGP satisfies
630 REQ3.
632 5.2. EBGP Configuration for Clos topology
634 Clos topologies that have more than 5 stages are very uncommon due to
635 the large numbers of interconnects required by such a design.
636 Therefore, the examples below are made with reference to the 5-stage
637 Clos topology (5 stages in unfolded state).
639 5.2.1. Example ASN Scheme
641 The diagram below illustrates an example ASN allocation scheme. The
642 following is a list of guidelines that can be used:
644 o Only EBGP sessions established over direct point-to-point links
645 interconnecting the network nodes.
647 o 16-bit (two octet) BGP ASNs are used, since these are widely
648 supported and have better vendor interoperability.
650 o Private BGP ASNs from the range 64512-65534 are used so as to
651 avoid ASN conflicts.
653 o A single BGP ASN is allocated to all of the Clos topology's Tier-1
654 devices.
656 o Unique BGP ASN is allocated per each group of Tier-2 devices.
658 o Unique BGP ASN is allocated to every Tier-3 device (e.g. ToR) in
659 this topology.
661 ASN 65534
662 +---------+
663 | +-----+ |
664 | | | |
665 +-|-| |-|-+
666 | | +-----+ | |
667 ASN 646XX | | | | ASN 646XX
668 +---------+ | | | | +---------+
669 | +-----+ | | | +-----+ | | | +-----+ |
670 +-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+
671 | +---|-| |-|-+ | | | | +-|-| |-|---+ |
672 | | | +-----+ | | +-----+ | | +-----+ | | |
673 | | | | | | | | | |
674 | | | | | | | | | |
675 | | | +-----+ | | +-----+ | | +-----+ | | |
676 | +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ |
677 | | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | |
678 | | | | | +-----+ | | | +-----+ | | | +-----+ | | | | |
679 | | | | +---------+ | | | | +---------+ | | | |
680 | | | | | | | | | | | |
681 +-----+ +-----+ | | +-----+ | | +-----+ +-----+
682 | ASN | | | +-|-| |-|-+ | | | |
683 |65YYY| | ... | | | | | | ... | | ... |
684 +-----+ +-----+ | +-----+ | +-----+ +-----+
685 | | | | +---------+ | | | |
686 O O O O <- Servers -> O O O O
688 Figure 4: BGP ASN layout for 5-stage Clos
690 5.2.2. Private Use BGP ASNs
692 The original range of Private Use BGP ASNs [RFC6996] limited
693 operators to 1023 unique ASNs. Since it is quite likely that the
694 number of network devices may exceed this number, a workaround is
695 required. One approach is to re-use the ASNs assigned to the Tier-3
696 devices across different clusters. For example, Private Use BGP ASNs
697 65001, 65002 ... 65032 could be used within every individual cluster
698 and assigned to Tier-3 devices.
700 To avoid route suppression due to the AS_PATH loop detection
701 mechanism in BGP, upstream EBGP sessions on Tier-3 devices must be
702 configured with the "AllowAS In" feature that allows accepting a
703 device's own ASN in received route advertisements. Introducing this
704 feature does not create an opportunity for routing loops under
705 misconfiguration since the AS_PATH is always incremented when routes
706 are propagated between topology tiers. Loop protection is also in
707 place at the Tier-1 device, which does not accept routes with a path
708 including its own ASN.
710 Another solution to this problem would be using four-octet BGP ASNs
711 ([RFC6793]), where there are additional Private Use ASN's available,
712 see [IANA.AS]. Use of Four-Octet BGP ASNs put additional protocol
713 complexity in the BGP implementation so should be considered against
714 the complexity of re-use when considering REQ3 and REQ4. Perhaps
715 more importantly, they are not yet supported by all BGP
716 implementations, which may limit vendor selection of DC equipment.
718 5.2.3. Prefix Advertisement
720 A Clos topology features a large number of point-to-point links and
721 associated prefixes. Advertising all of these routes into BGP may
722 create FIB overload conditions in the network devices. Advertising
723 these links also puts additional path computation stress on the BGP
724 control plane for little benefit. There are two possible solutions:
726 o Do not advertise any of the point-to-point links into BGP. Since
727 the EBGP based design changes the next-hop address at every
728 device, distant networks will automatically be reachable via the
729 advertising EBGP peer and do not require reachability to these
730 prefixes. However, this may complicate operational
731 troubleshooting or monitoring systems if the addresses are not
732 reachable: e.g. using the popular "traceroute" tool will display
733 IP addresses that are not reachable.
735 o Advertise point-to-point links, but summarize them on every
736 device. This requires an address allocation scheme such as
737 allocating a consecutive block of IP addresses per Tier-1 and
738 Tier-2 device to be used for point-to-point interface addressing
739 to the lower layers (Tier-2 uplinks will be numbered out of Tier-1
740 addressing and so forth).
