Routing Area Working GroupInternet Engineering Task Force (IETF) P. LapukhovInternet-DraftRequest for Comments: 7938 FacebookIntended status:Category: Informational A. PremjiExpires: December 6, 2016ISSN: 2070-1721 Arista Networks J. Mitchell, Ed.June 4,August 2016 Use of BGP forroutingRouting inlarge-scale data centers draft-ietf-rtgwg-bgp-routing-large-dc-11Large-Scale Data Centers Abstract Some network operators build and operate data centers that support over one hundred thousand servers. In this document, such data centers are referred to as "large-scale" to differentiate them from smaller infrastructures. Environments of this scale have a unique set of network requirements with an emphasis on operational simplicity and network stability. This document summarizes operational experience in designing and operating large-scale data centers using BGP as the only routing protocol. The intent is to report on a proven and stable routing design that could be leveraged by others in the industry. Status of This Memo ThisInternet-Draftdocument issubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsnot an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are amaximumcandidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 6, 2016.http://www.rfc-editor.org/info/rfc7938. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Network Design Requirements . . . . . . . . . . . . . . . . . 4 2.1. Bandwidth and Traffic Patterns . . . . . . . . . . . . . 4 2.2. CAPEX Minimization . . . . . . . . . . . . . . . . . . . 4 2.3. OPEX Minimization . . . . . . . . . . . . . . . . . . . . 5 2.4. Traffic Engineering . . . . . . . . . . . . . . . . . . . 5 2.5. Summarized Requirements . . . . . . . . . . . . . . . . .65 3. Data Center Topologies Overview . . . . . . . . . . . . . . . 6 3.1. Traditional DC Topology . . . . . . . . . . . . . . . . . 6 3.2. Clos NetworktopologyTopology . . . . . . . . . . . . . . . . . . 7 3.2.1. Overview . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Clos Topology Properties . . . . . . . . . . . . . . 8 3.2.3. Scaling the ClostopologyTopology . . . . . . . . . . . . . . 9 3.2.4. Managing the Size of Clos Topology Tiers . . . . . . 10 4. Data Center Routing Overview . . . . . . . . . . . . . . . .1110 4.1.Layer 2 OnlyL2-Only Designs . . . . . . . . . . . . . . . . . . . . . 11 4.2. Hybrid L2/L3 Designs . . . . . . . . . . . . . . . . . . 12 4.3.Layer 3 OnlyL3-Only Designs . . . . . . . . . . . . . . . . . . . . . 12 5. Routing Protocol Design . . . . . . . . . . . . . . . . . . . 13 5.1. Choosing EBGP as the Routing Protocol . . . . . . . . . . 13 5.2. EBGP Configuration for ClostopologyTopology . . . . . . . . . . 15 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme 15 5.2.2. Private Use ASNs . . . . . . . . . . . . . . . . . . 16 5.2.3. Prefix Advertisement . . . . . . . . . . . . . . . . 17 5.2.4. External Connectivity . . . . . . . . . . . . . . . . 18 5.2.5. Route Summarization at the Edge . . . . . . . . . . . 19 6. ECMP Considerations . . . . . . . . . . . . . . . . . . . . .2019 6.1. Basic ECMP . . . . . . . . . . . . . . . . . . . . . . . 20 6.2. BGP ECMP over Multiple ASNs . . . . . . . . . . . . . . . 21 6.3. Weighted ECMP . . . . . . . . . . . . . . . . . . . . . . 21 6.4. Consistent Hashing . . . . . . . . . . . . . . . . . . . 22 7. Routing Convergence Properties . . . . . . . . . . . . . . . 22 7.1. Fault Detection Timing . . . . . . . . . . . . . . . . . 22 7.2. Event Propagation Timing . . . . . . . . . . . . . . . . 23 7.3. Impact of Clos TopologyFan-outsFan-Outs . . . . . . . . . . . . 23 7.4. Failure Impact Scope . . . . . . . . . . . . . . . . . . 24 7.5. Routing Micro-Loops . . . . . . . . . . . . . . . . . . . 25 8. Additional Options for Design . . . . . . . . . . . . . . . . 26 8.1.Third-partyThird-Party Route Injection . . . . . . . . . . . . . . . 26 8.2. Route Summarization within Clos Topology . . . . . . . . 26 8.2.1. CollapsingTier-1Tier 1 Devices Layer . . . . . . . . . . . 27 8.2.2. Simple Virtual Aggregation . . . . . . . . . . . . . 29 8.3. ICMP Unreachable Message Masquerading . . . . . . . . . . 29 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 10.IANA ConsiderationsReferences . . . . . . . . . . . . . . . . . . . . .30 11. Acknowledgements. . . . 30 10.1. Normative References . . . . . . . . . . . . . . . . . . 3012.10.2. Informative References . . . . . . . . . . . . . . . . .. . . . . . . .3112.1. Normative References . . . . . . . . . . .Acknowledgements . . . . . . .31 12.2. Informative References. . . . . . . . . . . . . . . . .3135 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 1. Introduction This document describes a practical routing design that can be used in a large-scale data center (DC) design. Such data centers, also known ashyper-scale"hyper-scale" orwarehouse-scale"warehouse-scale" data centers, have a unique attribute of supporting over a hundred thousand servers. In order to accommodate networks of this scale, operators are revisiting networking designs and platforms to address this need. The design presented in this document is based on operational experience with data centers built to support large-scale distributed software infrastructure, such as aWebweb search engine. The primary requirements in such an environment are operational simplicity and network stability so that a small group of people can effectively support a significantly sized network. Experimentation and extensive testing have shown that External BGP (EBGP) [RFC4271] is well suited as a stand-alone routing protocol for thesetypetypes of data center applications. This is in contrast with more traditional DC designs, which may use simple tree topologies and rely on extending Layer 2 (L2) domains across multiple network devices. This document elaborates on the requirements that led to this design choice and presents details of the EBGP routing design as well asexploresexploring ideas for further enhancements. This document first presents an overview of network design requirements and considerations for large-scale data centers.ThenThen, traditional hierarchical data center network topologies are contrasted with Clos networks [CLOS1953] that are horizontally scaled out. This is followed by arguments for selecting EBGP with a Clos topology as the most appropriate routing protocol to meet the requirements and the proposed design is described in detail. Finally, this document reviews some additional considerations and design options. A thorough understanding of BGP is assumed by a reader planning on deploying the design described within the document. 2. Network Design Requirements This section describes and summarizes network design requirements for large-scale data centers. 2.1. Bandwidth and Traffic Patterns The primary requirement when building an interconnection network for a large number of servers is to accommodate application bandwidth and latency requirements. Until recently it was quite common to see the majority of traffic entering and leaving the data center, commonly referred to as "north-south" traffic. Traditional "tree" topologies were sufficient to accommodate such flows, even with high oversubscription ratios between the layers of the network. If more bandwidth was required, it was added by "scaling up" the network elements, e.g., by upgrading the device's linecards or fabrics or replacing the device with one with higher port density. Today many large-scale data centers host applications generating significant amounts of server-to-server traffic, which does not egress the DC, commonly referred to as "east-west" traffic. Examples of such applications could becomputecomputer clusters such as Hadoop [HADOOP], massive data replication between clusters needed by certain applications, or virtual machine migrations. Scaling traditional tree topologies to match these bandwidth demands becomes either too expensive or impossible due to physical limitations, e.g., port density in a switch. 2.2. CAPEX Minimization The Capital Expenditures (CAPEX) associated with the network infrastructure alone constitutes about 10-15% of total data center expenditure (see [GREENBERG2009]). However, the absolute cost is significant, and hence there is a need to constantly drive down the cost of individual network elements. This can be accomplished in two ways: o Unifying all network elements, preferably using the same hardware type or even the same device. This allows for volume pricing on bulk purchases and reduced maintenance and inventory costs. o Driving costs down using competitive pressures, by introducing multiple network equipment vendors. In order to allow for good vendordiversitydiversity, it is important to minimize the software feature requirements for the network elements. This strategy provides maximum flexibility of vendor equipment choices while enforcing interoperability using open standards. 2.3. OPEX Minimization Operating large-scale infrastructure can be expensive as a larger amount of elements will statistically fail more often. Having a simpler design and operating using a limited software feature set minimizes software issue-related failures. An important aspect of Operational Expenditure (OPEX) minimization is reducing the size of failure domains in the network. Ethernet networks are known to be susceptible to broadcast or unicast traffic storms that can have a dramatic impact on network performance and availability. The use of a fully routed design significantly reduces the size of thedata planedata-plane failure domains, i.e., limits them to the lowest level in the network hierarchy. However, such designs introduce the problem of distributedcontrol planecontrol-plane failures. This observation calls for simpler and lesscontrol planecontrol-plane protocols to reduce protocol interaction issues, reducing the chance of a network meltdown. Minimizing software feature requirements as described in the CAPEX section above also reduces testing and training requirements. 