idnits 2.17.1 draft-ietf-rtgwg-bgp-routing-large-dc-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 1, 2016) is 2949 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-15) exists of draft-ietf-idr-add-paths-13 == Outdated reference: A later version (-07) exists of draft-ietf-idr-link-bandwidth-06 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Area Working Group P. Lapukhov 3 Internet-Draft Facebook 4 Intended status: Informational A. Premji 5 Expires: September 2, 2016 Arista Networks 6 J. Mitchell, Ed. 7 March 1, 2016 9 Use of BGP for routing in large-scale data centers 10 draft-ietf-rtgwg-bgp-routing-large-dc-08 12 Abstract 14 Some network operators build and operate data centers that support 15 over one hundred thousand servers. In this document, such data 16 centers are referred to as "large-scale" to differentiate them from 17 smaller infrastructures. Environments of this scale have a unique 18 set of network requirements with an emphasis on operational 19 simplicity and network stability. This document summarizes 20 operational experience in designing and operating large-scale data 21 centers using BGP as the only routing protocol. The intent is to 22 report on a proven and stable routing design that could be leveraged 23 by others in the industry. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on September 2, 2016. 42 Copyright Notice 44 Copyright (c) 2016 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Network Design Requirements . . . . . . . . . . . . . . . . . 4 61 2.1. Bandwidth and Traffic Patterns . . . . . . . . . . . . . 4 62 2.2. CAPEX Minimization . . . . . . . . . . . . . . . . . . . 4 63 2.3. OPEX Minimization . . . . . . . . . . . . . . . . . . . . 5 64 2.4. Traffic Engineering . . . . . . . . . . . . . . . . . . . 5 65 2.5. Summarized Requirements . . . . . . . . . . . . . . . . . 5 66 3. Data Center Topologies Overview . . . . . . . . . . . . . . . 6 67 3.1. Traditional DC Topology . . . . . . . . . . . . . . . . . 6 68 3.2. Clos Network topology . . . . . . . . . . . . . . . . . . 7 69 3.2.1. Overview . . . . . . . . . . . . . . . . . . . . . . 7 70 3.2.2. Clos Topology Properties . . . . . . . . . . . . . . 8 71 3.2.3. Scaling the Clos topology . . . . . . . . . . . . . . 9 72 3.2.4. Managing the Size of Clos Topology Tiers . . . . . . 10 73 4. Data Center Routing Overview . . . . . . . . . . . . . . . . 11 74 4.1. Layer 2 Only Designs . . . . . . . . . . . . . . . . . . 11 75 4.2. Hybrid L2/L3 Designs . . . . . . . . . . . . . . . . . . 12 76 4.3. Layer 3 Only Designs . . . . . . . . . . . . . . . . . . 12 77 5. Routing Protocol Selection and Design . . . . . . . . . . . . 13 78 5.1. Choosing EBGP as the Routing Protocol . . . . . . . . . . 13 79 5.2. EBGP Configuration for Clos topology . . . . . . . . . . 15 80 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 15 81 5.2.2. Private Use ASNs . . . . . . . . . . . . . . . . . . 16 82 5.2.3. Prefix Advertisement . . . . . . . . . . . . . . . . 17 83 5.2.4. External Connectivity . . . . . . . . . . . . . . . . 18 84 5.2.5. Route Summarization at the Edge . . . . . . . . . . . 19 85 6. ECMP Considerations . . . . . . . . . . . . . . . . . . . . . 19 86 6.1. Basic ECMP . . . . . . . . . . . . . . . . . . . . . . . 20 87 6.2. BGP ECMP over Multiple ASNs . . . . . . . . . . . . . . . 21 88 6.3. Weighted ECMP . . . . . . . . . . . . . . . . . . . . . . 21 89 6.4. Consistent Hashing . . . . . . . . . . . . . . . . . . . 22 90 7. Routing Convergence Properties . . . . . . . . . . . . . . . 22 91 7.1. Fault Detection Timing . . . . . . . . . . . . . . . . . 22 92 7.2. Event Propagation Timing . . . . . . . . . . . . . . . . 23 93 7.3. Impact of Clos Topology Fan-outs . . . . . . . . . . . . 23 94 7.4. Failure Impact Scope . . . . . . . . . . . . . . . . . . 24 95 7.5. Routing Micro-Loops . . . . . . . . . . . . . . . . . . . 25 96 8. Additional Options for Design . . . . . . . . . . . . . . . . 26 97 8.1. Third-party Route Injection . . . . . . . . . . . . . . . 26 98 8.2. Route Summarization within Clos Topology . . . . . . . . 26 99 8.2.1. Collapsing Tier-1 Devices Layer . . . . . . . . . . . 27 100 8.2.2. Simple Virtual Aggregation . . . . . . . . . . . . . 28 101 8.3. ICMP Unreachable Message Masquerading . . . . . . . . . . 29 102 9. Security Considerations . . . . . . . . . . . . . . . . . . . 29 103 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 104 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 105 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 106 12.1. Normative References . . . . . . . . . . . . . . . . . . 30 107 12.2. Informative References . . . . . . . . . . . . . . . . . 30 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 110 1. Introduction 112 This document describes a practical routing design that can be used 113 in a large-scale data center ("DC") design. Such data centers, also 114 known as hyper-scale or warehouse-scale data centers, have a unique 115 attribute of supporting over a hundred thousand servers. In order to 116 accommodate networks of this scale, operators are revisiting 117 networking designs and platforms to address this need. 119 The design presented in this document is based on operational 120 experience with data centers built to support large-scale distributed 121 software infrastructure, such as a Web search engine. The primary 122 requirements in such an environment are operational simplicity and 123 network stability so that a small group of people can effectively 124 support a significantly sized network. 126 Experimentation and extensive testing has shown that External BGP 127 (EBGP) [RFC4271] is well suited as a stand-alone routing protocol for 128 these type of data center applications. This is in contrast with 129 more traditional DC designs, which may use simple tree topologies and 130 rely on extending Layer 2 domains across multiple network devices. 131 This document elaborates on the requirements that led to this design 132 choice and presents details of the EBGP routing design as well as 133 explores ideas for further enhancements. 135 This document first presents an overview of network design 136 requirements and considerations for large-scale data centers. Then 137 traditional hierarchical data center network topologies are 138 contrasted with Clos networks [CLOS1953] that are horizontally scaled 139 out. This is followed by arguments for selecting EBGP with a Clos 140 topology as the most appropriate routing protocol to meet the 141 requirements and the proposed design is described in detail. 142 Finally, this document reviews some additional considerations and 143 design options. 145 2. Network Design Requirements 147 This section describes and summarizes network design requirements for 148 large-scale data centers. 150 2.1. Bandwidth and Traffic Patterns 152 The primary requirement when building an interconnection network for 153 large number of servers is to accommodate application bandwidth and 154 latency requirements. Until recently it was quite common to see the 155 majority of traffic entering and leaving the data center, commonly 156 referred to as "north-south" traffic. Traditional "tree" topologies 157 were sufficient to accommodate such flows, even with high 158 oversubscription ratios between the layers of the network. If more 159 bandwidth was required, it was added by "scaling up" the network 160 elements, e.g. by upgrading the device's linecards or fabrics or 161 replacing the device with one with higher port density. 163 Today many large-scale data centers host applications generating 164 significant amounts of server-to-server traffic, which does not 165 egress the DC, commonly referred to as "east-west" traffic. Examples 166 of such applications could be compute clusters such as Hadoop 167 [HADOOP], massive data replication between clusters needed by certain 168 applications, or virtual machine migrations. Scaling traditional 169 tree topologies to match these bandwidth demands becomes either too 170 expensive or impossible due to physical limitations, e.g. port 171 density in a switch. 173 2.2. CAPEX Minimization 175 The Capital Expenditures (CAPEX) associated with the network 176 infrastructure alone constitutes about 10-15% of total data center 177 expenditure (see [GREENBERG2009]). However, the absolute cost is 178 significant, and hence there is a need to constantly drive down the 179 cost of individual network elements. This can be accomplished in two 180 ways: 182 o Unifying all network elements, preferably using the same hardware 183 type or even the same device. This allows for volume pricing on 184 bulk purchases and reduced maintenance and sparing costs. 186 o Driving costs down using competitive pressures, by introducing 187 multiple network equipment vendors. 189 In order to allow for good vendor diversity it is important to 190 minimize the software feature requirements for the network elements. 191 This strategy provides maximum flexibility of vendor equipment 192 choices while enforcing interoperability using open standards. 194 2.3. OPEX Minimization 196 Operating large-scale infrastructure can be expensive as a larger 197 amount of elements will statistically fail more often. Having a 198 simpler design and operating using a limited software feature set 199 minimizes software issue-related failures. 