742 Server subnets on Tier-3 devices must be announced into BGP without
743 using route summarization on Tier-2 and Tier-1 devices. Summarizing
744 subnets in a Clos topology results in route black-holing under a
745 single link failure (e.g. between Tier-2 and Tier-3 devices) and
746 hence must be avoided. The use of peer links within the same tier to
747 resolve the black-holing problem by providing "bypass paths" is
748 undesirable due to O(N^2) complexity of the peering mesh and waste of
749 ports on the devices. An alternative to the full-mesh of peer-links
750 would be using a simpler bypass topology, e.g. a "ring" as described
751 in [FB4POST], but such a topology adds extra hops and has very
752 limited bisection bandwidth, in addition requiring special tweaks to
753 make BGP routing work - such as possibly splitting every device into
754 an ASN on its own. In Section 8.2 another, less intrusive, method
755 for performing a limited form route summarization in Clos networks
756 and the associated trade-offs are described.
758 5.2.4. External Connectivity
760 A dedicated cluster (or clusters) in the Clos topology could be used
761 for the purpose of connecting to the Wide Area Network (WAN) edge
762 devices, or WAN Routers. Tier-3 devices in such cluster would be
763 replaced with WAN routers, and EBGP peering would be used again,
764 though WAN routers are likely to belong to a public ASN if Internet
765 connectivity is required in the design. The Tier-2 devices in such a
766 dedicated cluster will be referred to as "Border Routers" in this
767 document. These devices have to perform a few special functions:
769 o Hide network topology information when advertising paths to WAN
770 routers, i.e. remove Private BGP ASNs from the AS_PATH attribute.
771 This is typically done to avoid ASN number collisions between
772 different data centers and also to provide a uniform AS_PATH
773 length to the WAN for purposes of WAN ECMP to Anycast prefixes
774 originated in the topology. An implementation specific BGP
775 feature typically called "Remove Private AS" is commonly used to
776 accomplish this. Depending on implementation, the feature should
777 strip a contiguous sequence of private ASNs found in AS_PATH
778 attribute prior to advertising the path to a neighbor. This
779 assumes that all BGP ASN's used for intra data center numbering
780 are from the private ASN range. The process for stripping the
781 private ASNs is not currently standardized, but most
782 implementations commonly follow the logic described in
783 [REMOVE-PRIVATE-AS] vendor's document.
785 o Originate a default route to the data center devices. This is the
786 only place where default route can be originated, as route
787 summarization is risky for the "scale-out" topology.
788 Alternatively, Border Routers may simply relay the default route
789 learned from WAN routers. Advertising the default route from
790 Border Routers requires that all Border Routers to be fully
791 connected to the WAN Routers upstream, to provide resistance to a
792 single-link failure causing the black-holing of traffic. To
793 prevent chance of operator or implementation error that may impact
794 EBGP sessions to the WAN routers simultaneously (although these
795 scenarios are not planned for by many operators since they
796 represents a multiple failure) it is more desirable to take this
797 approach rather than introducing complicated conditional default
798 origination schemes provided by some implementations.
800 5.2.5. Route Summarization at the Edge
802 It is often desirable to summarize network reachability information
803 prior to advertising it to the WAN network due to high amount of IP
804 prefixes originated from within the data center in a fully routed
805 network design. For example, a network with 2000 Tier-3 devices will
806 have at least 2000 servers subnets advertised into BGP, along with
807 the infrastructure or other prefixes. However, as discussed before,
808 the proposed network design does not allow for route summarization
809 due to the lack of peer links inside every tier.
811 However, it is possible to lift this restriction for the Border
812 Routers, by devising a different connectivity model for these
813 devices. There are two options possible:
815 o Interconnect the Border Routers using a full-mesh of physical
816 links or using any other "peer-mesh" topology, such as ring or
817 hub-and-spoke. Configure BGP accordingly on all Border Leafs to
818 exchange network reachability information - e.g. by adding a mesh
819 of iBGP sessions. The interconnecting peer links need to be
820 appropriately sized for traffic that will be present in the case
821 of a device or link failure underneath the Border Routers.
823 o Tier-1 devices may have additional physical links provisioned
824 toward the Border Routers (which are Tier-2 devices from the
825 perspective of Tier-1). Specifically, if protection from a single
826 link or node failure is desired, each Tier-1 devices would have to
827 connect to at least two Border Routers. This puts additional
828 requirements on the port count for Tier-1 devices and Border
829 Routers, potentially making it a non-uniform, larger port count,
830 device with the other devices in the Clos. This also reduces the
831 number of ports available to "regular" Tier-2 switches and hence
832 the number of clusters that could be interconnected via Tier-1
833 layer.
