idnits 2.17.1 draft-ietf-rtgwg-bgp-routing-large-dc-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 4, 2016) is 2875 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 2385 (Obsoleted by RFC 5925) == Outdated reference: A later version (-07) exists of draft-ietf-idr-link-bandwidth-06 == Outdated reference: A later version (-20) exists of draft-ietf-rtgwg-bgp-pic-00 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Area Working Group P. Lapukhov 3 Internet-Draft Facebook 4 Intended status: Informational A. Premji 5 Expires: December 6, 2016 Arista Networks 6 J. Mitchell, Ed. 7 June 4, 2016 9 Use of BGP for routing in large-scale data centers 10 draft-ietf-rtgwg-bgp-routing-large-dc-11 12 Abstract 14 Some network operators build and operate data centers that support 15 over one hundred thousand servers. In this document, such data 16 centers are referred to as "large-scale" to differentiate them from 17 smaller infrastructures. Environments of this scale have a unique 18 set of network requirements with an emphasis on operational 19 simplicity and network stability. This document summarizes 20 operational experience in designing and operating large-scale data 21 centers using BGP as the only routing protocol. The intent is to 22 report on a proven and stable routing design that could be leveraged 23 by others in the industry. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on December 6, 2016. 42 Copyright Notice 44 Copyright (c) 2016 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Network Design Requirements . . . . . . . . . . . . . . . . . 4 61 2.1. Bandwidth and Traffic Patterns . . . . . . . . . . . . . 4 62 2.2. CAPEX Minimization . . . . . . . . . . . . . . . . . . . 4 63 2.3. OPEX Minimization . . . . . . . . . . . . . . . . . . . . 5 64 2.4. Traffic Engineering . . . . . . . . . . . . . . . . . . . 5 65 2.5. Summarized Requirements . . . . . . . . . . . . . . . . . 6 66 3. Data Center Topologies Overview . . . . . . . . . . . . . . . 6 67 3.1. Traditional DC Topology . . . . . . . . . . . . . . . . . 6 68 3.2. Clos Network topology . . . . . . . . . . . . . . . . . . 7 69 3.2.1. Overview . . . . . . . . . . . . . . . . . . . . . . 7 70 3.2.2. Clos Topology Properties . . . . . . . . . . . . . . 8 71 3.2.3. Scaling the Clos topology . . . . . . . . . . . . . . 9 72 3.2.4. Managing the Size of Clos Topology Tiers . . . . . . 10 73 4. Data Center Routing Overview . . . . . . . . . . . . . . . . 11 74 4.1. Layer 2 Only Designs . . . . . . . . . . . . . . . . . . 11 75 4.2. Hybrid L2/L3 Designs . . . . . . . . . . . . . . . . . . 12 76 4.3. Layer 3 Only Designs . . . . . . . . . . . . . . . . . . 12 77 5. Routing Protocol Design . . . . . . . . . . . . . . . . . . . 13 78 5.1. Choosing EBGP as the Routing Protocol . . . . . . . . . . 13 79 5.2. EBGP Configuration for Clos topology . . . . . . . . . . 15 80 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 15 81 5.2.2. Private Use ASNs . . . . . . . . . . . . . . . . . . 16 82 5.2.3. Prefix Advertisement . . . . . . . . . . . . . . . . 17 83 5.2.4. External Connectivity . . . . . . . . . . . . . . . . 18 84 5.2.5. Route Summarization at the Edge . . . . . . . . . . . 19 85 6. ECMP Considerations . . . . . . . . . . . . . . . . . . . . . 20 86 6.1. Basic ECMP . . . . . . . . . . . . . . . . . . . . . . . 20 87 6.2. BGP ECMP over Multiple ASNs . . . . . . . . . . . . . . . 21 88 6.3. Weighted ECMP . . . . . . . . . . . . . . . . . . . . . . 21 89 6.4. Consistent Hashing . . . . . . . . . . . . . . . . . . . 22 90 7. Routing Convergence Properties . . . . . . . . . . . . . . . 22 91 7.1. Fault Detection Timing . . . . . . . . . . . . . . . . . 22 92 7.2. Event Propagation Timing . . . . . . . . . . . . . . . . 23 93 7.3. Impact of Clos Topology Fan-outs . . . . . . . . . . . . 23 94 7.4. Failure Impact Scope . . . . . . . . . . . . . . . . . . 24 95 7.5. Routing Micro-Loops . . . . . . . . . . . . . . . . . . . 25 96 8. Additional Options for Design . . . . . . . . . . . . . . . . 26 97 8.1. Third-party Route Injection . . . . . . . . . . . . . . . 26 98 8.2. Route Summarization within Clos Topology . . . . . . . . 26 99 8.2.1. Collapsing Tier-1 Devices Layer . . . . . . . . . . . 27 100 8.2.2. Simple Virtual Aggregation . . . . . . . . . . . . . 29 101 8.3. ICMP Unreachable Message Masquerading . . . . . . . . . . 29 102 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 103 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 104 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 105 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 106 12.1. Normative References . . . . . . . . . . . . . . . . . . 31 107 12.2. Informative References . . . . . . . . . . . . . . . . . 31 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 110 1. Introduction 112 This document describes a practical routing design that can be used 113 in a large-scale data center (DC) design. Such data centers, also 114 known as hyper-scale or warehouse-scale data centers, have a unique 115 attribute of supporting over a hundred thousand servers. In order to 116 accommodate networks of this scale, operators are revisiting 117 networking designs and platforms to address this need. 119 The design presented in this document is based on operational 120 experience with data centers built to support large-scale distributed 121 software infrastructure, such as a Web search engine. The primary 122 requirements in such an environment are operational simplicity and 123 network stability so that a small group of people can effectively 124 support a significantly sized network. 126 Experimentation and extensive testing have shown that External BGP 127 (EBGP) [RFC4271] is well suited as a stand-alone routing protocol for 128 these type of data center applications. This is in contrast with 129 more traditional DC designs, which may use simple tree topologies and 130 rely on extending Layer 2 domains across multiple network devices. 131 This document elaborates on the requirements that led to this design 132 choice and presents details of the EBGP routing design as well as 133 explores ideas for further enhancements. 135 This document first presents an overview of network design 136 requirements and considerations for large-scale data centers. Then 137 traditional hierarchical data center network topologies are 138 contrasted with Clos networks [CLOS1953] that are horizontally scaled 139 out. This is followed by arguments for selecting EBGP with a Clos 140 topology as the most appropriate routing protocol to meet the 141 requirements and the proposed design is described in detail. 142 Finally, this document reviews some additional considerations and 143 design options. A thorough understanding of BGP is assumed by a 144 reader planning on deploying the design described within the 145 document. 147 2. Network Design Requirements 149 This section describes and summarizes network design requirements for 150 large-scale data centers. 152 2.1. Bandwidth and Traffic Patterns 154 The primary requirement when building an interconnection network for 155 a large number of servers is to accommodate application bandwidth and 156 latency requirements. Until recently it was quite common to see the 157 majority of traffic entering and leaving the data center, commonly 158 referred to as "north-south" traffic. Traditional "tree" topologies 159 were sufficient to accommodate such flows, even with high 160 oversubscription ratios between the layers of the network. If more 161 bandwidth was required, it was added by "scaling up" the network 162 elements, e.g., by upgrading the device's linecards or fabrics or 163 replacing the device with one with higher port density. 165 Today many large-scale data centers host applications generating 166 significant amounts of server-to-server traffic, which does not 167 egress the DC, commonly referred to as "east-west" traffic. Examples 168 of such applications could be compute clusters such as Hadoop 169 [HADOOP], massive data replication between clusters needed by certain 170 applications, or virtual machine migrations. Scaling traditional 171 tree topologies to match these bandwidth demands becomes either too 172 expensive or impossible due to physical limitations, e.g., port 173 density in a switch. 175 2.2. CAPEX Minimization 177 The Capital Expenditures (CAPEX) associated with the network 178 infrastructure alone constitutes about 10-15% of total data center 179 expenditure (see [GREENBERG2009]). However, the absolute cost is 180 significant, and hence there is a need to constantly drive down the 181 cost of individual network elements. This can be accomplished in two 182 ways: 184 o Unifying all network elements, preferably using the same hardware 185 type or even the same device. This allows for volume pricing on 186 bulk purchases and reduced maintenance and inventory costs. 188 o Driving costs down using competitive pressures, by introducing 189 multiple network equipment vendors. 191 In order to allow for good vendor diversity it is important to 192 minimize the software feature requirements for the network elements. 193 This strategy provides maximum flexibility of vendor equipment 194 choices while enforcing interoperability using open standards. 196 2.3. OPEX Minimization 198 Operating large-scale infrastructure can be expensive as a larger 199 amount of elements will statistically fail more often. Having a 200 simpler design and operating using a limited software feature set 201 minimizes software issue-related failures. 