201 An important aspect of Operational Expenditure (OPEX) minimization is 202 reducing size of failure domains in the network. Ethernet networks 203 are known to be susceptible to broadcast or unicast traffic storms 204 that can have a dramatic impact on network performance and 205 availability. The use of a fully routed design significantly reduces 206 the size of the data plane failure domains - i.e. limits them to the 207 lowest level in the network hierarchy. However, such designs 208 introduce the problem of distributed control plane failures. This 209 observation calls for simpler and less control plane protocols to 210 minimize protocol interaction issues, reducing the chance of a 211 network meltdown. Minimizing software feature requirements as 212 described in the CAPEX section above also reduces testing and 213 personnel training requirements. 215 2.4. Traffic Engineering 217 In any data center, application load balancing is a critical function 218 performed by network devices. Traditionally, load balancers are 219 deployed as dedicated devices in the traffic forwarding path. The 220 problem arises in scaling load balancers under growing traffic 221 demand. A preferable solution would be able to scale load balancing 222 layer horizontally, by adding more of the uniform nodes and 223 distributing incoming traffic across these nodes. In situations like 224 this, an ideal choice would be to use network infrastructure itself 225 to distribute traffic across a group of load balancers. The 226 combination of Anycast prefix advertisement [RFC4786] and Equal Cost 227 Multipath (ECMP) functionality can be used to accomplish this goal. 228 To allow for more granular load distribution, it is beneficial for 229 the network to support the ability to perform controlled per-hop 230 traffic engineering. For example, it is beneficial to directly 231 control the ECMP next-hop set for Anycast prefixes at every level of 232 network hierarchy. 234 2.5. Summarized Requirements 236 This section summarizes the list of requirements outlined in the 237 previous sections: 239 o REQ1: Select a topology that can be scaled "horizontally" by 240 adding more links and network devices of the same type without 241 requiring upgrades to the network elements themselves. 243 o REQ2: Define a narrow set of software features/protocols supported 244 by a multitude of networking equipment vendors. 246 o REQ3: Choose a routing protocol that has a simple implementation 247 in terms of programming code complexity and ease of operational 248 support. 250 o REQ4: Minimize the failure domain of equipment or protocol issues 251 as much as possible. 253 o REQ5: Allow for some traffic engineering, preferably via explicit 254 control of the routing prefix next-hop using built-in protocol 255 mechanics. 257 3. Data Center Topologies Overview 259 This section provides an overview of two general types of data center 260 designs - hierarchical (also known as tree based) and Clos based 261 network designs. 263 3.1. Traditional DC Topology 265 In the networking industry, a common design choice for data centers 266 typically look like a (upside down) tree with redundant uplinks and 267 three layers of hierarchy namely; core, aggregation/distribution and 268 access layers (see Figure 1). To accommodate bandwidth demands, each 269 higher layer, from server towards DC egress or WAN, has higher port 270 density and bandwidth capacity where the core functions as the 271 "trunk" of the tree based design. To keep terminology uniform and 272 for comparison with other designs, in this document these layers will 273 be referred to as Tier-1, Tier-2 and Tier-3 "tiers", instead of Core, 274 Aggregation or Access layers. 276 +------+ +------+ 277 | | | | 278 | |--| | Tier-1 279 | | | | 280 +------+ +------+ 281 | | | | 282 +---------+ | | +----------+ 283 | +-------+--+------+--+-------+ | 284 | | | | | | | | 285 +----+ +----+ +----+ +----+ 286 | | | | | | | | 287 | |-----| | | |-----| | Tier-2 288 | | | | | | | | 289 +----+ +----+ +----+ +----+ 290 | | | | 291 | | | | 292 | +-----+ | | +-----+ | 293 +-| |-+ +-| |-+ Tier-3 294 +-----+ +-----+ 295 | | | | | | 296 <- Servers -> <- Servers -> 298 Figure 1: Typical DC network topology 300 3.2. Clos Network topology 302 This section describes a common design for horizontally scalable 303 topology in large-scale data centers in order to meet REQ1. 305 3.2.1. Overview 307 A common choice for a horizontally scalable topology is a folded Clos 308 topology, sometimes called "fat-tree" (see, for example, [INTERCON] 309 and [ALFARES2008]). This topology features an odd number of stages 310 (sometimes known as dimensions) and is commonly made of uniform 311 elements, e.g. network switches with the same port count. Therefore, 312 the choice of folded Clos topology satisfies REQ1 and facilitates 313 REQ2. See Figure 2 below for an example of a folded 3-stage Clos 314 topology (3 stages counting Tier-2 stage twice, when tracing a packet 315 flow): 317 +-------+ 318 | |----------------------------+ 319 | |------------------+ | 320 | |--------+ | | 321 +-------+ | | | 322 +-------+ | | | 323 | |--------+---------+-------+ | 324 | |--------+-------+ | | | 325 | |------+ | | | | | 326 +-------+ | | | | | | 327 +-------+ | | | | | | 328 | |------+-+-------+-+-----+ | | 329 | |------+-+-----+ | | | | | 330 | |----+ | | | | | | | | 331 +-------+ | | | | | | ---------> M links 332 Tier-1 | | | | | | | | | 333 +-------+ +-------+ +-------+ 334 | | | | | | 335 | | | | | | Tier-2 336 | | | | | | 337 +-------+ +-------+ +-------+ 338 | | | | | | | | | 339 | | | | | | ---------> N Links 340 | | | | | | | | | 341 O O O O O O O O O Servers 343 Figure 2: 3-Stage Folded Clos topology 345 This topology is often also referred to as a "Leaf and Spine" 346 network, where "Spine" is the name given to the middle stage of the 347 Clos topology (Tier-1) and "Leaf" is the name of input/output stage 348 (Tier-2). For uniformity, this document will continue referring to 349 these layers using the "Tier-n" notation. 351 3.2.2. Clos Topology Properties 353 The following are some key properties of the Clos topology: 355 o The topology is fully non-blocking, or more accurately: non- 356 interfering, if M >= N and oversubscribed by a factor of N/M 357 otherwise. Here M and N is the uplink and downlink port count 358 respectively, for a Tier-2 switch as shown in Figure 2. 360 o Utilizing this topology requires control and data plane support 361 for ECMP with a fan-out of M or more. 363 o Tier-1 switches have exactly one path to every server in this 364 topology. This is an important property that makes route 365 summarization dangerous in this topology (see Section 8.2 below). 367 o Traffic flowing from server to server is load balanced over all 368 available paths using ECMP. 370 3.2.3. Scaling the Clos topology 372 A Clos topology can be scaled either by increasing network element 373 port density or adding more stages, e.g. moving to a 5-stage Clos, as 374 illustrated in Figure 3 below: 376 Tier-1 377 +-----+ 378 Cluster | | 379 +----------------------------+ +--| |--+ 380 | | | +-----+ | 381 | Tier-2 | | | Tier-2 382 | +-----+ | | +-----+ | +-----+ 383 | +-------------| DEV |------+--| |--+--| |-------------+ 384 | | +-----| C |------+ | | +--| |-----+ | 385 | | | +-----+ | +-----+ +-----+ | | 386 | | | | | | 387 | | | +-----+ | +-----+ +-----+ | | 388 | | +-----------| DEV |------+ | | +--| |-----------+ | 389 | | | | +---| D |------+--| |--+--| |---+ | | | 390 | | | | | +-----+ | | +-----+ | +-----+ | | | | 391 | | | | | | | | | | | | 392 | +-----+ +-----+ | | +-----+ | +-----+ +-----+ 393 | | DEV | | DEV | | +--| |--+ | | | | 394 | | A | | B | Tier-3 | | | Tier-3 | | | | 395 | +-----+ +-----+ | +-----+ +-----+ +-----+ 396 | | | | | | | | | | 397 | O O O O | O O O O 398 | Servers | Servers 399 +----------------------------+ 401 Figure 3: 5-Stage Clos topology 403 The small example topology on Figure 3 is built from devices with a 404 port count of 4 and provides full bisectional bandwidth to all 405 connected servers. In this document, one set of directly connected 406 Tier-2 and Tier-3 devices along with their attached servers will be 407 referred to as a "cluster". For example, DEV A, B, C, D, and the 408 servers that connect to DEV A and B, on Figure 3 form a cluster. The 409 concept of a cluster may also be a useful concept as a single 410 deployment or maintenance unit which can be operated on at a 411 different frequency than the entire topology. 413 In practice, the Tier-3 layer of the network, which are typically top 414 of rack switches (ToRs), is where oversubscription is introduced to 415 allow for packaging of more servers in the data center while meeting 416 the bandwidth requirements for different types of applications. The 417 main reason to limit oversubscription at a single layer of the 418 network is to simplify application development that would otherwise 419 need to account for multiple bandwidth pools: within rack (Tier-3), 420 between racks (Tier-2), and between clusters (Tier-1). Since 421 oversubscription does not have a direct relationship to the routing 422 design it is not discussed further in this document. 