Page 1: Otv notes

OTV1

- OTV technology introduction
- OTV operations
- OTV configuration and verification (N7K)
- OTV unicast mode and its limitations
- FHRP localization and egress routing
- Guidelines and limitations for deployment

Overlay Transport Virtualization

Page 2: Otv notes


Overlay Transport Virtualization

OTV is a Layer 2 VPN technology. OTV extends a VLAN from one site to another, so the same IP address space can be used for the same VLAN at both sites. Some applications require the same VLAN and IP subnet to be present at more than two sites.

Connecting more than two sites is difficult to manage with existing technologies (e.g. VPLS) because of Spanning Tree restrictions.

OTV introduces the concept of "MAC routing": a control plane protocol is used to exchange MAC reachability information between the network devices that provide the LAN extension.

Page 3: Otv notes


Overlay Transport Virtualization

Data plane: the OTV edge device encapsulates the Layer 2 frame in an IP packet at the Layer 3 edge and uses multicast to route the encapsulated frames to the destination OTV edge devices.

Control plane: the OTV edge device uses a control multicast group to establish Level 1 IS-IS adjacencies, and uses IS-IS to advertise MAC addresses to the OTV devices at the other sites.

Depending on the upstream routing, the OTV edge device may or may not run a routing protocol, but running one on the edge device is not a requirement. The OTV edge device connects to the core as a host, not as a router. If a routing protocol is required, enable only stub routing (an OSPF stub area or EIGRP stub router).

The OTV edge device filters unknown unicast frames; in other words, it does not forward unknown unicast frames to other sites. The edge device also sets the DF bit in the outer IP header when it encapsulates a Layer 2 frame.

The OTV edge device has a modified MAC address table that shows which IP address to use to reach a remote MAC address at another site. This IP address is the join interface address of the remote site.

The OTV edge device also caches ARP resolutions for MAC addresses that are not local to the site and were learnt via the overlay, so that ARP and ND replies can be answered locally within the site.
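As an added illustration (not part of these notes), a small Python model of the edge device forwarding decisions just described: overlay MAC entries carry the remote join interface IP, unknown unicast is dropped rather than flooded across the overlay, broadcasts are sent only by the AED for the VLAN, and ARP for overlay-learnt MACs is answered from the local cache. Port names, MACs and IPs are constructed.

```python
# Added example, not from the original notes: a toy model of the OTV edge
# device forwarding behaviour. Port names, MACs and IPs are constructed.
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"

@dataclass
class OtvEdge:
    # VLANs for which this device was elected AED over the site VLAN
    aed_vlans: set
    # MAC table: (vlan, mac) -> ("local", port) or ("Overlay0", remote join IP),
    # like the "O ... Overlay0" row in show mac address-table
    mac_table: dict = field(default_factory=dict)
    # ARP/ND cache for MACs learnt via the overlay: ip -> mac
    arp_nd_cache: dict = field(default_factory=dict)

    def learn_local(self, vlan, mac, port):
        self.mac_table[(vlan, mac)] = ("local", port)

    def learn_overlay(self, vlan, mac, remote_join_ip):
        self.mac_table[(vlan, mac)] = ("Overlay0", remote_join_ip)

    def snoop_arp_reply(self, ip, mac):
        # replies arriving across the overlay populate the local ARP/ND cache
        self.arp_nd_cache[ip] = mac

    def forward(self, vlan, dst_mac):
        """Decide what to do with a frame arriving on an internal interface."""
        if dst_mac == BROADCAST:
            if vlan in self.aed_vlans:
                return ("encapsulate", "control group")  # only the AED sends it
            return ("drop", "not AED for vlan %d" % vlan)
        entry = self.mac_table.get((vlan, dst_mac))
        if entry is None:
            return ("drop", "unknown unicast")  # never flooded across the overlay
        kind, detail = entry
        if kind == "local":
            return ("switch", detail)           # stays inside the site
        return ("encapsulate", detail)          # unicast to the remote join IP

    def answer_arp(self, target_ip):
        """Return the MAC to reply with locally, or None to let the request go."""
        return self.arp_nd_cache.get(target_ip)
```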

The current implementation of the OTV shim header on the Nexus 7000 uses MPLS over GRE over IP encapsulation [2], whereas the draft RFC defines a UDP encapsulation method [3].
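An added example (not from the notes or from Cisco) that builds and parses an OTV-style encapsulation as the notes describe it: an outer IPv4 header with DF set, a GRE header carrying MPLS, an MPLS label, then the original frame. The label value, addresses and frame bytes are constructed; how the Nexus fills the label is not covered here, and the 42-byte figure is the outer Ethernet + IP + GRE + MPLS overhead the core must carry unfragmented because DF is set.

```python
# Added example, not from the original notes: OTV-style MPLS over GRE over IP
# encapsulation with the DF bit set. Addresses, label and frame are constructed.
import struct

IP_PROTO_GRE = 47
IP_FLAG_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment field
GRE_PROTO_MPLS = 0x8847      # GRE protocol type for MPLS unicast
IP_OVERHEAD = 20 + 4 + 4     # IPv4 + GRE + MPLS added on top of the inner frame
OVERHEAD = 14 + IP_OVERHEAD  # plus the outer Ethernet header: 42 bytes on the wire

def ipv4_header(src, dst, payload_len):
    """Minimal IPv4 header: DF set, protocol GRE, checksum computed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      IP_FLAG_DF, 64, IP_PROTO_GRE, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def otv_encapsulate(frame, src_join_ip, dst_join_ip, label):
    """Wrap a Layer 2 frame: IPv4(DF) / GRE / MPLS label (S=1, TTL 64) / frame."""
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)
    mpls = struct.pack("!I", (label << 12) | (1 << 8) | 64)
    payload = gre + mpls + frame
    return ipv4_header(src_join_ip, dst_join_ip, len(payload)) + payload

def otv_decapsulate(pkt):
    """Return (label, inner_frame); reject anything that is not DF/GRE/MPLS."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if not (flags_frag & IP_FLAG_DF) or pkt[9] != IP_PROTO_GRE:
        raise ValueError("not an OTV-style packet (DF clear or not GRE)")
    ihl = (pkt[0] & 0x0F) * 4
    if struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != GRE_PROTO_MPLS:
        raise ValueError("GRE payload is not MPLS")
    label = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0] >> 12
    return label, pkt[ihl + 8:]

def fits(frame_len, core_ip_mtu):
    """True if the encapsulated packet passes a core link without fragmentation."""
    return frame_len + IP_OVERHEAD <= core_ip_mtu
```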

Page 4: Otv notes


OTV Terminology

- Overlay interface: a logical tunnel interface that encapsulates the frame into an IP packet.
- Join interface: a Layer 3 routed port that sends IGMP version 3 join messages.
- Internal interface: Layer 2 trunk or access interfaces that run spanning tree.
- Site ID: a unique 24-bit value reserved for each site.
- Site VLAN: a VLAN reserved for electing the OTV authoritative edge device for that site.
- Control group: an ASM multicast address used to build the OTV neighbor adjacencies and to exchange MAC addresses with neighbors. Using the ASM group as the vehicle for the Hello messages allows the edge devices to discover each other as if they were deployed on a shared LAN segment; it emulates a shared medium to which all OTV edge devices are connected. [1]
- Data group: to carry Layer 2 multicast data traffic between sites, up to 8 ranges of IPv4 SSM multicast group prefixes can be used by each site. Each OTV edge device creates a mapping from Gs to Gd in its data group mapping table.

The MAC address table of an OTV edge device is slightly modified to allow the overlay interface as a destination:

Site1-OTV1# sh mac add add 0007.eb49.7600
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
O 101     0007.eb49.7600    dynamic   0          F      F    Overlay0

Page 5: Otv notes


OTV Neighbor Discovery

Step 1: Each OTV edge device sends an IGMP join for the ASM control group through its join interface. This triggers a PIM join and builds the multicast tree for the OTV control group.
Step 2: The OTV control protocol sends a Hello message carrying its identity.
Steps 3 and 4: The Hello messages are replicated to all OTV devices that have joined the control group.
Step 5: The receiving OTV edge devices decapsulate the packets.
Step 6: The Hellos are passed to the control protocol process, which eventually builds neighbor adjacencies over interface Overlay0. You can see them with show otv adjacency.

Page 6: Otv notes


OTV configuration example (Nexus 7000)

First OTV edge device (site identifier 0x5):

feature otv
otv site-vlan 5
otv site-identifier 0x5

interface Overlay0
  otv join-interface Ethernet2/1
  otv control-group 233.1.1.1
  otv data-group 232.5.6.0/28
  otv extend-vlan 100
  no shutdown

interface Ethernet2/1
  description Join interface
  ip address 150.1.5.5/24
  ip igmp version 3
  no shutdown

interface Ethernet2/3
  description Internal interface
  switchport
  switchport mode trunk
  no shutdown

Second OTV edge device (site identifier 0x6):

feature otv
otv site-vlan 6
otv site-identifier 0x6

interface Overlay0
  otv join-interface Ethernet2/1
  otv control-group 233.1.1.1
  otv data-group 232.5.6.0/28
  otv extend-vlan 100
  no shutdown

interface Ethernet2/1
  description Join interface
  ip address 150.1.6.6/24
  ip igmp version 3
  no shutdown

interface Ethernet2/3
  description Internal interface
  switchport
  switchport mode trunk
  no shutdown

Page 7: Otv notes


Verification

N7K-5# show otv
OTV Overlay Information
Site Identifier 0000.0000.0005

Overlay interface Overlay0
 VPN name            : Overlay0
 VPN state           : UP
 Extended vlans      : 100 (Total:1)
 Control group       : 233.1.1.1
 Data group range(s) : 232.5.6.0/24
 Join interface(s)   : Eth2/1 (150.1.5.5)
 Site VLAN           : 5 (up)
 AED-Capable         : No (No extended VLAN is operationally up)
 Capability          : Multicast-Reachable

N7K-5# sh otv adjacency
Overlay Adjacency database
Overlay-Interface Overlay0 :
Hostname    System-ID       Dest Addr   Up Time   State
N7K-6       0050.5689.1ff6  150.4.6.6   00:06:51  UP

Page 8: Otv notes


Overlay Transport Virtualization verification commands

N7K-5# sh int overlay 0
Overlay0 is up
  MTU 1400 bytes, BW 1000000 Kbit
  Encapsulation OTV
  Last link flapped 00:45:00
  Last clearing of "show interface" counters never
  Load-Interval is 5 minute (300 seconds)
  RX
    0 unicast packets  0 multicast packets
    0 bytes  0 bits/sec  0 packets/sec
  TX
    0 unicast packets  0 multicast packets
    0 bytes  0 bits/sec  0 packets/sec

N7K-5# sh otv arp-nd-cache
OTV ARP/ND L3->L2 Address Mapping Cache
Overlay Interface Overlay1
VLAN  MAC Address     Layer-3 Address  Age       Expires In
100   001a.a1ff.7d46  15.1.1.32        00:03:42  00:04:17

Page 9: Otv notes


OTV Authentication methods

There are three methods of authentication. All of them are key chain based.

1. Neighbor Authentication – for IS-IS neighbor authentication between two sites
2. Route Authentication – for route injection control
3. Neighbor Authentication – for neighbor authentication within a site when using multihoming

Authentication is useful when the multicast core is not under the same administrative control. This is very similar to FabricPath authentication and other IS-IS authentication methods.

The following example shows route authentication:

key chain OTV
  key 0
    key-string 7 070c22454b0d1a5546

otv-isis default
  vpn Overlay0
    otv isis authentication-type md5
    otv isis authentication key-chain OTV

Page 10: Otv notes


OTV Neighbor Authentication configuration example:

key chain OTV
  key 0
    key-string 7 070c22454b0d1a5546

interface Overlay1
  otv isis authentication-type md5
  otv isis authentication key-chain OTV

N7K-5# sh otv isis interface overlay 0
OTV-IS-IS process: default VPN: Overlay0
Overlay0, Interface status: protocol-up/link-up/admin-up
  IP address: none
  IPv6 address: none
  IPv6 link-local address: none
  Index: 0x0001, Local Circuit ID: 0x01, Circuit Type: L1
  Level1
    Adjacency server (local/remote) : disabled / none
    Adjacency server capability : multicast
  Authentication type is MD5
  Authentication keychain is OTV
  Authentication check specified
  LSP interval: 33 ms, MTU: 1400
  Level  Metric  CSNP  Next CSNP  Hello  Multi  Next IIH
  1      40      10    00:00:05   3      3      0.728284
  Level  Adjs  AdjsUp  Pri  Circuit ID   Since
  1      1     1       64   N7K-5.01 *   00:53:44

Page 11: Otv notes


OTV Unicast mode

Unicast OTV mode can be used in smaller deployments (2 or 3 sites) where the transport core has no multicast.

One site's OTV edge device is selected as the adjacency server; this is configured under the overlay interface.

The adjacency server maintains a list of all OTV edge devices that are part of the same overlay VPN.

Every OTV edge device that wants to join a specific OTV overlay VPN first needs to "register" with the adjacency server by sending OTV Hello messages to it. All other OTV neighbor addresses are discovered dynamically through the adjacency server.

When a MAC address table update happens at one site, it is unicast to every OTV edge device in the given overlay VPN (head-end replication). The destination IP address of each update packet is the join interface IP address of a site, as opposed to a single multicast address.

Page 12: Otv notes


OTV Unicast mode configuration example

interface Overlay0
  otv join-interface Ethernet2/1
  ! Instead of a control group and data group range, point at the adjacency servers.
  ! The unicast-only keyword is required; the adjacency server itself is configured
  ! with "otv adjacency-server unicast-only" under its overlay interface.
  otv use-adjacency-server 150.1.5.5 150.1.6.6 unicast-only
  otv extend-vlan 100-103
  no shutdown

Page 13: Otv notes


Authoritative Edge Device (AED)

Each OTV site can have up to 2 edge devices, for high availability, that can perform OTV encapsulation. Each device is elected as the Authoritative Edge Device (AED) for a given VLAN. This election happens over the site VLAN.

The AED is responsible for forwarding traffic to and from the overlay VPN for its VLANs. For example, if a host sends a broadcast, it reaches both OTV edge devices at the site, but only the AED forwards this broadcast to the overlay VPN. Similarly, if broadcast traffic is received on both OTV edge devices from the overlay, only the AED for that VLAN forwards it to the internal interface.

Page 14: Otv notes


FHRP Localization/Isolation

Each VLAN extended over OTV should have its gateway local to its site, i.e. FHRP protocols should be filtered over OTV. Otherwise suboptimal switching/routing will occur. This scenario is likely to come up in the exam.

In a good design, all FHRP Hellos and the MAC addresses of the local gateway should be filtered at the OTV edge devices.

Page 15: Otv notes


FHRP Localization/Isolation configuration

Step 1: Filtering HSRP hello messages

ip access-list HSRPv1-IP
  10 permit udp any 224.0.0.2/32 eq 1985
ip access-list ALL
  10 permit ip any any

! Both entries must belong to the same access map (the one applied by "vlan filter"),
! and the ACL names must match the definitions above.
vlan access-map FHRP-FILTER 10
  match ip address HSRPv1-IP
  action drop
vlan access-map FHRP-FILTER 50
  match ip address ALL
  action forward

vlan filter FHRP-FILTER vlan-list 100

Page 16: Otv notes


FHRP Localization/Isolation

FHRP localization/isolation configuration example for HSRP. Step 2: Filtering the gateway MAC address so it is not propagated to other sites.

! HSRPv1 virtual MACs are 0000.0c07.acXX; the mask ffff.ffff.ff00 matches the whole range.
! The trailing permit-all entry is needed because the route-map only advertises
! MACs that the mac-list permits; the mac-list name must match the route-map.
mac-list OTV-FHRP-MAC seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV-FHRP-MAC seq 20 permit 0000.0000.0000 0000.0000.0000

route-map OTV-FHRP-FILTER permit 10
  match mac-list OTV-FHRP-MAC

otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV-FHRP-FILTER
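As an added check (not the notes' own code), a small Python evaluator for the two FHRP isolation filters: the VACL from Step 1 (drop HSRPv1 hellos to 224.0.0.2 UDP 1985, forward everything else) and the mac-list mask match that the IS-IS redistribute filter in Step 2 relies on. The sample packets and MACs are constructed, and the mac-list is modelled with a trailing permit-all entry, since a route-map permit clause only advertises the MACs the mac-list permits.

```python
# Added example, not from the original notes: evaluate the FHRP isolation
# filters against constructed sample packets and MAC addresses.
from ipaddress import ip_address, ip_network

# VACL FHRP-FILTER: ordered (action, protocol, destination network, destination port)
HSRP_VACL = [
    ("drop", "udp", ip_network("224.0.0.2/32"), 1985),   # seq 10: match HSRPv1-IP
    ("forward", "ip", ip_network("0.0.0.0/0"), None),     # seq 50: match ALL
]

def vacl_action(packet, vacl=HSRP_VACL):
    """packet: dict with proto, dst, dport. First matching entry wins;
    traffic matching no entry is dropped by the VACL's implicit deny."""
    for action, proto, net, port in vacl:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if ip_address(packet["dst"]) not in net:
            continue
        if port is not None and packet.get("dport") != port:
            continue
        return action
    return "drop"

def mac_to_int(mac):
    return int(mac.replace(".", ""), 16)

def mac_list_permits(mac, entries):
    """Cisco mac-list semantics: a mask bit of 1 means that bit must match.
    entries: ordered (action, address, mask); no match means implicit deny."""
    for action, addr, mask in entries:
        if (mac_to_int(mac) ^ mac_to_int(addr)) & mac_to_int(mask) == 0:
            return action == "permit"
    return False

# mac-list OTV-FHRP-MAC: deny the HSRPv1 virtual MAC range, then permit the rest
OTV_FHRP_MAC = [
    ("deny", "0000.0c07.ac00", "ffff.ffff.ff00"),
    ("permit", "0000.0000.0000", "0000.0000.0000"),
]

def advertised_over_otv(mac):
    """True if route-map OTV-FHRP-FILTER (permit 10, match mac-list) lets
    OTV IS-IS advertise this MAC to the other sites."""
    return mac_list_permits(mac, OTV_FHRP_MAC)
```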

Page 17: Otv notes


Guidelines and considerations for deploying OTV

- Up to eight data-group ranges can be defined.
- The Layer 3 SVI (interface vlan) for VLANs that are extended over OTV cannot be in the same VDC.
- OTV is only supported on M-series cards as of today.
- IGMP version 3 must be enabled on the join interface when multicast mode is used.
- The site VLAN has to be up and operational even if there is only one OTV edge device at a given site.
- There is no need to configure PIM on the join interface, because the OTV edge device connects to the core as a host.
- The simplest design can use just one overlay interface; a more complex design can split VLANs between overlays for load balancing.
- In a given VDC, one overlay VPN can run in unicast mode and another overlay VPN can run in multicast mode.

Page 18: Otv notes


References

[1] Cisco, Overlay Transport Virtualization Technology Introduction and Deployment Considerations, http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro.html
[2] OTV Decoded – A Fancy GRE Tunnel, http://blog.ine.com/2012/08/17/otv-decoded-a-fancy-gre-tunnel/
[3] Overlay Transport Virtualization draft, http://tools.ietf.org/html/draft-hasmit-otv-04
[4] Cisco Nexus 7000 OTV configuration guide, http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/OTV/config_guide/b_Cisco_Nexus_7000_Series_NX-OS_OTV_Configuration_Guide.html

Page 19: Otv notes


Questions?