203 An important aspect of Operational Expenditure (OPEX) minimization is 204 reducing the size of failure domains in the network. Ethernet 205 networks are known to be susceptible to broadcast or unicast traffic 206 storms that can have a dramatic impact on network performance and 207 availability. The use of a fully routed design significantly reduces 208 the size of the data plane failure domains, i.e., limits them to the 209 lowest level in the network hierarchy. However, such designs 210 introduce the problem of distributed control plane failures. This 211 observation calls for simpler and less control plane protocols to 212 reduce protocol interaction issues, reducing the chance of a network 213 meltdown. Minimizing software feature requirements as described in 214 the CAPEX section above also reduces testing and training 215 requirements. 217 2.4. Traffic Engineering 219 In any data center, application load balancing is a critical function 220 performed by network devices. Traditionally, load balancers are 221 deployed as dedicated devices in the traffic forwarding path. The 222 problem arises in scaling load balancers under growing traffic 223 demand. A preferable solution would be able to scale the load 224 balancing layer horizontally, by adding more of the uniform nodes and 225 distributing incoming traffic across these nodes. In situations like 226 this, an ideal choice would be to use network infrastructure itself 227 to distribute traffic across a group of load balancers. The 228 combination of Anycast prefix advertisement [RFC4786] and Equal Cost 229 Multipath (ECMP) functionality can be used to accomplish this goal. 230 To allow for more granular load distribution, it is beneficial for 231 the network to support the ability to perform controlled per-hop 232 traffic engineering. For example, it is beneficial to directly 233 control the ECMP next-hop set for Anycast prefixes at every level of 234 network hierarchy. 236 2.5. Summarized Requirements 238 This section summarizes the list of requirements outlined in the 239 previous sections: 241 o REQ1: Select a topology that can be scaled "horizontally" by 242 adding more links and network devices of the same type without 243 requiring upgrades to the network elements themselves. 245 o REQ2: Define a narrow set of software features/protocols supported 246 by a multitude of networking equipment vendors. 248 o REQ3: Choose a routing protocol that has a simple implementation 249 in terms of programming code complexity and ease of operational 250 support. 252 o REQ4: Minimize the failure domain of equipment or protocol issues 253 as much as possible. 255 o REQ5: Allow for some traffic engineering, preferably via explicit 256 control of the routing prefix next-hop using built-in protocol 257 mechanics. 259 3. Data Center Topologies Overview 261 This section provides an overview of two general types of data center 262 designs - hierarchical (also known as tree based) and Clos based 263 network designs. 265 3.1. Traditional DC Topology 267 In the networking industry, a common design choice for data centers 268 typically look like an (upside down) tree with redundant uplinks and 269 three layers of hierarchy namely; core, aggregation/distribution and 270 access layers (see Figure 1). To accommodate bandwidth demands, each 271 higher layer, from server towards DC egress or WAN, has higher port 272 density and bandwidth capacity where the core functions as the 273 "trunk" of the tree based design. To keep terminology uniform and 274 for comparison with other designs, in this document these layers will 275 be referred to as Tier-1, Tier-2 and Tier-3 "tiers", instead of Core, 276 Aggregation or Access layers. 278 +------+ +------+ 279 | | | | 280 | |--| | Tier-1 281 | | | | 282 +------+ +------+ 283 | | | | 284 +---------+ | | +----------+ 285 | +-------+--+------+--+-------+ | 286 | | | | | | | | 287 +----+ +----+ +----+ +----+ 288 | | | | | | | | 289 | |-----| | | |-----| | Tier-2 290 | | | | | | | | 291 +----+ +----+ +----+ +----+ 292 | | | | 293 | | | | 294 | +-----+ | | +-----+ | 295 +-| |-+ +-| |-+ Tier-3 296 +-----+ +-----+ 297 | | | | | | 298 <- Servers -> <- Servers -> 300 Figure 1: Typical DC network topology 302 Unfortunately, as noted previously, it is not possible to scale a 303 tree based design to a large enough degree to handle large-scale 304 designs due to the inability to be able to acquire Tier-1 devices 305 with a large enough port density to sufficiently scale Tier-2. Also, 306 continous upgrades or replacement of the upper tier devices are 307 required as deployment size or bandwidth requirements increase which 308 is operationally complex. For this reason, REQ1 is in place, 309 eliminating this type of design from consideration. 311 3.2. Clos Network topology 313 This section describes a common design for horizontally scalable 314 topology in large-scale data centers in order to meet REQ1. 316 3.2.1. Overview 318 A common choice for a horizontally scalable topology is a folded Clos 319 topology, sometimes called "fat-tree" (see, for example, [INTERCON] 320 and [ALFARES2008]). This topology features an odd number of stages 321 (sometimes known as dimensions) and is commonly made of uniform 322 elements, e.g., network switches with the same port count. 323 Therefore, the choice of folded Clos topology satisfies REQ1 and 324 facilitates REQ2. See Figure 2 below for an example of a folded 325 3-stage Clos topology (3 stages counting Tier-2 stage twice, when 326 tracing a packet flow): 328 +-------+ 329 | |----------------------------+ 330 | |------------------+ | 331 | |--------+ | | 332 +-------+ | | | 333 +-------+ | | | 334 | |--------+---------+-------+ | 335 | |--------+-------+ | | | 336 | |------+ | | | | | 337 +-------+ | | | | | | 338 +-------+ | | | | | | 339 | |------+-+-------+-+-----+ | | 340 | |------+-+-----+ | | | | | 341 | |----+ | | | | | | | | 342 +-------+ | | | | | | ---------> M links 343 Tier-1 | | | | | | | | | 344 +-------+ +-------+ +-------+ 345 | | | | | | 346 | | | | | | Tier-2 347 | | | | | | 348 +-------+ +-------+ +-------+ 349 | | | | | | | | | 350 | | | | | | ---------> N Links 351 | | | | | | | | | 352 O O O O O O O O O Servers 354 Figure 2: 3-Stage Folded Clos topology 356 This topology is often also referred to as a "Leaf and Spine" 357 network, where "Spine" is the name given to the middle stage of the 358 Clos topology (Tier-1) and "Leaf" is the name of input/output stage 359 (Tier-2). For uniformity, this document will refer to these layers 360 using the "Tier-n" notation. 362 3.2.2. Clos Topology Properties 364 The following are some key properties of the Clos topology: 366 o The topology is fully non-blocking, or more accurately non- 367 interfering, if M >= N and oversubscribed by a factor of N/M 368 otherwise. Here M and N is the uplink and downlink port count 369 respectively, for a Tier-2 switch as shown in Figure 2. 371 o Utilizing this topology requires control and data plane support 372 for ECMP with a fan-out of M or more. 374 o Tier-1 switches have exactly one path to every server in this 375 topology. This is an important property that makes route 376 summarization dangerous in this topology (see Section 8.2 below). 378 o Traffic flowing from server to server is load balanced over all 379 available paths using ECMP. 381 3.2.3. Scaling the Clos topology 383 A Clos topology can be scaled either by increasing network element 384 port density or adding more stages, e.g., moving to a 5-stage Clos, 385 as illustrated in Figure 3 below: 387 Tier-1 388 +-----+ 389 Cluster | | 390 +----------------------------+ +--| |--+ 391 | | | +-----+ | 392 | Tier-2 | | | Tier-2 393 | +-----+ | | +-----+ | +-----+ 394 | +-------------| DEV |------+--| |--+--| |-------------+ 395 | | +-----| C |------+ | | +--| |-----+ | 396 | | | +-----+ | +-----+ +-----+ | | 397 | | | | | | 398 | | | +-----+ | +-----+ +-----+ | | 399 | | +-----------| DEV |------+ | | +--| |-----------+ | 400 | | | | +---| D |------+--| |--+--| |---+ | | | 401 | | | | | +-----+ | | +-----+ | +-----+ | | | | 402 | | | | | | | | | | | | 403 | +-----+ +-----+ | | +-----+ | +-----+ +-----+ 404 | | DEV | | DEV | | +--| |--+ | | | | 405 | | A | | B | Tier-3 | | | Tier-3 | | | | 406 | +-----+ +-----+ | +-----+ +-----+ +-----+ 407 | | | | | | | | | | 408 | O O O O | O O O O 409 | Servers | Servers 410 +----------------------------+ 412 Figure 3: 5-Stage Clos topology 414 The small example topology on Figure 3 is built from devices with a 415 port count of 4 and provides full bisectional bandwidth to all 416 connected servers. In this document, one set of directly connected 417 Tier-2 and Tier-3 devices along with their attached servers will be 418 referred to as a "cluster". For example, DEV A, B, C, D, and the 419 servers that connect to DEV A and B, on Figure 3 form a cluster. The 420 concept of a cluster may also be a useful concept as a single 421 deployment or maintenance unit which can be operated on at a 422 different frequency than the entire topology. 424 In practice, the Tier-3 layer of the network, which are typically top 425 of rack switches (ToRs), is where oversubscription is introduced to 426 allow for packaging of more servers in the data center while meeting 427 the bandwidth requirements for different types of applications. The 428 main reason to limit oversubscription at a single layer of the 429 network is to simplify application development that would otherwise 430 need to account for multiple bandwidth pools: within rack (Tier-3), 431 between racks (Tier-2), and between clusters (Tier-1). Since 432 oversubscription does not have a direct relationship to the routing 433 design it is not discussed further in this document. 