424 3.2.4. Managing the Size of Clos Topology Tiers 426 If a data center network size is small, it is possible to reduce the 427 number of switches in Tier-1 or Tier-2 of Clos topology by a factor 428 of two. To understand how this could be done, take Tier-1 as an 429 example. Every Tier-2 device connects to a single group of Tier-1 430 devices. If half of the ports on each of the Tier-1 devices are not 431 being used then it is possible to reduce the number of Tier-1 devices 432 by half and simply map two uplinks from a Tier-2 device to the same 433 Tier-1 device that were previously mapped to different Tier-1 434 devices. This technique maintains the same bisectional bandwidth 435 while reducing the number of elements in the Tier-1 layer, thus 436 saving on CAPEX. The tradeoff, in this example, is the reduction of 437 maximum DC size in terms of overall server count by half. 439 In this example, Tier-2 devices will be using two parallel links to 440 connect to each Tier-1 device. If one of these links fails, the 441 other will pick up all traffic of the failed link, possible resulting 442 in heavy congestion and quality of service degradation if the path 443 determination procedure does not take bandwidth amount into account 444 since the number of upstream Tier-1 devices is likely wider than two. 445 To avoid this situation, parallel links can be grouped in link 446 aggregation groups (LAGs, such as [IEEE8023AD]) with widely available 447 implementation settings that take the whole "bundle" down upon a 448 single link failure. Equivalent techniques that enforce "fate 449 sharing" on the parallel links can be used in place of LAGs to 450 achieve the same effect. As a result of such fate-sharing, traffic 451 from two or more failed links will be re-balanced over the multitude 452 of remaining paths that equals the number of Tier-1 devices. This 453 example is using two links for simplicity, having more links in a 454 bundle will have less impact on capacity upon a member-link failure. 456 4. Data Center Routing Overview 458 This section provides an overview of three general types of data 459 center protocol designs - Layer 2 only, Hybrid L2/L3 and Layer 3 460 only. 462 4.1. Layer 2 Only Designs 464 Originally most data center designs used Spanning-Tree Protocol (STP) 465 initially defined in [IEEE8021D-1990] for loop-free topology 466 creation, typically utilizing variants of the traditional DC topology 467 described in Section 3.1. At the time, many DC switches either did 468 not support Layer 3 routed protocols or supported it with additional 469 licensing fees, which played a part in the design choice. Although 470 many enhancements have been made through the introduction of Rapid 471 Spanning Tree Protocol (RSTP) in the latest revision of 472 [IEEE8021D-2004] and Multiple Spanning Tree Protocol (MST) specified 473 in [IEEE8021Q] that increase convergence, stability and load 474 balancing in larger topologies, many of the fundamentals of the 475 protocol limit its applicability in large-scale DCs. STP and its 476 newer variants use an active/standby approach to path selection and 477 are therefore hard to deploy in horizontally-scaled topologies as 478 described in Section 3.2. Further, operators have had many 479 experiences with large failures due to issues caused by improper 480 cabling, misconfiguration, or flawed software on a single device. 481 These failures regularly affected the entire spanning-tree domain and 482 were very hard to troubleshoot due to the nature of the protocol. 483 For these reasons, and since almost all DC traffic is now IP, 484 therefore requiring a Layer 3 routing protocol at the network edge 485 for external connectivity, designs utilizing STP usually fail all of 486 the requirements of large-scale DC operators. Various enhancements 487 to link-aggregation protocols such as [IEEE8023AD], generally known 488 as Multi-Chassis Link-Aggregation (M-LAG) made it possible to use 489 Layer 2 designs with active-active network paths while relying on STP 490 as the backup for loop prevention. The major downsides of this 491 approach are the lack of ability to scale linearly past two in most 492 implementations, lack of standards based implementations, and added 493 failure domain risk of keeping state between the devices. 495 It should be noted that building large, horizontally scalable, Layer 496 2 only networks without STP is possible recently through the 497 introduction of the TRILL protocol in [RFC6325]. TRILL resolves many 498 of the issues STP has for large-scale DC design. However, due to 499 limited number of implementations, and often the requirement for 500 specific equipment that supports it, this has limited its 501 applicability and increased the cost of such designs. 503 Finally, neither the base TRILL specification nor the M-LAG approach 504 totally eliminate the fundamental problem of the shared broadcast 505 domain, that is so detrimental to the operations of any Layer 2, 506 Ethernet based solutions. Later TRILL extensions have been proposed 507 to solve this problem primarily based on the approaches outlined in 508 [RFC7067], but this even further limits the number of available 509 interoperable implementations that can be used to build a fabric, 510 therefore TRILL based designs have issues meeting REQ2, REQ3, and 511 REQ4. 513 4.2. Hybrid L2/L3 Designs 515 Operators have sought to limit the impact of data plane faults and 516 build large-scale topologies through implementing routing protocols 517 in either the Tier-1 or Tier-2 parts of the network and dividing the 518 Layer 2 domain into numerous, smaller domains. This design has 519 allowed data centers to scale up, but at the cost of complexity in 520 the network managing multiple protocols. For the following reasons, 521 operators have retained Layer 2 in either the access (Tier-3) or both 522 access and aggregation (Tier-3 and Tier-2) parts of the network: 524 o Supporting legacy applications that may require direct Layer 2 525 adjacency or use non-IP protocols. 527 o Seamless mobility for virtual machines that require the 528 preservation of IP addresses when a virtual machine moves to 529 different Tier-3 switch. 531 o Simplified IP addressing = less IP subnets are required for the 532 data center. 534 o Application load balancing may require direct Layer 2 reachability 535 to perform certain functions such as Layer 2 Direct Server Return 536 (DSR). 538 o Continued CAPEX differences between Layer 2 and Layer 3 capable 539 switches. 541 4.3. Layer 3 Only Designs 543 Network designs that leverage IP routing down to Tier-3 of the 544 network have gained popularity as well. The main benefit of these 545 designs is improved network stability and scalability, as a result of 546 confining L2 broadcast domains. Commonly an Interior Gateway 547 Protocol (IGP) such as OSPF [RFC2328] is used as the primary routing 548 protocol in such a design. As data centers grow in scale, and server 549 count exceeds tens of thousands, such fully routed designs have 550 become more attractive. 552 Choosing a Layer 3 only design greatly simplifies the network, 553 facilitating the meeting of REQ1 and REQ2, and has widespread 554 adoption in networks where large Layer 2 adjacency and larger size 555 Layer 3 subnets are not as critical compared to network scalability 556 and stability. Application providers and network operators continue 557 to also develop new solutions to meet some of the requirements that 558 previously have driven large Layer 2 domains by using various overlay 559 or tunneling techniques.. 561 5. Routing Protocol Selection and Design 563 In this section the motivations for using External BGP (EBGP) as the 564 single routing protocol for data center networks having a Layer 3 565 protocol design and Clos topology are reviewed. Then, a practical 566 approach for designing an EBGP based network is provided. 568 5.1. Choosing EBGP as the Routing Protocol 570 REQ2 would give preference to the selection of a single routing 571 protocol to reduce complexity and interdependencies. While it is 572 common to rely on an IGP in this situation, sometimes with either the 573 addition of EBGP at the device bordering the WAN or Internal BGP 574 (IBGP) throughout, this document proposes the use of an EBGP only 575 design. 577 Although EBGP is the protocol used for almost all inter-domain 578 routing on the Internet and has wide support from both vendor and 579 service provider communities, it is not generally deployed as the 580 primary routing protocol within the data center for a number of 581 reasons (some of which are interrelated): 583 o BGP is perceived as a "WAN only protocol only" and not often 584 considered for enterprise or data center applications. 586 o BGP is believed to have a "much slower" routing convergence 587 compared to IGPs. 589 o Large scale BGP deployments typically utilize an IGP for next-hop 590 resolution as all nodes in the iBGP topology are not directly 591 connected. 593 o BGP is perceived to require significant configuration overhead and 594 does not support neighbor auto-discovery. 