Abstract: VXLAN was created to overcome the limitations that traditional data center networks impose on server virtualization.

1 Overview

Problems with traditional data center networks

  • The VM scale is limited by device table-entry specifications

On a traditional Layer 2 network, the switch forwards data frames by looking up the MAC address table, so the number of VMs is limited by the capacity of that table.

After servers are virtualized, the number of VMs increases by an order of magnitude compared with the number of physical servers, but the MAC address table of Layer 2 devices on the access side is too small to keep up with the rapidly growing number of VMs.

  • Limited network isolation capability

The VLAN ID in the VLAN tag is only 12 bits wide. For large-scale virtualized cloud computing services, VLANs cannot provide enough isolation.

VLANs in traditional Layer 2 networks also cannot meet the requirements for dynamic network adjustment.

  • The VM migration range is limited

VM migration must take place within a Layer 2 network.

Traditional Layer 2 networks restrict VM migration to a small local area.

Introduction of VXLAN

  • Virtual eXtensible Local Area Network (VXLAN) is a Virtual Private Network (VPN) technology that overlays a Layer 2 virtual network on any IP-reachable network. Hosts inside the overlay communicate through VXLAN gateways, which can also connect them to traditional non-VXLAN networks.
  • VXLAN extends Layer 2 networks by using MAC-in-UDP encapsulation: Ethernet frames are wrapped in IP packets and carried across the network by routing. The intermediate transport network does not need to know the MAC addresses of VMs, and a routed network imposes no topology restriction, which enables large-scale expansion and lets VMs migrate regardless of the physical network architecture.

VXLAN applications in data centers

The widespread deployment of server virtualization has greatly increased the computing density of data centers. In addition, to allow flexible service changes, VMs must be able to migrate across the network without restriction, which poses new challenges to the traditional Layer 2 + Layer 3 data center network. VXLAN emerged to overcome the limitations that the traditional data center network imposes on server virtualization, solving the following problems:

  • The VM scale is limited by device table-entry specifications

    ◦ After servers are virtualized, the number of VMs increases by an order of magnitude compared with the number of physical servers, but the MAC address table of Layer 2 devices on the access side is too small to keep up with the rapidly growing number of VMs.

    ◦ VXLAN encapsulates the original packets sent by VMs in the same administrator-defined area into UDP packets, using the IP and MAC addresses of the physical network as the outer header. To the other devices on the network, the inner packets are only opaque payload. The MAC address table requirements of a large Layer 2 network are therefore greatly reduced.

  • Limited network isolation capability

    ◦ VLAN, the mainstream network isolation technology, has only a 12-bit ID in the standard definition, so only 4096 VLANs are available. For public clouds or other large virtualized cloud computing services with tens of thousands or more tenants, VLANs cannot provide sufficient isolation.

    ◦ VXLAN introduces a user identifier similar to the VLAN ID, called the VXLAN Network Identifier (VNI). It is 24 bits long and supports up to 16M VXLAN segments, effectively solving the problem of isolating a massive number of tenants in cloud computing.

  • The VM migration range is limited

    ◦ VM migration means moving a VM from one physical machine to another. To keep services uninterrupted during migration, the IP address of the VM must remain unchanged, so VM migration must take place within a Layer 2 network. In traditional Layer 2 networks, VM migration is limited to a small local area.

    ◦ VXLAN encapsulates the original packets sent by VMs and transmits them through a VXLAN tunnel. The VMs at both ends of the tunnel do not need to know the physical architecture of the transport network. In this way, VMs whose IP addresses are on the same network segment are in the same Layer 2 domain even though their physical locations are not in the same Layer 2 network. VXLAN thus builds a large virtual Layer 2 network on top of the Layer 3 network: as long as the VMs are IP-reachable, they can be added to the same large Layer 2 network. This solves the problem of a limited VM migration scope.

Using VXLAN in campus Network to Achieve Multi-Purpose in One Network

  • By introducing virtualization technology, multiple virtual networks (VNs) are created on top of one physical campus network. Different virtual networks serve different businesses, such as office, research and development, or the Internet of Things.
  • The iMaster NCE (Huawei's campus network SDN controller) manages the devices of the entire network centrally. The administrator configures the network through a graphical user interface (GUI).
  • The iMaster NCE translates the administrator's network service intent into device commands and delivers the configuration to each device through the NETCONF protocol, realizing an autonomous driving network.

2 Basic concepts of VXLAN

VXLAN packet format

Network Virtualization Edge (NVE)

An NVE is a network entity that implements network virtualization. It can be a hardware switch or a software switch. An NVE builds a Layer 2 virtual network on a Layer 3 network and runs VXLAN. In the figure, SW1 and SW2 are NVEs.

VXLAN Tunnel Endpoint (VTEP)

  • The VTEP is a VXLAN tunnel endpoint on the NVE and is used to encapsulate and decapsulate VXLAN packets.
  • In the VXLAN packet (outer IP header), the source IP address is the IP address of the source VTEP, and the destination IP address is the IP address of the destination VTEP.
  • A pair of VTEP addresses corresponds to a VXLAN tunnel.
  • After packets are encapsulated at the source end, the VTEP sends the packets to the destination VTEP over the tunnel. The VTEP decapsulates the received packets.
  • Generally, the Loopback interface address of the device is used as the VTEP address.

VXLAN Network Identifier (VNI)

  • Similar to the VLAN ID, the VNI is used to distinguish VXLAN segments. VMs in different VXLAN segments cannot communicate with each other at Layer 2.
  • A tenant can have one or more VNIs, each 24 bits long.
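The MAC-in-UDP encapsulation from the VXLAN packet format section and the 24-bit VNI above, as an added Python example that is not from the original article: it builds the outer IPv4/UDP/VXLAN headers around a constructed inner Ethernet frame and parses them back the way a destination VTEP would. The VTEP addresses 1.1.1.1 and 2.2.2.2, the inner MAC addresses and the payload are constructed sample values.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1    # 24-bit VNI: 16,777,216 possible segments


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """MAC-in-UDP: wrap an Ethernet frame in outer IPv4 + UDP + VXLAN headers.
    The underlay forwards on the outer VTEP addresses only and never sees the
    inner MACs. The outer Ethernet header is left out (rewritten per hop)."""
    vxlan = vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # Source port is normally a hash of the inner frame (for ECMP); fixed here.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    return ip + udp + vxlan + inner_frame


def decapsulate(packet: bytes):
    """Validate outer headers and return (src_vtep, dst_vtep, vni, inner_frame).
    This is what the destination VTEP does before injecting the frame into
    the bridge domain mapped 1:1 to the VNI."""
    if len(packet) < 36:
        raise ValueError("too short for IPv4 + UDP + VXLAN headers")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    src_vtep, dst_vtep = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return src_vtep, dst_vtep, vni_word >> 8, packet[ihl + 16:ihl + udp_len]


# Constructed sample inner frame: dst MAC 0000.0002, src MAC 0000.0001, IPv4 ethertype.
INNER_FRAME = bytes.fromhex("000000000002" "000000000001" "0800") + b"payload-from-VM"
```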

Bridge Domain (BD)

  • In a VXLAN network, a BD identifies a large layer 2 broadcast domain.
  • A VNI is mapped 1:1 to a broadcast domain (BD). Terminals in the same BD can communicate with each other at Layer 2.

Virtual Access Point (VAP)

A VAP provides VXLAN service access. It can be configured in Layer 2 sub-interface mode or in VLAN binding mode.

1. Layer 2 sub-interface access. For example, on SW1 a Layer 2 sub-interface is associated with BD 10, meaning that only the specified traffic on this interface is injected into BD 10.

2. VLAN binding access. For example, on SW2 VLAN 10 is associated with broadcast domain BD 10, meaning that traffic from VLAN 10 is injected into BD 10.

3 VXLAN Layer 2 gateway and Layer 3 gateway

**Layer 2 (L2) gateway:** lets traffic enter the VXLAN virtual network and communicate within the same subnet of that virtual network. For example, Edge1 and Edge2 in the figure below.

**Layer 3 (L3) gateway:** used for cross-subnet communication within the VXLAN virtual network and for access to external (non-VXLAN) networks. For example, Border in the figure below.

4 VBDIF

  • VXLAN introduces the VBDIF interface, which plays the same role that a VLANIF interface plays in a traditional network for communication between different broadcast domains.
  • A VBDIF interface is configured on the VXLAN Layer 3 gateway and is a Layer 3 logical interface created on top of a BD.
  • By configuring IP addresses on VBDIF interfaces, VXLAN segments on different network segments can communicate with each other, and Layer 2 networks are connected to Layer 3 networks.

5 Distributed and centralized gateways

Centralized gateway

The L3 gateway is deployed on one device. All cross-subnet traffic is forwarded by the gateway for centralized traffic management.

Advantages: Centrally manages cross-subnet traffic, simplifying gateway deployment and management.

Disadvantages: The forwarding path is not optimal.

Distributed gateway

The L3 gateway is deployed on multiple devices. The VTEP serves as both the L2 gateway and the L3 gateway.

Advantages: The cross-subnet traffic forwarding path is better.

Disadvantages: Compared with centralized gateways, gateway deployment, fault location, and network O&M are more complex. VTEP nodes must communicate with each other and maintain host routes.

6 VXLAN tunnel establishment mode

A VXLAN tunnel is defined by a pair of VTEP IP addresses. Packets are encapsulated by the VTEP and routed through the VXLAN tunnel. Once the tunnel is configured, it can be established as long as the VTEP IP addresses at both ends are reachable at Layer 3.

Static VXLAN tunnel establishment

A VXLAN tunnel is determined by a pair of VTEP IP addresses. A static VXLAN tunnel is created by manually configuring the VNI and the local and remote VTEP IP addresses. The tunnel can be established only when the VTEP IP addresses at both ends are reachable at Layer 3.

BGP EVPN is used as the control plane protocol

The original VXLAN solution (RFC 7348) does not define a control plane. That is, you need to manually configure a VXLAN tunnel and learn the host address through traffic flooding. As a result, a large amount of flooding exists on the network and network expansion is difficult.

To solve these problems, the Ethernet Virtual Private Network (EVPN) is used as the control plane of the VXLAN. EVPN is an extension of BGP and defines several new route types to implement automatic VTEP discovery and host address learning.

7 Typical Application of VXLAN in CloudCampus Solution

Requirements

Fabric requirements:

  • Build a Fabric on the physical network.
  • Adopt the distributed gateway solution.

VN requirements:

  • Create two VNs: office (OA) and R&D (RD).
  • By default, the two VNs are isolated from each other; within a VN, terminals can communicate in the same subnet and across subnets.
  • Both VNs can access the external networks connected to the FW.
  • Terminals in both VNs can obtain IP addresses from the DHCP server.

Management of the Fabric

Fabric creation and configuration:

  • Users add physical devices (core switches, aggregation switches, and access switches) to the Fabric based on service requirements.
  • Users specify the role of each switch: Border node or Edge node.
  • The iMaster NCE automatically designates the Border as the route reflector (RR) to optimize the logical network architecture and the BGP peer relationship model.
  • Users predefine two external networks so that the two VNs can reach the external network.
  • Users can define a network service resource (DHCP server) from which terminals obtain IP addresses.

Automated Deployment of Fabric and Underlay networks:

  • The iMaster NCE automatically orchestrates networks based on discovered physical network topologies and user-defined Fabric networks. Users can choose OSPF multi-area or single-area and whether to authenticate OSPF packets.
  • The iMaster NCE automatically delivers the Underlay network configuration to devices based on the network orchestration result, making IP addresses reachable between devices. After this step is complete, the switches automatically obtain the IP address, VLAN configuration, and OSPF configuration. The switches are routable.
  • The iMaster NCE automatically delivers Fabric configurations to devices and establishes BGP EVPN peers between devices to complete the preparation of the control plane.

VN management

Create VNs:

  • You create the OA and RD virtual networks and specify for each the IP network segment/VLAN, gateway address, associated external network, network service resources, and terminal access points.
  • The iMaster NCE translates user intents into configurations and delivers them to network devices.

VXLAN tunnels are automatically established

  • BGP EVPN is used to advertise information about VXLAN tunnel establishment between peers.
  • A VXLAN tunnel is established between devices to facilitate data forwarding.

Terminal address acquisition

  • Sales employee A accesses the network and completes user authentication. After the authentication is successful, authentication point Edge1 obtains the authorization result of the user and allocates the user to the corresponding VLAN.
  • A initiates a DHCP request. When the request reaches Edge1, the gateway relays it and forwards the relayed message to Border through the VXLAN tunnel.
  • Border decapsulates the VXLAN packet and forwards the DHCP relay packet to the DHCP server.
  • The DHCP server assigns an IP address to user A.

Access within the same subnet of the same VN

  • Sales employees A and B pass access authentication and join the campus network.
  • Take sales employee B as an example. Edge2 advertises B's MAC address to the Border in BGP update packets, and the Border reflects it to Edge1.
  • Edge1 learns the MAC address 0000.0002.
  • When A sends data to B, the traffic reaches Edge1, which encapsulates it in VXLAN and forwards it to Edge2. Edge2 decapsulates the packet and delivers it to the destination.

Access between subnets of the same VN

  • Sales employee C passes authentication and joins the campus network.
  • Edge2 advertises C's host route to the Border in BGP update packets, and the Border reflects it to Edge1.
  • Edge1 learns the route 1.20.1/32. Its next hop is 2.2.2.2 and its outbound interface is the VXLAN tunnel interface.
  • When A sends data to C, the traffic reaches Edge1, which encapsulates it in VXLAN and forwards it to Edge2. Edge2 decapsulates the packet and delivers it to the destination.

Accessing an External Network

  • After the user associates the external network (destination network segment 2.3.0/24) with the OA virtual network, the iMaster NCE delivers the route information to the Border, which redistributes the external route into BGP and advertises it to Edge1 and Edge2.
  • When A sends data to 2.3.0/24, Edge1 encapsulates the traffic by VXLAN and then sends the traffic to Border, which decapsulates the VXLAN and forwards the IP packets to FW.

This article is shared by the Huawei Cloud community "New HCIE knowledge: VXLAN and Campus network virtualization", originally written by: Fan Tu little bookboy.
