idnits 2.17.1 draft-ietf-rtgwg-bgp-routing-large-dc-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 28, 2015) is 3157 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-15) exists of draft-ietf-idr-add-paths-10 == Outdated reference: A later version (-07) exists of draft-ietf-idr-link-bandwidth-06 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Area Working Group P. Lapukhov 3 Internet-Draft Facebook 4 Intended status: Informational A. Premji 5 Expires: February 29, 2016 Arista Networks 6 J. Mitchell, Ed. 7 August 28, 2015 9 Use of BGP for routing in large-scale data centers 10 draft-ietf-rtgwg-bgp-routing-large-dc-07 12 Abstract 14 Some network operators build and operate data centers that support 15 over one hundred thousand servers. In this document, such data 16 centers are referred to as "large-scale" to differentiate them from 17 smaller infrastructures. Environments of this scale have a unique 18 set of network requirements with an emphasis on operational 19 simplicity and network stability. This document summarizes 20 operational experience in designing and operating large-scale data 21 centers using BGP as the only routing protocol. The intent is to 22 report on a proven and stable routing design that could be leveraged 23 by others in the industry. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on February 29, 2016. 42 Copyright Notice 44 Copyright (c) 2015 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Network Design Requirements . . . . . . . . . . . . . . . . . 4 61 2.1. Bandwidth and Traffic Patterns . . . . . . . . . . . . . 4 62 2.2. CAPEX Minimization . . . . . . . . . . . . . . . . . . . 4 63 2.3. OPEX Minimization . . . . . . . . . . . . . . . . . . . . 5 64 2.4. Traffic Engineering . . . . . . . . . . . . . . . . . . . 5 65 2.5. Summarized Requirements . . . . . . . . . . . . . . . . . 5 66 3. Data Center Topologies Overview . . . . . . . . . . . . . . . 6 67 3.1. Traditional DC Topology . . . . . . . . . . . . . . . . . 6 68 3.2. Clos Network topology . . . . . . . . . . . . . . . . . . 7 69 3.2.1. Overview . . . . . . . . . . . . . . . . . . . . . . 7 70 3.2.2. Clos Topology Properties . . . . . . . . . . . . . . 8 71 3.2.3. Scaling the Clos topology . . . . . . . . . . . . . . 9 72 3.2.4. Managing the Size of Clos Topology Tiers . . . . . . 10 73 4. Data Center Routing Overview . . . . . . . . . . . . . . . . 11 74 4.1. Layer 2 Only Designs . . . . . . . . . . . . . . . . . . 11 75 4.2. Hybrid L2/L3 Designs . . . . . . . . . . . . . . . . . . 12 76 4.3. Layer 3 Only Designs . . . . . . . . . . . . . . . . . . 12 77 5. Routing Protocol Selection and Design . . . . . . . . . . . . 13 78 5.1. Choosing EBGP as the Routing Protocol . . . . . . . . . . 13 79 5.2. EBGP Configuration for Clos topology . . . . . . . . . . 15 80 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 15 81 5.2.2. Private Use ASNs . . . . . . . . . . . . . . . . . . 16 82 5.2.3. Prefix Advertisement . . . . . . . . . . . . . . . . 17 83 5.2.4. External Connectivity . . . . . . . . . . . . . . . . 18 84 5.2.5. Route Summarization at the Edge . . . . . . . . . . . 19 85 6. ECMP Considerations . . . . . . . . . . . . . . . . . . . . . 19 86 6.1. Basic ECMP . . . . . . . . . . . . . . . . . . . . . . . 20 87 6.2. BGP ECMP over Multiple ASNs . . . . . . . . . . . . . . . 21 88 6.3. Weighted ECMP . . . . . . . . . . . . . . . . . . . . . . 21 89 6.4. Consistent Hashing . . . . . . . . . . . . . . . . . . . 22 90 7. Routing Convergence Properties . . . . . . . . . . . . . . . 22 91 7.1. Fault Detection Timing . . . . . . . . . . . . . . . . . 22 92 7.2. Event Propagation Timing . . . . . . . . . . . . . . . . 23 93 7.3. Impact of Clos Topology Fan-outs . . . . . . . . . . . . 23 94 7.4. Failure Impact Scope . . . . . . . . . . . . . . . . . . 24 95 7.5. Routing Micro-Loops . . . . . . . . . . . . . . . . . . . 25 96 8. Additional Options for Design . . . . . . . . . . . . . . . . 26 97 8.1. Third-party Route Injection . . . . . . . . . . . . . . . 26 98 8.2. Route Summarization within Clos Topology . . . . . . . . 26 99 8.2.1. Collapsing Tier-1 Devices Layer . . . . . . . . . . . 27 100 8.2.2. Simple Virtual Aggregation . . . . . . . . . . . . . 28 101 8.3. ICMP Unreachable Message Masquerading . . . . . . . . . . 29 102 9. Security Considerations . . . . . . . . . . . . . . . . . . . 29 103 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 104 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 105 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 106 12.1. Normative References . . . . . . . . . . . . . . . . . . 30 107 12.2. Informative References . . . . . . . . . . . . . . . . . 30 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 110 1. Introduction 112 This document describes a practical routing design that can be used 113 in a large-scale data center ("DC") design. Such data centers, also 114 known as hyper-scale or warehouse-scale data centers, have a unique 115 attribute of supporting over a hundred thousand servers. In order to 116 accommodate networks of this scale, operators are revisiting 117 networking designs and platforms to address this need. 119 The design presented in this document is based on operational 120 experience with data centers built to support large-scale distributed 121 software infrastructure, such as a Web search engine. The primary 122 requirements in such an environment are operational simplicity and 123 network stability so that a small group of people can effectively 124 support a significantly sized network. 126 Experimentation and extensive testing has shown that External BGP 127 (EBGP) [RFC4271] is well suited as a stand-alone routing protocol for 128 these type of data center applications. This is in contrast with 129 more traditional DC designs, which may use simple tree topologies and 130 rely on extending Layer 2 domains across multiple network devices. 131 This document elaborates on the requirements that led to this design 132 choice and presents details of the EBGP routing design as well as 133 explores ideas for further enhancements. 135 This document first presents an overview of network design 136 requirements and considerations for large-scale data centers. Then 137 traditional hierarchical data center network topologies are 138 contrasted with Clos networks [CLOS1953] that are horizontally scaled 139 out. This is followed by arguments for selecting EBGP with a Clos 140 topology as the most appropriate routing protocol to meet the 141 requirements and the proposed design is described in detail. 142 Finally, this document reviews some additional considerations and 143 design options. 145 2. Network Design Requirements 147 This section describes and summarizes network design requirements for 148 large-scale data centers. 150 2.1. Bandwidth and Traffic Patterns 152 The primary requirement when building an interconnection network for 153 large number of servers is to accommodate application bandwidth and 154 latency requirements. Until recently it was quite common to see the 155 majority of traffic entering and leaving the data center, commonly 156 referred to as "north-south" traffic. Traditional "tree" topologies 157 were sufficient to accommodate such flows, even with high 158 oversubscription ratios between the layers of the network. If more 159 bandwidth was required, it was added by "scaling up" the network 160 elements, e.g. by upgrading the device's linecards or fabrics or 161 replacing the device with one with higher port density. 163 Today many large-scale data centers host applications generating 164 significant amounts of server-to-server traffic, which does not 165 egress the DC, commonly referred to as "east-west" traffic. Examples 166 of such applications could be compute clusters such as Hadoop 167 [HADOOP], massive data replication between clusters needed by certain 168 applications, or virtual machine migrations. Scaling traditional 169 tree topologies to match these bandwidth demands becomes either too 170 expensive or impossible due to physical limitations, e.g. port 171 density in a switch. 173 2.2. CAPEX Minimization 175 The Capital Expenditures (CAPEX) associated with the network 176 infrastructure alone constitutes about 10-15% of total data center 177 expenditure (see [GREENBERG2009]). However, the absolute cost is 178 significant, and hence there is a need to constantly drive down the 179 cost of individual network elements. This can be accomplished in two 180 ways: 182 o Unifying all network elements, preferably using the same hardware 183 type or even the same device. This allows for volume pricing on 184 bulk purchases and reduced maintenance and sparing costs. 186 o Driving costs down using competitive pressures, by introducing 187 multiple network equipment vendors. 189 In order to allow for good vendor diversity it is important to 190 minimize the software feature requirements for the network elements. 191 This strategy provides maximum flexibility of vendor equipment 192 choices while enforcing interoperability using open standards. 194 2.3. OPEX Minimization 196 Operating large-scale infrastructure can be expensive as a larger 197 amount of elements will statistically fail more often. Having a 198 simpler design and operating using a limited software feature set 199 minimizes software issue-related failures. 