[Cloud Data Center] Reading Notes on "Cloud Data Center Network Architecture and Technology", Chapter 6: Building the Logical Network of the Data Center (Overlay Network)

Overview

Built on top of the Underlay network, the Overlay constructs a large Layer 2 network.
VXLAN is the most widely used NVo3 technology.

6.1 Overlay network

Decoupling the Overlay from the Underlay network facilitates the deployment of an SDN architecture. The Overlay is equivalent to superimposing a large Layer 2 network on top of the existing network, implemented with NVo3 tunnel encapsulation technology.

6.2 VXLAN basics and related concepts

Key technology: L2 over L4 (MAC-in-UDP), which meets the following requirements:

  • Extending the Layer 2 network across a Layer 3 network
  • Virtual machine migration within a large Layer 2 domain
  • Multi-tenant isolation

Basic concepts:

  • VTEP: the VXLAN edge device; the starting and ending point of a VXLAN tunnel
  • VNI: the VXLAN Network Identifier; it meets large-scale multi-tenant requirements, supporting up to 16 million tenants
  • VXLAN tunnel: established between two VTEPs; traffic through the tunnel is encapsulated with a VXLAN header

VXLAN encapsulates an Ethernet frame as follows:

  • VXLAN Header: contains the 24-bit VNI field
  • UDP Header: destination port 4789; the source port is a hash computed over the inner Ethernet frame
  • Outer IP Header: the IP addresses of the VTEPs at both ends
  • Outer MAC Header: MAC of the source VTEP -> MAC of the next-hop device

VXLAN features:

  • Its flexibility supports complex services such as L2VPN and L3VPN
  • Intermediate devices do not need to learn the MAC addresses of the VMs
  • The IP addressing and broadcast domains of the physical network need not be considered
  • The VXLAN source UDP port is a hash value, so the Underlay network can perform load sharing directly
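As an added example (not from the book), the following Python builds the four-header encapsulation described above and parses it back. The VTEP IPs and MACs and the inner frame are constructed sample values, and the CRC32-based source-port hash stands in for the vendor-specific hash the book refers to.

```python
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789  # IANA-assigned UDP destination port for VXLAN


def udp_source_port(inner_frame: bytes) -> int:
    # The book only says the source port is a hash of the inner Ethernet frame
    # so the Underlay can load-share per flow; the hash itself is vendor-specific.
    # CRC32 over the inner MAC header, mapped into the ephemeral range, is an assumption.
    return 49152 + zlib.crc32(inner_frame[:14]) % 16384


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))   # 20-byte header, no options
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vxlan_encapsulate(inner, vni, src_vtep_ip, dst_vtep_ip, src_vtep_mac, next_hop_mac):
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header: flags (I bit = VNI valid), 24 reserved bits, 24-bit VNI, 8 reserved bits
    payload = struct.pack("!B3xI", 0x08, vni << 8) + inner
    udp = struct.pack("!HHHH", udp_source_port(inner), VXLAN_UDP_PORT, 8 + len(payload), 0)
    src, dst = ipaddress.IPv4Address(src_vtep_ip).packed, ipaddress.IPv4Address(dst_vtep_ip).packed
    # Outer IPv4 header: VTEP to VTEP, protocol 17 (UDP), checksum filled in afterwards
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Outer MAC header: source VTEP MAC -> MAC of the next-hop Underlay device
    eth = (bytes.fromhex(next_hop_mac.replace(":", ""))
           + bytes.fromhex(src_vtep_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + udp + payload


def vxlan_decapsulate(packet: bytes):
    """Return (src_vtep_ip, dst_vtep_ip, vni, inner_frame) or raise ValueError."""
    ihl = (packet[14] & 0x0F) * 4
    udp_off = 14 + ihl
    _, dport, _, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if packet[23] != 17 or dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN-over-UDP packet")
    flags, vni_field = struct.unpack("!B3xI", packet[udp_off + 8:udp_off + 16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    src, dst = ipaddress.IPv4Address(packet[26:30]), ipaddress.IPv4Address(packet[30:34])
    return str(src), str(dst), vni_field >> 8, packet[udp_off + 16:]
```

The 50 bytes of outer headers (14 + 20 + 8 + 8) are the overhead that makes the Underlay MTU question matter for every VXLAN deployment.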

6.3 VXLAN Overlay Network

The types are distinguished by the kind of device on which the VTEP resides:

  • Network Overlay: both VTEPs are physical devices
  • Host Overlay: both VTEPs are vSwitches on the virtual machine hosts
  • Hybrid Overlay: a mix of the two

6.3.1 VXLAN Overlay network type

Network Overlay:
(Figure omitted; note the direction of the dotted line in it.)

Centralized Network Overlay:

  • Leaf acts only as the VXLAN Layer 2 gateway
  • Spine or Border Leaf acts as the VXLAN Layer 3 gateway

Distributed Network Overlay:

  • Leaf acts as both the VXLAN Layer 2 and Layer 3 gateway
  • Spine does not process VXLAN packets

Host Overlay:
(Figure omitted; the direction of the dotted line is the direction of the VXLAN tunnel.)
For east-west traffic, the vSwitch on the host where the VM resides establishes the VXLAN tunnel; there is no centralized form, only a distributed one.
North-south traffic passes through physical devices such as Leaf and Spine, but these do not need to process VXLAN packets.

Hybrid Overlay:
(Figures omitted; note the dotted line.) The two ends of the VXLAN tunnel in a hybrid network are a physical VTEP and the vSwitch on the host where the VM resides.

  • East-west traffic: the VXLAN tunnel is established between Leaf and vSwitch
  • North-south traffic: the VXLAN tunnel is established between the vSwitch/Leaf physical switch and the Spine/Edge

6.3.2 Comparison of network types

Given the absolute performance advantage of physical devices, the best solution is Network Overlay.
To avoid overloading any single device, the choice is narrowed further to distributed Network Overlay.

6.4 VXLAN control plane

Disadvantages of having no control plane: heavy flooding in the network, and the network is difficult to scale.
Using EVPN as the control plane has the following advantages:

  • VTEP auto-discovery and automatic VXLAN tunnel establishment, which improve scalability
  • EVPN can advertise Layer 2 and Layer 3 information at the same time
  • Reduced flooding in the network

Basic principles of EVPN

  • Type 2 route (MAC/IP route): advertises the host's MAC, ARP and routing information
  • Type 3 route (Inclusive Multicast route): VTEP auto-discovery and dynamic establishment of VXLAN tunnels
  • Type 5 route (IP Prefix route): instead of individual host IP addresses, this route type advertises network segments

VXLAN tunnel establishment in the same-subnet interconnection scenario

Once the VXLAN tunnel between the VTEPs is established, hosts in the same Layer 2 broadcast domain can communicate. The tunnel is established dynamically when the following conditions are met:

  • The IP addresses of the VTEPs at both ends are mutually reachable by routing
  • BGP EVPN peers are established between the VTEPs at both ends
  • The peers exchange VNI and VTEP IP information through Type 3 routes
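The three conditions as an added simulation (not from the book): each VTEP originates one Type 3 route per local VNI to its BGP EVPN peers, and a receiving VTEP installs a tunnel only when the route came from an established peer, the remote VTEP IP is reachable in the Underlay, and the VNI is configured locally. VTEP IPs, VNIs and the reachability set are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Type3Route:  # Inclusive Multicast Ethernet Tag route: "vtep_ip serves vni"
    vni: int
    vtep_ip: str


@dataclass
class Vtep:
    ip: str
    vnis: set                                    # VNIs configured on this VTEP
    bgp_peers: set = field(default_factory=set)  # VTEP IPs with an established BGP EVPN session
    tunnels: dict = field(default_factory=dict)  # vni -> set of remote VTEP IPs

    def advertise_type3(self):
        # One Type 3 route per locally configured VNI, originated from our own VTEP IP.
        return [Type3Route(vni, self.ip) for vni in self.vnis]

    def receive_type3(self, route, from_peer, reachable_pairs):
        # Condition: the route must arrive over an established BGP EVPN peering.
        if from_peer not in self.bgp_peers:
            return False
        # Condition: the remote VTEP IP must be reachable through the Underlay.
        if frozenset((self.ip, route.vtep_ip)) not in reachable_pairs:
            return False
        # Condition: both ends must share the VNI carried in the route.
        if route.vni not in self.vnis or route.vtep_ip == self.ip:
            return False
        self.tunnels.setdefault(route.vni, set()).add(route.vtep_ip)
        return True


def converge(vteps, reachable_pairs):
    """Send every VTEP's Type 3 routes to its peers; return vtep_ip -> tunnels."""
    by_ip = {v.ip: v for v in vteps}
    for v in vteps:
        for route in v.advertise_type3():
            for peer_ip in v.bgp_peers:
                by_ip[peer_ip].receive_type3(route, v.ip, reachable_pairs)
    return {v.ip: v.tunnels for v in vteps}


def demo():
    # Constructed topology: VTEP1/VTEP2 share VNI 10, VTEP1/VTEP3 share VNI 20, all three
    # are BGP EVPN peers, but the Underlay has no route between VTEP1 and VTEP3.
    v1 = Vtep("10.0.0.1", {10, 20}, {"10.0.0.2", "10.0.0.3"})
    v2 = Vtep("10.0.0.2", {10}, {"10.0.0.1", "10.0.0.3"})
    v3 = Vtep("10.0.0.3", {20, 30}, {"10.0.0.1", "10.0.0.2"})
    reachable = {frozenset(("10.0.0.1", "10.0.0.2")), frozenset(("10.0.0.2", "10.0.0.3"))}
    return converge([v1, v2, v3], reachable)
```

In the constructed topology only the VTEP1-VTEP2 tunnel for VNI 10 comes up: VTEP3 peers with both but shares no VNI with VTEP2 and has no Underlay path to VTEP1.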

Tunnel establishment in the cross-subnet interconnection scenario

The leaves advertise the IP routes of their attached hosts or network segments to each other. The remote leaf must tell the local leaf which network segment routes are available; otherwise the local leaf has no basis for deciding whether to forward the data.
In this scenario, the VXLAN tunnel is established through Type 2 and Type 5 routes.

6.5 VXLAN data plane

Traffic model:
(Figure omitted.)

  • Traffic within the same subnet of the same VPC: L2 VXLAN encapsulation, processed by the TOR
  • Traffic across subnets within the same VPC: L3 VXLAN encapsulation, processed by the TOR
  • Traffic between different VPCs: security isolation is required, so the traffic is diverted to the firewall before it reaches the Layer 3 gateway
  • Traffic between inside and outside the data center: passes through IPS (Intrusion Prevention System)/FW, LB, the VXLAN gateway and the TOR node before reaching the VPC

Forwarding of known unicast packets within the same subnet (including the ARP request/response process)

ARP request process:
(Figure omitted.)

  1. VM_A initiates an ARP request.
  2. VTEP_1 determines from the BD which VNI the frame belongs to, performs VXLAN encapsulation and floods the packet to all VTEPs.
  3. The two receiving VTEPs decapsulate the packet. First, they learn that IP_A (VM_A) maps to VTEP_1. Then, after inspecting the inner ARP packet, VTEP_2 finds that the destination IP of the request is not under its jurisdiction and discards the packet; VTEP_3 responds normally.

ARP response process:
(Figure omitted.)

  4. The returned ARP response is a known unicast.
  5. VTEP_3 records the correspondence between MAC_C, the VNI and the inbound interface, then performs VXLAN encapsulation.
  6. VTEP_1 records the correspondence between MAC_C, the VNI and IP_3 of the remote VTEP_3, then decapsulates the packet and sends it to VM_A.

At this point VM_A and VM_C have learned each other's MAC addresses, and all VTEPs have obtained the key MAC and VNI information.
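Steps 1 to 6 as an added simulation (not from the book): VTEP_1, VTEP_2 and VTEP_3 in one VNI, VM_A behind VTEP_1 and VM_C behind VTEP_3. It reproduces the flooded request, VTEP_2's discard, the unicast reply and the MAC table each VTEP ends up with; all IPs, MACs and the VNI are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ArpFrame:
    src_mac: str
    dst_mac: str      # broadcast for a request, known unicast for a reply
    op: str           # "request" or "reply"
    sender_ip: str
    target_ip: str


@dataclass
class Vtep:
    name: str
    ip: str
    vni: int
    local_hosts: dict                              # IP -> MAC of directly attached VMs
    peers: list = field(default_factory=list)      # remote VTEP IPs in this VNI
    mac_table: dict = field(default_factory=dict)  # MAC -> "local" or remote VTEP IP
    sent: list = field(default_factory=list)       # log of (op, destination VTEP IPs)

    def forward_from_vm(self, frame, fabric):
        self.mac_table[frame.src_mac] = "local"    # step 5: learn local MAC / VNI / port
        remote = self.mac_table.get(frame.dst_mac)
        if remote and remote != "local":
            targets = [remote]                     # known unicast: a single tunnel
        else:
            targets = list(self.peers)             # step 2: flood to every VTEP in the VNI
        self.sent.append((frame.op, targets))
        for vtep_ip in targets:
            fabric[vtep_ip].receive_vxlan(self.vni, frame, self.ip, fabric)

    def receive_vxlan(self, vni, frame, outer_src_ip, fabric):
        if vni != self.vni:
            return                                 # VNI mismatch: another tenant's traffic
        self.mac_table[frame.src_mac] = outer_src_ip   # steps 3/6: inner MAC -> remote VTEP IP
        if frame.op == "request" and frame.target_ip in self.local_hosts:
            reply = ArpFrame(self.local_hosts[frame.target_ip], frame.src_mac,
                             "reply", frame.target_ip, frame.sender_ip)
            self.forward_from_vm(reply, fabric)    # step 4: the reply is a known unicast
        # a request for an IP not behind this VTEP is discarded (VTEP_2 in step 3)


def demo():
    v1 = Vtep("VTEP_1", "10.1.1.1", 100, {"192.168.1.1": "MAC_A"}, ["10.1.1.2", "10.1.1.3"])
    v2 = Vtep("VTEP_2", "10.1.1.2", 100, {"192.168.1.2": "MAC_B"}, ["10.1.1.1", "10.1.1.3"])
    v3 = Vtep("VTEP_3", "10.1.1.3", 100, {"192.168.1.3": "MAC_C"}, ["10.1.1.1", "10.1.1.2"])
    fabric = {v.ip: v for v in (v1, v2, v3)}
    v1.forward_from_vm(ArpFrame("MAC_A", "ff:ff:ff:ff:ff:ff", "request",
                                "192.168.1.1", "192.168.1.3"), fabric)   # step 1
    return v1, v2, v3
```

After demo() returns, VTEP_1 holds MAC_C against VTEP_3's IP and VTEP_2 holds only MAC_A, which is the state step 6 describes.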

Inter-subnet packet forwarding

Distributed gateway scenario
(Figure omitted.)
Key points of the forwarding process:
The destination MAC of the packet sent by Host1 belongs to the Layer 3 gateway, so the device judges that Layer 3 forwarding is required. During VXLAN encapsulation and decapsulation, the inner MAC addresses of the packet are replaced twice; this is also a characteristic of inter-subnet forwarding.

Inter-VPC packet forwarding

(Figure omitted.)
The key points of this scenario are as follows:
NVE1 finds that the destination IP is not in VRF_A, so it forwards the packet to the Service Leaf via the default route; the Service Leaf in turn forwards the packet to the firewall via its default route. The firewall finds that the route exists in VRF_B, so it sends the packet into VRF_B on the Service Leaf, which forwards it to NVE2.

Packet forwarding inside and outside the data center

This process builds on cross-VPC communication.
The difference is that during this forwarding the firewall sends the packet to the Public vRouter instead of an NVE. The Public vRouter forwards it over VXLAN to the Border Leaf; the BL decapsulates the packet and sends it through the Underlay network to the PE node, which is directly connected to the Internet.
(Figure omitted.)

6.6 Mapping between the service model and the network

The logical model is the controller's modeling abstraction of the user network. The controller translates the designed logical model into configuration and delivers it to the devices through NETCONF or OpenFlow.
Common controller logical model functions:
(Figure omitted.)

Taking packet forwarding between inside and outside the data center as an example, analyze the physical model:

(Figure omitted.)
Points 1-4 are the logical model configuration points of the Server Leaf.
The Service Leaf and Border Leaf are essentially VTEPs, so both need to join the VTEP model; the connection between points 9 and 10 in the figure is likewise based on the interconnection between VTEP models.

Route publishing and message forwarding

When a VM needs to send packets outside the data center, the controller configures a default route on the Service Leaf, and the Service Leaf advertises the default route into EVPN. The controller participates in the EVPN route calculation, and after the calculation the result is delivered to the vSwitch as flow-table entries.

Origin blog.csdn.net/qq_33868661/article/details/115309173