https://tools.ietf.org/html/draft-nachum-sarp-06 proposes a Proxy Gateway 
mechanism to limit switches' FDB (MAC table) sizes in an environment where 
hosts (or VMs) within one subnet (or VLAN) can spread over many access domains 
(or shelves or sites) and each access domain has hosts (VMs) belonging to many 
subnets (or VLANs).

The main idea of SARP is to represent all VMs (or hosts) under each access 
domain by their corresponding access (or aggregation) node's MAC address, 
regardless of whether the access (or aggregation) node is the VMs' (hosts') 
gateway or not. For example, when a host "a" under access domain "S" needs to 
communicate with peers on the same VLAN but connected to different access 
domains, SARP requires "a" to use the remote access node's MAC address rather 
than the peers' MAC addresses. By doing so, switches in each domain do not need 
to maintain a list of MAC addresses for all the VMs (hosts) in different access 
domains in their FDBs. Therefore, the switches' FDB size is limited regardless 
of how the VLAN is spread.

However, when SEND is used, Access (or Aggregation) switches might not possess 
knowledge of the attached hosts (VMs)' private keys.

Are there any concerns or feedback on giving the following recommendations in 
our draft? Any preferences?
1) state that SARP is not recommended when SEND is deployed;
2) recommend using RFC 6496 (Secure Proxy ND Support for SEND).


P.S.

Even though NVO3/TRILL provides an overlay mechanism so that the hosts' (or VMs') 
addresses are hidden from the switches in the core, all the overlay edge nodes 
are still exposed to all the host MAC addresses on the VLANs that are enabled 
on the edges, which can cause the switches' FDB size explosion issue.



For example:

For a typical Access switch (Top of Rack) with 40 physical servers attached, 
where each server has 100 VMs, there are 4000 hosts under the Access switch. If 
indeed hosts/VMs can be moved anywhere, the worst case for the Access switch is 
when all those 4000 VMs belong to different VLANs, i.e. the access switch has 
4000 VLANs enabled. If each VLAN has 200 hosts, this access switch's MAC table 
potentially has 200*4000 = 800,000 entries.

Thank you very much for your feedback.


Linda Dunbar

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
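The FDB growth described in the message above, worked through in code. This is an added example, not code from the original message or from draft-nachum-sarp. It models an FDB entry as a (vlan, mac) pair, the way a VLAN-aware bridge with independent VLAN learning keys its table, and also reports the distinct-MAC count a bridge with shared VLAN learning would hold. The topology, the synthetic MAC addresses, and the assumption that each VLAN's 200 hosts are dealt round-robin over 20 access domains are all constructed here; the message gives the 4000 VLANs and 200 hosts per VLAN but does not say how the remote hosts are spread, and the SARP-side count depends on that spread.

```python
"""FDB (MAC table) growth on an access switch with and without SARP-style proxying.

Added example, not code from the original message or from draft-nachum-sarp.
Topology, MAC addresses and VLAN layout are constructed here for illustration;
an FDB entry is modelled as a (vlan, mac) pair, as a VLAN-aware bridge with
independent VLAN learning keys its table.
"""


def host_mac(domain, vlan, index):
    """Synthetic locally-administered MAC for host `index` of `vlan` in `domain`."""
    return "02:%02x:%02x:%02x:%02x:%02x" % (
        domain & 0xFF, vlan >> 8 & 0xFF, vlan & 0xFF, index >> 8 & 0xFF, index & 0xFF)


def access_node_mac(domain):
    """Synthetic MAC of the access (proxy gateway) node fronting an access domain."""
    return "02:aa:aa:aa:aa:%02x" % (domain & 0xFF)


def build_topology(num_vlans, hosts_per_vlan, num_domains):
    """Constructed topology: every VLAN is stretched across all access domains,
    with its hosts dealt round-robin over the domains. Returns {domain: [(vlan, mac)]}."""
    topo = {d: [] for d in range(num_domains)}
    for vlan in range(1, num_vlans + 1):
        for i in range(hosts_per_vlan):
            d = i % num_domains
            topo[d].append((vlan, host_mac(d, vlan, i)))
    return topo


def fdb_without_sarp(topo, domain):
    """Flood-and-learn on stretched VLANs: the switch learns a (vlan, mac) entry for
    every host on every VLAN it has enabled, regardless of where the host lives."""
    enabled = {vlan for vlan, _ in topo[domain]}
    return {(vlan, mac) for hosts in topo.values() for vlan, mac in hosts if vlan in enabled}


def fdb_with_sarp(topo, domain):
    """SARP: remote hosts are reached via their access node's MAC (the address handed
    back in the ARP/ND reply), so a remote domain contributes at most one entry per VLAN."""
    enabled = {vlan for vlan, _ in topo[domain]}
    fdb = set(topo[domain])  # local hosts are still learned directly
    for d, hosts in topo.items():
        if d == domain:
            continue
        for vlan, _ in hosts:
            if vlan in enabled:
                fdb.add((vlan, access_node_mac(d)))
    return fdb


def distinct_macs(fdb):
    """Entry count for a bridge with shared VLAN learning (one entry per MAC)."""
    return len({mac for _, mac in fdb})


def worst_case(num_vlans=4000, hosts_per_vlan=200, num_domains=20):
    """The message's 4000 VLANs x 200 hosts per VLAN, with each VLAN's hosts spread
    over `num_domains` access domains (a constructed distribution). Returns entry
    counts for access switch 0: (classic, sarp_per_vlan_mac, sarp_per_mac)."""
    topo = build_topology(num_vlans, hosts_per_vlan, num_domains)
    classic = fdb_without_sarp(topo, 0)
    sarp = fdb_with_sarp(topo, 0)
    return len(classic), len(sarp), distinct_macs(sarp)


if __name__ == "__main__":
    classic, sarp_vlan, sarp_mac = worst_case()
    print("classic flood-and-learn, (vlan, mac) entries:", classic)
    print("SARP, (vlan, mac) entries:", sarp_vlan)
    print("SARP, distinct MAC entries:", sarp_mac)
```

With the constructed spread, the classic table for one access switch reaches the 800,000 entries of the message; under SARP the remote part of the table is bounded by (VLANs enabled) x (remote access nodes) rather than by the number of remote hosts, and by the number of remote access nodes alone if the bridge keys its table by MAC only. Changing `num_domains` shows how much of the saving depends on how the hosts of a VLAN are distributed over access domains.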