835 If any of the above options are implemented, it is possible to
836 perform route summarization at the Border Routers toward the WAN
837 network core without risking a routing black-hole condition under a
838 single link failure. Both of the options would result in non-uniform
839 topology as additional links have to be provisioned on some network
840 devices.
842 6. ECMP Considerations
844 This section covers the Equal Cost Multipath (ECMP) functionality for
845 Clos topology and discusses a few special requirements.
847 6.1. Basic ECMP
849 ECMP is the fundamental load-sharing mechanism used by a Clos
850 topology. Effectively, every lower-tier device will use all of its
851 directly attached upper-tier devices to load-share traffic destined
852 to the same IP prefix. Number of ECMP paths between any two Tier-3
853 devices in Clos topology equals to the number of the devices in the
854 middle stage (Tier-1). For example, Figure 5 illustrates the
855 topology where Tier-3 device A has four paths to reach servers X and
856 Y, via Tier-2 devices B and C and then Tier-1 devices 1, 2, 3, and 4
857 respectively.
859 Tier-1
860 +-----+
861 | DEV |
862 +->| 1 |--+
863 | +-----+ |
864 Tier-2 | | Tier-2
865 +-----+ | +-----+ | +-----+
866 +------------>| DEV |--+->| DEV |--+--| |-------------+
867 | +-----| B |--+ | 2 | +--| |-----+ |
868 | | +-----+ +-----+ +-----+ | |
869 | | | |
870 | | +-----+ +-----+ +-----+ | |
871 | +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ |
872 | | | +---| C |--+->| 3 |--+--| |---+ | | |
873 | | | | +-----+ | +-----+ | +-----+ | | | |
874 | | | | | | | | | |
875 +-----+ +-----+ | +-----+ | +-----+ +-----+
876 | DEV | | | Tier-3 +->| DEV |--+ Tier-3 | | | |
877 | A | | | | 4 | | | | |
878 +-----+ +-----+ +-----+ +-----+ +-----+
879 | | | | | | | |
880 O O O O <- Servers -> X Y O O
882 Figure 5: ECMP fan-out tree from A to X and Y
884 The ECMP requirement implies that the BGP implementation must support
885 multi-path fan-out for up to the maximum number of devices directly
886 attached at any point in the topology in upstream or downstream
887 direction. Normally, this number does not exceed half of the ports
888 found on a device in the topology. For example, an ECMP fan-out of
889 32 would be required when building a Clos network using 64-port
890 devices. The Border Routers may need to have wider fan-out to be
891 able to connect to multitude of Tier-1 devices if route summarization
892 at Border Router level is implemented as described in Section 5.2.5.
893 If a device's hardware does not support wider ECMP, logical link-
894 grouping (link-aggregation at layer 2) could be used to provide
895 "hierarchical" ECMP (Layer 3 ECMP followed by Layer 2 ECMP) to
896 compensate for fan-out limitations. Such approach, however,
897 increases the risk of flow polarization, as less entropy will be
898 available to the second stage of ECMP.
900 Most BGP implementations declare paths to be equal from ECMP
901 perspective if they match up to and including step (e)
902 Section 9.1.2.2 of [RFC4271]. In the proposed network design there
903 is no underlying IGP, so all IGP costs are assumed to be zero or
904 otherwise the same value across all paths and policies may be applied
905 as necessary to equalize BGP attributes that vary in vendor defaults,
906 as has been seen occasionally with MED and origin code. Routing
907 loops are unlikely due to the BGP best-path selection process which
908 prefers shorter AS_PATH length, and longer paths through the Tier-1
909 devices which don't allow their own AS in the path and have the same
910 ASN are also not possible.
912 6.2. BGP ECMP over Multiple ASNs
914 For application load-balancing purposes it is desirable to have the
915 same prefix advertised from multiple Tier-3 devices. From the
916 perspective of other devices, such a prefix would have BGP paths with
917 different AS_PATH attribute values, while having the same AS_PATH
918 attribute lengths. Therefore, BGP implementations must support load-
919 sharing over above-mentioned paths. This feature is sometimes known
920 as "multipath relax" and effectively allows for ECMP to be done
921 across different neighboring ASNs if all other attributes are equal
922 as described in the previous section.
924 6.3. Weighted ECMP
926 It may be desirable for the network devices to implement weighted
927 ECMP, to be able to send more traffic over some paths in ECMP fan-
928 out. This could be helpful to compensate for failures in the network
929 and send more traffic over paths that have more capacity. The
930 prefixes that require weighted ECMP would have to be injected using
931 remote BGP speaker (central agent) over a multihop session as
932 described further in Section 8.1. If support in implementations is
933 available, weight-distribution for multiple BGP paths could be
934 signaled using the technique described in
935 [I-D.ietf-idr-link-bandwidth].