201 An important aspect of Operational Expenditure (OPEX) minimization is 202 reducing size of failure domains in the network. Ethernet networks 203 are known to be susceptible to broadcast or unicast traffic storms 204 that can have a dramatic impact on network performance and 205 availability. The use of a fully routed design significantly reduces 206 the size of the data plane failure domains - i.e. limits them to the 207 lowest level in the network hierarchy. However, such designs 208 introduce the problem of distributed control plane failures. This 209 observation calls for simpler and less control plane protocols to 210 reduce protocol interaction issues, reducing the chance of a network 211 meltdown. Minimizing software feature requirements as described in 212 the CAPEX section above also reduces testing and training 213 requirements. 215 2.4. Traffic Engineering 217 In any data center, application load balancing is a critical function 218 performed by network devices. Traditionally, load balancers are 219 deployed as dedicated devices in the traffic forwarding path. The 220 problem arises in scaling load balancers under growing traffic 221 demand. A preferable solution would be able to scale load balancing 222 layer horizontally, by adding more of the uniform nodes and 223 distributing incoming traffic across these nodes. In situations like 224 this, an ideal choice would be to use network infrastructure itself 225 to distribute traffic across a group of load balancers. The 226 combination of Anycast prefix advertisement [RFC4786] and Equal Cost 227 Multipath (ECMP) functionality can be used to accomplish this goal. 228 To allow for more granular load distribution, it is beneficial for 229 the network to support the ability to perform controlled per-hop 230 traffic engineering. For example, it is beneficial to directly 231 control the ECMP next-hop set for Anycast prefixes at every level of 232 network hierarchy. 234 2.5. Summarized Requirements 236 This section summarizes the list of requirements outlined in the 237 previous sections: 239 o REQ1: Select a topology that can be scaled "horizontally" by 240 adding more links and network devices of the same type without 241 requiring upgrades to the network elements themselves. 243 o REQ2: Define a narrow set of software features/protocols supported 244 by a multitude of networking equipment vendors. 246 o REQ3: Choose a routing protocol that has a simple implementation 247 in terms of programming code complexity and ease of operational 248 support. 250 o REQ4: Minimize the failure domain of equipment or protocol issues 251 as much as possible. 253 o REQ5: Allow for some traffic engineering, preferably via explicit 254 control of the routing prefix next-hop using built-in protocol 255 mechanics. 257 3. Data Center Topologies Overview 259 This section provides an overview of two general types of data center 260 designs - hierarchical (also known as tree based) and Clos based 261 network designs. 263 3.1. Traditional DC Topology 265 In the networking industry, a common design choice for data centers 266 typically look like a (upside down) tree with redundant uplinks and 267 three layers of hierarchy namely; core, aggregation/distribution and 268 access layers (see Figure 1). To accommodate bandwidth demands, each 269 higher layer, from server towards DC egress or WAN, has higher port 270 density and bandwidth capacity where the core functions as the 271 "trunk" of the tree based design. To keep terminology uniform and 272 for comparison with other designs, in this document these layers will 273 be referred to as Tier-1, Tier-2 and Tier-3 "tiers", instead of Core, 274 Aggregation or Access layers. 276 +------+ +------+ 277 | | | | 278 | |--| | Tier-1 279 | | | | 280 +------+ +------+ 281 | | | | 282 +---------+ | | +----------+ 283 | +-------+--+------+--+-------+ | 284 | | | | | | | | 285 +----+ +----+ +----+ +----+ 286 | | | | | | | | 287 | |-----| | | |-----| | Tier-2 288 | | | | | | | | 289 +----+ +----+ +----+ +----+ 290 | | | | 291 | | | | 292 | +-----+ | | +-----+ | 293 +-| |-+ +-| |-+ Tier-3 294 +-----+ +-----+ 295 | | | | | | 296 <- Servers -> <- Servers -> 298 Figure 1: Typical DC network topology 300 3.2. Clos Network topology 302 This section describes a common design for horizontally scalable 303 topology in large-scale data centers in order to meet REQ1. 305 3.2.1. Overview 307 A common choice for a horizontally scalable topology is a folded Clos 308 topology, sometimes called "fat-tree" (see, for example, [INTERCON] 309 and [ALFARES2008]). This topology features an odd number of stages 310 (sometimes known as dimensions) and is commonly made of uniform 311 elements, e.g. network switches with the same port count. Therefore, 312 the choice of folded Clos topology satisfies REQ1 and facilitates 313 REQ2. See Figure 2 below for an example of a folded 3-stage Clos 314 topology (3 stages counting Tier-2 stage twice, when tracing a packet 315 flow): 317 +-------+ 318 | |----------------------------+ 319 | |------------------+ | 320 | |--------+ | | 321 +-------+ | | | 322 +-------+ | | | 323 | |--------+---------+-------+ | 324 | |--------+-------+ | | | 325 | |------+ | | | | | 326 +-------+ | | | | | | 327 +-------+ | | | | | | 328 | |------+-+-------+-+-----+ | | 329 | |------+-+-----+ | | | | | 330 | |----+ | | | | | | | | 331 +-------+ | | | | | | ---------> M links 332 Tier-1 | | | | | | | | | 333 +-------+ +-------+ +-------+ 334 | | | | | | 335 | | | | | | Tier-2 336 | | | | | | 337 +-------+ +-------+ +-------+ 338 | | | | | | | | | 339 | | | | | | ---------> N Links 340 | | | | | | | | | 341 O O O O O O O O O Servers 343 Figure 2: 3-Stage Folded Clos topology 345 This topology is often also referred to as a "Leaf and Spine" 346 network, where "Spine" is the name given to the middle stage of the 347 Clos topology (Tier-1) and "Leaf" is the name of input/output stage 348 (Tier-2). For uniformity, this document will refer to these layers 349 using the "Tier-n" notation. 351 3.2.2. Clos Topology Properties 353 The following are some key properties of the Clos topology: 355 o The topology is fully non-blocking, or more accurately non- 356 interfering, if M >= N and oversubscribed by a factor of N/M 357 otherwise. Here M and N is the uplink and downlink port count 358 respectively, for a Tier-2 switch as shown in Figure 2. 360 o Utilizing this topology requires control and data plane support 361 for ECMP with a fan-out of M or more. 363 o Tier-1 switches have exactly one path to every server in this 364 topology. This is an important property that makes route 365 summarization dangerous in this topology (see Section 8.2 below). 367 o Traffic flowing from server to server is load balanced over all 368 available paths using ECMP. 370 3.2.3. Scaling the Clos topology 372 A Clos topology can be scaled either by increasing network element 373 port density or adding more stages, e.g. moving to a 5-stage Clos, as 374 illustrated in Figure 3 below: 376 Tier-1 377 +-----+ 378 Cluster | | 379 +----------------------------+ +--| |--+ 380 | | | +-----+ | 381 | Tier-2 | | | Tier-2 382 | +-----+ | | +-----+ | +-----+ 383 | +-------------| DEV |------+--| |--+--| |-------------+ 384 | | +-----| C |------+ | | +--| |-----+ | 385 | | | +-----+ | +-----+ +-----+ | | 386 | | | | | | 387 | | | +-----+ | +-----+ +-----+ | | 388 | | +-----------| DEV |------+ | | +--| |-----------+ | 389 | | | | +---| D |------+--| |--+--| |---+ | | | 390 | | | | | +-----+ | | +-----+ | +-----+ | | | | 391 | | | | | | | | | | | | 392 | +-----+ +-----+ | | +-----+ | +-----+ +-----+ 393 | | DEV | | DEV | | +--| |--+ | | | | 394 | | A | | B | Tier-3 | | | Tier-3 | | | | 395 | +-----+ +-----+ | +-----+ +-----+ +-----+ 396 | | | | | | | | | | 397 | O O O O | O O O O 398 | Servers | Servers 399 +----------------------------+ 401 Figure 3: 5-Stage Clos topology 403 The small example topology on Figure 3 is built from devices with a 404 port count of 4 and provides full bisectional bandwidth to all 405 connected servers. In this document, one set of directly connected 406 Tier-2 and Tier-3 devices along with their attached servers will be 407 referred to as a "cluster". For example, DEV A, B, C, D, and the 408 servers that connect to DEV A and B, on Figure 3 form a cluster. The 409 concept of a cluster may also be a useful concept as a single 410 deployment or maintenance unit which can be operated on at a 411 different frequency than the entire topology. 413 In practice, the Tier-3 layer of the network, which are typically top 414 of rack switches (ToRs), is where oversubscription is introduced to 415 allow for packaging of more servers in the data center while meeting 416 the bandwidth requirements for different types of applications. The 417 main reason to limit oversubscription at a single layer of the 418 network is to simplify application development that would otherwise 419 need to account for multiple bandwidth pools: within rack (Tier-3), 420 between racks (Tier-2), and between clusters (Tier-1). Since 421 oversubscription does not have a direct relationship to the routing 422 design it is not discussed further in this document. 