2.4. Traffic Engineering In any data center, application load balancing is a critical function performed by network devices. Traditionally, load balancers are deployed as dedicated devices in the traffic forwarding path. The problem arises in scaling load balancers under growing traffic demand. A preferable solution would be able to scale theloadload- balancing layer horizontally, by adding more of the uniform nodes and distributing incoming traffic across these nodes. In situations like this, an ideal choice would be to use network infrastructure itself to distribute traffic across a group of load balancers. The combination ofAnycastanycast prefix advertisement [RFC4786] and Equal Cost Multipath (ECMP) functionality can be used to accomplish this goal. To allow for more granular load distribution, it is beneficial for the network to support the ability to perform controlled per-hop traffic engineering. For example, it is beneficial to directly control the ECMP next-hop set forAnycastanycast prefixes at every level of the network hierarchy. 2.5. Summarized Requirements This section summarizes the list of requirements outlined in the previous sections: o REQ1: Select a topology that can be scaled "horizontally" by adding more links and network devices of the same type without requiring upgrades to the network elements themselves. o REQ2: Define a narrow set of software features/protocols supported by a multitude of networking equipment vendors. o REQ3: Choose a routing protocol that has a simple implementation in terms of programming code complexity and ease of operational support. o REQ4: Minimize the failure domain of equipment or protocol issues as much as possible. o REQ5: Allow for some traffic engineering, preferably via explicit control of the routing prefixnext-hopnext hop using built-in protocol mechanics. 3. Data Center Topologies Overview This section provides an overview of two general types of data center designs--- hierarchical (also known astree based)"tree-based") andClos basedClos-based network designs. 3.1. Traditional DC Topology In the networking industry, a common design choice for data centers typicallylooklooks like an (upside down) tree with redundant uplinks and three layers of hierarchy namely; core,aggregation/distributionaggregation/distribution, and access layers (see Figure 1). To accommodate bandwidth demands, each higher layer, from the server towards DC egress or WAN, has higher port density and bandwidth capacity where the core functions as the "trunk" of thetree basedtree-based design. To keep terminology uniform and for comparison with other designs, in this document these layers will be referred to asTier-1, Tier-2Tier 1, Tier 2 andTier-3Tier 3 "tiers", instead ofCore, Aggregationcore, aggregation, orAccessaccess layers. +------+ +------+ | | | | | |--| |Tier-1Tier 1 | | | | +------+ +------+ | | | | +---------+ | | +----------+ | +-------+--+------+--+-------+ | | | | | | | | | +----+ +----+ +----+ +----+ | | | | | | | | | |-----| | | |-----| |Tier-2Tier 2 | | | | | | | | +----+ +----+ +----+ +----+ | | | | | | | | | +-----+ | | +-----+ | +-| |-+ +-| |-+Tier-3Tier 3 +-----+ +-----+ | | | | | | <- Servers -> <- Servers -> Figure 1: Typical DCnetwork topologyNetwork Topology Unfortunately, as noted previously, it is not possible to scale atree basedtree-based design to a large enough degreeto handlefor handling large-scale designs due to the inability to be able to acquireTier-1Tier 1 devices with a large enough port density to sufficiently scaleTier-2.Tier 2. Also,continouscontinuous upgrades or replacement of theupper tierupper-tier devices are required as deployment size or bandwidth requirementsincreaseincrease, which is operationally complex. For this reason, REQ1 is in place, eliminating this type of design from consideration. 3.2. Clos NetworktopologyTopology This section describes a common design for horizontally scalable topology in large-scale data centers in order to meet REQ1. 3.2.1. Overview A common choice for a horizontally scalable topology is a folded Clos topology, sometimes called "fat-tree"(see, for(for example, [INTERCON] and [ALFARES2008]). This topology features an odd number of stages (sometimes known asdimensions)"dimensions") and is commonly made of uniform elements, e.g., network switches with the same port count. Therefore, the choice of folded Clos topology satisfies REQ1 and facilitates REQ2. See Figure 2 below for an example of a folded 3-stage Clos topology (3 stages countingTier-2Tier 2 stage twice, when tracing a packet flow): +-------+ | |----------------------------+ | |------------------+ | | |--------+ | | +-------+ | | | +-------+ | | | | |--------+---------+-------+ | | |--------+-------+ | | | | |------+ | | | | | +-------+ | | | | | | +-------+ | | | | | | | |------+-+-------+-+-----+ | | | |------+-+-----+ | | | | | | |----+ | | | | | | | | +-------+ | | | | | | ---------> M linksTier-1Tier 1 | | | | | | | | | +-------+ +-------+ +-------+ | | | | | | | | | | | |Tier-2Tier 2 | | | | | | +-------+ +-------+ +-------+ | | | | | | | | | | | | | | | ---------> N Links | | | | | | | | | O O O O O O O O O Servers Figure 2: 3-Stage Folded ClostopologyTopology This topology is often also referred to as a "Leaf and Spine" network, where "Spine" is the name given to the middle stage of the Clos topology(Tier-1)(Tier 1) and "Leaf" is the name of input/output stage(Tier-2).(Tier 2). For uniformity, this document will refer to these layers using the"Tier-n""Tier n" notation. 3.2.2. Clos Topology Properties The following are some key properties of the Clos topology: o The topology is fully non-blocking, or more accurately non- interfering, if M >= N and oversubscribed by a factor of N/M otherwise. Here M and N is the uplink and downlink port count respectively, for aTier-2Tier 2 switch as shown in Figure 2. o Utilizing this topology requires control anddata planedata-plane support for ECMP with a fan-out of M or more. oTier-1Tier 1 switches have exactly one path to every server in this topology. This is an important property that makes route summarization dangerous in this topology (see Section 8.2 below). o Traffic flowing from server to server is load balanced over all available paths using ECMP. 3.2.3. Scaling the ClostopologyTopology A Clos topology can be scaled either by increasing network element port density or by adding more stages, e.g., moving to a 5-stage Clos, as illustrated in Figure 3 below:Tier-1Tier 1 +-----+ Cluster | | +----------------------------+ +--| |--+ | | | +-----+ | |Tier-2Tier 2 | | |Tier-2Tier 2 | +-----+ | | +-----+ | +-----+ | +-------------| DEV |------+--| |--+--| |-------------+ | | +-----| C |------+ | | +--| |-----+ | | | | +-----+ | +-----+ +-----+ | | | | | | | | | | | +-----+ | +-----+ +-----+ | | | | +-----------| DEV |------+ | | +--| |-----------+ | | | | | +---| D |------+--| |--+--| |---+ | | | | | | | | +-----+ | | +-----+ | +-----+ | | | | | | | | | | | | | | | | | +-----+ +-----+ | | +-----+ | +-----+ +-----+ | | DEV | | DEV | | +--| |--+ | | | | | | A | | B |Tier-3Tier 3 | | |Tier-3Tier 3 | | | | | +-----+ +-----+ | +-----+ +-----+ +-----+ | | | | | | | | | | | O O O O | O O O O | Servers | Servers +----------------------------+ Figure 3: 5-Stage ClostopologyTopology The small example of topologyonin Figure 3 is built from devices with a port count of4 and provides full bisectional bandwidth to all connected servers.4. In this document, one set of directly connectedTier-2Tier 2 andTier-3Tier 3 devices along with their attached servers will be referred to as a "cluster". For example, DEV A, B, C, D, and the servers that connect to DEV A and B, on Figure 3 form a cluster. The concept of a cluster may also be a useful concept as a single deployment or maintenance unitwhichthat can be operated on at a different frequency than the entire topology. In practice,the Tier-3 layerTier 3 of the network, whichareis typicallytop of rackTop-of-Rack switches (ToRs), is where oversubscription is introduced to allow for packaging of more servers in the data center while meeting the bandwidth requirements for different types of applications. The main reason to limit oversubscription at a single layer of the network is to simplify application development that would otherwise need to account for multiple bandwidth pools: within rack(Tier-3),(Tier 3), between racks(Tier-2),(Tier 2), and between clusters(Tier-1).(Tier 1). Since oversubscription does not have a direct relationship to the routingdesigndesign, it is not discussed further in this document. 3.2.4. Managing the Size of Clos Topology Tiers If a data center network size is small, it is possible to reduce the number of switches inTier-1Tier 1 orTier-2Tier 2 of a Clos topology by a factor of two. To understand how this could be done, takeTier-1Tier 1 as an example. EveryTier-2Tier 2 device connects to a single group ofTier-1Tier 1 devices. If half of the ports on each of theTier-1Tier 1 devices are not beingusedused, then it is possible to reduce the number ofTier-1Tier 1 devices by half and simply map two uplinks from aTier-2Tier 2 device to the sameTier-1Tier 1 device that were previously mapped to differentTier-1Tier 1 devices. This technique maintains the samebisectionalbandwidth while reducing the number of elements inthe Tier-1 layer,Tier 1, thus saving on CAPEX. The tradeoff, in this example, is the reduction of maximum DC size in terms of overall server count by half. In this example,Tier-2Tier 2 devices will be using two parallel links to connect to eachTier-1Tier 1 device. If one of these links fails, the other will pick up all traffic of the failed link,possiblepossibly resulting in heavy congestion and quality of service degradation if the path determination procedure does not take bandwidth amount intoaccountaccount, since the number of upstreamTier-1Tier 1 devices is likely wider than two. To avoid this situation, parallel links can be grouped in link aggregation groups(LAGs, such as [IEEE8023AD])(LAGs), e.g., [IEEE8023AD], with widely available implementation settings that take the whole "bundle" down upon a single link failure. Equivalent techniques that enforce "fate sharing" on the parallel links can be used in place of LAGs to achieve the same effect. As a result of such fate-sharing, traffic from two or more failed links will bere-balancedrebalanced over the multitude of remaining paths that equals the number ofTier-1Tier 1 devices. This example is using two links for simplicity, having more links in a bundle will have less impact on capacity upon a member-link failure. 