937 6.4. Consistent Hashing
939 It is often desirable to have the hashing function used to ECMP to be
940 consistent (see [CONS-HASH]), to minimizing the impact on flow to
941 next-hop affinity changes when a next-hop is added or removed to ECMP
942 group. This could be used if the network device is used as a load-
943 balancer, mapping flows toward multiple destinations - in this case,
944 losing or adding a destination will not have detrimental effect of
945 currently established flows. One particular recommendation on
946 implementing consistent hashing is provided in [RFC2992], though
947 other implementations are possible. This functionality could be
948 naturally combined with weighted ECMP, with the impact of the next-
949 hop changes being proportional to the weight of the given next-hop.
950 Notice that the usual downside of consistent hashing is increased
951 load on hardware resource utilization, as typically more space is
952 required to implement a consistent-hashing region.
954 7. Routing Convergence Properties
956 This section reviews routing convergence properties in the proposed
957 design. A case is made that sub-second convergence is achievable if
958 the implementation supports fast EBGP peering session deactivation
959 and timely RIB and FIB update upon failure of the associated link.
961 7.1. Fault Detection Timing
963 BGP typically relies on an IGP to route around link/node failures
964 inside an AS, and implements either a polling based or an event-
965 driven mechanism to obtain updates on IGP state changes. The
966 proposed routing design does not use an IGP, so the only mechanisms
967 that could be used for fault detection are BGP keep-alive process (or
968 any other type of keep-alive mechanism) and link-failure triggers.
970 Relying solely on BGP keep-alive packets may result in high
971 convergence delays, in the order of multiple seconds (on many BGP
972 implementations the minimum configurable BGP hold timer value is
973 three seconds). However, many BGP implementations can shut down
974 local EBGP peering sessions in response to the "link down" event for
975 the outgoing interface used for BGP peering. This feature is
976 sometimes called as "fast fallover". Since links in modern data
977 centers are often point-to-point fiber connections, a physical
978 interface failure is often detected in milliseconds and subsequently
979 triggers a BGP re-convergence.
981 Ethernet technologies may support failure signaling or detection
982 standards such as [IEEE8021AG] and [IEEE8023AH], which may make
983 failure detection more robust. Alternatively, some platforms may
984 support Bidirectional Forwarding Detection (BFD) [RFC5880] to allow
985 for sub-second failure detection and fault signaling to the BGP
986 process. However, use of either of these presents additional
987 requirements to vendor software and possibly hardware, and may
988 contradict REQ1. Until recently with [RFC7130], BFD also did not
989 allow detection of a single member link failure on a LAG, which would
990 limit's it's usefulness in some designs.
992 7.2. Event Propagation Timing
994 In this design the impact of BGP Minimum Route Advertisement Interval
995 (MRAI) timer (See section 9.2.1.1 of [RFC4271]) should be considered.
996 Per the standard it is required for BGP implementations to space out
997 consecutive BGP UPDATE messages by at least MRAI seconds, which is
998 often a configurable value. The initial BGP UPDATE messages after an
999 event carrying withdrawn routes are commonly not affected by this
1000 timer. The MRAI timer may present significant convergence delays
1001 when a BGP speaker "waits" for the new path to be learned from its
1002 peers and has no local backup path information.
1004 In a Clos topology each EBGP speaker has either one path or N paths
1005 for the same prefix, where N is a significantly large number, e.g.
1006 N=32 (the ECMP fan-out). Therefore, if a path fails there is either
1007 no backup path at all, or the backup is readily available in BGP Loc-
1008 RIB. In the former case, the BGP withdrawal announcement will
1009 propagate un-delayed and trigger re-convergence on affected devices.
1010 In the latter case, the best-path will be re-evaluated and the local
1011 ECMP group corresponding to the new next-hop set changed. If the BGP
1012 path was the best-path selected previously, an "implicit withdraw"
1013 will be sent via a BGP UPDATE message as described as option b in
1014 Section 3.1 of [RFC4271] due to the BGP AS_PATH attribute changing.
1016 7.3. Impact of Clos Topology Fan-outs
1018 Clos topology has large fan-outs, which may impact the "Up->Down"
1019 convergence in some cases, as described in this section. In a
1020 situation when a link between Tier-3 and Tier-2 device fails, the
1021 Tier-2 device will send BGP WITHDRAW message to all upstream Tier-1
1022 devices, and Tier-1 devices will relay this message to all downstream
1023 Tier-2 devices (except for the originator). Tier-2 devices other
1024 than the one originating the WITHDRAW should then wait for ALL
1025 adjacent Tier-1 devices to send a WITHDRAW message before it removes
1026 the affected prefixes and sends corresponding WITHDRAW downstream to
1027 connected Tier-3 devices. If the original Tier-2 device or the
1028 relaying Tier-1 devices introduce some delay into their
1029 announcements, the result could be WITHDRAW message "dispersion",
1030 that could be as long as multiple seconds. In order to avoid such
1031 behavior, BGP implementations must support "update groups". The
1032 "update group" is defined as a collection of neighbors sharing the
1033 same outbound policy - the local speaker will send BGP updates to the
1034 members of the group synchronously.
