| IDR | P.L. Lapukhov |
| Internet-Draft | Microsoft Corp. |
| Intended status: Informational | A.P. Premji |
| Expires: January 13, 2013 | Arista Networks |
| July 14, 2012 |
Using BGP for routing in large-scale data centers
draft-lapukhov-bgp-routing-large-dc-01
Some service providers build and operate data centers that support over 100,000 servers. In this document, such data-centers are referred to as "large-scale" data centers to differentiate them the from more common smaller infrastructures. The data centers of this scale have a unique set of network requirements, with emphasis on operational simplicity and network stability.
This document attempts to summarize the authors' experiences in designing and supporting large data centers, using BGP as the only control-plane protocol. The intent here is to describe a proven and stable routing design that could be leveraged by others in the industry.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 13, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document presents a practical routing design that can be used in large-scale data centers. Such data centers, also known as hyper-scale or warehouse scale data centers, have a unique attribute of supporting over a 100,000 end hosts. In order to support networks of such scale, operators are revisiting networking designs and platforms to address this need.. Contrary to the more traditional data center designs, the approach presented in this document does not have any dependency on building a large Layer-2 domain and instead relies on routing at every layer in the network. Implementing a pure Layer-3 design using BGP further ensures broad vendor support and almost guarantees interoperability between vendors given that BGP is one of the most widely deployed protocols on the Internet.
This section provides an overview of two types of traditional data center designs - Layer-2 and fully routed Layer-3 topologies.
In the networking industry, a common design choice for data centers is to use a mix of Ethernet-based Layer 2 technologies. Network topologies typically look like a tree with redundant uplinks and three levels of hierarchy commonly named Core , Aggregation and Access layers (see Figure 1). To accommodate bandwidth demands, every next level has higher port density and bandwidth capacity, moving upwards in the topology. To keep terminology uniform, tn this document, these topology layers will be referred to as "tiers", e.g. Tier 1, Tier 2 and Tier 3 instead of Core, Aggregation or Access layers.
+------+ +------+
| | | |
| |--| | Tier1
| | | |
+------+ +------+
| | | |
+---------+ | | +----------+
| +-------+--+------+--+-------+ |
| | | | | | | |
+----+ +----+ +----+ +----+
| | | | | | | |
| |-----| | | |-----| | Tier2
| | | | | | | |
+----+ +----+ +----+ +----+
| | | |
| | | |
| +-----+ | | +-----+ |
+-| |-+ +-| |-+ Tier3
+-----+ +-----+
| | | | | |
[Servers] [Servers]
Figure 1: Typical Data Center network layout
IP routing is normally used only at the upper layers in the topology, e.g. Tier 1 or Tier 2. Some of the reasons for introducing such large (sometimes called stretched) layer-2 domains are:
Network designs that leverage IP routing down to the access layer (Tier 3) of the network have gained popularity as well. The main benefit of such designs is improved network stability and scalability, as a result of confining L2 broadcast domains. A common choice of routing protocol for data center designs would be an IGP, such as OSPF or ISIS. As data centers grow in scale, and server count exceeds tens of thousands, such fully routed designs become more attractive.
Although BGP is the de-facto standard protocol for routing on the Internet, having wide support from both the vendor and service provider communities, it is not generally deployed in data centers for a number of reasons:
In this document we demonstrate a practical approach for using BGP as the single routing protocol for data center networks.
The remaining of this document is organized as following. First the design requirements for large scale data centers are presented. Next, the document gives an overview of Clos network topology and its properties. After that, the reasons for selecting BGP as the single routing protocols are presented. Finally, the document discusses the design in more details and covers specific BGP policy features.
This section describes and summarizes network design requirement for a large-scale data center.