596 This document discusses some of these perceptions, especially as 597 applicable to the proposed design, and highlights some of the 598 advantages of using the protocol such as: 600 o BGP has less complexity in parts of its protocol design - internal 601 data structures and state machine are simpler as compared to most 602 link-state IGPs such as OSPF. For example, instead of 603 implementing adjacency formation, adjacency maintenance and/or 604 flow-control, BGP simply relies on TCP as the underlying 605 transport. This fulfills REQ2 and REQ3. 607 o BGP information flooding overhead is less when compared to link- 608 state IGPs. Since every BGP router calculates and propagates only 609 the best-path selected, a network failure is masked as soon as the 610 BGP speaker finds an alternate path, which exists when highly 611 symmetric topologies, such as Clos, are coupled with EBGP only 612 design. In contrast, the event propagation scope of a link-state 613 IGP is an entire area, regardless of the failure type. In this 614 way, BGP better meets REQ3 and REQ4. It is also worth mentioning 615 that all widely deployed link-state IGPs also feature periodic 616 refreshes of routing information, even if this rarely causes 617 significant impact to modern router control planes, while BGP does 618 not expire routing state. 620 o BGP supports third-party (recursively resolved) next-hops. This 621 allows for manipulating multipath to be non-ECMP based or 622 forwarding based on application-defined paths, through 623 establishment of a peering session with an application 624 "controller" which can inject routing information into the system, 625 satisfying REQ5. OSPF provides similar functionality using 626 concepts such as "Forwarding Address", but with more difficulty in 627 implementation and far less control of information propagation 628 scope. 630 o Using a well-defined ASN allocation scheme and standard AS_PATH 631 loop detection, "BGP path hunting" (see [JAKMA2008]) can be 632 controlled and complex unwanted paths to be ignored. See 633 Section 5.2 for an example of a working ASN allocation scheme. In 634 a link-state IGP accomplishing the same goal would require multi- 635 (instance/topology/processes) support, typically not available in 636 all DC devices and quite complex to configure and troubleshoot. 637 Using a traditional single flooding domain, which most DC designs 638 utilize, under certain failure conditions may pick up unwanted 639 lengthy paths, e.g. traversing multiple Tier-2 devices. 641 o EBGP configuration that is implemented with minimal routing policy 642 is easier to troubleshoot for network reachability issues. Also, 643 in most implementations, it is straightforward to view contents of 644 BGP Loc-RIB and compare it to the router's RIB. Also, in most 645 implementations an operator can view every BGP neighbors Adj-RIB- 646 In and Adj-RIB-Out structures and therefore incoming and outgoing 647 NLRI information can be easily correlated on both sides of a BGP 648 session. Thus, BGP satisfies REQ3. 650 5.2. EBGP Configuration for Clos topology 652 Clos topologies that have more than 5 stages are very uncommon due to 653 the large numbers of interconnects required by such a design. 654 Therefore, the examples below are made with reference to the 5-stage 655 Clos topology (in unfolded state). 657 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 659 The diagram below illustrates an example ASN allocation scheme. The 660 following is a list of guidelines that can be used: 662 o EBGP single-hop sessions are established over direct point-to- 663 point links interconnecting the network nodes, no multi-hop or 664 loopback sessions are used even in the case of multiple links 665 between the same pair of nodes. 667 o Private Use ASNs from the range 64512-65534 are used so as to 668 avoid ASN conflicts. 670 o A single ASN is allocated to all of the Clos topology's Tier-1 671 devices. 673 o A unique ASN is allocated to each set of Tier-2 devices in the 674 same cluster. 676 o A unique ASN is allocated to every Tier-3 device (e.g. ToR) in 677 this topology. 679 ASN 65534 680 +---------+ 681 | +-----+ | 682 | | | | 683 +-|-| |-|-+ 684 | | +-----+ | | 685 ASN 646XX | | | | ASN 646XX 686 +---------+ | | | | +---------+ 687 | +-----+ | | | +-----+ | | | +-----+ | 688 +-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+ 689 | +---|-| |-|-+ | | | | +-|-| |-|---+ | 690 | | | +-----+ | | +-----+ | | +-----+ | | | 691 | | | | | | | | | | 692 | | | | | | | | | | 693 | | | +-----+ | | +-----+ | | +-----+ | | | 694 | +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ | 695 | | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | | 696 | | | | | +-----+ | | | +-----+ | | | +-----+ | | | | | 697 | | | | +---------+ | | | | +---------+ | | | | 698 | | | | | | | | | | | | 699 +-----+ +-----+ | | +-----+ | | +-----+ +-----+ 700 | ASN | | | +-|-| |-|-+ | | | | 701 |65YYY| | ... | | | | | | ... | | ... | 702 +-----+ +-----+ | +-----+ | +-----+ +-----+ 703 | | | | +---------+ | | | | 704 O O O O <- Servers -> O O O O 706 Figure 4: BGP ASN layout for 5-stage Clos 708 5.2.2. Private Use ASNs 710 The original range of Private Use ASNs [RFC6996] limited operators to 711 1023 unique ASNs. Since it is quite likely that the number of 712 network devices may exceed this number, a workaround is required. 713 One approach is to re-use the ASNs assigned to the Tier-3 devices 714 across different clusters. For example, Private Use ASNs 65001, 715 65002 ... 65032 could be used within every individual cluster and 716 assigned to Tier-3 devices. 718 To avoid route suppression due to the AS_PATH loop detection 719 mechanism in BGP, upstream EBGP sessions on Tier-3 devices must be 720 configured with the "AllowAS In" feature [ALLOWASIN] that allows 721 accepting a device's own ASN in received route advertisements. 722 Introducing this feature does not make it likely for routing loops in 723 the design since the AS_PATH is being added to by routers at each of 724 the topology tiers and AS_PATH length is an early tie breaker in the 725 BGP path selection process. Further loop protection is still in 726 place at the Tier-1 device, which will not accept routes with a path 727 including its own ASN and Tier-2 devices do not have direct 728 connectivity with each other. 730 Another solution to this problem would be using Four-Octet ASNs 731 ([RFC6793]), where there are additional Private Use ASNs available, 732 see [IANA.AS]. Use of Four-Octet ASNs put additional protocol 733 complexity in the BGP implementation so should be considered against 734 the complexity of re-use when considering REQ3 and REQ4. Perhaps 735 more importantly, they are not yet supported by all BGP 736 implementations, which may limit vendor selection of DC equipment. 737 When supported, ensure that implementations in use are able to remove 738 the Private Use ASNs if required for external connectivity 739 (Section 5.2.4). 741 5.2.3. Prefix Advertisement 743 A Clos topology features a large number of point-to-point links and 744 associated prefixes. Advertising all of these routes into BGP may 745 create FIB overload conditions in the network devices. Advertising 746 these links also puts additional path computation stress on the BGP 747 control plane for little benefit. There are two possible solutions: 749 o Do not advertise any of the point-to-point links into BGP. Since 750 the EBGP-based design changes the next-hop address at every 751 device, distant networks will automatically be reachable via the 752 advertising EBGP peer and do not require reachability to these 753 prefixes. However, this may complicate operations or monitoring: 754 e.g. using the popular "traceroute" tool will display IP addresses 755 that are not reachable. 757 o Advertise point-to-point links, but summarize them on every 758 device. This requires an address allocation scheme such as 759 allocating a consecutive block of IP addresses per Tier-1 and 760 Tier-2 device to be used for point-to-point interface addressing 761 to the lower layers (Tier-2 uplinks will be numbered out of Tier-1 762 addressing and so forth). 