Vxlan-vxlan layer 2 interworking without tunnel mode

2025-04-09 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

I. Basic concepts of VXLAN

VXLAN is a network virtualization technology in the NVO3 (Network Virtualization over Layer 3) family. The packets sent by a virtual machine are encapsulated in UDP, with the IP and MAC addresses of the physical network as the outer header, and transmitted over the IP network; when they reach the destination, the tunnel endpoint decapsulates the data and delivers it to the target virtual machine.

Schematic diagram of VXLAN structure:

Basic concepts of VXLAN:

Underlay network and Overlay network

VXLAN technology takes the existing physical network as the Underlay network and builds a virtual layer 2 or layer 3 network on top of it, the Overlay network. Through encapsulation, and using the layer 3 forwarding paths provided by the Underlay network, the Overlay network carries tenant packets between different sites. To tenants the Underlay network is transparent; they perceive only the Overlay network.

NVE (Network Virtualization Edge)

The network virtualization edge (NVE) is the network entity that implements the network virtualization function. After packets are encapsulated and converted by NVEs, a layer 2 virtualized network can be established between NVEs on top of the layer 3 underlying network.

Description:

Both a physical device and the virtual switch (vSwitch) on a server can act as an NVE.

Depending on where the NVE is deployed, there are three modes:

Hardware mode: all NVEs are deployed on devices that support NVE, and all VXLAN packets are encapsulated and decapsulated on the devices.

Software mode: all NVEs are deployed on vSwitches, and all VXLAN packets are encapsulated and decapsulated on the vSwitches.

Mixed mode: some NVEs are deployed on vSwitches and some on devices that support NVE; VXLAN packets may be encapsulated and decapsulated on both vSwitches and devices.

VTEP (VXLAN Tunnel Endpoints)

A VTEP is the endpoint of a VXLAN tunnel. It resides in the NVE and performs the encapsulation and decapsulation of VXLAN packets.

The VTEP is connected to the physical network and is assigned an IP address from the physical network, which is independent of the virtual network.

The source IP address of a VXLAN packet is the VTEP address of the local node, and the destination IP address is the VTEP address of the peer node. A pair of VTEP addresses corresponds to one VXLAN tunnel.

VNI (VXLAN Network Identifier)

The VXLAN network identifier (VNI) is similar to a VLAN ID and is used to distinguish VXLAN segments. Virtual machines in different VXLAN segments cannot communicate with each other directly at layer 2.

One VNI represents one tenant, even if multiple end users belong to the same VNI. The VNI is 24 bits long, so up to 16M tenants are supported.

In a distributed gateway deployment, VNIs are divided into layer 2 VNIs and layer 3 VNIs.

A layer 2 VNI is an ordinary VNI, mapped 1:1 to a bridge domain (BD), and is used to forward VXLAN packets within a subnet.

A layer 3 VNI is associated with a VPN instance and is used to forward VXLAN packets across subnets.

BD (Bridge Domain)

A BD is the layer 2 broadcast domain that forwards packets in a VXLAN network.

In a VXLAN network, the VNI is mapped 1:1 to a bridge domain, and the BD becomes the entity that forwards packets in the VXLAN network.

VBDIF interface

A layer 3 logical interface created on a BD. By configuring an IP address on the VBDIF interface, communication between VXLANs on different network segments, between VXLAN and non-VXLAN networks, and from the layer 2 network to the layer 3 network can be realized.

VAP (Virtual Access Point)

The virtual access point (VAP), i.e. the VXLAN service access point, can be a layer 2 sub-interface or a VLAN:

When the access point is a layer 2 sub-interface, different sub-interfaces accept different packets according to the flow encapsulation type configured on them. Once the layer 2 sub-interface is associated with a bridge domain (BD), packets can be forwarded through the BD.

When the service access point is a VLAN, the VLAN must be bound to a bridge domain (BD), and packets are likewise forwarded through the BD.

Gateway (Gateway)

As with VLANs, VXLANs with different VNIs cannot communicate directly, and neither can a VXLAN and a non-VXLAN network. To allow communication between VXLANs, and between VXLAN and non-VXLAN networks, VXLAN introduces the VXLAN gateway.

VXLAN gateways are divided into:

Layer 2 gateway: gives tenants access to the VXLAN virtual network, and can also serve communication within the same subnet of a VXLAN virtual network.

Layer 3 gateway: used for cross-subnet communication between VXLAN virtual networks and for access to external networks.

Message encapsulation type

When the service access point is a layer 2 sub-interface, different sub-interfaces are configured with different flow encapsulation types to accept different packets. Once the layer 2 sub-interface is associated with a bridge domain (BD), packets can be forwarded through the BD.

Table: packet flow encapsulation types (each flow encapsulation type is followed by its description)

Flow encapsulation type: Dot1q

Description: for packets carrying a single VLAN tag, an interface of this type only accepts packets whose tag matches the specified VLAN tag; for packets carrying two VLAN tags, it only accepts packets whose outer VLAN tag matches the specified VLAN tag.

When the original packet is VXLAN-encapsulated, this type of interface strips the outermost VLAN tag.

When the VXLAN packet is decapsulated, the specified VLAN tag is added before the packet is forwarded.

The VLAN ID of a Dot1q layer 2 sub-interface can be a range. In that case the interface transparently transmits packets without stripping the VLAN tag.

When the flow encapsulation type is dot1q, the following restrictions apply:

The VID encapsulated by the layer 2 sub-interface cannot be the same as a VLAN allowed on the corresponding layer 2 main interface, nor the same as a VLAN in a MUX VLAN.

The VLAN IDs encapsulated by layer 2 and layer 3 sub-interfaces cannot be the same.

The VLAN IDs of Dot1q layer 2 sub-interfaces under the same main interface cannot overlap.

Flow encapsulation type: Untag

Description: this type of interface only accepts packets without a VLAN tag.

When the original packet is VXLAN-encapsulated, this type of interface does not add any VLAN tag.

When the VXLAN packet is decapsulated, if the inner packet carries a VLAN tag, the tag is stripped (for a QinQ packet only the outer VLAN tag is stripped) before the packet is forwarded.

When the flow encapsulation type is untag, the following restrictions apply:

Make sure that the physical interface corresponding to the layer 2 sub-interface has no configuration on it and has left the default VLAN.

Only untag type layer 2 sub-interfaces can be created on layer 2 physical interfaces (including Eth-Trunk interfaces).

Only one untag type layer 2 sub-interface can be created under a main interface.

Flow encapsulation type: QinQ

Description: this type of interface only accepts packets carrying the specified two VLAN tags.

When the original packet is VXLAN-encapsulated by this type of interface, if the VLAN tag action configured on the layer 2 sub-interface is to strip both VLAN tags, all VLAN tags of the packet are stripped. If the sub-interface is not configured to strip both VLAN tags, all VLAN tags of the packet are retained.

When the VXLAN packet is decapsulated, if the VLAN tag action configured on the layer 2 sub-interface is to strip both VLAN tags, the specified two VLAN tags are added before the packet is forwarded. If the sub-interface is not configured to strip both VLAN tags, the packet is forwarded with its VLAN tags unchanged.

When the flow encapsulation type of the layer 2 sub-interface is Default, Dot1q transparent transmission (configured with the rewrite no-action command) or QinQ transparent transmission (the rewrite pop double command not configured), the BD does not support configuring IGMP Snooping, configuring DHCP Snooping, creating a VBDIF interface, or configuring ARP broadcast suppression.

Description:

The flow types of the QinQ sub-interfaces bound to the same BD must be consistent.

If a VLAN range is configured on a QinQ layer 2 sub-interface, the rewrite pop double command is not supported at the same time.

The outer VLAN encapsulated on a QinQ layer 2 sub-interface cannot be the same as the default VLAN configured on the corresponding layer 2 main interface, nor a VLAN that the main interface allows to pass.

Flow encapsulation type: Default

Description: the interface accepts all packets, whether or not they carry a VLAN tag.

Whether the original packet is being VXLAN-encapsulated or a VXLAN packet is being decapsulated, this type of interface performs no VLAN tag processing on the original packet: no adding, replacing or stripping.

When the flow encapsulation type is default, the following restrictions apply:

Make sure that the corresponding main interface has not joined any VLAN.

Only default type layer 2 sub-interfaces can be created on layer 2 physical interfaces (including Eth-Trunk interfaces).

Once a default type layer 2 sub-interface is created under a main interface, no other type of layer 2 sub-interface may be created under it.

VXLAN packet format

VXLAN is a MAC-in-UDP network virtualization technology, so its packet encapsulation adds a UDP encapsulation and a VXLAN header in front of the original Ethernet frame.

Message format description:

VXLAN network model

VTEP (VXLAN Tunnel Endpoint)

The edge device of the VXLAN network; it is the start and end point of a VXLAN tunnel and performs the encapsulation and decapsulation of VXLAN packets. A VTEP can be deployed either on a network device (an access switch) or on a vSwitch (a virtual switch on a server).

VNI (VXLAN Network Identifier)

A VNI is a network identifier similar to a VLAN ID, used to identify a VXLAN layer 2 network. One VNI represents one VXLAN segment, and virtual machines in different VXLAN segments cannot communicate with each other directly at layer 2.

VXLAN tunnel

A logical tunnel established between two VTEPs for transmitting VXLAN packets. On entering the VXLAN tunnel, the service packet is encapsulated with VXLAN, UDP and IP headers, transparently forwarded to the remote VTEP by layer 3 forwarding, and decapsulated by the remote VTEP.

VXLAN message forwarding process

Taking communication between VMs on the same network segment as an example, the packet forwarding process in a VXLAN network is as follows.

1. VM1 sends a packet whose destination address is VM2.

2. After receiving the packet, VTEP1 performs VXLAN encapsulation; the outer destination IP of the encapsulated packet is VTEP2. Based on the outer MAC and IP information, the encapsulated packet is transmitted across the IP network until it reaches the peer VTEP2.

3. After receiving the packet, VTEP2 decapsulates it to obtain the original packet sent by VM1 and forwards it to VM2.
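The packet format and the three forwarding steps above, worked through in code. This is an added example, not code from the article or from any vendor: it builds the outer Ethernet/IPv4/UDP/VXLAN encapsulation around a tenant frame the way VTEP1 would, then decapsulates it the way VTEP2 would, checking the outer IPv4 checksum, the UDP port and the VXLAN I flag, and looking the VNI up in the VNI-to-BD table before handing the inner frame on. The header layout and UDP port 4789 come from RFC 7348; the MAC and VTEP addresses are constructed sample values, and the VNI 5000 to bd10 mapping is the one the article configures.

```python
import struct

# Constants from RFC 7348 (the VXLAN specification), not from the article.
VXLAN_UDP_PORT = 4789        # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field carries a valid VNI
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17

# Constructed sample values (assumptions, not taken from the article):
VM1_MAC, VM2_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"      # inner (tenant) MACs
VTEP1_MAC, VTEP2_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # outer (underlay) MACs
VTEP1_IP, VTEP2_IP = "10.1.1.1", "10.1.1.2"                      # underlay VTEP addresses
VNI_TO_BD = {5000: 10}       # the article's mapping: VNI 5000 -> bridge domain 10


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header (even length)."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_header(vni):
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(data):
    flags, vni_field = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    return vni_field >> 8


def build_inner_frame(src_mac, dst_mac, payload):
    """The original untagged Ethernet frame as sent by the VM."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_IPV4 + payload


def vtep_encapsulate(inner_frame, vni, src_mac, dst_mac, src_ip, dst_ip, src_port=49152):
    """VTEP1 side: wrap the tenant frame in VXLAN / UDP / IPv4 / outer Ethernet."""
    vxlan = build_vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + udp
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_IPV4 + ip


def vtep_decapsulate(packet, vni_to_bd):
    """VTEP2 side: validate the outer headers, map the VNI to a BD and return the
    original frame; return None for anything that must be dropped."""
    if packet[12:14] != ETHERTYPE_IPV4:
        return None
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4
    # checksum over a header that includes its own checksum field must come out 0
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP or ipv4_checksum(ip[:ihl]) != 0:
        return None
    udp = ip[ihl:]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(udp):
        return None
    try:
        vni = parse_vxlan_header(udp[8:16])
    except ValueError:
        return None
    if vni not in vni_to_bd:   # unknown segment: drop rather than flood into any BD
        return None
    return {"vtep_src": ip_str(ip[12:16]), "vni": vni,
            "bd": vni_to_bd[vni], "inner": udp[16:]}


def demo():
    inner = build_inner_frame(VM1_MAC, VM2_MAC, b"icmp-echo-placeholder")
    wire = vtep_encapsulate(inner, 5000, VTEP1_MAC, VTEP2_MAC, VTEP1_IP, VTEP2_IP)
    return inner, wire, vtep_decapsulate(wire, VNI_TO_BD)


if __name__ == "__main__":
    inner, wire, result = demo()
    print(f"inner {len(inner)} bytes, on the wire {len(wire)} bytes (+{len(wire) - len(inner)})")
    print(f"from VTEP {result['vtep_src']} VNI {result['vni']} -> bd{result['bd']}")
```

The 50 bytes added on the wire are the outer Ethernet (14), IPv4 (20), UDP (8) and VXLAN (8) headers, which is why the underlay MTU has to be raised above the tenant MTU. The decapsulation side deliberately drops packets whose VNI has no BD mapping: a VTEP that forwarded any VNI it received would let traffic cross segment boundaries that the VNI is supposed to enforce.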

Network architecture

In the data center network there is only the so-called spine (backbone) and leaf architecture, which differs from the traditional access, aggregation and core architecture.

2. Basic experiment of VXLAN

2.1 Configure VXLAN layer 2 interworking (no-tunnel mode)

Only Spine-1 deploys VXLAN; the Leaf-1A and Leaf-1B switches simulate PCs, so that VXLAN provides layer 2 interworking just as a VLAN would.

Lab Topology:

1. Configure the IP addresses of Leaf-1A and Leaf-1B

Leaf-1A:

<HUAWEI> system-view immediately            # enter system view; configuration takes effect immediately
[HUAWEI] sysname Leaf-1A
[Leaf-1A] interface GE1/0/5
[Leaf-1A-GE1/0/5] undo portswitch           # switch the interface to layer 3 mode
[Leaf-1A-GE1/0/5] ip address 192.168.10.1 24   # configure the IP address

Leaf-1B:

[HUAWEI] sysname Leaf-1B
[Leaf-1B] interface GE1/0/6
[Leaf-1B-GE1/0/6] undo portswitch           # switch the interface to layer 3 mode
[Leaf-1B-GE1/0/6] ip address 192.168.10.2 24

2. Configure the basic VXLAN settings on Spine-1

[HUAWEI] sysname Spine-1
[Spine-1] bridge-domain 10                  # create bridge domain 10, a layer 2 broadcast domain
[Spine-1-bd10] vxlan vni 5000               # map VNI 5000 to bd10
Info: Please disable dynamic ARP learning when the controller is used to deliver ARP entries.
[Spine-1-bd10] quit

3. Configure the service access points on Spine-1

[Spine-1] interface GE1/0/5.1 mode L2       # create layer 2 sub-interface GE1/0/5.1
[Spine-1-GE1/0/5.1] encapsulation untag     # flow encapsulation type untag
Warning: Exercise caution when configuring an untagged default sub-interface and ensure that no configurations exist on the main interface before you configure an untagged default sub-interface. Otherwise, it will produce unpredictable results.
[Spine-1-GE1/0/5.1] bridge-domain 10        # bind the layer 2 sub-interface to the bd10 broadcast domain
[Spine-1-GE1/0/5.1] quit
[Spine-1] interface GE1/0/6.1 mode L2
[Spine-1-GE1/0/6.1] encapsulation untag
Warning: Exercise caution when configuring an untagged default sub-interface and ensure that no configurations exist on the main interface before you configure an untagged default sub-interface. Otherwise, it will produce unpredictable results.
[Spine-1-GE1/0/6.1] bridge-domain 10
[Spine-1-GE1/0/6.1] quit
[Spine-1]

4. Verify the configuration results

Ping Leaf-1B from Leaf-1A:

This proves that Leaf-1A and Leaf-1B are in the same layer 2 domain, bd10, with the same VNI.

Capture packets on GE1/0/5 of Leaf-1A:

The IPv4 ICMP packets are seen as normal.

Capture packets on GE1/0/5 of Spine-1:

Likewise normal ICMP packets.

View the MAC address table on Spine-1:

In the layer 2 broadcast domain bd10, the layer 2 sub-interfaces have dynamically learned the MAC addresses of Leaf-1A and Leaf-1B.
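The restrictions listed in the flow encapsulation table and the Spine-1 configuration above are easy to violate by hand, and the switch only warns about some of them. The following is an added example, not part of the article or of any vendor tooling: a small lint over a simplified model of the bridge-domain and sub-interface configuration that checks the rules the article states (VNI mapped 1:1 to a BD, every access point bound to a BD with a VNI, at most one untag sub-interface per main interface, a default sub-interface excluding all others, untag/default requiring a main interface that has joined no VLAN, dot1q or QinQ VIDs not colliding with the main interface's VLANs, dot1q VIDs not overlapping under one main interface, and QinQ sub-interfaces in one BD using the same rewrite action). The SubIf and Config classes and the broken sample configuration are constructed for the example; the good configuration mirrors the article's Spine-1.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SubIf:
    name: str                  # e.g. "GE1/0/5.1"
    main: str                  # parent interface, e.g. "GE1/0/5"
    encap: str                 # flow encapsulation type: dot1q, untag, qinq or default
    bd: Optional[int]          # bridge domain bound with `bridge-domain <id>`, None if missing
    vids: Set[int] = field(default_factory=set)  # VLAN IDs matched (dot1q) or outer VID (qinq)
    pop_double: bool = False   # qinq only: `rewrite pop double` configured


@dataclass
class Config:
    bd_vni: Dict[int, int]            # bridge domain -> VNI (from `vxlan vni`)
    main_vlans: Dict[str, Set[int]]   # main interface -> VLANs it has joined / allows
    subifs: List[SubIf]


def lint(cfg: Config) -> List[str]:
    findings = []
    # VNI and BD must map 1:1
    vni_owner = {}
    for bd, vni in cfg.bd_vni.items():
        if vni in vni_owner:
            findings.append(f"vni {vni}: mapped to both bd {vni_owner[vni]} and bd {bd}")
        vni_owner[vni] = bd
    # every access point must land in a BD that carries a VNI
    for s in cfg.subifs:
        if s.bd is None:
            findings.append(f"{s.name}: not bound to a bridge domain")
        elif s.bd not in cfg.bd_vni:
            findings.append(f"{s.name}: bd {s.bd} has no vxlan vni")
    by_main: Dict[str, List[SubIf]] = {}
    for s in cfg.subifs:
        by_main.setdefault(s.main, []).append(s)
    for main, subs in by_main.items():
        allowed = cfg.main_vlans.get(main, set())
        kinds = [s.encap for s in subs]
        if "default" in kinds and len(subs) > 1:
            findings.append(f"{main}: a default sub-interface excludes other sub-interfaces")
        if kinds.count("untag") > 1:
            findings.append(f"{main}: more than one untag sub-interface")
        if allowed and ("untag" in kinds or "default" in kinds):
            findings.append(f"{main}: untag/default sub-interface but main interface joined VLANs {sorted(allowed)}")
        tagged = [s for s in subs if s.encap in ("dot1q", "qinq")]
        for i, a in enumerate(tagged):
            if a.vids & allowed:
                findings.append(f"{a.name}: VID {sorted(a.vids & allowed)} also allowed on {main}")
            for b in tagged[i + 1:]:
                if a.encap == b.encap == "dot1q" and a.vids & b.vids:
                    findings.append(f"{a.name}/{b.name}: overlapping dot1q VIDs {sorted(a.vids & b.vids)}")
    # QinQ sub-interfaces bound to one BD must use the same rewrite action
    qinq_actions: Dict[int, Set[bool]] = {}
    for s in cfg.subifs:
        if s.encap == "qinq" and s.bd is not None:
            qinq_actions.setdefault(s.bd, set()).add(s.pop_double)
    for bd, actions in qinq_actions.items():
        if len(actions) > 1:
            findings.append(f"bd {bd}: qinq sub-interfaces mix 'rewrite pop double' and transparent mode")
    return findings


# The article's Spine-1: GE1/0/5.1 and GE1/0/6.1 untag, both in bd10 = VNI 5000
SPINE1 = Config(
    bd_vni={10: 5000},
    main_vlans={},
    subifs=[SubIf("GE1/0/5.1", "GE1/0/5", "untag", 10),
            SubIf("GE1/0/6.1", "GE1/0/6", "untag", 10)],
)

# Constructed configuration that breaks several of the rules at once
BROKEN = Config(
    bd_vni={10: 5000, 20: 5000},
    main_vlans={"GE1/0/5": {100}},
    subifs=[SubIf("GE1/0/5.1", "GE1/0/5", "dot1q", 10, {100}),
            SubIf("GE1/0/5.2", "GE1/0/5", "dot1q", 10, {100, 101}),
            SubIf("GE1/0/6.1", "GE1/0/6", "untag", 30),
            SubIf("GE1/0/6.2", "GE1/0/6", "untag", 10),
            SubIf("GE1/0/7.1", "GE1/0/7", "qinq", 20, {200}, pop_double=True),
            SubIf("GE1/0/7.2", "GE1/0/7", "qinq", 20, {201})],
)

if __name__ == "__main__":
    for name, cfg in (("Spine-1", SPINE1), ("broken", BROKEN)):
        print(name, "->", lint(cfg) or "no findings")
```

Run against the article's Spine-1 the lint returns no findings; run against the broken sample it reports the duplicate VNI, the BD without a VNI, the two untag sub-interfaces under one main interface, the VID collisions with the main interface, the overlapping dot1q VIDs and the inconsistent QinQ rewrite actions. Feeding it real device configuration only needs a parser that fills in the Config model from the bridge-domain and interface sections.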
