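VxLAN Overview
VXLAN (Virtual Extensible LAN) is an overlay network technology. It encapsulates the original Layer 2 Ethernet frame in UDP (MAC-in-UDP), adding an 8-byte VXLAN header, an 8-byte UDP header, a 20-byte IP header and a 14-byte Ethernet header, 50 bytes in total.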

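VxLAN Advantages
- Flexible application deployment: Layer 2 Ethernet frames encapsulated in VXLAN can cross Layer 3 network boundaries, which makes network design and application deployment more flexible and also resolves IP address conflicts in multi-tenant network environments.
- Better scalability: the traditional VLAN ID field is 12 bits, so the maximum number of VLANs is 4096; VXLAN uses a 24-bit VNID (VXLAN network identifier) and supports up to 16,000,000 logical networks.
- Higher network utilization: traditional Ethernet uses STP to prevent loops, and STP leaves redundant network paths in the blocking state. VXLAN packets are forwarded based on the Layer 3 IP header, so they make effective use of the network paths and support ECMP (equal-cost multipath) and link aggregation protocols.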
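VxLAN Terminology
- VXLAN Tunnel Endpoint (VTEP): VXLAN uses VTEP devices to encapsulate and decapsulate VXLAN packets, including ARP request packets and normal VXLAN data packets. A VTEP encapsulates the original Ethernet frame in VXLAN and sends it to the peer VTEP; the peer VTEP decapsulates the VXLAN packet and forwards it according to the original MAC address. A VTEP can be implemented by a physical switch, a physical server, or any other hardware device or software that supports VXLAN.
- Virtual Network ID (VNI): the VNI is carried in the VXLAN header, is 24 bits long, and supports up to 16,000,000 logical networks.
- VXLAN gateway: a VXLAN gateway connects a VXLAN network to a traditional VLAN network and maps between VNIs and VLAN IDs. A VXLAN gateway is in fact also a VTEP device.
- Multicast group: VTEP devices must join the same multicast group, which is used mainly for MAC address flooding and learning.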
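VXLAN Data Forwarding
- Control plane: when VXLAN is implemented with multicast, it uses data-driven flood-and-learn and has no control plane in the strict sense. VTEP devices use stateless tunnels between each other and do not maintain stateful long-lived connections. VXLAN has to learn remote device address information through multicast and build control-plane entries locally. A control-plane entry consists of the triple VNI, Inner Source MAC, Outer Source IP.
Note: using multicast brings some problems; the control plane can use EVPN (MP-BGP) instead. For details, see "VxLAN Lab Based on EVPN".
- Forwarding plane: once the control plane has learned the address mappings, the forwarding plane does the actual data forwarding. The VTEP adds a UDP header to the original data frame, and the new headers are removed only when the packet reaches the destination VTEP. Network devices along the path forward the packet based only on the destination address in the outer header.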
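VTEP Discovery and Address Learning Process
As shown in the figure below, this example uses a multicast-based VxLAN scenario to illustrate how the ARP request packet is encapsulated when End System A and End System B communicate.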

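- (1) End System A sends an ARP request asking for the MAC address of End System B.
- (2) VTEP-1 receives the ARP request from End System A. At this point VTEP-1 has no address mapping entry for End System B, so it encapsulates the ARP request in VXLAN with the VNI set to 10, outer-src-ip set to VTEP-1's IP and outer-dst-ip set to the address of the multicast group it has joined, then forwards the encapsulated packet to the VXLAN multicast group.
- (3) VTEP-2 and VTEP-3 have joined the same multicast group, and all group members receive the multicast packet sent by VTEP-1. After decapsulation each one checks whether the VNI matches its local VNI. If it matches, the VTEP sends the ARP request to its local network and at the same time records the mapping between VNI, inner MAC and outer IP, building a control-plane address mapping entry. If the VNI does not match, the packet is dropped.
- (4) End System B receives the ARP request and sends an ARP reply as unicast.
- (5) VTEP-2 receives the ARP reply from End System B and encapsulates it in VXLAN. VTEP-2 has already built its control-plane address mapping entry, so the encapsulated packet is sent as unicast. Outer-src-ip is VTEP-2's IP address and outer-dst-ip is VTEP-1's IP address.
- (6) VTEP-1 receives the encapsulated ARP reply, decapsulates it and compares the VNI. If it matches, VTEP-1 sends the ARP reply to End System A and at the same time records the mapping between VNI, inner MAC and outer IP, building a control-plane entry.
- (7) VTEP-1 and VTEP-2 have now both built their control-plane address mappings, and subsequent VXLAN data is carried as unicast between VTEP-1 and VTEP-2.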
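VxLAN Unicast Data Flow Forwarding Process
After the ARP request above, End System A has the MAC address of End System B, and VTEP-1 has the mapping entry for End System B.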

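- (1) End System A forwards the unicast packet to VTEP-1.
- (2) VTEP-1 receives the unicast packet from End System A. VTEP-1 already has the MAC-to-VTEP address mapping entry for End System B, so it encapsulates the unicast packet in VXLAN with the VNI set to 10, outer-src-ip set to VTEP-1's IP and outer-dst-ip set to VTEP-2's IP, and forwards the packet to Router-1, the next-hop router that can reach VTEP-2.
- (3) The IP backbone routes the packet to the edge router Router-2 based on the source and destination IP addresses in the Outer IP header of the VxLAN packet.
- (4) The IP backbone router Router-2 forwards the packet on to VTEP-2.
- (5) VTEP-2 receives the unicast packet for End System B, performs VXLAN decapsulation, strips the outer Ethernet, IP, UDP, and VXLAN headers, and forwards the Ethernet frame to End System B.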
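The learning steps (1) to (7) and the unicast forwarding that follows can be traced in a short simulation. This is an added example, not code from the original article: packets are modelled as dictionaries rather than real frames, and the MAC addresses, VTEP-3's address 100.100.100.3 and its VNI 20 are constructed so that the VNI-mismatch drop is visible.

```python
import struct

VXLAN_FLAG_I = 0x08  # RFC 7348: the "I" bit marks the VNI field as valid

def vxlan_header(vni):
    """Build the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)

def parse_vni(header):
    """Return the VNI, or None if the header is short or the I flag is clear."""
    if len(header) < 8:
        return None
    word0, word1 = struct.unpack("!II", header[:8])
    return word1 >> 8 if (word0 >> 24) & VXLAN_FLAG_I else None

class Vtep:
    """Toy VTEP doing data-plane (flood-and-learn) learning for one local VNI."""
    def __init__(self, ip, vni, group):
        self.ip, self.vni, self.group = ip, vni, group
        self.table = {}  # (VNI, inner source MAC) -> outer source IP

    def encap(self, inner_src, inner_dst):
        """Outer destination is the learned peer IP, else the multicast group."""
        outer_dst = self.table.get((self.vni, inner_dst), self.group)
        return {"outer_src": self.ip, "outer_dst": outer_dst,
                "vxlan": vxlan_header(self.vni),
                "inner_src": inner_src, "inner_dst": inner_dst}

    def decap(self, pkt):
        """Drop on VNI mismatch; otherwise learn the mapping and deliver locally."""
        vni = parse_vni(pkt["vxlan"])
        if vni != self.vni:
            return False
        self.table[(vni, pkt["inner_src"])] = pkt["outer_src"]
        return True

def run_exchange():
    """Constructed walk-through of the ARP exchange and the later unicast flow."""
    group, mac_a, mac_b = "230.1.1.1", "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    v1, v2 = Vtep("100.100.100.1", 10, group), Vtep("100.100.100.2", 10, group)
    v3 = Vtep("100.100.100.3", 20, group)           # constructed: other VNI
    arp_req = v1.encap(mac_a, "ff:ff:ff:ff:ff:ff")  # no entry yet: sent to group
    delivered = [v.decap(arp_req) for v in (v2, v3)]
    arp_rep = v2.encap(mac_b, mac_a)                # VTEP-2 has learned A: unicast
    v1.decap(arp_rep)                               # VTEP-1 learns B
    data = v1.encap(mac_a, mac_b)                   # later data goes unicast
    return arp_req["outer_dst"], delivered, arp_rep["outer_dst"], data["outer_dst"]
```

Because each table entry is written from whatever outer source IP a received packet carries, the table is only as trustworthy as the underlay that delivers those packets.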
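VxLAN Lab
Lab topology: build the network topology shown in the figure below.
Lab goal: LAN-EAST can ping LAN-WEST.
Protocol plan: the ISP network runs OSPF with multicast enabled, and the VxLAN control plane uses multicast mode.
Image files used in the lab:
- NXOS-VTEP-1/2: nxosv9k-7.0.3.I7.1
- ISP-EAST/WEST: IOL L3 15.4.2T Routers
- SW-EAST/WEST: vIOS L2 15.2 Switches
- LAN-EAST/WEST: VPCS hosts
VTEP-1 configuration: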
feature ospf
feature pim
feature vn-segment-vlan-based
feature nv overlay
ip pim rp-address 10.1.1.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
vlan 1,10
vlan 10
  vn-segment 10000
interface nve1
  no shutdown
  source-interface loopback0
  member vni 10000 mcast-group 230.1.1.1
interface Ethernet1/1
  no switchport
  ip address 20.1.1.2/24
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown
interface Ethernet1/2
  switchport mode trunk
  switchport access vlan 10
interface loopback0
  ip address 100.100.100.1/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
ip route 0.0.0.0/0 20.1.1.1
router ospf 1
  router-id 100.100.100.1
VTEP-2 configuration:
feature ospf
feature pim
feature vn-segment-vlan-based
feature nv overlay
ip pim rp-address 10.1.1.1 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8
vlan 1,10
vlan 10
  vn-segment 10000
interface nve1
  no shutdown
  source-interface loopback0
  member vni 10000 mcast-group 230.1.1.1
interface Ethernet1/1
  no switchport
  ip address 30.1.1.2/24
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown
interface Ethernet1/2
  switchport mode trunk
  switchport access vlan 10
interface loopback0
  ip address 100.100.100.2/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
ip route 0.0.0.0/0 30.1.1.1
router ospf 1
  router-id 100.100.100.2
ISP-EAST configuration:
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/1
 ip address 20.1.1.1 255.255.255.0
 ip pim sparse-mode
!
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 20.1.1.0 0.0.0.255 area 0
!
ip pim rp-address 10.1.1.1
!
ISP-WEST configuration:
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/1
 ip address 30.1.1.1 255.255.255.0
 ip pim sparse-mode
!
router ospf 1
 network 10.1.1.2 0.0.0.0 area 0
 network 30.1.1.0 0.0.0.255 area 0
!
ip pim rp-address 10.1.1.1
!
SW-EAST configuration:
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
 no cdp enable
!
SW-WEST configuration:
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
 no cdp enable
!
VTEP-1 status verification:
VTEP-1# show nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 100.100.100.2 Up DP 00:26:13 n/a
VTEP-1# show nve vni
Codes: CP - Control Plane DP - Data Plane
UC - Unconfigured SA - Suppress ARP
SU - Suppress Unknown Unicast
Interface VNI Multicast-group State Mode Type [BD/VRF] Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1 10000 230.1.1.1 Up DP L2 [10]
VTEP-1# show runn interface nve1
!Command: show running-config interface nve1
!Time: Fri Dec 22 11:01:58 2017
version 7.0(3)I7(1)
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
VTEP-1# show nve internal platform interface detail
Printing details of all NVE Interfaces
|======|=========================|===============|===============|=====|=====|
|Intf |State |PriIP |SecIP |Vnis |Peers|
|======|=========================|===============|===============|=====|=====|
|nve1 |UP |100.100.100.1 |0.0.0.0 |1 |1 |
|======|=========================|===============|===============|=====|=====|
SW_BD/VNIs of interface nve1:
================================================
|======|======|=========================|======|====|======|========
|Sw BD |Vni |State |Intf |Type|Vrf-ID|Notified
|======|======|=========================|======|====|======|========
|10 |10000 |UP |nve1 |DP |0 |Yes
|======|======|=========================|======|====|======|========
Peers of interface nve1:
============================================
Peer_ip: 100.100.100.2
Peer-ID : 1
State : UP
Learning : Enabled
TunnelID : 0x0
Mode : Symmetric
MAC : 0000.0000.0000
Table-ID : 0x1
Encap : 0x1
VTEP-1# show ip mroute detail
IP Multicast Routing Table for VRF "default"
Total number of routes: 3
Total number of (*,G) routes: 1
Total number of (S,G) routes: 1
Total number of (*,G-prefix) routes: 1
(*, 230.1.1.1/32), uptime: 00:37:16, nve(1) ip(0) pim(0)
RPF Change only
RPF-Source: 10.1.1.1 [50/110]
Data Created: No
VXLAN Flags
VXLAN Encap
VXLAN Last Hop
Stats: 1/100 [Packets/Bytes], 0.000 bps
Stats: Inactive Flow
Incoming interface: Ethernet1/1, RPF nbr: 20.1.1.1
Outgoing interface list: (count: 1) (bridge_only: 0)
nve1, uptime: 00:37:16, nve
(100.100.100.1/32, 230.1.1.1/32), uptime: 00:37:16, nve(0) mrib(0) ip(0) pim(1)
RPF-Source: 100.100.100.1 [0/0]
Data Created: No
Received Register stop
VXLAN Flags
VXLAN Encap
Stats: 10/996 [Packets/Bytes], 13.333 bps
Stats: Active Flow
Incoming interface: loopback0, RPF nbr: 100.100.100.1
Outgoing interface list: (count: 1) (bridge_only: 0)
Ethernet1/1, uptime: 00:35:47, pim
(*, 232.0.0.0/8), uptime: 00:37:20, pim(0) ip(0)
RPF-Source: 0.0.0.0 [0/0]
Data Created: No
SSM route
Stats: 0/0 [Packets/Bytes], 0.000 bps
Stats: Inactive Flow
Incoming interface: Null, RPF nbr: 0.0.0.0
Outgoing interface list: (count: 0) (bridge_only: 0)
VTEP-1#
VTEP-2 status verification:
VTEP-2# show nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 100.100.100.1 Up DP 00:29:42 n/a
VTEP-2# show nve vni
Codes: CP - Control Plane DP - Data Plane
UC - Unconfigured SA - Suppress ARP
SU - Suppress Unknown Unicast
Interface VNI Multicast-group State Mode Type [BD/VRF] Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1 10000 230.1.1.1 Up DP L2 [10]
VTEP-2# show runn interface nve1
!Command: show running-config interface nve1
!Time: Fri Dec 22 11:05:06 2017
version 7.0(3)I7(1)
interface nve1
no shutdown
source-interface loopback0
member vni 10000 mcast-group 230.1.1.1
VTEP-2# show nve internal platform interface detail
Printing details of all NVE Interfaces
|======|=========================|===============|===============|=====|=====|
|Intf |State |PriIP |SecIP |Vnis |Peers|
|======|=========================|===============|===============|=====|=====|
|nve1 |UP |100.100.100.2 |0.0.0.0 |1 |1 |
|======|=========================|===============|===============|=====|=====|
SW_BD/VNIs of interface nve1:
================================================
|======|======|=========================|======|====|======|========
|Sw BD |Vni |State |Intf |Type|Vrf-ID|Notified
|======|======|=========================|======|====|======|========
|10 |10000 |UP |nve1 |DP |0 |Yes
|======|======|=========================|======|====|======|========
Peers of interface nve1:
============================================
Peer_ip: 100.100.100.1
Peer-ID : 1
State : UP
Learning : Enabled
TunnelID : 0x0
Mode : Symmetric
MAC : 0000.0000.0000
Table-ID : 0x1
Encap : 0x1
VTEP-2# show ip mroute detail
IP Multicast Routing Table for VRF "default"
Total number of routes: 3
Total number of (*,G) routes: 1
Total number of (S,G) routes: 1
Total number of (*,G-prefix) routes: 1
(*, 230.1.1.1/32), uptime: 00:40:00, nve(1) ip(0) pim(0)
RPF Change only
RPF-Source: 10.1.1.1 [50/110]
Data Created: No
VXLAN Flags
VXLAN Encap
VXLAN Last Hop
Stats: 3/298 [Packets/Bytes], 0.000 bps
Stats: Inactive Flow
Incoming interface: Ethernet1/1, RPF nbr: 30.1.1.1
Outgoing interface list: (count: 1) (bridge_only: 0)
nve1, uptime: 00:40:00, nve
(100.100.100.2/32, 230.1.1.1/32), uptime: 00:40:00, nve(0) mrib(0) ip(0) pim(1)
RPF-Source: 100.100.100.2 [0/0]
Data Created: No
Received Register stop
VXLAN Flags
VXLAN Encap
Stats: 2/200 [Packets/Bytes], 0.000 bps
Stats: Inactive Flow
Incoming interface: loopback0, RPF nbr: 100.100.100.2
Outgoing interface list: (count: 1) (bridge_only: 0)
Ethernet1/1, uptime: 00:38:33, pim
(*, 232.0.0.0/8), uptime: 00:40:03, pim(0) ip(0)
RPF-Source: 0.0.0.0 [0/0]
Data Created: No
SSM route
Stats: 0/0 [Packets/Bytes], 0.000 bps
Stats: Inactive Flow
Incoming interface: Null, RPF nbr: 0.0.0.0
Outgoing interface list: (count: 0) (bridge_only: 0)
VTEP-2#
LAN-EAST ping test:
VPCS> ping 192.168.10.12 -t
84 bytes from 192.168.10.12 icmp_seq=1 ttl=64 time=18.460 ms
84 bytes from 192.168.10.12 icmp_seq=2 ttl=64 time=67.473 ms
84 bytes from 192.168.10.12 icmp_seq=3 ttl=64 time=24.646 ms
84 bytes from 192.168.10.12 icmp_seq=4 ttl=64 time=13.696 ms
84 bytes from 192.168.10.12 icmp_seq=5 ttl=64 time=15.216 ms
84 bytes from 192.168.10.12 icmp_seq=6 ttl=64 time=48.122 ms
84 bytes from 192.168.10.12 icmp_seq=7 ttl=64 time=33.200 ms
84 bytes from 192.168.10.12 icmp_seq=8 ttl=64 time=14.530 ms
^C
VPCS>