Overlay Virtual Networking Explained. Ivan Pepelnjak NIL Data Communications

Transcription

1 Overlay Virtual Networking Explained Ivan Pepelnjak NIL Data Communications

2 2 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

3 3 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

4 Where To? 4 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

5 Who is Ivan Pepelnjak Networking engineer since 1985 Technical director, later Chief Technology NIL Data Communications Consultant, blogger (blog.ioshints.info), book and webinar author Currently teaching Scalable Web Application Design at University of Ljubljana Focus: Large-scale data centers and network virtualization Networking solutions for cloud computing Scalable application design Core IP routing/mpls, IPv6, VPN 5 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

6 Disclaimers This presentation is an analysis of currently available virtual networking architectures It s not an endorsement or bashing of companies, solutions or products mentioned on the following slides It describes features shipping in September 2013, not futures announced by individual vendors The crucial question: Does It Scale? 6 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

7 Your mission, should you choose to accept it, is to build stable and scalable cloud infrastructure supporting thousands of virtual networks

8 Why Do We Care? 8 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

9 Complex Application Stacks Need Network Services DB servers Outside Web servers App servers L2/L3 packet forwarding with multiple address spaces Firewalling (inter-subnet and VM-level) Load balancing NAT VPN access (public cloud deployments) 9 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

10 Cloud Services Must Support Multi Tenancy DB servers Outside Web servers App servers Each application stack deployed in a cloud must be independent Retain existing connectivity model (internal addressing, network services and security model) Isolated virtual segments and network services Per-tenant QoS limits (prevent noisy neighbor problems) Ideal case: every application is an independent tenant 10 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

11 The Traditional Approach 11 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

12 The Traditional Solution: VLANs Virtual machines Physical server Hypervisor Virtual segments implemented with VLANs Layer-2 connectivity also required for VM mobility Manual VLAN provisioning or every-vlan-on-every-port approach Warning: Layer-2 network = single failure domain 12 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

13 VLANs: Scalability Constraints Number of VLANs: 4K VM MAC addresses usually visible in the core Hypervisor NICs work in promiscuous mode Flooded packets handled by hypervisor CPU Common design: every VLAN on every server port Every hypervisor processes multicasts for every VLAN Even when it has no active VM in that VLAN Identical to single VLAN design from scalability perspective current broadcast domains can support around 1,000 endhosts in a single bridged LAN of 100 bridges (RFC TRILL) We never mentioned STP applies equally well to SPB or TRILL 13 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

14 CDP ESX ESX The Networking Industry s Way Hypervisors flooded with broadcasts VM-aware networking (edge VLAN pruning) Spanning Tree problems Routing protocol (IS-IS) for MAC addresses Links blocked by STP ECMP Brouting (routing at layer-2) VLAN limits Add another VLAN tag MAC address limits Add another MAC header (PBB, TRILL) Still too much flooding core VLAN pruning 14 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

15 Let s Recap You need: EVB (802.1Qbg) or equivalent (VM tracer, HyperLink, VM-FEX...) TRILL, SPB (802.1Qaq) or equivalent (FabricPath, VCS Fabric, QFabric) 802.1ad (Q-in-Q) or 802.1ah (PBB) 802.1ak (MVRP) or equivalent (VTP) Numerous other features (e.g. BPDU guard, storm control)... and you still have a single failure domain With sufficient thrust, pigs fly just fine RFC 1925 Can we afford the fuel costs? And who wants to fly pigs anyway? Randy Bush 15 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

16 Can We Do Better? 16 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

17 Decouple Virtual Networking From Physical Transport Principles: Network provides simple IP transport Complex operations performed in virtual switches Virtual network traffic encapsulated in IP datagrams just another IP application Decision points: L2 or L3 hypervisor switching Encapsulation:, NVGRE, STT Control plane or flooding Connectivity with the outside world Smart edge, simple core... Sounds like Internet, right? 17 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

18 Shipping Products 18 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

19 A Day in the Life of an Overlaid Packet IP transport network 19 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

20 A Day in the Life of an Overlaid Packet IP packet MAC unicast IP transport network VM generates Ethernet packet for a MAC destination in the same segment 20 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

21 A Day in the Life of an Overlaid Packet IP packet MAC unicast UDP IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) 21 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

22 A Day in the Life of an Overlaid Packet IP packet MAC unicast UDP IP packet Hypervisor/Rtr MAC IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) sends IP packet toward target hypervisor 22 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

23 A Day in the Life of an Overlaid Packet IP packet IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) sends IP packet toward target hypervisor 23 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

24 A Day in the Life of an Overlaid Packet IP packet MAC unicast UDP IP packet Rtr/Hypervisor MAC IP packet IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) sends IP packet toward target hypervisor IP packet received by hypervisor kernel 24 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

25 A Day in the Life of an Overlaid Packet IP packet MAC unicast UDP IP packet IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) sends IP packet toward target hypervisor IP packet received by hypervisor kernel UDP packet delivered to 25 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

