OTV

OTV vs Other DCIs

Many possible options for Layer 2 DCI
- Dark Fiber (CWDM/DWDM), L2TPv3, AToM, VPLS, Bridging over GRE, VXLAN
Considerations vs other technologies
- Transport Requirements
- Spanning-Tree
- Failure Event Propagation
- Multipath & Multipoint Tunneling
- BUM flooding

What is OTV

Overlay Transport Virtualization (OTV)
- Ethernet over IP tunnel: MAC in IP Routing
- Used to extend layer 2 domain across Data Center Interconnect (DCI): e.g span a VLAN between two DC sites
OTV is a site-to-site tunnel
- Inter-fabric tunnel as opposed to an intra-fabric tunnel like VXLAN
- Analogous to site-to-site IPSec VPN vs remote access VPN: e.g a router to router tunnel
Main OTV use case is Virtual Machine Workload Mobility: e.g VMWare VMotion
OTV is purpose built for DCI
- Transport agnostic: any ipv4 transport works
- Scaling enhancements: STP suppression, ARP suppression, Unknown flooding suppression
- Hardware Accelerated
  - Up to 100GE line rate
  - Like VXLAN, platform/linecard support is specific
    Nexus 7K M & F3 cards
    ASR 1K & CSR1000v (ASR1Kv)

How OTV works

OTV Edge Devices auto-discover each other by default: uses IS-IS over IPv4 Multicast
MAC addresses are advertised as IS-IS routes: different from FabricPath or ACI usage of IS-IS
Traffic between sites is unicast IP encapsulated
- Ethernet over MPLS over GRE over IP: original frame format (M1 card)
- Ethernet over UDP over IP: Newer frame format (ASK 1K or N7K F3 card) -> Need to match encapsulation between devices

OTV Terminology

OTV Edge Device: Edge routers running OTV
Authoritative Edge Device (AED)
- Active edge device for a particular VLAN
- Allows multiple redundant edge routers while preventing loops
Extend VLANs: VLAN being bridged over OTV
Site VLAN: internal VLAN used to elect AED
Site Identifier: Unique ID per DC site, shared between AEDs
Overlay Interface: the logical OTV tunnel interface
OTV Join Interface: The physical link or port-channel used to route upstream towards the DCI
OTV Control Group: Multicast address used to discover the remote sites in the control plane
OTV Data Group: used when you're tunneling multicast traffic over OTV in the data plane

OTV Control Plane

Uses IS-IS to advertise MAC addresses between AEDs
- Encapsulated as Control Group Multicast
- IS-IS over Ethernet over MPLS over GRE over IPv4 Multicast
- IS-IS over Ethernet over UDP over IPv4 Multicast
- Implies that DCI must support ASM Multicast
- Can be encapsulated as Unicast with OTV adjacency server

OTV Data Plane

Uses both Unicast and Multicast Transport
Multicast Control Group
- Multicast or Broadcast Control Plane Protocols
- e.g ARP, OSPF, EIGRP, etc
Unicast Data: normal unicast is encapsulated as Unicast between AEDs
Multicast Data Group:
- Multicast Data flows are encapsulated as SSM Multicast
- Implied AEDs use IGMPv3 for (S,G) Joins

Configuration

Multicast Transport

Enable feature
Create and specify site VLAN
Configure OTV site ID
Configure OTV tunnel
Specify join interface
Specify control group
Specify data group
Specify extend VLANs

#N7K1:
interface e1/5
  ip address 1.1.1.71/24
vlan 11, 111
!
feature otv
otv site-vlan 111
otv site-identifier 0x111
!
interface overlay1
  otv join-interface ethernet 1/5
  otv control-group 239.1.1.1 
  otv data-group 232.1.1.0/28
  otv extend-vlan 11
  no shut

#N7K2:
interface e1/5
  ip address 1.1.1.72/24
vlan 11, 222
!
feature otv
otv site-vlan 222
otv site-identifier 0x222
!
interface overlay1
  otv join-interface ethernet 1/5
  otv control-group 239.1.1.1 
  otv data-group 232.1.1.0/28
  otv extend-vlan 11
  no shut

Unicast Transport

Adjacency server

feature otv
otv site-identifier 0x1
otv site-vlan 1111
vlan 1111

interface overlay 1
  otv join-interface e1/5
  otv extend-vlan 11,22
  otv adjacency-server unicast-only 
  no shut

interface e1/5
  ip address 10.71.73.71/24

Adjacency client

feature otv
otv site-identifier 0x2
otv site-vlan 2222
vlan 2222
interface overlay 1
  otv join-interface e1/13
  otv extend-vlan 11, 22
  otv use-adjacency-server 10.71.73.71 unicast-only
  no shut

interface e1/13
  ip address 10.71.73.73/24

Verification

show otv
show otv site detail
show otv isis adjacency
show otv vlan
show otv route
show otv isis database detail
show mac address-table

