VxLAN Overview
VXLAN (Virtual Extensible LAN) is an overlay network technology: the original Layer 2 Ethernet frame is encapsulated in UDP (MAC-in-UDP) by adding an 8-byte VXLAN header, an 8-byte UDP header, a 20-byte IPv4 header and a 14-byte Ethernet header, 50 bytes of overhead in total (54 bytes if the outer frame carries an 802.1Q tag). The underlay MTU therefore has to be at least 50 bytes larger than the largest inner frame, because VTEPs must not fragment VXLAN packets (RFC 7348).
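As an added example (not part of the original page), the following Python builds the 50-byte outer header stack just described around a constructed inner frame and parses it back, validating the outer headers and the VXLAN I flag before trusting the VNI. The MAC and IP addresses are constructed sample values chosen to match the lab later on this page (VTEP loopback 100.100.100.1, multicast group 230.1.1.1); nothing here touches a real socket.

```python
"""VXLAN encapsulation and decapsulation (RFC 7348), added example.

Builds the 50-byte outer header stack (14 B Ethernet + 20 B IPv4 + 8 B UDP
+ 8 B VXLAN) around a constructed inner frame, then parses it back.
No sockets are used; all addresses are constructed sample values.
"""
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789                 # IANA port for VXLAN (RFC 7348)
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17
VXLAN_FLAG_I = 0x08                   # "I" bit: the VNI field is valid
OUTER_HEADER_LEN = 14 + 20 + 8 + 8    # 50 bytes of overhead, as stated above


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip):
    return bytes(int(o) for o in ip.split("."))


def _ipv4_checksum(header):
    """One's-complement sum over the IPv4 header; 0 when a received header is intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_frame(dst_mac, src_mac, ethertype, payload):
    """A plain Ethernet frame, as a host would hand it to its VTEP."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encap(inner_frame, vni, outer_src_mac, outer_dst_mac,
                outer_src_ip, outer_dst_ip, src_port=49152):
    """What a VTEP does on transmit: outer Ethernet + IPv4 + UDP + VXLAN, then the frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags (I set, rest reserved), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan_hdr = bytes([VXLAN_FLAG_I, 0, 0, 0]) + struct.pack("!I", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    # Real VTEPs derive the source port from a hash of the inner frame for ECMP;
    # a zero UDP checksum is permitted over IPv4.
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    # IPv4: no options, DF set (VTEPs must not fragment VXLAN packets), TTL 64, checksum below
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                         IP_PROTO_UDP, 0, _ip(outer_src_ip), _ip(outer_dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = _mac(outer_dst_mac) + _mac(outer_src_mac) + struct.pack("!H", ETH_TYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


@dataclass
class VxlanPacket:
    vni: int
    outer_src_ip: str
    outer_dst_ip: str
    inner_src_mac: str
    inner_dst_mac: str
    inner_frame: bytes


def vxlan_decap(packet):
    """What a VTEP does on receive: validate each outer header, then return the inner frame."""
    if len(packet) < OUTER_HEADER_LEN + 14:
        raise ValueError("too short for VXLAN headers plus an inner Ethernet header")
    if struct.unpack("!H", packet[12:14])[0] != ETH_TYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_hdr = packet[14:34]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    if ver_ihl != 0x45 or _ipv4_checksum(ip_hdr) != 0 or proto != IP_PROTO_UDP:
        raise ValueError("outer IPv4 header is not a plain, intact UDP header")
    if len(packet) < 14 + total_len:
        raise ValueError("packet truncated")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[34:42])
    if dst_port != VXLAN_UDP_PORT or udp_len != total_len - 20:
        raise ValueError("not a well-formed VXLAN UDP datagram")
    if not packet[42] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid, drop")
    # Reserved bits are ignored on receipt (RFC 7348); only the I flag and the VNI matter.
    vni = struct.unpack("!I", packet[46:50])[0] >> 8
    inner = packet[50:14 + total_len]

    def fmt_mac(b):
        return ":".join("%02x" % x for x in b)

    def fmt_ip(b):
        return ".".join(str(x) for x in b)

    return VxlanPacket(vni, fmt_ip(src), fmt_ip(dst), fmt_mac(inner[6:12]), fmt_mac(inner[0:6]), inner)


def demo():
    """Constructed sample: host A's broadcast ARP request flooded by VTEP-1 to group 230.1.1.1."""
    arp_request = build_inner_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:0a", 0x0806, b"\x00" * 28)
    packet = vxlan_encap(arp_request, 10000,
                         outer_src_mac="00:de:ad:be:ef:01", outer_dst_mac="01:00:5e:01:01:01",
                         outer_src_ip="100.100.100.1", outer_dst_ip="230.1.1.1")
    return arp_request, packet, vxlan_decap(packet)


if __name__ == "__main__":
    inner, pkt, decoded = demo()
    print(len(pkt) - len(inner), "bytes of overhead; VNI", decoded.vni, "from", decoded.outer_src_ip)
```

Note what the decoder cannot check: VXLAN carries no authentication or integrity protection of its own (RFC 7348, security considerations), so a packet that passes every test above may still have been forged by anything able to send UDP/4789 to the VTEP's address. Restricting VXLAN traffic in the underlay to the known VTEP addresses is the usual mitigation.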
VxLAN Advantages
- Flexible application deployment: after VXLAN encapsulation a Layer 2 Ethernet frame can cross Layer 3 boundaries, which makes both the network design and application placement more flexible and resolves overlapping IP address ranges between tenants in a multi-tenant network.
- Better scalability: the traditional VLAN ID field is 12 bits, so there are at most 4096 VLANs; VXLAN uses a 24-bit VNI (VXLAN Network Identifier), giving about 16 million (2^24 = 16,777,216) logical networks.
- Better network utilization: a traditional Ethernet network relies on STP to prevent loops, and STP leaves redundant paths in the blocking state. VXLAN packets are forwarded on their outer Layer 3 IP header, so every underlay path can be used, with ECMP (equal-cost multipath) and link aggregation.
VxLAN Terminology
- VXLAN Tunnel Endpoint (VTEP): the device that encapsulates and decapsulates VXLAN packets, both ARP requests and ordinary VXLAN data. The VTEP wraps the original Ethernet frame in VXLAN and sends it to the remote VTEP; the remote VTEP strips the encapsulation and forwards on the original (inner) MAC address. A VTEP can be a physical switch, a physical server, or any other VXLAN-capable hardware or software.
- Virtual Network ID (VNI): carried in the VXLAN header, 24 bits wide, about 16 million logical networks.
- VXLAN gateway: connects a VXLAN network to a traditional VLAN network by mapping between VNI and VLAN ID; a VXLAN gateway is itself a VTEP.
- Multicast group: VTEPs serving the same VNI join the same multicast group, which is used for MAC address flooding and learning.
VXLAN Data Forwarding
- Control plane: when the multicast-based implementation is used, VXLAN is data-driven flood-and-learn and has no control plane in the strict sense. VTEPs use stateless tunnels and keep no long-lived stateful connections to each other. A VTEP learns remote address information through the multicast group and builds its control-plane table locally; each entry is the triple (VNI, inner source MAC, outer source IP).
Note: multicast flood-and-learn has drawbacks; the control plane can instead use EVPN (MP-BGP). See the separate write-up "VxLAN experiment based on EVPN".
- Forwarding plane: once the control plane has learned the address mappings, the forwarding plane moves the actual data. The VTEP adds the outer headers (including UDP) to the original frame; they are removed only at the destination VTEP, and the transit devices forward purely on the destination address in the outer header.
VTEP Discovery and Address Learning
Taking the multicast-based VXLAN scenario in the figure below as an example, the ARP request between End System A and End System B is encapsulated as follows:
- (1) End system A sends an ARP request for end system B's MAC address;
- (2) VTEP-1 receives the ARP request from A. It has no address mapping for B yet, so it VXLAN-encapsulates the ARP request with VNI 10, outer source IP = VTEP-1's IP and outer destination IP = the multicast group address, and forwards it to the VXLAN multicast group;
- (3) VTEP-2 and VTEP-3 have joined the same group, so every member receives VTEP-1's multicast packet. Each decapsulates it and checks whether the VNI matches a locally configured VNI; if it matches, the ARP request is delivered to the local network and the (VNI, inner source MAC, outer source IP) mapping is recorded as a control-plane entry. If the VNI does not match, the packet is dropped.
- (4) End system B receives the ARP request and sends a unicast ARP reply;
- (5) VTEP-2 receives B's ARP reply. It already holds the mapping for A, so it encapsulates the reply and sends it as unicast, with outer source IP = VTEP-2's IP and outer destination IP = VTEP-1's IP;
- (6) VTEP-1 receives the encapsulated ARP reply, decapsulates it and checks the VNI; if it matches, it delivers the reply to A and records the (VNI, inner MAC, outer IP) mapping in its control-plane table;
- (7) Both VTEP-1 and VTEP-2 now hold the address mapping, and subsequent VXLAN traffic between them is sent as unicast.
VxLAN Unicast Forwarding
After the ARP exchange above, end system A knows B's MAC address and VTEP-1 holds a mapping entry for B.
- (1) End system A sends a unicast frame towards VTEP-1;
- (2) VTEP-1 receives the unicast frame. It already has the MAC-to-VTEP mapping for B, so it VXLAN-encapsulates the frame with VNI 10, outer source IP = VTEP-1's IP and outer destination IP = VTEP-2's IP, and hands the packet to Router-1, the next hop towards VTEP-2;
- (3) The IP backbone routes the packet on the outer IP header (source and destination IP) to the edge router Router-2;
- (4) Router-2 forwards the packet on to VTEP-2;
- (5) VTEP-2 receives the unicast packet destined for B, decapsulates it by stripping the outer Ethernet, IP, UDP and VXLAN headers, and forwards the inner Ethernet frame to B.
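The control-plane learning described above, the ARP steps (1) to (7) and the unicast forwarding steps (1) to (5) can all be seen in one place with the following Python model. It is an added example, not the page's or any vendor's code: the underlay, the multicast group and the hosts are stand-ins that pass Python objects rather than packets, the VTEP addresses and group are taken from the lab later on this page, and the host MAC addresses and the host IPs (192.168.10.11 for A, 192.168.10.12 for B) are assumed. A third VTEP with a different VNI is included to show the VNI check in step (3).

```python
"""Multicast flood-and-learn VXLAN model, added example (no real packets or sockets)."""
from collections import defaultdict
from dataclasses import dataclass

MCAST_GROUP = "230.1.1.1"          # group the lab VTEPs join
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:                        # inner Ethernet frame, reduced to what the model needs
    src_mac: str
    dst_mac: str
    kind: str                       # "ARP-REQ", "ARP-REPLY" or "DATA"
    target_ip: str = ""             # ARP target, only used for ARP-REQ


@dataclass(frozen=True)
class VxlanPdu:                     # encapsulated frame: outer IPs + VNI + inner frame
    vni: int
    outer_src_ip: str
    outer_dst_ip: str
    frame: Frame


class Underlay:
    """Stand-in for the IP backbone plus one multicast group (constructed)."""
    def __init__(self):
        self.by_ip = {}
        self.members = defaultdict(list)
        self.sent = []              # every PDU that crossed the underlay, for inspection

    def attach(self, vtep, group):
        self.by_ip[vtep.ip] = vtep
        self.members[group].append(vtep)

    def send(self, pdu):
        self.sent.append(pdu)
        if pdu.outer_dst_ip in self.members:    # multicast: every member except the sender
            for vtep in self.members[pdu.outer_dst_ip]:
                if vtep.ip != pdu.outer_src_ip:
                    vtep.from_underlay(pdu)
        else:                                   # unicast tunnel to one VTEP
            self.by_ip[pdu.outer_dst_ip].from_underlay(pdu)


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.vtep, self.received = mac, ip, None, []

    def send(self, frame):
        self.vtep.from_host(frame)

    def receive(self, frame):
        self.received.append(frame)
        if frame.kind == "ARP-REQ" and frame.target_ip == self.ip:
            self.send(Frame(self.mac, frame.src_mac, "ARP-REPLY"))   # step (4): unicast reply


class Vtep:
    def __init__(self, name, ip, vni, underlay, group=MCAST_GROUP):
        self.name, self.ip, self.vni, self.underlay, self.group = name, ip, vni, underlay, group
        self.hosts = {}             # local MAC -> Host
        self.remote = {}            # learned table: (VNI, inner MAC) -> remote VTEP IP
        self.dropped = 0
        underlay.attach(self, group)

    def add_host(self, host):
        host.vtep = self
        self.hosts[host.mac] = host

    def from_host(self, frame):
        if frame.dst_mac in self.hosts:             # same local segment, no tunnel
            self.hosts[frame.dst_mac].receive(frame)
            return
        remote_ip = self.remote.get((self.vni, frame.dst_mac))
        # Broadcast and unknown unicast are flooded to the group; known MACs go unicast.
        outer_dst = remote_ip if remote_ip else self.group
        self.underlay.send(VxlanPdu(self.vni, self.ip, outer_dst, frame))

    def from_underlay(self, pdu):
        if pdu.vni != self.vni:                     # step (3): VNI mismatch, drop
            self.dropped += 1
            return
        # Data-driven learning: (VNI, inner source MAC) -> outer source IP
        self.remote[(pdu.vni, pdu.frame.src_mac)] = pdu.outer_src_ip
        if pdu.frame.dst_mac == BROADCAST:
            for host in self.hosts.values():
                host.receive(pdu.frame)
        elif pdu.frame.dst_mac in self.hosts:
            self.hosts[pdu.frame.dst_mac].receive(pdu.frame)


def run_scenario():
    """ARP steps (1)-(7) followed by one unicast data frame (unicast steps (1)-(5))."""
    net = Underlay()
    vtep1 = Vtep("VTEP-1", "100.100.100.1", 10000, net)
    vtep2 = Vtep("VTEP-2", "100.100.100.2", 10000, net)
    vtep3 = Vtep("VTEP-3", "100.100.100.3", 20000, net)       # same group, other VNI (assumed)
    a = Host("00:00:00:00:00:0a", "192.168.10.11")             # assumed addresses
    b = Host("00:00:00:00:00:0b", "192.168.10.12")
    vtep1.add_host(a)
    vtep2.add_host(b)
    a.send(Frame(a.mac, BROADCAST, "ARP-REQ", target_ip=b.ip))
    a.send(Frame(a.mac, b.mac, "DATA"))
    return net, vtep1, vtep2, vtep3, a, b


if __name__ == "__main__":
    net, v1, v2, v3, a, b = run_scenario()
    for pdu in net.sent:
        print("VNI", pdu.vni, pdu.outer_src_ip, "->", pdu.outer_dst_ip, pdu.frame.kind)
    print("VTEP-1 table:", v1.remote, " VTEP-3 dropped:", v3.dropped)
```

The table is keyed by (VNI, inner source MAC) and written by whatever frame arrives with that source: learning is purely data-driven, so a frame carrying a spoofed inner source MAC injected anywhere in the VNI rewrites the mapping, exactly as MAC spoofing does on a classic switch. That is part of why the note above points to EVPN for the control plane.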
VxLAN Lab
Lab topology: build the network topology shown in the figure below;
Lab goal: LAN-EAST can ping LAN-WEST;
Protocol plan: the ISP network runs OSPF with multicast enabled; the VXLAN control plane uses multicast mode (flood-and-learn);
Images used in the lab:
- NXOS-VTEP-1/2:nxosv9k-7.0.3.I7.1
- ISP-EAST/WEST:IOL L3 15.4.2T Routers
- SW-EAST/WEST:vIOS L2 15.2 Switches
- LAN-EAST/WEST:VPCS hosts
VTEP-1 configuration:
feature ospf
feature pim
feature vn-segment-vlan-based
feature nv overlay
ip pim rp-address 10.1.1.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
vlan 1,10
vlan 10
vn-segment 10000
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
interface Ethernet1/1
no switchport
ip address 20.1.1.2/24
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface Ethernet1/2
switchport mode trunk
switchport access vlan 10
interface loopback0
ip address 100.100.100.1/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
ip route 0.0.0.0/0 20.1.1.1
router ospf 1
router-id 100.100.100.1
VTEP-2 configuration:
feature ospf
feature pim
feature vn-segment-vlan-based
feature nv overlay
ip pim rp-address 10.1.1.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
vlan 1,10
vlan 10
vn-segment 10000
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
interface Ethernet1/1
no switchport
ip address 30.1.1.2/24
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface Ethernet1/2
switchport mode trunk
switchport access vlan 10
interface loopback0
ip address 100.100.100.2/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
ip route 0.0.0.0/0 30.1.1.1
router ospf 1
router-id 100.100.100.2
ISP-EAST configuration:
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/1
ip address 20.1.1.1 255.255.255.0
ip pim sparse-mode
!
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
network 20.1.1.0 0.0.0.255 area 0
!
ip pim rp-address 10.1.1.1
!
ISP-WEST configuration:
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/1
ip address 30.1.1.1 255.255.255.0
ip pim sparse-mode
!
router ospf 1
network 10.1.1.2 0.0.0.0 area 0
network 30.1.1.0 0.0.0.255 area 0
!
ip pim rp-address 10.1.1.1
!
SW-EAST configuration:
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto
no cdp enable
!
SW-WEST configuration:
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto
no cdp enable
!
VTEP-1 state verification (LearnType DP in show nve peers means the peer was learned from the data plane, i.e. flood-and-learn, not from a control-plane protocol):
VTEP-1# show nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1      100.100.100.2   Up    DP        00:26:13 n/a
VTEP-1# show nve vni
Codes: CP - Control Plane        DP - Data Plane
       UC - Unconfigured         SA - Suppress ARP
       SU - Suppress Unknown Unicast

Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      10000    230.1.1.1         Up    DP   L2   [10]
VTEP-1# show runn interface nve1
!Command: show running-config interface nve1
!Time: Fri Dec 22 11:01:58 2017
version 7.0(3)I7(1)
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
VTEP-1# show nve internal platform interface detail
Printing details of all NVE Interfaces
|======|=========================|===============|===============|=====|=====|
|Intf |State |PriIP |SecIP |Vnis |Peers|
|======|=========================|===============|===============|=====|=====|
|nve1 |UP |100.100.100.1 |0.0.0.0 |1 |1 |
|======|=========================|===============|===============|=====|=====|
SW_BD/VNIs of interface nve1:
================================================
|======|======|=========================|======|====|======|========
|Sw BD |Vni |State |Intf |Type|Vrf-ID|Notified
|======|======|=========================|======|====|======|========
|10 |10000 |UP |nve1 |DP |0 |Yes
|======|======|=========================|======|====|======|========
Peers of interface nve1:
============================================
Peer_ip: 100.100.100.2
Peer-ID : 1
State : UP
Learning : Enabled
TunnelID : 0x0
Mode : Symmetric
MAC : 0000.0000.0000
Table-ID : 0x1
Encap : 0x1
VTEP-1# show ip mroute detail
IP Multicast Routing Table for VRF "default"

Total number of routes: 3
Total number of (*,G) routes: 1
Total number of (S,G) routes: 1
Total number of (*,G-prefix) routes: 1

(*, 230.1.1.1/32), uptime: 00:37:16, nve(1) ip(0) pim(0)
  RPF Change only
  RPF-Source: 10.1.1.1 [50/110]
  Data Created: No
  VXLAN Flags
    VXLAN Encap
    VXLAN Last Hop
  Stats: 1/100 [Packets/Bytes], 0.000 bps
  Stats: Inactive Flow
  Incoming interface: Ethernet1/1, RPF nbr: 20.1.1.1
  Outgoing interface list: (count: 1) (bridge_only: 0)
    nve1, uptime: 00:37:16, nve

(100.100.100.1/32, 230.1.1.1/32), uptime: 00:37:16, nve(0) mrib(0) ip(0) pim(1)
  RPF-Source: 100.100.100.1 [0/0]
  Data Created: No
  Received Register stop
  VXLAN Flags
    VXLAN Encap
  Stats: 10/996 [Packets/Bytes], 13.333 bps
  Stats: Active Flow
  Incoming interface: loopback0, RPF nbr: 100.100.100.1
  Outgoing interface list: (count: 1) (bridge_only: 0)
    Ethernet1/1, uptime: 00:35:47, pim

(*, 232.0.0.0/8), uptime: 00:37:20, pim(0) ip(0)
  RPF-Source: 0.0.0.0 [0/0]
  Data Created: No
  SSM route
  Stats: 0/0 [Packets/Bytes], 0.000 bps
  Stats: Inactive Flow
  Incoming interface: Null, RPF nbr: 0.0.0.0
  Outgoing interface list: (count: 0) (bridge_only: 0)

VTEP-1#
VTEP-2 state verification:
VTEP-2# show nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1      100.100.100.1   Up    DP        00:29:42 n/a
VTEP-2# show nve vni
Codes: CP - Control Plane        DP - Data Plane
       UC - Unconfigured         SA - Suppress ARP
       SU - Suppress Unknown Unicast

Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      10000    230.1.1.1         Up    DP   L2   [10]
VTEP-2# show runn interface nve1
!Command: show running-config interface nve1
!Time: Fri Dec 22 11:05:06 2017
version 7.0(3)I7(1)
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
VTEP-2# show nve internal platform interface detail
Printing details of all NVE Interfaces
|======|=========================|===============|===============|=====|=====|
|Intf |State |PriIP |SecIP |Vnis |Peers|
|======|=========================|===============|===============|=====|=====|
|nve1 |UP |100.100.100.2 |0.0.0.0 |1 |1 |
|======|=========================|===============|===============|=====|=====|
SW_BD/VNIs of interface nve1:
================================================
|======|======|=========================|======|====|======|========
|Sw BD |Vni |State |Intf |Type|Vrf-ID|Notified
|======|======|=========================|======|====|======|========
|10 |10000 |UP |nve1 |DP |0 |Yes
|======|======|=========================|======|====|======|========
Peers of interface nve1:
============================================
Peer_ip: 100.100.100.1
Peer-ID : 1
State : UP
Learning : Enabled
TunnelID : 0x0
Mode : Symmetric
MAC : 0000.0000.0000
Table-ID : 0x1
Encap : 0x1
VTEP-2# show ip mroute detail
IP Multicast Routing Table for VRF "default"

Total number of routes: 3
Total number of (*,G) routes: 1
Total number of (S,G) routes: 1
Total number of (*,G-prefix) routes: 1

(*, 230.1.1.1/32), uptime: 00:40:00, nve(1) ip(0) pim(0)
  RPF Change only
  RPF-Source: 10.1.1.1 [50/110]
  Data Created: No
  VXLAN Flags
    VXLAN Encap
    VXLAN Last Hop
  Stats: 3/298 [Packets/Bytes], 0.000 bps
  Stats: Inactive Flow
  Incoming interface: Ethernet1/1, RPF nbr: 30.1.1.1
  Outgoing interface list: (count: 1) (bridge_only: 0)
    nve1, uptime: 00:40:00, nve

(100.100.100.2/32, 230.1.1.1/32), uptime: 00:40:00, nve(0) mrib(0) ip(0) pim(1)
  RPF-Source: 100.100.100.2 [0/0]
  Data Created: No
  Received Register stop
  VXLAN Flags
    VXLAN Encap
  Stats: 2/200 [Packets/Bytes], 0.000 bps
  Stats: Inactive Flow
  Incoming interface: loopback0, RPF nbr: 100.100.100.2
  Outgoing interface list: (count: 1) (bridge_only: 0)
    Ethernet1/1, uptime: 00:38:33, pim

(*, 232.0.0.0/8), uptime: 00:40:03, pim(0) ip(0)
  RPF-Source: 0.0.0.0 [0/0]
  Data Created: No
  SSM route
  Stats: 0/0 [Packets/Bytes], 0.000 bps
  Stats: Inactive Flow
  Incoming interface: Null, RPF nbr: 0.0.0.0
  Outgoing interface list: (count: 0) (bridge_only: 0)

VTEP-2#
LAN-EAST ping test (from LAN-EAST to LAN-WEST at 192.168.10.12):
VPCS> ping 192.168.10.12 -t
84 bytes from 192.168.10.12 icmp_seq=1 ttl=64 time=18.460 ms
84 bytes from 192.168.10.12 icmp_seq=2 ttl=64 time=67.473 ms
84 bytes from 192.168.10.12 icmp_seq=3 ttl=64 time=24.646 ms
84 bytes from 192.168.10.12 icmp_seq=4 ttl=64 time=13.696 ms
84 bytes from 192.168.10.12 icmp_seq=5 ttl=64 time=15.216 ms
84 bytes from 192.168.10.12 icmp_seq=6 ttl=64 time=48.122 ms
84 bytes from 192.168.10.12 icmp_seq=7 ttl=64 time=33.200 ms
84 bytes from 192.168.10.12 icmp_seq=8 ttl=64 time=14.530 ms
^C
VPCS>