1. Why VXLAN is needed
The number of VLANs is limited to only 4,096, which cannot meet the needs of a large-scale cloud computing IDC. Why does an IDC need so many VLANs? Because most IDC internal structures are of two kinds, L2 and L3. In an L2 structure all servers sit inside one large LAN, the ToR switches are transparent at layer 2, servers under different switches reach each other by MAC address, VLANs provide communication isolation and broadcast isolation, and the gateway sits on the intranet core. In an L3 structure, routing protocols start at the ToR level, the gateway is on the ToR, and servers under different switches reach each other by IP address.
In a cloud computing IDC the servers are virtualized: a server originally attached to ToR A should be migratable to ToR B at will without changing its IP address. This is an L2 property, because although the virtual server talks to the outside world (the gateway) over L3, the exchange behind the gateway walks L2, and an L3 structure cannot do this: in L3 each IP is unique and its location is fixed unless the entire network segment is physically relocated. How to carry L2 data across an L3 network is exactly what overlay technology is for.
Hence VXLAN (Virtual eXtensible LAN) was born. It runs on top of an IP network using MAC-in-UDP encapsulation (a layer-2 frame of the OSI seven-layer model carried inside a layer-4 UDP datagram), which makes it unlike tunnel technologies such as GRE and IPsec. This encapsulation places no special requirements on the intermediate network: as long as a device can recognize IP packets, it can carry the traffic.
With that background explained, here is a summary of why VXLAN is needed:
- The number of virtual machines is limited by the network specification: in a large L2 network, messages are forwarded by looking up the MAC address, and the MAC table capacity limits the number of virtual machines.
- Network isolation is limited: ordinary VLAN and VPN configurations cannot meet the demands of dynamic network adjustment, and they are complex to configure.
- Virtual machine migration is limited: to migrate a virtual machine to another physical machine without interrupting its business, the virtual machine's IP address and MAC address must remain unchanged, which requires the business network to be a layer-2 network.
2. VXLAN Message Format
The outer UDP destination port is 4798 but can be modified.
Outer IP header: the source IP is the address of the VTEP to which the sending virtual machine belongs, and the destination IP is the address of the VTEP to which the destination virtual machine belongs.
The outer destination IP address can be a unicast or a multicast address. For unicast, the destination IP is the VTEP (VXLAN Tunnel End Point) IP address; for multicast, a VXLAN management layer is introduced that maps the VNI to an IP multicast group in order to determine the VTEP.
When the destination should be the IP of the receiving VTEP but that IP is not yet known, an ARP-style request is performed with the following steps:
1. The destination IP is replaced with the multicast group IP address associated with the same VNI as the source virtual machine;
2. All VTEPs receive this multicast, and each VTEP checks whether any virtual machine on its host matches the inner destination MAC sent by the source virtual machine;
3. The virtual machine behind the target VTEP answers the multicast packet, so the sender obtains the IP address of the target VTEP;
4. The sending VTEP adds the VNI-VTEP-VM MAC mapping to its VXLAN table so that it does not have to learn through multicast again.
Outer Ethernet header: the SA is the MAC address of the VTEP to which the sending virtual machine belongs, and the DA is the next-hop MAC address toward the VTEP to which the destination virtual machine belongs.
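As an added example (not code from the original post), the following Python builds and parses the encapsulation just described: outer Ethernet, outer IPv4 between two VTEP addresses, outer UDP, the 8-byte VXLAN header carrying the 24-bit VNI, and the inner Ethernet frame left untouched. It uses UDP port 4789, the port IANA assigned to VXLAN in RFC 7348; the MAC addresses, VTEP IPs and the inner frame are constructed sample values. The decapsulation side verifies the outer IPv4 checksum, the UDP port and the VXLAN I flag before trusting the VNI, and reports whether the outer destination was a multicast group, which is the case the text describes for an unknown destination VTEP.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1    # the VNI is a 24-bit field
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_inner_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """The VM's own Ethernet frame; VXLAN carries it unchanged."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                vtep_mac: str, next_hop_mac: str, src_port: int = 49152) -> bytes:
    """Wrap an inner Ethernet frame in VXLAN / UDP / IPv4 / outer Ethernet (sending VTEP side)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # 8-byte VXLAN header: flags(8) + reserved(24), then VNI(24) + reserved(8)
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 is allowed over IPv4
    ip_len = 20 + udp_len
    # version/IHL, TOS, total length, id, DF flag, TTL, protocol, checksum placeholder, src VTEP, dst VTEP
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                             IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    outer_eth = mac_bytes(next_hop_mac) + mac_bytes(vtep_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip + udp + vxlan + inner_frame


def decapsulate(packet: bytes) -> dict:
    """Validate the outer headers and return the fields a receiving VTEP cares about."""
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("packet too short to be a VXLAN frame")
    outer_dst_mac, outer_src_mac, ethertype = struct.unpack("!6s6sH", packet[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:34]
    if (ip[0] & 0x0F) * 4 != 20 or ip[9] != IPPROTO_UDP:
        raise ValueError("outer IP header is not a plain IPv4/UDP header")
    if ipv4_checksum(ip) != 0:          # a header with a correct checksum sums to zero
        raise ValueError("outer IPv4 checksum mismatch")
    src_ip, dst_ip = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    _sport, dport, _udp_len, _csum = struct.unpack("!HHHH", packet[34:42])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not the VXLAN port")
    flags_word, vni_word = struct.unpack("!II", packet[42:50])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    inner = packet[50:]
    inner_dst, inner_src, inner_type = struct.unpack("!6s6sH", inner[:14])
    return {
        "outer_src_mac": mac_str(outer_src_mac), "outer_dst_mac": mac_str(outer_dst_mac),
        "src_vtep": str(src_ip), "dst_vtep": str(dst_ip),
        "dst_is_multicast": dst_ip.is_multicast,   # True for the VNI-to-group case in the text
        "vni": vni_word >> 8,
        "inner_dst_mac": mac_str(inner_dst), "inner_src_mac": mac_str(inner_src),
        "inner_ethertype": inner_type, "inner_payload": inner[14:],
    }


if __name__ == "__main__":
    # Constructed sample: an ARP frame from VM A, flooded to the multicast group mapped to VNI 5000
    inner = make_inner_frame("ff:ff:ff:ff:ff:ff", "52:54:00:00:00:01", 0x0806, b"\x00" * 28)
    pkt = encapsulate(inner, vni=5000, src_vtep="10.0.0.1", dst_vtep="239.1.1.1",
                      vtep_mac="00:11:22:33:44:01", next_hop_mac="01:00:5e:01:01:01")
    print(decapsulate(pkt))
```

Note that the 50 bytes of outer headers are what the underlay sees: nothing in them identifies the tenant except the VNI, so a receiving VTEP must validate the header before acting on the VNI, and any MTU budget has to allow for those 50 bytes on top of the VM's frame.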
3. VXLAN Network Structure
NVE (Network Virtualization Edge) is the functional entity that implements network virtualization. After the packets from a VM are encapsulated by the NVE, an L2 virtual network can be built between NVEs on top of the L3 network. Both a network device and the vSwitch on a server can act as an NVE.
The VTEP is the endpoint of a VXLAN tunnel, located inside the NVE, and is responsible for encapsulating and decapsulating VXLAN messages. The VTEP connects to the physical network and is assigned a physical-network IP address. The source IP address in a VXLAN message is the VTEP address of this node, the destination IP address is the VTEP address of the peer node, and a pair of VTEP addresses corresponds to one VXLAN tunnel.
VNI (VXLAN Network Identifier): the VNI is similar to a VLAN ID and is used to distinguish VXLAN segments; virtual machines in different VXLAN segments cannot communicate with each other directly at layer 2. A VNI represents a tenant, even if multiple end users belong to the same VNI. The VNI consists of 24 bits, supporting up to 16M ((2^24-1)/1024^2) tenants.
VAP (Virtual Access Point): the VAP is uniformly a layer-2 sub-interface used to receive data packets. Different traffic classifications can be configured on the layer-2 sub-interfaces so that different data packets enter different sub-interfaces.
VXLAN Gateway
There are three main modes of communication between VMs: between different VMs under the same VNI (two cases: on the same entity and on different entities), cross-network access between different VNIs, and access between VXLAN and non-VXLAN networks.
VXLAN gateways are divided into:
Layer-2 gateway: for end-user communication within the same network segment. After the L2 gateway receives a user message, the forwarding process depends on the type of destination MAC the message carries:
1. If the MAC address is a BUM (broadcast, unknown-unicast, multicast) address, it is handled by the BUM message forwarding process;
2. If the MAC address is a known unicast address, it is handled by the known-unicast forwarding process.
Layer-3 gateway: for end-user communication across network segments, or for communication between VXLAN and non-VXLAN users.
VXLAN layer-2 gateway:
The L2 gateway mainly solves the exchange between VMs under the same VNI.
VXLAN layer-3 gateway:
The L3 gateway addresses access between different VNIs and between VXLAN and non-VXLAN networks. L3 gateways are divided into centralized gateways and distributed gateways; the main difference between the two is whether the L3 gateway sits on the leaf or on the spine.
As shown in the figure, the centralized L3 gateway sits on the spine, while in the distributed design the L2 and L3 gateways sit on the leaf. When the network is large, the distributed gateway has to be adopted, because a centralized spine becomes a bottleneck for the ARP table entries and the traffic between subnets takes a detour. With a distributed gateway the VTEP is on the leaf, and the spine nodes are not aware of the VXLAN tunnels.
It is important to note that when VM1 and VM2 are on the same subnet but attached to different leaves, their layer-3 gateways must be configured with the same gateway IP address and MAC address; then, when a tenant's VM is moved, no gateway configuration needs to change.
BUM Message Forwarding Process
When a BUM message enters the VXLAN tunnel, the ingress VTEP uses head-end replication to perform the VXLAN encapsulation of the message: the interface receives the BUM message, the local VTEP obtains through the control plane the list of VTEPs that belong to the same VNI, and the received BUM message is copied according to that VTEP list and sent to every VTEP in the same VNI. The BUM message traverses the VXLAN tunnel, and the egress VTEP decapsulates the packet.
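To make the multicast-learning steps of section 2 and this head-end replication concrete, here is an added Python simulation (not part of the original post) of three leaf VTEPs and a control-plane VNI membership list. The topology, MAC addresses and VTEP IPs are constructed. A BUM frame is replicated once per other VTEP in the same VNI, every receiving VTEP learns the sender's (VNI, MAC) to VTEP mapping, and the next frame in the reverse direction is already known unicast with a single copy; a VNI with no other member produces no copies at all, which is the tenant isolation the VNI provides.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_mac(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Vtep:
    ip: str
    local_vms: dict                                   # vni -> set of MACs of VMs attached locally
    remote_macs: dict = field(default_factory=dict)   # (vni, mac) -> remote VTEP IP, learned from traffic

    def receive(self, vni: int, src_mac: str, dst_mac: str, from_vtep: str) -> bool:
        """Decapsulation side: learn where the sender lives, then deliver to local VMs in that VNI."""
        # Step 4 of the text: remember the VNI-VTEP-VM MAC mapping so no further flooding is needed
        self.remote_macs[(vni, src_mac)] = from_vtep
        local = self.local_vms.get(vni, set())
        if is_group_mac(dst_mac):
            return bool(local)        # flooded to every local VM in the VNI
        return dst_mac in local       # unicast: delivered only if the VM is attached here


class Fabric:
    """The demo's control plane: which VTEPs belong to which VNI (the 'VTEP list' of the text)."""

    def __init__(self):
        self.vteps = {}
        self.members = defaultdict(set)   # vni -> set of VTEP IPs

    def add_vtep(self, vtep: Vtep) -> None:
        self.vteps[vtep.ip] = vtep
        for vni in vtep.local_vms:
            self.members[vni].add(vtep.ip)

    def send(self, src_vtep_ip: str, vni: int, src_mac: str, dst_mac: str):
        """Encapsulation side. Returns (forwarding kind, list of remote VTEPs that got a copy)."""
        src = self.vteps[src_vtep_ip]
        if src_vtep_ip not in self.members[vni]:
            raise ValueError(f"VTEP {src_vtep_ip} has no VMs in VNI {vni}")
        known = src.remote_macs.get((vni, dst_mac))
        if not is_group_mac(dst_mac) and known is not None:
            kind, targets = "known-unicast", [known]
        else:
            # BUM: head-end replication, one encapsulated copy per other VTEP in the same VNI only
            kind, targets = "bum", sorted(self.members[vni] - {src_vtep_ip})
        for target in targets:
            self.vteps[target].receive(vni, src_mac, dst_mac, src_vtep_ip)
        return kind, targets


def build_demo_fabric() -> Fabric:
    """Constructed topology: three leaf VTEPs, tenant VNI 100 on all three, VNI 200 only on leaf 3."""
    fab = Fabric()
    fab.add_vtep(Vtep("10.0.0.1", {100: {"52:54:00:00:01:0a"}}))
    fab.add_vtep(Vtep("10.0.0.2", {100: {"52:54:00:00:01:0b"}}))
    fab.add_vtep(Vtep("10.0.0.3", {100: {"52:54:00:00:01:0c"}, 200: {"52:54:00:00:02:0d"}}))
    return fab


if __name__ == "__main__":
    fab = build_demo_fabric()
    a, b = "52:54:00:00:01:0a", "52:54:00:00:01:0b"
    print(fab.send("10.0.0.1", 100, a, BROADCAST))   # ARP request from A: copies to 10.0.0.2 and 10.0.0.3
    print(fab.send("10.0.0.2", 100, b, a))           # ARP reply from B: leaf 2 already learned A -> 10.0.0.1
    print(fab.send("10.0.0.1", 100, a, b))           # now known unicast: a single copy to 10.0.0.2
    print(fab.send("10.0.0.3", 200, "52:54:00:00:02:0d", BROADCAST))  # VNI 200 has no other member: no copies
```

The membership list is the piece a real deployment gets either from a multicast group per VNI or from a control plane; in the simulation it is static, which is enough to show why the flood fans out only to VTEPs of the same VNI and why the learned table shrinks later traffic to one copy.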
Summary: the VXLAN network structure has been defined; here it is explained again in plain words. On a physical server a switch can be virtualized; this switch is the vSwitch, and what the vSwitch connects is not the physical server but a VM. A VM is in fact a server rented by a tenant, and different tenants must not be able to access each other, otherwise the security of tenant data cannot be guaranteed. This isolation relies on the VNI, much as VLANs are used for isolation: the purpose is to isolate tenants. If a tenant has 2 VMs, those 2 should be able to access each other. So a tenant is defined by VNI, not by VM. The structure above also describes how to reach upstream: in an L2 switch, cross-network access must go through the gateway, and the IP address of this gateway is the VTEP IP. There is a concept on the network called ARP proxy, whose general purpose is to protect the internal private network: all responses to the outside world are answered by the gateway instead (which can be understood as a gatekeeper). Here the outside world only needs the VTEP IP; once the message arrives at the VTEP, the gateway itself forwards it internally over L2. Therefore the destination IP in a VXLAN message is the far-end gateway (VTEP IP), and the source address is naturally its own gateway (VTEP IP). For VMs of the same VNI on different leaves, their VTEP IPs must be configured identically, and it is clear how the gateway for servers under the same VLAN is configured.