Private VLANs With VXLAN

I got this remark from a reader after he read the VXLAN and Q-in-Q blog post:

Another area with a feature gap with EVPN VXLAN is Private VLANs with VXLAN. They’re not supported on either Nexus or Juniper switches.

I have one word on using private VLANs in 2019: Don’t. They are messy and complicated to maintain (not to mention how exciting it gets to combine virtual and physical switches).

Having said that, as EVPN supports Route Distinguishers and Route Targets, it should be possible to implement a 2-VRF hub-and-spoke VPN topology (like the one we described in the original MPLS and VPN Architectures book) and even configure inter-VRF routing on the hub device assuming the hardware supports VXLAN-to-VXLAN routing.

Has anyone done that? I hope not. Is anything along these lines supported? I have no idea – if you know more, please write a comment.
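To make the route-target mechanics behind the 2-VRF hub-and-spoke idea concrete, here is an added example (not from the original post, and not any vendor's implementation) that models VRF import/export in plain Python. The RT values, prefixes and the single hub VRF that re-advertises everything it learns are constructed assumptions; a real design would split the hub into separate import and export VRFs and apply its filtering there.

```python
from dataclasses import dataclass, field

# Constructed example: private-VLAN-style isolation built only from
# route-target (RT) import/export. Spokes export RT_SPOKE and import only
# RT_HUB; the hub does the reverse and re-advertises what it learned, so a
# spoke never learns another spoke's route directly and every spoke-to-spoke
# path transits the hub (where ACLs or inter-VRF policy can be enforced).
RT_SPOKE = "65000:1"   # hypothetical RT values
RT_HUB = "65000:2"

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str        # VRF that advertised this copy of the route
    rts: frozenset

@dataclass
class Vrf:
    name: str
    export_rts: frozenset
    import_rts: frozenset
    local: list          # prefixes originated in this VRF
    table: dict = field(default_factory=dict)   # prefix -> Route

def exported_routes(vrf):
    """Everything a VRF advertises: local prefixes plus re-advertised imports."""
    prefixes = set(vrf.local) | set(vrf.table)
    return [Route(p, vrf.name, vrf.export_rts) for p in prefixes]

def run_bgp(vrfs, rounds=2):
    """Exchange routes; a VRF imports a route iff one of the route's RTs
    matches one of its import RTs. Two rounds: spoke->hub, then hub->spoke."""
    for _ in range(rounds):
        adverts = [r for v in vrfs for r in exported_routes(v)]
        for v in vrfs:
            for r in adverts:
                if r.next_hop == v.name or r.prefix in v.local:
                    continue
                if r.rts & v.import_rts:
                    v.table.setdefault(r.prefix, r)   # keep first copy learned
    return {v.name: {p: r.next_hop for p, r in v.table.items()} for v in vrfs}

def build_topology():
    def spoke(name, prefix):
        return Vrf(name, frozenset({RT_SPOKE}), frozenset({RT_HUB}), [prefix])
    hub = Vrf("hub", frozenset({RT_HUB}), frozenset({RT_SPOKE}), ["0.0.0.0/0"])
    return [hub, spoke("spoke1", "10.1.0.0/24"), spoke("spoke2", "10.2.0.0/24")]

if __name__ == "__main__":
    for vrf, table in run_bgp(build_topology()).items():
        print(vrf, table)
```

After two rounds each spoke knows the other spoke's prefix only with the hub as next hop, which is exactly the isolation property private VLANs provide at Layer 2.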

Nonetheless, I strongly recommend using microsegmentation (ACLs in front of servers or virtual machines) in data center environments instead of Private VLANs, especially if you’re running a virtualized environment.

Hub-and-spoke VPN topologies in service provider networks are a different beast; you can’t use microsegmentation there.

6 comments:

  1. Aldrin Isaac did a presentation at NXTWORK covering this use case.
  2. Aldrin Isaac also covered private VLAN emulation in his presentation at NANOG 75 (slides 43 and 44): https://pc.nanog.org/static/published/meetings/NANOG75/1903/20190219_Isaac_Building_Blocks_In_v1.pdf
  3. Just adding a small correction to the initial statement - Private VLAN is supported with VXLAN on Cisco Nexus:
    https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/vxlan/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_chapter_0111.html#d20872e11476a1635

    In addition, EVPN would be able to solve the use case with what is called E-TREE, aka RFC8317 (not a 1:1 match, but close), as it allows a Layer-2 isolation use case. The presentation by Aldrin is referring more to a hub-and-spoke model for IP as described in https://tools.ietf.org/html/draft-keyupate-evpn-virtual-hub. The port-filter detail is kind of interesting to solve the isolated-host use case - very creative :-)
  4. The best way to do PVLAN and that sort of group-based filtering will be group-based policy (GBP). However, the option header has not been finalized, so it will be some more time before we have an accepted industry standard for it. See https://tools.ietf.org/html/draft-lemon-vxlan-gpe-gbp-02. There is at least one proprietary implementation.
  5. And yet we have Cisco ACI running micro-segmentation using PVLAN through VMM integration... >.<
    Replies
    1. That's where you end up when you're trying to solve the problem in the wrong place, or if you insist on solving the problem even though the owner of the infrastructure where the problem should have been solved hates you. Nothing unusual in the IT world ;))