VXLAN Gateway

2025-01-18 Update From: SLTechnology News&Howtos (shulou) > Network Security


Shulou(Shulou.com)06/01 Report--


First, a quick comparison of the popular overlay technologies:

VXLAN: VXLAN encapsulates Ethernet frames in UDP for tunnelling. The UDP destination port is 4789 (the IANA-assigned value; it can be changed, but both VTEPs must agree). Because the outer packet is an ordinary IP/UDP 5-tuple, and the encapsulating VTEP sets the UDP source port from a hash of the inner headers, the IP underlay can load-share VXLAN traffic with its normal ECMP/LAG hashing without understanding VXLAN at all. The isolation identifier, the VNI, is a 24-bit field (about 16 million segments). All tenant traffic is carried as payload and forwarded on the outer headers only.

NVGRE: NVGRE uses the GRE tunnelling protocol defined in RFC 2784 and RFC 2890; Ethernet frames are encapsulated in GRE. The isolation identifier (the VSID) is also 24 bits. The main difference from VXLAN is load sharing: GRE has no port numbers, so NVGRE carries a flow ID in the GRE key field for load sharing, which requires the physical network to be able to parse that GRE extension.

STT: STT (Stateless Transport Tunneling) encapsulates Ethernet frames in a TCP-like header and uses a 64-bit Context ID as the isolation identifier. The main difference from VXLAN and NVGRE is that "stateless TCP": the header looks like TCP so that NIC offloads can be reused, but there is no handshake or connection state, so any device that tracks real TCP sessions (stateful firewalls, NAT) needs changes before it can carry STT.

// They all feel similar: each new technology is built by extending an old protocol to carry the new features.
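The VXLAN encapsulation described above, as an added example (this is not code from the original post): it builds the 8-byte VXLAN header, derives the outer UDP source port from the inner headers so the underlay can load-share, and decapsulates with the checks a receiving VTEP is expected to make. The header layout and port 4789 follow RFC 7348; the source-port hash (blake2b over the first 38 inner bytes) is an assumed stand-in for a real VTEP's 5-tuple hash, and the sample frame and its addresses are constructed.

```python
import hashlib
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08          # the "I" flag: a valid VNI is present
VNI_MAX = (1 << 24) - 1      # VNI is a 24-bit field, so 16,777,215 is the largest value


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + struct.pack("!I", vni << 8)


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port derived from the inner headers (assumption: the first 38
    bytes, i.e. Ethernet + IPv4 + L4 ports, stand in for the inner 5-tuple), so that
    different inner flows hash to different ECMP/LAG links in the underlay.
    Kept in the 49152-65535 range, as RFC 7348 recommends."""
    digest = hashlib.blake2b(inner_frame[:38], digest_size=2).digest()
    return 49152 + int.from_bytes(digest, "big") % 16384


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Outer UDP header + VXLAN header + original Ethernet frame (outer IP/Ethernet omitted)."""
    payload = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0: RFC 7348 allows a zero checksum over IPv4
    return struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0) + payload


def decapsulate(udp_datagram: bytes):
    """Validate and strip the UDP + VXLAN headers; return (vni, inner_frame).
    Note what is *not* checked: nothing authenticates the sender. Any host that can reach
    the VTEP on UDP/4789 can hand it a frame tagged with any VNI, so reachability of
    VTEP addresses must be restricted in the underlay."""
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp_datagram[:8])
    if dport != VXLAN_UDP_PORT or udp_len != len(udp_datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    flags = udp_datagram[8]
    vni_field = struct.unpack("!I", udp_datagram[12:16])[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set: no valid VNI, drop")
    return vni_field >> 8, udp_datagram[16:]   # reserved bits are ignored on receipt


def sample_inner_frame(src_ip=b"\x0a\x01\x01\x0b", dst_ip=b"\x0a\x01\x01\x0c") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (10.1.1.11 -> 10.1.1.12; IP checksum left zero)."""
    eth = bytes.fromhex("525400000012") + bytes.fromhex("525400000011") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 4, 0, 0, 64, 17, 0, src_ip, dst_ip)
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"ping"
    return eth + ip + udp


if __name__ == "__main__":
    frame = sample_inner_frame()
    datagram = encapsulate(100, frame)
    print("outer src port", int.from_bytes(datagram[:2], "big"), "->", decapsulate(datagram)[0])
```

The two error paths matter operationally: a VNI that does not fit in 24 bits is a configuration error that must fail loudly, and a datagram without the I flag carries no usable VNI and should be dropped rather than guessed at.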

Anyway, on to the VXLAN gateway:

Why is a VXLAN gateway needed?

Partly because of how VTEPs discover each other: VXLAN's original flood-and-learn design relies on multicast, which does not suit today's large-scale IDC deployments.

The other part of the reason is VXLAN's communication requirements, namely: communication between VMs in the same VNI; communication between VMs in different VNIs; communication between VMs and servers on the external network.

In any case, VXLAN always has two kinds of traffic:

1. BUM (broadcast, unknown-unicast and multicast) frames: a new conversation, where the VTEP behind the destination is not yet known and must be found, so the frame is flooded to every VTEP in the VNI.

2. Known unicast: once the peer's MAC address and its VTEP are known, frames are sent directly to that VTEP.

There are several categories of VXLAN gateways:

1. Layer 2 VXLAN gateway

Plain Layer 2 forwarding: VMs in the same VNI talk to each other (they find each other through the VNI's multicast group or flood list). A Layer 2 gateway maps a VLAN or physical port into a VNI and only bridges; it does not route.

2. Layer 3 VXLAN gateway

a. Access between different VNIs (the gateway is a member of both VNIs' multicast groups and acts as the intermediary)

b. Access between a VM and a server on the external network (requires Layer 3 routing)

Networking of VXLAN gateways (centralized and distributed):

Centralized VXLAN Gateway:

Taking the VM with address 10.1.1.11 as an example, Layer 3 communication between the VM and the external network proceeds as follows:

(1) When the VM (10.1.1.11) communicates across network segments at Layer 3, it first broadcasts an ARP request to resolve the MAC address of the VXLAN IP gateway (10.1.1.1). // Either way, the VM's packet first reaches its local VTEP.

(2) After receiving the ARP request, VTEP 1 adds VXLAN encapsulation and sends it to all remote VTEPs. // In effect, requests that do not match a learned forwarding entry have to be handed to the VXLAN gateway.

(3) VTEP 3 decapsulates the VXLAN packet and finds that the destination IP of the ARP request is the local gateway address for this VXLAN, i.e. the IP address of the VSI virtual interface associated with the VXLAN; it learns the ARP information of 10.1.1.11 and answers the VM with an ARP reply. // At this point the text does not say which MAC is used in the reply returned to VTEP 1 and the VM.

(4) After receiving the ARP reply, VTEP 1 forwards it to the VM.

(5) Having obtained the gateway's MAC address, the VM puts it in the Layer 2 header of its IP packet, and the frame is sent to VTEP 3 over the VXLAN network. // VTEP 3 should return its own MAC (???) in step 3. Doubt? Verified 2018-04-30, confirmed.

(6) VTEP 3 decapsulates the VXLAN packet, strips the inner link-layer header, forwards the inner IP packet at Layer 3, and sends it on to the final destination.

(7) When the return packet from the destination arrives at the gateway, the gateway builds the link-layer header for it from the learned ARP entry and sends it to the VM over the VXLAN network.

Communication between VMs in different VXLANs follows the same process, except that the centralized gateway of one VXLAN forwards the packet to the centralized gateway of the other VXLAN, which then forwards it to the corresponding VM in that VXLAN.

Distributed VXLAN Gateway:

Why distributed VXLAN gateways:

With a centralized VXLAN IP gateway, all traffic between different VXLANs and all traffic from VXLANs to external networks is processed by that one gateway, which puts heavy load on it and wastes network bandwidth (traffic has to hair-pin through it). In the distributed VXLAN IP gateway scheme, every VTEP can act as a VXLAN IP gateway and forwards Layer 3 traffic locally at its own site, which relieves the pressure on a central gateway.

In distributed VXLAN IP gateway networking, a VSI virtual interface must be created on every distributed VXLAN IP gateway (GW), and the same VSI virtual interface on different GWs must be configured with the same IP address, which serves as the gateway address of the VMs in that VXLAN. Local proxy ARP must be enabled on the distributed VXLAN IP gateways. A VSI virtual interface must also be created on the Border gateway and given an IP address different from the one on the GWs.

With the distributed VXLAN IP gateway scheme, Layer 3 traffic is forwarded by looking up ARP entries, which are learned dynamically through the ARP protocol.

1. Communication between VMs at different sites within the same VXLAN

Taking VM1 accessing VM4 as an example, the process for VMs at different sites within the same VXLAN is as follows:

(1) VM1 broadcasts an ARP request to obtain the MAC address of VM4. The request is received by GW1.

(2) After receiving the ARP request, GW1 learns VM1's ARP information and proxy-replies to the request: it sends an ARP reply to VM1 in which the answered MAC is the MAC address of VSI virtual interface 10.

(3) VM1 thus learns VM4's MAC address as the MAC of VSI virtual interface 10 on GW1.

(4) GW1 rewrites the source MAC of the received ARP request to the MAC of VSI virtual interface 10, encapsulates it in VXLAN, and sends it to all remote VTEPs in the VXLAN. // 1. Multicast. 2. The ARP payload is otherwise unchanged; it still asks for VM4.

(5) GW2 decapsulates the VXLAN packet, learns VM1's ARP information (IP = 10.1.1.11, MAC = MAC of VSI virtual interface 10 on GW1, outgoing interface = the tunnel interface on which the VXLAN packet arrived), rewrites the source MAC of the ARP request to the MAC of its local VSI virtual interface 10, and broadcasts it in the local site of VXLAN 10. // Proxy ARP again.

(6) VM4 receives the ARP request, learns VM1's ARP information (IP = 10.1.1.11, MAC = MAC of VSI virtual interface 10 on GW2), and sends an ARP reply to GW2.

(7) GW2 receives VM4's ARP reply, learns VM4's ARP information, rewrites the source MAC of the reply to the MAC of its local VSI virtual interface 10, VXLAN-encapsulates the reply according to the learned ARP entry, and sends it to GW1.

(8) GW1 decapsulates the VXLAN packet and learns VM4's ARP information from the reply (IP = 10.1.1.12, MAC = MAC of VSI virtual interface 10 on GW2, outgoing interface = the tunnel interface on which the VXLAN packet arrived).

(9) Once ARP has been learned as above, packets from VM1 to VM4 are forwarded according to the learned ARP entries: VM1 sends the packet to GW1; GW1 VXLAN-encapsulates it and sends it to GW2; GW2 decapsulates it and delivers it to VM4.

// What you can see is that, apart from proxy ARP, the VSI interface's IP is never used, only its MAC. So the same VSI IP on every GW is feasible.

2. Communication between VMs in different VXLANs at different sites

Taking VM1 accessing VM5 as an example, the process for VMs in different VXLANs is as follows:

(1) VM1 broadcasts an ARP request to obtain the MAC address of its gateway, 10.1.1.1.

(2) GW1 receives the ARP request, learns VM1's ARP information, and sends an ARP reply to VM1; the answered MAC is the MAC address of VSI virtual interface 10. // Proxy ARP

(3) VM1 sends the packet destined for VM5 to GW1.

(4) GW1 broadcasts an ARP request to the local site and all remote sites of the VXLAN to obtain VM5's MAC address. The source IP of the ARP request is 20.1.1.1 and the source MAC is the MAC of the local VSI virtual interface 20. // GW1 directly ARPs with the IP of VNI 20, which shows that it already knows VM5 belongs to VNI 20.

(5) GW2 receives the VXLAN packet over the VXLAN tunnel, decapsulates it, learns GW1's ARP information (IP = 20.1.1.1, MAC = MAC of VSI virtual interface 20 on GW1, outgoing interface = the tunnel interface on which the VXLAN packet arrived), rewrites the source MAC of the ARP request to the MAC of its local VSI virtual interface 20, and broadcasts it in the local site of VXLAN 20. // Note: GW2 changed the MAC but not the IP!!! The IP stays the same!

(6) VM5 receives the ARP request, learns GW2's ARP information (IP = 20.1.1.1, MAC = MAC of VSI virtual interface 20 on GW2), and sends an ARP reply to its local gateway GW2.

(7) GW2 receives VM5's ARP reply, learns VM5's ARP information, rewrites the source MAC of the reply to the MAC of its local VSI virtual interface 20, VXLAN-encapsulates the reply according to the learned ARP entry, and sends it to GW1.

(8) GW1 decapsulates the VXLAN packet and learns VM5's ARP information from the reply (IP = 20.1.1.12, MAC = MAC of VSI virtual interface 20 on GW2, outgoing interface = the tunnel interface on which the VXLAN packet arrived).

(9) Once ARP has been learned as above, packets from VM1 to VM5 are forwarded according to the learned ARP entries: VM1 sends the packet to GW1; GW1 VXLAN-encapsulates it and sends it to GW2; GW2 decapsulates it and delivers it to VM5.

Question: unresolved // 2018-05-03

// During the exchange between GW1 and GW2, both use the VNI 20 address 20.1.1.1. Note that they are sending ARP packets: although the destination IPs differ, the source IP is the same. GW2 receives an ARP request whose sender IP is its own IP but with a different MAC, and still processes it normally. Is this necessary, or is there another reason?

Layer 3 communication between a VM and the external network

For a VM to communicate with the external network at Layer 3, the distributed VXLAN IP gateway local to the VM must send that traffic to the Border as its next hop. This can be done in either of two ways:

· Configure a static route on the local distributed VXLAN IP gateway whose next hop is the IP address of the VSI virtual interface for the same VXLAN on the Border.

· Configure policy routing on the local distributed VXLAN IP gateway and, with the apply default-next-hop command, set the packet's default next hop to the IP address of the VSI virtual interface for the same VXLAN on the Border.

Taking VM1 accessing host 50.1.1.1 on the external network as an example, the Layer 3 process for a VM accessing the external network is as follows:

(1) VM1 broadcasts an ARP request to obtain the MAC address of its gateway, 10.1.1.1.

(2) GW1 receives the ARP request, learns VM1's ARP information, and sends an ARP reply to VM1; the answered MAC is the MAC address of VSI virtual interface 10. // Proxy ARP

(3) VM1 sends the packet destined for the external network to GW1.

(4) GW1 receives the packet and, according to the policy route, determines that its next hop is 10.1.1.2. GW1 broadcasts an ARP request to the local and remote sites of VXLAN 10 to obtain the MAC address corresponding to 10.1.1.2. // That is, GW1 already knows that the destination is on the external network.

(5) The Border decapsulates the VXLAN packet, learns GW1's ARP information, and sends an ARP reply back through the VXLAN tunnel. // The answer is the MAC address of 10.1.1.2.

(6) GW1 decapsulates the VXLAN packet and obtains the ARP information for 10.1.1.2.

(7) GW1 builds the link-layer header (MAC address corresponding to 10.1.1.2) for the packet sent by VM1 according to the obtained information, and sends the packet to the Border through the VXLAN tunnel.

(8) The Border decapsulates the packet and forwards it at Layer 3.
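The three distributed-gateway procedures above (same VXLAN across sites, different VXLANs across sites, and VM to external network via the Border) all rest on one mechanism: the GW proxy-answers every ARP request with its own VSI MAC, relays the request over the tunnels with the source MAC rewritten, and each side learns "IP -> remote VSI MAC, out of the tunnel it came from". The model below is an added example written for this post, not vendor code, and it replays all three cases against that mechanism so the learned ARP tables and the hop-by-hop path can be inspected. The topology (GW1, GW2, Border, VM1/VM4/VM5, VSI MACs, the 10.1.1.2 Border address and the default route) is constructed from the text; the model records GW2 learning 20.1.1.1 behind the tunnel exactly as step (5) says and does not attempt to settle the open question above. It covers the distributed scheme only.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology. 10.1.1.1 and 20.1.1.1 are configured as the gateway address on
# every distributed GW; the Border has its own VSI address 10.1.1.2 (as the text describes).
VSI_SUBNET = {10: ip_network("10.1.1.0/24"), 20: ip_network("20.1.1.0/24")}


@dataclass
class ArpEntry:
    mac: str
    out_if: str      # "local" or "tunnel:<peer VTEP name>"


@dataclass
class Gateway:
    name: str
    vsi_mac: dict    # vni -> MAC of this device's VSI virtual interface
    vsi_ip: dict     # vni -> IP of that VSI virtual interface
    vms: dict = field(default_factory=dict)     # (vni, ip) -> MAC of a locally attached VM
    arp: dict = field(default_factory=dict)     # ip -> ArpEntry learned by this gateway
    vm_arp: dict = field(default_factory=dict)  # (vni, vm ip) -> {ip: mac} as seen by that VM
    routes: dict = field(default_factory=dict)  # "default" -> next-hop IP toward the Border
    peers: list = field(default_factory=list, repr=False, compare=False)  # VXLAN tunnel neighbours

    @staticmethod
    def vni_of(ip):
        return next((v for v, net in VSI_SUBNET.items() if ip_address(ip) in net), None)

    def proxy_arp(self, vni, vm_ip, vm_mac, target_ip):
        """Steps 1-3: learn the asking VM, answer with our VSI MAC; if the target is another
        VM rather than the gateway address itself, also relay the request over the tunnels."""
        self.vms[(vni, vm_ip)] = vm_mac
        self.arp[vm_ip] = ArpEntry(vm_mac, "local")
        self.vm_arp.setdefault((vni, vm_ip), {})[target_ip] = self.vsi_mac[vni]
        if target_ip != self.vsi_ip[vni]:
            self.resolve(vni, vm_ip, target_ip)
        return self.vsi_mac[vni]

    def resolve(self, vni, sender_ip, target_ip):
        """Step 4: flood the ARP request to all remote VTEPs in the VNI, re-sourced with our VSI MAC."""
        if target_ip not in self.arp:
            for peer in self.peers:
                peer.on_tunnel_arp_request(vni, sender_ip, self.vsi_mac[vni], target_ip, self)
        return self.arp.get(target_ip)

    def on_tunnel_arp_request(self, vni, sender_ip, sender_mac, target_ip, src_gw):
        if vni not in self.vsi_mac:
            return                                  # this VTEP is not a member of the VNI
        # Step 5: learn the sender behind the tunnel (MAC = remote VSI MAC, out_if = tunnel).
        self.arp[sender_ip] = ArpEntry(sender_mac, f"tunnel:{src_gw.name}")
        if target_ip == self.vsi_ip.get(vni):      # request is for our own VSI IP (Border case)
            src_gw.arp[target_ip] = ArpEntry(self.vsi_mac[vni], f"tunnel:{self.name}")
            return
        vm_mac = self.vms.get((vni, target_ip))
        if vm_mac is None:
            return                                  # target is not at this site
        # Step 6: the VM sees the local VSI MAC as the sender; steps 7-8: the reply is learned
        # here and goes back over the tunnel, again re-sourced with this GW's VSI MAC.
        self.vm_arp.setdefault((vni, target_ip), {})[sender_ip] = self.vsi_mac[vni]
        self.arp[target_ip] = ArpEntry(vm_mac, "local")
        src_gw.arp[target_ip] = ArpEntry(self.vsi_mac[vni], f"tunnel:{self.name}")

    def forward(self, src_ip, dst_ip):
        """Step 9 (data plane): bridge inside the VNI, route between VNIs, or follow the
        static/policy route toward the Border for addresses outside every VSI subnet."""
        dst_vni = self.vni_of(dst_ip)
        next_hop = dst_ip if dst_vni is not None else self.routes["default"]
        dst_vni = dst_vni if dst_vni is not None else self.vni_of(next_hop)
        entry = self.arp.get(next_hop) or self.resolve(dst_vni, self.vsi_ip[dst_vni], next_hop)
        if entry is None:
            raise LookupError(f"{next_hop} could not be resolved")
        path = [f"{src_ip}->{self.name}"]
        if entry.out_if == "local":
            return path + [f"{self.name}->{dst_ip}"]
        peer = next(p for p in self.peers if entry.out_if == f"tunnel:{p.name}")
        return path + [f"{self.name}=VXLAN({dst_vni})=>{peer.name}", f"{peer.name}->{dst_ip}"]


def build_fabric():
    """GW1 hosts VM1; GW2 hosts VM4 (VNI 10) and VM5 (VNI 20); Border has a VSI on VNI 10 only."""
    gw1 = Gateway("GW1", {10: "00:11:10:00:00:01", 20: "00:11:20:00:00:01"}, {10: "10.1.1.1", 20: "20.1.1.1"})
    gw2 = Gateway("GW2", {10: "00:22:10:00:00:02", 20: "00:22:20:00:00:02"}, {10: "10.1.1.1", 20: "20.1.1.1"})
    border = Gateway("Border", {10: "00:bb:10:00:00:0b"}, {10: "10.1.1.2"})
    gw1.peers, gw2.peers, border.peers = [gw2, border], [gw1, border], [gw1, gw2]
    gw1.vms[(10, "10.1.1.11")] = "52:54:00:00:00:11"   # VM1
    gw2.vms[(10, "10.1.1.12")] = "52:54:00:00:00:12"   # VM4
    gw2.vms[(20, "20.1.1.12")] = "52:54:00:00:00:15"   # VM5
    gw1.routes["default"] = "10.1.1.2"                 # static/policy route: non-VXLAN destinations via Border
    return gw1, gw2, border


def run_case(dst_ip):
    """VM1 ARPs for its first hop (VM4 itself when in the same VNI, otherwise the gateway),
    then sends to dst_ip. Returns (MAC answered to VM1, hop-by-hop path, fabric)."""
    gw1, gw2, border = build_fabric()
    first_hop = dst_ip if Gateway.vni_of(dst_ip) == 10 else gw1.vsi_ip[10]
    answered = gw1.proxy_arp(10, "10.1.1.11", "52:54:00:00:00:11", first_hop)
    return answered, gw1.forward("10.1.1.11", dst_ip), (gw1, gw2, border)


if __name__ == "__main__":
    for dst in ("10.1.1.12", "20.1.1.12", "50.1.1.1"):
        mac, path, _ = run_case(dst)
        print(f"VM1 -> {dst}: ARP answered with {mac}; path {' '.join(path)}")
```

Running it shows the property the post's comments point at: VM1 is handed the same VSI MAC whatever it asks for, and every ARP entry that crosses a tunnel carries a VSI MAC rather than a VM MAC, so only the MAC of the VSI interface is ever used on the wire and the shared VSI IP never collides in the forwarding tables.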