424 3.2.4. Managing the Size of Clos Topology Tiers 426 If a data center network size is small, it is possible to reduce the 427 number of switches in Tier-1 or Tier-2 of Clos topology by a factor 428 of two. To understand how this could be done, take Tier-1 as an 429 example. Every Tier-2 device connects to a single group of Tier-1 430 devices. If half of the ports on each of the Tier-1 devices are not 431 being used then it is possible to reduce the number of Tier-1 devices 432 by half and simply map two uplinks from a Tier-2 device to the same 433 Tier-1 device that were previously mapped to different Tier-1 434 devices. This technique maintains the same bisectional bandwidth 435 while reducing the number of elements in the Tier-1 layer, thus 436 saving on CAPEX. The tradeoff, in this example, is the reduction of 437 maximum DC size in terms of overall server count by half. 439 In this example, Tier-2 devices will be using two parallel links to 440 connect to each Tier-1 device. If one of these links fails, the 441 other will pick up all traffic of the failed link, possible resulting 442 in heavy congestion and quality of service degradation if the path 443 determination procedure does not take bandwidth amount into account 444 since the number of upstream Tier-1 devices is likely wider than two. 445 To avoid this situation, parallel links can be grouped in link 446 aggregation groups (LAGs, such as [IEEE8023AD]) with widely available 447 implementation settings that take the whole "bundle" down upon a 448 single link failure. Equivalent techniques that enforce "fate 449 sharing" on the parallel links can be used in place of LAGs to 450 achieve the same effect. As a result of such fate-sharing, traffic 451 from two or more failed links will be re-balanced over the multitude 452 of remaining paths that equals the number of Tier-1 devices. This 453 example is using two links for simplicity, having more links in a 454 bundle will have less impact on capacity upon a member-link failure. 456 4. Data Center Routing Overview 458 This section provides an overview of three general types of data 459 center protocol designs - Layer 2 only, Hybrid L2/L3 and Layer 3 460 only. 462 4.1. Layer 2 Only Designs 464 Originally most data center designs used Spanning-Tree Protocol (STP) 465 originally defined in [IEEE8021D-1990] for loop free topology 466 creation, typically utilizing variants of the traditional DC topology 467 described in Section 3.1. At the time, many DC switches either did 468 not support Layer 3 routed protocols or supported it with additional 469 licensing fees, which played a part in the design choice. Although 470 many enhancements have been made through the introduction of Rapid 471 Spanning Tree Protocol (RSTP) in the latest revision of 472 [IEEE8021D-2004] and Multiple Spanning Tree Protocol (MST) specified 473 in [IEEE8021Q] that increase convergence, stability and load 474 balancing in larger topologies, many of the fundamentals of the 475 protocol limit its applicability in large-scale DCs. STP and its 476 newer variants use an active/standby approach to path selection and 477 are therefore hard to deploy in horizontally-scaled topologies as 478 described in Section 3.2. Further, operators have had many 479 experiences with large failures due to issues caused by improper 480 cabling, misconfiguration, or flawed software on a single device. 481 These failures regularly affected the entire spanning-tree domain and 482 were very hard to troubleshoot due to the nature of the protocol. 483 For these reasons, and since almost all DC traffic is now IP, 484 therefore requiring a Layer 3 routing protocol at the network edge 485 for external connectivity, designs utilizing STP usually fail all of 486 the requirements of large-scale DC operators. Various enhancements 487 to link-aggregation protocols such as [IEEE8023AD], generally known 488 as Multi-Chassis Link-Aggregation (M-LAG) made it possible to use 489 Layer 2 designs with active-active network paths while relying on STP 490 as the backup for loop prevention. The major downsides of this 491 approach are the lack of ability to scale linearly past two in most 492 implementations, lack of standards based implementations, and added 493 failure domain risk of keeping state between the devices. 495 It should be noted that building large, horizontally scalable, Layer 496 2 only networks without STP is possible recently through the 497 introduction of the TRILL protocol in [RFC6325]. TRILL resolves many 498 of the issues STP has for large-scale DC design however due to the 499 limited number of implementations, and often the requirement for 500 specific equipment that supports it, this has limited its 501 applicability and increased the cost of such designs. 503 Finally, neither the base TRILL specification nor the M-LAG approach 504 totally eliminate the problem of the shared broadcast domain, that is 505 so detrimental to the operations of any Layer 2, Ethernet based 506 solutions. Later TRILL extensions have been proposed to solve the 507 this problem statement primarily based on the approaches outlined in 508 [RFC7067], but this even further limits the number of available 509 interoperable implementations that can be used to build a fabric, 510 therefore TRILL based designs have issues meeting REQ2, REQ3, and 511 REQ4. 513 4.2. Hybrid L2/L3 Designs 515 Operators have sought to limit the impact of data plane faults and 516 build large-scale topologies through implementing routing protocols 517 in either the Tier-1 or Tier-2 parts of the network and dividing the 518 Layer 2 domain into numerous, smaller domains. This design has 519 allowed data centers to scale up, but at the cost of complexity in 520 the network managing multiple protocols. For the following reasons, 521 operators have retained Layer 2 in either the access (Tier-3) or both 522 access and aggregation (Tier-3 and Tier-2) parts of the network: 524 o Supporting legacy applications that may require direct Layer 2 525 adjacency or use non-IP protocols. 527 o Seamless mobility for virtual machines that require the 528 preservation of IP addresses when a virtual machine moves to 529 different Tier-3 switch. 531 o Simplified IP addressing = less IP subnets are required for the 532 data center. 534 o Application load balancing may require direct Layer 2 reachability 535 to perform certain functions such as Layer 2 Direct Server Return 536 (DSR). 538 o Continued CAPEX differences between Layer 2 and Layer 3 capable 539 switches. 541 4.3. Layer 3 Only Designs 543 Network designs that leverage IP routing down to Tier-3 of the 544 network have gained popularity as well. The main benefit of these 545 designs is improved network stability and scalability, as a result of 546 confining L2 broadcast domains. Commonly an Interior Gateway 547 Protocol (IGP) such as OSPF [RFC2328] is used as the primary routing 548 protocol in such a design. As data centers grow in scale, and server 549 count exceeds tens of thousands, such fully routed designs have 550 become more attractive. 552 Choosing a Layer 3 only design greatly simplifies the network, 553 facilitating the meeting of REQ1 and REQ2, and has widespread 554 adoption in networks where large Layer 2 adjacency and larger size 555 Layer 3 subnets are not as critical compared to network scalability 556 and stability. Application providers and network operators continue 557 to also develop new solutions to meet some of the requirements that 558 previously have driven large Layer 2 domains by using various overlay 559 or tunneling techniques. 561 5. Routing Protocol Selection and Design 563 In this section the motivations for using External BGP (EBGP) as the 564 single routing protocol for data center networks having a Layer 3 565 protocol design and Clos topology are reviewed. Then, a practical 566 approach for designing an EBGP based network is provided. 568 5.1. Choosing EBGP as the Routing Protocol 570 REQ2 would give preference to the selection of a single routing 571 protocol to reduce complexity and interdependencies. While it is 572 common to rely on an IGP in this situation, sometimes with either the 573 addition of EBGP at the device bordering the WAN or Internal BGP 574 (IBGP) throughout, this document proposes the use of an EBGP only 575 design. 577 Although EBGP is the protocol used for almost all inter-domain 578 routing on the Internet and has wide support from both vendor and 579 service provider communities, it is not generally deployed as the 580 primary routing protocol within the data center for a number of 581 reasons (some of which are interrelated): 583 o BGP is perceived as a "WAN only protocol only" and not often 584 considered for enterprise or data center applications. 586 o BGP is believed to have a "much slower" routing convergence 587 compared to IGPs. 589 o Large scale BGP deployments typically utilize an IGP for BGP next- 590 hop resolution as all nodes in the iBGP topology are not directly 591 connected. 593 o BGP is perceived to require significant configuration overhead and 594 does not support neighbor auto-discovery. 