VXLAN Static Routing

Feature Name | Release Information | Feature Description
---|---|---
VXLAN Static Routing | Release 7.11.1 | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5700 line cards [Mode: Native]). You can now configure the source and destination virtual tunnel endpoints (VTEPs) for a particular traffic flow. This is particularly useful where your data center is connected to an enterprise network, so that multiple servers in the data center provide cloud services to your customers and to the enterprise edge router. These endpoints help provide rapid convergence in case of failure. In addition, by using the UDP header in the VXLAN packet, VXLAN static routing (also called unicast VXLAN) facilitates network load balancing and prevents the transmission of replicated packets. The feature introduces these changes: CLI: YANG Data Model:
Introduction to VXLAN
Traditionally, Virtual Local Area Networks (VLANs) are used to partition a single physical network into multiple logical networks. With VLANs, every VLAN has a VLAN ID, which is added to a frame to keep traffic unique. The VLAN ID is 12 bits long, allowing around 4000 unique VLANs.
But in today's networks, you might have a data center with lots of virtualization and need to isolate several virtual machines (VMs) from other VMs where you could easily run out of VLANs. So, there is a need to provide robust tunneling mechanisms to isolate and load-balance traffic inside the provider’s network.
Virtual Extensible LAN (VXLAN) addresses some of the limitations of traditional VLANs in large-scale and cloud-based environments. VXLAN is widely used in data center environments where there is a need for virtualized networks to support cloud computing and virtualization technologies. It is also used in service provider networks to provide virtualized network services to customers.
VXLAN is a Layer 2 tunneling protocol that connects multiple servers in a data center, which provide cloud services to customers, with the enterprise edge router, and stretches Layer 2 networks over an underlying Layer 3 IP network. VXLAN automatically configures underlay tunnels between the router and servers and overlay routing within those tunnels. VXLAN creates virtual networks on top of an underlay network. The underlay network is typically a physical IP network; the VXLAN underlay can be carried in IPv4 packets. The underlay and overlay networks are independent, and changes in the underlay don't affect the overlay. You can add or remove a router in the underlay network without affecting the overlay network.
VXLAN allows you to tunnel Ethernet frames over IP transport that uses IP and UDP as the transport protocol. A tunnel is created that enables you to extend a Layer 2 segment over a Layer 3 network using MAC-in-UDP encapsulation. A VXLAN header is added to the Layer 2 frame and placed inside a UDP packet to send to the routed domain. The VXLAN tunnel endpoint (VTEP) is a router that encapsulates and de-encapsulates Layer 2 traffic. VTEP encapsulates Layer 2 Ethernet frames within the Layer 4 User Datagram Protocol (UDP) and transports the encapsulated frames over a Layer 3 network. For more information on VTEP, see VXLAN Tunnel Endpoint.
VXLAN introduces an 8-byte VXLAN header that consists of a 24-bit VXLAN network identifier (VNI) with the original Ethernet frame added in the UDP payload. The 24-bit VNI is used to identify Layer 2 segments and maintain Layer 2 isolation between the segments.
With all 24 bits in VNI, VXLAN can support 16 million LAN segments. The VNI is used to designate the individual VXLAN overlay network on which the communicating virtual machines (VMs) are situated. VMs in different VXLAN overlay networks cannot communicate with each other.
When a host sends traffic:
- VXLAN encapsulates the traffic in UDP and IP headers.
- VXLAN encodes the flow information in the UDP source port to enable routers to perform flow-based load balancing. Flow-based load balancing identifies different flows of traffic based on key fields in the data packet; for example, the IPv4 source and destination IP addresses can be used to identify a flow.
- VXLAN encapsulates these packets into the tunnel with an IPv4 outer header.
- After the traffic reaches the destination router, the router decapsulates the packet and sends it to the destination host.
- VXLAN adds a custom source MAC address in the inner header. The information encoded in this MAC address can be extracted by your internal network devices.
Benefits of VXLAN
- High throughput through dedicated VPN connectivity between servers and enterprise edge routers.
- Allows the creation of overlay networks independent of the underlying physical network, which provides greater flexibility in network design and deployment.
- Flexible placement of multitenant segments throughout the data center with the creation of isolated virtual networks for multiple tenants, providing greater security and separation between different users. Multitenants are multiple independent tenants or customers on a shared infrastructure.
- Provides a solution to extend Layer 2 segments over the underlying shared network infrastructure so that the workload of a tenant can be placed across physical pods in the data center. A physical pod is a group of computing, networking, and storage resources that can be configured and allocated to a particular tenant.
- Facilitates network load balancing using the source UDP port within the VXLAN outer header.
Compared to VLAN, VXLAN scales to many more Layer 2 segments and makes better use of the available network paths in the underlying infrastructure.
The following table compares how VLAN and VXLAN scale and how they use the available network paths:

VLAN | VXLAN
---|---
VLANs use a 12-bit VLAN ID to address Layer 2 segments, which limits scalability to only 4094 VLANs. | VXLAN uses a 24-bit segment ID known as the VXLAN network identifier (VNID), which enables up to 16 million VXLAN segments to co-exist in the same administrative domain.
VLAN uses the Spanning Tree Protocol for loop prevention, which leaves up to half of the network links in a network unused by blocking redundant paths. | VXLAN packets are forwarded through the underlying network based on their Layer 3 header and can take full advantage of Layer 3 routing, equal-cost multipath (ECMP) routing, and link aggregation protocols to use all available paths.
VXLAN Static Routing
You can use VXLAN static routing to interconnect non-VXLAN domains, such as MPLS, with VXLAN domains. VXLAN static routing defines the path that VXLAN traffic takes from the source VTEP to the destination VTEP; it involves configuring static routes on the underlying Layer 3 network to direct the VXLAN traffic to the appropriate VTEPs.
Benefits of Static VXLAN
- You can use static routes in scenarios where consistent routing decisions are required: because the static routes are manually configured, the routing behavior is predictable and stable.
- You can specify the next hop for each destination using static routes and thereby have direct control over traffic.
- Static routes are useful for specific traffic engineering or policy requirements.
- You do not have to maintain dynamic routing tables for static routing, which removes the overhead associated with routing protocols.
VXLAN Packet Format
VXLAN defines a MAC-in-UDP encapsulation scheme where the original Layer 2 frame has a VXLAN header added and is then placed in a UDP-IP packet. With this MAC-in-UDP encapsulation, VXLAN tunnels a Layer 2 network over a Layer 3 network. The following illustration shows the VXLAN packet format:
VXLAN introduces an 8-byte VXLAN header that consists of a 24-bit VNID and a few reserved bits. The VXLAN header together with the original Ethernet frame goes in the UDP payload. The 24-bit VNID is used to identify Layer 2 segments and to maintain Layer 2 isolation between the segments. With all 24 bits in VNID, VXLAN can support approximately 16 million LAN segments.
The following table describes the VXLAN fields with parameters:

Field | Parameters
---|---
Outer MAC Header |
Outer IP Header |
UDP Header |
VXLAN Header |
VXLAN Tunnel Endpoint
A VXLAN tunnel endpoint (VTEP) can be a physical or virtual router that connects the overlay and the underlay networks. A VTEP device is identified in the IP transport network by a unique IP address, which is a loopback interface IP address. The VTEP device uses this IP address to encapsulate Ethernet frames and transmits the encapsulated packets to the transport network through the IP interface. A source VTEP and a destination VTEP create a stateless tunnel to deliver traffic from one host to another. When a frame for a remote host reaches a device, the frame is encapsulated in IP and UDP headers. A maximum of 8k VXLAN tunnel interfaces per VTEP is supported.
Load Sharing with VXLANs
Most data center transport networks are designed and deployed with multiple redundant paths that utilize various multipath load-sharing technologies to distribute traffic loads on all available paths. Encapsulated VXLAN packets are forwarded between VTEPs based on the native forwarding decisions of the transport network.
A typical VXLAN transport network is an IP-routing network that uses the standard IP equal cost multipath (ECMP) to balance the traffic load among multiple best paths. To avoid out-of-sequence packet forwarding, flow-based ECMP is commonly deployed. An ECMP flow is defined by the source and destination IP addresses.
All the VXLAN packet flows between a pair of VTEPs have the same outer source and destination IP addresses. All VTEP devices must use one identical destination UDP port, either the Internet Assigned Numbers Authority (IANA)-allocated UDP port 4789 or a customer-configured port. The source UDP port is therefore the only variable element in the ECMP flow definition that can differentiate VXLAN flows from the transport network standpoint. The VXLAN outer-packet header uses the source UDP port for link load-share hashing, as it is the only element that can uniquely identify a VXLAN flow. Because the source UDP port is derived from the inner frame header, each inner flow is distinguishable for load balancing even though the outer IP addresses are the same.
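As an added example that is not part of the Cisco documentation, the following Python builds and parses the MAC-in-UDP encapsulation described in the VXLAN Packet Format and Load Sharing sections: the 8-byte VXLAN header carrying the 24-bit VNI, the IANA destination port 4789, and a source UDP port derived from a hash of the inner frame so that the underlay's ECMP, which sees only the outer addresses and ports, can tell inner flows apart. The dynamic source-port range, the CRC32 hash, and the sample inner frames are assumptions made for this example; the check that the I flag is set follows the VXLAN header layout in RFC 7348.

```python
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789  # IANA-allocated destination port named in the text
VXLAN_FLAG_I = 0x08    # "I" flag: VNI field is valid (RFC 7348 header layout)
SRC_PORT_MIN, SRC_PORT_MAX = 49152, 65535  # assumed: dynamic range for the source port


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def flow_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port from a hash of the inner Ethernet+IPv4 header (34 bytes).
    The underlay's ECMP sees only outer IPs and UDP ports, so this port is what lets it
    spread different inner flows between one VTEP pair. CRC32 is an assumption."""
    return SRC_PORT_MIN + zlib.crc32(inner_frame[:34]) % (SRC_PORT_MAX - SRC_PORT_MIN + 1)


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """UDP header + VXLAN header + original frame; outer IP/MAC headers left to the stack."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", flow_source_port(inner_frame), VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp + payload


def decapsulate(datagram: bytes):
    """(udp_src, vni, inner_frame), or None for wrong port, bad length, or I flag clear."""
    if len(datagram) < 16:
        return None
    udp_src, udp_dst, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if udp_dst != VXLAN_UDP_PORT or udp_len != len(datagram):
        return None
    flags, vni_field = struct.unpack("!B3xI", datagram[8:16])
    if not flags & VXLAN_FLAG_I:  # RFC 7348: drop packets that do not carry a valid VNI
        return None
    return udp_src, vni_field >> 8, datagram[16:]


def make_inner_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample inner frame: 14-byte Ethernet + 20-byte IPv4 header, no payload."""
    eth = bytes.fromhex("0a0000000001" "0a0000000002" "0800")  # dst MAC, src MAC, EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip


if __name__ == "__main__":
    frame = make_inner_frame("10.1.1.10", "10.1.2.20")
    print(decapsulate(encapsulate(frame, vni=5000))[:2])
```

Running the block prints the hashed source port and the VNI 5000 recovered from the header; feeding the datagram to `decapsulate` with the wrong destination port or with the I flag cleared returns None, which is the behavior a monitoring or VTEP implementation should have before trusting the inner frame.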
Encapsulation
The encapsulation of VXLAN packets happens based on the outgoing packets:
- The destination IP and the egress VNI are derived from the L2VPN configuration.
- The source IP is the local Network Virtualization Endpoint (NVE) interface.
- The destination UDP port is the configured NVE destination UDP port.
- The source UDP port is allocated by the router.
Decapsulation
The decapsulation of VXLAN packets happens based on the incoming packets:
- The destination IP and destination UDP port are used to attract traffic in the underlay network.
- The destination IP is the NVE source IP.
- The local router listens on the destination UDP port based on the locally configured NVE destination UDP port.
- The service is identified by destination IP, source IP, and VNI at disposition.
- The service is held by the PWHE interface.
- The source IP identifies the remote VRF source IP.
- The source UDP port is allocated by the remote router.
Implement ACL and QoS for VXLAN
You can configure Access Control List (ACL) and QoS for VXLAN. The VXLAN decapsulation for ingress ACL and ingress QoS happens over PW-Ether interfaces. If a Layer 3 ACL is configured on a PW-Ether interface, the flow remains the same as on a regular interface.

Note: VXLAN encapsulation is not supported with ACL and QoS configurations, as egress ACL and egress QoS are not supported.