244
Logically segregated virtual networks in a data center are sometimes referred to as data center VPNs
.
VXLAN is one of VPNs
.
Others include E-VPNs, IP VPNs, TRILL, and VPLS.
The encapsulation and decapsulation required by VXLAN is done by devices called Virtual Tunnel Endpoints
(VTEPs) or NVEs. VTEPs/NVEs are most commonly implemented within a virtualized server. However, there
are cases where it is necessary to implement the VTEP/NVE in a stand-alone networking device. This
section describes the functional behavior of the QNOS implementation of a hardware-based VXLAN
gateway service and provides configuration scenarios.
9.6.1.1. VXLAN
VXLAN is one method of creating tenant networks on a common network infrastructure. VXLAN
encapsulates Ethernet frames in IP packets, thus enabling the network to provide the illusion that hosts
connected to arbitrary access routers are attached to a common layer-2 networks. The VXLAN encapsulation
includes a 24-bit virtual network ID (VNID). Hosts can be
associated
to a VNID and
restricted
to
communicate
only with hosts associated to the same VNID. This association segregates communities of interest, or tenants,
into different virtual networks. VXLAN allows a public or private data center operator to use a common
network infrastructure to provide virtual private network service to multiple tenants while distributing any
given tenant's compute and storage resources anywhere in the network infrastructure.
In a data center, VXLAN encapsulation and decapsulation of tenant packets is normally done by a virtual
switch within a virtualized server; however, not all tenant systems are virtualized. Non-virtualized tenant
systems can participate in a VXLAN by using a VXLAN gateway. A VXLAN gateway is a networking device that
does VXLAN encapsulation and
decapsulation.
A server's first-hop router, often referred to as a top-of-rack
(ToR) device, can be a VXLAN gateway.
With VXLAN, the inner Ethernet header can optionally include an incoming VLAN tag. The VXLAN application
always strips the inner VLAN information from the incoming Ethernet packet during encapsulation. The
inner payload in the VXLAN encapsulated packet does not contain the incoming VLAN tag information in it,
which enables flexibility in mapping available VLANs to VNIDs.
The allowed range of VNID values is 1–16777214. VNID 16777215 is reserved for internal purposes.
9.6.2. Functional Description
9.6.2.1. VTEP to VN Association
The operator must configure switches that are to serve as VXLAN gateways. A gateway may serve one or
more VPNs. For VXLAN, the operator specifies the virtual network ID (VNID), the type of network (VXLAN),
and a method for identifying which incoming native packets belong to the VPN. The ingress VLAN ID can be
used as this classifier. Only one VLAN ID can be associated with a specific VNID on a given router. However,
the VLAN ID used has no significance beyond that router, and so the same ID can be used on other routers.
In this case the number of tenant networks is not limited to VLAN ID space (i.e., 4096). All ingress ports that
are members of specified VLAN ID are treated as access ports for the VPN identified by VNID. This defines
the access port set for the specified VPN. The access port set for the VXLAN can be altered by updating the
VLAN membership configuration. All incoming VLAN traffic is translated to virtual network traffic identified
by VNID. A VLAN ID that is already used or configured for routing is not allowed to be configured as an
access VLAN for VXLAN.
To Next Page
Loading...
Need help?
General