Networking Updates Roopa Prabhu Aug 14, 2020 Linux Kernel - - PowerPoint PPT Presentation

Roopa Prabhu

Aug 14, 2020

Networking Updates

2

Linux Kernel dataplane for an Open standards based multihoming protocol

3

Traditional Multihoming

switch1

switch2

Host1

Host2

peerlink

4

Open Multihoming solution with VxLAN Overlay

• E-VPN multihoming: BGP based E-VPN multihoming controlplane [1]

○ Connect your servers to a redundant pair of switches running Open BGP based multihoming protocol ○ Peer switches are connected over VxLan overlay (peer switches are vxlan tunnel endpoints or VTEPs)

switch1 switch2 host1 host2 switch3 host2 Vxlan

• verlay

Vxlan

• verlay

5

Linux Kernel Dataplane forwarding enhancements to support E-VPN-multihoming

• Vxlan FDB ECMP nexthop groups support [2]

○ Ability to ECMP to multiple evpn peered vteps

vxlan fdb entry: # bridge fdb show | grep vni1000 02:02:00:00:00:13 dev vni1000 nhid 102 self permanent nexthop group entry:

# ip nexthop ls id 12 via 172.16.1.2 scope link fdb id 13 via 172.16.1.3 scope link fdb id 102 group 12/13 fdb

6

Encoding local vs peer ownership in neigh entries

• Kernel FDB and neighbor database is central to a Multihoming protocol
• Keeping them in sync across multihoming peers for faster convergence is key
• Kernel API enhancements for accuracy and better convergence amidst mac

moves in these systems (With requests from FRR team):

• Bridge notify: To indicate a MAC has become active locally due to kernel

dataplane seeing a packet on a host port locally [3]

• Neighbor entry enhancements to indicate local reachability and

multihoming-peer reachability. new flag (pending upstream) Linux bridge FDB E-VPN control plane (FRR) neighbour table

1 2 1 2

7

Miscellaneous updates

8

Protodown and protodown reason

• protodown is a per netdevice flag today that enables control plane protocols to hold an interface carrier down
• Multiple users:

○ Multihoming protocols ○ VRRP ○ port security violation ○ flaky link, auto-detect and keep the link down

• New protodown-reason support upstream. (iproute2 changes pending)

$cat /etc/iproute2/protodown_reasons.d/r.conf 0 mlag 1 evpn 2 vrrp 3 psecurity $ip link set dev vxlan0 protodown on protodown_reason vrrp on $ip link set dev vxlan0 protodown_reason mlag on $ip link show 14: vxlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether f6:06:be:17:91:e7 brd ff:ff:ff:ff:ff:ff protodown on <mlag,vrrp>

9

Linux kernel

NAT offload to switch ASIC

• Move NAT function from host to the ASICs on the switch: NAT at

higher speeds and scale

• Linux kernel NAT offload to switch ASIC:

iptables/nftables/conntrack or TC conntrack Dynamic NAT offload: iptables dynamic NAT entry Trap first packet to CPU matching NAT rule On conntrack entry learn, ofload conntrack entry to HW (Offload via netlink or in-kernel offload API)

Switch ASIC conntrack 1 2 2 3 3 1 iptables iptables NAT

10

References

[1] E-VPN Multihoming: https://tools.ietf.org/html/rfc7432#section-8 [2] VxLAN FDB nexthop groups: https://patchwork.ozlabs.org/project/netdev/cover/1590125177-39176-1-git-send-email-roopa@cumulusnetworks.com/ [3] Bridge notify flag: https://patchwork.ozlabs.org/project/netdev/cover/20200623204718.1057508-1-nikolay@cumulusnetworks.com/ [4] Protodown reason: https://patchwork.ozlabs.org/project/netdev/patch/1596242041-14347-1-git-send-email-roopa@cumulusnetworks.com/ [5] NAT offload on Cumulus Linux: https://docs.cumulusnetworks.com/cumulus-linux-41/Layer-3/Network-Address-Translation-NAT/

10