Vxlan basis of understanding
A. Why do we need Vxlan
1. vlan quantitative restrictions
4096 vlan can not meet the needs of large-scale cloud computing data centers
2. Restrictions physical network infrastructure
Area dividing IP subnet need to limit the deployment of Layer 2 network connectivity application workloads
3. TOR switch MAC table depletion
Virtualization and east-west traffic leads to more MAC entries
4. The multi-tenant scenario
IP addresses overlap?
II. What is Vxlan
1. Vxlan message
vxlan (virtual Extensible LAN) scalable virtual local area network, the overlay network is a technique, a method using UDP MAC in feed
Line package, a total of 50 bytes of header encapsulation. Specific packet format is as follows:
(1) vxlan header
A total of eight bytes, currently using a flag in Flags 8bit and 24bit the VNI (Vxlan Network identifier),
The rest is not defined, but when in use must be set to 0x0000.
(2) the outer UDP header
Use destination port 4798, but can be modified as needed. Colleagues UDP checksum must be set to full-0.
(3) IP header
Destination IP address can be a unicast address, it can also be a multicast address. Unicast, the destination IP address is Vxlan Tunnel End Point
(VTEP) IP address. VXLAN management introduced in the multicast case, is determined using the map VTEPs VNI and IP multicast group. ? ? ?
- protocol: Set value 0x11, which is an explanatory UDP packet
- Source ip: Source vTEP_IP;
- Destination ip: The purpose VTEP IP.
(4) Ethernet Header
- Destination Address: The Mac address VTEP purpose, that is the next hop to the local address (usually the gateway Mac address);
- VLAN: VLAN Type is set to 0x8100, and you can set Vlan Id tag (which is vxlan the vlan tag).
- Ethertype: Set value of 0x8000, indicating that the data packet as IPv4.
Added: the role of VTEP?
VXLAN for packet encapsulation / decapsulation, including ARP request packets and normal data packets VXLAN, some packets encapsulated in
After sending the encapsulated packet through the tunnel to the other end VTEP other end VTEP receives an encapsulated packet decapsulates the MAC address of the package
Be fitted law. VTEP support VXLAN by hardware or software.
From a structural point of view the package, VXLAN Layer networks provide the ability to overlay the three-tier network, VXLAN Header has the VNI
'Bit 24, much greater than the number of 4096, and UDP encapsulation can pass through a three-layer network, VLAN better than scalability.
2. Vxlan data and control plane
(1) data-plane tunnel mechanism ---
Already know, VTEP virtual machine layer packet plus the header, the header of these new data arrives there after VTEP purpose will be removed.
Only the intermediate network device forwards data path according to the destination address in the outer header forwarding path on the network, one Vxlan
Packet with a normal IP packet is compared to a bigger head outside no difference.
Since packets VXLAN maintaining the integrity of the entire internal data forwarding process, so VXLAN data plane is based on a tunnel
Data plane.
Layer Protocol (2) improved control plane ----
VXLAN does not maintain a persistent connection between the virtual machine, it requires a control plane VXLAN recording end address reachable situation. control
To the surface plane (VNI, inner MAC, layer vtep_ip). Vxlan address learning when still preserved features of Layer 2 protocol, not between nodes
Periodically exchange their routing table for the MAC address is not recognized, VXLAN multicast relies acquires path information (if SDN Controller,
Unicast can get to the SDN).
On the other hand, VXLAN as well as self-learning function, when VTEP receive a UDP datagram, it checks whether they received the virtual machine
Data, if not, it will record the VTEP source vni / source layer ip / source mac inner correspondence relationship, multicast avoid learning.
3. VxlanARP request
(1) vxlan initialization
VXLAN VM1 and VM2 is connected to the network (VNI) 100, a host joins two VXLAN IP multicast group 239.119.1.1
(2) ARP Request
1) VM1 sends an ARP broadcast request form;
2) VTEP1 encapsulated packet. Marked VXLAN identified as 100, DA outer IP header is IP multicast group (239.119.1.1), SA is IP_VTEP1.