435 3.2.4. Managing the Size of Clos Topology Tiers 437 If a data center network size is small, it is possible to reduce the 438 number of switches in Tier-1 or Tier-2 of a Clos topology by a factor 439 of two. To understand how this could be done, take Tier-1 as an 440 example. Every Tier-2 device connects to a single group of Tier-1 441 devices. If half of the ports on each of the Tier-1 devices are not 442 being used then it is possible to reduce the number of Tier-1 devices 443 by half and simply map two uplinks from a Tier-2 device to the same 444 Tier-1 device that were previously mapped to different Tier-1 445 devices. This technique maintains the same bisectional bandwidth 446 while reducing the number of elements in the Tier-1 layer, thus 447 saving on CAPEX. The tradeoff, in this example, is the reduction of 448 maximum DC size in terms of overall server count by half. 450 In this example, Tier-2 devices will be using two parallel links to 451 connect to each Tier-1 device. If one of these links fails, the 452 other will pick up all traffic of the failed link, possible resulting 453 in heavy congestion and quality of service degradation if the path 454 determination procedure does not take bandwidth amount into account 455 since the number of upstream Tier-1 devices is likely wider than two. 456 To avoid this situation, parallel links can be grouped in link 457 aggregation groups (LAGs, such as [IEEE8023AD]) with widely available 458 implementation settings that take the whole "bundle" down upon a 459 single link failure. Equivalent techniques that enforce "fate 460 sharing" on the parallel links can be used in place of LAGs to 461 achieve the same effect. As a result of such fate-sharing, traffic 462 from two or more failed links will be re-balanced over the multitude 463 of remaining paths that equals the number of Tier-1 devices. This 464 example is using two links for simplicity, having more links in a 465 bundle will have less impact on capacity upon a member-link failure. 467 4. Data Center Routing Overview 469 This section provides an overview of three general types of data 470 center protocol designs - Layer 2 only, Hybrid L2/L3 and Layer 3 471 only. 473 4.1. Layer 2 Only Designs 475 Originally most data center designs used Spanning-Tree Protocol (STP) 476 originally defined in [IEEE8021D-1990] for loop free topology 477 creation, typically utilizing variants of the traditional DC topology 478 described in Section 3.1. At the time, many DC switches either did 479 not support Layer 3 routing protocols or supported them with 480 additional licensing fees, which played a part in the design choice. 481 Although many enhancements have been made through the introduction of 482 Rapid Spanning Tree Protocol (RSTP) in the latest revision of 483 [IEEE8021D-2004] and Multiple Spanning Tree Protocol (MST) specified 484 in [IEEE8021Q] that increase convergence, stability and load 485 balancing in larger topologies, many of the fundamentals of the 486 protocol limit its applicability in large-scale DCs. STP and its 487 newer variants use an active/standby approach to path selection and 488 are therefore hard to deploy in horizontally-scaled topologies as 489 described in Section 3.2. Further, operators have had many 490 experiences with large failures due to issues caused by improper 491 cabling, misconfiguration, or flawed software on a single device. 492 These failures regularly affected the entire spanning-tree domain and 493 were very hard to troubleshoot due to the nature of the protocol. 494 For these reasons, and since almost all DC traffic is now IP, 495 therefore requiring a Layer 3 routing protocol at the network edge 496 for external connectivity, designs utilizing STP usually fail all of 497 the requirements of large-scale DC operators. Various enhancements 498 to link-aggregation protocols such as [IEEE8023AD], generally known 499 as Multi-Chassis Link-Aggregation (M-LAG) made it possible to use 500 Layer 2 designs with active-active network paths while relying on STP 501 as the backup for loop prevention. The major downsides of this 502 approach are the lack of ability to scale linearly past two in most 503 implementations, lack of standards based implementations, and added 504 the failure domain risk of syncing state between the devices. 506 It should be noted that building large, horizontally scalable, Layer 507 2 only networks without STP is possible recently through the 508 introduction of the TRILL protocol in [RFC6325]. TRILL resolves many 509 of the issues STP has for large-scale DC design however due to the 510 limited number of implementations, and often the requirement for 511 specific equipment that supports it, this has limited its 512 applicability and increased the cost of such designs. 514 Finally, neither the base TRILL specification nor the M-LAG approach 515 totally eliminate the problem of the shared broadcast domain, that is 516 so detrimental to the operations of any Layer 2, Ethernet based 517 solution. Later TRILL extensions have been proposed to solve the 518 this problem statement primarily based on the approaches outlined in 519 [RFC7067], but this even further limits the number of available 520 interoperable implementations that can be used to build a fabric. 521 Therefore, TRILL based designs have issues meeting REQ2, REQ3, and 522 REQ4. 524 4.2. Hybrid L2/L3 Designs 526 Operators have sought to limit the impact of data plane faults and 527 build large-scale topologies through implementing routing protocols 528 in either the Tier-1 or Tier-2 parts of the network and dividing the 529 Layer 2 domain into numerous, smaller domains. This design has 530 allowed data centers to scale up, but at the cost of complexity in 531 managing multiple network protocols. For the following reasons, 532 operators have retained Layer 2 in either the access (Tier-3) or both 533 access and aggregation (Tier-3 and Tier-2) parts of the network: 535 o Supporting legacy applications that may require direct Layer 2 536 adjacency or use non-IP protocols. 538 o Seamless mobility for virtual machines that require the 539 preservation of IP addresses when a virtual machine moves to a 540 different Tier-3 switch. 542 o Simplified IP addressing = less IP subnets are required for the 543 data center. 545 o Application load balancing may require direct Layer 2 reachability 546 to perform certain functions such as Layer 2 Direct Server Return 547 (DSR, see [L3DSR]). 549 o Continued CAPEX differences between Layer 2 and Layer 3 capable 550 switches. 552 4.3. Layer 3 Only Designs 554 Network designs that leverage IP routing down to Tier-3 of the 555 network have gained popularity as well. The main benefit of these 556 designs is improved network stability and scalability, as a result of 557 confining L2 broadcast domains. Commonly an Interior Gateway 558 Protocol (IGP) such as OSPF [RFC2328] is used as the primary routing 559 protocol in such a design. As data centers grow in scale, and server 560 count exceeds tens of thousands, such fully routed designs have 561 become more attractive. 563 Choosing a Layer 3 only design greatly simplifies the network, 564 facilitating the meeting of REQ1 and REQ2, and has widespread 565 adoption in networks where large Layer 2 adjacency and larger size 566 Layer 3 subnets are not as critical compared to network scalability 567 and stability. Application providers and network operators continue 568 to develop new solutions to meet some of the requirements that 569 previously had driven large Layer 2 domains by using various overlay 570 or tunneling techniques. 572 5. Routing Protocol Design 574 In this section the motivations for using External BGP (EBGP) as the 575 single routing protocol for data center networks having a Layer 3 576 protocol design and Clos topology are reviewed. Then, a practical 577 approach for designing an EBGP based network is provided. 579 5.1. Choosing EBGP as the Routing Protocol 581 REQ2 would give preference to the selection of a single routing 582 protocol to reduce complexity and interdependencies. While it is 583 common to rely on an IGP in this situation, sometimes with either the 584 addition of EBGP at the device bordering the WAN or Internal BGP 585 (IBGP) throughout, this document proposes the use of an EBGP only 586 design. 588 Although EBGP is the protocol used for almost all inter-domain 589 routing in the Internet and has wide support from both vendor and 590 service provider communities, it is not generally deployed as the 591 primary routing protocol within the data center for a number of 592 reasons (some of which are interrelated): 594 o BGP is perceived as a "WAN only protocol only" and not often 595 considered for enterprise or data center applications. 597 o BGP is believed to have a "much slower" routing convergence 598 compared to IGPs. 600 o Large scale BGP deployments typically utilize an IGP for BGP next- 601 hop resolution as all nodes in the iBGP topology are not directly 602 connected. 604 o BGP is perceived to require significant configuration overhead and 605 does not support neighbor auto-discovery. 607 This document discusses some of these perceptions, especially as 608 applicable to the proposed design, and highlights some of the 609 advantages of using the protocol such as: 611 o BGP has less complexity in parts of its protocol design - internal 612 data structures and state machine are simpler as compared to most 613 link-state IGPs such as OSPF. For example, instead of 614 implementing adjacency formation, adjacency maintenance and/or 615 flow-control, BGP simply relies on TCP as the underlying 616 transport. This fulfills REQ2 and REQ3. 618 o BGP information flooding overhead is less when compared to link- 619 state IGPs. Since every BGP router calculates and propagates only 620 the best-path selected, a network failure is masked as soon as the 621 BGP speaker finds an alternate path, which exists when highly 622 symmetric topologies, such as Clos, are coupled with an EBGP only 623 design. In contrast, the event propagation scope of a link-state 624 IGP is an entire area, regardless of the failure type. In this 625 way, BGP better meets REQ3 and REQ4. It is also worth mentioning 626 that all widely deployed link-state IGPs feature periodic 627 refreshes of routing information while BGP does not expire routing 628 state, although this rarely impacts modern router control planes. 630 o BGP supports third-party (recursively resolved) next-hops. This 631 allows for manipulating multipath to be non-ECMP based or 632 forwarding based on application-defined paths, through 633 establishment of a peering session with an application 634 "controller" which can inject routing information into the system, 635 satisfying REQ5. OSPF provides similar functionality using 636 concepts such as "Forwarding Address", but with more difficulty in 637 implementation and far less control of information propagation 638 scope. 640 o Using a well-defined Autonomous System Number (ASN) allocation 641 scheme and standard AS_PATH loop detection, "BGP path hunting" 642 (see [JAKMA2008]) can be controlled and complex unwanted paths 643 will be ignored. See Section 5.2 for an example of a working ASN 644 allocation scheme. In a link-state IGP accomplishing the same 645 goal would require multi-(instance/topology/process) support, 646 typically not available in all DC devices and quite complex to 647 configure and troubleshoot. Using a traditional single flooding 648 domain, which most DC designs utilize, under certain failure 649 conditions may pick up unwanted lengthy paths, e.g., traversing 650 multiple Tier-2 devices. 652 o EBGP configuration that is implemented with minimal routing policy 653 is easier to troubleshoot for network reachability issues. In 654 most implementations, it is straightforward to view contents of 655 BGP Loc-RIB and compare it to the router's RIB. Also, in most 656 implementations an operator can view every BGP neighbors Adj-RIB- 657 In and Adj-RIB-Out structures and therefore incoming and outgoing 658 NLRI information can be easily correlated on both sides of a BGP 659 session. Thus, BGP satisfies REQ3. 661 5.2. EBGP Configuration for Clos topology 663 Clos topologies that have more than 5 stages are very uncommon due to 664 the large numbers of interconnects required by such a design. 665 Therefore, the examples below are made with reference to the 5-stage 666 Clos topology (in unfolded state). 668 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 670 The diagram below illustrates an example ASN allocation scheme. The 671 following is a list of guidelines that can be used: 673 o EBGP single-hop sessions are established over direct point-to- 674 point links interconnecting the network nodes, no multi-hop or 675 loopback sessions are used even in the case of multiple links 676 between the same pair of nodes. 678 o Private Use ASNs from the range 64512-65534 are used to avoid ASN 679 conflicts. 681 o A single ASN is allocated to all of the Clos topology's Tier-1 682 devices. 684 o A unique ASN is allocated to each set of Tier-2 devices in the 685 same cluster. 687 o A unique ASN is allocated to every Tier-3 device (e.g., ToR) in 688 this topology. 690 ASN 65534 691 +---------+ 692 | +-----+ | 693 | | | | 694 +-|-| |-|-+ 695 | | +-----+ | | 696 ASN 646XX | | | | ASN 646XX 697 +---------+ | | | | +---------+ 698 | +-----+ | | | +-----+ | | | +-----+ | 699 +-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+ 700 | +---|-| |-|-+ | | | | +-|-| |-|---+ | 701 | | | +-----+ | | +-----+ | | +-----+ | | | 702 | | | | | | | | | | 703 | | | | | | | | | | 704 | | | +-----+ | | +-----+ | | +-----+ | | | 705 | +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ | 706 | | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | | 707 | | | | | +-----+ | | | +-----+ | | | +-----+ | | | | | 708 | | | | +---------+ | | | | +---------+ | | | | 709 | | | | | | | | | | | | 710 +-----+ +-----+ | | +-----+ | | +-----+ +-----+ 711 | ASN | | | +-|-| |-|-+ | | | | 712 |65YYY| | ... | | | | | | ... | | ... | 713 +-----+ +-----+ | +-----+ | +-----+ +-----+ 714 | | | | +---------+ | | | | 715 O O O O <- Servers -> O O O O 717 Figure 4: BGP ASN layout for 5-stage Clos 719 5.2.2. Private Use ASNs 721 The original range of Private Use ASNs [RFC6996] limited operators to 722 1023 unique ASNs. Since it is quite likely that the number of 723 network devices may exceed this number, a workaround is required. 724 One approach is to re-use the ASNs assigned to the Tier-3 devices 725 across different clusters. For example, Private Use ASNs 65001, 726 65002 ... 65032 could be used within every individual cluster and 727 assigned to Tier-3 devices. 729 To avoid route suppression due to the AS_PATH loop detection 730 mechanism in BGP, upstream EBGP sessions on Tier-3 devices must be 731 configured with the "AllowAS In" feature [ALLOWASIN] that allows 732 accepting a device's own ASN in received route advertisements. 733 Although this feature is not standarized, it is widely available 734 accross multiple vendors implementations. Introducing this feature 735 does not make routing loops more likely in the design since the 736 AS_PATH is being added to by routers at each of the topology tiers 737 and AS_PATH length is an early tie breaker in the BGP path selection 738 process. Further loop protection is still in place at the Tier-1 739 device, which will not accept routes with a path including its own 740 ASN and Tier-2 devices do not have direct connectivity with each 741 other. 743 Another solution to this problem would be using Four-Octet ASNs 744 ([RFC6793]), where there are additional Private Use ASNs available, 745 see [IANA.AS]. Use of Four-Octet ASNs puts additional protocol 746 complexity in the BGP implementation and should be balanced against 747 the complexity of re-use when considering REQ3 and REQ4. Perhaps 748 more importantly, they are not yet supported by all BGP 749 implementations, which may limit vendor selection of DC equipment. 750 When supported, ensure that deployed implementations are able to 751 remove the Private Use ASNs when external connectivity 752 (Section 5.2.4) to these ASNs is required. 754 5.2.3. Prefix Advertisement 756 A Clos topology features a large number of point-to-point links and 757 associated prefixes. Advertising all of these routes into BGP may 758 create Forwarding Information Base (FIB) overload in the network 759 devices. Advertising these links also puts additional path 760 computation stress on the BGP control plane for little benefit. 761 There are two possible solutions: 763 o Do not advertise any of the point-to-point links into BGP. Since 764 the EBGP-based design changes the next-hop address at every 765 device, distant networks will automatically be reachable via the 766 advertising EBGP peer and do not require reachability to these 767 prefixes. However, this may complicate operations or monitoring: 768 e.g., using the popular "traceroute" tool will display IP 769 addresses that are not reachable. 771 o Advertise point-to-point links, but summarize them on every 772 device. This requires an address allocation scheme such as 773 allocating a consecutive block of IP addresses per Tier-1 and 774 Tier-2 device to be used for point-to-point interface addressing 775 to the lower layers (Tier-2 uplinks will be allocated from Tier-1 776 address blocks and so forth). 778 Server subnets on Tier-3 devices must be announced into BGP without 779 using route summarization on Tier-2 and Tier-1 devices. Summarizing 780 subnets in a Clos topology results in route black-holing under a 781 single link failure (e.g., between Tier-2 and Tier-3 devices) and 782 hence must be avoided. The use of peer links within the same tier to 783 resolve the black-holing problem by providing "bypass paths" is 784 undesirable due to O(N^2) complexity of the peering mesh and waste of 785 ports on the devices. An alternative to the full-mesh of peer-links 786 would be using a simpler bypass topology, e.g., a "ring" as described 787 in [FB4POST], but such a topology adds extra hops and has very 788 limited bisectional bandwidth. Additionally requiring special tweaks 789 to make BGP routing work - such as possibly splitting every device 790 into an ASN on its own. Later in this document, Section 8.2 791 introduces a less intrusive method for performing a limited form of 792 route summarization in Clos networks and discusses its associated 793 trade-offs. 795 5.2.4. External Connectivity 797 A dedicated cluster (or clusters) in the Clos topology could be used 798 for the purpose of connecting to the Wide Area Network (WAN) edge 799 devices, or WAN Routers. Tier-3 devices in such cluster would be 800 replaced with WAN routers, and EBGP peering would be used again, 801 though WAN routers are likely to belong to a public ASN if Internet 802 connectivity is required in the design. The Tier-2 devices in such a 803 dedicated cluster will be referred to as "Border Routers" in this 804 document. These devices have to perform a few special functions: 806 o Hide network topology information when advertising paths to WAN 807 routers, i.e., remove Private Use ASNs [RFC6996] from the AS_PATH 808 attribute. This is typically done to avoid ASN number collisions 809 between different data centers and also to provide a uniform 810 AS_PATH length to the WAN for purposes of WAN ECMP to Anycast 811 prefixes originated in the topology. An implementation specific 812 BGP feature typically called "Remove Private AS" is commonly used 813 to accomplish this. Depending on implementation, the feature 814 should strip a contiguous sequence of Private Use ASNs found in an 815 AS_PATH attribute prior to advertising the path to a neighbor. 