CNaaS Compatible Network Designs

If you deploy new network equipment outside of the CNaaS service but still want to maintain compatibility with the CNaaS design for possible future integrations, you can use these guidelines to get as close as possible to a compatible design.

Requirements core/dist:

  1. VXLAN/EVPN fabric between core/dist (leaf/spine) devices, IPv4 routed/L3 point-to-point links between core/dist
  2. Each dist/core device has two loopbacks, one in global/main VRF used for EVPN peering ("infra loopback") and one loopback in a dedicated management VRF ("management loopback")
  3. Core devices are only used for connecting distribution switches. External connectivity, firewalls etc are all connected to dist switches (possibly dedicated border dist)
  4. Deploy dist switches in pairs, with access switches connected redundantly to two dist switches
  5. Mature API for management and monitoring (Netconf, SNMP etc)

Optional core/dist:

  1. Each core/dist device in a separate private 4-byte AS, eBGP IPv4 peering to all neighbors. EVPN peering from all dist infra loopback to core infra loopback, core acts as route-reflector (possibly OSPF or IS-IS for underlay)
  2. EVPN ESI LAG from dist pair towards access switch for redundancy (possibly multi-chassis/vPC for redundancy)

Requirements access:

  1. VLAN tagging
  2. 802.1X and MAB
  3. Mature API for management and monitoring (Netconf, SNMP etc)

You can have a look at specific configuration examples in our Jinja2 CLI templates: https://github.com/SUNET/cnaas-nms-templates
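
The topology rules above can be checked mechanically before a future integration. The following is an added example, not code from CNaaS-NMS or its templates: the inventory layout, device names, VRF names and AS numbers are all assumptions made up for illustration. It checks core/dist requirements 2 to 4 and optional item 1.

```python
# Added example: the inventory layout below is hypothetical, not a CNaaS-NMS format.
PRIVATE_4BYTE_AS = range(4200000000, 4294967295)  # RFC 6996: 4200000000-4294967294

def check_design(devices, links):
    """Return sorted findings; an empty list means the inventory matches the guidelines."""
    findings, seen_asn = [], {}
    role = {name: d["role"] for name, d in devices.items()}
    neighbors = {name: set() for name in devices}
    for a, b in links:
        neighbors[a].add(b)
        neighbors[b].add(a)
    for name, d in devices.items():
        if d["role"] in ("core", "dist"):
            # Requirement 2: infra loopback in global VRF plus management loopback in its own VRF
            vrfs = set(d.get("loopbacks", {}).values())
            if "global" not in vrfs:
                findings.append(f"{name}: no infra loopback in global VRF")
            if not vrfs - {"global"}:
                findings.append(f"{name}: no management loopback in a dedicated VRF")
            # Optional 1: a separate private 4-byte AS per core/dist device
            asn = d.get("asn")
            if asn is not None and asn not in PRIVATE_4BYTE_AS:
                findings.append(f"{name}: AS {asn} is not a private 4-byte AS")
            if asn is not None and asn in seen_asn:
                findings.append(f"{name}: AS {asn} already used by {seen_asn[asn]}")
            seen_asn.setdefault(asn, name)
        if d["role"] == "core":
            # Requirement 3: core devices only connect distribution switches
            findings += [f"{name}: core linked to non-dist device {n}"
                         for n in neighbors[name] if role[n] != "dist"]
        if d["role"] == "access" and sum(role[n] == "dist" for n in neighbors[name]) < 2:
            # Requirement 4: access switches connect redundantly to two dist switches
            findings.append(f"{name}: fewer than two dist uplinks")
    return sorted(findings)

# Constructed sample inventory (all names, ASNs and links are made up)
DEVICES = {
    "core1": {"role": "core", "asn": 4200000001, "loopbacks": {"lo0": "global", "lo1": "MGMT"}},
    "dist1": {"role": "dist", "asn": 4200000011, "loopbacks": {"lo0": "global", "lo1": "MGMT"}},
    "dist2": {"role": "dist", "asn": 65011, "loopbacks": {"lo0": "global"}},
    "acc1": {"role": "access"},
    "acc2": {"role": "access"},
}
LINKS = [("core1", "dist1"), ("core1", "dist2"), ("dist1", "acc1"), ("dist2", "acc1"),
         ("dist1", "acc2")]

if __name__ == "__main__":
    print("\n".join(check_design(DEVICES, LINKS)) or "design matches the guidelines")
```

In the sample, dist2 is flagged for a missing management loopback and a 2-byte private AS, and acc2 for having a single dist uplink.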

Known compatible hardware configurations for core/dist layers:

  • Arista EOS: 7050X, 7280 running EOS v4.24 for ESI with routing/IRB. "FLX Lite" license
  • Cisco NX-OS: Nexus9000, Nexus3000 running NX-OS version ?
  • Cisco IOS-XR: NCS5000 running version ?
  • Cisco IOS-XE: Catalyst9000 running version 17.3 for EVPN?
  • Juniper JunOS: MX or QFX running version ?

Special considerations for non-standard design:

If using JunOS with only two dist switches (no core layer), you should disable core isolation to get working redundancy: https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/concept/evpn-vxlan-core-isolation-disabling.html