The primary requirement when building an interconnection network for large number of servers is to accommodate application bandwidth and latency requirements. Until recently it was quite common to see traffic flows mostly entering and leaving the data center (also known as north-south traffic) There were no intense, highly meshed flows or traffic patterns between the machines within the same tier. As a result, traditional "tree" topologies were sufficient to accommodate such flows, even with high oversubscription ratios in network equipment. If more bandwidth was required, it was added by “scaling up” the network elements, by upgrading line-cards or switch fabrics.
In contrast, large-scale data centers often host applications that generate significant amount of server to server traffic, also known as “east-west” traffic. Examples of such applications could be compute clusters such as Hadoop or live virtual machine migrations. Scaling up traditional tree topologies to match these bandwidth demands becomes either too expensive or impossible due to physical limitations.
The cost of the network infrastructure alone (CAPEX) constitutes about 10-15% of total data center expenditure [GREENBERG2009]. However, The absolute cost is significant, and there is a need to constantly drive down the cost of networking elements themselves. This can be accomplished in two ways:
In order to allow for vendor diversity, it is important to minimize the software feature requirements for the network elements. Furthermore, this strategy provides the maximum flexibility of vendor equipment choices while enforcing interoperability using open standards
Operating large scale infrastructure could be expensive, provide that larger amount of elements will statistically fail more often. Having a simpler design and operating using a limited software feature-set ensures that failures will mostly result from hardware malfunction and not software issues.
An important aspect of OPEX minimization is reducing size of failure domains in the network. Ethernet networks are known to be susceptible to broadcast or unicast storms. The use of a fully routed design significantly reduces the size of the data-plane failure domains (e.g. limits to Tier-3 switches only). However, such designs also introduce the problem of distributed control-plane failures. This calls for simpler control-plane protocols that are expected to have less chances of network meltdown.
In any data center, application load-balancing is a critical function performed by network devices. Traditionally, load-balancers are deployed as dedicated devices in the traffic forwarding path. The problem arises in scaling load-balancers under growing traffic demand. A preferable solution would be able to scale load-balancing layer horizontally, by adding more of the uniform nodes and distributing incoming traffic across these nodes
In situation like this, an ideal choice would to use network infrastructure itself to distribute traffic across a group of load-balancers. A combination of features such as Anycast prefix advertisement [RFC4786] along with Equal Cost Multipath (ECMP) functionality could be used to accomplish this. To allow for more granular load-distribution, it is beneficial for the network to support the ability to perform controlled per-hop traffic engineering. For example, it is beneficial to directly control the ECMP next-hop set for anycast prefixes at every level of network hierarchy.
This section summarizes the list of requirements, based on the discussion so far:
This section outlines the most common choice for horizontally scalable topology in large scale data centers.
A common choice for a horizontally scalable topology is a folded Clos topology, sometimes called “fat-tree” (see, for example, [INTERCON] and [ALFARES2008]). This topology features odd number of stages (dimensions) and is commonly made of the same uniform elements, e.g. switches with the same port count. Therefore, the choice of Clos topology satisfies both REQ1 and REQ2. See Figure 2 below for an example of folded 3-stage Clos topology:
+-------+
| |----------------------------+
| |------------------+ |
| |--------+ | |
+-------+ | | |
+-------+ | | |
| |--------+---------+-------+ |
| |--------+-------+ | | |
| |------+ | | | | |
+-------+ | | | | | |
+-------+ | | | | | |
| |------+-+-------+-+-----+ | |
| |------+-+-----+ | | | | |
| |----+ | | | | | | | |
+-------+ | | | | | | ---------> M links
Tier1 | | | | | | | | |
+-------+ +-------+ +-------+
| | | | | |
| | | | | | Tier2
| | | | | |
+-------+ +-------+ +-------+
| | | | | | | | |
| | | | | | ---------> N Links
| | | | | | | | |
O O O O O O O O O Servers
Figure 2: 3-Stage Folded Clos topology
In the networking industry, a topology like this is sometimes referred to as "Leaf and Spine" network, where "Spine" is the name given to the middle stage of the Clos topology (Tier 1) and "Leaf" is the name of input/output stage (Tier 2). However, for consistency, we will refer to these layers as "Tier n".
