{"id":1840,"date":"2023-10-06T13:00:19","date_gmt":"2023-10-06T13:00:19","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8934"},"modified":"2023-10-06T13:00:19","modified_gmt":"2023-10-06T13:00:19","slug":"ipv6-only-in-evpn-vxlan-fabrics","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/10\/06\/ipv6-only-in-evpn-vxlan-fabrics\/","title":{"rendered":"IPv6-only in EVPN-VXLAN Fabrics"},"content":{"rendered":"<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/ipv6-only-in-evpn-vxlan-fabrics.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p>Many organizations are migrating away from traditional three-tier, spanning-tree datacenter and campus LANs to the newer EVPN-VXLAN architecture. This architecture is very flexible and allows for numerous implementation design options; however, the most common deployment is a leaf-spine, or <strong><a href=\"https:\/\/howdoesinternetwork.com\/2019\/clos-topology\" target=\"_blank\" rel=\"noopener\">Clos<\/a><\/strong>, design \u2013 so much so that leaf-spine EVPN-VXLAN LANs are the new de facto standard for datacenter and campus LANs alike.<\/p>\n<p>There are many benefits to EVPN-VXLAN designs, including scalability, optimization for east-west traffic, virtual machine mobility, easier segmentation, simpler automation, all links are active, etc. (This article is not a tutorial on EVPN-VXLAN, but here is a link to a <strong><a href=\"https:\/\/archive.nanog.org\/sites\/default\/files\/1_Jain_VxLAN_BGP-EVPN.pdf\" target=\"_blank\" rel=\"noopener\">good overview<\/a><\/strong>.) Many of these benefits are related to the fact that EVPN-VXLAN is an overlay on top of a standard, generic, though typically Clos, Layer 3 underlay. 
Much like <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Multiprotocol_Label_Switching\" target=\"_blank\" rel=\"noopener\">MPLS<\/a><\/strong>, the underlay and overlay networks are completely logically separate: What is under the hood, so to speak, is independent from the production traffic flowing over the top.<\/p>\n<p>Therefore, since the overlay and underlay are separate, the network architect has many options on how to design and deploy the underlying fabric. With this being the case, why not use an IPv6-only \u201cunderlay\u201d to carry your production traffic in the overlay, whether IPv6, IPv4 or dual stack? When EVPN-VXLAN first came out, this may not have been an option. But today, most leading network vendors support (possibly with some limitations) IPv6-only underlay EVPN-VXLAN fabrics.<\/p>\n<h3>First, some terminology<\/h3>\n<p>When discussing EVPN-VXLAN, it is common to hear the terms \u201coverlay\u201d and \u201cunderlay\u201d tossed around. Before discussing the benefits of IPv6-only, first let\u2019s get on the same page with respect to general terminology and what constitutes IPv6-only. My preferred view breaks EVPN and VXLAN into multiple parts.<\/p>\n<p>The EVPN-VXLAN underlay is the underlying transport network. Underlay addressing is \u201cinfrastructure\u201d addressing and consists of all fabric switch loopbacks and point-to-point interfaces. A routing protocol is used in the underlay to facilitate the reachability required by overlay protocols. (There are multiple options and combinations for the underlay and overlay routing protocols, e.g., OSPF(v3), iBGP, eBGP, etc., but protocol selection is outside of the scope of this blog.) 
In summary, the underlay is a base Layer 3 infrastructure.<\/p>\n<p>The overlay can be split up into three distinct functional planes.<\/p>\n<ul class=\"ipv6-list\">\n<li>1) <strong><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7348\" target=\"_blank\" rel=\"noopener\">VXLAN<\/a><\/strong> \u2013 the overlay data plane<\/li>\n<li>2) <strong><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8365\" target=\"_blank\" rel=\"noopener\">EVPN<\/a><\/strong> \u2013 the overlay control plane<\/li>\n<li>3) Production Traffic \u2013 network applications for end-user\/business use such as VLANs, VRFs, and routing protocols to fabric-external devices (firewalls, WAN, Internet, etc.)<\/li>\n<\/ul>\n<p>When people say \u201cunderlay,\u201d in my experience, they typically mean the underlay, as defined above, as well as parts 1) and 2) of the overlay. And the general term \u201coverlay\u201d typically refers to 3) above \u2013 production traffic to support applications and the overall business. If that\u2019s still a bit confusing, perhaps another way to think of it is that the general term \u201coverlay\u201d is the production traffic and the EVPN-VXLAN \u201cfabric\u201d is everything else below. Got it?<\/p>\n<p>Now, back to running IPv6-only in an EVPN-VXLAN fabric. This means the underlay\/infrastructure is IPv6-only \u2013 with loopbacks, point-to-point links, and the routing protocol running for reachability. In addition, VXLAN, the overlay data plane, must be IPv6-only. This means VXLAN source-interfaces (typically loopbacks) on the VTEPs are configured IPv6-only, and VXLAN encapsulation is set to IPv6. Finally, EVPN, the overlay control plane, is IPv6-only with MP-BGP EVPN peering exclusively with IPv6 addresses.<\/p>\n<p>These three components of the fabric being IPv6-only would amount to an IPv6-only underlay \u2013 so to speak. 
