VIRTUAL NETWORKING WITH VMWARE VXLAN

Very few I have talked to heard about VXLan so here is a post. I will do my best to cover most of the info.

vQuicky – For the impatient like me

> VXLAN – Virtual eXtensible Local Area Network

> VXLAN is a way to move towards Network Virtualization

> VXLAN is an Mac-over-ip based methodology/protocol

> VXLAN is an attempt to solve the datacenter problems of 4095 vlans or 4095 mac address limits in top of the rack switches (TOR switches)

> VXLAN is a way to float “virtual domains” called VNI (VXLAN Network Identifier) over current hardware and network layers (Layer 2 and layer 3)

> Only VMs with in the same VXLAN segment can talk to each other.

> The VNI is a 24 bit segment id which allows for 16 million VXLAN segment ids in a single administrative domain.

>  The VNI is a outer header address with the inner MAC address of the VM

> VXLAN can also be considered similar to a L2 tunneling over L3 however it is stateless

> VTEP – VXLAN Tunnel End Point is where the VXLAN packet terminates and is within the hypervisor that houses the VM

>  VTEP’s can also be a VXLAN aware physical server or even a physical switch.

> VXLAN’s currently don’t take security into account as of today but its in works to make this a more inherent protocol to provide some sort of security towards a rogue node in L2 layer.

> There are recommendations of coupling VXLANs using IPSEC

inDepth

Before I even attempt to write about VXLAN – let me snag this nice picture – courtesy of VMware.

Get the idea? Well VXLAN is a way to solve the datacenter issues where you are limited by vlans, switch ports and/or mac address limits. Its all about network virtualization and VMware is to work with Cisco and hopefully other software vendors to make this happen.

Looks like VMware finally realized that even though provisioning a vm can take any where from a few minutes to seconds (if you have SSDs) – getting the network part done can take days and sometimes even weeks. Clearly this is a big deal for Enterprises. There are ways to speed things up however they all still reply on the vlan, mac address and switch port limits.

So how does a typical vm to vm communication take place over VXLAN. Any machines on the same VNI are said to be in the same VXLAN Overlay Network. Now a vm in the VXLAN overlay network may be unaware that it is actually participating in MAC-Over-IP network virtualization. Now if this vm wants to send data to another vm – it does this by sending the packets to that mac address. Now the VXLAN Tunnel End point (VTEP) which lives on the host looks up the VNI to which this vm belongs to. The VTEP also checks if the destination vm belongs to the same VNI as well and if it does then it takes the outer ip address, outer mac and the VXLAN header are inserted to the original mac frame. Now the packet is sent over to the destination which is the remote ip of the VTEP hypervisor that hosts the destination vm.

When the other VTEP receives the packet, it verifies if the VNI is valid and if the vm belongs to it, then stripes off the headers to the mac frame that were added by the source VTEP and then passes the packet to the VM. The destination vm also learns about the inner source mac of the source vm and the outer ip address as well. It records/stores this info so if that vm needs to send a response or has to communicate in the future, it does not have to flood the request.

A brief about broadcast communications – Any broadcast traffic with the VXLAN is done by adding a header that includes VXLAN VNI information along with the IP header and the UDP header. Now this broadcast traffic is sent to the IP Multicast group that has the VXLAN overlay network defined to it. For this to be possible there must be a association of the IP multicast group to a specific VXLAN overlay group and this is done at the management layer and provided to the VTEP through a management channel.

Within VMware’s context – the encapsulation is performed between the virtual NIC of the guest VM and the logical port on the virtual switch. This makes VXLAN transparent to both the guest VMs and the underlying Layer 3 network. Gateway services between VXLAN and non-VXLAN hosts are performed by Security Edge gateway appliance. The Edge gateway translates VXLAN segment IDs to VLAN IDs, so that non-VXLAN hosts can communicate with VXLAN virtual servers.

Feel free to comment 🙂

http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-00

http://www.vmware.com/solutions/datacenter/vxlan.html

http://blog.ioshints.info/2011/08/finally-mac-over-ip-based-vcloud.html

http://networkheresy.com/2011/08/31/vxlan-moving-towards-network-virtualization/

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation