1. Introduction to VxLAN
1.1 Brief description of VxLAN
- VxLAN is a large layer-2 network technology and is also the foundation of SDN;
- VxLAN is one implementation of network Overlay technology;
- VxLAN scales well, supports multi-tenant data center environments, and overcomes the limitations of traditional VLANs;
- VxLAN is better suited to cloud environments: it decouples the physical network (Underlay) from the virtual network (Overlay), treating the physical network as a pool of network functions, just like a server virtualization resource pool, so that virtual networks can be delivered on demand, driven by the applications above them;
- VxLAN is defined in RFC 7348.
1.2 VxLAN terminology
- VTEP (Virtual Tunnel End Point): the starting or terminating point of a VxLAN tunnel, responsible for encapsulating and decapsulating VXLAN packets. Each VTEP should have two interfaces: a local bridging interface that receives and sends the original Ethernet frames, and an IP interface that receives and sends VXLAN frames. A VTEP can be a physical switch or a software switch;
- VxLAN Gateway: handles communication between VXLAN and non-VXLAN networks, and between different VXLANs;
- VNI (Virtual Network Identifier): the virtual network identifier, i.e. the VxLAN ID, used to separate tenants; it must be mapped to the tenant's VLAN ID. Tenants are isolated from each other by using different VNIs, and a tenant's devices may sit in the same data center or in different data centers. A VNI is similar to a VLAN in a traditional network, but the VNI space is far larger than the VLAN space;
- VTI (VxLAN Tunnel Interface): the VxLAN tunnel interface, which Cisco calls the NVE (Network Virtual Interface) interface; it encapsulates/decapsulates the VxLAN UDP header and is used to establish VxLAN tunnels;
- VxLAN Segment: a VxLAN network. One VNI is one VxLAN Segment, analogous to a traditional VLAN and comparable to a broadcast domain, but it runs on top of a layer-3 network.
2. VxLAN packet encapsulation
- The two figures above show that VxLAN uses "MAC in UDP" encapsulation;
- VxLAN prepends an 8-byte VxLAN header, an 8-byte UDP header, a new 20-byte IP header and a new 14-byte MAC header to the original frame, 50 new bytes in total;
- Because VxLAN adds 50 bytes of overhead to every original frame, the MTU of the Underlay network should be adjusted when VxLAN is deployed in a project, to avoid packet fragmentation;
- If the 5th bit of the "VxLAN" (flags) field in the VxLAN header (red arrow in the figure above) is set to 1, the packet is a VxLAN packet;
- The "VNI" field in the VxLAN header carries the VxLAN ID and is 24 bits wide (red arrow in the figure above), so the VxLAN ID space is 2^24 = 16,777,216 IDs.
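As an added example (not code from the original article), the following Python builds and parses the MAC-in-UDP encapsulation described above, using the lab's VTEP loopbacks and VPC6's MAC; the inner ARP request, the outer MACs and the UDP source port in the comments are constructed sample values, and the outer IPv4 header is a minimal one with no options.

```python
import struct
import socket

VXLAN_UDP_PORT = 4789            # IANA destination port (RFC 7348)
VXLAN_I_FLAG = 0x08              # "I" bit of the flags byte: the VNI field is valid
ETH_LEN, IPV4_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
OUTER_OVERHEAD = ETH_LEN + IPV4_LEN + UDP_LEN + VXLAN_LEN   # 50 bytes, as stated above

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def arp_request(src_mac, src_ip, target_ip):
    """Constructed inner frame: a broadcast ARP request like the one VPC6 sends."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac(src_mac),
                      socket.inet_aton(src_ip), bytes(6), socket.inet_aton(target_ip))
    return mac("ff:ff:ff:ff:ff:ff") + mac(src_mac) + b"\x08\x06" + arp

def vxlan_encapsulate(inner, vni, src_mac, dst_mac, src_ip, dst_ip, src_port):
    """MAC-in-UDP: outer Ethernet + IPv4 + UDP(dst 4789) + 8-byte VXLAN header + inner frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = UDP_LEN + VXLAN_LEN + len(inner)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum is legal over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + udp + vxlan + inner

def vxlan_decapsulate(packet):
    """Return (vni, outer source IP, inner frame); raise ValueError if this is not VXLAN."""
    ip = packet[ETH_LEN:ETH_LEN + IPV4_LEN]
    if packet[12:14] != b"\x08\x00" or ip[9] != 17 or ipv4_checksum(ip) != 0:
        raise ValueError("outer packet is not IPv4/UDP or has a bad header checksum")
    udp_off = ETH_LEN + (ip[0] & 0x0F) * 4
    _, dst_port, _, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + UDP_LEN])
    vxlan = packet[udp_off + UDP_LEN:udp_off + UDP_LEN + VXLAN_LEN]
    if dst_port != VXLAN_UDP_PORT or not vxlan[0] & VXLAN_I_FLAG:
        raise ValueError("not VXLAN: wrong UDP destination port or I flag clear")
    vni = int.from_bytes(vxlan[4:7], "big")
    return vni, socket.inet_ntoa(ip[12:16]), packet[udp_off + UDP_LEN + VXLAN_LEN:]

def required_underlay_mtu(host_mtu=1500):
    """Underlay IP MTU needed to carry a full-size inner frame (host MTU + 14-byte
    Ethernet header) plus the 36 bytes of IP/UDP/VXLAN headers without fragmentation."""
    return host_mtu + OUTER_OVERHEAD   # 1500 -> 1550
```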
3. VxLAN implementation and deployment options
Implementation options:
- Unicast: static unicast, BGP EVPN;
- Multicast: standard multicast.
Deployment options:
- Standalone: the traditional network deployment approach, logging into each device and configuring it according to the network plan. In a cloud data center this approach cannot work together with the cloud platform to automate network deployment;
- Controller-based: in a large layer-2 network a controller is introduced to simplify control and deployment. The controller is a unified network control platform that coordinates and manages network resources centrally and, together with the cloud platform, automates service and network deployment.
4. Lab: VxLAN with static Ingress Replication
4.1 Lab environment
Tool | Version | Notes |
---|---|---|
EVE-NG | 2.0.3-105 | Emulator |
Cisco Nexus 9000v | 7.0.3.I7.8 | VxLAN-capable switches, N9K-1 and N9K-2 in the topology |
IOL | 15.7.3 | Emulates the routers DC1, SP and DC2 in the topology |
Wireshark | 3.2.2 | Packet capture |
4.2 Lab topology
- Underlay: E1/1 on N9K-1, E1/1 on N9K-2, DC1, SP and DC2 run OSPF to provide Underlay connectivity;
- Overlay: VPC6 must be able to ping VPC7.
4.3 Lab configuration
4.3.1 Underlay configuration
4.3.1.1 Interface IP and VLAN configuration
N9K-1 configuration:
vlan 10
interface Ethernet1/2
switchport access vlan 10
spanning-tree port type edge
interface Ethernet1/1
no switchport
ip address 20.1.1.1/30
no shutdown
interface loopback0
ip address 1.1.1.1/32
DC1 configuration:
interface Ethernet0/0
ip address 20.1.1.2 255.255.255.252
no shutdown
interface Ethernet0/1
ip address 40.1.1.1 255.255.255.252
no shutdown
SP configuration:
interface Ethernet0/1
ip address 40.1.1.2 255.255.255.252
no shutdown
interface Ethernet0/2
ip address 50.1.1.1 255.255.255.252
no shutdown
DC2 configuration:
interface Ethernet0/2
ip address 50.1.1.2 255.255.255.252
no shutdown
interface Ethernet0/0
ip address 30.1.1.2 255.255.255.252
no shutdown
N9K-2 configuration:
vlan 10
interface Ethernet1/2
switchport access vlan 10
spanning-tree port type edge
interface Ethernet1/1
no switchport
ip address 30.1.1.1/30
no shutdown
interface loopback0
ip address 2.2.2.2/32
VPC6 settings:
VPCS> ip 192.168.1.1/24
Checking for duplicate address...
PC1 : 192.168.1.1 255.255.255.0
VPC7 settings:
VPCS> ip 192.168.1.2/24
Checking for duplicate address...
PC1 : 192.168.1.2 255.255.255.0
4.3.1.2 OSPF configuration
N9K-1 configuration:
feature ospf
router ospf 1
router-id 1.1.1.1
interface loopback0
ip router ospf 1 area 0.0.0.0
interface Ethernet1/1
ip router ospf 1 area 0.0.0.0
DC1 configuration:
router ospf 1
network 20.1.1.0 0.0.0.3 area 0
network 40.1.1.0 0.0.0.3 area 0
SP configuration:
router ospf 1
network 40.1.1.0 0.0.0.3 area 0
network 50.1.1.0 0.0.0.3 area 0
DC2 configuration:
router ospf 1
network 30.1.1.0 0.0.0.3 area 0
network 50.1.1.0 0.0.0.3 area 0
N9K-2 configuration:
feature ospf
router ospf 1
router-id 2.2.2.2
interface loopback0
ip router ospf 1 area 0.0.0.0
interface Ethernet1/1
ip router ospf 1 area 0.0.0.0
N9K-1 OSPF routing table:
N9K-1# show ip route ospf
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
2.2.2.2/32, ubest/mbest: 1/0
*via 20.1.1.2, Eth1/1, [110/71], 00:02:15, ospf-1, intra
30.1.1.0/30, ubest/mbest: 1/0
*via 20.1.1.2, Eth1/1, [110/70], 00:02:15, ospf-1, intra
40.1.1.0/30, ubest/mbest: 1/0
*via 20.1.1.2, Eth1/1, [110/50], 00:04:59, ospf-1, intra
50.1.1.0/30, ubest/mbest: 1/0
*via 20.1.1.2, Eth1/1, [110/60], 00:04:59, ospf-1, intra
N9K-2 OSPF routing table:
N9K-2# show ip route ospf
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
1.1.1.1/32, ubest/mbest: 1/0
*via 30.1.1.2, Eth1/1, [110/71], 00:03:10, ospf-1, intra
20.1.1.0/30, ubest/mbest: 1/0
*via 30.1.1.2, Eth1/1, [110/70], 00:03:10, ospf-1, intra
40.1.1.0/30, ubest/mbest: 1/0
*via 30.1.1.2, Eth1/1, [110/60], 00:03:10, ospf-1, intra
50.1.1.0/30, ubest/mbest: 1/0
*via 30.1.1.2, Eth1/1, [110/50], 00:03:10, ospf-1, intra
4.3.1.3 Connectivity test
N9K-1# ping 2.2.2.2 source 1.1.1.1
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=251 time=11.635 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=251 time=12.838 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=251 time=15.182 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=251 time=10.633 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=251 time=10.743 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 10.633/12.206/15.182 ms
N9K-2# ping 1.1.1.1 source 2.2.2.2
PING 1.1.1.1 (1.1.1.1) from 2.2.2.2: 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=251 time=45.525 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=251 time=14.746 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=251 time=11.07 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=251 time=10.871 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=251 time=11.149 ms
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 10.871/18.672/45.525 ms
4.3.2 Overlay configuration (static Ingress Replication VxLAN)
VxLAN based on "Static Ingress Replication" relies on traffic-driven MAC address flooding and learning; there is no control plane.
4.3.2.1 VTEP configuration (N9K-1 and N9K-2)
N9K-1 configuration:
N9K-1(config)# feature nv overlay
N9K-1(config)# feature vn-segment-vlan-based
N9K-1(config)# vlan 10
N9K-1(config-vlan)# vn-segment 10010
N9K-1(config-if-nve)# interface nve1
no shutdown
source-interface loopback0
member vni 10010
ingress-replication protocol static
peer-ip 2.2.2.2
N9K-2 configuration:
N9K-2(config)# feature nv overlay
N9K-2(config)# feature vn-segment-vlan-based
N9K-2(config)# vlan 10
N9K-2(config-vlan)# vn-segment 10010
N9K-2(config-if-nve)# interface nve1
no shutdown
source-interface loopback0
member vni 10010
ingress-replication protocol static
peer-ip 1.1.1.1
Connectivity test:
Ping from VPC6 to VPC7
VPCS> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=64 time=52.581 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=64 time=38.518 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=64 time=34.455 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=64 time=39.765 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=64 time=35.878 ms
Ping from VPC7 to VPC6
VPCS> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=64 time=36.590 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=64 time=34.301 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=64 time=40.432 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=64 time=50.963 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=64 time=34.739 ms
4.3.2.2 Status checks
NVE interface state
N9K-1# show nve interface
Interface: nve1, State: Up, encapsulation: VXLAN
VPC Capability: VPC-VIP-Only [not-notified]
Local Router MAC: 5000.0001.0007
Host Learning Mode: Data-Plane
Source-Interface: loopback0 (primary: 1.1.1.1, secondary: 0.0.0.0)
VNI state under the NVE interface; "DP" means data plane
N9K-1# show nve vni
Codes: CP - Control Plane DP - Data Plane
UC - Unconfigured SA - Suppress ARP
SU - Suppress Unknown Unicast
Xconn - Crossconnect
MS-IR - Multisite Ingress Replication
Interface VNI Multicast-group State Mode Type [BD/VRF] Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1 10010 UnicastStatic Up DP L2 [10]
NVE peers, NVE data-plane and NVE ingress-replication information
N9K-1# show nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 2.2.2.2 Up DP 00:17:33 n/a
N9K-1#
N9K-1# show nve vni data-plane
Codes: CP - Control Plane DP - Data Plane
UC - Unconfigured SA - Suppress ARP
SU - Suppress Unknown Unicast
Xconn - Crossconnect
MS-IR - Multisite Ingress Replication
Interface VNI Multicast-group State Mode Type [BD/VRF] Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1 10010 UnicastStatic Up DP L2 [10]
N9K-1#
N9K-1# show nve vni ingress-replication
Interface VNI Replication List Source Up Time
--------- -------- ----------------- ------- -------
nve1 10010 2.2.2.2 CLI 00:17:52
VxLAN MAC address table on N9K-1
In the VxLAN MAC address table of N9K-1, 0050.7966.6806 is the MAC of VPC6 and 0050.7966.6807 is the MAC of VPC7.
N9K-1# show system internal l2fwder mac
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
* 10 0050.7966.6806 dynamic 00:00:20 F F Eth1/2
* 10 0050.7966.6807 dynamic 00:00:20 F F (0x47000001) nve-peer1 2.2.2.2
MAC addresses of VPC6 and VPC7
VPC6
VPCS> show ip
NAME : VPCS[1]
IP/MASK : 192.168.1.1/24
GATEWAY : 0.0.0.0
DNS :
MAC : 00:50:79:66:68:06
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500
VPC7
VPCS> show ip
NAME : VPCS[1]
IP/MASK : 192.168.1.2/24
GATEWAY : 0.0.0.0
DNS :
MAC : 00:50:79:66:68:07
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500
4.3.3 Data forwarding process
Verification: ping from VPC6 to VPC7, i.e. from 192.168.1.1 to 192.168.1.2
- VPC6 sends an ARP request. The source MAC is VPC6's MAC, the destination MAC is the broadcast MAC FF:FF:FF:FF:FF:FF; in the ARP payload the sender IP is 192.168.1.1 and the target IP is 192.168.1.2;
- VTEP N9K-1 receives VPC6's ARP request. Besides forwarding it to local trunk ports (with VLAN 10 allowed) and access ports in VLAN 10, it also encapsulates the ARP request in VxLAN: the VNI in the VxLAN header is 10010, the new outer frame header carries the MAC of N9K-1's E1/1 as source and the MAC of DC1's E0/0 as destination, the new IP header carries outer source IP 1.1.1.1 and destination IP 2.2.2.2, and the source/destination MACs and IPs of the encapsulated original packet are unchanged (BUM traffic, i.e. broadcast, unknown unicast and multicast, is sent to every peer in this VNI);
- The packet crosses the Underlay to VTEP N9K-2. N9K-2 decapsulates the VxLAN packet and checks whether the VxLAN ID 10010 in the packet matches a local VLAN; it finds that VxLAN ID 10010 maps to local VLAN 10, so it forwards the original ARP broadcast to VPC7. At the same time N9K-2 records the VxLAN ID, the source MAC of the original frame and the outer source IP to build its VxLAN MAC address table;
- After receiving the ARP request, VPC7 sends a unicast ARP reply;
- When N9K-2 receives the unicast frame from VPC7, its VxLAN MAC address table already contains VPC6's MAC, so N9K-2 knows that the next hop for VPC6's MAC is VTEP N9K-1, 1.1.1.1. The unicast ARP reply is VxLAN-encapsulated and reaches VTEP N9K-1 through the Underlay (as sent by N9K-2: outer source IP 2.2.2.2, destination IP 1.1.1.1, outer source MAC of N9K-2's E1/1, destination MAC of DC2's E0/0; inner source IP 192.168.1.2, destination IP 192.168.1.1, inner source MAC of VPC7, destination MAC of VPC6);
- VTEP N9K-1 receives the unicast ARP reply, decapsulates it, finds the mapping between the VxLAN ID in the packet and its local VLAN and forwards the frame; N9K-1 also records the VxLAN ID, the source MAC of the original frame and the outer source IP to build its VxLAN MAC address table;
- At this point VTEP N9K-1 and VTEP N9K-2 have both finished building their VxLAN MAC address tables, and all subsequent ICMP packets are sent as unicast.
4.3.4 Packet capture analysis
4.3.4.1 Device MAC address table
The MAC addresses in the table below correspond to the MAC addresses seen in the captured packets.
Device | Interface | MAC address |
---|---|---|
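An added Python model of the flood-and-learn sequence above (not the article's code, and not a model of NX-OS internals): two VTEPs with static ingress replication, using the lab's VLAN-to-VNI mapping, peer IPs and VPC6/VPC7 MACs. It replays the ARP request, ARP reply and first ICMP packet, and also shows that a frame from a VLAN with no VNI mapping on the ingress VTEP cannot be encapsulated; the port name "Eth1/3" and VTEP "X" used in the drop case are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Vtep:
    """Flood-and-learn VTEP with static ingress replication (no control plane).
    vlan_to_vni mirrors 'vn-segment'; peers maps VNI -> static 'peer-ip' list."""

    def __init__(self, name, ip, vlan_to_vni, peers):
        self.name, self.ip, self.peers = name, ip, peers
        self.vlan_to_vni = vlan_to_vni
        self.vni_to_vlan = {vni: vlan for vlan, vni in vlan_to_vni.items()}
        self.local_macs = {}    # (vlan, mac) -> access port, learned from local hosts
        self.remote_macs = {}   # (vni, mac) -> remote VTEP IP: the "VxLAN MAC table"

    def from_host(self, fabric, vlan, port, src_mac, dst_mac):
        """Frame received on an access port; returns where it was forwarded.
        Local flooding to other ports of the same VLAN is not modelled here."""
        self.local_macs[(vlan, src_mac)] = port
        vni = self.vlan_to_vni.get(vlan)
        if vni is None:   # no vn-segment for this VLAN: nothing can be encapsulated
            return "dropped: VLAN %d has no VNI on %s" % (vlan, self.name)
        if (vlan, dst_mac) in self.local_macs:
            return "local:" + self.local_macs[(vlan, dst_mac)]
        if (vni, dst_mac) in self.remote_macs:
            targets = [self.remote_macs[(vni, dst_mac)]]   # known unicast: one tunnel
        else:
            targets = list(self.peers.get(vni, []))         # BUM: head-end replication
        for peer_ip in targets:   # outer src IP = our loopback, outer dst = peer-ip
            fabric[peer_ip].from_fabric(self.ip, vni, src_mac, dst_mac)
        return "vxlan->" + ",".join(targets)

    def from_fabric(self, outer_src_ip, vni, src_mac, dst_mac):
        """VXLAN packet from the underlay: check the VNI, learn, forward locally."""
        vlan = self.vni_to_vlan.get(vni)
        if vlan is None:
            return "dropped: unknown VNI %d" % vni
        # data-plane learning: inner source MAC -> outer source IP, per VNI
        self.remote_macs[(vni, src_mac)] = outer_src_ip
        if dst_mac == BROADCAST:
            return "flooded to VLAN %d" % vlan
        return "local:" + self.local_macs.get((vlan, dst_mac), "flood")

def replay_arp_exchange():
    """Replays section 4.3.3: VPC6 ARP request, VPC7 ARP reply, then ICMP from VPC6."""
    n9k1 = Vtep("N9K-1", "1.1.1.1", {10: 10010}, {10010: ["2.2.2.2"]})
    n9k2 = Vtep("N9K-2", "2.2.2.2", {10: 10010}, {10010: ["1.1.1.1"]})
    fabric = {v.ip: v for v in (n9k1, n9k2)}
    vpc6, vpc7 = "00:50:79:66:68:06", "00:50:79:66:68:07"
    steps = [
        n9k1.from_host(fabric, 10, "Eth1/2", vpc6, BROADCAST),  # BUM: replicated to the peer
        n9k2.from_host(fabric, 10, "Eth1/2", vpc7, vpc6),       # reply: VPC6 already learned
        n9k1.from_host(fabric, 10, "Eth1/2", vpc6, vpc7),       # ICMP: unicast, no flooding
    ]
    return steps, n9k1.remote_macs, n9k2.remote_macs
```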
N9K-1 | E1/1 | 50:00:00:01:00:07 |
DC1 | E0/0 | aa:bb:cc:00:30:00 |
N9K-2 | E1/1 | 50:00:00:02:00:07 |
DC2 | E0/0 | aa:bb:cc:00:50:00 |
VPC6 | Eth0 | 00:50:79:66:68:06 |
VPC7 | Eth0 | 00:50:79:66:68:07 |
4.3.4.2 Capture on VPC6 Eth0
- ARP request packet
- ARP reply packet
4.3.4.3 Capture on N9K-1 E1/1
- Using ICMP ping
VPCS> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=64 time=51.790 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=64 time=33.325 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=64 time=39.743 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=64 time=34.220 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=64 time=44.490 ms
Packet analysis: VxLAN uses "MAC in UDP" encapsulation; the UDP source port is derived from a hash, and the destination port is 4789.
- Using TCP ping
VPCS> ping 192.168.1.2 -3
Connect 7@192.168.1.2 seq=1 ttl=64 time=36.241 ms
SendData 7@192.168.1.2 seq=1 ttl=64 time=44.041 ms
Close 7@192.168.1.2 seq=1 ttl=64 time=46.372 ms
Connect 7@192.168.1.2 seq=2 ttl=64 time=48.133 ms
SendData 7@192.168.1.2 seq=2 ttl=64 time=34.389 ms
Close 7@192.168.1.2 seq=2 ttl=64 time=58.858 ms
Connect 7@192.168.1.2 seq=3 ttl=64 time=49.761 ms
SendData 7@192.168.1.2 seq=3 ttl=64 time=35.541 ms
Close 7@192.168.1.2 seq=3 ttl=64 time=57.278 ms
Connect 7@192.168.1.2 seq=4 ttl=64 time=37.148 ms
SendData 7@192.168.1.2 seq=4 ttl=64 time=34.683 ms
Close 7@192.168.1.2 seq=4 ttl=64 time=50.096 ms
Connect 7@192.168.1.2 seq=5 ttl=64 time=36.775 ms
SendData 7@192.168.1.2 seq=5 ttl=64 time=37.062 ms
Close 7@192.168.1.2 seq=5 ttl=64 time=50.684 ms
Packet analysis: VxLAN uses "MAC in UDP" encapsulation; the UDP source port is derived from a hash, and the destination port is 4789.
- Using UDP ping
VPCS> ping 192.168.1.2 -2
84 bytes from 192.168.1.2 udp_seq=1 ttl=64 time=48.823 ms
84 bytes from 192.168.1.2 udp_seq=2 ttl=64 time=56.103 ms
84 bytes from 192.168.1.2 udp_seq=3 ttl=64 time=34.814 ms
84 bytes from 192.168.1.2 udp_seq=4 ttl=64 time=37.074 ms
84 bytes from 192.168.1.2 udp_seq=5 ttl=64 time=34.839 ms
Packet analysis as above
4.3.4.4 Capture on SP E0/2
- Using ICMP ping
VPCS> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=64 time=38.286 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=64 time=34.641 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=64 time=36.486 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=64 time=35.365 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=64 time=38.622 ms
Packet capture and analysis as above
4.3.5 VxLAN gateway
4.3.5.1 Centralized gateway configuration notes
A layer-3 gateway enables communication between different subnets.
Notes for configuring a VxLAN gateway based on flood-and-learn (non-BGP EVPN):
- NX-OS 7.0(3)I1(2) or earlier: the centralized gateway must be configured on an external routing device;
- NX-OS 7.0(3)I2(1) or later: for reliability, the centralized gateway should be configured on a pair of devices running vPC + FHRP (HSRP/VRRP);
- NX-OS 7.0(3)I2(1) or later: only a centralized layer-3 gateway is supported; anycast gateway is not supported;
- The command "hardware access-list tcam region arp-ether size double-wide" must be configured to ensure correct L3 flooding and learning; before using this command, space in the existing TCAM regions must be freed:
a. Check the current TCAM allocation with "show hardware access-list tcam region";
b. Example: free the TCAM space used by "racl" with "hardware access-list tcam region racl 512";
c. Example: allocate TCAM space to "arp-ether" with "hardware access-list tcam region arp-ether 256 double-wide";
d. After configuring, save and reload the device for the change to take effect;
e. Note: this lab does not configure "hardware access-list tcam region arp-ether size double-wide".
- For VxLAN based on BGP EVPN, a distributed anycast gateway is recommended on all VTEPs.
Reference links:
4.3.5.2 Centralized layer-3 gateway on the VTEP
Since this lab has no vPC environment, VxLAN configuration in a vPC environment is not shown here; it will be covered in a separate article.
N9K-1 configuration after the change:
vlan 20
vn-segment 10020
interface nve1
no shutdown
source-interface loopback0
member vni 10010
ingress-replication protocol static
peer-ip 2.2.2.2
member vni 10020
ingress-replication protocol static
peer-ip 2.2.2.2
feature interface-vlan
interface Vlan10
no shutdown
ip address 192.168.1.254/24
interface Vlan20
no shutdown
ip address 192.168.2.254/24
N9K-2 configuration after the change:
vlan 20
vn-segment 10020
interface nve1
no shutdown
source-interface loopback0
member vni 10020
ingress-replication protocol static
peer-ip 1.1.1.1
interface Ethernet1/2
switchport access vlan 20
VPC7 configuration after the change:
VPCS> show ip all
NAME IP/MASK GATEWAY MAC DNS
VPCS1 192.168.2.1/24 192.168.2.254 00:50:79:66:68:07
Connectivity test:
VPC6 ping VPC7:
VPCS> ping 192.168.2.1
84 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=71.132 ms
84 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=41.996 ms
84 bytes from 192.168.2.1 icmp_seq=3 ttl=63 time=44.948 ms
84 bytes from 192.168.2.1 icmp_seq=4 ttl=63 time=113.173 ms
84 bytes from 192.168.2.1 icmp_seq=5 ttl=63 time=40.646 ms
VPC7 ping VPC6:
VPCS> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=63 time=42.753 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=63 time=45.416 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=63 time=38.233 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=63 time=45.141 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=63 time=39.792 ms
Traffic flow analysis:
- When VPC7 pings VPC6, VPC7 sees that the destination IP is not on a directly connected subnet, so it hands the traffic through the VxLAN tunnel to the gateway, 192.168.2.254;
- Because VPC7 does not know the gateway's MAC address, it sends an ARP request for it. A capture on E1/1 of N9K-2 shows the inner layer-2 frame with source MAC 00:50:79:66:68:07 and destination MAC ff:ff:ff:ff:ff:ff; this ARP request (a broadcast, part of BUM traffic) is encapsulated in VxLAN and flooded to N9K-1;
- After N9K-1 receives and decapsulates the VxLAN packet, SVI 20 on N9K-1 answers VPC7's ARP request with a unicast reply, which concludes the first ICMP packet. Because the ARP resolution for the first ICMP packet takes longer than the interval between consecutive ICMP packets, the first packet is usually lost in cross-subnet ping tests;
- For the second ICMP packet, after decapsulation N9K-1 finds destination IP 192.168.1.1, looks up its routing table and finds a directly connected route; N9K-1 then performs an ARP/MAC table lookup and sends the traffic out of E1/2, where it reaches VPC6;
- VPC6's reply follows the same principle and is not repeated here.
MAC address of N9K-1 SVI 20:
N9K-1# show interface vlan 20
Vlan20 is up, line protocol is up, autostate enabled
Hardware is EtherSVI, address is 5000.0001.0007
Internet Address is 192.168.2.254/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA
Last clearing of "show interface" counters never
L3 in Switched:
ucast: 0 pkts, 0 bytes
Capture on N9K-2 E1/1:
ARP request packet:
ARP reply packet:
4.3.5.3 Centralized gateway on an external routing device
This lab uses router-on-a-stick, with SW3 as the external routing device.
N9K-1 configuration after the change:
N9K-1(config)# no interface vlan 10
N9K-1(config)# no interface vlan 20
N9K-1(config)# no feature interface-vlan
interface nve1
no shutdown
source-interface loopback0
member vni 10010
ingress-replication protocol static
peer-ip 2.2.2.2
N9K-2 configuration after the change:
interface nve1
no shutdown
source-interface loopback0
member vni 10010
ingress-replication protocol static
peer-ip 1.1.1.1
member vni 10020
ingress-replication protocol static
peer-ip 1.1.1.1
interface Ethernet1/3
switchport mode trunk
switchport trunk allowed vlan 10,20
SW1 configuration:
ip routing
interface Ethernet0/0
no ip address
interface Ethernet0/0.1
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/0.2
encapsulation dot1Q 20
ip address 192.168.2.254 255.255.255.0
Connectivity test:
VPC6 ping VPC7:
VPCS> ping 192.168.2.1
84 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=59.828 ms
84 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=83.546 ms
84 bytes from 192.168.2.1 icmp_seq=3 ttl=63 time=60.527 ms
84 bytes from 192.168.2.1 icmp_seq=4 ttl=63 time=63.410 ms
84 bytes from 192.168.2.1 icmp_seq=5 ttl=63 time=61.804 ms
VPC7 ping VPC6:
VPCS> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=63 time=131.247 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=63 time=61.279 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=63 time=102.038 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=63 time=63.945 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=63 time=65.245 ms
- Whether the centralized gateway is configured on the VTEP or on an external routing device as above, pay attention to the VNI mapping under the NVE interface on the VTEP;
- When a centralized gateway is configured on a VTEP, or an external routing device acting as the gateway is attached to that VTEP, this ingress VTEP must have the complete set of VNIs; otherwise traffic cannot be encapsulated into the VxLAN tunnel!