4. Data Center Routing Overview This section provides an overview of three general types of data center protocol designs--- Layer 2 only, HybridL2/L3Layer L2/L3, and Layer 3 only. 4.1.Layer 2 OnlyL2-Only DesignsOriginallyOriginally, most data center designs usedSpanning-TreeSpanning Tree Protocol (STP) originally defined in [IEEE8021D-1990] forloop freeloop-free topology creation, typically utilizing variants of the traditional DC topology described in Section 3.1. At the time, many DC switches either did not support Layer 3 routing protocols or supported them with additional licensing fees, which played a part in the design choice. Although many enhancements have been made through the introduction of Rapid Spanning Tree Protocol (RSTP) in the latest revision of [IEEE8021D-2004] and Multiple Spanning Tree Protocol (MST) specified in [IEEE8021Q] that increase convergence,stabilitystability, andloadload- balancing in larger topologies, many of the fundamentals of the protocol limit its applicability in large-scale DCs. STP and its newer variants use an active/standby approach to pathselectionselection, and are therefore hard to deploy inhorizontally-scaledhorizontally scaled topologies as described in Section 3.2. Further, operators have had many experiences with large failures due to issues caused by improper cabling, misconfiguration, or flawed software on a single device. These failures regularly affected the entire spanning-tree domain and were very hard to troubleshoot due to the nature of the protocol. For these reasons, and since almost all DC traffic is now IP, therefore requiring a Layer 3 routing protocol at the network edge for external connectivity, designs utilizing STP usually fail all of the requirements of large-scale DC operators. Various enhancements to link-aggregation protocols such as [IEEE8023AD], generally known as Multi-Chassis Link-Aggregation (M-LAG) made it possible to use Layer 2 designs with active-active network paths while relying on STP as the backup for loop prevention. The major downsides of this approach are the lack of ability to scale linearly past two in most implementations, lack ofstandards basedstandards-based implementations, andaddedthe added failure domain risk of syncing state between the devices. It should be noted that building large, horizontally scalable,Layer 2 onlyL2-only networks without STP is possible recently through the introduction of theTRILLTransparent Interconnection of Lots of Links (TRILL) protocol in [RFC6325]. TRILL resolves many of the issues STP has for large-scale DC designhoweverhowever, due to the limited number of implementations, and often the requirement for specific equipment that supports it, this has limited its applicability and increased the cost of such designs. Finally, neither the base TRILL specification nor the M-LAG approach totally eliminate the problem of the shared broadcastdomain,domain that is so detrimental to the operations of any Layer 2,Ethernet basedEthernet-based solution. Later TRILL extensions have been proposed to solve the this problemstatementstatement, primarily based on the approaches outlined in [RFC7067], but this even further limits the number of available interoperable implementations that can be used to build a fabric. Therefore,TRILL basedTRILL-based designs have issues meeting REQ2, REQ3, and REQ4. 4.2. Hybrid L2/L3 Designs Operators have sought to limit the impact ofdata planedata-plane faults and build large-scale topologies through implementing routing protocols in either theTier-1Tier 1 orTier-2Tier 2 parts of the network and dividing the Layer 2 domain into numerous, smaller domains. This design has allowed data centers to scale up, but at the cost of complexity in managing multiple network protocols. For the following reasons, operators have retained Layer 2 in either the access(Tier-3)(Tier 3) or both access and aggregation(Tier-3(Tier 3 andTier-2)Tier 2) parts of the network: o Supporting legacy applications that may require direct Layer 2 adjacency or use non-IP protocols. o Seamless mobility for virtual machines that require the preservation of IP addresses when a virtual machine moves to a differentTier-3Tier 3 switch. o Simplified IP addressing = less IP subnets are required for the data center. o Application load balancing may require direct Layer 2 reachability to perform certain functions such as Layer 2 Direct Server Return(DSR, see [L3DSR]).(DSR). See [L3DSR]. o Continued CAPEX differences betweenLayer 2L2- andLayer 3 capableL3-capable switches. 4.3.Layer 3 OnlyL3-Only Designs Network designs that leverage IP routing down toTier-3Tier 3 of the network have gained popularity as well. The main benefit of these designs is improved network stability and scalability, as a result of confining L2 broadcast domains.CommonlyCommonly, an Interior Gateway Protocol (IGP) such asOSPFOpen Shortest Path First (OSPF) [RFC2328] is used as the primary routing protocol in such a design. As data centers grow in scale, and server count exceeds tens of thousands, such fully routed designs have become more attractive. Choosing aLayer 3 onlyL3-only design greatly simplifies the network, facilitating the meeting of REQ1 and REQ2, and has widespread adoption in networks where large Layer 2 adjacency and larger size Layer 3 subnets are not as critical compared to network scalability and stability. Application providers and network operators continue to develop new solutions to meet some of the requirements that previously had driven large Layer 2 domains by using various overlay or tunneling techniques. 5. Routing Protocol Design In thissectionsection, the motivations for using External BGP (EBGP) as the single routing protocol for data center networks having a Layer 3 protocol design and Clos topology are reviewed. Then, a practical approach for designing anEBGP basedEBGP-based network is provided. 5.1. Choosing EBGP as the Routing Protocol REQ2 would give preference to the selection of a single routing protocol to reduce complexity and interdependencies. While it is common to rely on an IGP in this situation, sometimes with either the addition of EBGP at the device bordering the WAN or Internal BGP (IBGP) throughout, this document proposes the use of anEBGP onlyEBGP-only design. Although EBGP is the protocol used for almost allinter-domain routingInter-Domain Routing in the Internet and has wide support from both vendor and service provider communities, it is not generally deployed as the primary routing protocol within the data center for a number of reasons (some of which are interrelated): o BGP is perceived as a"WAN only protocol only""WAN-only, protocol-only" and not often considered for enterprise or data center applications. o BGP is believed to have a "much slower" routing convergence compared to IGPs. oLarge scaleLarge-scale BGP deployments typically utilize an IGP for BGP next- hop resolution as all nodes in theiBGPIBGP topology are not directly connected. o BGP is perceived to require significant configuration overhead and does not support neighbor auto-discovery. This document discusses some of these perceptions, especially as applicable to the proposed design, and highlights some of the advantages of using the protocol such as: o BGP has less complexity in parts of its protocol design--- internal data structures and state machine are simpler as compared to most link-state IGPs such as OSPF. For example, instead of implementing adjacency formation, adjacency maintenance and/or flow-control, BGP simply relies on TCP as the underlying transport. This fulfills REQ2 and REQ3. o BGP information flooding overhead is less when compared to link- state IGPs. Since every BGP router calculates and propagates only the best-path selected, a network failure is masked as soon as the BGP speaker finds an alternate path, which exists when highly symmetric topologies, such as Clos, are coupled with anEBGP onlyEBGP-only design. In contrast, the event propagation scope of a link-state IGP is an entire area, regardless of the failure type. In this way, BGP better meets REQ3 and REQ4. It is also worth mentioning that all widely deployed link-state IGPs feature periodic refreshes of routing information while BGP does not expire routing state, although this rarely impacts modern router control planes. o BGP supports third-party (recursively resolved)next-hops.next hops. This allows for manipulating multipath to benon-ECMP basednon-ECMP-based orforwarding basedforwarding-based on application-defined paths, through establishment of a peering session with an application "controller"whichthat can inject routing information into the system, satisfying REQ5. OSPF provides similar functionality using concepts such as "Forwarding Address", but with more difficulty in implementation and far less control of information propagation scope. o Using a well-defined Autonomous System Number (ASN) allocation scheme and standard AS_PATH loop detection, "BGP path hunting" (see [JAKMA2008]) can be controlled and complex unwanted paths will be ignored. See Section 5.2 for an example of a working ASN allocation scheme. In a link-stateIGPIGP, accomplishing the same goal would require multi-(instance/topology/process) support, typically not available in all DC devices and quite complex to configure and troubleshoot. Using a traditional single flooding domain, which most DC designs utilize, under certain failure conditions may pick up unwanted lengthy paths, e.g., traversing multipleTier-2Tier 2 devices. o EBGP configuration that is implemented with minimal routing policy is easier to troubleshoot for network reachability issues. In most implementations, it is straightforward to view contents of the BGP Loc-RIB and compare it to the router'sRIB.Routing Information Base (RIB). Also, in mostimplementationsimplementations, an operator can view every BGP neighborsAdj-RIB- InAdj-RIB-In and Adj-RIB-Outstructuresstructures, and therefore incoming and outgoingNLRINetwork Layer Reachability Information (NLRI) information can be easily correlated on both sides of a BGP session. Thus, BGP satisfies REQ3. 5.2. EBGP Configuration for ClostopologyTopology Clos topologies that have more than 5 stages are very uncommon due to the large numbers of interconnects required by such a design. Therefore, the examples below are made with reference to the 5-stage Clos topology (in unfolded state). 5.2.1. EBGP Configuration Guidelines and Example ASN Scheme The diagram below illustrates an example of an ASN allocation scheme. The following is a list of guidelines that can be used: o EBGP single-hop sessions are established over direct point-to- point links interconnecting the network nodes, no multi-hop or loopback sessions areusedused, even in the case of multiple links between the same pair of nodes. o Private Use ASNs from the range 64512-65534 are used to avoid ASN conflicts. o A single ASN is allocated to all of the Clos topology'sTier-1Tier 1 devices. o A unique ASN is allocated to each set ofTier-2Tier 2 devices in the same cluster. o A unique ASN is allocated to everyTier-3Tier 3 device (e.g., ToR) in this topology. ASN 65534 +---------+ | +-----+ | | | | | +-|-| |-|-+ | | +-----+ | | ASN 646XX | | | | ASN 646XX +---------+ | | | | +---------+ | +-----+ | | | +-----+ | | | +-----+ | +-----------|-| |-|-+-|-| |-|-+-|-| |-|-----------+ | +---|-| |-|-+ | | | | +-|-| |-|---+ | | | | +-----+ | | +-----+ | | +-----+ | | | | | | | | | | | | | | | | | | | | | | | | | | +-----+ | | +-----+ | | +-----+ | | | | +-----+---|-| |-|-+ | | | | +-|-| |-|---+-----+ | | | | +-|-| |-|-+-|-| |-|-+-|-| |-|-+ | | | | | | | | +-----+ | | | +-----+ | | | +-----+ | | | | | | | | | +---------+ | | | | +---------+ | | | | | | | | | | | | | | | | +-----+ +-----+ | | +-----+ | | +-----+ +-----+ | ASN | | | +-|-| |-|-+ | | | | |65YYY| | ... | | | | | | ... | | ... | +-----+ +-----+ | +-----+ | +-----+ +-----+ | | | | +---------+ | | | | O O O O <- Servers -> O O O O Figure 4: BGP ASNlayoutLayout for5-stage5-Stage Clos 5.2.2. Private Use ASNs The original range of Private Use ASNs [RFC6996] limited operators to 1023 unique ASNs. Since it is quite likely that the number of network devices may exceed this number, a workaround is required. One approach is to re-use the ASNs assigned to theTier-3Tier 3 devices across different clusters. For example, Private Use ASNs 65001, 65002 ... 65032 could be used within every individual cluster and assigned toTier-3Tier 3 devices. To avoid route suppression due to the AS_PATH loop detection mechanism in BGP, upstream EBGP sessions onTier-3Tier 3 devices must be configured with the"AllowAS In""Allowas-in" feature [ALLOWASIN] that allows accepting a device's own ASN in received route advertisements. Although this feature is notstandarized,standardized, it is widely availableaccrossacross multiple vendors implementations. Introducing this feature does not make routing loops more likely in the design since the AS_PATH is being added to by routers at each of the topology tiers and AS_PATH length is an early tie breaker in the BGP path selection process. Further loop protection is still in place at theTier-1Tier 1 device, which will not accept routes with a path including its ownASN and Tier-2ASN. Tier 2 devices do not have direct connectivity with each other. Another solution to this problem would beusingto use Four-Octet ASNs ([RFC6793]), where there are additional Private Use ASNs available, see [IANA.AS]. Use of Four-Octet ASNs puts additional protocol complexity in the BGP implementation and should be balanced against the complexity of re-use when considering REQ3 and REQ4. Perhaps more importantly, they are not yet supported by all BGP implementations, which may limit vendor selection of DC equipment. When supported, ensure that deployed implementations are able to remove the Private Use ASNs when external connectivity (Section 5.2.4) to these ASNs is required. 5.2.3. Prefix Advertisement A Clos topology features a large number of point-to-point links and associated prefixes. Advertising all of these routes into BGP may create Forwarding Information Base (FIB) overload in the network devices. Advertising these links also puts additional path computation stress on the BGP control plane for little benefit. There are two possible solutions: o Do not advertise any of the point-to-point links into BGP. Since the EBGP-based design changes the next-hop address at every device, distant networks will automatically be reachable via the advertising EBGP peer and do not require reachability to these prefixes. However, this may complicate operations or monitoring: e.g., using the popular "traceroute" tool will display IP addresses that are not reachable. o Advertise point-to-point links, but summarize them on every device. This requires an address allocation scheme such as allocating a consecutive block of IP addresses perTier-1Tier 1 andTier-2Tier 2 device to be used for point-to-point interface addressing to the lower layers(Tier-2(Tier 2 uplinks will be allocated fromTier-1Tier 1 address blocks and so forth). Server subnets onTier-3Tier 3 devices must be announced into BGP without using route summarization onTier-2Tier 2 andTier-1Tier 1 devices. Summarizing subnets in a Clos topology results in route black-holing under a single link failure (e.g., betweenTier-2Tier 2 andTier-3 devices)Tier 3 devices), and hence must be avoided. The use of peer links within the same tier to resolve the black-holing problem by providing "bypass paths" is undesirable due to O(N^2) complexity of thepeering meshpeering-mesh and waste of ports on the devices. An alternative to thefull-meshfull mesh ofpeer-linkspeer links would beusingto use a simpler bypass topology, e.g., a "ring" as described in [FB4POST], but such a topology adds extra hops and hasverylimitedbisectionalbandwidth.Additionally requiringIt may require special tweaks to make BGP routingwork - such as possiblywork, e.g., splitting every device into an ASNonof its own. Later in this document, Section 8.2 introduces a less intrusive method for performing a limited form of route summarization in Clos networks and discusses its associatedtrade-offs.tradeoffs. 5.2.4. External Connectivity A dedicated cluster (or clusters) in the Clos topology could be used for the purpose of connecting to the Wide Area Network (WAN) edge devices, or WAN Routers.Tier-3Tier 3 devices in such a cluster would be replaced with WAN routers, and EBGP peering would be used again, though WAN routers are likely to belong to a public ASN if Internet connectivity is required in the design. TheTier-2Tier 2 devices in such a dedicated cluster will be referred to as "Border Routers" in this document. These devices have to perform a few special functions: o Hide network topology information when advertising paths to WAN routers, i.e., remove Private Use ASNs [RFC6996] from the AS_PATH attribute. This is typically done to avoid ASN number collisions between different data centers and also to provide a uniform AS_PATH length to the WAN for purposes of WAN ECMP toAnycastanycast prefixes originated in the topology. Animplementation specificimplementation-specific BGP feature typically called "Remove Private AS" is commonly used to accomplish this. Depending on implementation, the feature should strip a contiguous sequence of Private Use ASNs found in an AS_PATH attribute prior to advertising the path to a neighbor. This assumes that all ASNs used for intra data center numbering are from the Private Use ranges. The process for stripping the Private Use ASNs is not currently standardized, see[I-D.mitchell-grow-remove-private-as]. However[REMOVAL]. However, most implementations at least follow the logic described in this vendor's document [VENDOR-REMOVE-PRIVATE-AS], which is enough for the design specified. o Originate a default route to the data center devices. This is the only place where a default route can be originated, as route summarization is risky for the unmodified Clos topology. Alternatively, Border Routers may simply relay the default route learned from WAN routers. Advertising the default route from Border Routers requires that all Border Routers be fully connected to the WAN Routers upstream, to provide resistance to a single- link failure causing the black-holing of traffic. To prevent black-holing in the situation when all of the EBGP sessions to the WAN routers fail simultaneously on a given device, it is more desirable to readvertise the default route rather than originating the default route via complicated conditional route origination schemes provided by some implementations [CONDITIONALROUTE]. 