764 Server subnets on Tier-3 devices must be announced into BGP without 765 using route summarization on Tier-2 and Tier-1 devices. Summarizing 766 subnets in a Clos topology results in route black-holing under a 767 single link failure (e.g. between Tier-2 and Tier-3 devices) and 768 hence must be avoided. The use of peer links within the same tier to 769 resolve the black-holing problem by providing "bypass paths" is 770 undesirable due to O(N^2) complexity of the peering mesh and waste of 771 ports on the devices. An alternative to the full-mesh of peer-links 772 would be using a simpler bypass topology, e.g. a "ring" as described 773 in [FB4POST], but such a topology adds extra hops and has very 774 limited bisection bandwidth, in addition requiring special tweaks to 775 make BGP routing work - such as possibly splitting every device into 776 an ASN on its own. Later in this document, section Section 8.2 777 introduces a less intrusive method for performing a limited form of 778 route summarization in Clos networks and the discusses it's 779 associated trade-offs. 781 5.2.4. External Connectivity 783 A dedicated cluster (or clusters) in the Clos topology could be used 784 for the purpose of connecting to the Wide Area Network (WAN) edge 785 devices, or WAN Routers. Tier-3 devices in such cluster would be 786 replaced with WAN routers, and EBGP peering would be used again, 787 though WAN routers are likely to belong to a public ASN if Internet 788 connectivity is required in the design. The Tier-2 devices in such a 789 dedicated cluster will be referred to as "Border Routers" in this 790 document. These devices have to perform a few special functions: 792 o Hide network topology information when advertising paths to WAN 793 routers, i.e. remove Private Use ASNs [RFC6996] from the AS_PATH 794 attribute. This is typically done to avoid ASN number collisions 795 between different data centers and also to provide a uniform 796 AS_PATH length to the WAN for purposes of WAN ECMP to Anycast 797 prefixes originated in the topology. An implementation specific 798 BGP feature typically called "Remove Private AS" is commonly used 799 to accomplish this. Depending on implementation, the feature 800 should strip a contiguous sequence of Private Use ASNs found in 801 AS_PATH attribute prior to advertising the path to a neighbor. 802 This assumes that all ASNs used for intra data center numbering 803 are from the Private Use ranges. The process for stripping the 804 Private Use ASNs is not currently standardized, see 805 [I-D.mitchell-grow-remove-private-as]. However, most 806 implementations at least follow the logic described in this 807 vendor's document [REMOVE-PRIVATE-AS]. 809 o Originate a default route to the data center devices. This is the 810 only place where default route can be originated, as route 811 summarization is risky for the "scale-out" topology. 812 Alternatively, Border Routers may simply relay the default route 813 learned from WAN routers. Advertising the default route from 814 Border Routers requires that all Border Routers be fully connected 815 to the WAN Routers upstream, to provide resistance to a single- 816 link failure causing the black-holing of traffic. To prevent 817 black-holing in situation when all of EBGP sessions to the WAN 818 routers fail simultaneously on a given device it is more desirable 819 to take the "relaying" approach rather than introducing the 820 default route via complicated conditional route origination 821 schemes provided by some implementations [CONDITIONALROUTE]. 823 5.2.5. Route Summarization at the Edge 825 It is often desirable to summarize network reachability information 826 prior to advertising it to the WAN network due to high amount of IP 827 prefixes originated from within the data center in a fully routed 828 network design. For example, a network with 2000 Tier-3 devices will 829 have at least 2000 servers subnets advertised into BGP, along with 830 the infrastructure or other prefixes. However, as discussed before, 831 the proposed network design does not allow for route summarization 832 due to the lack of peer links inside every tier. 834 However, it is possible to lift this restriction for the Border 835 Routers, by devising a different connectivity model for these 836 devices. There are two options possible: 838 o Interconnect the Border Routers using a full-mesh of physical 839 links or using any other "peer-mesh" topology, such as ring or 840 hub-and-spoke. Configure BGP accordingly on all Border Leafs to 841 exchange network reachability information - e.g. by adding a mesh 842 of IBGP sessions. The interconnecting peer links need to be 843 appropriately sized for traffic that will be present in the case 844 of a device or link failure underneath the Border Routers. 846 o Tier-1 devices may have additional physical links provisioned 847 toward the Border Routers (which are Tier-2 devices from the 848 perspective of Tier-1). Specifically, if protection from a single 849 link or node failure is desired, each Tier-1 devices would have to 850 connect to at least two Border Routers. This puts additional 851 requirements on the port count for Tier-1 devices and Border 852 Routers, potentially making it a non-uniform, larger port count, 853 device compared with the other devices in the Clos. This also 854 reduces the number of ports available to "regular" Tier-2 switches 855 and hence the number of clusters that could be interconnected via 856 Tier-1 layer. 858 If any of the above options are implemented, it is possible to 859 perform route summarization at the Border Routers toward the WAN 860 network core without risking a routing black-hole condition under a 861 single link failure. Both of the options would result in non-uniform 862 topology as additional links have to be provisioned on some network 863 devices. 865 6. ECMP Considerations 867 This section covers the Equal Cost Multipath (ECMP) functionality for 868 Clos topology and discusses a few special requirements. 870 6.1. Basic ECMP 872 ECMP is the fundamental load sharing mechanism used by a Clos 873 topology. Effectively, every lower-tier device will use all of its 874 directly attached upper-tier devices to load share traffic destined 875 to the same IP prefix. Number of ECMP paths between any two Tier-3 876 devices in Clos topology equals to the number of the devices in the 877 middle stage (Tier-1). For example, Figure 5 illustrates the 878 topology where Tier-3 device A has four paths to reach servers X and 879 Y, via Tier-2 devices B and C and then Tier-1 devices 1, 2, 3, and 4 880 respectively. 882 Tier-1 883 +-----+ 884 | DEV | 885 +->| 1 |--+ 886 | +-----+ | 887 Tier-2 | | Tier-2 888 +-----+ | +-----+ | +-----+ 889 +------------>| DEV |--+->| DEV |--+--| |-------------+ 890 | +-----| B |--+ | 2 | +--| |-----+ | 891 | | +-----+ +-----+ +-----+ | | 892 | | | | 893 | | +-----+ +-----+ +-----+ | | 894 | +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ | 895 | | | +---| C |--+->| 3 |--+--| |---+ | | | 896 | | | | +-----+ | +-----+ | +-----+ | | | | 897 | | | | | | | | | | 898 +-----+ +-----+ | +-----+ | +-----+ +-----+ 899 | DEV | | | Tier-3 +->| DEV |--+ Tier-3 | | | | 900 | A | | | | 4 | | | | | 901 +-----+ +-----+ +-----+ +-----+ +-----+ 902 | | | | | | | | 903 O O O O <- Servers -> X Y O O 905 Figure 5: ECMP fan-out tree from A to X and Y 907 The ECMP requirement implies that the BGP implementation must support 908 multipath fan-out for up to the maximum number of devices directly 909 attached at any point in the topology in upstream or downstream 910 direction. Normally, this number does not exceed half of the ports 911 found on a device in the topology. For example, an ECMP fan-out of 912 32 would be required when building a Clos network using 64-port 913 devices. The Border Routers may need to have wider fan-out to be 914 able to connect to multitude of Tier-1 devices if route summarization 915 at Border Router level is implemented as described in Section 5.2.5. 916 If a device's hardware does not support wider ECMP, logical link- 917 grouping (link-aggregation at layer 2) could be used to provide 918 "hierarchical" ECMP (Layer 3 ECMP followed by Layer 2 ECMP) to 919 compensate for fan-out limitations. Such approach, however, 920 increases the risk of flow polarization, as less entropy will be 921 available to the second stage of ECMP. 923 Most BGP implementations declare paths to be equal from an ECMP 924 perspective if they match up to and including step (e) in 925 Section 9.1.2.2 of [RFC4271]. In the proposed network design there 926 is no underlying IGP, so all IGP costs are assumed to be zero or 927 otherwise the same value across all paths and policies may be applied 928 as necessary to equalize BGP attributes that vary in vendor defaults, 929 such as MED and origin code. For historical reasons it is also 930 useful to not use 0 as the equalized MED value; this and some other 931 useful BGP information is available in [RFC4277] . Routing loops are 932 unlikely due to the BGP best-path selection process which prefers 933 shorter AS_PATH length, and longer paths through the Tier-1 devices 934 which don't allow their own ASN in the path and have the same ASN are 935 also not possible. 937 6.2. BGP ECMP over Multiple ASNs 939 For application load balancing purposes it is desirable to have the 940 same prefix advertised from multiple Tier-3 devices. From the 941 perspective of other devices, such a prefix would have BGP paths with 942 different AS_PATH attribute values, while having the same AS_PATH 943 attribute lengths. Therefore, BGP implementations must support load 944 sharing over above-mentioned paths. This feature is sometimes known 945 as "multipath relax" or "multipath multiple-as" and effectively 946 allows for ECMP to be done across different neighboring ASNs if all 947 other attributes are equal as already described in the previous 948 section. 950 6.3. Weighted ECMP 952 It may be desirable for the network devices to implement "weighted" 953 ECMP, to be able to send more traffic over some paths in ECMP fan- 954 out. This could be helpful to compensate for failures in the network 955 and send more traffic over paths that have more capacity. The 956 prefixes that require weighted ECMP would have to be injected using 957 remote BGP speaker (central agent) over a multihop session as 958 described further in Section 8.1. If support in implementations is 959 available, weight-distribution for multiple BGP paths could be 960 signaled using the technique described in 961 [I-D.ietf-idr-link-bandwidth]. 