What is the principle and function of VXLAN

2025-01-18 Update. From: SLTechnology News&Howtos (Servers)

Shulou(Shulou.com)05/31 Report--

This article explains how VXLAN works and what problems it solves. The explanation is kept concise and easy to follow; I hope you take something away from it.

What is VXLAN?

VXLAN (Virtual eXtensible Local Area Network) is one of the NVO3 (Network Virtualization over Layer 3) technologies standardized by the IETF (RFC 7348) and can be seen as an extension of the traditional VLAN. Its defining characteristic is that it encapsulates a layer 2 Ethernet frame inside a UDP datagram (L2 over L4) so that the frame can be carried across a layer 3 IP network.

As shown in figure 1-1, VXLAN is essentially a tunneling technology: it establishes a logical tunnel across the IP network between the source and destination network devices and forwards user-side frames through that tunnel after a specific encapsulation. From the user's point of view, servers connected to the network behave as if they were plugged into different ports of one virtual layer 2 switch (the data center VXLAN network in the blue dashed box can be regarded as one layer 2 virtual switch), so they can communicate with each other directly.

Figure 1-1 VXLAN is a tunneling technology

VXLAN has become the mainstream technology for building data center networks because it meets two needs well: dynamic migration of virtual machines and multi-tenancy.

Why do you need VXLAN

Why is VXLAN needed? The answer is closely tied to the trend toward server virtualization in the data center. On the one hand, once servers are virtualized, virtual machines are migrated dynamically, which requires a network that does not constrain where a VM can move; on the other hand, data centers keep growing and the number of tenants is rising rapidly, so the network must be able to isolate a very large number of tenants. VXLAN meets both of these key requirements.

Dynamic migration of virtual machines requires a network without migration barriers

What is server virtualization technology?

Physical server utilization in traditional data centers is too low, on average only 10%-15%, wasting a great deal of power and machine room resources; this is why server virtualization emerged. As shown in figure 1-2, server virtualization splits one physical server into multiple logical servers, called virtual machines (VMs). Each VM runs independently and has its own operating system, applications and, of course, its own MAC address and IP address; VMs connect to the external physical network through a virtual switch (vSwitch) inside the server.

Figure 1-2 illustration of server virtualization

Server virtualization effectively improves server utilization, reduces energy consumption and lowers the operating costs of data centers, so it has been widely adopted.

What is virtual machine dynamic migration?

Dynamic migration (live migration) of a virtual machine is the process of moving a running virtual machine from one physical server to another while the services on it keep running. The process is imperceptible to end users, so administrators can rebalance server resources or repair and upgrade physical servers without affecting users.

After server virtualization, dynamic migration of virtual machines becomes routine. For services not to be interrupted during migration, not only must the VM's IP address stay unchanged, its running state (for example TCP session state) must also be preserved. A VM can therefore only be migrated within the same layer 2 domain, not across layer 2 domains.

As shown in figure 1-3, the traditional layer 2 / layer 3 network architecture limits the range over which virtual machines can be migrated dynamically: migration is only possible within a small local area, which greatly limits its usefulness.

Figure 1-3 the traditional layer 2 / layer 3 network architecture limits the dynamic migration range of virtual machines

To break this limitation and migrate virtual machines dynamically on a large scale, or even across regions, all the servers that may be involved in VM migration must be brought into the same layer 2 network domain.

How does VXLAN meet the network requirements of virtual machine dynamic migration?

As we all know, a layer 2 switch provides layer 2 connectivity between the servers attached to it, and when a server moves from one port of the switch to another its IP address can stay unchanged. That satisfies the requirement of dynamic VM migration, and this is where the design concept and goal of VXLAN come from.

As the previous section showed, VXLAN is essentially a tunneling technology: when a source and a destination need to communicate, a virtual tunnel is created over the data center IP network that forwards user data transparently. A data center has many such communication requirements, however, so in practice tunnels have to be established between almost every pair of endpoints, a near full mesh.

VXLAN provides a methodology for building a fully meshed layer 2 tunnel overlay on top of the data center IP network, which guarantees that any two points can communicate through VXLAN tunnels while ignoring the structure and details of the underlying network. From a server's perspective, VXLAN virtualizes the entire data center infrastructure network into one huge "layer 2 switch" to which all servers are connected. How frames are forwarded inside the underlying network is an internal matter of this "huge switch"; the server does not need to care.

Figure 1-4 VXLAN virtualizes the entire data center infrastructure network into a huge "layer 2 switch"

The number of data center tenants has soared, requiring a network that can isolate a large number of tenants

As we all know, the standard VLAN definition provides a 12-bit VLAN ID, so only 4094 usable VLANs. After server virtualization, a physical server hosts several virtual machines, each with its own IP address and MAC address, which multiplies the number of hosts attached to the data center network. In addition, public clouds and other large virtualized data centers often need to accommodate tens of thousands of tenants or more, and the VLAN space is clearly inadequate.

How does VXLAN solve this? VXLAN introduces a network identifier analogous to the VLAN ID in the VXLAN header, the VXLAN Network Identifier (VNI). It is 24 bits long and therefore supports up to 16 million (2^24 = 16,777,216) VXLAN segments, enough to identify and isolate a very large number of separate networks. The role of the VNI is described in detail below.

What is the difference between VXLAN and VLAN

VLAN, the traditional network isolation technology, offers only 4094 VLANs in the standard definition, which cannot meet the need to isolate the tenants of a large data center. In addition, the layer 2 scope of a VLAN is generally small and fixed, which cannot support large-scale dynamic migration of virtual machines.

VXLAN makes up for both shortcomings of VLAN. On the one hand, the 24-bit VNI field in the VXLAN header (shown in figure 1-5) can identify up to 16 million tenants, far more than VLAN's 4094. On the other hand, VXLAN builds virtual tunnels between switches over the data center's IP network, virtualizing the data center network into a giant "layer 2 switch" that supports large-scale dynamic migration of virtual machines.

Although VXLAN is named as an extension of VLAN, its ability to build virtual tunnels makes it work very differently from VLAN.

Let's take a look at what a VXLAN message looks like.

Figure 1-5 VXLAN message format (taking the outer IP header as IPv4 format as an example)

As shown in the figure above, the VTEP "wraps" the original Ethernet frame (Original L2 Frame) sent by the VM as follows:

VXLAN Header

Add the VXLAN header (8 bytes). It contains the 24-bit VNI field that identifies the tenant network within VXLAN, an 8-bit VXLAN Flags field whose value is 00001000 (the I bit, which must be set for the VNI field to be valid), and two reserved fields of 24 bits and 8 bits respectively.

UDP Header

The VXLAN header and the original Ethernet frame together form the UDP payload. In the UDP header, the destination port (VXLAN Port) is fixed at 4789, the port IANA assigned to VXLAN (some older implementations defaulted to 8472 before that assignment, so check what each end expects). The source port (UDP Src. Port) is derived from a hash of the original Ethernet frame's headers, so that different inner flows get different outer source ports and the underlay's ECMP load balancing spreads them across paths.

Outer IP Header

Encapsulate the outer IP header. The source IP address (Outer Src. IP) is the IP address of the VTEP to which the source VM belongs, and the destination IP address (Outer Dst. IP) is the IP address of the VTEP to which the destination VM belongs.

Outer MAC Header

Encapsulate the outer Ethernet header. The source MAC address (Src. MAC Addr.) is the MAC address of the VTEP to which the source VM belongs, and the destination MAC address (Dst. MAC Addr.) is the MAC address of the next-hop device on the path to the destination VTEP; as with any IP packet, it is rewritten hop by hop as the packet is routed through the underlay.

Note what the encapsulation does not contain: there is no authentication or integrity protection of the VXLAN header or the inner frame. A VTEP that receives a UDP/4789 packet for a VNI it serves decapsulates it and injects the inner frame into that tenant's layer 2 domain, so the underlay must prevent arbitrary hosts from reaching VTEP addresses on that port (see the Security Considerations of RFC 7348).
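As an added example that is not code from the article or from Huawei, the following Python builds the encapsulation just described (outer Ethernet, outer IPv4, UDP to port 4789, 8-byte VXLAN header, original frame) and parses it back, checking the I flag and the VNI. The VTEP addresses, MACs and inner frame are constructed, and the source-port hash (CRC32 over the inner headers mapped into the 49152-65535 range) is one reasonable choice, not the algorithm of any particular switch.

```python
"""Added example (not from the original article): build and parse a VXLAN packet
with an IPv4 outer header, following the layout of figure 1-5 / RFC 7348.
All addresses and the inner payload are constructed for illustration."""
import ipaddress
import struct
import zlib

VXLAN_PORT = 4789        # IANA-assigned UDP destination port
VXLAN_FLAG_I = 0x08      # flags byte 00001000: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip4(text):
    return ipaddress.IPv4Address(text).packed

def ipv4_checksum(header):
    """Ones'-complement sum of the header; evaluates to 0 on a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_header(vni):
    """8 bytes: Flags(8) | Reserved(24) | VNI(24) | Reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def entropy_src_port(inner_frame):
    """UDP source port hashed from the inner headers so underlay ECMP spreads
    flows; RFC 7348 suggests the dynamic range 49152-65535 (CRC32 is our choice)."""
    return 49152 + zlib.crc32(inner_frame[:54]) % (65535 - 49152 + 1)

def encapsulate(inner_frame, vni, vtep_mac, next_hop_mac, src_vtep, dst_vtep):
    """Wrap an original L2 frame: outer MAC + outer IPv4 + UDP + VXLAN header."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    # UDP checksum 0 is allowed for VXLAN over IPv4.
    udp = struct.pack("!HHHH", entropy_src_port(inner_frame), VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0, ip4(src_vtep), ip4(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac(next_hop_mac) + mac(vtep_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vx + inner_frame

def decapsulate(packet, local_vtep, served_vnis):
    """Return (vni, inner_frame) for a well-formed VXLAN packet addressed to this
    VTEP, else raise ValueError. Nothing here authenticates the sender: a packet
    from any underlay host carrying a served VNI is accepted."""
    if len(packet) < 14 + 20 + 8 + 8:
        raise ValueError("truncated packet")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    ip = packet[14:14 + ihl]
    if ipv4_checksum(ip) != 0 or ip[9] != IPPROTO_UDP:
        raise ValueError("bad outer IP header or not UDP")
    if ip[16:20] != ip4(local_vtep):
        raise ValueError("not addressed to this VTEP")
    udp_off = 14 + ihl
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_PORT or udp_len < 16 or udp_off + udp_len > len(packet):
        raise ValueError("not a VXLAN datagram")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    vni = vni_field >> 8
    if vni not in served_vnis:
        raise ValueError("VNI %d not served by this VTEP" % vni)
    return vni, packet[vx_off + 8:udp_off + udp_len]

def accepted(packet, local_vtep, served_vnis):
    """True when decapsulate() would accept the packet (handy for filter tests)."""
    try:
        decapsulate(packet, local_vtep, served_vnis)
        return True
    except ValueError:
        return False

def constructed_inner_frame():
    """Minimal VM1 -> VM2 IPv4 frame (constructed; RFC 7042 documentation MACs)."""
    payload = b"hello from VM1"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     ip4("10.1.1.1"), ip4("10.1.1.2"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return (mac("00:00:5e:00:53:02") + mac("00:00:5e:00:53:01")
            + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload)
```

The decapsulation side makes the security point concrete: the only things a VTEP can check are well-formedness, the I flag, the outer destination address and whether it serves the VNI. It cannot tell a spoofed packet from a genuine one, so the isolation a VNI provides holds only as long as the underlay keeps untrusted hosts from sending to UDP/4789 on VTEP addresses.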

How is the VXLAN tunnel established

This section will introduce you to the process of establishing a VXLAN tunnel and gain a better understanding of how VXLAN works in the process.

What are VTEP and VNI in VXLAN

Let's take a closer look at VXLAN's network model and some common concepts. As shown in figure 1-6, the two servers communicate over the VXLAN network.

Figure 1-6 schematic of VXLAN network model

As the figure shows, VXLAN establishes a tunnel between two TOR switches that "packages" the original frames sent by a server so that they can be carried over a bearer network such as an IP network. When the packet reaches the TOR switch to which the destination server is attached, it leaves the VXLAN tunnel, the original frame is restored, and it is forwarded on to the destination server.

In addition, a VXLAN network contains new elements that do not exist in a traditional data center network, such as the VTEP and the VNI. What are their roles? They are introduced below.

What is VXLAN VTEP?

As shown in figure 1-6, the VTEP (VXLAN Tunnel Endpoint) is the edge device of the VXLAN network and the point where a VXLAN tunnel begins and ends. VXLAN encapsulation and decapsulation of the user's original frames takes place on the VTEP.

The VTEP is the central actor in a VXLAN network. A VTEP can be a physical network device (such as a Huawei CloudEngine series switch) or a virtual switch inside a server. The original frame sent by the source server is encapsulated in VXLAN format on the VTEP, carried across the IP network to another VTEP, decapsulated back into the original frame there, and finally forwarded to the destination server.

For the detailed work the VTEP does while establishing VXLAN tunnels and forwarding over them, see "How is the VXLAN tunnel established" below.

What is VXLAN VNI?

As mentioned earlier, the VLAN ID occupies only 12 bits in the Ethernet frame, which leaves VLAN's isolation capacity inadequate for the data center network. The VNI was introduced to solve this problem.

As shown in figure 1-6, the VNI (VXLAN Network Identifier) is a tenant identifier analogous to the VLAN ID: one VNI represents one tenant, and virtual machines in different VNIs cannot communicate with each other directly at layer 2. As shown in figure 1-5, 24 bits are allocated to the VNI when the VXLAN packet is encapsulated, which supports isolating a very large number of tenants.

For the detailed work the VNI does while VXLAN tunnels are established and used for forwarding, see "How is the VXLAN tunnel established" below.

In addition, in a distributed gateway deployment VNIs are divided into layer 2 VNIs and layer 3 VNIs, with different functions:

A layer 2 VNI is an ordinary VNI; it is mapped 1:1 to a broadcast domain (BD) and is used to forward VXLAN packets within a subnet (see "What is 'the same layer 2 domain'" below).

A layer 3 VNI is associated with a VPN instance and is used to forward VXLAN packets across subnets (how layer 3 VNIs work is described in a separate EVPN document).

Which VTEPs need to establish VXLAN tunnels

A VXLAN tunnel is defined by two VTEPs. A data center network contains many VTEPs, as shown in figure 1-7, so between which VTEPs do tunnels need to be established?

Figure 1-7 schematic diagram of establishing a VXLAN tunnel (1)

As mentioned earlier, a VXLAN tunnel lets a "layer 2 domain" break through physical boundaries so that the VMs in it communicate at layer 2. Therefore, if VMs attached to different VTEPs need layer 2 connectivity, a VXLAN tunnel must be established between those two VTEPs. In other words, VXLAN tunnels are established between the VTEPs that belong to the same layer 2 domain.

For example, if the VMs attached to VTEP_1, VTEP_2 and VTEP_3 in figure 1-7 need layer 2 connectivity with each other, VXLAN tunnels must be established between VTEP_1, VTEP_2 and VTEP_3, as shown in figure 1-8.

Figure 1-8 schematic diagram of establishing a VXLAN tunnel (2)

What is "the same layer 2 domain"?

The "same layer 2 domain" mentioned above is similar to the concept of a VLAN (virtual local area network) in a traditional network; in a VXLAN network it simply goes by another name, Bridge-Domain, or BD for short.

Different VLANs are distinguished by VLAN ID; how are different BDs distinguished? As mentioned earlier, by VNI. On CloudEngine series switches the mapping between BD and VNI is 1:1 and is established by configuration on the VTEP device, as in the following example:

bridge-domain 10          // create the "large layer 2 broadcast domain" BD, numbered 10
 vxlan vni 5000           // under BD 10, associate VNI 5000 with it

Based on this configuration the VTEP device generates a BD-to-VNI mapping table, which can be viewed from the command line:

display vxlan vni
Number of vxlan vni : 1
VNI            BD-ID            State
---------------------------------------
5000           10               up

With the mapping table in place, a packet entering the VTEP can be given the right VNI during VXLAN encapsulation according to the BD it belongs to. So on what basis is a packet assigned to a BD?

How to determine which BD a message belongs to

Let's be clear here: VTEP is only a role played by the switch, one part of its functions. In other words, not every packet entering the switch goes through a VXLAN tunnel; a packet may instead follow the normal layer 2 or layer 3 forwarding process. So before answering "how do we determine which BD a packet belongs to", we first have to answer "which packets enter the VXLAN tunnel".

Which messages are going to enter the VXLAN tunnel?

Before answering that, recall how a switch handles received and sent frames in VLAN technology. To enter the switch for further processing, a frame must first pass through an interface; it is the interface that decides whether a frame lives or dies. Traditional networks define three interface types: Access, Trunk and Hybrid. Their application scenarios differ, but their purpose is the same: first, to check which frames are allowed through according to the configuration, and second, to decide what to do with the frames that pass the check.

In a VXLAN network the interface on the VTEP has a similar task, but on CloudEngine series switches it is not a physical interface but a logical one called a "layer 2 subinterface". A layer 2 subinterface likewise does two things: it checks which frames should enter the VXLAN tunnel according to its configuration, and it decides what to do with the frames that pass. Different flow encapsulation types can be defined on layer 2 subinterfaces as required (similar to the different interface types of traditional networks). CloudEngine series switches currently support four flow encapsulation types: dot1q, untag, qinq and default:

Dot1q: for frames carrying one VLAN tag, this type of interface only accepts frames whose tag matches the specified VLAN; for frames carrying two VLAN tags, it only accepts frames whose outer tag matches the specified VLAN.

Untag: this type of interface only accepts frames without a VLAN tag.

Qinq: this type of interface only accepts frames carrying the specified pair of VLAN tags (outer and inner).

Default: the interface accepts all frames whether or not they carry a VLAN tag. During both VXLAN encapsulation and decapsulation, this type of interface performs no VLAN tag processing on the original frame: no adding, replacing or stripping.

Besides layer 2 subinterfaces, a VLAN can also serve as the service access point. Once a VLAN is bound to a broadcast domain (BD), the interfaces that belong to that VLAN are VXLAN service access points, and frames entering them are processed by the VXLAN tunnel.

Add layer 2 subinterface to BD

Now the answer to "how do we determine which BD a packet belongs to" is simple: add the layer 2 subinterface to the intended BD, and the device determines the BD of each frame from the configuration of the layer 2 subinterface that admitted it.

For example, in the network of figure 1-9, a virtualized server hosts two virtual machines in different VLANs, VM1 (VLAN 10) and VM2 (VLAN 20), which need to enter the VXLAN network to communicate with other virtual machines. We can create different layer 2 subinterfaces for VM1 and VM2 on the VTEP's physical interface 10GE1/0/1, with different encapsulation, and add them to different BDs. The traffic of VM1 and VM2 is then forwarded into different VXLAN tunnels.

In this example the uplink of the vSwitch is configured in Trunk mode with PVID 20, so the frames the vSwitch sends to the VTEP contain both VM1 traffic with a VLAN tag and VM2 traffic without one. Two layer 2 subinterfaces are therefore created on the VTEP's interface, with flow encapsulation types dot1q and untag respectively.

Figure 1-9 adds layer 2 subinterfaces to BD

The following configuration example on a CloudEngine switch is based on the figure above.

On the access physical interface 10GE1/0/1 of the CloudEngine switch, the layer 2 subinterfaces 10GE1/0/1.1 and 10GE1/0/1.2 are created, with flow encapsulation types dot1q and untag respectively.

interface 10GE1/0/1.1 mode l2      // create layer 2 subinterface 10GE1/0/1.1
 encapsulation dot1q vid 10        // only frames carrying VLAN tag 10 are allowed into the VXLAN tunnel
 bridge-domain 10                  // the admitted frames enter BD 10
#
interface 10GE1/0/1.2 mode l2      // create layer 2 subinterface 10GE1/0/1.2
 encapsulation untag               // only untagged frames are allowed into the VXLAN tunnel
 bridge-domain 20                  // the admitted frames enter BD 20
#

How is the VXLAN tunnel established?

Now we can look at how the VXLAN tunnel is built. In general, tunnels are established either manually or automatically.

Manual establishment of VXLAN tunnel

In this method the user manually specifies the source IP of the VXLAN tunnel as the IP of the local VTEP and the destination IP as the IP of the peer VTEP, that is, a static VXLAN tunnel is configured by hand between the local and peer VTEPs.

On CloudEngine series switches this configuration is done under the NVE (Network Virtualization Edge) interface. A configuration example follows:

interface Nve1                        // create logical interface NVE 1
 source 1.1.1.1                       // IP address of the local (source) VTEP; a Loopback interface address is recommended
 vni 5000 head-end peer-list 2.2.2.2
 vni 5000 head-end peer-list 2.2.2.3

The two lines vni 5000 head-end peer-list 2.2.2.2 and vni 5000 head-end peer-list 2.2.2.3 declare that there are two peer VTEPs in VNI 5000, with IP addresses 2.2.2.2 and 2.2.2.3. From them the VTEP generates a table like the following:

display vxlan vni 5000 verbose
    BD ID                : 10
    State                : up
    NVE                  : 288
    Source Address       : 1.1.1.1
    Source IPv6 Address  : -
    UDP Port             : 4789
    BUM Mode             : head-end
    Group Address        : -
    Peer List            : 2.2.2.2 2.2.2.3
    IPv6 Peer List       : -

From the Peer List in this table the local VTEP knows which peer VTEPs belong to the same BD (that is, the same VNI), which defines the scope of that layer 2 broadcast domain. When the VTEP receives a BUM (Broadcast, Unknown-unicast and Multicast) frame, it copies it and sends a copy to every peer VTEP in the Peer List, just as a broadcast frame is flooded within a VLAN; the table is therefore also called the "head-end replication list". When the VTEP receives a known unicast frame, it uses its MAC table to decide which VXLAN tunnel the frame takes; here the peer listed in the Peer List plays the role of the "outbound interface" in the MAC table.

The message forwarding process described later shows how the head-end replication list guides forwarding in the VXLAN network.

Automatic establishment of VXLAN tunnel

Automatic establishment of VXLAN tunnels relies on the EVPN (Ethernet VPN) protocol, which is described in "What is EVPN".

How to determine which tunnel a packet goes into?

More than one VXLAN tunnel may belong to the same BD. For example, in the head-end replication list above, the one source VTEP (1.1.1.1) has two peer VTEPs (2.2.2.2 and 2.2.2.3). That raises another question: which tunnel should a packet take?

In basic layer 2 and layer 3 forwarding, layer 2 forwarding relies on the MAC table; if no matching MAC entry exists, the host sends an ARP broadcast to request the peer's MAC address. Layer 3 forwarding relies on the FIB table. The same holds in VXLAN.
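Pulling the pieces of this section together (layer 2 subinterface admission by flow encapsulation type, the BD-to-VNI mapping, the head-end replication list and the MAC table), here is an added Python model of the VTEP's forwarding decision; it is not the article's or CloudEngine's code. Interface names follow figure 1-9 and BD 10 -> VNI 5000 follows the configuration above, while BD 20 -> VNI 5001, the peer lists and all MAC addresses are assumptions made for the example.

```python
"""Added example (not from the original article): a toy model of how a VTEP
decides where a frame goes. Subinterface names follow figure 1-9; BD 20 ->
VNI 5001, the peer lists and the MAC addresses are assumptions."""
import struct
from dataclasses import dataclass

ETH_8021Q = 0x8100      # C-tag TPID
ETH_8021AD = 0x88A8     # S-tag TPID (QinQ outer tag)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


@dataclass(frozen=True)
class SubInterface:
    """A layer 2 subinterface: admission rule plus the BD it feeds."""
    name: str
    encap: str              # "dot1q", "untag", "qinq" or "default"
    bd: int
    outer_vid: int = 0
    inner_vid: int = 0

    def admits(self, tags):
        if self.encap == "default":
            return True                               # tagged or not
        if self.encap == "untag":
            return not tags
        if self.encap == "dot1q":
            # one tag must match; with two tags only the outer tag is compared
            return bool(tags) and tags[0] == self.outer_vid
        if self.encap == "qinq":
            return tags == [self.outer_vid, self.inner_vid]
        raise ValueError("unknown encapsulation %r" % self.encap)


def vlan_tags(frame):
    """VLAN IDs carried by the frame, outer first (802.1ad/802.1Q TPIDs at offset 12)."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in (ETH_8021Q, ETH_8021AD):
            break
        tags.append(tci & 0x0FFF)
        off += 4
    return tags


class Vtep:
    def __init__(self, subinterfaces, bd_vni, head_end_peers):
        self.subinterfaces = subinterfaces   # physical port -> [SubInterface, ...]
        self.bd_vni = bd_vni                 # BD -> VNI, 1:1
        self.peers = head_end_peers          # VNI -> head-end replication list
        self.mac_table = {}                  # (BD, MAC) -> ("local", subif) | ("tunnel", peer)

    def classify(self, port, frame):
        """First subinterface on the port whose rule admits the frame, else None."""
        tags = vlan_tags(frame)
        for sub in self.subinterfaces.get(port, []):
            if sub.admits(tags):
                return sub
        return None

    def learn_remote(self, bd, mac_addr, peer_ip):
        """What a decapsulated frame (or an EVPN route) teaches the MAC table."""
        self.mac_table[(bd, mac_addr)] = ("tunnel", peer_ip)

    def forward(self, port, frame):
        """Decisions for a frame arriving on a physical port, as (kind, target, vni)."""
        sub = self.classify(port, frame)
        if sub is None:
            return [("normal", port, None)]  # no VXLAN access point: ordinary L2/L3 forwarding
        vni = self.bd_vni[sub.bd]
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[(sub.bd, src)] = ("local", sub.name)   # source MAC learning, per BD
        entry = self.mac_table.get((sub.bd, dst))
        if dst[0] & 1 or entry is None:
            # BUM or unknown unicast: replicate to every peer of this VNI only. A MAC
            # learned in another BD is invisible here; that is the isolation VNIs give.
            return [("tunnel", peer, vni) for peer in self.peers.get(vni, [])]
        kind, target = entry
        return [(kind, target, vni)]


def make_frame(dst, src, tags=()):
    """Constructed Ethernet frame; two tags are emitted as 802.1ad outer + 802.1Q inner."""
    hdr = mac(dst) + mac(src)
    for i, vid in enumerate(tags):
        tpid = ETH_8021AD if (len(tags) == 2 and i == 0) else ETH_8021Q
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", 0x0800) + bytes(46)


def figure_1_9_vtep():
    """VTEP of figure 1-9: 10GE1/0/1.1 (dot1q 10 -> BD 10), 10GE1/0/1.2 (untag -> BD 20)."""
    subs = {"10GE1/0/1": [SubInterface("10GE1/0/1.1", "dot1q", 10, outer_vid=10),
                          SubInterface("10GE1/0/1.2", "untag", 20)]}
    return Vtep(subs, {10: 5000, 20: 5001},
                {5000: ["2.2.2.2", "2.2.2.3"], 5001: ["2.2.2.2"]})
```

The model keeps the MAC table keyed by (BD, MAC) on purpose: a frame in BD 20 addressed to a MAC that was learned in BD 10 is treated as unknown unicast and flooded only to the peers of VNI 5001, never sent into VNI 5000, which is the tenant isolation the VNI is meant to provide.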
