CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
VXLAN Implementation

VXLAN is deployed on a downlink interface, which provides access services, and on an uplink interface, which carries the VXLAN tunnel. Once both interfaces are configured, packets can be forwarded across the VXLAN network. VXLAN implementation is described in three steps: packet identification, tunnel establishment, and packet forwarding.

Packet Identification

On a VXLAN network, VNIs are mapped to BDs 1:1. When a packet reaches a VTEP, the VTEP identifies the BD to which the packet belongs and then selects the correct tunnel for forwarding it. A VTEP can identify the VXLAN a packet belongs to in two ways.

VXLAN Identification by VLAN

A 1:1 or N:1 mapping between VLANs and BDs is configured on the VTEPs according to the network plan. When a VTEP receives a service packet, it selects the correct VXLAN tunnel based on the mapping between VLANs and BDs and the mapping between BDs and VNIs.

In Figure 7-4, VLAN 10 and VLAN 20 belong to BD 10. The mapping between VLANs 10 and 20 and BD 10, as well as the mapping between BD 10 and VNI 1000 are configured on the VTEP. After the VTEP receives a packet from PC_1 or PC_2, the VTEP forwards the packet over the VXLAN tunnel for VNI 1000.

Figure 7-4  VXLAN identification by VLAN

VXLAN Identification by Encapsulation Mode

An encapsulation mode defines packet processing based on whether a packet contains VLAN tags. To implement VXLAN identification by encapsulation mode, Layer 2 sub-interfaces need to be configured on a downlink physical interface of a VTEP, and different encapsulation modes need to be configured for these sub-interfaces. The 1:1 mapping between Layer 2 sub-interfaces and BDs should also be defined. Then service packets are sent to specific Layer 2 sub-interfaces after reaching the VTEP. The VTEP selects a correct VXLAN tunnel to forward packets based on the mapping between Layer 2 sub-interfaces and BDs and the mapping between BDs and VNIs.

Table 7-3 lists the four encapsulation modes and packet processing methods.

Table 7-3  Packet processing in different encapsulation modes

dot1q
  Allowed packet type: packets carrying the specified VLAN tag.
  Encapsulation (access side to tunnel): removes the VLAN tag from the original packet.
  Decapsulation (tunnel to access side):
    • If the inner packet carries a VLAN tag, removes it and adds the specified VLAN tag before forwarding.
    • If the inner packet carries no VLAN tag, adds the specified VLAN tag before forwarding.

untag
  Allowed packet type: packets without a VLAN tag.
  Encapsulation: leaves the original packet unchanged.
  Decapsulation:
    • If the inner packet carries a VLAN tag, removes the outer VLAN tag before forwarding.
    • If the inner packet carries no VLAN tag, forwards it unchanged.

default
  Allowed packet type: all packets, tagged or untagged.
  Encapsulation: leaves the original packet unchanged.
  Decapsulation: leaves the original packet unchanged.

qinq
  Allowed packet type: packets carrying the specified pair of VLAN tags (outer and inner).
  Encapsulation: removes all VLAN tags from the original packet.
  Decapsulation:
    • If the inner packet carries VLAN tags, removes them all and adds the specified pair of VLAN tags before forwarding.
    • If the inner packet carries no VLAN tag, adds the specified pair of VLAN tags before forwarding.

In Figure 7-5, the physical interface Eth2/0/0 on the VTEP has two Layer 2 sub-interfaces, which are configured with different encapsulation modes and associated with different BDs. PC_1 and PC_2 belong to VLAN 10 and VLAN 30, respectively. The uplink interface of the Layer 2 switch that connects to the VTEP is a trunk interface with PVID 30 that allows VLANs 10 and 30. When a packet from PC_1 reaches this interface, it is transmitted to the VTEP with its VLAN tag intact, because the VLAN ID of the packet differs from the PVID of the interface. When a packet from PC_2 reaches this interface, the interface removes VLAN tag 30 before forwarding the packet to the VTEP, because the VLAN ID of the packet equals the PVID. As a result, when the packets reach Eth2/0/0 on the VTEP, the packet from PC_1 carries VLAN tag 10 while the packet from PC_2 is untagged. To distinguish the two types of packets, Layer 2 sub-interfaces of the dot1q and untag types are configured on Eth2/0/0:
  • The encapsulation mode of the Layer 2 sub-interface Eth2/0/0.1 is dot1q, allowing packets with VLAN tag 10 to enter the VXLAN tunnel.

  • The encapsulation mode of the Layer 2 sub-interface Eth2/0/0.2 is untag, allowing packets without a VLAN tag to enter the VXLAN tunnel.

After packets from PC_1 or PC_2 reach the VTEP, the VTEP sends them to the appropriate Layer 2 sub-interface based on the VLAN tags they carry. It then chooses the correct VXLAN tunnel based on the mapping between sub-interface and BD and the mapping between BD and VNI.

Figure 7-5  VXLAN identification by encapsulation mode
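The following added example (not from the Huawei document) models the Table 7-3 processing and the Figure 7-5 classification in Python. It parses 802.1Q and QinQ tags, matches a frame against dot1q, untag, qinq and default Layer 2 sub-interfaces, and applies both the encapsulation-side (access to tunnel) and decapsulation-side (tunnel to access) tag handling. The sub-interface names follow Figure 7-5; the BD numbers (10 and 30), the MAC addresses and the frame contents are constructed assumptions.

```python
"""Constructed model of VXLAN identification by sub-interface encapsulation mode (Table 7-3, Figure 7-5)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8          # outer TPID often used for QinQ; an 0x8100 outer tag is accepted as well


@dataclass(frozen=True)
class SubInterface:
    name: str
    mode: str                 # "dot1q" | "untag" | "default" | "qinq"
    bd: int                   # the BD this sub-interface is bound to (1:1)
    vid: int = 0              # dot1q: the specified VLAN ID
    outer: int = 0            # qinq: specified outer VLAN ID
    inner: int = 0            # qinq: specified inner VLAN ID


def parse_tags(frame: bytes) -> tuple:
    """Return (VLAN IDs outermost first, frame with every tag removed)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    vids, body = [], frame[12:]
    while len(body) >= 4 and struct.unpack("!H", body[:2])[0] in (TPID_8021Q, TPID_8021AD):
        vids.append(struct.unpack("!H", body[2:4])[0] & 0x0FFF)
        body = body[4:]
    return vids, frame[:12] + body


def strip_outer(frame: bytes) -> bytes:
    """Remove only the outermost VLAN tag, if present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] in (TPID_8021Q, TPID_8021AD):
        return frame[:12] + frame[16:]
    return frame


def add_tags(frame: bytes, vids: list) -> bytes:
    """Insert 802.1Q tags (outermost first, priority 0) after the MAC addresses."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return frame[:12] + tags + frame[12:]


def matches(sub: SubInterface, vids: list) -> bool:
    if sub.mode == "dot1q":
        return len(vids) == 1 and vids[0] == sub.vid
    if sub.mode == "untag":
        return not vids
    if sub.mode == "qinq":
        return vids == [sub.outer, sub.inner]
    return sub.mode == "default"


def identify(frame: bytes, subs: list) -> tuple:
    """Select the sub-interface (and so the BD) for an access frame and apply encapsulation-side processing."""
    vids, stripped = parse_tags(frame)
    ordered = [s for s in subs if s.mode != "default"] + [s for s in subs if s.mode == "default"]
    for sub in ordered:                      # "default" is the catch-all, so it is tried last
        if matches(sub, vids):
            return sub, (frame if sub.mode in ("untag", "default") else stripped)
    raise LookupError("no Layer 2 sub-interface accepts this frame")


def egress(inner_frame: bytes, sub: SubInterface) -> bytes:
    """Apply the decapsulation-side processing before the frame is forwarded to the user side."""
    if sub.mode == "dot1q":
        return add_tags(strip_outer(inner_frame), [sub.vid])
    if sub.mode == "qinq":
        return add_tags(parse_tags(inner_frame)[1], [sub.outer, sub.inner])
    if sub.mode == "untag":
        return strip_outer(inner_frame)
    return inner_frame


def broadcast_frame(src_mac: bytes) -> bytes:
    """Constructed ARP-sized broadcast frame; the body contents do not matter for classification."""
    return b"\xff" * 6 + src_mac + b"\x08\x06" + bytes(28)


def demo_figure_7_5() -> dict:
    """Replay Figure 7-5 with constructed MACs; BD 10 and BD 30 for the two sub-interfaces are assumptions."""
    subs = [SubInterface("Eth2/0/0.1", "dot1q", bd=10, vid=10),
            SubInterface("Eth2/0/0.2", "untag", bd=30)]
    pc1 = add_tags(broadcast_frame(bytes.fromhex("02000000aa01")), [10])   # VLAN 10 stays tagged on the trunk
    pc2 = broadcast_frame(bytes.fromhex("02000000aa02"))                   # VLAN 30 equals the PVID: tag removed
    sub1, f1 = identify(pc1, subs)
    sub2, f2 = identify(pc2, subs)
    return {"pc1": (sub1.name, sub1.bd, parse_tags(f1)[0]),
            "pc2": (sub2.name, sub2.bd, parse_tags(f2)[0]),
            "to_pc1": parse_tags(egress(f1, sub1))[0]}     # dot1q egress puts VLAN 10 back


if __name__ == "__main__":
    print(demo_figure_7_5())
```

Because the default sub-interface accepts everything, the model tries it only after every specific sub-interface has failed to match; a frame that no sub-interface accepts is rejected rather than silently mapped to a BD.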

Tunnel Establishment

A VXLAN tunnel is identified by a pair of VTEP IP addresses. Once two VTEPs know each other's IP addresses and a reachable route exists between them, a VXLAN tunnel can be established. The VTEPs can learn each other's addresses in two ways:
  • Static: the VNI and the source and destination VTEP IP addresses are configured manually on both ends. This requires per-tunnel configuration and offers little flexibility, so static VXLAN tunnels are unsuited to large-scale networks.
  • BGP EVPN: a BGP EVPN peer relationship is established between the VTEPs, and EVPN routes carry the VNIs and VTEP IP addresses between the peers. VTEPs are discovered automatically and tunnels are created dynamically, which makes this mode suitable for large-scale VXLAN networks.

In Figure 7-6, Router1, Router2, Router3, and Router4 are enterprise egress gateways. VXLAN tunnels need to be established to enable communication between tenant branches and headquarters, as well as between tenant branches.

In this situation, VXLAN tunnels are established in the following two ways:

  • Tenant branches 1 and 2 are in the same subnet and VNI. Tenants in a VNI are in the same logical Layer 2 network, so they can directly communicate at Layer 2 over a VXLAN tunnel. To enable communication between tenant branches 1 and 2, the VNI and VTEP IP addresses need to be manually configured on Router1 and Router2. So long as Router1 and Router2 have a reachable route to the peer VTEP, a VXLAN tunnel can be established between them.

  • Tenant branch 2 and the headquarters belong to different subnets and VNIs, so they cannot communicate directly at Layer 2 over a VXLAN tunnel; a VXLAN Layer 3 gateway is required. To enable this communication, static VNIs and VTEP IP addresses are configured manually on Router2 and Router3, and on Router4 and Router3. So long as Router2 and Router3 have a reachable route to each other's VTEP address, a VXLAN tunnel can be established between them; the same applies to Router4 and Router3.

Figure 7-6  VXLAN networking

Packet Forwarding

VXLAN encapsulates Layer 2 frames so that they can be carried over an existing Layer 3 network, building a large logical Layer 2 domain on top of it.

MAC Address Learning

On a VXLAN network, dynamic MAC address learning enables communication between users. Figure 7-7 and Figure 7-8 show the MAC address learning process for hosts on the same subnet. Initially PC_1 does not know the MAC address of PC_2, so it broadcasts an ARP request for it.

Figure 7-7  Forwarding process of ARP request packets

Figure 7-7 shows the forwarding process of ARP request packets.

  1. PC_1 sends an ARP request with source MAC address MAC_1, the broadcast destination MAC address (all Fs), source IP address IP_1, and destination IP address IP_2 to request the MAC address of PC_2.
  2. Router1 receives the ARP request from PC_1 and determines the BD of the packet from the interface on which it arrived. Because interfaces map 1:1 to BDs, VTEP1 obtains the VNI of the packet as soon as the BD is known. VTEP1 learns the mapping between MAC_1, the VNI, and the receiving interface, and saves it to the local MAC address table. VTEP1 then obtains the ingress replication list for the VNI from the BD, replicates the packet once per list entry, and performs VXLAN encapsulation. The outer source IP address is that of the source VTEP (VTEP1), the outer destination IP address is that of each destination VTEP (VTEP2 and VTEP3), the outer source MAC address is VTEP1's, and the outer destination MAC address is that of the next hop on the route to the destination VTEP. The encapsulated packet is forwarded on its outer MAC and IP addresses until it reaches the destination VTEP (VTEP2 or VTEP3).
  3. VTEP2 on Router2 and VTEP3 on Router3 receive the encapsulated VXLAN packet and decapsulate it to recover the original packet sent by PC_1. Each of them learns the mapping between PC_1's MAC address, the VNI, and the IP address of the remote VTEP (VTEP1), and saves it to the local MAC address table. VTEP2 and VTEP3 then process the packet according to the interface configuration and broadcast it in the corresponding Layer 2 domain.
  4. PC_2 and PC_3 receive the ARP request and check whether the destination IP address is their own. PC_2, whose address is IP_2, sends an ARP reply; PC_3 discards the packet.
Figure 7-8  Forwarding process of ARP reply packets

Figure 7-8 shows the forwarding process of ARP reply packets.

  1. PC_2 sends a unicast ARP reply packet after learning the MAC address of PC_1. The source MAC, destination MAC, source IP, and destination IP addresses in the packet are MAC_2, MAC_1, IP_2, and IP_1, respectively.
  2. After receiving the ARP reply packet, VTEP2 checks the VNI to which the packet belongs. At the same time, VTEP2 learns the mapping between MAC_2, VNI, and interface receiving the packet, and saves the mapping to the local MAC address table. VTEP2 then encapsulates the packet. During packet encapsulation, VTEP2 adds the IP addresses of the source VTEP (VTEP2) and destination VTEP (VTEP1), the MAC addresses of VTEP2 and the next-hop device on the route to VTEP1 as the outer source IP, destination IP, source MAC, and destination MAC addresses respectively. The encapsulated packet is transmitted based on the outer MAC and IP addresses until it reaches the destination VTEP (VTEP1).
  3. VTEP1 receives the encapsulated VXLAN packet and decapsulates the packet to obtain the original packet sent by PC_2. VTEP1 also learns the mapping between PC_2's MAC address, VNI, and IP address of the remote VTEP (VTEP2), and saves the mapping in the local MAC address table. VTEP1 then sends the decapsulated packet to PC_1. After learning the MAC address of each other, PC_1 and PC_2 communicate in unicast mode.
Intra-Subnet Packet Forwarding

The packet forwarding process is classified into known unicast packet forwarding and broadcast, unknown unicast, and multicast (BUM) packet forwarding based on the type of destination MAC address in original packets.

Known unicast forwarding within a subnet and BUM forwarding are performed entirely by VXLAN Layer 2 gateways; no Layer 3 gateway is involved in either process.

  • Forwarding Process of Known Unicast Packets

    Figure 7-9 shows the known unicast packet forwarding process.

    Figure 7-9  Forwarding process of known unicast packets

    1. After Router1 receives a packet from PC_1, Router1 determines the Layer 2 bridge domain (BD) of the packet based on the access interface and VLAN information carried in the packet, and searches for the outbound interface and encapsulation information based on the BD.
    2. The VXLAN Tunnel Endpoint (VTEP1) on Router1 encapsulates the packet based on the found encapsulation information and forwards the packet to the outbound interface.
    3. After VTEP2 on Router2 receives the VXLAN packet, it validates the packet before decapsulating it: the UDP destination port must be the VXLAN port (4789), the outer destination IP address must be the local VTEP address and the outer source IP address a configured remote VTEP, and the VNI must map to a local BD. A packet that fails any of these checks is dropped. The VTEP then obtains the BD from the VNI and decapsulates the packet to obtain the inner Layer 2 frame.
    4. Router2 looks up the outbound interface and encapsulation information in the local MAC address table based on the destination MAC address of the inner Layer 2 frame, adds a VLAN tag to the frame, and forwards it to PC_2.

    Packet forwarding from PC_2 to PC_1 is similar to that described above, and is not mentioned here.

  • BUM Packet Forwarding Process

    After a BUM packet enters the VXLAN tunnel, the source VTEP replicates the BUM packet based on the tunnel list and encapsulates the original and replicated packets. When these packets leave the VXLAN tunnels, the destination VTEPs decapsulate them. Figure 7-10 shows the BUM packet forwarding process.
    NOTE:

    On a VXLAN network, multiple destination VTEP IP addresses can be configured for a VNI, and the list of these IP addresses is regarded as a tunnel list. After an interface receives the BUM packet, the source VTEP replicates the packet based on the tunnel list and forwards it to all the VTEPs with the same VNI.

    Figure 7-10  BUM packet forwarding process

    1. After Router1 receives a packet from PC_1, Router1 determines the BD of the packet based on the access interface and VLAN information carried in the packet.
    2. The VTEP1 on Router1 obtains the tunnel list for the VNI based on the BD, replicates the packet based on the tunnel list, and performs VXLAN tunnel encapsulation before forwarding it to the outbound interface.
    3. After VTEP2 on Router2 or VTEP3 on Router3 receives the VXLAN packet, it performs the same validity checks as for known unicast (UDP destination port, outer source and destination IP addresses, and VNI). If the packet is valid, the VTEP obtains the BD from the VNI and decapsulates the packet to obtain the inner Layer 2 frame.
    4. Router2 or Router3 checks the destination MAC address of the inner Layer 2 frame, finds that it is a BUM packet, and broadcasts it in the corresponding BD towards the user side: it looks up all user-side outbound interfaces and their encapsulation information in the local MAC address table, adds a VLAN tag to the frame, and forwards it to PC_2 or PC_3.
    Packet forwarding from PC_2 or PC_3 to PC_1 is similar to the known unicast packet forwarding process, and is not mentioned here.
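To make the MAC learning and intra-subnet forwarding steps above concrete, here is an added example (not from the document) in Python that models a VTEP: the 8-byte VXLAN header carried over UDP port 4789, learning of local MACs against access ports and of remote MACs against the source VTEP address, known-unicast forwarding over a single tunnel, and ingress replication of BUM traffic over the tunnel list. It also applies the inbound checks the text describes, dropping packets whose UDP port, destination address, VNI or source VTEP do not match the local configuration. The VTEP addresses (10.1.1.1 to 10.1.1.3), MAC addresses, port names and the BD 10 / VNI 1000 binding are constructed; the outer IP/UDP headers are represented as fields rather than bytes.

```python
"""Constructed model of VXLAN forwarding on a VTEP: encapsulation, inbound validation, MAC learning, BUM replication."""
import struct
from dataclasses import dataclass, field

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08            # flags bit that marks the VNI field as valid
BROADCAST_MAC = b"\xff" * 6


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> tuple:
    """Parse the VXLAN header; reject truncated packets and packets without the I flag."""
    if len(payload) < 8 + 14:                     # header plus a minimal inner Ethernet header
        raise ValueError("truncated VXLAN packet")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, payload[8:]


@dataclass
class Vtep:
    ip: str
    bd_to_vni: dict                                 # BD -> VNI (1:1)
    access_ports: dict                              # BD -> user-side port names (assumed names)
    peers: dict                                     # VNI -> remote VTEP IPs: the tunnel / ingress replication list
    mac_table: dict = field(default_factory=dict)   # (VNI, MAC) -> ("local", port) | ("remote", vtep_ip)
    sent: list = field(default_factory=list)        # (src_ip, dst_ip, udp_dport, payload) placed on the uplink
    delivered: list = field(default_factory=list)   # (port, frame) handed to the user side

    def forward_from_access(self, bd: int, port: str, frame: bytes) -> list:
        """Frame already mapped to a BD by its access sub-interface; returns the destination VTEP IPs."""
        vni = self.bd_to_vni[bd]
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vni, src)] = ("local", port)            # learn source MAC -> access port
        entry = self.mac_table.get((vni, dst))
        if entry and entry[0] == "remote":
            targets = [entry[1]]                                 # known unicast: one tunnel
        else:
            targets = list(self.peers[vni])                      # BUM or unknown unicast: whole tunnel list
        payload = vxlan_encap(vni, frame)
        self.sent.extend((self.ip, t, VXLAN_UDP_PORT, payload) for t in targets)
        return targets

    def receive_from_tunnel(self, src_ip: str, dst_ip: str, udp_dport: int, payload: bytes) -> list:
        """Validate, decapsulate, learn and deliver; returns the user-side ports reached ([] if dropped)."""
        if udp_dport != VXLAN_UDP_PORT or dst_ip != self.ip:
            return []
        try:
            vni, frame = vxlan_decap(payload)
        except ValueError:
            return []
        bd = next((b for b, v in self.bd_to_vni.items() if v == vni), None)
        if bd is None or src_ip not in self.peers.get(vni, ()):
            return []                           # unknown VNI, or the source is not a configured peer VTEP: drop
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vni, src)] = ("remote", src_ip)          # learn remote MAC -> source VTEP IP
        entry = self.mac_table.get((vni, dst))
        ports = [entry[1]] if entry and entry[0] == "local" else list(self.access_ports[bd])
        self.delivered.extend((p, frame) for p in ports)        # BUM goes to the user side only, never back into tunnels
        return ports


def ethernet(dst: bytes, src: bytes, ethertype: int = 0x0806) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + bytes(28)   # ARP-sized body; contents irrelevant here


def run_demo() -> dict:
    """Replay Figures 7-7 and 7-8 with constructed MACs and VTEP addresses; returns what each step observed."""
    mac1, mac2 = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000aa02")
    ips = {"VTEP1": "10.1.1.1", "VTEP2": "10.1.1.2", "VTEP3": "10.1.1.3"}
    vteps = {n: Vtep(ip, {10: 1000}, {10: [n + "-access"]}, {1000: [p for p in ips.values() if p != ip]})
             for n, ip in ips.items()}
    by_ip = {v.ip: v for v in vteps.values()}
    out = {}
    # ARP request from PC_1 is a broadcast: VTEP1 replicates it to VTEP2 and VTEP3
    out["req_targets"] = vteps["VTEP1"].forward_from_access(10, "VTEP1-access", ethernet(BROADCAST_MAC, mac1))
    for pkt in vteps["VTEP1"].sent:
        by_ip[pkt[1]].receive_from_tunnel(*pkt)
    out["vtep2_learned_mac1"] = vteps["VTEP2"].mac_table[(1000, mac1)]
    # ARP reply from PC_2: MAC_1 is now known at VTEP2, so only the tunnel to VTEP1 is used
    out["reply_targets"] = vteps["VTEP2"].forward_from_access(10, "VTEP2-access", ethernet(mac1, mac2))
    out["reply_ports"] = by_ip["10.1.1.1"].receive_from_tunnel(*vteps["VTEP2"].sent[-1])
    out["vtep1_learned_mac2"] = vteps["VTEP1"].mac_table[(1000, mac2)]
    # A VXLAN packet for VNI 1000 from an address that is not a configured peer VTEP is dropped
    rogue = vxlan_encap(1000, ethernet(BROADCAST_MAC, mac2))
    out["rogue_ports"] = vteps["VTEP1"].receive_from_tunnel("192.0.2.99", "10.1.1.1", VXLAN_UDP_PORT, rogue)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The source-VTEP check in receive_from_tunnel is the part worth attention: VXLAN itself carries no authentication, so a VTEP that accepts any packet arriving on UDP 4789 would let anyone with IP reachability inject frames into a BD. Restricting accepted sources to the configured tunnel peers, as the text's "verifies the source and destination IP addresses" step does, is what keeps the overlay closed.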
Inter-Subnet Packet Forwarding

If end users in a VXLAN site need to access the Internet or communicate with end users in another VXLAN site, a VXLAN Layer 3 gateway needs to be deployed to provide end users with Layer 3 services. Figure 7-11 shows the inter-subnet packet forwarding process.

The IP addresses of PC_1 and PC_2 are in different network segments. Initially PC_1 does not know the MAC address of its gateway, so it broadcasts an ARP request for the MAC address of VBDIF10. After learning the gateway MAC address, PC_1 sends the data packet to the gateway. The gateway in turn broadcasts an ARP request for the MAC address of PC_2 and, after learning it, forwards the data packet to PC_2. This MAC address learning proceeds as described in MAC Address Learning.

Figure 7-11  Inter-subnet packet forwarding process

  1. After Router1 receives a packet from PC_1, Router1 determines the Layer 2 BD of the packet based on the access interface and VLAN information carried in the packet, and searches for the outbound interface and encapsulation information based on the BD.
  2. The VTEP1 on Router1 performs VXLAN tunnel encapsulation based on the outbound interface and encapsulation information, and forwards the packet to Router3.
  3. Router3 decapsulates the received VXLAN packet, finds that the destination MAC address in the inner packet is MAC_3 of the Layer 3 gateway interface VBDIF10, and determines that the packet needs to be forwarded at Layer 3.
  4. Router3 removes the Ethernet header from the inner packet to parse the destination IP address. It then searches the routing table based on the destination IP to obtain the next-hop address, and searches ARP entries based on the next hop to obtain the destination MAC address, VXLAN tunnel outbound interface, and VNI.
  5. Router3 re-encapsulates the VXLAN packet and forwards it to Router2. The source MAC address in the Ethernet header of the inner packet is MAC_4 of the Layer 3 gateway interface VBDIF20.
  6. After the VTEP2 on Router2 receives the VXLAN packet, it verifies the UDP destination port number, source and destination IP addresses, and VXLAN Network Identifier (VNI) of the packet to determine its validity. The VTEP then obtains the BD based on the VNI, decapsulates the packet to obtain the inner Layer 2 packet, and searches for the outbound interface and encapsulation information in the corresponding BD.
  7. Router2 adds a VLAN tag to the packet based on the outbound interface and encapsulation information, and forwards the packet to PC_2.

Packet forwarding from PC_2 to PC_1 is similar to that described above, and is not mentioned here.
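The Layer 3 gateway step (Router3, items 3 to 5 above) as an added Python example that is not part of the document: it decapsulates the VXLAN packet, checks that the inner destination MAC is the VBDIF MAC of the ingress BD, looks up the destination IP address in a routing table, rewrites the inner MAC addresses so that the source becomes the egress VBDIF, decrements the TTL and recomputes the IPv4 header checksum, and re-encapsulates the frame with the egress VNI. It also shows two drop cases a practitioner should expect at this point: an exhausted TTL and a missing ARP entry. The IP and MAC addresses, BD/VNI numbers, and the routing and ARP entries are constructed assumptions.

```python
"""Constructed model of the VXLAN Layer 3 gateway step in Figure 7-11: decapsulate, route, rewrite, re-encapsulate."""
import ipaddress
import struct

VXLAN_FLAG_I = 0x08


def vxlan_encap(vni: int, frame: bytes) -> bytes:
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + frame


def vxlan_decap(payload: bytes) -> tuple:
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, payload[8:]


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over the header; returns 0 for a header whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, protocol UDP) with a valid checksum; constructed test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


class L3Gateway:
    """Router3's role: one VBDIF per BD, a routing table, and ARP entries. All addresses are constructed."""

    def __init__(self, vbdif: dict, vni_of_bd: dict, routes: list, arp: dict):
        self.vbdif = vbdif                      # BD -> VBDIF MAC
        self.vni_of_bd = vni_of_bd              # BD -> VNI
        self.bd_of_vni = {v: b for b, v in vni_of_bd.items()}
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)   # (connected network, BD)
        self.arp = arp                          # (BD, host IP) -> host MAC

    def forward(self, payload: bytes):
        """Return (egress VNI, re-encapsulated packet), or None when the packet is dropped."""
        vni, frame = vxlan_decap(payload)
        bd = self.bd_of_vni[vni]
        if frame[:6] != self.vbdif[bd] or frame[12:14] != b"\x08\x00":
            return None                         # not addressed to the gateway MAC, or not IPv4: not a Layer 3 case
        ip = frame[14:]
        if (ip[0] & 0x0F) != 5 or ipv4_checksum(ip[:20]) != 0:
            return None                         # IP options are out of scope here; a bad checksum is dropped
        ttl = ip[8]
        if ttl <= 1:
            return None                         # TTL exhausted (a real gateway answers with ICMP Time Exceeded)
        dst_ip = ipaddress.ip_address(ip[16:20])
        egress_bd = next((b for net, b in self.routes if dst_ip in net), None)
        if egress_bd is None:
            return None                         # no route
        next_mac = self.arp.get((egress_bd, str(dst_ip)))   # connected route: the next hop is the host itself
        if next_mac is None:
            return None                         # the gateway would first ARP for it (see MAC Address Learning)
        ip = ip[:8] + bytes([ttl - 1]) + ip[9:10] + b"\x00\x00" + ip[12:]
        ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip[:20])) + ip[12:]
        new_frame = next_mac + self.vbdif[egress_bd] + b"\x08\x00" + ip    # new MACs; source is the egress VBDIF
        return self.vni_of_bd[egress_bd], vxlan_encap(self.vni_of_bd[egress_bd], new_frame)


def demo_figure_7_11() -> dict:
    """PC_1 (BD 10 / VNI 1000) sends to PC_2 (BD 20 / VNI 2000) through the gateway; all values are constructed."""
    mac1, mac2 = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000aa02")
    mac3, mac4 = bytes.fromhex("02000000ee03"), bytes.fromhex("02000000ee04")   # VBDIF10 and VBDIF20
    gw = L3Gateway(vbdif={10: mac3, 20: mac4}, vni_of_bd={10: 1000, 20: 2000},
                   routes=[(ipaddress.ip_network("192.168.10.0/24"), 10),
                           (ipaddress.ip_network("192.168.20.0/24"), 20)],
                   arp={(20, "192.168.20.2"): mac2})

    def from_pc1(ttl):
        return vxlan_encap(1000, mac3 + mac1 + b"\x08\x00" + ipv4_packet("192.168.10.2", "192.168.20.2", ttl))

    vni, out = gw.forward(from_pc1(64))
    _, frame = vxlan_decap(out)
    return {"vni": vni, "dst_mac": frame[:6].hex(), "src_mac": frame[6:12].hex(), "ttl": frame[14 + 8],
            "checksum_ok": ipv4_checksum(frame[14:34]) == 0, "expired": gw.forward(from_pc1(1))}


if __name__ == "__main__":
    print(demo_figure_7_11())
```

The model only handles directly connected routes, which is what Figure 7-11 shows; for a route with a separate next hop the ARP lookup would be keyed on that next-hop address instead of the destination.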

Updated: 2019-04-12

Document ID: EDOC1100041799