26 A Day in the Life of an Overlaid Packet IP packet MAC unicast IP packet IP transport network VM generates Ethernet packet for a MAC destination in the same segment adds /UDP envelope (maps remote MAC to hypervisor IP) sends IP packet toward target hypervisor IP packet received by hypervisor kernel UDP packet delivered to Inner Ethernet packet delivered to target VM 26 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

27 The Encapsulation Wars (Are Stupid) (NV)GRE Outer Eth Outer IP GRE w/key VM Eth VM IP VM TCP Data Outer Eth Outer IP UDP VM Eth VM IP VM TCP Data STT Outer Eth Outer IP TCP(STT) VM Eth VM IP VM TCP Data The same The same Three competing encapsulations Minor technological differences (load balancing, TCP offload) None supported by legacy networking hardware or IDS/IPS gear No security features transport network MUST be secure What really matters is the control plane 27 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

28 Control Plane Matters Most 28 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

29 What Really Matters in Overlay Virtual Networking Questions that impact an overlay virtual network scalability: How will the source hypervisor find out the IP address of the target hypervisor (MAC-to- mapping)? How much information (and state) must be kept in hypervisors and central controllers or databases? Does the forwarding information change in real-time or only on topology change? What is a topology change? 29 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

30 (Lack Of) Control Plane L2 (Ethernet) vsphere host vds port group : 1 : 2 : 2 : 3 Nexus 1000V or vds 5.1 VMkernel interface IP UDP IP / IP-MC IP IP (layer-3) transport network Relies on traditional L2 flooding/learning behavior BUM (Broadcast, Unknown Unicast, Multicast) frames are flooded IP multicast in transport network is used to flood VM L2 frames Pool of IP multicast addresses or IP multicast address per segment Hypervisors build VM-MAC-to-host-IP maps by listening to flooded frames Unicast shipping since June ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

31 Flooding and Learning IP transport network 31 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

32 Flooding and Learning ARP request MAC broadcast IP transport network VM generates ARP broadcast 32 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

33 Flooding and Learning ARP request MAC broadcast UDP IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination 33 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

34 Flooding and Learning ARP request MAC broadcast UDP IP multicast MAC multicast IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet 34 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

35 Flooding and Learning IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet 35 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

36 Flooding and Learning ARP request MAC broadcast UDP IP multicast MAC multicast IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet 36 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

37 Flooding and Learning ARP request MAC broadcast UDP IP multicast MAC multicast IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet receives IP multicast 37 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

38 Flooding and Learning ARP request MAC broadcast UDP IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet receives IP multicast UDP packet delivered to 38 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

39 Flooding and Learning ARP request MAC broadcast UDP IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet receives IP multicast UDP packet delivered to module remembers remote MAC-to- mapping 39 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

40 Flooding and Learning ARP request MAC broadcast IP packet IP transport network VM generates ARP broadcast module sends UDP packet to segment-specific multicast destination sends multicast IP packet receives IP multicast UDP packet delivered to module remembers remote MAC-to- mapping ARP request is delivered to VM 40 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

41 VMware NSX (Nicira NVP) OpenFlow-capable hypervisor switches (OVS) L2 segments implemented with VLANs or IP tunneling (GRE, STT) Logical routers with NAT Stateful firewalls x86-based L2 or L3 gateways with outside world Open vswitch Hypervisor GRE IP network Hypervisor Scalability aspects Control plane = cluster of OpenFlow controllers Proactive flow setups controllers are not involved in data plane forwarding L2 BUM flooding implemented in hypervisors or through service nodes No IP multicast required, no network-wide flooding OVSDB OF 41 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

42 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B Host A MAC-A Host B MAC-B Host C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP 42 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

43 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B 1. Cloud orchestration platform starts a new Host C Host A Host B Host C MAC-A MAC-B MAC-C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP 43 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

44 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B 1. Cloud orchestration platform starts a new Host C 2. NVP receives information from orchestration platform Host A Host B Host C MAC-A MAC-B MAC-C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP 44 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

45 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B 1. Cloud orchestration platform starts a new Host C 2. NVP receives information from orchestration platform 3. NVP creates OVSDB entries for new GRE/STT tunnels (A-C, B-C) Host A Host B Host C MAC-A MAC-B MAC-C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP 45 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

46 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B 1. Cloud orchestration platform starts a new Host C 2. NVP receives information from orchestration platform 3. NVP creates OVSDB entries for new GRE/STT tunnels (A-C, B-C) 4. OVS switches create new interfaces Host A Host B Host C MAC-A MAC-B MAC-C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP 46 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