The following are some key properties of the Clos topology:
A Clos topology could be scaled either by increasing network switch port count or adding more stages, e.g. moving to a 5-stage Clos, as illustrated on Figure 3 below:
Tier1
+-----+
| |
+--| |--+
| +-----+ |
Tier2 | | Tier2
+-----+ | +-----+ | +-----+
+-------------| DEV |--+--| |--+--| |-------------+
| +-----| C |--+ | | +--| |-----+ |
| | +-----+ +-----+ +-----+ | |
| | | |
| | +-----+ +-----+ +-----+ | |
| +-----+-----| DEV |--+ | | +--| |-----+-----+ |
| | | +---| D |--+--| |--+--| |---+ | | |
| | | | +-----+ | +-----+ | +-----+ | | | |
| | | | | | | | | |
+-----+ +-----+ | +-----+ | +-----+ +-----+
| DEV | | DEV | +--| |--+ | | | |
| A | | B | Tier3 | | Tier3 | | | |
+-----+ +-----+ +-----+ +-----+ +-----+
| | | | | | | |
O O O O <- Servers -> O O O O
Figure 3: 5-Stage Clos topology
The topology on Figure 3 is built from switches with port count of 4 and provides full bisection bandwidth to all connected servers. We will refer to the collection of directly connected Tier 2 and Tier 3 switches as a “cluster” in this document. For example, devices A, B, C, and D on Figure 3 form a cluster.
In practice, the Tier 3 level of the network (typically top of rack switches, or ToRs) is where oversubscription is introduced to allow for packaging of more servers in data center. The main reason to limit oversubscription at a single layer of the network is to simplify application development that would otherwise need to account for two bandwidth pools: within the same access switch (e.g. rack) and outside of the local switch Since oversubscription itself does not have any effect on routing, we will not be discussing it further in this document
This section discusses the motivation for choosing BGP as the routing protocol and BGP configuration for routing in Clos topology.
The set of requirements discussed earlier call for a single routing protocol (REQ2) to reduce complexity and interdependencies. While it is common to rely on an IGP in this situation, the document proposes the use of BGP only. The advantages of using BGP are discussed below.
Topologies that have more than 5 stages are very uncommon due to the large numbers of interconnects required by such a design.
The diagram below illustrates suggests BGP Autonomous System Number (BGP ASN) allocation scheme. The following is a list of guidelines that can be used:
ASN 64534
+---------+
| +-----+ |
| | | |
+-|-| |-|-+
| | +-----+ | |
ASN 64XXX | | | | ASN 64XXX
+---------+ | | | | +---------+
| +-----+ | | | +-----+ | | | +-----+ |
+-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+
| +---|-| |-|-+ | | | | +-|-| |-|---+ |
| | | +-----+ | | +-----+ | | +-----+ | | |
| | | | | | | | | |
| | | | | | | | | |
| | | +-----+ | | +-----+ | | +-----+ | | |
| +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ |
| | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | |
| | | | | +-----+ | | | +-----+ | | | +-----+ | | | | |
| | | | +---------+ | | | | +---------+ | | | |
| | | | | | | | | | | |
+-----+ +-----+ | | +-----+ | | +-----+ +-----+
| ASN | | | +-|-| |-|-+ | | | |
|65YYY| | ... | | | | | | ... | | ... |
+-----+ +-----+ | +-----+ | +-----+ +-----+
| | | | +---------+ | | | |
O O O O <- Servers -> O O O O
Figure 4: BGP ASN layout for 5-stage Clos
The use of private BGP ASNs limits to the usable range of 1022 unique numbers. Since it is very likely that the number of network switches could exceed this number, a workaround is required. One approach would be to re-use the private ASN’s assigned to the Tier 3 switches across different clusters. For example, private BGP ASN’s 65001, 65002 ... 65032 could be used within every individual cluster to be assigned to Tier 3 switches.