Debugging OTV

debug otv isis iih
(config)# logging level otv 7

AED Node HA

Multiple AED are supported per-site per-tunnel: Adds both node level redundancy and load distribution
AEDs within the site communicate over the Site VLAN
- IS-IS adjacency formed over site VLAN
- Used to elect which AED forwards which VLANs: load split on even/odd VLAN numbers, not configurable in current version
AEDs within the site also communicate over layer 3
- IS-IS over multicast IPv4
- IS-IS over unicast IPv4 with adjacency server

Recovering from AED Node Failure

AEDs within the site track each other two ways
- Layer 2 IS-IS adjacency over Site VLAN
- Layer 3 IS-IS adjacency through overlay tunnel
- Called the "dual site ajacency"
Three possible AED failure cases
- AEDs lose layer 2 reachability but not layer 3 reachability
- AEDs lose layer 3 reachability but not layer 2 reachability
- AEDs lose both layer 2 reachability and layer 3 reachability
Verified with show otv site detail: Dual site adjacency must be "Full"

Tuning AED Node Failure Detection

AED failure detection has 2 components
- Layer 3 failure detection
- Layer 2 failure detection
Layer 3 failure detection
- IS-IS Timer inside the overlay tunnel
- Convergence is a function of underlay transport
- Tune the underlay transport for HA, and OTV transport is tuned for HA
Layer 2 failure detection
- IS-IS timer over the site VLAN
- AEDs may not be directly connected, result is long failure detection time
- Workaround is to run BFD over site VLAN

# AED1:
feature interface-vlan
feature bfd
interface vlan 1111
  ip address 192.11.11.71/24
otv site-vlan 1111
  otv isis bfd
otv-isis default
  track-adjacency-nexthop

# AED2:
feature interface-vlan
feature bfd
interface vlan 1111
  ip address 192.11.11.72/24
otv site-vlan 1111
  otv isis bfd
otv-isis default
  track-adjacency-nexthop

Verification

show bfd clients
show bfd neighbors [detail]

Layer 3 Multicast HA for AEDs

OTV AEDs rely on Multicast transport for
- IS-IS control plane exchange
- Link local multicast sent across the overlay
  - e.g IGMP report message from clients across the overlay
- Multicast in multicast transport
  - e.g IPTV layer 2 multicast across overlay tunnel
How can we achieve Multicast HA?
- Tune underlying unicast IGP/BGP routing
- Add Rendezvous point redundancy, e.g. Anycast RP

Adjacency Server HA

Without multicast, AEDs cannot find tunnel endpoints
- Adjacency server maintains mappings of extend VLANs to tunnel endpoint
- Analogous to a dynamic DNS server
If single adjacency server is down, tunnel endpoints cannot resolve -> lost control plane and data plane
Best practice is to use redundant Adjacency Server
- HA is now based on IGP/BGP unicast convergence to Adjacency Server IP

# Adjacency Server 1
interface overlay 1
  otv use-adjacency-server 10.71.73.71 10.71.73.73 unicast-only
  otv adjacency-server unicast-only

# Adjacency Server 2
interface overlay 1
  otv use-adjacency-server 10.71.73.71 10.71.73.73 unicast-only
  otv adjacency-server unicast-only

# Other AED
interface overlay 1
  otv use-adjacency-server 10.71.73.71 10.71.73.73 unicast-only

OTV and FHRP Localization

Apply filter on AEDs

! STOP FHRP Hellos Going across OTV Tunnel
ip access-list LOCAL_IP_CONTROL_PLANE
  permit ip any 224.0.0.0/24

ip access-list ANY_IP
  permit ip any any

vlan access-map DROP_LOCAL_CONTROL_PLANE 10
  match ip address LOCAL_IP_CONTROL_PLANE
    action drop
vlan access-map DROP_LOCAL_CONTROL_PLANE 20
  match ip address ANY_IP
    action forward

vlan filter DROP_LOCAL_CONTROL_PLANE vlan-list 11, 22 (VLAN 11, 22 is extend vlan across sites)

! Above vlan acl can be replaced with port acl as following
ip access-list DROP_CONTROL_PLANE
  10 deny ip any 224.0.0.0/24
  20 permit ip any any
interface Po20
  switchport
  ip port access-group DROP_CONTROL_PLANE in

! STOP OTV from advertising virtual mac addresses as OTV routes
mac-list DROP_HSRP_AND_VRRP seq 5 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list DROP_HSRP_AND_VRRP seq 10 deny 0000.5e00.0100 ffff.ffff.ff00
mac-list DROP_HSRP_AND_VRRP seq 15 permit 0.0.0 0.0.0
route-map DROP_HSRP_AND_VRRP permit 10
  match mac-list DROP_HSRP_AND_VRRP
otv-isis default
  vpn Overlay1
    redistribute filter route-map DROP_HSRP_AND_VRRP

! STOP ARP Responses for FHRP VMACs from going across OTV Tunnels
feature dhcp
arp access-list HSRP_VMAC_ARP
  10 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
  20 deny ip any mac 0000.5e00.0100 ffff.ffff.ff00
  30 permit ip any mac any
ip arp inspection filter HSRP_VMAC ARP vlan 11, 12

Reference

https://packetpushers.net/?s=otv

PreviousLISP NextVXLAN

Last updated 2 years ago