1036 The impact of such "dispersion" grows with the size of topology fan-
1037 out and could also grow under network convergence churn.
1039 7.4. Failure Impact Scope
1041 A network is declared to converge in response to a failure once all
1042 devices within the failure impact scope are notified of the event and
1043 have re-calculated their RIB's and consequently updated their FIB's.
1044 Larger failure impact scope typically means slower convergence since
1045 more devices have to be notified, and additionally results in a less
1046 stable network. In this section we describe BGP's advantages over
1047 link-state routing protocols in reducing failure impact scope for a
1048 Clos topology.
1050 BGP is behaves like a distance-vector protocol in the sense that only
1051 the best path from the point of view of the local router is sent to
1052 neighbors. As such, some failures are masked if the local node can
1053 immediately find a backup path and does not have to send any updates
1054 further. Notice that in the worst case ALL devices in a data center
1055 topology have to either withdraw a prefix completely or update the
1056 ECMP groups in the FIB. However, many failures will not result in
1057 such a wide impact. There are two main failure types where impact
1058 scope is reduced:
1060 o Failure of a link between Tier-2 and Tier-1 devices: In this case,
1061 a Tier-2 device will update the affected ECMP groups, removing the
1062 failed link. There is no need to send new information to
1063 downstream Tier-3 devices, unless the path was selected as best by
1064 the BGP process, in which case only an "implicit withdraw" needs
1065 to be sent, which should not affect forwarding. The affected
1066 Tier-1 device will lose the only path available to reach a
1067 particular cluster and will have to withdraw the associated
1068 prefixes. Such prefix withdrawal process will only affect Tier-2
1069 devices directly connected to the affected Tier-1 device. The
1070 Tier-2 devices receiving the BGP UPDATE messages withdrawing
1071 prefixes will simply have to update their ECMP groups. The Tier-3
1072 devices are not involved in the re-convergence process.
1074 o Failure of a Tier-1 device: In this case, all Tier-2 devices
1075 directly attached to the failed node will have to update their
1076 ECMP groups for all IP prefixes from non-local cluster. The
1077 Tier-3 devices are once again not involved in the re-convergence
1078 process, but may receive "implicit withdraws" as described above.
1080 Even though in case of such failures multiple IP prefixes will have
1081 to be reprogrammed in the FIB, it is worth noting that ALL of these
1082 prefixes share a single ECMP group on Tier-2 device. Therefore, in
1083 the case of implementations with a hierarchical FIB, only a single
1084 change has to be made to the FIB. Hierarchical FIB here means FIB
1085 structure where the next-hop forwarding information is stored
1086 separately from the prefix lookup table, and the latter only store
1087 pointers to the respective forwarding information.
1089 Even though BGP offers some failure scope reduction, reduction of the
1090 fault domain using summarization is not always possible with the
1091 proposed design, since using this technique may create routing black-
1092 holes as mentioned previously. Therefore, the worst control-plane
1093 failure impact scope is the network as a whole, for instance in a
1094 case of a link failure between Tier-2 and Tier-3 devices. The amount
1095 of impacted prefixes in this case would be much less than in the case
1096 of a failure in the upper layers of a Clos network topology. The
1097 property of having such large failure scope is not a result of
1098 choosing EBGP in the design but rather a result of using the "scale-
1099 out" Clos topology.
1101 7.5. Routing Micro-Loops
1103 When a downstream device, e.g. Tier-2 device, loses all paths for a
1104 prefix, it normally has the default route pointing toward the
1105 upstream device, in this case the Tier-1 device. As a result, it is
1106 possible to get in the situation when Tier-2 switch loses a prefix,
1107 but Tier-1 switch still has the path pointing to the Tier-2 device,
1108 which results in transient micro-loop, since Tier-1 switch will keep
1109 passing packets to the affected prefix back to Tier-2 device, and
1110 Tier-2 will bounce it back again using the default route. This
1111 micro-loop will last for the duration of time it takes the upstream
1112 device to fully update its forwarding tables.