596 This document discusses some of these perceptions, especially as 597 applicable to the proposed design, and highlights some of the 598 advantages of using the protocol such as: 600 o BGP has less complexity in parts of its protocol design - internal 601 data structures and state machine are simpler as compared to most 602 link-state IGPs such as OSPF. For example, instead of 603 implementing adjacency formation, adjacency maintenance and/or 604 flow-control, BGP simply relies on TCP as the underlying 605 transport. This fulfills REQ2 and REQ3. 607 o BGP information flooding overhead is less when compared to link- 608 state IGPs. Since every BGP router calculates and propagates only 609 the best-path selected, a network failure is masked as soon as the 610 BGP speaker finds an alternate path, which exists when highly 611 symmetric topologies, such as Clos, are coupled with EBGP only 612 design. In contrast, the event propagation scope of a link-state 613 IGP is an entire area, regardless of the failure type. In this 614 way, BGP better meets REQ3 and REQ4. It is also worth mentioning 615 that all widely deployed link-state IGPs feature periodic 616 refreshes of routing information, even if this rarely causes 617 impact to modern router control planes, while BGP does not expire 618 routing state. 620 o BGP supports third-party (recursively resolved) next-hops. This 621 allows for manipulating multipath to be non-ECMP based or 622 forwarding based on application-defined paths, through 623 establishment of a peering session with an application 624 "controller" which can inject routing information into the system, 625 satisfying REQ5. OSPF provides similar functionality using 626 concepts such as "Forwarding Address", but with more difficulty in 627 implementation and far less control of information propagation 628 scope. 630 o Using a well-defined ASN allocation scheme and standard AS_PATH 631 loop detection, "BGP path hunting" (see [JAKMA2008]) can be 632 controlled and complex unwanted paths will be ignored. See 633 Section 5.2 for an example of a working ASN allocation scheme. In 634 a link-state IGP accomplishing the same goal would require multi- 635 (instance/topology/processes) support, typically not available in 636 all DC devices and quite complex to configure and troubleshoot. 637 Using a traditional single flooding domain, which most DC designs 638 utilize, under certain failure conditions may pick up unwanted 639 lengthy paths, e.g. traversing multiple Tier-2 devices. 641 o EBGP configuration that is implemented with minimal routing policy 642 is easier to troubleshoot for network reachability issues. In 643 most implementations, it is straightforward to view contents of 644 BGP Loc-RIB and compare it to the router's RIB. Also, in most 645 implementations an operator can view every BGP neighbors Adj-RIB- 646 In and Adj-RIB-Out structures and therefore incoming and outgoing 647 NLRI information can be easily correlated on both sides of a BGP 648 session. Thus, BGP satisfies REQ3. 650 5.2. EBGP Configuration for Clos topology 652 Clos topologies that have more than 5 stages are very uncommon due to 653 the large numbers of interconnects required by such a design. 654 Therefore, the examples below are made with reference to the 5-stage 655 Clos topology (in unfolded state). 657 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 659 The diagram below illustrates an example ASN allocation scheme. The 660 following is a list of guidelines that can be used: 662 o EBGP single-hop sessions are established over direct point-to- 663 point links interconnecting the network nodes, no multi-hop or 664 loopback sessions are used even in the case of multiple links 665 between the same pair of nodes. 667 o Private Use ASNs from the range 64512-65534 are used so as to 668 avoid ASN conflicts. 670 o A single ASN is allocated to all of the Clos topology's Tier-1 671 devices. 673 o A unique ASN is allocated to each set of Tier-2 devices in the 674 same cluster. 676 o A unique ASN is allocated to every Tier-3 device (e.g. ToR) in 677 this topology. 679 ASN 65534 680 +---------+ 681 | +-----+ | 682 | | | | 683 +-|-| |-|-+ 684 | | +-----+ | | 685 ASN 646XX | | | | ASN 646XX 686 +---------+ | | | | +---------+ 687 | +-----+ | | | +-----+ | | | +-----+ | 688 +-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+ 689 | +---|-| |-|-+ | | | | +-|-| |-|---+ | 690 | | | +-----+ | | +-----+ | | +-----+ | | | 691 | | | | | | | | | | 692 | | | | | | | | | | 693 | | | +-----+ | | +-----+ | | +-----+ | | | 694 | +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ | 695 | | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | | 696 | | | | | +-----+ | | | +-----+ | | | +-----+ | | | | | 697 | | | | +---------+ | | | | +---------+ | | | | 698 | | | | | | | | | | | | 699 +-----+ +-----+ | | +-----+ | | +-----+ +-----+ 700 | ASN | | | +-|-| |-|-+ | | | | 701 |65YYY| | ... | | | | | | ... | | ... | 702 +-----+ +-----+ | +-----+ | +-----+ +-----+ 703 | | | | +---------+ | | | | 704 O O O O <- Servers -> O O O O 706 Figure 4: BGP ASN layout for 5-stage Clos 708 5.2.2. Private Use ASNs 710 The original range of Private Use ASNs [RFC6996] limited operators to 711 1023 unique ASNs. Since it is quite likely that the number of 712 network devices may exceed this number, a workaround is required. 713 One approach is to re-use the ASNs assigned to the Tier-3 devices 714 across different clusters. For example, Private Use ASNs 65001, 715 65002 ... 65032 could be used within every individual cluster and 716 assigned to Tier-3 devices. 718 To avoid route suppression due to the AS_PATH loop detection 719 mechanism in BGP, upstream EBGP sessions on Tier-3 devices must be 720 configured with the "AllowAS In" feature [ALLOWASIN] that allows 721 accepting a device's own ASN in received route advertisements. 722 Introducing this feature does not make it likely for routing loops in 723 the design since the AS_PATH is being added to by routers at each of 724 the topology tiers and AS_PATH length is an early tie breaker in the 725 BGP path selection process. Further loop protection is still in 726 place at the Tier-1 device, which will not accept routes with a path 727 including its own ASN and Tier-2 devices do not have direct 728 connectivity with each other. 730 Another solution to this problem would be using Four-Octet ASNs 731 ([RFC6793]), where there are additional Private Use ASNs available, 732 see [IANA.AS]. Use of Four-Octet ASNs put additional protocol 733 complexity in the BGP implementation so should be considered against 734 the complexity of re-use when considering REQ3 and REQ4. Perhaps 735 more importantly, they are not yet supported by all BGP 736 implementations, which may limit vendor selection of DC equipment. 737 When supported, ensure that implementations in use are able to remove 738 the Private Use ASNs if required for external connectivity 739 (Section 5.2.4). 741 5.2.3. Prefix Advertisement 743 A Clos topology features a large number of point-to-point links and 744 associated prefixes. Advertising all of these routes into BGP may 745 create FIB overload conditions in the network devices. Advertising 746 these links also puts additional path computation stress on the BGP 747 control plane for little benefit. There are two possible solutions: 749 o Do not advertise any of the point-to-point links into BGP. Since 750 the EBGP-based design changes the next-hop address at every 751 device, distant networks will automatically be reachable via the 752 advertising EBGP peer and do not require reachability to these 753 prefixes. However, this may complicate operations or monitoring: 754 e.g. using the popular "traceroute" tool will display IP addresses 755 that are not reachable. 757 o Advertise point-to-point links, but summarize them on every 758 device. This requires an address allocation scheme such as 759 allocating a consecutive block of IP addresses per Tier-1 and 760 Tier-2 device to be used for point-to-point interface addressing 761 to the lower layers (Tier-2 uplinks will be numbered out of Tier-1 762 addressing and so forth). 764 Server subnets on Tier-3 devices must be announced into BGP without 765 using route summarization on Tier-2 and Tier-1 devices. Summarizing 766 subnets in a Clos topology results in route black-holing under a 767 single link failure (e.g. between Tier-2 and Tier-3 devices) and 768 hence must be avoided. The use of peer links within the same tier to 769 resolve the black-holing problem by providing "bypass paths" is 770 undesirable due to O(N^2) complexity of the peering mesh and waste of 771 ports on the devices. An alternative to the full-mesh of peer-links 772 would be using a simpler bypass topology, e.g. a "ring" as described 773 in [FB4POST], but such a topology adds extra hops and has very 774 limited bisection bandwidth, in addition requiring special tweaks to 775 make BGP routing work - such as possibly splitting every device into 776 an ASN on its own. Later in this document, Section 8.2 introduces a 777 less intrusive method for performing a limited form route 778 summarization in Clos networks and discusses it's associated trade- 779 offs. 781 5.2.4. External Connectivity 783 A dedicated cluster (or clusters) in the Clos topology could be used 784 for the purpose of connecting to the Wide Area Network (WAN) edge 785 devices, or WAN Routers. Tier-3 devices in such cluster would be 786 replaced with WAN routers, and EBGP peering would be used again, 787 though WAN routers are likely to belong to a public ASN if Internet 788 connectivity is required in the design. The Tier-2 devices in such a 789 dedicated cluster will be referred to as "Border Routers" in this 790 document. These devices have to perform a few special functions: 792 o Hide network topology information when advertising paths to WAN 793 routers, i.e. remove Private Use ASNs [RFC6996] from the AS_PATH 794 attribute. This is typically done to avoid ASN number collisions 795 between different data centers and also to provide a uniform 796 AS_PATH length to the WAN for purposes of WAN ECMP to Anycast 797 prefixes originated in the topology. An implementation specific 798 BGP feature typically called "Remove Private AS" is commonly used 799 to accomplish this. Depending on implementation, the feature 800 should strip a contiguous sequence of Private Use ASNs found in 801 AS_PATH attribute prior to advertising the path to a neighbor. 