963 6.4. Consistent Hashing 965 It is often desirable to have the hashing function used for ECMP to 966 be consistent (see [CONS-HASH]), to minimize the impact on flow to 967 next-hop affinity changes when a next-hop is added or removed to ECMP 968 group. This could be used if the network device is used as a load 969 balancer, mapping flows toward multiple destinations - in this case, 970 losing or adding a destination will not have detrimental effect of 971 currently established flows. One particular recommendation on 972 implementing consistent hashing is provided in [RFC2992], though 973 other implementations are possible. This functionality could be 974 naturally combined with weighted ECMP, with the impact of the next- 975 hop changes being proportional to the weight of the given next-hop. 976 The downside of consistent hashing is increased load on hardware 977 resource utilization, as typically more space is required to 978 implement a consistent-hashing region. 980 7. Routing Convergence Properties 982 This section reviews routing convergence properties in the proposed 983 design. A case is made that sub-second convergence is achievable if 984 the implementation supports fast EBGP peering session deactivation 985 and timely RIB and FIB update upon failure of the associated link. 987 7.1. Fault Detection Timing 989 BGP typically relies on an IGP to route around link/node failures 990 inside an AS, and implements either a polling based or an event- 991 driven mechanism to obtain updates on IGP state changes. The 992 proposed routing design does not use an IGP, so the remaining 993 mechanisms that could be used for fault detection are BGP keep-alive 994 process (or any other type of keep-alive mechanism) and link-failure 995 triggers. 997 Relying solely on BGP keep-alive packets may result in high 998 convergence delays, in the order of multiple seconds (on many BGP 999 implementations the minimum configurable BGP hold timer value is 1000 three seconds). However, many BGP implementations can shut down 1001 local EBGP peering sessions in response to the "link down" event for 1002 the outgoing interface used for BGP peering. This feature is 1003 sometimes called as "fast fallover". Since links in modern data 1004 centers are predominantly point-to-point fiber connections, a 1005 physical interface failure is often detected in milliseconds and 1006 subsequently triggers a BGP re-convergence. 1008 Ethernet links may support failure signaling or detection standards 1009 such as Connectivity Fault Management (CFM) as described in 1010 [IEEE8021Q], which may make failure detection more robust. 1012 Alternatively, some platforms may support Bidirectional Forwarding 1013 Detection (BFD) [RFC5880] to allow for sub-second failure detection 1014 and fault signaling to the BGP process. However, use of either of 1015 these presents additional requirements to vendor software and 1016 possibly hardware, and may contradict REQ1. Until recently with 1017 [RFC7130], BFD also did not allow detection of a single member link 1018 failure on a LAG, which would have limited its usefulness in some 1019 designs. 1021 7.2. Event Propagation Timing 1023 In the proposed design the impact of BGP Minimum Route Advertisement 1024 Interval (MRAI) timer (See section 9.2.1.1 of [RFC4271]) should be 1025 considered. Per the standard it is required for BGP implementations 1026 to space out consecutive BGP UPDATE messages by at least MRAI 1027 seconds, which is often a configurable value. The initial BGP UPDATE 1028 messages after an event carrying withdrawn routes are commonly not 1029 affected by this timer. The MRAI timer may present significant 1030 convergence delays when a BGP speaker "waits" for the new path to be 1031 learned from its peers and has no local backup path information. 1033 In a Clos topology each EBGP speaker typically has either one path 1034 (Tier-2 devices don't accept paths from other Tier-2 in the same 1035 cluster due to same ASN) or N paths for the same prefix, where N is a 1036 significantly large number, e.g. N=32 (the ECMP fan-out to the 1037 Tier). Therefore, if a link fails to another device from which a 1038 path is received there is either no backup path at all (e.g. from 1039 perspective of a Tier-2 switch losing link to a Tier-3 device), or 1040 the backup is readily available in BGP Loc-RIB (e.g. from perspective 1041 of a Tier-2 device losing link to a Tier-1 switch). In the former 1042 case, the BGP withdrawal announcement will propagate un-delayed and 1043 trigger re-convergence on affected devices. In the latter case, the 1044 best-path will be re-evaluated and the local ECMP group corresponding 1045 to the new next-hop set changed. If the BGP path was the best-path 1046 selected previously, an "implicit withdraw" will be sent via a BGP 1047 UPDATE message as described as Option b in Section 3.1 of [RFC4271] 1048 due to the BGP AS_PATH attribute changing. 1050 7.3. Impact of Clos Topology Fan-outs 1052 Clos topology has large fan-outs, which may impact the "Up->Down" 1053 convergence in some cases, as described in this section. In a 1054 situation when a link between Tier-3 and Tier-2 device fails, the 1055 Tier-2 device will send BGP UPDATE messages to all upstream Tier-1 1056 devices, withdrawing the affected prefixes. The Tier-1 devices, in 1057 turn, will relay those messages to all downstream Tier-2 devices 1058 (except for the originator). Tier-2 devices other than the one 1059 originating the UPDATE should then wait for ALL upstream Tier-1 1060 devices to send an UPDATE message before removing the affected 1061 prefixes and sending corresponding UPDATE downstream to connected 1062 Tier-3 devices. If the original Tier-2 device or the relaying Tier-1 1063 devices introduce some delay into their UPDATE message announcements, 1064 the result could be UPDATE message "dispersion", that could be as 1065 long as multiple seconds. In order to avoid such a behavior, BGP 1066 implementations must support "update groups". The "update group" is 1067 defined as a collection of neighbors sharing the same outbound policy 1068 - the local speaker will send BGP updates to the members of the group 1069 synchronously. 1071 The impact of such "dispersion" grows with the size of topology fan- 1072 out and could also grow under network convergence churn. Some 1073 operators may be tempted to introduce "route flap dampening" type 1074 features that vendors include to reduce the control plane impact of 1075 rapidly flapping prefixes. However, due to issues described with 1076 false positives in these implementations especially under such 1077 "dispersion" events, it is not recommended to turn this feature on in 1078 this design. More background and issues with "route flap dampening" 1079 and possible implementation changes that could affect this are well 1080 described in [RFC7196]. 1082 7.4. Failure Impact Scope 1084 A network is declared to converge in response to a failure once all 1085 devices within the failure impact scope are notified of the event and 1086 have re-calculated their RIB's and consequently updated their FIB's. 1087 Larger failure impact scope typically means slower convergence since 1088 more devices have to be notified, and additionally results in a less 1089 stable network. In this section we describe BGP's advantages over 1090 link-state routing protocols in reducing failure impact scope for a 1091 Clos topology. 1093 BGP behaves like a distance-vector protocol in the sense that only 1094 the best path from the point of view of the local router is sent to 1095 neighbors. As such, some failures are masked if the local node can 1096 immediately find a backup path and does not have to send any updates 1097 further. Notice that in the worst case ALL devices in a data center 1098 topology have to either withdraw a prefix completely or update the 1099 ECMP groups in the FIB. However, many failures will not result in 1100 such a wide impact. There are two main failure types where impact 1101 scope is reduced: 1103 o Failure of a link between Tier-2 and Tier-1 devices: In this case, 1104 a Tier-2 device will update the affected ECMP groups, removing the 1105 failed link. There is no need to send new information to 1106 downstream Tier-3 devices, unless the path was selected as best by 1107 the BGP process, in which case only an "implicit withdraw" needs 1108 to be sent, which should not affect forwarding. The affected 1109 Tier-1 device will lose the only path available to reach a 1110 particular cluster and will have to withdraw the associated 1111 prefixes. Such prefix withdrawal process will only affect Tier-2 1112 devices directly connected to the affected Tier-1 device. The 1113 Tier-2 devices receiving the BGP UPDATE messages withdrawing 1114 prefixes will simply have to update their ECMP groups. The Tier-3 1115 devices are not involved in the re-convergence process. 