5.2.5. Route Summarization at the Edge It is often desirable to summarize network reachability information prior to advertising it to the WAN network due to the high amount of IP prefixes originated from within the data center in a fully routed network design. For example, a network with 2000Tier-3Tier 3 devices will have at least 2000 servers subnets advertised into BGP, along with the infrastructure prefixes. However, as discussedbeforein Section 5.2.3, the proposed network design does not allow for route summarization due to the lack of peer links inside every tier. However, it is possible to lift this restriction for the BorderRouters,Routers by devising a different connectivity model for these devices. There are two options possible: o Interconnect the Border Routers using a full-mesh of physical links or using any other "peer-mesh" topology, such as ring or hub-and-spoke. Configure BGP accordingly on all Border Leafs to exchange network reachability information, e.g., by adding a mesh of IBGP sessions. The interconnecting peer links need to be appropriately sized for traffic that will be present in the case of a device or link failure in the mesh connecting the Border Routers. oTier-1Tier 1 devices may have additional physical links provisioned toward the Border Routers (which areTier-2Tier 2 devices from the perspective ofTier-1).Tier 1). Specifically, if protection from a single link or node failure is desired, eachTier-1 devicesTier 1 device would have to connect to at least two Border Routers. This puts additional requirements on the port count forTier-1Tier 1 devices and Border Routers, potentially making it anon-uniform,nonuniform, larger port count, device compared with the other devices in the Clos. This also reduces the number of ports available to "regular"Tier-2 switchesTier 2 switches, and hence the number of clusters that could be interconnected viathe Tier-1 layer.Tier 1. If any of the above options are implemented, it is possible to perform route summarization at the Border Routers toward the WAN network core without risking a routing black-hole condition under a single link failure. Both of the options would result innon-uniformnonuniform topology as additional links have to be provisioned on some network devices. 6. ECMP Considerations This section covers the Equal Cost Multipath (ECMP) functionality for Clos topology and discusses a few special requirements. 6.1. Basic ECMP ECMP is the fundamentalload sharingload-sharing mechanism used by a Clos topology. Effectively, every lower-tier device will use all of its directly attached upper-tier devices toload shareload-share traffic destined to the same IP prefix. The number of ECMP paths between any twoTier-3Tier 3 devices in Clos topology is equal to the number of the devices in the middle stage(Tier-1).(Tier 1). For example, Figure 5 illustrates a topology whereTier-3Tier 3 device A has four paths to reach servers X and Y, viaTier-2Tier 2 devices B and C and thenTier-1Tier 1 devices 1, 2, 3, and44, respectively.Tier-1Tier 1 +-----+ | DEV | +->| 1 |--+ | +-----+ |Tier-2Tier 2 | |Tier-2Tier 2 +-----+ | +-----+ | +-----+ +------------>| DEV |--+->| DEV |--+--| |-------------+ | +-----| B |--+ | 2 | +--| |-----+ | | | +-----+ +-----+ +-----+ | | | | | | | | +-----+ +-----+ +-----+ | | | +-----+---->| DEV |--+ | DEV | +--| |-----+-----+ | | | | +---| C |--+->| 3 |--+--| |---+ | | | | | | | +-----+ | +-----+ | +-----+ | | | | | | | | | | | | | | +-----+ +-----+ | +-----+ | +-----+ +-----+ | DEV | | |Tier-3Tier 3 +->| DEV |--+Tier-3Tier 3 | | | | | A | | | | 4 | | | | | +-----+ +-----+ +-----+ +-----+ +-----+ | | | | | | | | O O O O <- Servers -> X Y O O Figure 5: ECMPfan-out treeFan-Out Tree from A to X and Y The ECMP requirement implies that the BGP implementation must support multipath fan-out for up to the maximum number of devices directly attached at any point in the topology in the upstream or downstream direction. Normally, this number does not exceed half of the ports found on a device in the topology. For example, an ECMP fan-out of 32 would be required when building a Clos network using 64-port devices. The Border Routers may need to have wider fan-out to be able to connect to a multitude ofTier-1Tier 1 devices if route summarization at Border Router level is implemented as described in Section 5.2.5. If a device's hardware does not support wider ECMP, logical link-grouping (link-aggregation atlayerLayer 2) could be used to provide "hierarchical" ECMP (Layer 3 ECMP coupled with Layer 2 ECMP) to compensate for fan-out limitations. However, this approach increases the risk of flow polarization, as less entropy will be available at the second stage of ECMP. Most BGP implementations declare paths to be equal from an ECMP perspective if they match up to and including step (e) in Section 9.1.2.2 of [RFC4271]. In the proposed network design there is no underlying IGP, so all IGP costs are assumed to be zero or otherwise the same value across all paths and policies may be applied as necessary to equalize BGP attributes that vary in vendor defaults, such asMEDthe MULTI_EXIT_DISC (MED) attribute and origin code. For historicalreasonsreasons, it is also useful to not use 0 as the equalized MED value; this and some other useful BGP information is available in[RFC4277] .[RFC4277]. Routing loops are unlikely due to the BGP best-path selection processwhich(which prefers shorter AS_PATHlength,length), and longer paths through theTier-1Tier 1 deviceswhich(which don't allow their own ASN in thepath and have the same ASNpath) arealsonot possible. 6.2. BGP ECMP over Multiple ASNs For applicationload balancing purposesload-balancing purposes, it is desirable to have the same prefix advertised from multipleTier-3Tier 3 devices. From the perspective of other devices, such a prefix would have BGP paths with different AS_PATH attribute values, while having the same AS_PATH attribute lengths. Therefore, BGP implementations must supportloadload- sharing over the above-mentioned paths. This feature is sometimes known as "multipath relax" or "multipathmultiple-as"multiple-AS" and effectively allows for ECMP to be done across different neighboring ASNs if all other attributes are equal as already described in the previous section. 6.3. Weighted ECMP It may be desirable for the network devices to implement "weighted" ECMP, to be able to send more traffic over some paths in ECMP fan- out. This could be helpful to compensate for failures in the network and send more traffic over paths that have more capacity. The prefixes that require weighted ECMP would have to be injected using remote BGP speaker (central agent) over amultihopmulti-hop session as described further in Section 8.1. If support in implementations is available,weight-distributionweight distribution for multiple BGP paths could be signaled using the technique described in[I-D.ietf-idr-link-bandwidth].[LINK]. 6.4. Consistent Hashing It is often desirable to have the hashing function used for ECMP to be consistent (see [CONS-HASH]), to minimize the impact on flow to next-hop affinity changes when anext-hopnext hop is added or removed to an ECMP group. This could be used if the network device is used as a load balancer, mapping flows toward multiple destinations--- in this case, losing or adding a destination will not have a detrimental effect on currently established flows. One particular recommendation on implementing consistent hashing is provided in [RFC2992], though other implementations are possible. This functionality could be naturally combined with weighted ECMP, with the impact of thenext-next hop changes being proportional to the weight of the givennext-hop.next hop. The downside of consistent hashing is increased load on hardware resource utilization, as typically more resources (e.g.,TCAMTernary Content-Addressable Memory (TCAM) space) are required to implement a consistent-hashing function. 7. Routing Convergence Properties This section reviews routing convergence properties in the proposed design. A case is made that sub-second convergence is achievable if the implementation supports fast EBGP peering session deactivation and timely RIB and FIBupdateupdates upon failure of the associated link. 7.1. Fault Detection Timing BGP typically relies on an IGP to route around link/node failures inside an AS, and implements either apolling basedpolling-based or an event- driven mechanism to obtain updates on IGP state changes. The proposed routing design does not use an IGP, so the remaining mechanisms that could be used for fault detection are BGP keep-alive time-out (or any other type of keep-alive mechanism) and link-failure triggers. Relying solely on BGP keep-alive packets may result in high convergence delays, on the order of multiple seconds (on many BGP implementations the minimum configurable BGP hold timer value is three seconds). However, many BGP implementations can shut down local EBGP peering sessions in response to the "link down" event for the outgoing interface used for BGP peering. This feature is sometimes called "fast fallover". Since links in modern data centers are predominantly point-to-point fiber connections, a physical interface failure is often detected in milliseconds and subsequently triggers a BGPre-convergence.reconvergence. Ethernet links may support failure signaling or detection standards such as Connectivity Fault Management (CFM) as described in[IEEE8021Q], which[IEEE8021Q]; this may make failure detection more robust. Alternatively, some platforms may support Bidirectional Forwarding Detection (BFD) [RFC5880] to allow for sub-second failure detection and fault signaling to the BGP process. However, the use of either of these presents additional requirements to vendor software and possibly hardware, and may contradict REQ1. Until recently with [RFC7130], BFD also did not allow detection of a single member link failure on a LAG, which would have limited its usefulness in some designs. 