Tunneling and network Virtualization: NVGRE vs VXLAN

Tunneling and network Virtualization: NVGRE vs VXLAN

We believe that the NVGRE and VXLAN tunneling protocols are no stranger, but in fact the Tunneling Protocol is only part of the virtual network. It does not provide substantive functions, but only defines how to encapsulate and forward packets between different virtual machines. This article would like to emphasize two points: first, both NVGRE and VXLAN use layer-3 protocols to encapsulate layer-2 protocols; second, both technologies solve the problem of fixed VLAN scale and are no longer limited to 4094. With the rise of various new technologies, a standard has been unable to meet the demand. technology giants are scrambling to turn their standards into a unified standard in the industry. NVGRE and VXLAN are typical examples, so what are the differences between the two technologies?

VXLAN

VXLAN is mainly introduced by Cisco. The VXLAN header has a 24-bit ID segment, which means 16 million unique virtual network segments, this ID is usually generated by using a pseudo-random algorithm on the UDP port (the UDP port is generated by the original MAC Hash in the frame ). The advantage of doing so is to ensure Load Balancing Based on 5-tuples and save the order of data packets between VMS. The specific practice is to map the MAC group inside the data packet to the unique UDP port group. The layer-2 broadcast is converted to IP multicast. VXLAN uses IP multicast to flood in the virtual network segment and relies on dynamic MAC learning. VXLAN encapsulation expands the packet size to 50 bytes, as shown in:

Because of the large data packets, VXLAN must use transmission networks that support large frames to support the expansion of data packets.

NVGRE

The main supporter of NVGRE is Microsoft. Unlike VXLAN, NVGRE does not use the standard transmission protocol (TCP/UDP), but uses the common Routing Encapsulation Protocol (GRE ). NVGRE uses the lowest 24 bits of the GRE header as the tenant network identifier (TNI), and supports 1600 virtual networks like VXLAN. To provide a stream that describes the bandwidth utilization granularity, the transmission network needs to use the GRE header, but this causes NVGRE to be incompatible with traditional load balancing. This is the biggest difference between NVGRE and VXLAN. To improve the Load Balancing Capability, we recommend that each NVGRE host use multiple IP addresses to ensure that more traffic can be balanced.

NVGRE does not need to rely on pan-flood and IP multicast for learning, but broadcast in a more flexible way, but it depends on Hardware/vendor. The last difference is that NVGRE supports reducing the maximum transmission unit of data packets to reduce the size of data packets in the internal virtual network. The transmission network does not need to support transmission of large frames.

Lab

OVS (open Vswitch) supports these two tunneling protocols. You can implement simple communication between two VMS, run VMS on both hosts, and create a tunnel between VMS. If there is no GRE tunnel, the two VMS cannot be connected. Simple steps to create a tunnel between hosts:

1. Configure HOST 1 as follows:

ovs-vsctl add-br brgreovs-vsctl add-br brvmovs-vsctl add-port brgre eth0ifconfig eth0 0ifconfig brgre 192.168.1.100 netmask 255.255.255.0route add default gw 192.168.1.1 brgreifconfig brvm 10.1.2.10 netmask 255.255.255.0ovs-vsctl add-port brvm gre1 -- set interface gre1 type=gre options:remoteip=192.168.1.111

2. Configure host 2 as follows:

ovs-vsctl add-br brgreovs-vsctl add-br brvmovs-vsctl add-port brgre eth0ifconfig eth0 0ifconfig brgre 192.168.1.111 netmask 255.255.255.0route add default gw 192.168.1.1 brgreifconfig brvm 10.1.2.11 netmask 255.255.255.0ovs-vsctl add-port brvm gre1 -- set interface gre1 type=gre options:remoteip=192.168.1.100

Create two bridges in each host. The brvm is used to simulate the virtual machine, and the other brgre is used to connect to other hosts as a tunnel (VTEP. Eth0 connects to brgre, and brgre binds an IP address for tunneling. To simplify the experiment, I set the GRE tunnel in the same subnet. Of course, it can be placed in different domains to make the simulation scenario more realistic. Now we can test it. 10.1.2.10 and 10.2.1.11 can be pinged. The two VM domains are connected through tunnel, and can also be changed to VXLAN tunnel configuration.