816 This assumes that all ASNs used for intra data center numbering 817 are from the Private Use ranges. The process for stripping the 818 Private Use ASNs is not currently standardized, see 819 [I-D.mitchell-grow-remove-private-as]. However most 820 implementations at least follow the logic described in this 821 vendor's document [VENDOR-REMOVE-PRIVATE-AS], which is enough for 822 the design specified. 824 o Originate a default route to the data center devices. This is the 825 only place where a default route can be originated, as route 826 summarization is risky for the unmodified Clos topology. 827 Alternatively, Border Routers may simply relay the default route 828 learned from WAN routers. Advertising the default route from 829 Border Routers requires that all Border Routers be fully connected 830 to the WAN Routers upstream, to provide resistance to a single- 831 link failure causing the black-holing of traffic. To prevent 832 black-holing in the situation when all of the EBGP sessions to the 833 WAN routers fail simultaneously on a given device, it is more 834 desirable to readvertise the default route rather than originating 835 the default route via complicated conditional route origination 836 schemes provided by some implementations [CONDITIONALROUTE]. 838 5.2.5. Route Summarization at the Edge 840 It is often desirable to summarize network reachability information 841 prior to advertising it to the WAN network due to high amount of IP 842 prefixes originated from within the data center in a fully routed 843 network design. For example, a network with 2000 Tier-3 devices will 844 have at least 2000 servers subnets advertised into BGP, along with 845 the infrastructure prefixes. However, as discussed before in 846 Section 5.2.3, the proposed network design does not allow for route 847 summarization due to the lack of peer links inside every tier. 849 However, it is possible to lift this restriction for the Border 850 Routers, by devising a different connectivity model for these 851 devices. There are two options possible: 853 o Interconnect the Border Routers using a full-mesh of physical 854 links or using any other "peer-mesh" topology, such as ring or 855 hub-and-spoke. Configure BGP accordingly on all Border Leafs to 856 exchange network reachability information, e.g., by adding a mesh 857 of IBGP sessions. The interconnecting peer links need to be 858 appropriately sized for traffic that will be present in the case 859 of a device or link failure in the mesh connecting the Border 860 Routers. 862 o Tier-1 devices may have additional physical links provisioned 863 toward the Border Routers (which are Tier-2 devices from the 864 perspective of Tier-1). Specifically, if protection from a single 865 link or node failure is desired, each Tier-1 devices would have to 866 connect to at least two Border Routers. This puts additional 867 requirements on the port count for Tier-1 devices and Border 868 Routers, potentially making it a non-uniform, larger port count, 869 device compared with the other devices in the Clos. This also 870 reduces the number of ports available to "regular" Tier-2 switches 871 and hence the number of clusters that could be interconnected via 872 the Tier-1 layer. 874 If any of the above options are implemented, it is possible to 875 perform route summarization at the Border Routers toward the WAN 876 network core without risking a routing black-hole condition under a 877 single link failure. Both of the options would result in non-uniform 878 topology as additional links have to be provisioned on some network 879 devices. 881 6. ECMP Considerations 883 This section covers the Equal Cost Multipath (ECMP) functionality for 884 Clos topology and discusses a few special requirements. 886 6.1. Basic ECMP 888 ECMP is the fundamental load sharing mechanism used by a Clos 889 topology. Effectively, every lower-tier device will use all of its 890 directly attached upper-tier devices to load share traffic destined 891 to the same IP prefix. The number of ECMP paths between any two 892 Tier-3 devices in Clos topology is equal to the number of the devices 893 in the middle stage (Tier-1). For example, Figure 5 illustrates a 894 topology where Tier-3 device A has four paths to reach servers X and 895 Y, via Tier-2 devices B and C and then Tier-1 devices 1, 2, 3, and 4 896 respectively. 898 Tier-1 899 +-----+ 900 | DEV | 901 +->| 1 |--+ 902 | +-----+ | 903 Tier-2 | | Tier-2 904 +-----+ | +-----+ | +-----+ 905 +------------>| DEV |--+->| DEV |--+--| |-------------+ 906 | +-----| B |--+ | 2 | +--| |-----+ | 907 | | +-----+ +-----+ +-----+ | | 908 | | | | 909 | | +-----+ +-----+ +-----+ | | 910 | +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ | 911 | | | +---| C |--+->| 3 |--+--| |---+ | | | 912 | | | | +-----+ | +-----+ | +-----+ | | | | 913 | | | | | | | | | | 914 +-----+ +-----+ | +-----+ | +-----+ +-----+ 915 | DEV | | | Tier-3 +->| DEV |--+ Tier-3 | | | | 916 | A | | | | 4 | | | | | 917 +-----+ +-----+ +-----+ +-----+ +-----+ 918 | | | | | | | | 919 O O O O <- Servers -> X Y O O 921 Figure 5: ECMP fan-out tree from A to X and Y 923 The ECMP requirement implies that the BGP implementation must support 924 multipath fan-out for up to the maximum number of devices directly 925 attached at any point in the topology in the upstream or downstream 926 direction. Normally, this number does not exceed half of the ports 927 found on a device in the topology. For example, an ECMP fan-out of 928 32 would be required when building a Clos network using 64-port 929 devices. The Border Routers may need to have wider fan-out to be 930 able to connect to a multitude of Tier-1 devices if route 931 summarization at Border Router level is implemented as described in 932 Section 5.2.5. If a device's hardware does not support wider ECMP, 933 logical link-grouping (link-aggregation at layer 2) could be used to 934 provide "hierarchical" ECMP (Layer 3 ECMP coupled with Layer 2 ECMP) 935 to compensate for fan-out limitations. However, this approach 936 increases the risk of flow polarization, as less entropy will be 937 available at the second stage of ECMP. 939 Most BGP implementations declare paths to be equal from an ECMP 940 perspective if they match up to and including step (e) in 941 Section 9.1.2.2 of [RFC4271]. In the proposed network design there 942 is no underlying IGP, so all IGP costs are assumed to be zero or 943 otherwise the same value across all paths and policies may be applied 944 as necessary to equalize BGP attributes that vary in vendor defaults, 945 such as MED and origin code. For historical reasons it is also 946 useful to not use 0 as the equalized MED value; this and some other 947 useful BGP information is available in [RFC4277] . Routing loops are 948 unlikely due to the BGP best-path selection process which prefers 949 shorter AS_PATH length, and longer paths through the Tier-1 devices 950 which don't allow their own ASN in the path and have the same ASN are 951 also not possible. 953 6.2. BGP ECMP over Multiple ASNs 955 For application load balancing purposes it is desirable to have the 956 same prefix advertised from multiple Tier-3 devices. From the 957 perspective of other devices, such a prefix would have BGP paths with 958 different AS_PATH attribute values, while having the same AS_PATH 959 attribute lengths. Therefore, BGP implementations must support load 960 sharing over the above-mentioned paths. This feature is sometimes 961 known as "multipath relax" or "multipath multiple-as" and effectively 962 allows for ECMP to be done across different neighboring ASNs if all 963 other attributes are equal as already described in the previous 964 section. 966 6.3. Weighted ECMP 968 It may be desirable for the network devices to implement "weighted" 969 ECMP, to be able to send more traffic over some paths in ECMP fan- 970 out. This could be helpful to compensate for failures in the network 971 and send more traffic over paths that have more capacity. The 972 prefixes that require weighted ECMP would have to be injected using 973 remote BGP speaker (central agent) over a multihop session as 974 described further in Section 8.1. If support in implementations is 975 available, weight-distribution for multiple BGP paths could be 976 signaled using the technique described in 977 [I-D.ietf-idr-link-bandwidth]. 