3) VTEP1 multicast within the multicast group;
4) VTEP2 parses the received multicast packet. Fill flow table (VNI, mac address inner layer, the outer layer address Ip), and in the range of 100 identifies the local VXLAN
Broadcast (is VXLAN comes in).
5) ARP VM2 in response to the received request;
(3) ARP reply
1) After preparing VM2 ARP response packet to the transmitted response packet VM1
After 2) VTEP2 VM2 received response packet wraps it in ip unicast message (VXLAN still identified as 100), then to send a unicast VM1
After 3) VTEP1 received unicast packets, MAC learning inner layer ip address mapping, decapsulated and forwarded to the destination MAC address VM1 The packaged content
4) VM1 received ARP response packet, the end of the ARP interaction
Data transmission 4
After (1) ARP request response, VM1 VM2 know the Mac address, and would like to VM2 communication (note, VM1 is TCP way to send data to VM2).
VTEP1 VM1 sends packets received, check the flow table using the MAC address belongs VM1 and VM2 with a VNI. Two VM is not only located in the same VNI
(VNI not the same in the gateway), and VTEP1 already know all the address information of VM2 (MAC and VTEP2_IP). VTEP1 new packet encapsulation. then
Linked to the switch.
(2) switch receives uplink UDP packets sent from the server, compare the destination IP address and its own routing table, and forwards the packet to the corresponding port.
(3) in the received packet object VTEP checker VNI, if the UDP datagram VNI VNI consistent with the VM2, the data is processed further to VM2 decapsulates the packet. At this point
A packet transmission is completed. Whole Vxlan related behaviors (may traverse multiple gateways) is transparent to the virtual machine, the virtual machine will not feel the process of transmission.
Although the start of the TCP to transfer data between VM1 and VM2, but the way the actual data packet is forwarded in the form of UDP, both ends of the VTEP does not check whether the data
Sequence is complete or correct, all of which work in the VM1 and VM2 are the TCP packet is received after the completion of the decapsulated. That is if if UDP encapsulation
The TCP connection, UDP and TCP stack, each will work as two separate agreements, there is no interaction between each other.
5 Vxlan Gateway
If you need VXLAN networks and non-VXLAN network connection, you must use VXLAN VXLAN gateway to the network and the external network bridging and
And routing the mapping between the ID and VLAN ID VXLAN, and the same VLAN, the communication between the networks need to support three VXLAN device,
That VXLAN support routing. The same can be VXLAN gateway hardware and software.
From a structural point of view the package, VXLAN Layer networks provide the ability to overlay the three-tier network, VXLAN Header has the VNI
'Bit 24, much greater than the number of 4096, and UDP encapsulation can pass through a three-layer network, VLAN better than scalability.
6. Deploy
(1) pure VXLAN deployment scenarios
For connection to a virtual machine within the VXLAN, due to the virtual machine VLAN information is no longer a basis for forwarding, virtual machine migration will
No longer limited by three gateways, migration can be achieved across three gateway.
(2) VXLAN mixed with deployment VLAN
In order to achieve interoperability between VLAN and VXLAN, VXLAN defined VXLAN gateway. There are two types of ports at the same time on VXLAN gateway: VXLAN port
And common port.
When data is received from the network to a common network VXLAN, VXLAN gateway removes the outer header is forwarded to the common port from the original inner header; when data
From general network to entering VXLAN network, the gateway is responsible for marked VXLAN outer header, and corresponds to a VNI The original VLAN ID, while the inner header is removed
The VLAN ID information. If the gateway discovery VXLAN respective inner frame head packet of a further VXLAN with original floor VLAN ID, the packet will be discarded directly.
The reason for this is the VLAN ID is a local information only on the second floor of a local network and its role, VXLAN tunnel mechanism does not rely on VLAN ID carried
Forwarding, VLAN ID can not be checked properly or not. Therefore, VXLAN gateway connecting the traditional network ports must be configured ACCESS mouth, can not enable TRUNK mouth.