Now, the production traffic tunneled on top of this can be IPv6-only, IPv4-only, or dual stack on a VLAN (VXLAN) by VLAN basis to support varying protocol requirements in your network.<\/p>\n<h3>Benefits of an IPv6-only underlay<\/h3>\n<p>Most organizations must still support a mix of production traffic \u2013 IPv6-only, IPv4-only, and dual stack. For example, some business-critical tools or applications may never support IPv6. Therefore, there may be separate segments, or even <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_routing_and_forwarding\" target=\"_blank\" rel=\"noopener\">VRFs<\/a><\/strong>, that are IPv4-only, while new networks may be deployed as IPv6-only, and networks in transition may be dual stacked for migrations. Luckily, the EVPN-VXLAN fabric can support these various options in the Production Traffic overlay.<\/p>\n<p>Since the overlay and underlay are independent, what drivers are there to implement an IPv6-only fabric? Below is a list I compiled. (Can you think of other drivers for your environment? I\u2019m interested in hearing them.)<\/p>\n<ul class=\"ipv6-list fabric-list\">\n<li>\u00a7 <strong>Scalability<\/strong>: IPv6 offers almost limitless address space to work with. Where IPv4 deployments commonly re-use addresses in various parts of the network, this can lead to unforeseen issues. It is not recommended to re-use addresses, and with IPv6 you don\u2019t need to. With IPv4, this practice has bitten many organizations time and time again.<\/li>\n<li>\u00a7 <strong>Futureproof<\/strong>: IPv6 is already the majority protocol in many parts of the Internet, and IPv4 will continue to languish. So why implement anything else? And don\u2019t make the mistake of saying, \u201cWe\u2019ll deploy IPv4 first and go back and migrate to IPv6 later.\u201d How often does the network team return after a deployment to update temporary network artifacts? 
IPv6 circumvents the creation of more technical debt.<\/li>\n<li>\u00a7 <strong>Simplicity<\/strong>: A single protocol IPv6 EVPN-VXLAN fabric \u2013 yet it can support various production workloads.<\/li>\n<li>\u00a7 <strong>Mandates<\/strong>: Your organization may have a mandate to be IPv6-only and eliminate all IPv4 from the network.<\/li>\n<li>\u00a7 <strong>A natural steppingstone<\/strong>: For those organizations that have limited experience with IPv6, they can start with their EVPN-VXLAN fabric. Then the overlay production traffic, possibly today being IPv4, can evolve over time to dual-stack and eventually IPv6-only.<\/li>\n<\/ul>\n<h3>Test functionality for Your Environment<\/h3>\n<p>Most leading network vendors support IPv6-only EVPN-VXLAN fabrics to one extent or another. But like any new network deployment, it is highly recommended to test and verify vendor claims of support. This can take place in a separate, physical network lab environment, or in a virtual environment such as <strong><a href=\"https:\/\/www.eve-ng.net\/\" target=\"_blank\" rel=\"noopener\">EVE-NG<\/a><\/strong>. Make sure to formulate a detailed test plan that includes test cases specific to your environment. And ensure border cases are tested as well. These are where some vendors may still have limitations. Does your network require multicast, for example? What about mLAG or IPv6-only administration? If your vendor\u2019s platform has any IPv6-only limitations, communicate and work with them so they understand your requirements. Find out where the feature you need sits on their roadmap. Or if not on their roadmap yet, work to get it in their feature enhancement queue. 
Communication and collaboration are key.<\/p>\n<h3>Conclusions<\/h3>\n<p>For those deploying EVPN-VXLAN networks in their campus and datacenters, the question should not be, \u201cWhy would I deploy an IPv6-only fabric?\u201d but rather \u201cWhy would I not deploy an IPv6-only fabric?\u201d What constitutes an IPv6-only fabric? Deploying IPv6-only for underlay infrastructure addressing of loopbacks and point-to-point links, as well as running VXLAN (overlay data plane) and EVPN (overlay control plane) as IPv6-only. Production traffic tunneled on top can still be IPv4, IPv6 or dual stack depending on business requirements and migration strategy. There are numerous drivers for this model, whether mandated by a higher authority, or making the IPv6-only choice as a stand-alone decision. Major network vendors support this architecture. However, since these deployments are relatively new, make sure to work with your suppliers on the proper design that fits your requirements. And don\u2019t forget to conduct the proper testing before rolling out in production. 
Finally, rest comfortable that you are deploying a network model (EVPN-VXLAN) and protocol (IPv6) with a solid foundation for the foreseeable future.<\/p>\n<style>\n.ipv6-list li {\nlist-style-type:none !important;\n}\n.fabric-list li {\nmargin-bottom:10px;\n}\n<\/style>\n<p> <a href=\"https:\/\/blogs.infoblox.com\/ipv6-coe\/ipv6-only-in-evpn-vxlan-fabrics\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many organizations are migrating away from traditional three-tier, spanning-tree datacenter<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1048,1045,1046,396,395,397,1047,1050,1049,1044],"tags":[1055,1052,1053,405,404,406,1054,1057,1056,1051],"class_list":["post-1840","post","type-post","status-publish","format-standard","hentry","category-clos","category-evpn","category-evpn-vxlan","category-ipv6","category-ipv6-coe","category-ipv6-only","category-leaf-spine","category-overlay","category-underlay","category-vxlan","tag-clos","tag-evpn","tag-evpn-vxlan","tag-ipv6","tag-ipv6-coe","tag-ipv6-only","tag-leaf-spine","tag-overlay","tag-underlay","tag-vxlan"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/clos\/\" rel=\"category tag\">Clos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/evpn\/\" rel=\"category tag\">EVPN<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/evpn-vxlan\/\" rel=\"category tag\">EVPN-VXLAN<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ipv6\/\" 
rel=\"category tag\">IPv6<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ipv6-coe\/\" rel=\"category tag\">IPv6 CoE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ipv6-only\/\" rel=\"category tag\">IPv6 only<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/leaf-spine\/\" rel=\"category tag\">leaf spine<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/overlay\/\" rel=\"category tag\">overlay<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/underlay\/\" rel=\"category tag\">underlay<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vxlan\/\" rel=\"category tag\">VXLAN<\/a>","tag_info":"VXLAN","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1840"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1840\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}