979 6.4. Consistent Hashing 981 It is often desirable to have the hashing function used for ECMP to 982 be consistent (see [CONS-HASH]), to minimize the impact on flow to 983 next-hop affinity changes when a next-hop is added or removed to an 984 ECMP group. This could be used if the network device is used as a 985 load balancer, mapping flows toward multiple destinations - in this 986 case, losing or adding a destination will not have a detrimental 987 effect on currently established flows. One particular recommendation 988 on implementing consistent hashing is provided in [RFC2992], though 989 other implementations are possible. This functionality could be 990 naturally combined with weighted ECMP, with the impact of the next- 991 hop changes being proportional to the weight of the given next-hop. 992 The downside of consistent hashing is increased load on hardware 993 resource utilization, as typically more resources (e.g., TCAM space) 994 are required to implement a consistent-hashing function. 996 7. Routing Convergence Properties 998 This section reviews routing convergence properties in the proposed 999 design. A case is made that sub-second convergence is achievable if 1000 the implementation supports fast EBGP peering session deactivation 1001 and timely RIB and FIB update upon failure of the associated link. 1003 7.1. Fault Detection Timing 1005 BGP typically relies on an IGP to route around link/node failures 1006 inside an AS, and implements either a polling based or an event- 1007 driven mechanism to obtain updates on IGP state changes. The 1008 proposed routing design does not use an IGP, so the remaining 1009 mechanisms that could be used for fault detection are BGP keep-alive 1010 time-out (or any other type of keep-alive mechanism) and link-failure 1011 triggers. 1013 Relying solely on BGP keep-alive packets may result in high 1014 convergence delays, on the order of multiple seconds (on many BGP 1015 implementations the minimum configurable BGP hold timer value is 1016 three seconds). However, many BGP implementations can shut down 1017 local EBGP peering sessions in response to the "link down" event for 1018 the outgoing interface used for BGP peering. This feature is 1019 sometimes called "fast fallover". Since links in modern data centers 1020 are predominantly point-to-point fiber connections, a physical 1021 interface failure is often detected in milliseconds and subsequently 1022 triggers a BGP re-convergence. 1024 Ethernet links may support failure signaling or detection standards 1025 such as Connectivity Fault Management (CFM) as described in 1026 [IEEE8021Q], which may make failure detection more robust. 1027 Alternatively, some platforms may support Bidirectional Forwarding 1028 Detection (BFD) [RFC5880] to allow for sub-second failure detection 1029 and fault signaling to the BGP process. However, the use of either 1030 of these presents additional requirements to vendor software and 1031 possibly hardware, and may contradict REQ1. Until recently with 1032 [RFC7130], BFD also did not allow detection of a single member link 1033 failure on a LAG, which would have limited its usefulness in some 1034 designs. 1036 7.2. Event Propagation Timing 1038 In the proposed design the impact of the BGP Minimum Route 1039 Advertisement Interval (MRAI) timer (See section 9.2.1.1 of 1040 [RFC4271]) should be considered. Per the standard it is required for 1041 BGP implementations to space out consecutive BGP UPDATE messages by 1042 at least MRAI seconds, which is often a configurable value. The 1043 initial BGP UPDATE messages after an event carrying withdrawn routes 1044 are commonly not affected by this timer. The MRAI timer may present 1045 significant convergence delays when a BGP speaker "waits" for the new 1046 path to be learned from its peers and has no local backup path 1047 information. 1049 In a Clos topology each EBGP speaker typically has either one path 1050 (Tier-2 devices don't accept paths from other Tier-2 in the same 1051 cluster due to same ASN) or N paths for the same prefix, where N is a 1052 significantly large number, e.g., N=32 (the ECMP fan-out to the next 1053 Tier). Therefore, if a link fails to another device from which a 1054 path is received there is either no backup path at all (e.g., from 1055 perspective of a Tier-2 switch losing the link to a Tier-3 device), 1056 or the backup is readily available in BGP Loc-RIB (e.g., from the 1057 perspective of a Tier-2 device losing the link to a Tier-1 switch). 1058 In the former case, the BGP withdrawal announcement will propagate 1059 without delay and trigger re-convergence on affected devices. In the 1060 latter case, the best-path will be re-evaluated and the local ECMP 1061 group corresponding to the new next-hop set changed. If the BGP path 1062 was the best-path selected previously, an "implicit withdraw" will be 1063 sent via a BGP UPDATE message as described as Option b in Section 3.1 1064 of [RFC4271] due to the BGP AS_PATH attribute changing. 1066 7.3. Impact of Clos Topology Fan-outs 1068 Clos topology has large fan-outs, which may impact the "Up->Down" 1069 convergence in some cases, as described in this section. In a 1070 situation when a link between Tier-3 and Tier-2 device fails, the 1071 Tier-2 device will send BGP UPDATE messages to all upstream Tier-1 1072 devices, withdrawing the affected prefixes. The Tier-1 devices, in 1073 turn, will relay these messages to all downstream Tier-2 devices 1074 (except for the originator). Tier-2 devices other than the one 1075 originating the UPDATE should then wait for ALL upstream Tier-1 1076 devices to send an UPDATE message before removing the affected 1077 prefixes and sending corresponding UPDATE downstream to connected 1078 Tier-3 devices. If the original Tier-2 device or the relaying Tier-1 1079 devices introduce some delay into their UPDATE message announcements, 1080 the result could be UPDATE message "dispersion", that could be as 1081 long as multiple seconds. In order to avoid such a behavior, BGP 1082 implementations must support "update groups". The "update group" is 1083 defined as a collection of neighbors sharing the same outbound policy 1084 - the local speaker will send BGP updates to the members of the group 1085 synchronously. 1087 The impact of such "dispersion" grows with the size of topology fan- 1088 out and could also grow under network convergence churn. Some 1089 operators may be tempted to introduce "route flap dampening" type 1090 features that vendors include to reduce the control plane impact of 1091 rapidly flapping prefixes. However, due to issues described with 1092 false positives in these implementations especially under such 1093 "dispersion" events, it is not recommended to enable this feature in 1094 this design. More background and issues with "route flap dampening" 1095 and possible implementation changes that could affect this are well 1096 described in [RFC7196]. 1098 7.4. Failure Impact Scope 1100 A network is declared to converge in response to a failure once all 1101 devices within the failure impact scope are notified of the event and 1102 have re-calculated their RIBs and consequently updated their FIBs. 1103 Larger failure impact scope typically means slower convergence since 1104 more devices have to be notified, and results in a less stable 1105 network. In this section we describe BGP's advantages over link- 1106 state routing protocols in reducing failure impact scope for a Clos 1107 topology. 1109 BGP behaves like a distance-vector protocol in the sense that only 1110 the best path from the point of view of the local router is sent to 1111 neighbors. As such, some failures are masked if the local node can 1112 immediately find a backup path and does not have to send any updates 1113 further. Notice that in the worst case, all devices in a data center 1114 topology have to either withdraw a prefix completely or update the 1115 ECMP groups in their FIBs. However, many failures will not result in 1116 such a wide impact. There are two main failure types where impact 1117 scope is reduced: 1119 o Failure of a link between Tier-2 and Tier-1 devices: In this case, 1120 a Tier-2 device will update the affected ECMP groups, removing the 1121 failed link. There is no need to send new information to 1122 downstream Tier-3 devices, unless the path was selected as best by 1123 the BGP process, in which case only an "implicit withdraw" needs 1124 to be sent, which should not affect forwarding. The affected 1125 Tier-1 device will lose the only path available to reach a 1126 particular cluster and will have to withdraw the associated 1127 prefixes. Such prefix withdrawal process will only affect Tier-2 1128 devices directly connected to the affected Tier-1 device. The 1129 Tier-2 devices receiving the BGP UPDATE messages withdrawing 1130 prefixes will simply have to update their ECMP groups. The Tier-3 1131 devices are not involved in the re-convergence process. 1133 o Failure of a Tier-1 device: In this case, all Tier-2 devices 1134 directly attached to the failed node will have to update their 1135 ECMP groups for all IP prefixes from a non-local cluster. The 1136 Tier-3 devices are once again not involved in the re-convergence 1137 process, but may receive "implicit withdraws" as described above. 1139 Even in the case of such failures where multiple IP prefixes will 1140 have to be reprogrammed in the FIB, it is worth noting that all of 1141 these prefixes share a single ECMP group on Tier-2 device. 1142 Therefore, in the case of implementations with a hierarchical FIB, 1143 only a single change has to be made to the FIB. Hierarchical FIB 1144 here means FIB structure where the next-hop forwarding information is 1145 stored separately from the prefix lookup table, and the latter only 1146 stores pointers to the respective forwarding information. See 1147 [I-D.ietf-rtgwg-bgp-pic] for discussion of FIB hierarchies and fast 1148 convergence. 