To avoid route suppression due to AS PATH loop prevention, upstream eBGP sessions on Tier 3 switches must be configured with the “AllowAS In” feature that allows accepting a device’s own ASN in received route advertisements. Introducing this feature does not create the opportunity for routing loops under misconfiguration since the AS PATH is always incremented when routes are propagated from tier to tier.
Another solution to this problem would be to using four-octet (32-bit) BGP ASNs. However, there are no reserved private ASN range in the four-octet numbering scheme although efforts are underway to support this, see [I-D.mitchell-idr-as-private-reservation]. This will also require vendors to implement specific policy features, such as four-octet private AS removal from AS-PATH attribute.
A Clos topology has a large number of point-to-point links and associated prefixes. Advertising all of these routes into BGP may create FIB overload conditions. There are two possible solutions that can help prevent FIB overload:
Server facing subnets on Tier 3 switches are announced into BGP without using summarization on Tier 2 and Tier 1 switches. Summarizing subnets in the Clos topology will result in route black-holing under a single link failure (e.g. between Tier 2 and Tier 3 switch) and hence must be avoided. The use of peer links within the same tier to resolve the black-holing problem is undesirable due to O(N^2) complexity of the peering mesh and waste of ports on the switches.
A dedicate cluster (or clusters) in the Clos topology could be used solely for the purpose of connecting to the Wide Area Network (WAN) edge devices, or WAN Routers. Tier 3 switches in such a cluster would be replaced with WAN Routers, but eBGP peering would be used again, though WAN routers are likely to belong to a public ASN.
The Tier 2 devices in such a dedicated cluster will be referred to as “Border Routers” in this document. These devices have to perform a few special functions:
This section covers the Equal Cost Multipath (ECMP) functionality for Clos topology and discusses a few special requirements.
ECMP is the fundamental load-sharing mechanism used by a Clos topology. Effectively, every lower-tier switch will use all of its directly attached upper-tier devices to load-share traffic destined to the same prefix. Number of ECMP paths between two input/output switches in Clos topology equals to the number of the switches in the middle stage (Tier 1). For example, Figure 5 illustrates the topology where Tier 3 device A has four paths to reach servers X and Y, via Tier 2 devices B and C and then Tier 1 devices 1, 2, 3, and 4 respectively.
Tier 1
+-----+
| DEV |
+->| 1 |--+
| +-----+ |
Tier 2 | | Tier 2
+-----+ | +-----+ | +-----+
+------------>| DEV |--+->| DEV |--+--| |-------------+
| +-----| B |--+ | 2 | +--| |-----+ |
| | +-----+ +-----+ +-----+ | |
| | | |
| | +-----+ +-----+ +-----+ | |
| +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ |
| | | +---| C |--+->| 3 |--+--| |---+ | | |
| | | | +-----+ | +-----+ | +-----+ | | | |
| | | | | | | | | |
+-----+ +-----+ | +-----+ | +-----+ +-----+
| DEV | | | Tier 3 +->| DEV |--+ Tier 3 | | | |
| A | | | | 4 | | | | |
+-----+ +-----+ +-----+ +-----+ +-----+
| | | | | | | |
O O O O <- Servers -> X Y O O
Figure 5: ECMP fan-out tree from A to X and Y
The ECMP requirement implies that the BGP implementation must support multi-path fan-out for up to the maximum number of devices directly attached at any point in the topology. Normally, this number does not exceed half of the ports found on a switch in the topology. For example, an ECMP max-path of 32 would be required when building a Clos network using 64-port devices.
Most implementations declare paths to be equal from ECMP perspective if they match up to and including step (e) in Section 9.1.2.2 of [RFC4271]. In the proposed network design there is no underlying IGP, so all IGP costs are automatically assumed to be zero (or otherwise the same value across all paths). Loop prevention is assumed to be handled by the BGP best-path selection process.