802 This assumes that all ASNs used for intra data center numbering 803 are from the Private Use ranges. The process for stripping the 804 Private Use ASNs is not currently standardized, see 805 [I-D.mitchell-grow-remove-private-as]. However most 806 implementations at least follow the logic described in this 807 vendor's document [VENDOR-REMOVE-PRIVATE-AS], which is enough for 808 the design specified. 810 o Originate a default route to the data center devices. This is the 811 only place where default route can be originated, as route 812 summarization is risky for the "scale-out" topology. 813 Alternatively, Border Routers may simply relay the default route 814 learned from WAN routers. Advertising the default route from 815 Border Routers requires that all Border Routers be fully connected 816 to the WAN Routers upstream, to provide resistance to a single- 817 link failure causing the black-holing of traffic. To prevent 818 black-holing in the situation when all of the EBGP sessions to the 819 WAN routers fail simultaneously on a given device it is more 820 desirable to take the "relaying" approach rather than introducing 821 the default route via complicated conditional route origination 822 schemes provided by some implementations [CONDITIONALROUTE]. 824 5.2.5. Route Summarization at the Edge 826 It is often desirable to summarize network reachability information 827 prior to advertising it to the WAN network due to high amount of IP 828 prefixes originated from within the data center in a fully routed 829 network design. For example, a network with 2000 Tier-3 devices will 830 have at least 2000 servers subnets advertised into BGP, along with 831 the infrastructure or other prefixes. However, as discussed before, 832 the proposed network design does not allow for route summarization 833 due to the lack of peer links inside every tier. 835 However, it is possible to lift this restriction for the Border 836 Routers, by devising a different connectivity model for these 837 devices. There are two options possible: 839 o Interconnect the Border Routers using a full-mesh of physical 840 links or using any other "peer-mesh" topology, such as ring or 841 hub-and-spoke. Configure BGP accordingly on all Border Leafs to 842 exchange network reachability information - e.g. by adding a mesh 843 of IBGP sessions. The interconnecting peer links need to be 844 appropriately sized for traffic that will be present in the case 845 of a device or link failure underneath the Border Routers. 847 o Tier-1 devices may have additional physical links provisioned 848 toward the Border Routers (which are Tier-2 devices from the 849 perspective of Tier-1). Specifically, if protection from a single 850 link or node failure is desired, each Tier-1 devices would have to 851 connect to at least two Border Routers. This puts additional 852 requirements on the port count for Tier-1 devices and Border 853 Routers, potentially making it a non-uniform, larger port count, 854 device compared with the other devices in the Clos. This also 855 reduces the number of ports available to "regular" Tier-2 switches 856 and hence the number of clusters that could be interconnected via 857 Tier-1 layer. 859 If any of the above options are implemented, it is possible to 860 perform route summarization at the Border Routers toward the WAN 861 network core without risking a routing black-hole condition under a 862 single link failure. Both of the options would result in non-uniform 863 topology as additional links have to be provisioned on some network 864 devices. 866 6. ECMP Considerations 868 This section covers the Equal Cost Multipath (ECMP) functionality for 869 Clos topology and discusses a few special requirements. 871 6.1. Basic ECMP 873 ECMP is the fundamental load sharing mechanism used by a Clos 874 topology. Effectively, every lower-tier device will use all of its 875 directly attached upper-tier devices to load share traffic destined 876 to the same IP prefix. Number of ECMP paths between any two Tier-3 877 devices in Clos topology equals to the number of the devices in the 878 middle stage (Tier-1). For example, Figure 5 illustrates the 879 topology where Tier-3 device A has four paths to reach servers X and 880 Y, via Tier-2 devices B and C and then Tier-1 devices 1, 2, 3, and 4 881 respectively. 883 Tier-1 884 +-----+ 885 | DEV | 886 +->| 1 |--+ 887 | +-----+ | 888 Tier-2 | | Tier-2 889 +-----+ | +-----+ | +-----+ 890 +------------>| DEV |--+->| DEV |--+--| |-------------+ 891 | +-----| B |--+ | 2 | +--| |-----+ | 892 | | +-----+ +-----+ +-----+ | | 893 | | | | 894 | | +-----+ +-----+ +-----+ | | 895 | +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ | 896 | | | +---| C |--+->| 3 |--+--| |---+ | | | 897 | | | | +-----+ | +-----+ | +-----+ | | | | 898 | | | | | | | | | | 899 +-----+ +-----+ | +-----+ | +-----+ +-----+ 900 | DEV | | | Tier-3 +->| DEV |--+ Tier-3 | | | | 901 | A | | | | 4 | | | | | 902 +-----+ +-----+ +-----+ +-----+ +-----+ 903 | | | | | | | | 904 O O O O <- Servers -> X Y O O 906 Figure 5: ECMP fan-out tree from A to X and Y 908 The ECMP requirement implies that the BGP implementation must support 909 multipath fan-out for up to the maximum number of devices directly 910 attached at any point in the topology in upstream or downstream 911 direction. Normally, this number does not exceed half of the ports 912 found on a device in the topology. For example, an ECMP fan-out of 913 32 would be required when building a Clos network using 64-port 914 devices. The Border Routers may need to have wider fan-out to be 915 able to connect to multitude of Tier-1 devices if route summarization 916 at Border Router level is implemented as described in Section 5.2.5. 917 If a device's hardware does not support wider ECMP, logical link- 918 grouping (link-aggregation at layer 2) could be used to provide 919 "hierarchical" ECMP (Layer 3 ECMP followed by Layer 2 ECMP) to 920 compensate for fan-out limitations. Such approach, however, 921 increases the risk of flow polarization, as less entropy will be 922 available to the second stage of ECMP. 924 Most BGP implementations declare paths to be equal from an ECMP 925 perspective if they match up to and including step (e) in 926 Section 9.1.2.2 of [RFC4271]. In the proposed network design there 927 is no underlying IGP, so all IGP costs are assumed to be zero or 928 otherwise the same value across all paths and policies may be applied 929 as necessary to equalize BGP attributes that vary in vendor defaults, 930 such as MED and origin code. For historical reasons it is also 931 useful to not use 0 as the equalized MED value; this and some other 932 useful BGP information is available in [RFC4277] . Routing loops are 933 unlikely due to the BGP best-path selection process which prefers 934 shorter AS_PATH length, and longer paths through the Tier-1 devices 935 which don't allow their own ASN in the path and have the same ASN are 936 also not possible. 938 6.2. BGP ECMP over Multiple ASNs 940 For application load balancing purposes it is desirable to have the 941 same prefix advertised from multiple Tier-3 devices. From the 942 perspective of other devices, such a prefix would have BGP paths with 943 different AS_PATH attribute values, while having the same AS_PATH 944 attribute lengths. Therefore, BGP implementations must support load 945 sharing over above-mentioned paths. This feature is sometimes known 946 as "multipath relax" or "multipath multiple-as" and effectively 947 allows for ECMP to be done across different neighboring ASNs if all 948 other attributes are equal as already described in the previous 949 section. 951 6.3. Weighted ECMP 953 It may be desirable for the network devices to implement "weighted" 954 ECMP, to be able to send more traffic over some paths in ECMP fan- 955 out. This could be helpful to compensate for failures in the network 956 and send more traffic over paths that have more capacity. The 957 prefixes that require weighted ECMP would have to be injected using 958 remote BGP speaker (central agent) over a multihop session as 959 described further in Section 8.1. If support in implementations is 960 available, weight-distribution for multiple BGP paths could be 961 signaled using the technique described in 962 [I-D.ietf-idr-link-bandwidth]. 