1150 Even though BGP offers reduced failure scope for some cases, further 1151 reduction of the fault domain using summarization is not always 1152 possible with the proposed design, since using this technique may 1153 create routing black-holes as mentioned previously. Therefore, the 1154 worst control plane failure impact scope is the network as a whole, 1155 for instance in the case of a link failure between Tier-2 and Tier-3 1156 devices. The amount of impacted prefixes in this case would be much 1157 less than in the case of a failure in the upper layers of a Clos 1158 network topology. The property of having such large failure scope is 1159 not a result of choosing EBGP in the design but rather a result of 1160 using the Clos topology. 1162 7.5. Routing Micro-Loops 1164 When a downstream device, e.g., Tier-2 device, loses all paths for a 1165 prefix, it normally has the default route pointing toward the 1166 upstream device, in this case the Tier-1 device. As a result, it is 1167 possible to get in the situation where a Tier-2 switch loses a 1168 prefix, but a Tier-1 switch still has the path pointing to the Tier-2 1169 device, which results in a transient micro-loop, since the Tier-1 1170 switch will keep passing packets to the affected prefix back to the 1171 Tier-2 device, and the Tier-2 will bounce them back again using the 1172 default route. This micro-loop will last for the duration of time it 1173 takes the upstream device to fully update its forwarding tables. 1175 To minimize impact of such micro-loops, Tier-2 and Tier-1 switches 1176 can be configured with static "discard" or "null" routes that will be 1177 more specific than the default route for prefixes missing during 1178 network convergence. For Tier-2 switches, the discard route should 1179 be a summary route, covering all server subnets of the underlying 1180 Tier-3 devices. For Tier-1 devices, the discard route should be a 1181 summary covering the server IP address subnets allocated for the 1182 whole data center. Those discard routes will only take precedence 1183 for the duration of network convergence, until the device learns a 1184 more specific prefix via a new path. 1186 8. Additional Options for Design 1188 8.1. Third-party Route Injection 1190 BGP allows for a "third-party", i.e., directly attached, BGP speaker 1191 to inject routes anywhere in the network topology, meeting REQ5. 1192 This can be achieved by peering via a multihop BGP session with some 1193 or even all devices in the topology. Furthermore, BGP diverse path 1194 distribution [RFC6774] could be used to inject multiple BGP next hops 1195 for the same prefix to facilitate load balancing, or using the BGP 1196 ADD-PATH capability [I-D.ietf-idr-add-paths] if supported by the 1197 implementation. Unfortunately, in many implementations ADD-PATH has 1198 been found to only support IBGP properly due to the use cases it was 1199 originally optimized for, which limits the "third-party" peering to 1200 IBGP only. 1202 To implement route injection in the proposed design, a third-party 1203 BGP speaker may peer with Tier-3 and Tier-1 switches, injecting the 1204 same prefix, but using a special set of BGP next-hops for Tier-1 1205 devices. Those next-hops are assumed to resolve recursively via BGP, 1206 and could be, for example, IP addresses on Tier-3 devices. The 1207 resulting forwarding table programming could provide desired traffic 1208 proportion distribution among different clusters. 1210 8.2. Route Summarization within Clos Topology 1212 As mentioned previously, route summarization is not possible within 1213 the proposed Clos topology since it makes the network susceptible to 1214 route black-holing under single link failures. The main problem is 1215 the limited number of redundant paths between network elements, e.g., 1216 there is only a single path between any pair of Tier-1 and Tier-3 1217 devices. However, some operators may find route aggregation 1218 desirable to improve control plane stability. 1220 If any technique to summarize within the topology is planned, 1221 modeling of the routing behavior and potential for black-holing 1222 should be done not only for single or multiple link failures, but 1223 also fiber pathway failures or optical domain failures when the 1224 topology extends beyond a physical location. Simple modeling can be 1225 done by checking the reachability on devices doing summarization 1226 under the condition of a link or pathway failure between a set of 1227 devices in every tier as well as to the WAN routers when external 1228 connectivity is present. 1230 Route summarization would be possible with a small modification to 1231 the network topology, though the trade-off would be reduction of the 1232 total size of the network as well as network congestion under 1233 specific failures. This approach is very similar to the technique 1234 described above, which allows Border Routers to summarize the entire 1235 data center address space. 1237 8.2.1. Collapsing Tier-1 Devices Layer 1239 In order to add more paths between Tier-1 and Tier-3 devices, group 1240 Tier-2 devices into pairs, and then connect the pairs to the same 1241 group of Tier-1 devices. This is logically equivalent to 1242 "collapsing" Tier-1 devices into a group of half the size, merging 1243 the links on the "collapsed" devices. The result is illustrated in 1244 Figure 6. For example, in this topology DEV C and DEV D connect to 1245 the same set of Tier-1 devices (DEV 1 and DEV 2), whereas before they 1246 were connecting to different groups of Tier-1 devices. 1248 Tier-2 Tier-1 Tier-2 1249 +-----+ +-----+ +-----+ 1250 +-------------| DEV |------| DEV |------| |-------------+ 1251 | +-----| C |--++--| 1 |--++--| |-----+ | 1252 | | +-----+ || +-----+ || +-----+ | | 1253 | | || || | | 1254 | | +-----+ || +-----+ || +-----+ | | 1255 | +-----+-----| DEV |--++--| DEV |--++--| |-----+-----+ | 1256 | | | +---| D |------| 2 |------| |---+ | | | 1257 | | | | +-----+ +-----+ +-----+ | | | | 1258 | | | | | | | | 1259 +-----+ +-----+ +-----+ +-----+ 1260 | DEV | | DEV | | | | | 1261 | A | | B | Tier-3 Tier-3 | | | | 1262 +-----+ +-----+ +-----+ +-----+ 1263 | | | | | | | | 1264 O O O O <- Servers -> O O O O 1266 Figure 6: 5-Stage Clos topology 1268 Having this design in place, Tier-2 devices may be configured to 1269 advertise only a default route down to Tier-3 devices. If a link 1270 between Tier-2 and Tier-3 fails, the traffic will be re-routed via 1271 the second available path known to a Tier-2 switch. It is still not 1272 possible to advertise a summary route covering prefixes for a single 1273 cluster from Tier-2 devices since each of them has only a single path 1274 down to this prefix. It would require dual-homed servers to 1275 accomplish that. Also note that this design is only resilient to 1276 single link failures. It is possible for a double link failure to 1277 isolate a Tier-2 device from all paths toward a specific Tier-3 1278 device, thus causing a routing black-hole. 1280 A result of the proposed topology modification would be a reduction 1281 of Tier-1 devices port capacity. This limits the maximum number of 1282 attached Tier-2 devices and therefore will limit the maximum DC 1283 network size. A larger network would require different Tier-1 1284 devices that have higher port density to implement this change. 1286 Another problem is traffic re-balancing under link failures. Since 1287 there are two paths from Tier-1 to Tier-3, a failure of the link 1288 between Tier-1 and Tier-2 switch would result in all traffic that was 1289 taking the failed link to switch to the remaining path. This will 1290 result in doubling the link utilization on the remaining link. 1292 8.2.2. Simple Virtual Aggregation 1294 A completely different approach to route summarization is possible, 1295 provided that the main goal is to reduce the FIB size, while allowing 1296 the control plane to disseminate full routing information. Firstly, 1297 it could be easily noted that in many cases multiple prefixes, some 1298 of which are less specific, share the same set of the next-hops (same 1299 ECMP group). For example, looking from the perspective of a Tier-3 1300 devices, all routes learned from upstream Tier-2's, including the 1301 default route, will share the same set of BGP next-hops, provided 1302 that there are no failures in the network. This makes it possible to 1303 use the technique similar to described in [RFC6769] and only install 1304 the least specific route in the FIB, ignoring more specific routes if 1305 they share the same next-hop set. For example, under normal network 1306 conditions, only the default route needs to be programmed into the 1307 FIB. 1309 Furthermore, if the Tier-2 devices are configured with summary 1310 prefixes covering all of their attached Tier-3 device's prefixes, the 1311 same logic could be applied in Tier-1 devices as well, and, by 1312 induction to Tier-2/Tier-3 switches in different clusters. These 1313 summary routes should still allow for more specific prefixes to leak 1314 to Tier-1 devices, to enable detection of mismatches in the next-hop 1315 sets if a particular link fails, changing the next-hop set for a 1316 specific prefix. 1318 Re-stating once again, this technique does not reduce the amount of 1319 control plane state (i.e., BGP UPDATEs/BGP LocRIB size), but only 1320 allows for more efficient FIB utilization, by detecting more specific 1321 prefixes that share their next-hop set with a subsuming less specific 1322 prefix. 