Hello guys. It was suggested to me that people are interested in this subject, so today I'm going to talk a little bit about VXLAN. Let's get into it together? I will split the subject into multiple articles. This is the first one.
1. Introduction
Many of us have tried to figure out how to get some virtual machines into the same LAN even when there are different networks between them. What you would like to do is run a Layer 2 LAN segment over the top of your Layer 3 networks.
The good news is you actually have a way to accomplish this. It is called VXLAN (Virtual Extensible Local Area Network).
VXLAN helps simplify the underlying network by making the spanning tree protocol, trunking, and stretched VLANs unnecessary. Virtual machines can move between hosts on different VLANs without needing to change IP addresses.
VXLAN is a standard defined by RFC 7348, so there is no need to lock into a particular vendor.
2. VNI and VLAN
Every VLAN has a VLAN ID. The VLAN ID is a field in the IEEE 802.1Q tag that is added to the frame so that each VLAN can be kept as a separate broadcast domain. The VLAN ID is 12 bits long, allowing a total of 4096 different IDs (2^12). Look at the image below.

Figure 1 – VID (VLAN ID) as a field 12 bits long
VXLAN is quite similar. Each VXLAN segment also has an identifier, called the VNI (VXLAN Network Identifier). This field is 24 bits long, which gives us around 16 million different segments (2^24). Much more than what the VID provides us, right?

Figure 2 – VXLAN header showing that VNI field is 24 bits long.
Like a VLAN, traffic in one VNI is kept separate from every other VNI. If you wish to allow devices in one VNI to communicate with devices in a different VNI, you will need to route the traffic, just as you do for devices in different VLANs. While the VLAN tag is inserted directly into the Layer 2 frame, VXLAN encapsulates the entire original Layer 2 frame in a UDP packet, which is why this technology is called MAC-in-UDP. Because the original frame is carried inside VXLAN packets, VXLAN works as a tunnel over Layer 3 networks. You will see how it works soon, hold on.
You may be thinking that around 4000 VLANs are enough for everybody. Let's imagine that you are providing services for customers who are tenants in your data center. If you give each customer 8 VLANs, you can have only a little more than 500 tenants before your VLANs are exhausted. After that, you will have to reuse VLAN IDs across different hardware, encapsulate VLANs inside VLANs using QinQ, or something like that. This is where VXLAN helps you. Multitenant SDN allows customers to allocate their own VLANs, and with 16 million VNIs you can give each customer a unique ID across your data centers or sites.
3. Overlays and Underlays
VXLAN creates virtual networks on top of the existing infrastructure. This makes VXLAN an overlay network, and the existing infrastructure is the underlay network. The underlay network is all Layer 3: all ports in the underlay are routed, so spanning tree and trunking are not needed. Dynamic routing is used in the underlay network; OSPF (the usual choice), IS-IS, or BGP (more complicated) can be used. Figure 3 shows the overlay and underlay networks. The meaning of VTEP will be explained later, but these devices understand VXLAN because they establish the VXLAN tunnel. The devices in the middle that do not have a VTEP interface do not know that VXLAN exists.

Figure 3 – Overlay and underlay networks example.
Each VNI is a separate virtual network that runs over the underlay. Each of these VNIs is called a bridge domain. In order to create this virtual network, traffic is encapsulated with UDP and IP before it is sent out. When it reaches the device where the destination is, it is decapsulated. A hidden advantage of separating the overlay and underlay is that the underlay can be changed without needing to redesign the overlay. As long as there is IP connectivity between the devices composing the underlay, the overlay will be fine.
At this point, you should be asking yourself how VXLAN encapsulation works.
4. VTEPs and Encapsulation
Switches or routers that participate in VXLAN have a special interface called a VTEP (VXLAN Tunnel End Point). The VTEP provides the connection between the overlay and the underlay. Each VTEP has an IP address in the underlay network, and each also has one or more VNIs. In order to deliver traffic from one host to another, a source and a destination VTEP create a stateless tunnel. These tunnels exist only long enough to deliver the VXLAN packet. The devices that establish this tunnel are called NVEs (Network Virtualization Edges). A VXLAN tunnel can terminate in network devices (like switches) or even in the virtual switch that resides in a server.

Figure 4 – VTEP interfaces are used to establish VXLAN tunnels among NVEs (Network Virtualization Edges).
When a frame for a remote host (a VM in another server) reaches the switch, the original frame is encapsulated in IP and UDP headers. The source IP address is the VTEP address of the switch, and the destination IP address is the VTEP address of the switch that the frame must be sent to in order to reach its final destination. The switch then forwards the packet over the underlay, which knows how to reach the VTEP address because it is in the routing table (remember that the underlay is a Layer 3 network). You should be asking:
1. How does the switch know the VTEP address it needs to send the frame to? In other words, how does it discover the VTEP behind which the destination MAC address sits?
2. How does the switch find the other VTEPs?
We will learn this later in this series.
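To make sections 2 and 4 concrete, here is an added example (not code from the original article): it builds and parses the two identifier carriers compared above, the IEEE 802.1Q tag with its 12-bit VID and the VXLAN header with its 24-bit VNI, and then performs the MAC-in-UDP encapsulation a VTEP does: inner Ethernet frame, then VXLAN header, then UDP, then IPv4. Field layouts follow IEEE 802.1Q and RFC 7348; the MAC addresses, VTEP IP addresses, VID and VNI values are constructed for the demonstration, and the outer Ethernet header of the underlay hop is left out.

```python
"""Added example (not from the original article): 802.1Q VID vs. VXLAN VNI,
and the MAC-in-UDP encapsulation/decapsulation a VTEP performs.
Layouts follow IEEE 802.1Q and RFC 7348; sample addresses and IDs are constructed."""
import struct
import zlib

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid
MAX_VID = (1 << 12) - 1        # 4095; VID 0 and 4095 are reserved by 802.1Q
MAX_VNI = (1 << 24) - 1        # 16,777,215


def build_dot1q_tag(vid, pcp=0, dei=0):
    """4-byte 802.1Q tag: TPID 0x8100 followed by TCI = PCP(3) DEI(1) VID(12)."""
    if not 1 <= vid < MAX_VID:
        raise ValueError("usable VIDs are 1..4094")
    return struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (dei << 12) | vid)

def parse_dot1q_tag(tag):
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("not an 802.1Q tag")
    return tci & MAX_VID           # the VID is the low 12 bits of the TCI

def build_vxlan_header(vni):
    """8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BxxxI", VXLAN_FLAG_I, vni << 8)   # VNI sits above the last reserved byte

def parse_vxlan_header(hdr):
    flags, word = struct.unpack("!BxxxI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: header carries no valid VNI")
    return word >> 8

def ipv4_checksum(hdr):
    """Standard one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_frame(dst_mac, src_mac, ethertype, payload, vid=None):
    """Inner Ethernet frame; with vid set, the 802.1Q tag goes between source MAC and EtherType."""
    tag = build_dot1q_tag(vid) if vid is not None else b""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + tag + struct.pack("!H", ethertype) + payload)

def encapsulate(src_vtep, dst_vtep, vni, frame):
    """Sending VTEP: frame -> VXLAN -> UDP -> IPv4 (outer Ethernet header omitted here)."""
    # RFC 7348 recommends a UDP source port hashed from the inner headers, in 49152..65535,
    # so the underlay can spread the flows of one tunnel across ECMP paths.
    src_port = 49152 + zlib.crc32(frame[:12]) % 16384
    vxlan = build_vxlan_header(vni) + frame
    # RFC 7348: over IPv4 the UDP checksum SHOULD be transmitted as zero.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    return build_ipv4(src_vtep, dst_vtep, IPPROTO_UDP, udp)

def decapsulate(packet):
    """Receiving VTEP: validate outer headers, return (source VTEP, VNI, inner frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] != IPPROTO_UDP:
        raise ValueError("outer header is not a valid IPv4/UDP packet")
    src_vtep = ".".join(str(b) for b in packet[12:16])
    udp = packet[ihl:]
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    return src_vtep, parse_vxlan_header(udp[8:16]), udp[16:ulen]

def deliver(packet, bridge_domains):
    """Hand the inner frame only to the bridge domain of its VNI; other VNIs never see it."""
    _, vni, frame = decapsulate(packet)
    if vni not in bridge_domains:
        raise LookupError("VNI %d is not configured on this VTEP" % vni)
    bridge_domains[vni].append(frame)
    return vni

def demo():
    # Constructed sample: a VLAN-100-tagged frame from VM A to VM B, carried in VNI 5000
    frame = build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01",
                        ETHERTYPE_IPV4, b"inner payload", vid=100)
    packet = encapsulate("192.0.2.1", "192.0.2.2", 5000, frame)
    domains = {5000: [], 6000: []}
    vni = deliver(packet, domains)
    # (bytes of overhead, VNI delivered to, frame intact?, what VNI 6000 received)
    return len(packet) - len(frame), vni, domains[5000][0] == frame, domains[6000]
```

Running `demo()` returns `(36, 5000, True, [])`: the IPv4, UDP and VXLAN headers add 36 bytes, and once the underlay's own 14-byte Ethernet header is counted that is the 50-byte VXLAN overhead, which is why the underlay MTU has to be raised before the overlay carries full-size frames. The `deliver` step is the isolation property from section 2 in code: the receiving VTEP checks the UDP port and the I flag before trusting the VNI, and a frame is appended only to the bridge domain matching its VNI, so VNI 6000 never sees VNI 5000's traffic.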
5. Hosts and Gateways
VXLAN can be supported in hardware or software. An advantage of this is that it can run on a hypervisor like ESX or Hyper-V. This is the host-based method. The vSwitch on the host has a VTEP, which encapsulates traffic from VMs before it reaches any physical switch. The physical switches just see IP traffic and are unaware of VXLAN. The advantage of this is a simplified physical network, which can simply focus on transporting the traffic.
The VTEPs can also be on physical switches or routers. An example of this is configuring VXLAN on Huawei data center switches (CE X800 switches). This is called a VXLAN gateway. The VM sends traffic and the vSwitch forwards it normally; when the traffic arrives at the physical switch, the VTEP encapsulates the frames. The advantage is that VXLAN can be implemented in hardware, improving performance. Not all platforms support VXLAN in hardware, so you need to choose switches carefully. Obviously, a hybrid approach is also possible, with both hosts and switches supporting VXLAN. In this scenario, some devices are behind VXLAN gateways and some hosts have VXLAN configured.
In the next article, you will see a little more about the VXLAN header format and encapsulation.
I hope you have learned something about VXLAN.