964 6.4. Consistent Hashing 966 It is often desirable to have the hashing function used for ECMP to 967 be consistent (see [CONS-HASH]), to minimize the impact on flow to 968 next-hop affinity changes when a next-hop is added or removed to ECMP 969 group. This could be used if the network device is used as a load 970 balancer, mapping flows toward multiple destinations - in this case, 971 losing or adding a destination will not have detrimental effect of 972 currently established flows. One particular recommendation on 973 implementing consistent hashing is provided in [RFC2992], though 974 other implementations are possible. This functionality could be 975 naturally combined with weighted ECMP, with the impact of the next- 976 hop changes being proportional to the weight of the given next-hop. 977 The downside of consistent hashing is increased load on hardware 978 resource utilization, as typically more space is required to 979 implement a consistent-hashing region. 981 7. Routing Convergence Properties 983 This section reviews routing convergence properties in the proposed 984 design. A case is made that sub-second convergence is achievable if 985 the implementation supports fast EBGP peering session deactivation 986 and timely RIB and FIB update upon failure of the associated link. 988 7.1. Fault Detection Timing 990 BGP typically relies on an IGP to route around link/node failures 991 inside an AS, and implements either a polling based or an event- 992 driven mechanism to obtain updates on IGP state changes. The 993 proposed routing design does not use an IGP, so the remaining 994 mechanisms that could be used for fault detection are BGP keep-alive 995 process (or any other type of keep-alive mechanism) and link-failure 996 triggers. 998 Relying solely on BGP keep-alive packets may result in high 999 convergence delays, in the order of multiple seconds (on many BGP 1000 implementations the minimum configurable BGP hold timer value is 1001 three seconds). However, many BGP implementations can shut down 1002 local EBGP peering sessions in response to the "link down" event for 1003 the outgoing interface used for BGP peering. This feature is 1004 sometimes called as "fast fallover". Since links in modern data 1005 centers are predominantly point-to-point fiber connections, a 1006 physical interface failure is often detected in milliseconds and 1007 subsequently triggers a BGP re-convergence. 1009 Ethernet links may support failure signaling or detection standards 1010 such as Connectivity Fault Management (CFM) as described in 1011 [IEEE8021Q], which may make failure detection more robust. 1013 Alternatively, some platforms may support Bidirectional Forwarding 1014 Detection (BFD) [RFC5880] to allow for sub-second failure detection 1015 and fault signaling to the BGP process. However, use of either of 1016 these presents additional requirements to vendor software and 1017 possibly hardware, and may contradict REQ1. Until recently with 1018 [RFC7130], BFD also did not allow detection of a single member link 1019 failure on a LAG, which would have limited its usefulness in some 1020 designs. 1022 7.2. Event Propagation Timing 1024 In the proposed design the impact of BGP Minimum Route Advertisement 1025 Interval (MRAI) timer (See section 9.2.1.1 of [RFC4271]) should be 1026 considered. Per the standard it is required for BGP implementations 1027 to space out consecutive BGP UPDATE messages by at least MRAI 1028 seconds, which is often a configurable value. The initial BGP UPDATE 1029 messages after an event carrying withdrawn routes are commonly not 1030 affected by this timer. The MRAI timer may present significant 1031 convergence delays when a BGP speaker "waits" for the new path to be 1032 learned from its peers and has no local backup path information. 1034 In a Clos topology each EBGP speaker typically has either one path 1035 (Tier-2 devices don't accept paths from other Tier-2 in the same 1036 cluster due to same ASN) or N paths for the same prefix, where N is a 1037 significantly large number, e.g. N=32 (the ECMP fan-out to the next 1038 Tier). Therefore, if a link fails to another device from which a 1039 path is received there is either no backup path at all (e.g. from 1040 perspective of a Tier-2 switch losing link to a Tier-3 device), or 1041 the backup is readily available in BGP Loc-RIB (e.g. from perspective 1042 of a Tier-2 device losing link to a Tier-1 switch). In the former 1043 case, the BGP withdrawal announcement will propagate un-delayed and 1044 trigger re-convergence on affected devices. In the latter case, the 1045 best-path will be re-evaluated and the local ECMP group corresponding 1046 to the new next-hop set changed. If the BGP path was the best-path 1047 selected previously, an "implicit withdraw" will be sent via a BGP 1048 UPDATE message as described as Option b in Section 3.1 of [RFC4271] 1049 due to the BGP AS_PATH attribute changing. 1051 7.3. Impact of Clos Topology Fan-outs 1053 Clos topology has large fan-outs, which may impact the "Up->Down" 1054 convergence in some cases, as described in this section. In a 1055 situation when a link between Tier-3 and Tier-2 device fails, the 1056 Tier-2 device will send BGP UPDATE messages to all upstream Tier-1 1057 devices, withdrawing the affected prefixes. The Tier-1 devices, in 1058 turn, will relay those messages to all downstream Tier-2 devices 1059 (except for the originator). Tier-2 devices other than the one 1060 originating the UPDATE should then wait for ALL upstream Tier-1 1061 devices to send an UPDATE message before removing the affected 1062 prefixes and sending corresponding UPDATE downstream to connected 1063 Tier-3 devices. If the original Tier-2 device or the relaying Tier-1 1064 devices introduce some delay into their UPDATE message announcements, 1065 the result could be UPDATE message "dispersion", that could be as 1066 long as multiple seconds. In order to avoid such a behavior, BGP 1067 implementations must support "update groups". The "update group" is 1068 defined as a collection of neighbors sharing the same outbound policy 1069 - the local speaker will send BGP updates to the members of the group 1070 synchronously. 1072 The impact of such "dispersion" grows with the size of topology fan- 1073 out and could also grow under network convergence churn. Some 1074 operators may be tempted to introduce "route flap dampening" type 1075 features that vendors include to reduce the control plane impact of 1076 rapidly flapping prefixes. However, due to issues described with 1077 false positives in these implementations especially under such 1078 "dispersion" events, it is not recommended to turn this feature on in 1079 this design. More background and issues with "route flap dampening" 1080 and possible implementation changes that could affect this are well 1081 described in [RFC7196]. 1083 7.4. Failure Impact Scope 1085 A network is declared to converge in response to a failure once all 1086 devices within the failure impact scope are notified of the event and 1087 have re-calculated their RIB's and consequently updated their FIB's. 1088 Larger failure impact scope typically means slower convergence since 1089 more devices have to be notified, and additionally results in a less 1090 stable network. In this section we describe BGP's advantages over 1091 link-state routing protocols in reducing failure impact scope for a 1092 Clos topology. 1094 BGP behaves like a distance-vector protocol in the sense that only 1095 the best path from the point of view of the local router is sent to 1096 neighbors. As such, some failures are masked if the local node can 1097 immediately find a backup path and does not have to send any updates 1098 further. Notice that in the worst case ALL devices in a data center 1099 topology have to either withdraw a prefix completely or update the 1100 ECMP groups in the FIB. However, many failures will not result in 1101 such a wide impact. There are two main failure types where impact 1102 scope is reduced: 1104 o Failure of a link between Tier-2 and Tier-1 devices: In this case, 1105 a Tier-2 device will update the affected ECMP groups, removing the 1106 failed link. There is no need to send new information to 1107 downstream Tier-3 devices, unless the path was selected as best by 1108 the BGP process, in which case only an "implicit withdraw" needs 1109 to be sent, which should not affect forwarding. The affected 1110 Tier-1 device will lose the only path available to reach a 1111 particular cluster and will have to withdraw the associated 1112 prefixes. Such prefix withdrawal process will only affect Tier-2 1113 devices directly connected to the affected Tier-1 device. The 1114 Tier-2 devices receiving the BGP UPDATE messages withdrawing 1115 prefixes will simply have to update their ECMP groups. The Tier-3 1116 devices are not involved in the re-convergence process. 