7.2. Event Propagation Timing In the proposeddesigndesign, the impact of the BGPMinimum Route Advertisement Interval (MRAI) timer (See sectionMinRouteAdvertisementIntervalTimer (MRAI timer), as specified in Section 9.2.1.1 of[RFC4271])[RFC4271], should be considered. Per thestandardstandard, it is required for BGP implementations to space out consecutive BGP UPDATE messages by at least MRAI seconds, which is often a configurable value. The initial BGP UPDATE messages after an event carrying withdrawn routes are commonly not affected by this timer. The MRAI timer may present significant convergence delays when a BGP speaker "waits" for the new path to be learned from its peers and has no local backup path information. In a Clostopologytopology, each EBGP speaker typically has either one path(Tier-2(Tier 2 devices don't accept paths from otherTier-2Tier 2 in the same cluster due to same ASN) or N paths for the same prefix, where N is a significantly large number, e.g., N=32 (the ECMP fan-out to the nextTier).tier). Therefore, if a link fails to another device from which a path is received there is either no backup path at all (e.g., from the perspective of aTier-2Tier 2 switch losing the link to aTier-3Tier 3 device), or the backup is readily available in BGP Loc-RIB (e.g., from the perspective of aTier-2Tier 2 device losing the link to aTier-1Tier 1 switch). In the former case, the BGP withdrawal announcement will propagate without delay and triggerre-convergencereconvergence on affected devices. In the latter case, thebest-pathbest path will bere-evaluatedre-evaluated, and the local ECMP group corresponding to the new next-hop set will be changed. If the BGP path was thebest-pathbest path selected previously, an "implicit withdraw" will be sent via a BGP UPDATE message as described as Option b in Section 3.1 of [RFC4271] due to the BGP AS_PATH attribute changing. 7.3. Impact of Clos TopologyFan-outsFan-Outs Clos topology has large fan-outs, which may impact the "Up->Down" convergence in some cases, as described in this section. In a situation when a link betweenTier-3Tier 3 andTier-2Tier 2 device fails, theTier-2Tier 2 device will send BGP UPDATE messages to all upstreamTier-1Tier 1 devices, withdrawing the affected prefixes. TheTier-1Tier 1 devices, in turn, will relay these messages to all downstreamTier-2Tier 2 devices (except for the originator).Tier-2Tier 2 devices other than the one originating the UPDATE should then wait for ALL upstreamTier-1Tier 1 devices to send an UPDATE message before removing the affected prefixes and sending corresponding UPDATE downstream to connectedTier-3Tier 3 devices. If the originalTier-2Tier 2 device or the relayingTier-1Tier 1 devices introduce some delay into their UPDATE message announcements, the result could be UPDATE message "dispersion", that could be as long as multiple seconds. In order to avoid such a behavior, BGP implementations must support "update groups". The "update group" is defined as a collection of neighbors sharing the same outbound policy--- the local speaker will send BGP updates to the members of the group synchronously. The impact of such "dispersion" grows with the size of topology fan- out and could also grow under network convergence churn. Some operators may be tempted to introduce "route flap dampening" type features that vendors include to reduce thecontrol planecontrol-plane impact of rapidly flapping prefixes. However, due to issues described with false positives in these implementations especially under such "dispersion" events, it is not recommended to enable this feature in this design. More background and issues with "route flap dampening" and possible implementation changes that could affect this are well described in [RFC7196]. 7.4. Failure Impact Scope A network is declared to converge in response to a failure once all devices within the failure impact scope are notified of the event and havere-calculatedrecalculated their RIBs and consequently updated their FIBs. Larger failure impact scope typically means slower convergence since more devices have to be notified, and results in a less stable network. In thissectionsection, we describe BGP's advantages over link- state routing protocols in reducing failure impact scope for a Clos topology. BGP behaves like a distance-vector protocol in the sense that only the best path from the point of view of the local router is sent to neighbors. As such, some failures are masked if the local node can immediately find a backup path and does not have to send any updates further. Notice that in the worst case, all devices in a data center topology have to either withdraw a prefix completely or update the ECMP groups in their FIBs. However, many failures will not result in such a wide impact. There are two main failure types where impact scope is reduced: o Failure of a link betweenTier-2Tier 2 andTier-1Tier 1 devices: In this case, aTier-2Tier 2 device will update the affected ECMP groups, removing the failed link. There is no need to send new information to downstreamTier-3Tier 3 devices, unless the path was selected as best by the BGP process, in which case only an "implicit withdraw" needs to besent, whichsent and this should not affect forwarding. The affectedTier-1Tier 1 device will lose the only path available to reach a particular cluster and will have to withdraw the associated prefixes. Such a prefix withdrawal process will only affectTier-2Tier 2 devices directly connected to the affectedTier-1Tier 1 device. TheTier-2Tier 2 devices receiving the BGP UPDATE messages withdrawing prefixes will simply have to update their ECMP groups. TheTier-3Tier 3 devices are not involved in there-convergencereconvergence process. o Failure of aTier-1Tier 1 device: In this case, allTier-2Tier 2 devices directly attached to the failed node will have to update their ECMP groups for all IP prefixes from a non-local cluster. TheTier-3Tier 3 devices are once again not involved in there-convergencereconvergence process, but may receive "implicit withdraws" as described above. Even in the case of such failures where multiple IP prefixes will have to be reprogrammed in the FIB, it is worth noting that all of these prefixes share a single ECMP group onTier-2a Tier 2 device. Therefore, in the case of implementations with a hierarchical FIB, only a single change has to be made to the FIB.Hierarchical FIB"Hierarchical FIB" here means FIB structure where the next-hop forwarding information is stored separately from the prefix lookup table, and the latter only stores pointers to the respective forwarding information. See[I-D.ietf-rtgwg-bgp-pic][BGP-PIC] for discussion of FIB hierarchies and fast convergence. Even though BGP offers reduced failure scope for some cases, further reduction of the fault domain using summarization is not always possible with the proposed design, since using this technique may create routing black-holes as mentioned previously. Therefore, the worstcontrol planefailure impact scope on the control plane is the network as awhole,whole -- forinstanceinstance, in the case of a link failure betweenTier-2Tier 2 andTier-3Tier 3 devices. The amount of impacted prefixes in this case would be much less than in the case of a failure in the upper layers of a Clos network topology. The property of having such large failure scope is not a result of choosing EBGP in the design but rather a result of using the Clos topology. 7.5. Routing Micro-Loops When a downstream device, e.g.,Tier-2Tier 2 device, loses all paths for a prefix, it normally has the default route pointing toward the upstreamdevice,device -- in thiscasecase, theTier-1Tier 1 device. As a result, it is possible to get in the situation where aTier-2Tier 2 switch loses a prefix, but aTier-1Tier 1 switch still has the path pointing to theTier-2 device, whichTier 2 device; this results in a transient micro-loop, since theTier-1Tier 1 switch will keep passing packets to the affected prefix back to theTier-2Tier 2 device, and theTier-2Tier 2 will bounce them back again using the default route. This micro-loop will last for theduration oftime it takes the upstream device to fully update its forwarding tables. To minimize impact of such micro-loops,Tier-2Tier 2 andTier-1Tier 1 switches can be configured with static "discard" or "null" routes that will be more specific than the default route for prefixes missing during network convergence. ForTier-2Tier 2 switches, the discard route should be a summary route, covering all server subnets of the underlyingTier-3Tier 3 devices. ForTier-1Tier 1 devices, the discard route should be a summary covering the server IP address subnets allocated for the whole data center. Those discard routes will only take precedence for the duration of network convergence, until the device learns a more specific prefix via a new path. 8. Additional Options for Design 8.1.Third-partyThird-Party Route Injection BGP allows for a "third-party", i.e., a directlyattached,attached BGPspeakerspeaker, to inject routes anywhere in the network topology, meeting REQ5. This can be achieved by peering via amultihopmulti-hop BGP session with some or even all devices in the topology. Furthermore, BGP diverse path distribution [RFC6774] could be used to inject multiple BGP next hops for the same prefix to facilitate load balancing, or using the BGP ADD-PATH capability[I-D.ietf-idr-add-paths][RFC7911] if supported by the implementation. Unfortunately, in manyimplementationsimplementations, ADD-PATH has been found to only support IBGP properlydue toin the use cases for which it was originallyoptimized for, whichoptimized; this limits the "third-party" peering to IBGP only. To implement route injection in the proposed design, a third-party BGP speaker may peer withTier-3Tier 3 andTier-1Tier 1 switches, injecting the same prefix, but using a special set of BGPnext-hopsnext hops forTier-1Tier 1 devices. Thosenext-hopsnext hops are assumed to resolve recursively via BGP, and could be, for example, IP addresses onTier-3Tier 3 devices. The resulting forwarding table programming could provide desired traffic proportion distribution among different clusters. 