47 NSX Control Plane Example Starting point: GRE-based virtual segment between VMs on A and B 1. Cloud orchestration platform starts a new Host C 2. NVP receives information from orchestration platform 3. NVP creates OVSDB entries for new GRE/STT tunnels (A-C, B-C) 4. OVS switches create new interfaces 5. NVP pushes new OpenFlow entries to hypervisor hosts Switch OpenFlow entry Interface Host-A DMAC = MAC-C A-C tunnel Host A Host B Host C MAC-A MAC-B MAC-C OVS OVS OVS IP-A IP-B IP-C IP network OVSDB OpenFlow Orchestrator NVP Host-B DMAC = MAC-C B-C tunnel Host-C DMAC = MAC-A C-A tunnel Host-C DMAC = MAC-B C-B tunnel 47 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

48 Gateway to the Outside World 48 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

49 Gateways? What Gateways? Existing networking gear rarely supports overlay networks Shipping: support on Arista 7150 (L2 gateway), on F5 BGI-IP, NVGRE on IRON Networks MNV Appliance Announced: NVGRE on F5 BIG-IP, on Brocade ADX, NVGRE on Dell Force10... Brocade reaffirmed its commitment to NVGRE Avaya is actively supporting the initiative Don t despair, focus on VM-based appliances Reasonable performance Acceptable feature set Much higher flexibility and ease-of-deployment 49 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

50 Sample Layer-3 VM Appliance Integration Scenario VM VLAN IP transport network Outside 50 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

51 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC VLAN IP transport network VM sends IP packet to appliance MAC address Outside 51 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

52 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC UDP VLAN IP transport network Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope 52 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

53 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC UDP VLAN IP multicast MAC multicast IP transport network Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance 53 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

54 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC UDP VLAN IP multicast MAC multicast IP packet IP transport network Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance IP packet received by kernel IP stack 54 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

55 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC UDP VLAN IP packet IP transport network Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance IP packet received by kernel IP stack UDP packet delivered to 55 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

56 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC IP transport network IP packet VLAN Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance IP packet received by kernel IP stack UDP packet delivered to Inner IP packet delivered to VM appliance 56 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

57 Sample Layer-3 VM Appliance Integration Scenario IP packet VM Appliance MAC IP transport network IP packet VLAN Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance IP packet received by kernel IP stack UDP packet delivered to Inner IP packet delivered to VM appliance VM appliance processes IP packet 57 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

58 Sample Layer-3 VM Appliance Integration Scenario IP packet Appliance MAC VM IP packet VLAN tag Next-hop MAC IP transport network IP packet VLAN Outside VM sends IP packet to appliance MAC address module encapsulates VM packet in +UDP envelope sends IP packet to hypervisor running the appliance IP packet received by kernel IP stack UDP packet delivered to Inner IP packet delivered to VM appliance VM appliance processes IP packet VM appliance sends IP packet to outside VLAN 58 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

59 Network core Putting It All Together: Network Fabric = Resource Pool Build a leaf-and-spine (or multistage Clos) fabric Connect compute + storage capacity to the fabric Deploy virtual appliances in a dedicated cluster linked to the network core 59 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

60 Conclusions 60 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

61 Scalability Solution Space and Scalability VLANs 4096 segments VM-aware Networking (Arista VM Tracer) Edge Virtual Bridging (EVB, 802.1Qbg) Emerging EVB with PBB/SPB (L2 over L2) Theoretical (Cisco / VMware) No control plane Unicast VMware NSX (L2+L3 over IP + Control Plane) Juniper Contrail (L3 over IP + Control Plane) Microsoft WNV (L3 over IP + Control Plane) Based on features shipping in September ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

62 When Should You Use Overlay Networking? Private or public clouds Use overlay virtual networks for stability and scalability Use virtual appliances for fast and more flexible deployment Traditional server virtualization Migrate toward virtual appliances Overlay networks will enable faster virtual network provisioning Use them if you re approaching VLAN scalability limits Overlay virtual networks are not a good fit Siloed IT not yet ready for restructuring / convergence Small deployments where existing solutions are good enough 62 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

63 Reference: Virtualization Webinars on ipspace.net vsphere 5.5 Update Coming in 2014 Virtual Firewalls VMware NSX Architecture Deep Dive Overlay Virtual Networking VMware Networking Cloud Computing Networking Introduction to Virtualized Networking Availability Live sessions Recordings of individual webinars Yearly subscription Other options Customized webinars ExpertExpress On-site workshops Inter-DC More information FCoE very limited use and requires no bridging 63 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

64 Reference: Blogs and Podcasts Packet Pushers Podcast & blog (packetpushers.net) The Cloudcast (.net) Network Heresy (Martin Casado, Nicira/VMware) Blog.scottlowe.org (Scott Lowe, VMware) BradHedlund.com (Brad Hedlund, VMware) RationalSurvivability.com (Christopher Hoff, Juniper) High Scalability Blog it20.info (Massimo Re Ferre, VMware) NetworkJanitor.net (Kurt Bales) Yellow bricks (Duncan Epping, VMware) blog. ipspace.net (yours truly) 64 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained

65 Questions? Send them to 65 ipspace.net / NIL Data Communications 2013 Overlay Virtual Networking Explained