For application load-balancing purposes we may want the same prefix to be advertised from multiple Tier-3 switches. From the perspective of other devices, such a prefix would have BGP paths with different AS PATH attribute values, though having the same AS PATH attribute lengths. Therefore, the BGP implementations must support load-sharing over above-mentioned paths. This feature is sometimes known as “AS PATH multipath relax” and effectively allows for ECMP to be done across different neighboring ASNs.
This section reviews routing convergence properties of BGP in the proposed design. A case is made that sub-second convergence is achievable provided that implementation supports fast BGP peering session shutdown upon failure of an associated link.
BGP typically relies on an IGP to route around link/node failures inside an AS, and implements either a polling based or an event-driven mechanism to obtain updates on IGP state changes. The proposed routing design omits the use of an IGP, so the only mechanisms that could be used for fault detection are BGP keep-alives and link-failure triggers.
Relying solely on BGP keep-alive packets may result in high convergence delays, in the order of multiple seconds (normally, the minimum recommended BGP hold time value is 3 seconds). However, many BGP implementations can shut down local eBGP peering sessions in response to the "link down" event for the outgoing interface used for BGP peering. This feature is sometimes called as "fast fail-over". Since the majority of the links in modern data centers are point to point fiber connections, a physical interface failure if often detected in milliseconds and subsequently triggers a BGP re-convergence.
Furthermore, popular link technologies, such as 10Gbps Ethernet, may support a simple form of OAM for failure signaling such as [FAULTSIG10GE], which makes failure detection more robust. Alternatively, as opposed to relying on physical layer for fault signaling, some platforms may support Bidirectional Forwarding Detection ([RFC5880]) to allow for sub-second failure detection and fault signaling to the BGP process. This, however, presents additional requirements to vendor software and possibly hardware, and may contradict REQ1.
BGP is inherently a distance-vector protocol, and as such some of failures could be masked if the local node can immediately find a backup path. The worst case is that all devices in data center topology would have to either withdraw a prefix completely, or recalculate the ECMP paths in the FIB. Reducing the fault domain using summarization is not possible with the proposed design, since using this technique may create route black-holing issues as mentioned previously. Thus, the control-plane failure impact scope is the network as a whole. It is worth pointing that such property is not a result of choosing BGP, but rather a result of using the "scale-out" Clos topology.
BGP allows for a third-party BGP speaker (not necessarily directly attached to the network devices) to inject routes anywhere in the network topology. This could be achieved by peering an external speaker using an eBGP multi-hop session with some or even all devices in the topology. Furthermore, BGP diverse path distribution [I-D.ietf-grow-diverse-bgp-path-dist] could be used to inject multiple next-hop for the same prefix to facilitate load-balancing. Using such a technique would make it possible to implement unequal-cost load-balancing across multiple clusters in the data-center, by associating the same prefix with next-hops mapped to different clusters.
For example, a third-party BGP speaker may peer with Tier 3 and Tier 1 switches, injecting the same prefix, but using a special set of BGP next-hops for Tier 1 devices. Those next-hops are assumed to resolve recursively via BGP, and could be, for example, IP addresses on Tier 3 switches. The resulting forwarding table programming could provide desired traffic proportion distribution among different clusters.
The design does not introduce any additional security concerns. For control plane security, BGP peering sessions could be authenticated using TCP MD5 signature extension header [RFC2385]. Furthermore, BGP TTL security [I-D.gill-btsh] could be used to reduce the risk of session spoofing and TCP SYN flooding attacks against the control plane.
There are no considerations associated with IANA for this document.
This publication summarizes work of many people who participated in developing, testing and deploying the proposed design. Their names, in alphabetical order, are George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, Robert Toomey, and Lihua Yuan. Authors would also like to thank Jon Mitchell, Linda Dunbar and Susan Hares for reviewing and providing valuable feedback on the document.