8.2. Route Summarization within Clos Topology As mentioned previously, route summarization is not possible within the proposed Clos topology since it makes the network susceptible to route black-holing under single link failures. The main problem is the limited number of redundant paths between network elements, e.g., there is only a single path between any pair ofTier-1Tier 1 andTier-3Tier 3 devices. However, some operators may find route aggregation desirable to improvecontrol planecontrol-plane stability. If any technique to summarize within the topology is planned, modeling of the routing behavior and potential for black-holing should be done not only for single or multiple link failures, but also for fiber pathway failures or optical domain failures when the topology extends beyond a physical location. Simple modeling can be done by checking the reachability on devices doing summarization under the condition of a link or pathway failure between a set of devices in every tier as well as to the WAN routers when external connectivity is present. Route summarization would be possible with a small modification to the network topology, though thetrade-offtradeoff would be reduction of the total size of the network as well as network congestion under specific failures. This approach is very similar to the technique described above, which allows Border Routers to summarize the entire data center address space. 8.2.1. CollapsingTier-1Tier 1 Devices Layer In order to add more paths betweenTier-1Tier 1 andTier-3Tier 3 devices, groupTier-2Tier 2 devices into pairs, and then connect the pairs to the same group ofTier-1Tier 1 devices. This is logically equivalent to "collapsing"Tier-1Tier 1 devices into a group of half the size, merging the links on the "collapsed" devices. The result is illustrated in Figure 6. For example, in this topology DEV C and DEV D connect to the same set ofTier-1Tier 1 devices (DEV 1 and DEV 2), whereas before they were connecting to different groups ofTier-1Tier 1 devices.Tier-2 Tier-1 Tier-2Tier 2 Tier 1 Tier 2 +-----+ +-----+ +-----+ +-------------| DEV |------| DEV |------| |-------------+ | +-----| C |--++--| 1 |--++--| |-----+ | | | +-----+ || +-----+ || +-----+ | | | | || || | | | | +-----+ || +-----+ || +-----+ | | | +-----+-----| DEV |--++--| DEV |--++--| |-----+-----+ | | | | +---| D |------| 2 |------| |---+ | | | | | | | +-----+ +-----+ +-----+ | | | | | | | | | | | | +-----+ +-----+ +-----+ +-----+ | DEV | | DEV | | | | | | A | | B |Tier-3 Tier-3Tier 3 Tier 3 | | | | +-----+ +-----+ +-----+ +-----+ | | | | | | | | O O O O <- Servers -> O O O O Figure 6: 5-Stage ClostopologyTopology Having this design in place,Tier-2Tier 2 devices may be configured to advertise only a default route down toTier-3Tier 3 devices. If a link betweenTier-2Tier 2 andTier-3Tier 3 fails, the traffic will be re-routed via the second available path known to aTier-2Tier 2 switch. It is still not possible to advertise a summary route covering prefixes for a single cluster fromTier-2Tier 2 devices since each of them has only a single path down to this prefix. It would require dual-homed servers to accomplish that. Also note that this design is only resilient to single link failures. It is possible for a double link failure to isolate aTier-2Tier 2 device from all paths toward a specificTier-3Tier 3 device, thus causing a routing black-hole. A result of the proposed topology modification would be a reduction ofTier-1 devicesthe portcapacity.capacity of Tier 1 devices. This limits the maximum number of attachedTier-2 devicesTier 2 devices, and therefore will limit the maximum DC network size. A larger network would require differentTier-1Tier 1 devices that have higher port density to implement this change. Another problem is trafficre-balancingrebalancing under link failures. Since there are two paths fromTier-1Tier 1 toTier-3,Tier 3, a failure of the link betweenTier-1Tier 1 andTier-2Tier 2 switch would result in all traffic that was taking the failed link to switch to the remaining path. This will result in doubling the link utilization on the remaining link. 8.2.2. Simple Virtual Aggregation A completely different approach to route summarization is possible, provided that the main goal is to reduce the FIB size, while allowing the control plane to disseminate full routing information. Firstly, it could be easily noted that in many cases multiple prefixes, some of which are less specific, share the same set of thenext-hopsnext hops (same ECMP group). For example,lookingfrom the perspective ofa Tier-3Tier 3 devices, all routes learned from upstreamTier-2's,Tier 2 devices, including the default route, will share the same set of BGPnext-hops,next hops, provided that there are no failures in the network. This makes it possible to use the technique similar to that described in [RFC6769] and only install the least specific route in the FIB, ignoring more specific routes if they share the same next-hop set. For example, under normal network conditions, only the default route needs to be programmed into the FIB. Furthermore, if theTier-2Tier 2 devices are configured with summary prefixes covering all of their attachedTier-3Tier 3 device's prefixes, the same logic could be applied inTier-1Tier 1 devices aswell,well and, by induction toTier-2/Tier-3Tier 2/Tier 3 switches in different clusters. These summary routes should still allow for more specific prefixes to leak toTier-1Tier 1 devices, to enable detection of mismatches in the next-hop sets if a particular link fails, thus changing the next-hop set for a specific prefix.Re-statingRestating once again, this technique does not reduce the amount ofcontrol planecontrol-plane state (i.e., BGPUPDATEs/BGP LocRIBUPDATEs, BGP Loc-RIB size), but only allows for more efficient FIB utilization, by detecting more specific prefixes that share their next-hop set with a subsuming less specific prefix. 8.3. ICMP Unreachable Message Masquerading This section discusses some operational aspects of not advertising point-to-point link subnets into BGP, as previously identified as an option in Section 5.2.3. The operational impact of this decision could be seen when using the well-known "traceroute" tool. Specifically, IP addresses displayed by the tool will be the link's point-to-point addresses, and hence will be unreachable for management connectivity. This makes some troubleshooting more complicated. One way to overcome this limitation is by using the DNS subsystem to create the "reverse" entries for these point-to-point IP addresses pointing to the same name as the loopback address. The connectivity then can be made by resolving this name to the "primary" IP address of thedevices,device, e.g., its Loopback interface, which is always advertised into BGP. However, this creates a dependency on the DNS subsystem, which may be unavailable during an outage. Another option is to make the network device perform IP address masquerading, thatisis, rewriting the source IP addresses of the appropriate ICMP messages sent by the device with the "primary" IP address of the device. Specifically, the ICMP Destination Unreachable Message (type 3)codescode 3 (port unreachable) and ICMP Time Exceeded (type 11) code0, which0 are required for correct operation of the "traceroute" tool. With this modification, the "traceroute" probes sent to the devices will always be sent back with the "primary" IP address as the source, allowing the operator to discover the "reachable" IP address of the box. This has the downside of hiding the address of the "entry point" into the device. If the devices support [RFC5837], this may allow the best of both worlds by providing the information about the incoming interface even if the return address is the "primary" IP address. 9. Security Considerations The design does not introduce any additional security concerns. General BGP security considerations are discussed in [RFC4271] and [RFC4272]. Since a DC is asingle operatorsingle-operator domain, this document assumes that edge filtering is in place to prevent attacks against the BGP sessions themselves from outside the perimeter of the DC. This may be a more feasible option for most deployments than having to deal with key management forTCP-MD5TCP MD5 as described in [RFC2385] or dealing with the lack of implementations of the TCP Authentication Option [RFC5925] available at the time ofthis documentpublication of[RFC5925].this document. The Generalized TTL Security Mechanism [RFC5082] could also be used to further reduce the risk of BGP session spoofing. 10.IANA Considerations This document includes no request to IANA. 11. Acknowledgements This publication summarizes work of many people who participated in developing, testing and deploying the proposed network design, some of whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, Robert Toomey, and Lihua Yuan. Authors would also like to thank Linda Dunbar, Anoop Ghanwani, Susan Hares, Danny McPherson, Robert Raszuk and Russ White for reviewing this document and providing valuable feedback and Mary Mitchell for initial grammar and style suggestions. 12. References 12.1. Normative References [RFC4271] Rekhter, Y., Ed., Li, T., Ed.,References 10.1. Normative References [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January2006, <http://www.rfc-editor.org/info/rfc4271>. [RFC6996]2006, <http://www.rfc-editor.org/info/rfc4271>. [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 2013, <http://www.rfc-editor.org/info/rfc6996>. 