Private VLANs with VXLAN
Got this remark from a reader after he read the VXLAN and Q-in-Q blog post:
Another area where there is a feature gap with EVPN VXLAN is Private VLANs with VXLAN. They’re not supported on either Nexus or Juniper switches.
I have one word on using private VLANs in 2019: Don’t. They are messy and hard to maintain (not to mention it gets really interesting when you’re combining virtual and physical switches).
Having said that, as EVPN supports Route Distinguishers and Route Targets, it should be possible to implement a two-VRF hub-and-spoke VPN topology (like the one we described in the original MPLS and VPN Architectures book): spokes import only the hub's route target, so they reach each other only through the hub, which is roughly what isolated and promiscuous ports give you in a private VLAN. You could even configure inter-VRF routing on the hub device, assuming the hardware supports VXLAN-to-VXLAN routing.
Has anyone done that? I hope not. Is anything along these lines supported? I have no idea – if you know more please write a comment.
Nonetheless, as I said, it is 2019 and I’d strongly recommend you use microsegmentation (ACLs in front of servers or virtual machines) in data center environments instead of Private VLANs, more so if you’re running a virtualized environment. Hub-and-spoke VPN topologies are obviously a totally different beast.
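To make the two-VRF hub-and-spoke idea concrete, here is the classic route-target pattern in Cisco IOS MPLS/VPN syntax. This is an illustrative example added here, not configuration from the original post or from any vendor's VXLAN/EVPN documentation (whether a given VXLAN switch accepts the equivalent EVPN configuration is exactly the open question above); the VRF names, RD/RT values and the 192.0.2.1 next hop are assumed.

```cisco
! Illustrative two-VRF hub-and-spoke route-target pattern (Cisco IOS syntax).
! Added example, not from the original post; VRF names, RD/RT values and
! the 192.0.2.1 next hop are assumed.
!
! --- Spoke PE ---
! Every spoke VRF exports RT 65000:2 and imports only RT 65000:1, so a spoke
! never receives another spoke's routes directly.
vrf definition SPOKE
 rd 65000:30
 address-family ipv4
  route-target export 65000:2
  route-target import 65000:1
!
router bgp 65000
 address-family ipv4 vrf SPOKE
  redistribute connected
!
! --- Hub PE ---
! VRF 1: HUB-IN imports all spoke routes (RT 65000:2) and exports nothing,
! so no spoke can learn another spoke's prefixes through it.
vrf definition HUB-IN
 rd 65000:10
 address-family ipv4
  route-target import 65000:2
!
! VRF 2: HUB-OUT originates a default route and exports it with RT 65000:1,
! the only RT the spokes import. Spoke-to-spoke traffic is therefore forced
! through the hub, which can forward, filter or drop it; dropping it is the
! private VLAN "isolated ports only talk to the promiscuous port" behaviour.
vrf definition HUB-OUT
 rd 65000:20
 address-family ipv4
  route-target export 65000:1
!
! Default route in HUB-OUT toward the hub router, which also holds the
! HUB-IN-facing link and sends traffic back toward the spokes. On a VXLAN
! switch capable of VXLAN-to-VXLAN routing the same job could be done by
! routing directly between HUB-IN and HUB-OUT on the hub device itself.
ip route vrf HUB-OUT 0.0.0.0 0.0.0.0 192.0.2.1
!
router bgp 65000
 address-family ipv4 vrf HUB-IN
  redistribute connected
 address-family ipv4 vrf HUB-OUT
  redistribute static
```

The check worth doing after building something like this is to look at the VRF routing table on a spoke PE and confirm it contains only the default route from HUB-OUT and its own connected prefixes; if another spoke's prefix shows up there, a route target is being imported that should not be, and the isolation is gone.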
Want to know more about VXLAN and EVPN? Why don’t you:
- Start with Introduction to Virtual Networking if you’re just starting with network virtualization;
- Watch Networking in Private and Public Clouds to understand the challenges we’re trying to solve and explore various approaches to virtual networking;
- Continue with a deep dive into VXLAN;
- Conclude the journey with EVPN deep dive.
All these webinars are part of Standard ipSpace.net subscription. Alternatively, buy the Expert ipSpace.net subscription and choose Building Next-Generation Data Centers as your online course.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/vxlan/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_chapter_0111.html#d20872e11476a1635
In addition, EVPN would be able to solve the use case with what is called E-TREE, aka RFC 8317 (not a 1:1 match, but close), as it allows a Layer-2 isolation use case. The presentation by Aldrin is referring more to a hub-and-spoke model for IP as described in https://tools.ietf.org/html/draft-keyupate-evpn-virtual-hub. The port-filter detail is kind of interesting to solve the isolated-host use case - very creative :-)