No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - VXLAN

CloudEngine 12800 and 12800E V200R003C00

This document describes the configurations of VXLAN.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
VRRP over VXLAN

VRRP over VXLAN

Background

To improve reliability of ever-growing services, some enterprises require DCs to be deployed in different regions and multi-active gateways to be deployed in each DC (The following description uses active-active gateways as an example). If one DC fails to work, the backup DC takes over services, thereby improving DC reliability. To implement the master/backup gateway function in different DCs that have VXLAN deployed, deploy VRRP over VXLAN.

VRRP over VXLAN is implemented by deploying VRRP on the VBDIF interfaces of gateways and using the VXLAN tunnel between DCs to transmit VRRP Advertisement packets, thereby completing master/backup negotiation to determine the master/backup gateway status of the two DCs.

NOTE:

This function is only supported for IPv4 over IPv4 networks but not for other combinations of underlay and overlay networks.

Usage Scenario

VRRP over VXLAN applies to the following scenarios:
  • The DCs both run VXLAN (as shown in Figure 5-27).
  • The DCs run VXLAN and VLAN, respectively (as shown in Figure 5-28).
Figure 5-27 Inter-DC master and backup gateways on different VXLAN networks
Figure 5-28 Inter-DC master and backup gateways on VXLAN and VLAN networks, respectively
NOTE:

One DC is deployed on a VXLAN network, and the other DC is deployed on a VLAN network, as shown in Figure 5-28. If the VXLAN proxy is directly connected to L3GW3 and L3GW4 rather than device 2, a loop may occur on the VLAN network. For example, if a packet enters DC2 from the VXLAN proxy device, a forwarding loop (VXLAN proxy->L3GW3–>Device2–>L3GW4–>VXLAN proxy) may occur because the packet is broadcast on the VLAN network. In this case, a loop prevention protocol needs to be deployed on the VLAN network, which increases configuration complexity. Therefore, the networking shown in Figure 5-28 is recommended for the scenario where a VXLAN network is deployed in one DC and a VLAN network is deployed in the other DC.

Principles

VRRP master/backup negotiation

  1. VBDIF interfaces are configured on gateways (or on a VXLAN proxy), and the same VRRP IDs and virtual IP addresses are configured for the gateways.
  2. VRRP Advertisement packets are encapsulated and transmitted by a gateway in one DC to a gateway (or the VXLAN proxy) in the other DC through the inter-DC VXLAN tunnel.
  3. The gateway (or the VXLAN proxy) in the other DC decapsulates the VXLAN-encapsulated VRRP Advertisement packets, transmits the VRRP Advertisement packets to VBDIF interface, and compares the VRRP priority carried in the packets with its own VRRP priority to negotiate the master/backup status.

Gateways in the same VXLAN DC support VXLAN split horizon and therefore do not allow VRRP negotiation. As such, multi-active gateways are implemented in the DC, and VRRP master/backup negotiation is performed only on inter-DC gateways. When one gateway in a DC receives a VRRP packet, the gateway synchronizes the VRRP packet to the other active gateway in the same DC through a distributed file system (DFS) to ensure that the dual-active gateways have the same VRRP status.

Gateways in a VLAN network can have services deployed only in a traditional way, such as in the VLANIF+VRRP+MSTP way. Therefore, these gateways will negotiate VRRP master/backup status, instead of being active-active.

Data traffic forwarding

Two types of service traffic are available:

  • Layer 2 traffic for intra-subnet communication between hosts. This traffic is forwarded at Layer 2, without involving VRRP. In the networking diagram shown in Figure 5-27 where two different VXLAN networks are configured, traffic between the hosts in the same network segment is forwarded through the VXLAN tunnel between Device1 and Device2. In the networking diagram shown in Figure 5-28 where one VXLAN and one VLAN networks are configured, traffic between the hosts in the same network segment is forwarded through the VXLAN tunnel between Device1 and VXLAN proxy and is then forwarded to the VLAN network by the VXLAN proxy at Layer 2.

  • Layer 3 traffic for inter-subnet communication between hosts or VXLAN access of hosts. The following example shows the forwarding process for north-south traffic. The forwarding process for east-west traffic is similar, except that the routes on L3GWs are pointing to different next hops.

    If two VXLAN networks are deployed and the VRRP status of DC1 is master, the forwarding process for north-south traffic is as follows:
    1. After a host in DC1 learns the VRRP virtual MAC address using ARP, it sends service packets with the destination MAC address being the VRRP virtual MAC address.
    2. After Device1 receives the service packets, it searches the local MAC address table and finds that the outbound interface of the service packets is a VXLAN tunnel. Device1 then encapsulates the service packets into VXLAN packets and sends the VXLAN packets to the destination L3GW through the VXLAN tunnel.
    3. Upon receipt, the L3GW decapsulates the VXLAN packets and sends the service packets to its BDIF interface. The BDIF interface obtains the next hop address and outbound interface based on the destination MAC address (VRRP virtual MAC address) of the packets and forwards the service packets to the network side.
    4. Network-to-user traffic is transmitted over routes. To ensure that network-to-user traffic also travels through DC1, the costs of direct routes can be changed. For example, set a larger route cost for DC2 whose VRRP status is backup so that the route to DC1 will be preferred.

    If one network is a VXLAN network and the other network is a VLAN network, traffic entering DC2 will be forwarded based on the VLAN.

Fault-triggered protection switching

The fault processing process varies by fault type:
  • Master DC failure

    Because active-active L3GWs are deployed in the master DC, if a single L3GW fails, the other L3GW takes over, without involving DC protection switching. If both L3GWs in the master DC fail, the backup DC must be able to detect the failure and take over as the master DC. Inter-DC protection switching can be implemented as follows:
    • VRRP timeout: After the Master_Down timer of DC1 expires, DC2 becomes the master.

    • VRRP Increase mode: DC2 tracks the routes to DC1's VTEP address in Increase mode. If both L3GWs in DC1 fail, DC2 detects the route unreachability and considers DC1 failed. DC2 then increases its VRRP priority to allow it to become the master and forward traffic.

    After DC1 recovers, user traffic is either switched back after a delay or not switched back, depending on the switching policy.

  • Uplink failure

    If the link between an L3GW and the network side fails, the master DC can receive service traffic but cannot forward it. Therefore, VRRP must be able to detect the uplink failure and perform traffic switching. To achieve this, configure VRRP to monitor network-side routes. If network-side routes become unreachable, the VRRP priority of one DC is lowered to allow the other DC to become the master and forward traffic.

    If multi-active gateways are deployed and VRRP is deployed to monitor the network-side routes, route unreachability must be simultaneously detected by all the gateways in the DC; otherwise, VRRP status becomes incorrect. To allow all the active gateways receive identical packets, DFS must be deployed on these gateways in the same DC to complete packet replication.

NOTE:

In DCs that both have VXLAN deployed, if the gateways in one DC fail, the host traffic will be forwarded to a new master gateway through a VXLAN tunnel between Device and the gateway in the other DC.

Benefits

VRRP over VXLAN enhances DC reliability, ensuring inter-DC service continuity.

Translation
Download
Updated: 2019-05-05

Document ID: EDOC1100004207

Views: 31051

Downloads: 66

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next