1117 o Failure of a Tier-1 device: In this case, all Tier-2 devices 1118 directly attached to the failed node will have to update their 1119 ECMP groups for all IP prefixes from non-local cluster. The 1120 Tier-3 devices are once again not involved in the re-convergence 1121 process, but may receive "implicit withdraws" as described above. 1123 Even though in case of such failures multiple IP prefixes will have 1124 to be reprogrammed in the FIB, it is worth noting that ALL of these 1125 prefixes share a single ECMP group on Tier-2 device. Therefore, in 1126 the case of implementations with a hierarchical FIB, only a single 1127 change has to be made to the FIB. Hierarchical FIB here means FIB 1128 structure where the next-hop forwarding information is stored 1129 separately from the prefix lookup table, and the latter only store 1130 pointers to the respective forwarding information. 1132 Even though BGP offers reduced failure scope for some cases, further 1133 reduction of the fault domain using summarization is not always 1134 possible with the proposed design, since using this technique may 1135 create routing black-holes as mentioned previously. Therefore, the 1136 worst control plane failure impact scope is the network as a whole, 1137 for instance in a case of a link failure between Tier-2 and Tier-3 1138 devices. The amount of impacted prefixes in this case would be much 1139 less than in the case of a failure in the upper layers of a Clos 1140 network topology. The property of having such large failure scope is 1141 not a result of choosing EBGP in the design but rather a result of 1142 using the "scale-out" Clos topology. 1144 7.5. Routing Micro-Loops 1146 When a downstream device, e.g. Tier-2 device, loses all paths for a 1147 prefix, it normally has the default route pointing toward the 1148 upstream device, in this case the Tier-1 device. As a result, it is 1149 possible to get in the situation when Tier-2 switch loses a prefix, 1150 but Tier-1 switch still has the path pointing to the Tier-2 device, 1151 which results in transient micro-loop, since Tier-1 switch will keep 1152 passing packets to the affected prefix back to Tier-2 device, and 1153 Tier-2 will bounce it back again using the default route. This 1154 micro-loop will last for the duration of time it takes the upstream 1155 device to fully update its forwarding tables. 1157 To minimize impact of the micro-loops, Tier-2 and Tier-1 switches can 1158 be configured with static "discard" or "null" routes that will be 1159 more specific than the default route for prefixes missing during 1160 network convergence. For Tier-2 switches, the discard route should 1161 be a summary route, covering all server subnets of the underlying 1162 Tier-3 devices. For Tier-1 devices, the discard route should be a 1163 summary covering the server IP address subnets allocated for the 1164 whole data center. Those discard routes will only take precedence 1165 for the duration of network convergence, until the device learns a 1166 more specific prefix via a new path. 1168 8. Additional Options for Design 1170 8.1. Third-party Route Injection 1172 BGP allows for a "third-party", i.e. directly attached, BGP speaker 1173 to inject routes anywhere in the network topology, meeting REQ5. 1174 This can be achieved by peering via a multihop BGP session with some 1175 or even all devices in the topology. Furthermore, BGP diverse path 1176 distribution [RFC6774] could be used to inject multiple BGP next hops 1177 for the same prefix to facilitate load balancing, or using the BGP 1178 ADD-PATH capability [I-D.ietf-idr-add-paths] if supported by the 1179 implementation. Unfortunately, in many implementations ADD-PATH has 1180 been found to only support IBGP properly due to the use cases it was 1181 originally optimized for, which limits the "third-party" peering to 1182 IBGP only, if the feature is used. 1184 To implement route injection in the proposed design, a third-party 1185 BGP speaker may peer with Tier-3 and Tier-1 switches, injecting the 1186 same prefix, but using a special set of BGP next-hops for Tier-1 1187 devices. Those next-hops are assumed to resolve recursively via BGP, 1188 and could be, for example, IP addresses on Tier-3 devices. The 1189 resulting forwarding table programming could provide desired traffic 1190 proportion distribution among different clusters. 1192 8.2. Route Summarization within Clos Topology 1194 As mentioned previously, route summarization is not possible within 1195 the proposed Clos topology since it makes the network susceptible to 1196 route black-holing under single link failures. The main problem is 1197 the limited number of redundant paths between network elements, e.g. 1198 there is only a single path between any pair of Tier-1 and Tier-3 1199 devices. However, some operators may find route aggregation 1200 desirable to improve control plane stability. 1202 If planning on using any technique to summarize within the topology 1203 modeling of the routing behavior and potential for black-holing 1204 should be done not only for single or multiple link failures, but 1205 also fiber pathway failures or optical domain failures if the 1206 topology extends beyond a physical location. Simple modeling can be 1207 done by checking the reachability on devices doing summarization 1208 under the condition of a link or pathway failure between a set of 1209 devices in every tier as well as to the WAN routers if external 1210 connectivity is present. 1212 Route summarization would be possible with a small modification to 1213 the network topology, though the trade-off would be reduction of the 1214 total size of the network as well as network congestion under 1215 specific failures. This approach is very similar to the technique 1216 described above, which allows Border Routers to summarize the entire 1217 data center address space. 1219 8.2.1. Collapsing Tier-1 Devices Layer 1221 In order to add more paths between Tier-1 and Tier-3 devices, group 1222 Tier-2 devices into pairs, and then connect the pairs to the same 1223 group of Tier-1 devices. This is logically equivalent to 1224 "collapsing" Tier-1 devices into a group of half the size, merging 1225 the links on the "collapsed" devices. The result is illustrated in 1226 Figure 6. For example, in this topology DEV C and DEV D connect to 1227 the same set of Tier-1 devices (DEV 1 and DEV 2), whereas before they 1228 were connecting to different groups of Tier-1 devices. 1230 Tier-2 Tier-1 Tier-2 1231 +-----+ +-----+ +-----+ 1232 +-------------| DEV |------| DEV |------| |-------------+ 1233 | +-----| C |--++--| 1 |--++--| |-----+ | 1234 | | +-----+ || +-----+ || +-----+ | | 1235 | | || || | | 1236 | | +-----+ || +-----+ || +-----+ | | 1237 | +-----+-----| DEV |--++--| DEV |--++--| |-----+-----+ | 1238 | | | +---| D |------| 2 |------| |---+ | | | 1239 | | | | +-----+ +-----+ +-----+ | | | | 1240 | | | | | | | | 1241 +-----+ +-----+ +-----+ +-----+ 1242 | DEV | | DEV | | | | | 1243 | A | | B | Tier-3 Tier-3 | | | | 1244 +-----+ +-----+ +-----+ +-----+ 1245 | | | | | | | | 1246 O O O O <- Servers -> O O O O 1248 Figure 6: 5-Stage Clos topology 1250 Having this design in place, Tier-2 devices may be configured to 1251 advertise only a default route down to Tier-3 devices. If a link 1252 between Tier-2 and Tier-3 fails, the traffic will be re-routed via 1253 the second available path known to a Tier-2 switch. It is still not 1254 possible to advertise a summary route covering prefixes for a single 1255 cluster from Tier-2 devices since each of them has only a single path 1256 down to this prefix. It would require dual-homed servers to 1257 accomplish that. Also note that this design is only resilient to 1258 single link failure. It is possible for a double link failure to 1259 isolate a Tier-2 device from all paths toward a specific Tier-3 1260 device, thus causing a routing black-hole. 1262 A result of the proposed topology modification would be reduction of 1263 Tier-1 devices port capacity. This limits the maximum number of 1264 attached Tier-2 devices and therefore will limit the maximum DC 1265 network size. A larger network would require different Tier-1 1266 devices that have higher port density to implement this change. 1268 Another problem is traffic re-balancing under link failures. Since 1269 three are two paths from Tier-1 to Tier-3, a failure of the link 1270 between Tier-1 and Tier-2 switch would result in all traffic that was 1271 taking the failed link to switch to the remaining path. This will 1272 result in doubling of link utilization on the remaining link. 1274 8.2.2. Simple Virtual Aggregation 1276 A completely different approach to route summarization is possible, 1277 provided that the main goal is to reduce the FIB pressure, while 1278 allowing the control plane to disseminate full routing information. 