
Introduction to VXLAN-- Network Technology

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Prerequisite: readers are expected to have a solid understanding of TCP/IP.

Why VXLAN?

● Virtual machine scale is limited by network specifications

In a layer 2 network, packets are forwarded by looking up the MAC address table, so the capacity of the MAC address table limits the number of virtual machines.

● Limited network isolation capability

The mainstream network isolation technologies today are VLAN and VPN (Virtual Private Network). They have the following limitations when deployed in large-scale virtualized networks:

─ The VLAN Tag field defined in IEEE 802.1Q has only 12 bits and can represent at most 4096 VLANs, which cannot meet the need to identify a large number of user groups in a layer 2 network.

─ VLAN/VPN in a traditional layer 2 network cannot meet the need for dynamic network adjustment.

● The scope of virtual machine migration is limited by network architecture

After a virtual machine starts, it may need to be migrated to a new server because of server resource problems (CPU too high, insufficient memory, etc.). To keep the business uninterrupted during the migration, parameters such as the virtual machine's IP address and MAC address must remain unchanged, which requires the business network to be a layer 2 network and the network itself to have multi-path redundancy and reliability.

Problems solved by VXLAN

● Virtual machine scale limited by network specifications

VXLAN encapsulates the packets sent by a virtual machine in UDP and uses the IP/MAC addresses of the physical network as the outer header, so the physical network only needs to learn the addresses of the encapsulation endpoints rather than every virtual machine's MAC. The MAC address table requirement on the large layer 2 network is therefore greatly reduced.

● Limited network isolation capability

VXLAN introduces a user identifier similar to the VLAN ID, called the VXLAN Network Identifier (VNI). It consists of 24 bits and supports up to 16M ((2^24 - 1) / 1024^2) VXLAN segments, which satisfies the need for a large number of user identifiers.

● Virtual machine migration scope limited by network architecture

VXLAN builds a large layer 2 network, which ensures that parameters such as the virtual machine's IP address and MAC address remain unchanged during virtual machine migration.

What is VXLAN? VXLAN - Virtual eXtensible Local Area Network

VXLAN is a network virtualization technology of the NVO3 (Network Virtualization over Layer 3) family. It encapsulates packets sent by a VM or physical server in UDP, using the IP/MAC addresses of the physical network as the outer header, and transmits them over the IP network; the tunnel endpoint decapsulates the data and delivers it to the target virtual machine or physical server.

NVE - Network Virtualization Edge

The network virtualization edge node (NVE) is the network entity that implements the network virtualization function. After packets are encapsulated and converted by the NVE, a layer 2 virtual network can be established between NVEs over a layer 3 underlay network.

VTEP - VXLAN Tunnel Endpoint

The VTEP is the endpoint of a VXLAN tunnel. It resides in the NVE and performs encapsulation and decapsulation of VXLAN packets.

VNI - VXLAN Network Identifier

The VXLAN network identifier (VNI) is similar to a VLAN ID and is used to distinguish VXLAN segments. Virtual machines in different VXLAN segments cannot communicate directly at layer 2.

A VNI represents a tenant, even if multiple end users belong to the same VNI. The VNI consists of 24 bits and supports up to 16M ((2^24 - 1) / 1024^2) tenants.

Datagram forwarding: the VXLAN gateway

There are three main communication patterns between VMs: different VMs under the same VNI, cross-network access between different VNIs, and access between VXLAN and non-VXLAN networks. The following is the schematic diagram of the VXLAN gateway.

VXLAN gateways are divided into layer 2 gateways and layer 3 gateways.

The layer 2 gateway serves end users in the same network segment. After the layer 2 gateway receives a user packet, the forwarding process depends on the type of destination MAC in the packet:

● The destination MAC is a BUM (broadcast & unknown unicast & multicast) address: the packet is processed according to the BUM forwarding process.

● The destination MAC is a known unicast address: the packet is processed according to the known unicast forwarding process.

The layer 3 gateway serves communication between end users that are not in the same network segment, or between VXLAN and non-VXLAN users.

Layer 2 gateway: VXLAN layer 2 gateway workflow

The workflow of the VXLAN layer 2 gateway is divided into the BUM packet forwarding workflow and the VXLAN known unicast forwarding workflow.

1. VXLAN BUM packet forwarding workflow

When a BUM packet enters the VXLAN tunnel, the ingress VTEP uses head-end replication to encapsulate it in VXLAN. When the BUM packet leaves the VXLAN tunnel, the egress VTEP decapsulates it. The specific forwarding process of BUM packets is shown in the following figure.

Head-end replication: when the local VTEP receives a BUM (broadcast & unknown unicast & multicast) packet, it obtains the list of VTEPs belonging to the same VNI through the control plane, replicates the received BUM packet according to that list, and sends a copy to every VTEP belonging to the same VNI.

With head-end replication, flooding BUM packets does not depend on a multicast routing protocol.

1) Switch_1 receives the packet from terminal A, determines the corresponding layer 2 broadcast domain from the access port and the VLAN information in the packet, and checks whether the destination MAC of the packet is a BUM MAC.

● If yes, broadcast it in the corresponding layer 2 broadcast domain and go to 2).

● If no, process it according to the known unicast forwarding process.

2) The VTEP on Switch_1 obtains the head-end replication tunnel list of the corresponding VNI from the layer 2 broadcast domain, replicates the packet according to that tunnel list, and performs VXLAN encapsulation. The VXLAN header and outer IP information are built from each egress port and its VXLAN encapsulation information, and the copies are forwarded from the egress ports.

3) After the VTEP on Switch_2/Switch_3 receives the VXLAN packet, it checks the validity of the VXLAN packet according to the UDP destination port number, the source/destination IP addresses and the VNI. It then obtains the corresponding layer 2 broadcast domain from the VNI, performs VXLAN decapsulation, obtains the inner layer 2 packet, and checks whether its destination MAC is a BUM MAC.

● If yes, broadcast it on the non-VXLAN side of the corresponding layer 2 broadcast domain.

● If no, check whether it is the local device's own MAC.

─ If yes, send it to the local host for processing.

─ If no, look up the outbound interface and encapsulation information in the corresponding layer 2 broadcast domain and go to 4).

4) According to the outbound interface and encapsulation information found, Switch_2/Switch_3 adds a VLAN Tag to the packet and forwards it to the corresponding terminals B and C.

Terminals B and C respond to terminal A's packet, and the responses are forwarded according to the known unicast forwarding process.
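The ingress and egress VTEP steps above (head-end replication at Switch_1, then the validity check and BUM/known-unicast decision at Switch_2/Switch_3), as an added Python model that is not part of the original article. The 8-byte VXLAN header follows RFC 7348 and UDP port 4789; the outer IP/UDP header is modelled as a dict, and the VTEP peer list, MAC table and VNI-to-broadcast-domain mapping are constructed sample data.

```python
import struct

VXLAN_UDP_PORT = 4789                 # IANA UDP destination port for VXLAN
BROADCAST = b"\xff" * 6

def vxlan_header(vni):
    """8-byte VXLAN header (RFC 7348): flags with the I bit set, reserved, 24-bit VNI, reserved."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", 0x08000000, vni << 8)

def encapsulate(vni, inner_frame, src_vtep, dst_vtep):
    # Outer IP/UDP header modelled as a dict; the VXLAN header and inner frame are real bytes.
    outer = {"src_ip": src_vtep, "dst_ip": dst_vtep, "udp_dport": VXLAN_UDP_PORT}
    return outer, vxlan_header(vni) + inner_frame

def is_bum(dmac, vni, mac_table, local_macs=()):
    """Broadcast, multicast (group bit of the first octet) or unicast unknown in this VNI."""
    known = dmac in mac_table.get(vni, {}) or dmac in local_macs
    return dmac == BROADCAST or bool(dmac[0] & 1) or not known

def ingress_vtep(inner_frame, vni, local_vtep, peer_vteps, mac_table):
    """Switch_1: BUM frames are head-end replicated to every VTEP of the VNI, known unicast to one.
    mac_table maps VNI -> {MAC: remote VTEP IP}; peer_vteps maps VNI -> list of VTEP IPs."""
    dmac = inner_frame[:6]
    if is_bum(dmac, vni, mac_table):
        return [encapsulate(vni, inner_frame, local_vtep, peer) for peer in peer_vteps[vni]]
    return [encapsulate(vni, inner_frame, local_vtep, mac_table[vni][dmac])]

def egress_vtep(outer, payload, local_vtep, peer_vteps, vni_to_bd, mac_table, local_macs=()):
    """Switch_2/3: validity check (UDP port, outer IPs, VNI), decapsulate, then flood/local/unicast."""
    if outer["udp_dport"] != VXLAN_UDP_PORT or outer["dst_ip"] != local_vtep or len(payload) < 8:
        return "drop", None
    flags, vni_field = struct.unpack("!II", payload[:8])
    vni = vni_field >> 8
    # Only accept a VNI configured locally and a source that is a known VTEP peer of that VNI.
    if not flags & 0x08000000 or vni not in vni_to_bd or outer["src_ip"] not in peer_vteps.get(vni, ()):
        return "drop", None
    inner = payload[8:]
    dmac = inner[:6]
    if is_bum(dmac, vni, mac_table, local_macs):
        return "flood", vni_to_bd[vni]           # broadcast on the non-VXLAN side of the BD
    if dmac in local_macs:
        return "local", vni_to_bd[vni]           # hand to the local host for processing
    return "unicast", vni_to_bd[vni]             # look up the outbound port in the BD, add VLAN tag
```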

2. VXLAN known unicast forwarding workflow

The specific forwarding process of known unicast packets is shown in the following figure.

1) Switch_1 receives the packet from terminal A, determines the corresponding layer 2 broadcast domain from the access port and the VLAN information in the packet, and checks whether the destination MAC of the packet is a known unicast MAC.

● If yes, check whether it is the local device's own MAC.

─ If yes, send it to the local host for processing.

─ If no, look up the outbound interface and encapsulation information in the corresponding layer 2 broadcast domain and go to 2).

● If no, broadcast it in the corresponding layer 2 broadcast domain and go to 2).

2) The VTEP on Switch_1 performs VXLAN encapsulation and forwards the packet according to the outbound interface and encapsulation information found.

3) After the VTEP on Switch_2 receives the VXLAN packet, it checks the validity of the VXLAN packet according to the UDP destination port number, the source/destination IP addresses and the VNI. It then obtains the corresponding layer 2 broadcast domain from the VNI, performs VXLAN decapsulation, obtains the inner layer 2 packet, and checks whether its destination MAC is a known unicast MAC.

● If yes, look up the outbound interface and encapsulation information in the corresponding layer 2 broadcast domain and go to 4).

● If no, check whether it is the local device's own MAC.

─ If yes, send it to the local host for processing.

─ If no, process it according to the BUM forwarding process.

4) According to the outbound interface and encapsulation information found, Switch_2 adds a VLAN Tag to the packet and forwards it to the corresponding terminal B.

Layer 3 gateway

Communication between VXLAN segments in different network segments, and between VXLAN and non-VXLAN networks, is realized through IP routing.

A BD (bridge domain) is created on the layer 3 gateway, VNIs are mapped to BDs 1:1, a BDIF interface is created on top of each BD, and an IP address is configured on the BDIF interface to enable communication between VXLAN segments in different network segments and between VXLAN and non-VXLAN networks.

The BDIF interface is similar to a VLANIF interface.

Layer 3 gateway classification

Layer 3 gateways are divided into centralized gateways and distributed gateways.

With a centralized gateway, both north-south and east-west traffic must pass through the gateway; even local cross-subnet traffic is forwarded through the centralized gateway, so traffic takes a detour.

With a distributed gateway, cross-subnet traffic is also forwarded along the optimal path; the gateway carries only north-south traffic pressure and no east-west traffic pressure.

Distributed gateways are divided into software distributed gateways and hardware distributed gateways. A software distributed gateway is located in the vSwitch: the vSwitch performs VXLAN encapsulation and decapsulation, and cross-subnet east-west traffic is forwarded through the DVR (distributed virtual router). A hardware distributed gateway is located in the edge device of the hardware network, and the hardware network device performs VXLAN encapsulation and decapsulation.

Packet forwarding process

Communication between VXLAN networks in different network segments, as well as between VXLAN and non-VXLAN networks in different network segments, is realized through the VXLAN layer 3 gateway. The workflow of the VXLAN layer 3 gateway is as follows.

The specific implementation process of layer 3 gateway communication is as follows:

1. Switch_4, acting as a VXLAN layer 2 gateway, receives the VXLAN packet and decapsulates it, then checks whether the DMAC of the inner packet is the MAC address of the gateway interface.

● If yes, hand it to the layer 3 gateway of the corresponding destination network segment for processing and go to 2.

● If no, look up the outbound interface and encapsulation information in the corresponding layer 2 broadcast domain.

2. Switch_4, acting as a VXLAN layer 3 gateway, strips the Ethernet encapsulation of the inner packet and parses the destination IP. It looks up the ARP entry for the destination IP and obtains the DMAC, the VXLAN tunnel egress interface and the VNI.

● If there is no VXLAN tunnel egress interface and VNI information, the packet is forwarded at layer 3.

● If there is VXLAN tunnel egress interface and VNI information, go to 3.

3. Switch_4, acting as a VXLAN layer 2 gateway, re-encapsulates the VXLAN packet, with the SMAC in the inner packet's Ethernet header set to the MAC address of the gateway interface.

For communication between Switch_4 and the other switches, see the layer 2 gateway implementation principles.
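The three Switch_4 steps above (DMAC check against the gateway interface MAC, BDIF subnet and ARP lookup yielding DMAC, tunnel egress interface and VNI, then SMAC rewrite before re-encapsulation), as an added Python model that is not from the original article. The gateway MAC, BDIF addresses, BD-to-VNI mapping and ARP entries are constructed sample values, and IPv4 checksum and TTL handling are left out.

```python
import ipaddress
import struct

def build_frame(dmac, smac, src_ip, dst_ip, payload=b""):
    """Constructed sample input: Ethernet header + minimal IPv4 header (checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return dmac + smac + b"\x08\x00" + ip_hdr + payload

class VxlanL3Gateway:
    """Models Switch_4: BDs mapped 1:1 to VNIs, one BDIF (IP interface) per BD, one gateway MAC."""

    def __init__(self, gw_mac, bdif_addrs, bd_to_vni, arp_table):
        self.gw_mac = gw_mac
        # BDIF addresses such as {"bd10": "192.168.1.1/24"}; the subnet selects the destination BD.
        self.bdif = {bd: ipaddress.ip_interface(a) for bd, a in bdif_addrs.items()}
        self.bd_to_vni = bd_to_vni
        # ARP entries: destination IP -> (DMAC, VXLAN tunnel egress interface, or None for a non-VXLAN port)
        self.arp_table = arp_table

    @staticmethod
    def _result(action, bd=None, vni=None, tunnel_if=None, frame=None):
        return {"action": action, "bd": bd, "vni": vni, "tunnel_if": tunnel_if, "frame": frame}

    def handle(self, in_bd, inner_frame):
        """Decide what Switch_4 does with a decapsulated inner frame received in broadcast domain in_bd."""
        dmac, ethertype = inner_frame[:6], inner_frame[12:14]
        # Step 1: only frames whose DMAC is the gateway interface MAC are handed to the layer 3 gateway.
        if dmac != self.gw_mac:
            return self._result("l2-forward", bd=in_bd, frame=inner_frame)
        if ethertype != b"\x08\x00":
            return self._result("drop", bd=in_bd)
        # Step 2: strip the Ethernet header, read the IPv4 destination, select the BD by BDIF subnet,
        # then consult the ARP table for the DMAC and tunnel egress information.
        ip_packet = inner_frame[14:]
        dst_ip = ipaddress.ip_address(ip_packet[16:20])
        out_bd = next((bd for bd, i in self.bdif.items() if dst_ip in i.network), None)
        if out_bd is None:
            return self._result("no-route")
        entry = self.arp_table.get(str(dst_ip))
        if entry is None:
            return self._result("arp-miss", bd=out_bd)      # ARP resolution itself is not modelled
        next_mac, tunnel_if = entry
        # New inner Ethernet header: DMAC from the ARP entry, SMAC = gateway interface MAC.
        new_frame = next_mac + self.gw_mac + b"\x08\x00" + ip_packet
        if tunnel_if is None:
            # No tunnel egress interface/VNI: plain layer 3 forwarding towards the non-VXLAN network.
            return self._result("l3-forward", bd=out_bd, frame=new_frame)
        # Step 3: re-encapsulate in VXLAN with the VNI mapped 1:1 from the destination BD.
        return self._result("vxlan", bd=out_bd, vni=self.bd_to_vni[out_bd], tunnel_if=tunnel_if, frame=new_frame)
```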
