Private VLANs with VXLAN

Got this remark from a reader after he read the VXLAN and Q-in-Q blog post:

Another area where there is a feature gap with EVPN VXLAN is Private VLANs with VXLAN. They’re not supported on either Nexus or Juniper switches.

I have one word on using private VLANs in 2019: Don’t. They are messy and hard to maintain (not to mention it gets really interesting when you’re combining virtual and physical switches).

Having said that, as EVPN supports Route Distinguishers and Route Targets it should be possible to implement a 2-VRF hub-and-spoke VPN topology (like the one we described in the original MPLS and VPN Architectures book) and even configure inter-VRF routing on the hub device assuming the hardware supports VXLAN-to-VXLAN routing.

Has anyone done that? I hope not. Is anything along these lines supported? I have no idea – if you know more please write a comment.

Nonetheless, as I said it is 2019 and I’d strongly recommend you use microsegmentation (ACLs in front of servers or virtual machines) in data center environments instead of Private VLANs, more so if you’re running a virtualized environment. Hub-and-spoke VPN topologies are obviously a totally different beast.


Want to know more about VXLAN and EVPN? Why don’t you:

All these webinars are part of Standard ipSpace.net subscription. Alternatively, buy the Expert ipSpace.net subscription and choose Building Next-Generation Data Centers as your online course.

6 comments:

  1. Aldrin Isaac did a presentation at NXTWORK covering this use case.
  2. Aldrin Isaac also covered private vlan emulation in his presentation at NANOG 75 (slide 43 and 44): https://pc.nanog.org/static/published/meetings/NANOG75/1903/20190219_Isaac_Building_Blocks_In_v1.pdf
  3. just adding a small correction to the initial statement - Private VLAN is supported with VXLAN on Cisco Nexus
    https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/vxlan/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_chapter_0111.html#d20872e11476a1635

    In addition, EVPN would be able to solve the use-case with what is called E-TREE aka RFC8317 (not a 1:1 match) but close as it allows a Layer-2 isolation use-case, The presentation by Aldrin is referring more to a hub-and-spoke model for IP as described in https://tools.ietf.org/html/draft-keyupate-evpn-virtual-hub. The port-filter detail is kind of interesting to solve the isolate host use-case - very creative :-)
  4. Best way to do PVLAN and that sort of group-based filtering will be group based policy (GBP). However the option header has not been finalized so it will be some more time before we have an accepted industry standard for it. See https://tools.ietf.org/html/draft-lemon-vxlan-gpe-gbp-02. There is at least one proprietary implementation.
  5. and yet we have Cisco ACI running micro-segmentation using PVLAN through VMM integration.. >.<
    Replies
    1. That's where you end when you're trying to solve the problem in the wrong place, or if you insist on solving the problem even though the owner of the infrastructure where the problem should have been solved hates you. Nothing unusual in IT world ;))
Add comment
Sidebar