1279 Firstly, it could be easily noted that in many cases multiple 1280 prefixes, some of which are less specific, share the same set of the 1281 next-hops (same ECMP group). For example, looking from the 1282 perspective of a Tier-3 devices, all routes learned from upstream 1283 Tier-2's, including the default route, will share the same set of BGP 1284 next-hops, provided that there are no failures in the network. This 1285 makes it possible to use the technique similar to described in 1286 [RFC6769] and only install the least specific route in the FIB, 1287 ignoring more specific routes if they share the same next-hop set. 1288 For example, under normal network conditions, only the default route 1289 need to be programmed into FIB. 1291 Furthermore, if the Tier-2 devices are configured with summary 1292 prefixes covering all of their attached Tier-3 device's prefixes the 1293 same logic could be applied in Tier-1 devices as well, and, by 1294 induction to Tier-2/Tier-3 switches in different clusters. These 1295 summary routes should still allow for more specific prefixes to leak 1296 to Tier-1 devices, to enable for detection of mismatches in the next- 1297 hop sets if a particular link fails, changing the next-hop set for a 1298 specific prefix. 1300 Re-stating once again, this technique does not reduce the amount of 1301 control plane state (i.e. BGP UPDATEs/BGP LocRIB sizing), but only 1302 allows for more efficient FIB utilization, by spotting more specific 1303 prefixes that share their next-hops with less specifics. 1305 8.3. ICMP Unreachable Message Masquerading 1307 This section discusses some operational aspects of not advertising 1308 point-to-point link subnets into BGP, as previously outlined as an 1309 option in Section 5.2.3. The operational impact of this decision 1310 could be seen when using the well-known "traceroute" tool. 1311 Specifically, IP addresses displayed by the tool will be the link's 1312 point-to-point addresses, and hence will be unreachable for 1313 management connectivity. This makes some troubleshooting more 1314 complicated. 1316 One way to overcome this limitation is by using the DNS subsystem to 1317 create the "reverse" entries for the IP addresses of the same device 1318 pointing to the same name. The connectivity then can be made by 1319 resolving this name to the "primary" IP address of the devices, e.g. 1320 its Loopback interface, which is always advertised into BGP. 1321 However, this creates a dependency on the DNS subsystem, which may be 1322 unavailable during an outage. 1324 Another option is to make the network device perform IP address 1325 masquerading, that is rewriting the source IP addresses of the 1326 appropriate ICMP messages sent off of the device with the "primary" 1327 IP address of the device. Specifically, the ICMP Destination 1328 Unreachable Message (type 3) codes 3 (port unreachable) and ICMP Time 1329 Exceeded (type 11) code 0, which are involved in proper working of 1330 the "traceroute" tool. With this modification, the "traceroute" 1331 probes sent to the devices will always be sent back with the 1332 "primary" IP address as the source, allowing the operator to discover 1333 the "reachable" IP address of the box. This has the downside of 1334 hiding the address of the "entry point" into the device. 1336 9. Security Considerations 1338 The design does not introduce any additional security concerns. 1339 General BGP security considerations are discussed in [RFC4271] and 1340 [RFC4272]. Furthermore, the Generalized TTL Security Mechanism 1341 [RFC5082] could be used to reduce the risk of BGP session spoofing. 1343 10. IANA Considerations 1345 This document includes no request to IANA. 1347 11. Acknowledgements 1349 This publication summarizes work of many people who participated in 1350 developing, testing and deploying the proposed network design, some 1351 of whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, 1352 Robert Toomey, and Lihua Yuan. Authors would also like to thank 1353 Linda Dunbar, Anoop Ghanwani, Susan Hares, Danny McPherson, Robert 1354 Raszuk, and Russ White for reviewing this document and providing 1355 valuable feedback and Mary Mitchell for initial grammar and style 1356 suggestions. 1358 12. References 1360 12.1. Normative References 1362 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 1363 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 1364 DOI 10.17487/RFC4271, January 2006, 1365 . 1367 [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for 1368 Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 1369 2013, . 1371 12.2. Informative References 1373 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, 1374 DOI 10.17487/RFC2328, April 1998, 1375 . 1377 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path 1378 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, 1379 . 1381 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", 1382 RFC 4272, DOI 10.17487/RFC4272, January 2006, 1383 . 1385 [RFC4277] McPherson, D. and K. Patel, "Experience with the BGP-4 1386 Protocol", RFC 4277, DOI 10.17487/RFC4277, January 2006, 1387 . 1389 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 1390 Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, 1391 December 2006, . 1393 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C. 1394 Pignataro, "The Generalized TTL Security Mechanism 1395 (GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007, 1396 . 1398 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 1399 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 1400 . 1402 [RFC6325] Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and A. 1403 Ghanwani, "Routing Bridges (RBridges): Base Protocol 1404 Specification", RFC 6325, DOI 10.17487/RFC6325, July 2011, 1405 . 1407 [RFC6769] Raszuk, R., Heitz, J., Lo, A., Zhang, L., and X. Xu, 1408 "Simple Virtual Aggregation (S-VA)", RFC 6769, 1409 DOI 10.17487/RFC6769, October 2012, 1410 . 1412 [RFC6774] Raszuk, R., Ed., Fernando, R., Patel, K., McPherson, D., 1413 and K. Kumaki, "Distribution of Diverse BGP Paths", 1414 RFC 6774, DOI 10.17487/RFC6774, November 2012, 1415 . 1417 [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet 1418 Autonomous System (AS) Number Space", RFC 6793, 1419 DOI 10.17487/RFC6793, December 2012, 1420 . 1422 [RFC7067] Dunbar, L., Eastlake 3rd, D., Perlman, R., and I. 1423 Gashinsky, "Directory Assistance Problem and High-Level 1424 Design Proposal", RFC 7067, DOI 10.17487/RFC7067, November 1425 2013, . 1427 [RFC7130] Bhatia, M., Ed., Chen, M., Ed., Boutros, S., Ed., 1428 Binderberger, M., Ed., and J. Haas, Ed., "Bidirectional 1429 Forwarding Detection (BFD) on Link Aggregation Group (LAG) 1430 Interfaces", RFC 7130, DOI 10.17487/RFC7130, February 1431 2014, . 1433 [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O. 1434 Maennel, "Making Route Flap Damping Usable", RFC 7196, 1435 DOI 10.17487/RFC7196, May 2014, 1436 . 1438 [I-D.ietf-idr-add-paths] 1439 Walton, D., Retana, A., Chen, E., and J. Scudder, 1440 "Advertisement of Multiple Paths in BGP", draft-ietf-idr- 1441 add-paths-13 (work in progress), December 2015. 1443 [I-D.ietf-idr-link-bandwidth] 1444 Mohapatra, P. and R. Fernando, "BGP Link Bandwidth 1445 Extended Community", draft-ietf-idr-link-bandwidth-06 1446 (work in progress), January 2013. 1448 [I-D.mitchell-grow-remove-private-as] 1449 Mitchell, J., Rao, D., and R. Raszuk, "Private Autonomous 1450 System (AS) Removal Requirements", draft-mitchell-grow- 1451 remove-private-as-04 (work in progress), April 2015. 1453 [CLOS1953] 1454 Clos, C., "A Study of Non-Blocking Switching Networks: 1455 Bell System Technical Journal Vol. 32(2)", March 1953. 1457 [HADOOP] Apache, , "Apache HaDoop", June 2015, 1458 . 1460 [GREENBERG2009] 1461 Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a 1462 Cloud: Research Problems in Data Center Networks", January 1463 2009. 1465 [IEEE8021D-1990] 1466 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1467 Area Networks--Media access control (MAC) Bridges", May 1468 1990. 1470 [IEEE8021D-2004] 1471 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1472 Area Networks--Media access control (MAC) Bridges", 1473 February 2004. 1475 [IEEE8021Q] 1476 IEEE 802.1Q, , "IEEE Standard for Local and metropolitan 1477 area networks--Bridges and Bridged Networks", December 1478 2014. 1480 [INTERCON] 1481 Dally, W. and B. Towles, "Principles and Practices of 1482 Interconnection Networks", ISBN 978-0122007514, January 1483 2004. 1485 [ALFARES2008] 1486 Al-Fares, M., Loukissas, A., and A. Vahdat, "A Scalable, 1487 Commodity Data Center Network Architecture", August 2008. 1489 [IANA.AS] IANA, , "Autonomous System (AS) Numbers", June 2015, 1490 . 1492 [IEEE8023AD] 1493 IEEE 802.3ad, , "IEEE Standard for Link aggregation for 1494 parallel links", October 2000. 1496 [ALLOWASIN] 1497 Cisco Systems, , "Allowas-in Feature in BGP Configuration 1498 Example", February 2015, 1499 . 1503 [REMOVE-PRIVATE-AS] 1504 Cisco Systems, , "Removing Private Autonomous System 1505 Numbers in BGP", August 2005, 1506 . 1509 [CONDITIONALROUTE] 1510 Cisco Systems, , "Configuring and Verifying the BGP 1511 Conditional Advertisement Feature", August 2005, 1512 . 1515 [FB4POST] Farrington, N. and A. Andreyev, "Facebook's Data Center 1516 Network Architecture", May 2013, 1517 . 1519 [JAKMA2008] 1520 Jakma, P., "BGP Path Hunting", 2008, 1521 . 1523 [CONS-HASH] 1524 Wikipedia, , "Consistent Hashing", 1525 . 1527 Authors' Addresses 1528 Petr Lapukhov 1529 Facebook 1530 1 Hacker Way 1531 Menlo Park, CA 94025 1532 US 1534 Email: petr@fb.com 1536 Ariff Premji 1537 Arista Networks 1538 5453 Great America Parkway 1539 Santa Clara, CA 95054 1540 US 1542 Email: ariff@arista.com 1543 URI: http://arista.com/ 1545 Jon Mitchell (editor)