This blog post dives into the complexities and distinct advantages of LISP and BGP EVPN within a Software-Defined Networking (SDN) campus network.
Lately, I've engaged in numerous discussions with my customers about whether they should implement Cisco SDA in their campus environments or construct the underlay independently, especially utilizing BGP EVPN automated with Ansible or through the NDFC (Nexus Dashboard Fabric Controller). The driver for these discussions often comes from the widespread adoption of BGP EVPN in data centers, where SDN has a longer history and more common application compared to campus networking.
A common misconception is that vendors like Cisco employ non-standard approaches to achieve vendor lock-in. Though this perspective isn't entirely unfounded, it's not the primary motive.
In my view, the two most crucial aspects here are mobility and interoperability with data center networks and across multiple vendors.
Mobility
The key driver for preferring LISP in campus networks over the familiar BGP EVPN in Datacenters is mobility. Nearly all my clients aim to transition to a Wi-Fi-only infrastructure in the office or, at the very least, adopt a Wi-Fi-first strategy. An often expressed need is to integrate the Wi-Fi infrastructure to streamline the planning and operation of networks and achieve end-to-end segmentation regardless of access method. Positioning a Wireless LAN Controller (WLC) centrally, forwarding all user traffic to the controller, and breaking out traffic there is increasingly challenging, especially with bandwidth requirements imposed by 802.11ax.
Let's examine our contenders concerning these topics:
BGP-EVPN
BGP, originally created for the internet, possesses powerful capabilities and manipulation possibilities and has therefore found its way into various technologies. However, as a routing protocol, it requires a converged network. By default, every VTEP must be aware of all endpoints, or at least those within the VRFs it manages.
When a new device connects, the VTEP advertises an update to the route reflectors, which then forward this information to all other VTEPs.
This process is manageable in mainly static environments like data centers but becomes challenging in campus environments with mobile devices.
As soon as a client moves to another VTEP, two messages are sent:
withdraw:
the source VTEP tells the rest of the network that the client is no longer reachable via it.
advertise:
the destination VTEP tells the rest of the network that a new device is reachable via itself.
This looks like this:
The control plane traffic flooding can significantly burden the network. For instance, imagine 10,000 vacuum robots roaming 20 times per minute on a campus. This equates to approximately 3,333 roams per second, a considerable load on the control plane.
Moreover, each VTEP must possess the same information. Therefore, the performance of the entire deployment can be constrained by a single switch with lower specifications. This presents a significant drawback when incorporating legacy equipment or low-tier devices.
Wi-Fi Integration Challenges
The integration of wireless networks presents its own set of challenges in the context of VXLAN deployments. Centralizing Wireless LAN Controllers (WLCs) to tunnel all traffic is increasingly viewed as outdated. While this approach facilitates micro-segmentation, it risks creating bottlenecks at the WLC, particularly with the high bandwidth demands of 802.11ax.
FlexConnect mode offers a potential solution by enabling local switching at access points, reducing the load on the central WLC. However, this setup can significantly increase control plane traffic, as described earlier, making it problematic in environments with high mobility. Moreover, achieving micro-segmentation within the wireless domain using FlexConnect can often be challenging, if not unfeasible.
The need for efficient wireless network integration underscores the importance of selecting a networking approach that accommodates the dynamic nature of wireless clients without overwhelming the network infrastructure.
LISP Pub/Sub
Designed in 2013 with mobility in mind, LISP (Locator/ID Separation Protocol) operates differently. When a new client connects, the edge node reports this to the Control Plane node, which then creates a table.
If a host wants to communicate with another host, the source Edge Node queries the Control Plane Node for the destination host's location (RLOC) and other details. This information is cached for future communications, facilitating the establishment of VXLAN tunnels. Only edge nodes with actively communicating endpoints maintain the essential information, significantly optimizing network performance.
With LISP, when your fridge moves, the source edge node deregisters the current entry, and the destination edge node registers the new client. This approach ensures the network is aware of the device's new location. Moreover, the capability to subscribe to an entry means that any change in location notifies all subscriber nodes, enhancing network responsiveness.
So you can see that LISP is the solution of choice if you have mobility requirements. That is the case for most of the campus environments out there.
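To make the control-plane difference concrete, here is a small model I added for this post (not vendor code or measured data): it counts the messages one roam generates under the BGP-EVPN behaviour described above (withdraw and advertise flooded to every VTEP via the route reflector) versus LISP Pub/Sub (deregister and register at the control plane node, with notifications only to edge nodes that subscribed to the endpoint). The VTEP count, endpoint and node names are constructed inputs; the message accounting is a simplification of the behaviour the text describes.

```python
# Constructed model: count control-plane messages per endpoint roam.
from dataclasses import dataclass, field


@dataclass
class EvpnFabric:
    """BGP EVPN: every VTEP learns every endpoint via the route reflector."""
    vtep_count: int
    location: dict = field(default_factory=dict)  # endpoint -> current VTEP

    def roam(self, endpoint: str, new_vtep: str) -> int:
        """Messages generated when `endpoint` attaches to `new_vtep`."""
        msgs = 0
        if endpoint in self.location:
            # withdraw: old VTEP -> RR, then RR -> every other VTEP
            msgs += 1 + (self.vtep_count - 1)
        # advertise: new VTEP -> RR, then RR -> every other VTEP
        msgs += 1 + (self.vtep_count - 1)
        self.location[endpoint] = new_vtep
        return msgs


@dataclass
class LispFabric:
    """LISP Pub/Sub: edges register with the control plane node; only
    edges that subscribed to an endpoint are notified when it moves."""
    location: dict = field(default_factory=dict)     # endpoint -> edge node
    subscribers: dict = field(default_factory=dict)  # endpoint -> {edge nodes}

    def subscribe(self, endpoint: str, edge: str) -> None:
        """An edge that resolved `endpoint` keeps its cached entry current."""
        self.subscribers.setdefault(endpoint, set()).add(edge)

    def roam(self, endpoint: str, new_edge: str) -> int:
        """Messages generated when `endpoint` attaches to `new_edge`."""
        msgs = 0
        if endpoint in self.location:
            msgs += 1  # deregister: old edge -> control plane node
        msgs += 1      # register: new edge -> control plane node
        # fan-out is limited to subscribers, not the whole fabric
        msgs += len(self.subscribers.get(endpoint, set()) - {new_edge})
        self.location[endpoint] = new_edge
        return msgs


def roams_per_second(devices: int, roams_per_minute: int) -> float:
    """The post's example: 10,000 robots roaming 20 times a minute."""
    return devices * roams_per_minute / 60
```

Multiply the per-roam count by roams_per_second(10000, 20) to see how the fabric-wide flood in the EVPN model scales with VTEP count while the LISP model scales only with the number of subscribers.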
A feature I'm really looking forward to seeing in the future is the extension of the LISP table to include SGT.
With this, you can utilize the enforcement point directly from the source Edge node.
If the enforcement topic is unfamiliar to you, please refer to my previous post for more details: https://krauss1990.wixsite.com/home/post/use-dna-center-policy-matrix-for-traffic-to-datacenter
Interoperability
BGP-EVPN excels in interoperability, offering multi-vendor support and seamless integration between data center and campus networks. Its standardization allows for neighbor relationships and VXLAN tunnels between Cisco and other vendors, further facilitated by developments like IOS-XE 17.11.1 supporting Group Tags across different vendors. If all vendors support this, even microsegmentation is possible.
Seamless Integration between Data Center and Campus
Another aspect garnering significant interest is the seamless integration between data center and campus networks. Utilizing VXLAN in the campus not only facilitates deployments across different vendors but also allows for direct VXLAN tunnels into the data center. This capability is crucial for organizations looking to maintain a unified network fabric across their entire IT infrastructure, enhancing operational efficiency and simplifying network management.
Expertise
The widespread availability of BGP expertise in the market, as opposed to LISP, suggests that operations teams may be more accustomed to and comfortable with implementing BGP. This familiarity could also make it easier to recruit and onboard skilled personnel for managing BGP-EVPN tasks, thereby reducing training overheads and accelerating deployment timelines.
Advanced Manipulation with BGP-EVPN
A crucial advantage of BGP-EVPN is its capacity for advanced manipulation and customization to meet specific network requirements. This flexibility allows network architects to design and implement complex and sophisticated configurations tailored to the unique demands of their networks. One of the standout features of BGP-EVPN is service insertion, which exemplifies this flexibility.
Through service insertion, network traffic can be intelligently directed through specified network services, such as firewalls or load balancers, before reaching its destination. This capability is essential for ensuring security, optimizing performance, and maintaining high availability across the network. It underscores BGP-EVPN's role in facilitating sophisticated network designs that can adapt to evolving business needs and technological advancements.
As of the time of writing, the Catalyst Center does not natively support an EVPN Fabric. However, one of the prominent tools for this purpose is the Nexus Dashboard Fabric Controller (NDFC). Additionally, a favored approach among network professionals is utilizing Cisco's Ansible Playbooks. These playbooks allow for the automated building of the fabric, offering a degree of customization and control that aligns with specific operational requirements. Integrating Cisco Ansible Playbooks with Catalyst Center can yield a powerful combination, where Catalyst Center enhances the management of Wi-Fi networks and other key features, while Ansible takes care of the underlying fabric automation. This synergy enables a holistic management solution that leverages the strengths of both platforms to deliver a more efficient, secure, and visible network environment.
Conclusion
In the realm of data center networking, the choice seems straightforward. The relatively static nature of device locations, combined with the unparalleled extensibility and flexibility offered by BGP-EVPN, positions it as the clear frontrunner. The dynamic nature of data centers rarely mimics the constant mobility and roaming found in campus environments, making the advanced capabilities of BGP-EVPN particularly suited to this context. Simply put, the case for employing LISP within a data center environment is hard to justify given the strengths of BGP-EVPN.
In contrast, the landscape of campus networking, with its focus on Wi-Fi connectivity and the need for dynamic micro-segmentation, clearly calls for the unique advantages of LISP Pub/Sub. The architecture of LISP, designed with mobility in mind, makes it superior for managing the fluid nature of campus network traffic. Furthermore, the integration with Catalyst Center not only simplifies network automation but also enhances visibility across the network, creating a seamless and efficient management experience.
However, the decision between LISP and BGP-EVPN is not always black and white. For organizations where the following needs are predominant, BGP-EVPN might be the architecture of choice:
Multivendor Support: Ensuring interoperability across different vendors' equipment is a critical requirement for many networks, making BGP-EVPN's standard-based approach highly attractive.
Common Fabric across Campus and Datacenter: For entities striving for a unified network fabric that spans both campus and data center environments, BGP-EVPN provides a cohesive and scalable solution.
Flexible Overlay Architecture: BGP-EVPN's versatility in configuring complex network scenarios—ranging from service insertion to sophisticated segmentation—makes it well-suited for addressing diverse and intricate network design requirements.
Ultimately, the selection between LISP and BGP-EVPN hinges on the specific needs and priorities of your network environment. Whether it's the mobility and dynamic segmentation capabilities critical to modern campus networks or the scalability and flexibility demands, aligning your network architecture with your operational objectives is key to fostering a robust, resilient, and efficient network infrastructure.