1118 o Failure of a Tier-1 device: In this case, all Tier-2 devices 1119 directly attached to the failed node will have to update their 1120 ECMP groups for all IP prefixes from non-local cluster. The 1121 Tier-3 devices are once again not involved in the re-convergence 1122 process, but may receive "implicit withdraws" as described above. 1124 Even though in case of such failures multiple IP prefixes will have 1125 to be reprogrammed in the FIB, it is worth noting that ALL of these 1126 prefixes share a single ECMP group on Tier-2 device. Therefore, in 1127 the case of implementations with a hierarchical FIB, only a single 1128 change has to be made to the FIB. Hierarchical FIB here means FIB 1129 structure where the next-hop forwarding information is stored 1130 separately from the prefix lookup table, and the latter only stores 1131 pointers to the respective forwarding information. 1133 Even though BGP offers reduced failure scope for some cases, further 1134 reduction of the fault domain using summarization is not always 1135 possible with the proposed design, since using this technique may 1136 create routing black-holes as mentioned previously. Therefore, the 1137 worst control plane failure impact scope is the network as a whole, 1138 for instance in a case of a link failure between Tier-2 and Tier-3 1139 devices. The amount of impacted prefixes in this case would be much 1140 less than in the case of a failure in the upper layers of a Clos 1141 network topology. The property of having such large failure scope is 1142 not a result of choosing EBGP in the design but rather a result of 1143 using the "scale-out" Clos topology. 1145 7.5. Routing Micro-Loops 1147 When a downstream device, e.g. Tier-2 device, loses all paths for a 1148 prefix, it normally has the default route pointing toward the 1149 upstream device, in this case the Tier-1 device. As a result, it is 1150 possible to get in the situation when Tier-2 switch loses a prefix, 1151 but Tier-1 switch still has the path pointing to the Tier-2 device, 1152 which results in transient micro-loop, since Tier-1 switch will keep 1153 passing packets to the affected prefix back to Tier-2 device, and 1154 Tier-2 will bounce it back again using the default route. This 1155 micro-loop will last for the duration of time it takes the upstream 1156 device to fully update its forwarding tables. 1158 To minimize impact of the micro-loops, Tier-2 and Tier-1 switches can 1159 be configured with static "discard" or "null" routes that will be 1160 more specific than the default route for prefixes missing during 1161 network convergence. For Tier-2 switches, the discard route should 1162 be a summary route, covering all server subnets of the underlying 1163 Tier-3 devices. For Tier-1 devices, the discard route should be a 1164 summary covering the server IP address subnets allocated for the 1165 whole data center. Those discard routes will only take precedence 1166 for the duration of network convergence, until the device learns a 1167 more specific prefix via a new path. 1169 8. Additional Options for Design 1171 8.1. Third-party Route Injection 1173 BGP allows for a "third-party", i.e. directly attached, BGP speaker 1174 to inject routes anywhere in the network topology, meeting REQ5. 1175 This can be achieved by peering via a multihop BGP session with some 1176 or even all devices in the topology. Furthermore, BGP diverse path 1177 distribution [RFC6774] could be used to inject multiple BGP next hops 1178 for the same prefix to facilitate load balancing, or using the BGP 1179 ADD-PATH capability [I-D.ietf-idr-add-paths] if supported by the 1180 implementation. Unfortunately, in many implementations ADD-PATH has 1181 been found to only support IBGP properly due to the use cases it was 1182 originally optimized for, which limits the "third-party" peering to 1183 IBGP only, if the feature is used. 1185 To implement route injection in the proposed design, a third-party 1186 BGP speaker may peer with Tier-3 and Tier-1 switches, injecting the 1187 same prefix, but using a special set of BGP next-hops for Tier-1 1188 devices. Those next-hops are assumed to resolve recursively via BGP, 1189 and could be, for example, IP addresses on Tier-3 devices. The 1190 resulting forwarding table programming could provide desired traffic 1191 proportion distribution among different clusters. 1193 8.2. Route Summarization within Clos Topology 1195 As mentioned previously, route summarization is not possible within 1196 the proposed Clos topology since it makes the network susceptible to 1197 route black-holing under single link failures. The main problem is 1198 the limited number of redundant paths between network elements, e.g. 1199 there is only a single path between any pair of Tier-1 and Tier-3 1200 devices. However, some operators may find route aggregation 1201 desirable to improve control plane stability. 1203 If planning on using any technique to summarize within the topology 1204 modeling of the routing behavior and potential for black-holing 1205 should be done not only for single or multiple link failures, but 1206 also fiber pathway failures or optical domain failures if the 1207 topology extends beyond a physical location. Simple modeling can be 1208 done by checking the reachability on devices doing summarization 1209 under the condition of a link or pathway failure between a set of 1210 devices in every tier as well as to the WAN routers if external 1211 connectivity is present. 1213 Route summarization would be possible with a small modification to 1214 the network topology, though the trade-off would be reduction of the 1215 total size of the network as well as network congestion under 1216 specific failures. This approach is very similar to the technique 1217 described above, which allows Border Routers to summarize the entire 1218 data center address space. 1220 8.2.1. Collapsing Tier-1 Devices Layer 1222 In order to add more paths between Tier-1 and Tier-3 devices, group 1223 Tier-2 devices into pairs, and then connect the pairs to the same 1224 group of Tier-1 devices. This is logically equivalent to 1225 "collapsing" Tier-1 devices into a group of half the size, merging 1226 the links on the "collapsed" devices. The result is illustrated in 1227 Figure 6. For example, in this topology DEV C and DEV D connect to 1228 the same set of Tier-1 devices (DEV 1 and DEV 2), whereas before they 1229 were connecting to different groups of Tier-1 devices. 1231 Tier-2 Tier-1 Tier-2 1232 +-----+ +-----+ +-----+ 1233 +-------------| DEV |------| DEV |------| |-------------+ 1234 | +-----| C |--++--| 1 |--++--| |-----+ | 1235 | | +-----+ || +-----+ || +-----+ | | 1236 | | || || | | 1237 | | +-----+ || +-----+ || +-----+ | | 1238 | +-----+-----| DEV |--++--| DEV |--++--| |-----+-----+ | 1239 | | | +---| D |------| 2 |------| |---+ | | | 1240 | | | | +-----+ +-----+ +-----+ | | | | 1241 | | | | | | | | 1242 +-----+ +-----+ +-----+ +-----+ 1243 | DEV | | DEV | | | | | 1244 | A | | B | Tier-3 Tier-3 | | | | 1245 +-----+ +-----+ +-----+ +-----+ 1246 | | | | | | | | 1247 O O O O <- Servers -> O O O O 1249 Figure 6: 5-Stage Clos topology 1251 Having this design in place, Tier-2 devices may be configured to 1252 advertise only a default route down to Tier-3 devices. If a link 1253 between Tier-2 and Tier-3 fails, the traffic will be re-routed via 1254 the second available path known to a Tier-2 switch. It is still not 1255 possible to advertise a summary route covering prefixes for a single 1256 cluster from Tier-2 devices since each of them has only a single path 1257 down to this prefix. It would require dual-homed servers to 1258 accomplish that. Also note that this design is only resilient to 1259 single link failure. It is possible for a double link failure to 1260 isolate a Tier-2 device from all paths toward a specific Tier-3 1261 device, thus causing a routing black-hole. 1263 A result of the proposed topology modification would be reduction of 1264 Tier-1 devices port capacity. This limits the maximum number of 1265 attached Tier-2 devices and therefore will limit the maximum DC 1266 network size. A larger network would require different Tier-1 1267 devices that have higher port density to implement this change. 1269 Another problem is traffic re-balancing under link failures. Since 1270 three are two paths from Tier-1 to Tier-3, a failure of the link 1271 between Tier-1 and Tier-2 switch would result in all traffic that was 1272 taking the failed link to switch to the remaining path. This will 1273 result in doubling of link utilization on the remaining link. 1275 8.2.2. Simple Virtual Aggregation 1277 A completely different approach to route summarization is possible, 1278 provided that the main goal is to reduce the FIB pressure, while 1279 allowing the control plane to disseminate full routing information. 