Q&A for TechWiseTV Workshop: Scaling Multi-Tenancy with VXLAN


Page 1: Q&A for TechWiseTV Workshop: Scaling Multi-Tenancy with VXLAN

Q&A

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 43

The Secrets to Scalable Multi-Tenancy

February 3, 2016

Q. Does ACI use VXLAN?

A. Cisco® Application Centric Infrastructure (ACI) uses VXLAN encapsulation as well for intrafabric delivery of Layer 2 and Layer 3 flows leaf-to-leaf. The control plane used in ACI is not Ethernet VPN (EVPN). Multiprotocol Border Gateway Protocol (MP-BGP) is used only to advertise external prefixes into the fabric. That said, the two technologies present lots of similarities from a functional point of view.

Q. Is there any benefit to running VXLAN with BGP EVPN in a homogeneous corporate environment, i.e. with no tenants, and no security or chargeback concerns among servers?

A. Yes, it allows you to provide Layer 2 communication between endpoints connected to VXLAN tunnel endpoints (VTEPs) that are part of a routed fabric. Routed fabrics are more resilient, more scalable, and converge faster than Layer 2 networks. Layer 2 adjacency and mobility are very common use cases for the deployment of overlay technologies.

Q. Any good Cisco design documents on how this would work with VMware NSX or with the Federation Enterprise Hybrid Cloud Design?

A. Not at this time, as NSX-v does not currently support integration with hardware VTEPs (with the exception of integration in flood and learn mode). This may change once NSX introduces support for hardware VTEPs.

Q. When you ARP cache, for how long does it stay?

A. For the default Address Resolution Protocol (ARP) timeout (unless tuned). However, when 75 percent of the timeout time is reached, the VTEP will ARP to refresh the entry for locally connected endpoints.

Q. In a multi-tenant EVPN environment, what is the recommended "shared-internet" architecture? Would this be in a default-vrf, or on its own, for example?

A. Access to a shared resource (such as the Internet) could be achieved by connecting the fabric to a common exit point (a firewall, for example) that routes tenant traffic to the shared resource while preventing intertenant communication.

Q. Do you know when HW VTEPs will be supported? Will Cisco support OVSDB?

A. The first question is for VMware. For the second, it is still TBD but can't happen before the first.


Q. What platforms support this?

A. If you refer to VXLAN EVPN, it is widely supported across Cisco Nexus® platforms (9000, 5600, and 7000 Series) and also on the Cisco ASR 9000 Series.

Q. Is there a performance penalty when introducing this overlay for east/west traffic flow versus bare switching (outside of the encapsulation overhead)? I'm interested in delays, specifically at scale in large data center pods.

A. Additional latency introduced is negligible. VXLAN bridging is line-rate across all the Cisco Nexus platforms. VXLAN routing is not on all the existing hardware, but it will be in the next generation of Cisco Nexus 9000 and 7000 Series hardware coming out soon (Q2CY16).

Q. Is EVPN with VXLAN on the ASR 1000?

A. As of today, EVPN with VXLAN is not on the ASR 1000 Series as far as I know. Only in flood and learn mode (no EVPN control plane support).

Q. So far the discussion is VXLAN within the same data center. What about using VXLAN to provide Data Center Interconnect (DCI) and enable moving workloads across the WAN to a remote data center?

A. Doing DCI with VXLAN can be done, but you need to take into consideration that a lot of the mechanisms we know from Overlay Transport Virtualization (OTV) are not there. As of today it's not the best solution to do DCI via IP-based networks.

Q. I know that when a host moves it adds a sequence number. Does that sequence number reset, and if not what is the max value, and is there a mechanism to make the fabric stable when there are MAC flaps (like dampening)?

A. There is a default of five moves in 180 seconds; if you cross that threshold, the MAC info gets frozen on a VTEP to avoid overloading the BGP control plane. I can't recall what the maximum value is for the sequence number, to be honest.
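The move-counting behaviour in the answer above (a default of five moves within 180 seconds, after which the MAC is frozen to protect the BGP control plane) can be replayed offline against a list of learn events. The following is an added example, not NX-OS code: it keeps a per-MAC mobility sequence number and a sliding window of move timestamps, and stops accepting updates for a MAC once the window fills. The event list is constructed sample data, and the choice to freeze on the move that reaches the limit (rather than the one after it) is an assumption, since the answer does not state the exact boundary.

```python
from collections import defaultdict, deque

# Defaults quoted in the answer above: five moves within 180 seconds.
DEFAULT_MOVE_LIMIT = 5
DEFAULT_WINDOW_S = 180

# Constructed sample learn events, as a VTEP might receive them from EVPN
# route type 2 advertisements: (seconds, MAC, advertising VTEP). Not real data.
SAMPLE_EVENTS = [
    (0,   "00:11:22:33:44:55", "10.0.0.1"),
    (10,  "00:11:22:33:44:55", "10.0.0.2"),
    (20,  "00:11:22:33:44:55", "10.0.0.1"),
    (30,  "00:11:22:33:44:55", "10.0.0.2"),
    (40,  "00:11:22:33:44:55", "10.0.0.1"),
    (50,  "00:11:22:33:44:55", "10.0.0.2"),  # fifth move inside 180 s: freeze
    (60,  "00:11:22:33:44:55", "10.0.0.1"),  # ignored while frozen
    (0,   "aa:bb:cc:dd:ee:ff", "10.0.0.1"),
    (500, "aa:bb:cc:dd:ee:ff", "10.0.0.3"),  # one legitimate VM move
]


class MacMobilityTracker:
    """Per-MAC location, mobility sequence number and sliding move window."""

    def __init__(self, move_limit=DEFAULT_MOVE_LIMIT, window_s=DEFAULT_WINDOW_S):
        self.move_limit = move_limit
        self.window_s = window_s
        self.location = {}                 # MAC -> VTEP currently hosting it
        self.sequence = defaultdict(int)   # MAC -> mobility sequence number
        self.moves = defaultdict(deque)    # MAC -> timestamps of recent moves
        self.frozen = set()                # MACs whose updates are no longer accepted

    def learn(self, ts, mac, vtep):
        """Apply one learn event; return 'new', 'same', 'moved' or 'frozen'."""
        if mac in self.frozen:
            return "frozen"
        previous = self.location.get(mac)
        if previous is None:
            self.location[mac] = vtep
            return "new"
        if previous == vtep:
            return "same"
        # The MAC moved: bump the sequence number (a real type 2 route carries it
        # in the MAC mobility extended community) and record the move in the window.
        self.sequence[mac] += 1
        self.location[mac] = vtep
        window = self.moves[mac]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.move_limit:
            # Assumption: freeze on the move that reaches the limit.
            self.frozen.add(mac)
            return "frozen"
        return "moved"


def replay(events, move_limit=DEFAULT_MOVE_LIMIT, window_s=DEFAULT_WINDOW_S):
    """Replay events in order; return per-MAC statuses, final sequence and frozen flag."""
    tracker = MacMobilityTracker(move_limit, window_s)
    statuses = defaultdict(list)
    for ts, mac, vtep in events:
        statuses[mac].append(tracker.learn(ts, mac, vtep))
    return {
        mac: {
            "statuses": statuses[mac],
            "sequence": tracker.sequence[mac],
            "frozen": mac in tracker.frozen,
        }
        for mac in statuses
    }


if __name__ == "__main__":
    for mac, info in replay(SAMPLE_EVENTS).items():
        print(mac, info)
```

Run against the sample, the flapping MAC is frozen on its fifth move with sequence number 5 and its later learn is ignored, while the MAC that moves once in 500 seconds is simply relocated. Feeding a switch's own MAC-move log through the same window is a quick way to see which MACs would trip the default before changing the threshold.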

Q. Are there any plans to introduce this type of technology into the Cisco Catalyst® line of switches/routers?

A. As of today, this is data center only.

Q. If my border leaves have an EIGRP adjacency with an external router, is it recommended that I “redistribute” the BGP and directly connected fabric routes out to the external router (the goal is to reach the host subnet in the fabric from an external network)?

A. Correct. You normally create a prefix list to avoid redistributing host routes out of the fabric and limit redistribution into Enhanced Interior Gateway Routing Protocol (EIGRP) only for internal IP subnets that must be accessed from the external world.
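The prefix-list filtering described in the answer above can be checked before it is applied: deny the /32 host routes the fabric learns via EVPN, then permit only the internal subnets that the outside must reach, with an implicit deny for everything else. The following is an added Python model of that evaluation, not an NX-OS configuration; the entries use the usual "permit/deny prefix [ge N] [le N]" matching semantics, and both the prefix-list entries and the route table are constructed.

```python
import ipaddress

# Constructed prefix list: (action, prefix, ge, le). A route matches an entry when it
# lies inside the entry's prefix and its mask length falls within [ge, le]; with
# neither bound the match is exact-length, and with only ge the upper bound is the
# address family's maximum. Entries are evaluated in order, first match wins, and an
# unmatched route is denied.
FABRIC_TO_EIGRP = [
    ("deny",   "0.0.0.0/0",    32, 32),   # every /32 host route learned via EVPN
    ("permit", "10.10.0.0/16", 24, 24),   # tenant A subnets reachable from outside
    ("permit", "10.20.0.0/16", 24, 26),   # tenant B subnets, /24 through /26
]

# Constructed border-leaf routes: host routes (from type 2) plus subnet routes.
FABRIC_ROUTES = [
    "10.10.1.0/24", "10.10.1.25/32", "10.10.2.0/24",
    "10.20.5.0/26", "10.20.5.64/26", "10.20.6.0/28",
    "10.30.1.0/24", "192.168.1.7/32",
]


def entry_matches(entry, route):
    """True when `route` falls inside the entry's prefix with an allowed mask length."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    candidate = ipaddress.ip_network(route)
    if candidate.version != net.version or not candidate.subnet_of(net):
        return False
    low = net.prefixlen if ge is None else ge
    if le is not None:
        high = le
    elif ge is not None:
        high = net.max_prefixlen
    else:
        high = net.prefixlen
    return low <= candidate.prefixlen <= high


def evaluate(prefix_list, route):
    """First matching entry decides; anything unmatched is denied."""
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"


def filter_for_redistribution(prefix_list, routes):
    """Return the routes that would be redistributed into EIGRP under `prefix_list`."""
    return [route for route in routes if evaluate(prefix_list, route) == "permit"]


if __name__ == "__main__":
    for route in FABRIC_ROUTES:
        print(f"{route:18} {evaluate(FABRIC_TO_EIGRP, route)}")
```

On the sample table only the four tenant subnets survive: the two /32 host routes hit the first deny, 10.20.6.0/28 is outside the /24 to /26 range, and 10.30.1.0/24 has no entry at all and falls to the implicit deny. Running a candidate list through this before committing it is a cheap way to confirm that no host route leaks and that nothing needed is silently dropped.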

Q. Can we have a different VLAN ID mapped to a VXLAN segment across multiple leaves? It will be the same subnet, though. Meaning, is the VLAN ID locally significant?

A. Correct. VLANs are not only switch significant, but also link significant. Just like ACI.


Q. When using VXLAN EVPN, is it possible to use vPC from a FEX B22HP to two separate 9300 leaf switches?

A. Virtual port channel (vPC) from a fabric extender (FEX) to Cisco Nexus 9300s is not currently supported. Check with your account manager to confirm if this is also the case for Cisco Nexus B22 Blade Fabric Extender for HP (B22HP).

Q. What is the minimum code version and hardware required in order to implement VXLAN overlay using BGP EVPN? (Interested in 9000 Series platforms only)

A. I would recommend the latest version on http://www.cisco.com/ - 7.0(3)I2(2a). But it should also be supported from 7.0(3)I2(1). Only flood and learn VXLAN is supported with 6.x.

Q. In a dual data center architecture, is it recommended to implement unique VXLAN deployments in each data center and utilize OTV for DCI?

A. This would be the best way to extend Layer 2 segments with a DCI technology.

Q. Considering the extremely short shelf life of Cisco data center technologies (FabricPath, vPC, OTV), why should we consider VXLAN any differently? Building data centers only to have their designs invalidated in two years leads to an awful ROI.

A. OTV, vPC, and FabricPath are still valid technologies and supported as we speak and in the future. EVPN is a standards-based approach for Layer 3 fabrics.

Q. Maybe I'm misunderstanding, but VXLAN is shaped to replace OTV, right? Layer 2 data centers built on vPC and FabricPath have been conveyed to our organization at a mini Cisco Live event as antiquated designs.

A. The main focus for EVPN is data center fabric.

Q. Can you configure all this through VTS?

A. Cisco Virtual Topology System (VTS) is able to configure the overlay part.

Q. VTS vs DCNM?

A. Cisco Prime™ Data Center Network Manager (DCNM) is mainly focusing on the underlay part, whereas VTS is focusing on the overlay part with integration into virtual machine managers (VMMs) (such as vCenter).

Q. Is there a plan to have one tool doing both underlay and overlay?

A. This is something Cisco is working on as we speak.


Q. What's the use case for having two different VLANs on the lswitch locally mapped to the same L2VNI?

A. You may have two different virtual environments (that you don't manage) that are using different VLAN IDs for the same network, for example.

Q. Any difference if I’m using Dark Fiber as the transport media? Dark Fiber would be my WAN or MAN media between data centers. Any issues with VXLAN-EVPN over Dark Fiber?

A. None that we know of. You will need IP connectivity.
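Two answers above make the same point from different angles: the VLAN ID is only significant on the leaf (and on the link), and two locally different VLANs can be mapped to one L2VNI because only the VNI travels in the VXLAN header. The following added Python model is not switch code; it keeps a per-port VLAN-to-VNI table on each leaf, encapsulates a frame by VNI at the ingress leaf, and lets the egress leaf pick whatever VLAN its own port uses for that VNI. Leaf names, port names, VLAN IDs and the VNI are constructed.

```python
class Leaf:
    """A leaf whose VLAN-to-VNI mapping is configured per port (link significant)."""

    def __init__(self, name):
        self.name = name
        self.mappings = {}   # (port, vlan) -> L2VNI

    def map_vlan(self, port, vlan, vni):
        self.mappings[(port, vlan)] = vni

    def ingress_vni(self, port, vlan):
        """VNI used to encapsulate a frame tagged `vlan` arriving on `port`, or None."""
        return self.mappings.get((port, vlan))

    def egress_vlan(self, port, vni):
        """VLAN tag to apply when delivering a frame carried in `vni` out of `port`, or None."""
        for (mapped_port, vlan), mapped_vni in self.mappings.items():
            if mapped_port == port and mapped_vni == vni:
                return vlan
        return None


def forward(ingress_leaf, in_port, in_vlan, egress_leaf, out_port):
    """Carry one frame leaf-to-leaf; only the VNI is present in the overlay header."""
    vni = ingress_leaf.ingress_vni(in_port, in_vlan)
    if vni is None:
        return ("dropped", "no VNI for VLAN %d on %s %s" % (in_vlan, ingress_leaf.name, in_port))
    out_vlan = egress_leaf.egress_vlan(out_port, vni)
    if out_vlan is None:
        return ("dropped", "VNI %d not mapped on %s %s" % (vni, egress_leaf.name, out_port))
    return ("delivered", vni, out_vlan)


def build_sample_fabric():
    """Constructed topology: one segment carried as L2VNI 30001, with a different VLAN ID per leaf and per port."""
    leaf1 = Leaf("leaf1")
    leaf1.map_vlan("Eth1/1", 100, 30001)   # hypervisor cluster A tags the network as VLAN 100
    leaf2 = Leaf("leaf2")
    leaf2.map_vlan("Eth1/5", 200, 30001)   # cluster B, same network, tags it as VLAN 200
    leaf2.map_vlan("Eth1/6", 300, 30001)   # a second environment on leaf2 uses VLAN 300 for the same L2VNI
    return leaf1, leaf2


if __name__ == "__main__":
    leaf1, leaf2 = build_sample_fabric()
    print(forward(leaf1, "Eth1/1", 100, leaf2, "Eth1/5"))
    print(forward(leaf1, "Eth1/1", 100, leaf2, "Eth1/6"))
    print(forward(leaf1, "Eth1/1", 999, leaf2, "Eth1/5"))
```

A frame entering leaf1 on VLAN 100 leaves leaf2 as VLAN 200 on one port and VLAN 300 on another, with the same VNI 30001 in between; a VLAN with no mapping at ingress, or a VNI with no mapping on the egress port, is dropped rather than guessed. When auditing a fabric, the VNI is therefore the identity to compare across leaves, not the VLAN number.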

Q. If you have multiple tenants and need to allow communication between them, how does one go about this? I know on NSX the Edge Firewall must be configured to allow this; how does EVPN handle this?

A. This you would solve with a service (for example, firewall) being connected to the fabric to allow intertenant communication.

Q. Can the ASAs be used in the scenario shown in the presentation?

A. Yes, a white paper will be posted on this topic soon on www.cisco.com.

Q. Are you talking about NFM, as we have that but it doesn’t support Cisco Nexus 7000 Series. Or is it something different? If yes, any time frame when it will be available?

A. Please reach out to your account team for this information.

Q. The 9300 and 9500 can convert to ACI mode, right?

A. Yes, the Cisco Nexus 9000 Series is the hardware for ACI.

Q. ACI has contracts, which does provide some level of security. How do you handle that in EVPN?

A. EVPN does not have a concept similar to contracts in ACI. That's one of the many value-adds of ACI.

Q. Where are the LiveLessons video instructions referenced in the presentation?

A. Visit http://www.ciscopress.com/store/cisco-programmable-fabric-using-vxlan-with-bgp-evpn-9780134272290.