10.2. Informative References [ALFARES2008] Al-Fares, M., Loukissas, A., and A. Vahdat, "A Scalable, Commodity Data Center Network Architecture", DOI 10.1145/1402958.1402967, August 2008, <http://dl.acm.org/citation.cfm?id=1402967>. [ALLOWASIN] Cisco Systems, "Allowas-in Feature in BGP Configuration Example", February 2015, <http://www.cisco.com/c/en/us/support/docs/ip/border- gateway-protocol-bgp/112236-allowas-in-bgp-config- example.html>. [BGP-PIC] Bashandy, A., Filsfils, C., and P. Mohapatra, "BGP Prefix Independent Convergence", Work in Progress, draft-ietf- rtgwg-bgp-pic-01, June 2016. [CLOS1953] Clos, C., "A Study of Non-Blocking Switching Networks", The Bell System Technical Journal, Vol. 32(2), DOI 10.1002/j.1538-7305.1953.tb01433.x, March 1953. [CONDITIONALROUTE] Cisco Systems, "Configuring and Verifying the BGP Conditional Advertisement Feature", August 2005, <http://www.cisco.com/c/en/us/support/docs/ip/ border-gateway-protocol-bgp/16137-cond-adv.html>. [CONS-HASH] Wikipedia, "Consistent Hashing", July 2016, <https://en.wikipedia.org/w/ index.php?title=Consistent_hashing&oldid=728825684>. [FB4POST] Farrington, N. and A. Andreyev, "Facebook's Data Center Network Architecture", May 2013, <http://nathanfarrington.com/papers/facebook-oic13.pdf>. [GREENBERG2009] Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a Cloud: Research Problems in Data Center Networks", DOI 10.1145/1496091.1496103, January 2009, <http://dl.acm.org/citation.cfm?id=1496103>. [HADOOP] Apache, "Apache Hadoop", April 2016, <https://hadoop.apache.org/>. [IANA.AS] IANA, "Autonomous System (AS) Numbers", <http://www.iana.org/assignments/as-numbers>. [IEEE8021D-1990] IEEE, "IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges", IEEE Std 802.1D, DOI 10.1109/IEEESTD.1991.101050, 1991, <http://ieeexplore.ieee.org/servlet/opac?punumber=2255>. [IEEE8021D-2004] IEEE, "IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges", IEEE Std 802.1D, DOI 10.1109/IEEESTD.2004.94569, June 2004, <http://ieeexplore.ieee.org/servlet/opac?punumber=9155>. [IEEE8021Q] IEEE, "IEEE Standard for Local and Metropolitan Area Networks: Bridges and Bridged Networks", IEEE Std 802.1Q, DOI 10.1109/IEEESTD.2014.6991462, <http://ieeexplore.ieee.org/servlet/ opac?punumber=6991460>. [IEEE8023AD] IEEE, "Amendment to Carrier Sense Multiple Access With Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications - Aggregation of Multiple Link Segments", IEEE Std 802.3ad, DOI 10.1109/IEEESTD.2000.91610, October 2000, <http://ieeexplore.ieee.org/servlet/opac?punumber=6867>. [INTERCON] Dally, W. and B. Towles, "Principles and Practices of Interconnection Networks", ISBN 978-0122007514, January 2004, <http://dl.acm.org/citation.cfm?id=995703>. [JAKMA2008] Jakma, P., "BGP Path Hunting", 2008, <https://blogs.oracle.com/paulj/entry/bgp_path_hunting>. [L3DSR] Schaumann, J., "L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing", 2011, <https://www.nanog.org/meetings/nanog51/presentations/ Monday/NANOG51.Talk45.nanog51-Schaumann.pdf>. [LINK] Mohapatra, P. and R. Fernando, "BGP Link Bandwidth Extended Community", Work in Progress, draft-ietf-idr- link-bandwidth-06, January 2013. [REMOVAL] Mitchell, J.,"AutonomousRao, D., and R. Raszuk, "Private Autonomous System (AS)Reservation for Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 2013, <http://www.rfc-editor.org/info/rfc6996>. 12.2. Informative ReferencesRemoval Requirements", Work in Progress, draft-mitchell-grow-remove-private-as-04, April 2015. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, DOI 10.17487/RFC2328, April 1998, <http://www.rfc-editor.org/info/rfc2328>. [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, DOI 10.17487/RFC2385, August 1998, <http://www.rfc-editor.org/info/rfc2385>. [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, <http://www.rfc-editor.org/info/rfc2992>. [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC 4272, DOI 10.17487/RFC4272, January 2006, <http://www.rfc-editor.org/info/rfc4272>. [RFC4277] McPherson, D. and K. Patel, "Experience with the BGP-4 Protocol", RFC 4277, DOI 10.17487/RFC4277, January 2006, <http://www.rfc-editor.org/info/rfc4277>. [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786, December 2006, <http://www.rfc-editor.org/info/rfc4786>. [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C. Pignataro, "The Generalized TTL Security Mechanism (GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007, <http://www.rfc-editor.org/info/rfc5082>. [RFC5837] Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed., Shen, N., and JR. Rivers, "Extending ICMP for Interface and Next-Hop Identification", RFC 5837, DOI 10.17487/RFC5837, April 2010, <http://www.rfc-editor.org/info/rfc5837>. [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, <http://www.rfc-editor.org/info/rfc5880>. [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, DOI 10.17487/RFC5925, June 2010, <http://www.rfc-editor.org/info/rfc5925>. [RFC6325] Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and A. Ghanwani, "Routing Bridges (RBridges): Base Protocol Specification", RFC 6325, DOI 10.17487/RFC6325, July 2011, <http://www.rfc-editor.org/info/rfc6325>. [RFC6769] Raszuk, R., Heitz, J., Lo, A., Zhang, L., and X. Xu, "Simple Virtual Aggregation (S-VA)", RFC 6769, DOI 10.17487/RFC6769, October 2012, <http://www.rfc-editor.org/info/rfc6769>. [RFC6774] Raszuk, R., Ed., Fernando, R., Patel, K., McPherson, D., and K. Kumaki, "Distribution of Diverse BGP Paths", RFC 6774, DOI 10.17487/RFC6774, November 2012, <http://www.rfc-editor.org/info/rfc6774>. [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet Autonomous System (AS) Number Space", RFC 6793, DOI 10.17487/RFC6793, December 2012, <http://www.rfc-editor.org/info/rfc6793>. [RFC7067] Dunbar, L., Eastlake 3rd, D., Perlman, R., and I. Gashinsky, "Directory Assistance Problem and High-Level Design Proposal", RFC 7067, DOI 10.17487/RFC7067, November2013, <http://www.rfc-editor.org/info/rfc7067>. [RFC7130] Bhatia, M., Ed., Chen, M., Ed., Boutros, S., Ed., Binderberger, M., Ed., and J. Haas, Ed., "Bidirectional Forwarding Detection (BFD) on Link Aggregation Group (LAG) Interfaces", RFC 7130, DOI 10.17487/RFC7130, February 2014, <http://www.rfc-editor.org/info/rfc7130>. [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O. Maennel, "Making Route Flap Damping Usable", RFC 7196, DOI 10.17487/RFC7196, May 2014, <http://www.rfc-editor.org/info/rfc7196>. [I-D.ietf-idr-add-paths] Walton, D., Retana, A., Chen, E., and J. Scudder, "Advertisement of Multiple Paths in BGP", draft-ietf-idr- add-paths-15 (work in progress), May 2016. [I-D.ietf-idr-link-bandwidth] Mohapatra, P. and R. Fernando, "BGP Link Bandwidth Extended Community", draft-ietf-idr-link-bandwidth-06 (work in progress), January 2013. [I-D.ietf-rtgwg-bgp-pic] Bashandy, A., Filsfils, C., and P. Mohapatra, "Abstract", draft-ietf-rtgwg-bgp-pic-00 (work in progress), December 2015. [I-D.mitchell-grow-remove-private-as] Mitchell, J., Rao, D., and R. Raszuk, "Private Autonomous System (AS) Removal Requirements", draft-mitchell-grow- remove-private-as-04 (work in progress), April 2015. [CLOS1953] Clos, C., "A Study of Non-Blocking Switching Networks: Bell System Technical Journal Vol. 32(2)", March 1953. [HADOOP] Apache, , "Apache HaDoop", April 2016, <https://hadoop.apache.org/>. [GREENBERG2009] Greenberg, A., Hamilton, J., and D. Maltz, "The Cost of a Cloud: Research Problems in Data Center Networks", January 2009. [IEEE8021D-1990] IEEE 802.1D, , "IEEE Standard for Local and Metropolitan Area Networks--Media access control (MAC) Bridges", May 1990. [IEEE8021D-2004] IEEE 802.1D, , "IEEE Standard for Local and Metropolitan Area Networks--Media access control (MAC) Bridges", February 2004. [IEEE8021Q] IEEE 802.1Q, , "IEEE Standard for Local and metropolitan area networks--Bridges and Bridged Networks", December 2014. [INTERCON] Dally, W.2013, <http://www.rfc-editor.org/info/rfc7067>. [RFC7130] Bhatia, M., Ed., Chen, M., Ed., Boutros, S., Ed., Binderberger, M., Ed., andB. Towles, "PrinciplesJ. Haas, Ed., "Bidirectional Forwarding Detection (BFD) on Link Aggregation Group (LAG) Interfaces", RFC 7130, DOI 10.17487/RFC7130, February 2014, <http://www.rfc-editor.org/info/rfc7130>. [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., andPractices of Interconnection Networks", ISBN 978-0122007514, January 2004. [ALFARES2008] Al-Fares, M., Loukissas,O. Maennel, "Making Route Flap Damping Usable", RFC 7196, DOI 10.17487/RFC7196, May 2014, <http://www.rfc-editor.org/info/rfc7196>. [RFC7911] Walton, D., Retana, A., Chen, E., andA. Vahdat, "A Scalable, Commodity Data Center Network Architecture", August 2008. [IANA.AS] IANA, , "Autonomous System (AS) Numbers", June 2016, <http://www.iana.org/assignments/as-numbers/>. [IEEE8023AD] IEEE 802.3ad, , "IEEE Standard for Link aggregation for parallel links", October 2000. [ALLOWASIN] Cisco Systems, , "Allowas-in FeatureJ. Scudder, "Advertisement of Multiple Paths inBGP Configuration Example", JuneBGP", RFC 7911, DOI 10.17487/RFC7911, July 2016,<http://www.cisco.com/c/en/us/support/docs/ip/border- gateway-protocol-bgp/112236-allowas-in-bgp-config- example.html>.<http://www.rfc-editor.org/info/rfc7911>. [VENDOR-REMOVE-PRIVATE-AS] Cisco Systems,,"Removing Private Autonomous System Numbers in BGP", August 2005, <http://www.cisco.com/en/US/tech/tk365/ technologies_tech_note09186a0080093f27.shtml>.[CONDITIONALROUTE] Cisco Systems, , "Configuring and VerifyingAcknowledgements This publication summarizes theBGP Conditional Advertisement Feature", August 2005, <http://www.cisco.com/c/en/us/support/docs/ip/ border-gateway-protocol-bgp/16137-cond-adv.html>. [FB4POST] Farrington, N.work of many people who participated in developing, testing, andA. Andreyev, "Facebook's Data Center Network Architecture", May 2013, <http://nathanfarrington.com/papers/facebook-oic13.pdf>. [JAKMA2008] Jakma, P., "BGP Path Hunting", 2008, <https://blogs.oracle.com/paulj/entry/bgp_path_hunting>. [CONS-HASH] Wikipedia, , "Consistent Hashing", <http://en.wikipedia.org/wiki/Consistent_hashing>. [L3DSR] Schaumann, J., "L3DSR - Overcoming Layer 2 Limitationsdeploying the proposed network design, some ofDirect Server Return Load Balancing", 2011, <https://www.nanog.org/meetings/nanog51/presentations/ Monday/NANOG51.Talk45.nanog51-Schaumann.pdf>.whom were George Chen, Parantap Lahiri, Dave Maltz, Edet Nkposong, Robert Toomey, and Lihua Yuan. The authors would also like to thank Linda Dunbar, Anoop Ghanwani, Susan Hares, Danny McPherson, Robert Raszuk, and Russ White for reviewing this document and providing valuable feedback, and Mary Mitchell for initial grammar and style suggestions. Authors' Addresses Petr Lapukhov Facebook 1 Hacker Way Menlo Park, CA 94025USUnited States of America Email: petr@fb.com Ariff Premji Arista Networks 5453 Great America Parkway Santa Clara, CA 95054USUnited States of America Email: ariff@arista.com URI: http://arista.com/ Jon Mitchell (editor) Email: jrmitche@puck.nether.net