Learning about Cloud Computing (3)

3. Basic knowledge of network in cloud computing

1. Network architecture in virtualization

1.1 Network architecture in virtualization


The Layer 2 switch serves as the access switch, and the Layer 3 switch can serve as the aggregation switch or the core switch. If the network security devices are left out, the router connects directly to the Internet.

1.2 Broadcast and Unicast

The physical server mainly runs virtual machines, and there are two ways for a virtual machine to reach other devices on the network: broadcast and unicast.

All devices in the same broadcast domain hear a broadcast; the target device responds after hearing it, and from then on the two communicate one-to-one, that is, by unicast, while non-target devices ignore the broadcast.

**Disadvantages of broadcast:** it carries security risks (VRP attack), and a network flooded with broadcast traffic crowds out business traffic and reduces efficiency.

1.3 VLAN

A VLAN adds a VLAN ID to the header of every packet as an identifier. Packets with the same ID belong to the same broadcast domain; broadcast traffic does not cross from one broadcast domain into another.

There are two types of VLAN switch interfaces: Access and Trunk. Access is usually configured on the interface facing a computer and allows only one VLAN to pass; Trunk is usually configured on the interface between two switches and allows multiple VLANs to pass. Each switch supports at most 4096 VLAN IDs, of which VLAN 0 and VLAN 4095 cannot be used.
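To make the broadcast-domain and access/trunk behaviour concrete, here is an added example (not code from the original post) that models a small VLAN-aware Layer 2 switch: access ports classify untagged frames into their single VLAN and strip the tag on the way out, trunk ports carry tagged frames for several VLANs, MAC learning is kept per VLAN, and a broadcast is flooded only to ports that belong to the sender's VLAN. Port names, MAC addresses and VLAN numbers are constructed for the demo.

```python
"""Added example: minimal model of a VLAN-aware Layer 2 switch (constructed, not the post's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MIN_VID, MAX_VID = 1, 4094            # VLAN 0 and VLAN 4095 are reserved in the 12-bit field
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None         # None = untagged frame (what a host on an access port sends)


@dataclass
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    vlans: Set[int]                   # access: exactly one VLAN; trunk: the allowed VLANs


def validate_vid(vid: int) -> int:
    """Reject IDs outside the usable range 1-4094."""
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VLAN {vid} is outside the usable range {MIN_VID}-{MAX_VID}")
    return vid


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (vid, mac) -> port name

    def add_port(self, name: str, mode: str, vlans: Set[int]) -> None:
        vlans = {validate_vid(v) for v in vlans}
        if mode == "access" and len(vlans) != 1:
            raise ValueError("an access port carries exactly one VLAN")
        self.ports[name] = Port(name, mode, vlans)

    def ingress_vid(self, port: Port, frame: Frame) -> Optional[int]:
        """Classify a received frame into a VLAN; None means the port must drop it."""
        if port.mode == "access":
            return next(iter(port.vlans)) if frame.vid is None else None
        return frame.vid if frame.vid in port.vlans else None

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Return {out_port: frame as transmitted} for one received frame."""
        port = self.ports[in_port]
        vid = self.ingress_vid(port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, frame.src)] = in_port          # learn the source MAC per VLAN
        known = self.mac_table.get((vid, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            targets = [known]                               # unicast: only the learned port
        else:
            targets = [p for p in self.ports if p != in_port]   # flood, but only within the VLAN
        out: Dict[str, Frame] = {}
        for name in targets:
            p = self.ports[name]
            if vid not in p.vlans:
                continue                                    # other broadcast domain: not delivered
            # access ports strip the tag; trunk ports forward the frame tagged
            out[name] = Frame(frame.src, frame.dst, None if p.mode == "access" else vid)
        return out


def demo() -> Tuple[Dict[str, Frame], Dict[str, Frame]]:
    """Broadcast from VLAN 10, then the unicast reply, on a constructed 4-port switch."""
    sw = Switch()
    sw.add_port("p1", "access", {10})
    sw.add_port("p2", "access", {10})
    sw.add_port("p3", "access", {20})
    sw.add_port("trunk", "trunk", {10, 20})
    flood = sw.forward("p1", Frame("aa:aa:aa:aa:aa:01", BROADCAST))
    reply = sw.forward("p2", Frame("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"))
    return flood, reply
```

In the demo the broadcast from `p1` reaches `p2` untagged and the trunk tagged with VLAN 10, but never `p3` in VLAN 20; the reply from `p2` is unicast to `p1` alone because the switch has already learned that MAC, which is exactly the broadcast-then-unicast pattern described above and the reason broadcast traffic stays inside one VLAN.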

1.4 Routing

Virtual machines with different VLAN IDs cannot communicate directly, and need to use routers for communication.


The source sends its traffic toward the network segment of the target virtual machine, and the router forwards it there.

A router has multiple routed interfaces, and each interface corresponds to one VLAN.

1.5 Default route

Also called the default gateway or simply the gateway, it is a special case of routing: there is only one interface, and it can correspond to multiple VLANs.
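The routing and default-route sections above describe a router that owns one interface per VLAN and falls back to a single default route for everything else. The following added example (constructed for this page, not the author's code) implements that lookup as longest-prefix matching with Python's standard `ipaddress` module: a directly connected /24 always beats the 0.0.0.0/0 default, and a router without a default route simply has nowhere to send off-net traffic. The VLAN numbers, prefixes and next-hop address are invented for the demo.

```python
"""Added example: per-VLAN routed interfaces plus a default route, resolved by longest-prefix match."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Router:
    def __init__(self) -> None:
        # (prefix, description of where matching packets are sent)
        self.routes: List[Tuple[object, str]] = []

    def add_interface(self, vlan: int, network: str) -> None:
        """A routed interface: the router owns an address in this VLAN's subnet."""
        self.routes.append((ip_network(network), f"vlan{vlan}"))

    def set_default_route(self, next_hop: str, interface: str) -> None:
        """0.0.0.0/0 matches every address, so it is chosen only when nothing longer matches."""
        self.routes.append((ip_network("0.0.0.0/0"), f"{interface} via {next_hop}"))

    def lookup(self, dst: str) -> Optional[str]:
        """Return the egress for dst, or None when no route (not even a default) covers it."""
        addr = ip_address(dst)
        best: Optional[Tuple[object, str]] = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def forward(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """(ingress interface, egress) for an inter-VLAN packet; None if either side is unroutable."""
        ingress, egress = self.lookup(src), self.lookup(dst)
        if ingress is None or egress is None:
            return None
        return ingress, egress


def build_demo_router(with_default: bool = True) -> Router:
    """Constructed topology: two VLAN interfaces and, optionally, a default route to the Internet."""
    r = Router()
    r.add_interface(10, "10.0.10.0/24")     # e.g. management traffic
    r.add_interface(20, "10.0.20.0/24")     # e.g. business traffic
    if with_default:
        r.set_default_route("203.0.113.1", "vlan100")   # uplink toward the Internet router
    return r


def demo() -> Dict[str, Optional[str]]:
    r = build_demo_router()
    return {
        "same-site VLAN 20 host": r.lookup("10.0.20.7"),
        "Internet address": r.lookup("198.51.100.9"),
        "no default route": build_demo_router(with_default=False).lookup("198.51.100.9"),
    }
```

`forward("10.0.10.5", "10.0.20.7")` returns `("vlan10", "vlan20")`, which is the inter-VLAN path of section 1.4; the default route only comes into play for addresses that match none of the connected VLAN prefixes.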


2. Introduction to physical network in virtualization

2.1 The role of routers in virtualization

Routers in virtualization are usually placed at the egress of the cloud data center, connecting upward to the Internet and downward to the data center network.

2.2 The role of Layer 3 switches in virtualization

In cloud computing, traffic is usually classified by purpose and isolated with VLANs, typically into management traffic, business traffic, storage traffic, and combined management and business traffic. Communication between these traffic types needs a Layer 3 switch: it keeps the traffic types apart, and a default route configured on the Layer 3 switch lets the different functional traffic types reach one another.

2.3 The role of Layer 2 switches in virtualization

Separating traffic types logically with VLANs serves security, but physically they still share one channel, and that channel's bandwidth is limited. To guarantee enough bandwidth for every traffic type, different Layer 2 switches are used to carry the different traffic types.

Keeping management switches, storage switches, and service switches separate is called out-of-band management; combining the management switches with the service switches is called in-band management.

When there are many devices, Layer 2 switches can act as access switches that aggregate traffic and pass it up to the Layer 3 switch.

2.4 The role of physical network cards in virtualization

① Logical form

Logically, traffic is divided into management traffic, business traffic, and storage traffic, and the large business link is subdivided into several business channels, each carrying its own traffic.

② Physical form

Physically, network cards are either unbound or bound. Unbound means a single network card carries one traffic type, or one network card carries several different traffic types; bound means several network cards are combined into one aggregated link, which increases the link bandwidth while keeping traffic flowing if one member link fails.

3. Introduction to virtual network in virtualization

3.1 Mainstream architecture of virtual network

There are generally three ways for a virtual machine to communicate externally through the physical network: bridging, NAT, and virtual switches.

All three are forms of bridging, but they differ from one another.

① Bridging and NAT

Both connect the virtual machine's network card to the physical machine's network card, and a packet leaving for the outside must carry a source address. The two differ in how that source address is handled: bridging does not modify the source address of the packet sent by the virtual machine, while NAT (Network Address Translation) rewrites the source address when the packet reaches the bridge.
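The difference between bridging and NAT above comes down to what happens to the source address at the physical machine. This added example (constructed for this page, not the post's or any hypervisor's code) models both: the bridge passes the packet through untouched, while the NAT keeps a translation table that maps each VM `(address, port)` pair to a port on the host's public address and reverses the mapping for replies. A side effect worth seeing is that inbound packets with no table entry are dropped, so NAT-connected VMs are not reachable from outside unless a mapping already exists. All addresses and ports are constructed.

```python
"""Added example: bridged forwarding versus source NAT with a reverse mapping for replies."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def bridge_egress(pkt: Packet) -> Packet:
    """Bridging: the VM's own address leaves the host unchanged."""
    return pkt


class SourceNat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.forward: Dict[Tuple[str, int], int] = {}   # (vm_ip, vm_port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}   # public port -> (vm_ip, vm_port)

    def egress(self, pkt: Packet) -> Packet:
        """Outbound: rewrite the source to the host's public address and an allocated port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.forward[key], pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Inbound: restore the VM address from the table; drop anything without a mapping."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.reverse.get(pkt.dst_port)
        if key is None:
            return None                                   # unsolicited packet: no VM to deliver to
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Constructed VM 192.168.122.10 behind host 198.51.100.2 talking to 203.0.113.80:443."""
    nat = SourceNat("198.51.100.2")
    vm_pkt = Packet("192.168.122.10", 51000, "203.0.113.80", 443)
    bridged = bridge_egress(vm_pkt)
    natted = nat.egress(vm_pkt)
    reply = nat.ingress(Packet("203.0.113.80", 443, "198.51.100.2", natted.src_port))
    unsolicited = nat.ingress(Packet("203.0.113.9", 1234, "198.51.100.2", 40001))
    return bridged, natted, reply, unsolicited
```

With bridging the remote server sees `192.168.122.10` directly; with NAT it sees `198.51.100.2:40000`, and only the reply to that pair is mapped back to the VM.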

② Virtual switch

The virtual machine connects to a virtual switch, and the virtual switch connects to the physical network.

Taking Open vSwitch as an example, it has four characteristics: security, monitorability, QoS capability, and automation.

Advantages of introducing a virtual switch:

  • Administrators can conveniently monitor the network status and data flows of the entire cloud environment

  • A caching mechanism can speed up packet forwarding and address lookup

  • The essence of SDN (Software Defined Networking) is the separation of forwarding and control (separation of the control plane from the data plane), and only virtual switches can achieve this separation

  • Supports more protocols than bridging: bridging only supports VXLAN, while a virtual switch supports GRE tunnels, VXLAN, ipsan, etc.; it also fits more scenarios, being suitable for Xen, KVM, VirtualBox, VMware, etc.

Virtual switches are divided into standard virtual switches and distributed virtual switches:

  • A standard virtual switch runs on only one host
  • A distributed virtual switch spans multiple hosts, which share the one virtual switch; a change made to that single virtual switch is applied on all the other hosts as well

4. Network features of Huawei virtualization products

4.1 FusionCompute Network Architecture

Port group:

  • The port through which each virtual machine network card connects to the virtual switch is a virtual port. Ports with the same attributes form a port group, which makes administration easier: instead of configuring each port, the administrator only needs to modify the port group configuration when the attributes are the same

Uplink:

  • The port connecting the virtual switch to the physical NIC is called the uplink. In FC the uplink is the dividing line between the virtual network and the physical network: above it is the virtual network, below it the physical network. Each virtual switch on a CNA host has one uplink, so a CNA host with several virtual switches needs several uplinks; an uplink can be a single network port or a link formed by binding several network ports.

4.2 Flow direction

Traffic between virtual machines flows in one of three ways.

① Different port groups on the same CNA host


One attribute of a port group is its VLAN ID, and different VLANs cannot communicate directly. The traffic has to pass through a Layer 3 switch, so it leaves the host over the physical network and comes back the same way.

② Same CNA host, same port group

A virtual switch is equivalent to a Layer 2 switch, and both virtual machines belong to the same VLAN, so the communication completes inside the virtual switch without touching the physical network.

③ Different CNA hosts in the same port group

The traffic must go through the physical network, because the two virtual machines are on different CNA hosts.

4.3 Security Group

A security group holds many rules for matching traffic, and each rule acts as a checkpoint: a packet is allowed or rejected only according to the rule it matches, and a packet that matches no rule is blocked.
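The rule-matching behaviour described above, including the default-block for packets that match nothing, can be shown with a small evaluator. This is an added example written for this page, not FusionCompute's implementation: the rule fields (direction, protocol, port range, remote CIDR, action) and the first-match-wins order are assumptions chosen to mirror common security group semantics, and the sample rules and addresses are constructed.

```python
"""Added example: security group evaluation with first-match-wins rules and an implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                # "in" or "out"
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int]        # inclusive port range; (0, 65535) for all
    cidr: str                     # remote address range the rule applies to
    action: str                   # "allow" or "deny"


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int, remote_ip: str) -> str:
    """Return the action of the first matching rule; no match means the packet is blocked."""
    remote = ip_address(remote_ip)
    for r in rules:
        if r.direction != direction:
            continue
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if not r.ports[0] <= port <= r.ports[1]:
            continue
        if remote not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"                 # implicit default: anything unmatched is prohibited


# Constructed policy: SSH only from the internal range, HTTPS from anywhere, everything else blocked.
DEMO_RULES: List[Rule] = [
    Rule("in", "tcp", (22, 22), "10.0.0.0/8", "allow"),
    Rule("in", "tcp", (22, 22), "0.0.0.0/0", "deny"),
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", "allow"),
    Rule("out", "any", (0, 65535), "0.0.0.0/0", "allow"),
]


def demo() -> Dict[str, str]:
    """Evaluate a handful of constructed packets against DEMO_RULES."""
    return {
        "ssh from internal": evaluate(DEMO_RULES, "in", "tcp", 22, "10.1.2.3"),
        "ssh from internet": evaluate(DEMO_RULES, "in", "tcp", 22, "203.0.113.5"),
        "https from internet": evaluate(DEMO_RULES, "in", "tcp", 443, "203.0.113.5"),
        "dns query inbound": evaluate(DEMO_RULES, "in", "udp", 53, "10.1.2.3"),
        "vm outbound": evaluate(DEMO_RULES, "out", "tcp", 80, "198.51.100.7"),
    }
```

The inbound UDP/53 packet is blocked even though no rule mentions it, which is the property the paragraph describes: the security group only ever permits what a rule explicitly allows.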


Origin blog.csdn.net/weixin_46706771/article/details/131683203