1324 8.3. ICMP Unreachable Message Masquerading 1326 This section discusses some operational aspects of not advertising 1327 point-to-point link subnets into BGP, as previously identified as an 1328 option in Section 5.2.3. The operational impact of this decision 1329 could be seen when using the well-known "traceroute" tool. 1330 Specifically, IP addresses displayed by the tool will be the link's 1331 point-to-point addresses, and hence will be unreachable for 1332 management connectivity. This makes some troubleshooting more 1333 complicated. 1335 One way to overcome this limitation is by using the DNS subsystem to 1336 create the "reverse" entries for these point-to-point IP addresses 1337 pointing to the same name as the loopback address. The connectivity 1338 then can be made by resolving this name to the "primary" IP address 1339 of the devices, e.g., its Loopback interface, which is always 1340 advertised into BGP. However, this creates a dependency on the DNS 1341 subsystem, which may be unavailable during an outage. 1343 Another option is to make the network device perform IP address 1344 masquerading, that is rewriting the source IP addresses of the 1345 appropriate ICMP messages sent by the device with the "primary" IP 1346 address of the device. Specifically, the ICMP Destination 1347 Unreachable Message (type 3) codes 3 (port unreachable) and ICMP Time 1348 Exceeded (type 11) code 0, which are required for correct operation 1349 of the "traceroute" tool. With this modification, the "traceroute" 1350 probes sent to the devices will always be sent back with the 1351 "primary" IP address as the source, allowing the operator to discover 1352 the "reachable" IP address of the box. This has the downside of 1353 hiding the address of the "entry point" into the device. If the 1354 devices support [RFC5837], this may allow the best of both worlds by 1355 providing the information about the incoming interface even if the 1356 return address is the "primary" IP address. 1358 9. Security Considerations 1360 The design does not introduce any additional security concerns. 1361 General BGP security considerations are discussed in [RFC4271] and 1362 [RFC4272]. Since a DC is a single operator domain, this document 1363 assumes that edge filtering is in place to prevent attacks against 1364 the BGP sessions themselves from outside the perimeter of the DC. 1365 This may be a more feasible option for most deployments than having 1366 to deal with key management for TCP-MD5 as described in [RFC2385] or 1367 dealing with the lack of implementations available at the time of 1368 this document of [RFC5925]. The Generalized TTL Security Mechanism 1369 [RFC5082] could also be used to further reduce the risk of BGP 1370 session spoofing. 1372 10. IANA Considerations 1374 This document includes no request to IANA. 1376 11. Acknowledgements 1378 This publication summarizes work of many people who participated in 1379 developing, testing and deploying the proposed network design, some 1380 of whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, 1381 Robert Toomey, and Lihua Yuan. Authors would also like to thank 1382 Linda Dunbar, Anoop Ghanwani, Susan Hares, Danny McPherson, Robert 1383 Raszuk and Russ White for reviewing this document and providing 1384 valuable feedback and Mary Mitchell for initial grammar and style 1385 suggestions. 1387 12. References 1389 12.1. Normative References 1391 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 1392 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 1393 DOI 10.17487/RFC4271, January 2006, 1394 . 1396 [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for 1397 Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 1398 2013, . 1400 12.2. Informative References 1402 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, 1403 DOI 10.17487/RFC2328, April 1998, 1404 . 1406 [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 1407 Signature Option", RFC 2385, DOI 10.17487/RFC2385, August 1408 1998, . 1410 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path 1411 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, 1412 . 1414 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", 1415 RFC 4272, DOI 10.17487/RFC4272, January 2006, 1416 . 1418 [RFC4277] McPherson, D. and K. Patel, "Experience with the BGP-4 1419 Protocol", RFC 4277, DOI 10.17487/RFC4277, January 2006, 1420 . 1422 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 1423 Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, 1424 December 2006, . 1426 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C. 1427 Pignataro, "The Generalized TTL Security Mechanism 1428 (GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007, 1429 . 1431 [RFC5837] Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed., Shen, 1432 N., and JR. Rivers, "Extending ICMP for Interface and 1433 Next-Hop Identification", RFC 5837, DOI 10.17487/RFC5837, 1434 April 2010, . 1436 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 1437 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 1438 . 1440 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1441 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1442 June 2010, . 1444 [RFC6325] Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and A. 1445 Ghanwani, "Routing Bridges (RBridges): Base Protocol 1446 Specification", RFC 6325, DOI 10.17487/RFC6325, July 2011, 1447 . 1449 [RFC6769] Raszuk, R., Heitz, J., Lo, A., Zhang, L., and X. Xu, 1450 "Simple Virtual Aggregation (S-VA)", RFC 6769, 1451 DOI 10.17487/RFC6769, October 2012, 1452 . 1454 [RFC6774] Raszuk, R., Ed., Fernando, R., Patel, K., McPherson, D., 1455 and K. Kumaki, "Distribution of Diverse BGP Paths", 1456 RFC 6774, DOI 10.17487/RFC6774, November 2012, 1457 . 1459 [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet 1460 Autonomous System (AS) Number Space", RFC 6793, 1461 DOI 10.17487/RFC6793, December 2012, 1462 . 1464 [RFC7067] Dunbar, L., Eastlake 3rd, D., Perlman, R., and I. 1465 Gashinsky, "Directory Assistance Problem and High-Level 1466 Design Proposal", RFC 7067, DOI 10.17487/RFC7067, November 1467 2013, . 1469 [RFC7130] Bhatia, M., Ed., Chen, M., Ed., Boutros, S., Ed., 1470 Binderberger, M., Ed., and J. Haas, Ed., "Bidirectional 1471 Forwarding Detection (BFD) on Link Aggregation Group (LAG) 1472 Interfaces", RFC 7130, DOI 10.17487/RFC7130, February 1473 2014, . 1475 [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O. 1476 Maennel, "Making Route Flap Damping Usable", RFC 7196, 1477 DOI 10.17487/RFC7196, May 2014, 1478 . 1480 [I-D.ietf-idr-add-paths] 1481 Walton, D., Retana, A., Chen, E., and J. Scudder, 1482 "Advertisement of Multiple Paths in BGP", draft-ietf-idr- 1483 add-paths-15 (work in progress), May 2016. 1485 [I-D.ietf-idr-link-bandwidth] 1486 Mohapatra, P. and R. Fernando, "BGP Link Bandwidth 1487 Extended Community", draft-ietf-idr-link-bandwidth-06 1488 (work in progress), January 2013. 1490 [I-D.ietf-rtgwg-bgp-pic] 1491 Bashandy, A., Filsfils, C., and P. Mohapatra, "Abstract", 1492 draft-ietf-rtgwg-bgp-pic-00 (work in progress), December 1493 2015. 1495 [I-D.mitchell-grow-remove-private-as] 1496 Mitchell, J., Rao, D., and R. Raszuk, "Private Autonomous 1497 System (AS) Removal Requirements", draft-mitchell-grow- 1498 remove-private-as-04 (work in progress), April 2015. 1500 [CLOS1953] 1501 Clos, C., "A Study of Non-Blocking Switching Networks: 1502 Bell System Technical Journal Vol. 32(2)", March 1953. 1504 [HADOOP] Apache, , "Apache HaDoop", April 2016, 1505 . 1507 [GREENBERG2009] 1508 Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a 1509 Cloud: Research Problems in Data Center Networks", January 1510 2009. 1512 [IEEE8021D-1990] 1513 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1514 Area Networks--Media access control (MAC) Bridges", May 1515 1990. 1517 [IEEE8021D-2004] 1518 IEEE 802.1D, , "IEEE Standard for Local and Metropolitan 1519 Area Networks--Media access control (MAC) Bridges", 1520 February 2004. 1522 [IEEE8021Q] 1523 IEEE 802.1Q, , "IEEE Standard for Local and metropolitan 1524 area networks--Bridges and Bridged Networks", December 1525 2014. 1527 [INTERCON] 1528 Dally, W. and B. Towles, "Principles and Practices of 1529 Interconnection Networks", ISBN 978-0122007514, January 1530 2004. 1532 [ALFARES2008] 1533 Al-Fares, M., Loukissas, A., and A. Vahdat, "A Scalable, 1534 Commodity Data Center Network Architecture", August 2008. 1536 [IANA.AS] IANA, , "Autonomous System (AS) Numbers", June 2016, 1537 . 1539 [IEEE8023AD] 1540 IEEE 802.3ad, , "IEEE Standard for Link aggregation for 1541 parallel links", October 2000. 1543 [ALLOWASIN] 1544 Cisco Systems, , "Allowas-in Feature in BGP Configuration 1545 Example", June 2016, 1546 . 1550 [VENDOR-REMOVE-PRIVATE-AS] 1551 Cisco Systems, , "Removing Private Autonomous System 1552 Numbers in BGP", August 2005, 1553 . 1556 [CONDITIONALROUTE] 1557 Cisco Systems, , "Configuring and Verifying the BGP 1558 Conditional Advertisement Feature", August 2005, 1559 . 1562 [FB4POST] Farrington, N. and A. Andreyev, "Facebook's Data Center 1563 Network Architecture", May 2013, 1564 . 1566 [JAKMA2008] 1567 Jakma, P., "BGP Path Hunting", 2008, 1568 . 1570 [CONS-HASH] 1571 Wikipedia, , "Consistent Hashing", 1572 . 1574 [L3DSR] Schaumann, J., "L3DSR - Overcoming Layer 2 Limitations of 1575 Direct Server Return Load Balancing", 2011, 1576 . 1579 Authors' Addresses 1581 Petr Lapukhov 1582 Facebook 1583 1 Hacker Way 1584 Menlo Park, CA 94025 1585 US 1587 Email: petr@fb.com 1589 Ariff Premji 1590 Arista Networks 1591 5453 Great America Parkway 1592 Santa Clara, CA 95054 1593 US 1595 Email: ariff@arista.com 1596 URI: http://arista.com/ 1598 Jon Mitchell (editor) 1600 Email: jrmitche@puck.nether.net