1114 To minimize impact of the micro-loops, Tier-2 and Tier-1 switches can
1115 be configured with static "discard" or "null" routes that will be
1116 more specific than the default route for specific prefixes missing
1117 during network convergence. For Tier-2 switches, the discard route
1118 should be a summary route, covering all server subnets of the
1119 underlying Tier-3 devices. For Tier-1 devices, the discard route
1120 should be a summary covering the server IP address subnet allocated
1121 for the whole data-center. Those discard routes will only take
1122 precedence for the duration of network convergence, until the device
1123 learns a more specific prefix via a new path.
1125 8. Additional Options for Design
1127 8.1. Third-party Route Injection
1129 BGP allows for a "third-party", i.e. directly attached, BGP speaker
1130 to inject routes anywhere in the network topology, meeting REQ5.
1131 This can be achieved by peering via a multihop BGP session with some
1132 or even all devices in the topology. Furthermore, BGP diverse path
1133 distribution [RFC6774] could be used to inject multiple BGP next hops
1134 for the same prefix to facilitate load-balancing, or using the BGP
1135 ADD-PATH capability [I-D.ietf-idr-add-paths] if supported by the
1136 implementation. Unfortunately, in many implementations ADD-PATH has
1137 been found to only support IBGP properly due to the use cases it was
1138 originally optimized for, which limits the "third-party" peering to
1139 iBGP only, if the feature is used.
1141 To implement route injection in the proposed design a third-party BGP
1142 speaker may peer with Tier-3 and Tier-1 switches, injecting the same
1143 prefix, but using a special set of BGP next-hops for Tier-1 devices.
1144 Those next-hops are assumed to resolve recursively via BGP, and could
1145 be, for example, IP addresses on Tier-3 devices. The resulting
1146 forwarding table programming could provide desired traffic proportion
1147 distribution among different clusters.
1149 8.2. Route Summarization within Clos Topology
1151 As mentioned previously, route summarization is not possible within
1152 the proposed Clos topology since it makes the network susceptible to
1153 route black-holing under single link failures. The main problem is
1154 the limited number of parallel paths between network elements, e.g.
1155 there is only a single path between any pair of Tier-1 and Tier-3
1156 devices. However, some operators may find route aggregation
1157 desirable to improve control plane stability.
1159 If planning on using any technique to summarize within the topology
1160 modeling of the routing behavior and potential for black-holing
1161 should be done not only for single or multiple link failures, but
1162 also fiber pathway failures or optical domain failures if the
1163 topology extends beyond a physical location. Simple modeling can be
1164 done by checking the reachability on devices doing summarization
1165 under the condition of a link or pathway failure between a set of
1166 devices in every Tier as well as to the WAN routers if external
1167 connectivity is present.
1169 Route summarization would be possible with a small modification to
1170 the network topology, though the trade-off would be reduction of the
1171 total size of the network as well as network congestion under
1172 specific failures. This approach is very similar to the technique
1173 described above, which allows Border Routers to summarize the entire
1174 data-center address space.
1176 8.2.1. Collapsing Tier-1 Devices Layer
1178 In order to add more paths between Tier-1 and Tier-3 devices, group
1179 Tier-2 devices into pairs, and then connect the pairs to the same
1180 group of Tier-1 devices. This is logically equivalent to
1181 "collapsing" Tier-1 devices into a group of half the size, merging
1182 the links on the "collapsed" devices. The result is illustrated in
1183 Figure 6. For example, in this topology DEV C and DEV D connect to
1184 the same set of Tier-1 devices (DEV 1 and DEV 2), whereas before they
1185 were connecting to different groups of Tier-1 devices.
1187 Tier-2 Tier-1 Tier-2
1188 +-----+ +-----+ +-----+
1189 +-------------| DEV |------| DEV |------| |-------------+
1190 | +-----| C |--++--| 1 |--++--| |-----+ |
1191 | | +-----+ || +-----+ || +-----+ | |
1192 | | || || | |
1193 | | +-----+ || +-----+ || +-----+ | |
1194 | +-----+-----| DEV |--++--| DEV |--++--| |-----+-----+ |
1195 | | | +---| D |------| 2 |------| |---+ | | |
1196 | | | | +-----+ +-----+ +-----+ | | | |
1197 | | | | | | | |
1198 +-----+ +-----+ +-----+ +-----+
1199 | DEV | | DEV | | | | |
1200 | A | | B | Tier-3 Tier-3 | | | |
1201 +-----+ +-----+ +-----+ +-----+
1202 | | | | | | | |
1203 O O O O <- Servers -> O O O O
1205 Figure 6: 5-Stage Clos topology
1207 Having this design in place, Tier-2 devices may be configured to
1208 advertise only a default route down to Tier-3 devices. If a link
1209 between Tier-2 and Tier-3 fails, the traffic will be re-routed via
1210 the second available path known to a Tier-2 switch. It is not
1211 possible to advertise a summary route covering prefixes for a single
1212 cluster from Tier-2 devices since each of them has only a single path
1213 down to this prefix. It would require dual-homed servers to
1214 accomplish that. Also note that this design is only resilient to
1215 single link failure. It is possible for a double link failure to
1216 isolate a Tier-2 device from all paths toward a specific Tier-3
1217 device, thus causing a routing black-hole.