1280 Firstly, it could be easily noted that in many cases multiple 1281 prefixes, some of which are less specific, share the same set of the 1282 next-hops (same ECMP group). For example, looking from the 1283 perspective of a Tier-3 devices, all routes learned from upstream 1284 Tier-2's, including the default route, will share the same set of BGP 1285 next-hops, provided that there are no failures in the network. This 1286 makes it possible to use the technique similar to described in 1287 [RFC6769] and only install the least specific route in the FIB, 1288 ignoring more specific routes if they share the same next-hop set. 1289 For example, under normal network conditions, only the default route 1290 need to be programmed into FIB. 1292 Furthermore, if the Tier-2 devices are configured with summary 1293 prefixes covering all of their attached Tier-3 device's prefixes the 1294 same logic could be applied in Tier-1 devices as well, and, by 1295 induction to Tier-2/Tier-3 switches in different clusters. These 1296 summary routes should still allow for more specific prefixes to leak 1297 to Tier-1 devices, to enable for detection of mismatches in the next- 1298 hop sets if a particular link fails, changing the next-hop set for a 1299 specific prefix. 1301 Re-stating once again, this technique does not reduce the amount of 1302 control plane state (i.e. BGP UPDATEs/BGP LocRIB sizing), but only 1303 allows for more efficient FIB utilization, by spotting more specific 1304 prefixes that share their next-hops with less specifics. 1306 8.3. ICMP Unreachable Message Masquerading 1308 This section discusses some operational aspects of not advertising 1309 point-to-point link subnets into BGP, as previously outlined as an 1310 option in Section 5.2.3. The operational impact of this decision 1311 could be seen when using the well-known "traceroute" tool. 1312 Specifically, IP addresses displayed by the tool will be the link's 1313 point-to-point addresses, and hence will be unreachable for 1314 management connectivity. This makes some troubleshooting more 1315 complicated. 1317 One way to overcome this limitation is by using the DNS subsystem to 1318 create the "reverse" entries for the IP addresses of the same device 1319 pointing to the same name. The connectivity then can be made by 1320 resolving this name to the "primary" IP address of the devices, e.g. 1321 its Loopback interface, which is always advertised into BGP. 1322 However, this creates a dependency on the DNS subsystem, which may be 1323 unavailable during an outage. 1325 Another option is to make the network device perform IP address 1326 masquerading, that is rewriting the source IP addresses of the 1327 appropriate ICMP messages sent off of the device with the "primary" 1328 IP address of the device. Specifically, the ICMP Destination 1329 Unreachable Message (type 3) codes 3 (port unreachable) and ICMP Time 1330 Exceeded (type 11) code 0, which are involved in proper working of 1331 the "traceroute" tool. With this modification, the "traceroute" 1332 probes sent to the devices will always be sent back with the 1333 "primary" IP address as the source, allowing the operator to discover 1334 the "reachable" IP address of the box. This has the downside of 1335 hiding the address of the "entry point" into the device. 1337 9. Security Considerations 1339 The design does not introduce any additional security concerns. 1340 General BGP security considerations are discussed in [RFC4271] and 1341 [RFC4272]. Furthermore, the Generalized TTL Security Mechanism 1342 [RFC5082] could be used to reduce the risk of BGP session spoofing. 1344 10. IANA Considerations 1346 This document includes no request to IANA. 1348 11. Acknowledgements 1350 This publication summarizes work of many people who participated in 1351 developing, testing and deploying the proposed network design, some 1352 of whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, 1353 Robert Toomey, and Lihua Yuan. Authors would also like to thank 1354 Linda Dunbar, Anoop Ghanwani, Susan Hares, Danny McPherson, Robert 1355 Raszuk and Russ White for reviewing this document and providing 1356 valuable feedback and Mary Mitchell for initial grammar and style 1357 suggestions. 1359 12. References 1361 12.1. Normative References 1363 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 1364 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 1365 DOI 10.17487/RFC4271, January 2006, 1366 . 1368 [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for 1369 Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 1370 2013, . 1372 12.2. Informative References 1374 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, 1375 DOI 10.17487/RFC2328, April 1998, 1376 . 1378 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path 1379 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, 1380 . 1382 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", 1383 RFC 4272, DOI 10.17487/RFC4272, January 2006, 1384 . 1386 [RFC4277] McPherson, D. and K. Patel, "Experience with the BGP-4 1387 Protocol", RFC 4277, DOI 10.17487/RFC4277, January 2006, 1388 . 1390 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 1391 Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, 1392 December 2006, . 1394 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C. 1395 Pignataro, "The Generalized TTL Security Mechanism 1396 (GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007, 1397 . 1399 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 1400 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 1401 . 1403 [RFC6325] Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and A. 1404 Ghanwani, "Routing Bridges (RBridges): Base Protocol 1405 Specification", RFC 6325, DOI 10.17487/RFC6325, July 2011, 1406 . 1408 [RFC6769] Raszuk, R., Heitz, J., Lo, A., Zhang, L., and X. Xu, 1409 "Simple Virtual Aggregation (S-VA)", RFC 6769, 1410 DOI 10.17487/RFC6769, October 2012, 1411 . 1413 [RFC6774] Raszuk, R., Ed., Fernando, R., Patel, K., McPherson, D., 1414 and K. Kumaki, "Distribution of Diverse BGP Paths", 1415 RFC 6774, DOI 10.17487/RFC6774, November 2012, 1416 . 1418 [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet 1419 Autonomous System (AS) Number Space", RFC 6793, 1420 DOI 10.17487/RFC6793, December 2012, 1421 . 1423 [RFC7067] Dunbar, L., Eastlake 3rd, D., Perlman, R., and I. 1424 Gashinsky, "Directory Assistance Problem and High-Level 1425 Design Proposal", RFC 7067, DOI 10.17487/RFC7067, November 1426 2013, . 1428 [RFC7130] Bhatia, M., Ed., Chen, M., Ed., Boutros, S., Ed., 1429 Binderberger, M., Ed., and J. Haas, Ed., "Bidirectional 1430 Forwarding Detection (BFD) on Link Aggregation Group (LAG) 1431 Interfaces", RFC 7130, DOI 10.17487/RFC7130, February 1432 2014, . 1434 [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O. 1435 Maennel, "Making Route Flap Damping Usable", RFC 7196, 1436 DOI 10.17487/RFC7196, May 2014, 1437 . 1439 [I-D.ietf-idr-add-paths] 1440 Walton, D., Retana, A., Chen, E., and J. Scudder, 1441 "Advertisement of Multiple Paths in BGP", draft-ietf-idr- 1442 add-paths-10 (work in progress), October 2014. 1444 [I-D.ietf-idr-link-bandwidth] 1445 Mohapatra, P. and R. Fernando, "BGP Link Bandwidth 1446 Extended Community", draft-ietf-idr-link-bandwidth-06 1447 (work in progress), January 2013. 1449 [I-D.mitchell-grow-remove-private-as] 1450 Mitchell, J., Rao, D., and R. Raszuk, "Private Autonomous 1451 System (AS) Removal Requirements", draft-mitchell-grow- 1452 remove-private-as-04 (work in progress), April 2015. 1454 [CLOS1953] 1455 Clos, C., "A Study of Non-Blocking Switching Networks: 1456 Bell System Technical Journal Vol. 32(2)", March 1953. 1458 [HADOOP] Apache, , "Apache HaDoop", August 2015, 1459 . 1461 [GREENBERG2009] 1462 Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a 1463 Cloud: Research Problems in Data Center Networks", January 1464 2009. 1466 [IEEE8021D-1990] 1467 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1468 Area Networks--Media access control (MAC) Bridges", May 1469 1990. 1471 [IEEE8021D-2004] 1472 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1473 Area Networks--Media access control (MAC) Bridges", 1474 February 2004. 1476 [IEEE8021Q] 1477 IEEE 802.1Q, , "IEEE Standard for Local and metropolitan 1478 area networks--Bridges and Bridged Networks", December 1479 2014. 1481 [INTERCON] 1482 Dally, W. and B. Towles, "Principles and Practices of 1483 Interconnection Networks", ISBN 978-0122007514, January 1484 2004. 1486 [ALFARES2008] 1487 Al-Fares, M., Loukissas, A., and A. Vahdat, "A Scalable, 1488 Commodity Data Center Network Architecture", August 2008. 1490 [IANA.AS] IANA, , "Autonomous System (AS) Numbers", August 2015, 1491 . 1493 [IEEE8023AD] 1494 IEEE 802.3ad, , "IEEE Standard for Link aggregation for 1495 parallel links", October 2000. 1497 [ALLOWASIN] 1498 Cisco Systems, , "Allowas-in Feature in BGP Configuration 1499 Example", February 2015, 1500 . 1504 [VENDOR-REMOVE-PRIVATE-AS] 1505 Cisco Systems, , "Removing Private Autonomous System 1506 Numbers in BGP", August 2005, 1507 . 1510 [CONDITIONALROUTE] 1511 Cisco Systems, , "Configuring and Verifying the BGP 1512 Conditional Advertisement Feature", August 2005, 1513 . 1516 [FB4POST] Farrington, N. and A. Andreyev, "Facebook's Data Center 1517 Network Architecture", May 2013, 1518 . 1520 [JAKMA2008] 1521 Jakma, P., "BGP Path Hunting", 2008, 1522 . 1524 [CONS-HASH] 1525 Wikipedia, , "Consistent Hashing", 1526 . 1528 Authors' Addresses 1529 Petr Lapukhov 1530 Facebook 1531 1 Hacker Way 1532 Menlo Park, CA 94025 1533 US 1535 Email: petr@fb.com 1537 Ariff Premji 1538 Arista Networks 1539 5453 Great America Parkway 1540 Santa Clara, CA 95054 1541 US 1543 Email: ariff@arista.com 1544 URI: http://arista.com/ 1546 Jon Mitchell (editor) 1548 Email: jrmitche@puck.nether.net