Otv notes

Cisco OTV for CCIE DC prep


Otv notes Presentation Transcript

  • 1. Overlay Transport Virtualization (OTV1)
    - OTV technology introduction
    - OTV operations
    - OTV configuration and verification (N7K)
    - OTV unicast mode and its limitation
    - FHRP localization and egress routing
    - Guidelines and limitations for deployment
  • 2. Overlay Transport Virtualization
    - OTV is a Layer 2 VPN technology. OTV extends a VLAN from one site to another, so the same IP address space can be used for the same VLAN at both sites. Some applications require the same VLAN and IP subnet to be present at more than two sites.
    - Connecting more than 2 sites is difficult to manage with existing technology (e.g. VPLS) because of Spanning Tree restrictions.
    - OTV introduces the concept of "MAC routing," which means a control plane protocol is used to exchange MAC reachability information between the network devices providing LAN extension functionality.
  • 3. Overlay Transport Virtualization
    - At the data plane, the OTV edge device encapsulates the L2 frame in an IP payload at the layer 3 edge and uses multicast to route the encapsulated frames to the destination OTV edge device.
    - At the control plane, the OTV edge device uses a control multicast group to establish Level 1 IS-IS adjacencies and uses IS-IS to advertise MAC addresses to the OTV devices at other sites.
    - Depending on the upstream routing, the OTV edge device may or may not run a routing protocol, but running one on the OTV edge device is not a requirement. The OTV edge device connects to the core as a host, not as a router. If a routing protocol is required, enable only stub routing (a stub area for OSPF or an EIGRP stub router).
    - The OTV edge device filters unknown unicast frames; in other words, it does not forward unknown unicast frames to other sites. The OTV edge device also sets the DF bit in the outer IP header when it encapsulates an L2 frame.
    - The OTV edge device has a modified MAC address table which shows what IP address to use to reach a remote MAC address at another site. This IP address is the IP address of the join interface at the remote site.
    - The OTV edge device also caches ARP resolutions for MAC addresses that are not local to the site and were learnt via the overlay, so that ARP and ND replies can be answered locally within the site.
    - The current implementation of the OTV shim header on the Nexus 7K uses MPLS over GRE over IP encapsulation [2], but the draft RFC defines a UDP encapsulation method [3].
  • 4. OTV Terminology
    - Overlay interface: a logical tunnel interface which encapsulates the frame into an IP packet.
    - Join interface: an L3 routed port which sends IGMP version 3 join messages.
    - Internal interface: L2 trunk or access interfaces which run spanning tree.
    - Site ID: a unique 24-bit value reserved for each site.
    - Site VLAN: a VLAN that is reserved for choosing the OTV authoritative edge device for that site.
    - Control group: an ASM multicast address used to build the OTV neighbor adjacency and to exchange MAC addresses with neighbors. The use of the ASM group as a vehicle to transport the Hello messages allows the edge devices to discover each other as if they were deployed on a shared LAN segment. This emulates a shared medium to which all OTV edge devices are connected. [1]
    - Data group: to handle L2 multicast data traffic between sites, up to 8 ranges of IPv4 SSM multicast group prefixes can be used by each site. Each OTV edge device creates a mapping from Gs to Gd in its data group mapping table.
    - The MAC address table of an OTV edge device is slightly modified to incorporate the overlay interface as a destination:

      Site1-OTV1# sh mac add add 0007.eb49.7600
      Legend:
              * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
              age - seconds since last seen,+ - primary entry using vPC Peer-Link
         VLAN     MAC Address      Type      age     Secure NTFY   Ports
      ---------+-----------------+--------+---------+------+----+------------------
      O  101     0007.eb49.7600   dynamic   0          F     F    Overlay0
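    As an added example that is not part of the slides, the following Python parses "show mac address-table" lines in the format shown above and applies the edge-device forwarding rules from slides 3 and 4 (remote MACs are reached through the overlay via the remote join-interface IP, unknown unicast is not sent over the overlay). The sample table lines, the local port Eth2/3 and the next-hop mapping are constructed.

```python
import re

# Legend from the slide: '*' is a primary (local) entry, 'O' an overlay MAC learnt
# via OTV IS-IS. Columns: flag, VLAN, MAC, type, age, secure, NTFY, port.
MAC_LINE = re.compile(
    r"^(?P<flag>[*OG])\s+(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+\S+\s+\S\s+\S\s+(?P<port>\S+)$"
)

# Constructed sample output: one local host and one MAC advertised by a remote site.
SHOW_MAC_OUTPUT = """\
   VLAN     MAC Address      Type      age     Secure NTFY   Ports
---------+-----------------+--------+---------+------+----+------------------
*  101     0007.eb49.7601   dynamic   0          F     F    Eth2/3
O  101     0007.eb49.7600   dynamic   0          F     F    Overlay0
"""

# Constructed mapping: overlay interface -> join-interface IP of the remote site.
NEXT_HOPS = {"Overlay0": "150.1.6.6"}


def parse_mac_table(text):
    """Return {(vlan, mac): port}; header and separator lines do not match the pattern."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line.strip())
        if m:
            table[(int(m["vlan"]), m["mac"])] = m["port"]
    return table


def forward(vlan, dst_mac, table, next_hops=NEXT_HOPS):
    """Edge-device decision for a unicast frame received on an internal interface.

    Returns (action, target): a remote MAC is encapsulated towards the join-interface
    IP of the site that advertised it; an unknown MAC is never flooded over the overlay.
    """
    port = table.get((vlan, dst_mac))
    if port is None:
        return ("flood-local-only", None)          # unknown unicast filtered at the edge
    if port.startswith("Overlay"):
        return ("encapsulate", next_hops[port])    # MAC routing: L2 frame in IP, DF set
    return ("switch-local", port)


if __name__ == "__main__":
    table = parse_mac_table(SHOW_MAC_OUTPUT)
    for mac in ("0007.eb49.7600", "0007.eb49.7601", "dead.beef.0001"):
        print(mac, forward(101, mac, table))
```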
  • 5. OTV Neighbor Discovery
    - Step 1: Each OTV device sends an IGMP join message through its join interface for the ASM control group. This triggers a PIM join and builds the multicast tree for the OTV control group.
    - Step 2: The OTV control protocol sends a Hello message carrying its identity.
    - Steps 3 and 4: These Hello messages are replicated to all OTV devices that have joined the control group.
    - Step 5: The receiving OTV edge devices decapsulate the packets.
    - Step 6: The Hellos are passed to the control protocol process. This eventually builds neighbor adjacencies over interface Overlay0. You can see them with "show otv adjacency".
  • 6. OTV configuration example (Nexus 7000)

    Site 1 (N7K-5):

      feature otv
      otv site-vlan 5
      otv site-identifier 0x5
      interface Overlay0
        otv join-interface Ethernet2/1
        otv control-group 233.1.1.1
        otv data-group 232.5.6.0/28
        otv extend-vlan 100
        no shutdown
      interface Ethernet2/1
        description Join interface
        ip address 150.1.5.5/24
        ip igmp version 3
        no shutdown
      interface Ethernet2/3
        description Internal interface
        switchport
        switchport mode trunk
        no shutdown

    Site 2 (N7K-6):

      feature otv
      otv site-vlan 6
      otv site-identifier 0x6
      interface Overlay0
        otv join-interface Ethernet2/1
        otv control-group 233.1.1.1
        otv data-group 232.5.6.0/28
        otv extend-vlan 100
        no shutdown
      interface Ethernet2/1
        description Join interface
        ip address 150.1.6.6/24
        ip igmp version 3
        no shutdown
      interface Ethernet2/3
        description Internal interface
        switchport
        switchport mode trunk
        no shutdown
  • 7. Verification

      N7K-5# show otv
      OTV Overlay Information
      Site Identifier 0000.0000.0005

      Overlay interface Overlay0
       VPN name            : Overlay0
       VPN state           : UP
       Extended vlans      : 100 (Total:1)
       Control group       : 233.1.1.1
       Data group range(s) : 232.5.6.0/24
       Join interface(s)   : Eth2/1 (150.1.5.5)
       Site VLAN           : 5 (up)
       AED-Capable         : No (No extended VLAN is operationally up)
       Capability          : Multicast-Reachable

      N7K-5# sh otv adjacency
      Overlay Adjacency database

      Overlay-Interface Overlay0 :
      Hostname    System-ID       Dest Addr   Up Time   State
      N7K-6       0050.5689.1ff6  150.4.6.6   00:06:51  UP
  • 8. Overlay Transport Virtualization
    - Verification commands:

      N7K-5# sh int overlay 0
      Overlay0 is up
        MTU 1400 bytes, BW 1000000 Kbit
        Encapsulation OTV
        Last link flapped 00:45:00
        Last clearing of "show interface" counters never
        Load-Interval is 5 minute (300 seconds)
        RX
          0 unicast packets  0 multicast packets
          0 bytes
          0 bits/sec  0 packets/sec
        TX
          0 unicast packets  0 multicast packets
          0 bytes
          0 bits/sec  0 packets/sec

      N7K-5# sh otv arp-nd-cache
      OTV ARP/ND L3->L2 Address Mapping Cache

      Overlay Interface Overlay1
      VLAN  MAC Address     Layer-3 Address  Age       Expires In
      100   001a.a1ff.7d46  15.1.1.32        00:03:42  00:04:17
  • 9. OTV Authentication methods
    - There are three methods of authentication. All of them are key-chain based:
      1. Neighbor Authentication – for IS-IS neighbor authentication between two sites
      2. Route Authentication – for route injection control
      3. Neighbor Authentication – for neighbor authentication within a site when using multihoming
    - Authentication is useful when the multicast core is not under the same administrative control. This is very similar to FabricPath authentication and other IS-IS authentication methods.
    - The following example shows route authentication:

      key chain OTV
        key 0
          key-string 7 070c22454b0d1a5546
      otv-isis default
        vpn Overlay0
          otv isis authentication-type md5
          otv isis authentication key-chain OTV
  • 10. OTV Authentication methods
    - OTV neighbor authentication configuration example:

      key chain OTV
        key 0
          key-string 7 070c22454b0d1a5546
      interface Overlay1
        otv isis authentication-type md5
        otv isis authentication key-chain OTV

      N7K-5# sh otv isis interface overlay 0
      OTV-IS-IS process: default VPN: Overlay0
      Overlay0, Interface status: protocol-up/link-up/admin-up
        IP address: none
        IPv6 address: none
        IPv6 link-local address: none
        Index: 0x0001, Local Circuit ID: 0x01, Circuit Type: L1
        Level1
          Adjacency server (local/remote) : disabled / none
          Adjacency server capability : multicast
        Authentication type is MD5
        Authentication keychain is OTV
        Authentication check specified
        LSP interval: 33 ms, MTU: 1400
        Level  Metric  CSNP  Next CSNP  Hello  Multi  Next IIH
        1      40      10    00:00:05   3      3      0.728284
        Level  Adjs  AdjsUp  Pri  Circuit ID  Since
        1      1     1       64   N7K-5.01    * 00:53:44
  • 11. OTV Unicast mode
    - Unicast OTV mode can be used in smaller deployments (2 or 3 sites) where there is no multicast transport core.
    - The OTV edge device at one site is selected as the adjacency server, and it is configured under the overlay interface.
    - The adjacency server maintains a list of all OTV edge devices that are part of the same overlay VPN.
    - Every OTV edge device willing to join a specific OTV logical overlay VPN first needs to "register" with the adjacency server by starting to send OTV Hello messages to it. All other OTV neighbor addresses are discovered dynamically through the adjacency server.
    - When there is a MAC address table update at one site, it is unicast to every OTV edge device in the given overlay VPN (head-end replication). The destination IP address of each update packet is the join interface IP address of a site, as opposed to a single multicast address.
  • 12. OTV Unicast mode configuration example
    - Unicast OTV mode configuration example:

      interface Overlay0
        otv join-interface Ethernet2/1
        ! Instead of control and data group ranges, use the IP addresses of the adjacency servers
        otv use-adjacency-server 150.1.5.5 150.1.6.6
        otv extend-vlan 100-103
        no shutdown
  • 13. Authoritative Edge Device (AED)
    - Each OTV site can have up to 2 edge devices for high availability, each of which can perform OTV encapsulation. One device is elected as the Authoritative Edge Device (AED) for a given VLAN. This election happens over the site VLAN.
    - The AED is responsible for forwarding traffic to and from the overlay VPN for its VLAN. E.g. if a host sends a broadcast, it reaches both OTV edge devices at the site, but only the AED forwards this broadcast to the overlay VPN. Similarly, if broadcast traffic is received on both OTV edge devices, only the AED for that VLAN forwards it to the internal interface.
  • 14. FHRP Localization/Isolation
    - Each VLAN connected via OTV should have its gateway local to its site, i.e. FHRP protocols should be filtered over OTV. Otherwise suboptimal switching/routing will occur. This scenario is likely to come up in the exam.
    - In a good design, all FHRP Hellos and the MAC addresses of the local gateway should be filtered at the OTV edge devices.
  • 15. FHRP Localization/Isolation configuration
    - Step 1: Filtering HSRP Hello messages (the ACL and access-map names must match across the entries; the original slide used them inconsistently):

      ip access-list HSRPv1-IP
        10 permit udp any 224.0.0.2/32 eq 1985
      ip access-list ALL-IPs
        10 permit ip any any
      vlan access-map FHRP-FILTER 10
        match ip address HSRPv1-IP
        action drop
      vlan access-map FHRP-FILTER 50
        match ip address ALL-IPs
        action forward
      vlan filter FHRP-FILTER vlan-list 100
  • 16. FHRP Localization/Isolation
    - FHRP localization/isolation configuration example for HSRP
    - Step 2: Filtering the gateway MAC address so it is not propagated to the other site (the mac-list ends with an explicit permit-any; without it the implicit deny would stop every MAC from being advertised):

      mac-list OTV-HSRP-MAC seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
      mac-list OTV-HSRP-MAC seq 20 permit 0000.0000.0000 0000.0000.0000
      route-map OTV-FHRP-FILTER permit 10
        match mac-list OTV-HSRP-MAC
      otv-isis default
        vpn Overlay0
          redistribute filter route-map OTV-FHRP-FILTER
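    As an added example that is not part of the slides, the following Python models the two filters of steps 1 and 2 (the VACL on the extended VLAN and the mac-list/route-map applied to OTV IS-IS redistribution) so the rules can be checked against sample traffic before they are deployed; the sample MAC table is constructed, and the HSRPv1 values (UDP, 224.0.0.2, port 1985, virtual MAC 0000.0c07.acXX) are the ones the configuration uses.

```python
from ipaddress import ip_address, ip_network


# Step 1 model: the VACL on VLAN 100. Sequence 10 drops HSRPv1 hellos
# (UDP to 224.0.0.2 port 1985); sequence 50 forwards all other IP traffic.
def vacl_action(proto, dst_ip, dst_port):
    """Return the VACL action ('drop' or 'forward') for a packet on the extended VLAN."""
    is_hsrp = (proto == "udp"
               and ip_address(dst_ip) in ip_network("224.0.0.2/32")
               and dst_port == 1985)
    return "drop" if is_hsrp else "forward"


# Step 2 model: a mac-list entry is (action, value, mask). A 1 bit in the mask means
# that bit of the MAC must equal the value, so ffff.ffff.ff00 compares the first
# 40 bits and matches every HSRPv1 virtual MAC 0000.0c07.acXX.
def _mac_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def mac_list_action(mac, entries):
    """First matching entry wins; an unmatched MAC falls through to the implicit deny."""
    m = _mac_int(mac)
    for action, value, mask in entries:
        mask_bits = _mac_int(mask)
        if (m & mask_bits) == (_mac_int(value) & mask_bits):
            return action
    return "deny"


# Entries of mac-list OTV-HSRP-MAC. The trailing permit-any is what lets ordinary
# host MACs through; without it the implicit deny filters every MAC.
OTV_HSRP_MAC = [
    ("deny", "0000.0c07.ac00", "ffff.ffff.ff00"),
    ("permit", "0000.0000.0000", "0000.0000.0000"),
]


def advertised_macs(mac_table, entries=OTV_HSRP_MAC):
    """MACs that route-map OTV-FHRP-FILTER lets OTV IS-IS redistribute to remote sites."""
    return [mac for mac in mac_table if mac_list_action(mac, entries) == "permit"]


if __name__ == "__main__":
    # Constructed sample: an HSRP virtual MAC (group 100) and two ordinary host MACs.
    sample = ["0000.0c07.ac64", "001a.a1ff.7d46", "0007.eb49.7600"]
    print(advertised_macs(sample))                      # HSRP vMAC stays local
    print(advertised_macs(sample, [OTV_HSRP_MAC[0]]))   # missing permit-any: nothing advertised
    print(vacl_action("udp", "224.0.0.2", 1985))        # drop
```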
  • 17. Guidelines and considerations for deployment of OTV
    - Up to eight data-group ranges can be defined.
    - The L3 SVI (interface vlan) for VLANs that are extended over OTV cannot be in the same VDC.
    - OTV is supported only on M-series cards as of today.
    - IGMP version 3 must be enabled on the join interface when multicast mode is used.
    - The site VLAN has to be up and operational even if there is only one OTV edge device at a given site.
    - There is no need to configure PIM on the join interface because the OTV edge device connects to the core as a host.
    - The simplest design can use just 1 overlay interface; a more complex design can split VLANs between overlays for load balancing.
    - In a given VDC, one overlay VPN can run in unicast mode and another overlay VPN can run in multicast mode.
  • 18. References
    - [1] Cisco Overlay Transport Virtualization Technology Introduction and Deployment Considerations, http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro.html
    - [2] OTV Decoded – A Fancy GRE Tunnel, http://blog.ine.com/2012/08/17/otv-decoded-a-fancy-gre-tunnel/
    - [3] Overlay Transport Virtualization draft, http://tools.ietf.org/html/draft-hasmit-otv-04
    - Cisco Nexus 7000 OTV configuration guide, http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/OTV/config_guide/b_Cisco_Nexus_7000_Series_NX-OS_OTV_Configuration_Guide.html
  • 19. Questions?