1219 A result of the proposed topology modification would be reduction of
1220 Tier-1 devices port capacity. This limits the maximum number of
1221 attached Tier-2 devices and therefore will limit the maximum DC
1222 network size. A larger network would require different Tier-1
1223 devices that have higher port density to implement this change.
1225 Another problem is traffic re-balancing under link failures. Since
1226 three are two paths from Tier-1 to Tier-3, a failure of the link
1227 between Tier-1 and Tier-2 switch would result in all traffic that was
1228 taking the failed link to switch to the remaining path. This will
1229 result in doubling of link utilization on the remaining link.
1231 8.2.2. Simple Virtual Aggregation
1233 A completely different approach to route summarization is possible,
1234 provided that the main goal is to reduce the FIB pressure, while
1235 allowing the control plane to disseminate full routing information.
1236 Firstly, it could be easily noted that in many cases multiple
1237 prefixes, some of which are less specific, share the same set of the
1238 next-hops (same ECMP group). For example, looking from the
1239 perspective of a Tier-3 devices, all routes learned from upstream
1240 Tier-2's, including the default route, will share the same set of BGP
1241 next-hops, provided that there is no failures in the network. This
1242 makes it possible to use the technique similar to described in
1243 [RFC6769] and only install the least specific route in the FIB,
1244 ignoring more specific routes if they share the same next-hop set.
1245 For example, under normal network conditions, only the default route
1246 need to be programmed into FIB.
1248 Furthermore, if the Tier-2 devices are configured with summary
1249 prefixes covering all of their attached Tier-3 device's prefixes the
1250 same logic could be applied in Tier-1 devices as well, and, by
1251 induction to Tier-2/Tier-3 switches in different clusters. These
1252 summary routes should still allow for more specific prefixes to leak
1253 to Tier-1 devices, to enable for detection of mismatches in the next-
1254 hop sets if a particular link fails, changing the next-hop set for a
1255 specific prefix.
1257 Re-stating once again, this technique does not reduce the amount of
1258 control plane state (i.e. BGP UPDATEs/BGP LocRIB sizing), but only
1259 allows for more efficient FIB utilization, by spotting more specific
1260 prefixes that share their next-hops with less specifics.
1262 8.3. ICMP Unreachable Message Masquerading
1264 This section discusses some operational aspects of not advertising
1265 point-to-point link subnets into BGP, as previously outlined as an
1266 option in Section 5.2.3. The operational impact of this decision
1267 could be seen when using the well-known "traceroute" tool.
1268 Specifically, IP addresses displayed by the tool will be the link's
1269 point-to-point addresses, and hence will be unreachable for
1270 management connectivity. This makes some troubleshooting more
1271 complicated.
1273 One way to overcome this limitation is by using the DNS subsystem to
1274 create the "reverse" entries for the IP addresses of the same device
1275 pointing to the same name. The connectivity then can be made by
1276 resolving this name to the "primary" IP address of the devices, e.g.
1277 its Loopback interface, which is always advertised into BGP.
1278 However, this create dependency on DNS subsystem, which may happen to
1279 be unavailable during an outage.
1281 Another option is to make the network device perform IP address
1282 masquerading, that is rewriting the source IP addresses of the
1283 appropriate ICMP messages sent off of the device with the "primary"
1284 IP address of the device. Specifically, the ICMP Destination
1285 Unreachable Message (type 3) codes 3 (port unreachable) and ICMP Time
1286 Exceeded (type 11) code 0, which are involved in proper working of
1287 the "traceroute" tool. With this modification, the "traceroute"
1288 probes sent to the devices will always be sent back with the
1289 "primary" IP address as the source, allowing the operator to discover
1290 the "reachable" IP address of the box.
1292 9. Security Considerations
1294 The design does not introduce any additional security concerns.
1295 General BGP security considerations are discussed in [RFC4271] and
1296 [RFC4272]. Furthermore, the Generalized TTL Security Mechanism
1297 [RFC5082] could be used to reduce the risk of BGP session spoofing.
1299 10. IANA Considerations
1301 This document includes no request to IANA.
1303 11. Acknowledgements
1305 This publication summarizes work of many people who participated in
1306 developing, testing and deploying the proposed network design, some
1307 of whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong,
1308 Robert Toomey, and Lihua Yuan. Authors would also like to thank
1309 Linda Dunbar, Susan Hares, Russ White and Robert Raszuk for reviewing
1310 the document and providing valuable feedback and Mary Mitchell for
1311 grammar and style suggestions.
