Table of contents
Network architecture in virtualization
Virtual switch OVS (Open Vswitch)
Distributed Virtual Switch DVS
Communication mode between virtual machine and physical network card
Other features in the virtual switch
Network virtualization concept
Network virtualization separates some functions of the network layer from the hardware and establishes a new virtual network layer. This virtual layer takes over network services and configuration, decouples network services from the physical layer, and removes physical resource constraints. Through the virtual network layer, multiple logical networks can be simulated on one physical network, and the logical networks of different users are isolated from each other to ensure network security.
Characteristics of network virtualization
Isolation: Traffic of different tenants cannot reach each other, and each tenant can plan its IP/MAC addresses independently
Mobility: Virtual machines can be migrated across Layer 2/Layer 3, and even across WANs (the VLAN and IP address of the virtual machine will not change before and after migration)
Scalability: The size and number of logical networks are scalable
Network architecture in virtualization
Taking the physical network card of the server as the boundary, the physical resources are below the physical network card, and the virtual resources are above the physical network card.
Virtual network card (network card is also an I/O device, so the idea of I/O virtualization can also be borrowed)
Network card virtualization includes software and hardware
Software network card virtualization: Software virtualizes one physical network card into multiple virtual network cards, allowing multiple virtual machines to share the same network card. Each virtual network card has its own IP address and MAC address.
Hardware network card virtualization: With hardware assistance, one or more virtual machines access a single physical device directly (for example I/O pass-through or SR-IOV)
See also: Computing Virtualization 3: I/O Device Virtualization (CSDN Blog)
virtual switch
Currently, there are two main virtual switch solutions: OVS and DVS (the network architecture in the above picture is OVS mode)
By forming a virtual switch port on the virtual switch to connect the physical network port and virtual network card of the server, traffic transfer and communication between virtual machines and between virtual machines and external networks are realized.
virtual switch port
The port on the virtual switch is used to connect to the virtual network card and provide network access services for virtual machines.
port group
To simplify management, virtual switches do not use the concept of individual physical switch ports; instead ports are organized into port groups. A group of virtual switch ports with the same attributes is called a port group, and the attributes of a port group include rate, VLAN, QoS, DHCP isolation, ARP suppression, and so on.
Precautions
A virtual switch can have multiple port groups
Port groups cannot span virtual switches (that is, the port group only takes effect locally)
Port group scenario examples
Create a port group, assign vlan2 to it, and then assign the virtual machine to the port group. The vlan to which the virtual machine belongs is vlan2.
uplink
The uplink is also part of the virtual switch. It is a virtual link that connects to the external physical network by being associated with the server's physical network card.
The uplink can be associated with a single physical network card or a logical channel bound by multiple network cards.
Precautions
Different virtual switches cannot share uplinks
All uplinks on the same virtual switch form an uplink group
The link between the virtual network card and the virtual switch is also a virtual link.
Virtual switch type
First understand the concept of Linux Bridge
Bridge is also a virtual network device implemented through software. Its function is similar to that of a physical switch.
For ordinary network equipment, data enters from one end and goes out from the other end; but with Bridge, data can enter from multiple ports and go out from multiple ports.
In the virtual machine switching scenario, the virtual network card of the virtual machine and the physical network card of the server are generally connected through a Bridge (the Bridge device is bound to both the virtual network card and the physical network card), so that virtual machines and the external network can communicate through the bridge.
Virtual switch OVS (Open Vswitch)
OVS is an enhanced version of Bridge. Compared with Bridge, OVS has the following advantages
- OVS supports multiple standard management interfaces and protocols such as SDN
- Bridge only supports Vxlan, but OVS supports GRE, IPSec, Vxlan, etc.
- OVS is suitable for multiple virtualization architectures (such as Xen, KVM, VMware)
OVS also has other features, which will not be detailed here.
Network architecture of the OVS virtual switch
Virtual machine communication paths in an OVS virtual machine network
Communication within the same host
Same Vlan communication (VM1 and VM2): communication can be done directly through port group 1 of OVS
Different Vlan communication (VM1 and VM3): need to communicate through a physical switch
Communication between different hosts
Virtual machine communication between different hosts needs to cross physical switches, mainly including the following situations
Same Vlan communication (VM1 and VM3)
Different Vlan communication (VM1 and VM6)
Virtual machine communicates with the outside world
Communicates directly through physical switches
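The following is an added example, not code from the original post: a small Python model of one host's virtual switch with port groups and an uplink, used to show why VM1 and VM2 (same VLAN, same port group) talk directly while VM1 and VM3 (different VLANs) can only reach each other through the physical switch. All names (VirtualSwitch, Frame, the port group names, the MAC addresses) and the sample frames are constructed for this illustration and are not part of OVS.

```python
"""Toy VLAN-aware virtual switch: port groups, MAC learning, uplink.

Added example; the names and sample values below are assumptions, not OVS code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

UPLINK = "uplink"                       # virtual link to the server's physical NIC
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None          # 802.1Q tag seen on the uplink; None = untagged


@dataclass
class VirtualSwitch:
    port_groups: Dict[str, int]         # port group name -> VLAN id
    ports: Dict[str, str]               # VM port name -> port group name
    mac_table: Dict[tuple, str] = field(default_factory=dict)  # (vlan, mac) -> port

    def vlan_of(self, port: str) -> int:
        return self.port_groups[self.ports[port]]

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Optional[int]]:
        """Return {egress port: VLAN tag}. VM ports receive untagged frames;
        the uplink carries the port group's VLAN tag towards the physical switch."""
        if in_port == UPLINK:
            vlan = frame.vlan
            if vlan not in self.port_groups.values():
                return {}               # no port group for this VLAN on this host: drop
        else:
            vlan = self.vlan_of(in_port)
        # MAC learning is scoped to the VLAN, so a MAC in VLAN 3 is never a
        # destination for a frame that arrived on a VLAN 2 port group.
        self.mac_table[(vlan, frame.src_mac)] = in_port
        dst = self.mac_table.get((vlan, frame.dst_mac))
        if dst is not None and dst != in_port:
            return {dst: vlan if dst == UPLINK else None}
        # unknown unicast or broadcast: flood inside the VLAN only
        out = {p: None for p in self.ports
               if p != in_port and self.vlan_of(p) == vlan}
        if in_port != UPLINK:
            out[UPLINK] = vlan          # let the physical switch handle it
        return out


def demo():
    """Reproduce the three paths from the text on one host (constructed sample)."""
    sw = VirtualSwitch(port_groups={"pg1": 2, "pg2": 3},
                       ports={"vm1": "pg1", "vm2": "pg1", "vm3": "pg2"})
    macs = {"vm1": "52:54:00:00:00:01",
            "vm2": "52:54:00:00:00:02",
            "vm3": "52:54:00:00:00:03"}
    for vm, mac in macs.items():        # each VM announces itself once (e.g. gratuitous ARP)
        sw.forward(vm, Frame(mac, BROADCAST))
    same_vlan = sw.forward("vm1", Frame(macs["vm1"], macs["vm2"]))
    diff_vlan = sw.forward("vm1", Frame(macs["vm1"], macs["vm3"]))
    # reply coming back from the physical switch, tagged with VLAN 3
    from_outside = sw.forward(UPLINK, Frame("00:11:22:33:44:55", macs["vm3"], vlan=3))
    return same_vlan, diff_vlan, from_outside


if __name__ == "__main__":
    for name, result in zip(("same VLAN", "different VLAN", "from uplink"), demo()):
        print(f"{name}: {result}")
```

The same rules apply per host under a DVS: the virtual switch never bridges between VLANs, so every inter-VLAN path, and every path to another host, goes out the uplink with the VLAN tag and relies on the physical switch.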
Distributed Virtual Switch DVS
Difference between DVS and OVS
Compared with OVS, which exists on a single server, a DVS spans multiple servers.
A DVS distributed virtual switch can be distributed on multiple physical servers
Network architecture of the DVS virtual switch
Virtual machine communication paths in a DVS virtual machine network
Communication within the same host
Virtual machine communication within the same host mainly includes the following situations
Same Vlan, same DVS communication (VM4 and VM5): communication can be done directly through port group 1 of DVS
Same Vlan, different DVS communication (VM1 and VM3): communication needs to be done through a physical switch
Different Vlan: communication needs to be done through a physical switch
Communication between different hosts
Virtual machine communication between different hosts needs to cross physical switches, mainly including the following situations
Same Vlan, same DVS communication (VM3 and VM4): need to communicate through a physical switch
Same Vlan, different DVS communication (VM1 and VM6): communication needs to be done through a physical switch
Different Vlan: communication needs to be done through a physical switch
Virtual machine communicates with the outside world
Communicates directly through physical switches
Communication mode between virtual machine and physical network card
See also: Computing Virtualization 3: I/O Device Virtualization (CSDN Blog)
Normal mode (the virtual network card of the virtual machine is simulated by software)
Virtual machine routing and forwarding involves two virtual network card devices at the front and back ends; the front-end network card is connected to the virtual port of the virtual switch, and the back-end network card is the network card that the virtual switch connects to the real physical network port.
When the virtual machine forwards data, the virtual machine sends the data to the front-end network card, and the front-end network card sends the data to the back-end network card, and finally it is transmitted through the physical network port.
The network performance of this method is not very good, and the network delay is higher.
Passthrough mode (Each virtual network card used by the virtual machine corresponds to a physical network card)
Using VMDq technology, after the traffic sent by the virtual machine reaches the VMM through an independent message queue, the VMM forwards the traffic to the physical network card.
Compared with the SR-IOV passthrough method, this method supports advanced functions such as live migration.
SR-IOV passthrough mode (the virtual network card used by the virtual machine is simulated by the corresponding hardware)
The physical network card needs to use a smart network card, and a network card driver needs to be installed on the virtual machine
An SR-IOV physical network card can virtualize multiple virtual network cards for virtual machines to use, and each virtual machine believes it has a separate physical network card. When forwarding traffic, the virtual machine sends the traffic to the PCI controller on the VMM, and this controller forwards the traffic directly to the physical network card.
Improved network I/O performance and reduced the number of network cards compared to hardware passthrough
Other features in the virtual switch
security group
Access rules are defined through security groups. Adding a virtual machine to a security group places it under that group's access rules, which restrict the communication of the virtual machine (the security group to join can be chosen when the virtual machine is created)
Layer 2 security strategy
These Layer 2 security policies can be implemented by setting up port groups. The main strategies are as follows:
DHCP Server isolation: Prevents DHCP Server spoofing. User virtual machines are prohibited from running a DHCP Server service, so that a user cannot, unintentionally or maliciously, start a DHCP Server that disrupts the normal IP address allocation of other virtual machines
ARP broadcast suppression and IP broadcast suppression
Prevent ARP or IP broadcast flooding from degrading device performance; ARP suppression also helps prevent ARP spoofing
IP and MAC binding
Prevents virtual machine users from launching IP and MAC spoofing attacks by modifying the IP and MAC addresses of their virtual network cards.
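The following is an added example, not code from the original post or from any virtualization product: a Python model of the three port-group Layer 2 policies above (DHCP Server isolation, ARP/broadcast suppression, IP and MAC binding) applied at the ingress of a VM port. The binding table, the burst threshold and the sample frames are constructed for this illustration; the policy deliberately lets a client's own DHCP request (UDP source port 68 from 0.0.0.0) through, since a VM that has not yet received an address would otherwise be locked out by the IP binding.

```python
"""Port-group Layer 2 policies applied at VM port ingress (added example).

Frames are plain dicts; bindings and thresholds are assumptions for the demo.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_SERVER_PORT = 67   # only infrastructure DHCP servers may send from this port
DHCP_CLIENT_PORT = 68


class L2Policy:
    def __init__(self, bindings, arp_burst=5):
        self.bindings = bindings          # port -> {"mac": ..., "ip": ...} set at VM creation
        self.arp_burst = arp_burst        # broadcast ARPs allowed per port per interval
        self.arp_count = defaultdict(int)

    def new_interval(self):
        """Reset the per-port ARP counters (called by a timer in a real switch)."""
        self.arp_count.clear()

    def check(self, port, frame):
        """Return (allowed, reason) for a frame entering the switch on `port`."""
        b = self.bindings[port]
        # IP/MAC binding: the source MAC must be the one assigned to this port
        if frame["src_mac"] != b["mac"]:
            return False, "mac-spoof"
        proto = frame.get("proto")
        if proto == "arp":
            # the ARP payload must also match the binding, or it is ARP spoofing
            if frame["sender_mac"] != b["mac"] or frame["sender_ip"] != b["ip"]:
                return False, "arp-spoof"
            if frame["dst_mac"] == BROADCAST:
                self.arp_count[port] += 1
                if self.arp_count[port] > self.arp_burst:
                    return False, "arp-suppressed"
        elif proto == "ipv4":
            dhcp_request = (frame.get("udp_sport") == DHCP_CLIENT_PORT
                            and frame["src_ip"] == "0.0.0.0")
            if frame["src_ip"] != b["ip"] and not dhcp_request:
                return False, "ip-spoof"
            # DHCP Server isolation: a VM port never sources server-side DHCP
            if frame.get("udp_sport") == DHCP_SERVER_PORT:
                return False, "dhcp-server-isolation"
        return True, "ok"


def demo():
    """Verdicts for a set of constructed frames from port vm1."""
    mac1, mac2 = "52:54:00:00:00:01", "52:54:00:00:00:02"
    policy = L2Policy({"vm1": {"mac": mac1, "ip": "10.0.2.11"},
                       "vm2": {"mac": mac2, "ip": "10.0.2.12"}})
    frames = {
        "arp_ok": {"proto": "arp", "src_mac": mac1, "dst_mac": BROADCAST,
                   "sender_mac": mac1, "sender_ip": "10.0.2.11"},
        # claims the gateway's address: classic ARP spoofing
        "arp_spoof": {"proto": "arp", "src_mac": mac1, "dst_mac": BROADCAST,
                      "sender_mac": mac1, "sender_ip": "10.0.2.1"},
        "dhcp_discover": {"proto": "ipv4", "src_mac": mac1, "dst_mac": BROADCAST,
                          "src_ip": "0.0.0.0", "udp_sport": 68, "udp_dport": 67},
        "dhcp_offer": {"proto": "ipv4", "src_mac": mac1, "dst_mac": mac2,
                       "src_ip": "10.0.2.11", "udp_sport": 67, "udp_dport": 68},
        "ip_spoof": {"proto": "ipv4", "src_mac": mac1, "dst_mac": mac2,
                     "src_ip": "10.0.2.12", "udp_sport": 5000, "udp_dport": 5000},
        "mac_spoof": {"proto": "ipv4", "src_mac": mac2, "dst_mac": mac2,
                      "src_ip": "10.0.2.11"},
    }
    verdicts = {name: policy.check("vm1", f)[1] for name, f in frames.items()}
    policy.new_interval()
    verdicts["arp_flood"] = [policy.check("vm1", frames["arp_ok"])[1] for _ in range(6)]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In a real virtual switch these checks are expressed as per-port-group flow rules or filters rather than Python, but the ordering matters in the same way: MAC binding first, then protocol-specific checks, with the DHCP client exception applied before the IP binding is enforced.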
Network interface type
Trunk, Access
See also: VLAN port and ARP explanation (Access, Trunk, Hybrid; gratuitous ARP, proxy ARP) (CSDN Blog)
Network QoS
See also: QoS theory explanation, QoS priority (CSDN Blog)
Network card binding technology
Through network card bonding (bond) technology, network card redundancy and load balancing can be achieved to achieve high reliability and high availability.
Vxlan technology