1313 12. References
1315 12.1. Normative References
1317 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
1318 Protocol 4 (BGP-4)", RFC 4271, January 2006.
1320 [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for
1321 Private Use", BCP 6, RFC 6996, July 2013.
1323 12.2. Informative References
1325 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
1327 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC
1328 4272, January 2006.
1330 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
1331 Services", BCP 126, RFC 4786, December 2006.
1333 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., and C.
1334 Pignataro, "The Generalized TTL Security Mechanism
1335 (GTSM)", RFC 5082, October 2007.
1337 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
1338 (BFD)", RFC 5880, June 2010.
1340 [RFC6325] Perlman, R., Eastlake, D., Dutt, D., Gai, S., and A.
1341 Ghanwani, "Routing Bridges (RBridges): Base Protocol
1342 Specification", RFC 6325, July 2011.
1344 [RFC6774] Raszuk, R., Fernando, R., Patel, K., McPherson, D., and K.
1345 Kumaki, "Distribution of Diverse BGP Paths", RFC 6774,
1346 November 2012.
1348 [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet
1349 Autonomous System (AS) Number Space", RFC 6793, December
1350 2012.
1352 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
1353 Algorithm", RFC 2992, November 2000.
1355 [RFC6769] Raszuk, R., Heitz, J., Lo, A., Zhang, L., and X. Xu,
1356 "Simple Virtual Aggregation (S-VA)", RFC 6769, October
1357 2012.
1359 [RFC7130] Bhatia, M., Chen, M., Boutros, S., Binderberger, M., and
1360 J. Haas, "Bidirectional Forwarding Detection (BFD) on Link
1361 Aggregation Group (LAG) Interfaces", RFC 7130, February
1362 2014.
1364 [I-D.ietf-idr-add-paths]
1365 Walton, D., Retana, A., Chen, E., and J. Scudder,
1366 "Advertisement of Multiple Paths in BGP", draft-ietf-idr-
1367 add-paths-10 (work in progress), October 2014.
1369 [I-D.ietf-idr-link-bandwidth]
1370 Mohapatra, P. and R. Fernando, "BGP Link Bandwidth
1371 Extended Community", draft-ietf-idr-link-bandwidth-06
1372 (work in progress), January 2013.
1374 [GREENBERG2009]
1375 Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a
1376 Cloud: Research Problems in Data Center Networks", January
1377 2009.
1379 [IEEE8021AG]
1380 IEEE 802.1Q, , "IEEE Standard for Local and metropolitan
1381 area networks - Media Access Control (MAC) Bridges and
1382 Virtual Bridged Local Area Networks", October 2012.
1384 [IEEE8023AH]
1385 IEEE 802.3, , "IEEE Standard for Information technology -
1386 Local and metropolitan area networks - Carrier sense
1387 multiple access with collision detection (CSMA/CD) access
1388 method and physical layer specifications", December 2008.
1390 [INTERCON]
1391 Dally, W. and B. Towles, "Principles and Practices of
1392 Interconnection Networks", ISBN 978-0122007514, January
1393 2004.
1395 [ALFARES2008]
1396 Al-Fares, M., Loukissas, A., and A. Vahdat, "A Scalable,
1397 Commodity Data Center Network Architecture", August 2008.
1399 [IANA.AS] IANA, , "Autonomous System (AS) Numbers", February 2015,
1400 .
1402 [IEEE8023AD]
1403 IEEE 802.3ad, , "IEEE Standard for Link aggregation for
1404 parallel links", October 2000.
1406 [REMOVE-PRIVATE-AS]
1407 Cisco Systems, , "Removing Private Autonomous System
1408 Numbers in BGP", August 2005,
1409 .
1412 [FB4POST] Farrington, N. and A. Andreyev, "Facebook's Data Center
1413 Network Architecture", May 2013,
1414 .
1416 [JAKMA2008]
1417 Jakma, P., "BGP Path Hunting", 2008,
1418 .
1420 [CONS-HASH]
1421 Wikipedia, , "Consistent Hashing",
1422 .
1424 Authors' Addresses
1426 Petr Lapukhov
1427 Facebook
1428 1 Hacker Way
1429 Menlo Park, CA 94025
1430 US
1432 Email: petr@fb.com
1434 Ariff Premji
1435 Arista Networks
1436 5453 Great America Parkway
1437 Santa Clara, CA 95054
1438 US
1440 Email: ariff@arista.com
1441 URI: http://arista.com/
1443 Jon Mitchell (editor)
1444 Microsoft Corporation
1445 One Microsoft Way
1446 Redmond, WA 98052
1447 US
1449 Email: Jon.Mitchell@microsoft.com