Notes on Logical Switch Networks

Here are my course notes from the VCP6-NV v6.2 Course touching on Logical Switch Networks. I will keep posting the rest of my notes in hopes it will assist someone else as it did me.

Section 4.1

  • OSI
    • OSI model is conceptual model that describes how data flows from one device to another in a network
    • Lower layers add headers and sometimes trailers from higher layer
    • Network entities such as switches and routers move traffic based on the header info at each layer
  • Ethernet – 802.3 IEEE
    • 48 bit mac addresses
  • Frame Types
    • Unicast – sent to a known MAC; if the MAC is unknown, the frame is flooded to all ports except the one it arrived on
    • Multicast – sent to a group
    • Broadcast – sent to every station in the L2 domain
  • Each port is collision domain
    • Every end system in L2 domain must process the broadcast frame and consume resources
  • NSX eliminates need to extend L2 across DC
    • Logical switches provide L2 adjacency even if hosts not L2 adjacent
  • MAC  tables
    • Table empty
    • When a device sends a frame to another, the physical switch reads the header and learns that the source MAC address is associated with port X
    • Sends the frame out of all ports except the original; all drop the frame except the actual destination
  • 0x0800 EtherType is IPv4
    • ARP
      • Source creates an ARP request
      • Source encapsulates the request in a broadcast Ethernet frame
      • Frame is sent across the local subnet
      • Destination systems open the frame and check the IP in the destination field
      • The matching system sends an ARP reply to the source, with its own MAC as the new source MAC
      • Source receives the reply and learns the MAC address
  • NSX controller cluster caches IP:MAC mappings to suppress ARP broadcast traffic
  • IP header protocol field: 6 = TCP and 17 = UDP
  • TCP: guaranteed delivery, 16-bit port number
  • UDP: no reliability overhead, best effort
  • Unicast and hybrid replication modes support ARP suppression

4.2 Ethernet VLANs (EtherType 0x8100)

Subdivide network into smaller networks

  • 802.1Q – 1522-byte maximum frame size
  • Configured on trunk interfaces
  • Adds a numerical tag to the frame
  • Native VLAN is the untagged VLAN on an 802.1Q port
    • Untagged traffic is assumed to belong to the native VLAN

4.3 Ethernet Loop Avoidance

  • Broadcast storm – in a looped L2 network, frames repeat and circulate until dropped due to congestion
  • STP – Spanning Tree stops loops, which is needed because an Ethernet frame has no TTL
  • STP is a link-layer protocol that puts redundant connections in blocking state
    • Convergence is generally 45 seconds
  • STP blocks all ports except one toward the root bridge
  • Link Aggregation
    • Increases bandwidth
    • Increases redundancy
  • LACP allows multiple links to be bundled into a LAG

4.4 vSphere Networking

  • vSphere Distributed Switch (vDS) supports up to 500 ESXi hosts
  • A proxy switch is created on each host but managed by vCenter
  • Advantages:
    • Centralized Management
      • At vcenter vs host level
    • Advanced Feature Support
      • IO control v3
      • Differentiated service code point (dscp) marking QoS
      • Traffic monitoring
      • Multicast filtering 6
    • Scalability
      • LACP
      • SR-IOV
      • 40 Gb NIC support
    • NIOC v3
      • Reserve bandwidth for system traffic based on physical adapter capacity
      • Enable detailed resource control at the VM network adapter level
      • Improve resource reservation and allocation
    • LACP – multiple LAGs: 64 per host and 64 per vDS
    • VMkernel
      • A VMkernel port is a port on the virtual switch to which a virtual NIC is connected
      • Used by ESXi to provide kernel-level services
      • Exposes
        • Management
        • vMotion
        • IP storage
        • Replication
        • FT
        • vSAN
        • VXLAN tunnel end point (VTEP)

4.5 VMware NSX Logical Switches and VXLAN

  • Logical Switch
    • A logical switch is a L2 broadcast domain implemented using VXLAN
    • Each logical switch is assigned a unique VXLAN numerical identifier (VNI)
      • 24-bit number carried in the VXLAN header
      • Multiple VNIs can exist in the same transport zone
      • NSX starts at VNI 5000
    • Each logical switch is created as a port group on the distributed switch
    • Logical switches can extend across multiple distributed switches
  • VXLAN
    • Ethernet-in-IP overlay that decouples virtual network segmentation from the physical network
    • Allows L2 across L3 without hardware support
    • In NSX 6.1 VXLAN uses UDP port 8472
    • RFC 7348 specifies UDP port 4789
    • The source Ethernet frame is encapsulated in a new UDP packet; 50 bytes of headers are added
  • Encapsulation and De-capsulation
    • The VM doesn't see the VXLAN ID or the physical network; it sends a regular L2 frame
    • Source hypervisor (VTEP) adds the VXLAN, UDP and IP headers
    • Physical network forwards the frame
    • Destination host (VTEP) de-capsulates it
    • L2 frame is delivered to the right VM
  • VTEP – VXLAN tunnel endpoint
    • VMkernel port that encapsulates a frame in a VXLAN frame, or the reverse
    • VTEPs build VXLAN tunnels between hosts, and a distributed switch port group is created for all VTEPs
    • A VTEP proxy forwards VXLAN traffic from a VTEP in a remote segment to the local segment
    • Number of VTEPs created depends on the NIC teaming algorithm and the number of vmnics used for VXLAN
  • NIC Teaming Algorithm
    • Originating virtual port ID – selects the physical network adapter based on the port where the traffic originates
    • Source MAC hash – selects the physical network adapter based on the source MAC
    • IP hash – selects the physical network adapter based on IP, spreading load across physical adapters
    • Explicit failover order – the highest-order active uplink is always used, one at a time
  • VXLAN is routable
    • VTEP segment is a collection of ESXi hosts with their VTEPs in the same subnet
    • vSphere switches have a detect-and-filter feature that detects loops, so STP is not needed
  • Control Plane
    • NSX Controller cluster maintains tables with state information for each logical switch (VTEP, MAC and IP tables per logical switch)
    • Removes the VXLAN dependency on multicast routing or PIM in the physical network when using unicast or hybrid replication modes
  • VTEP report
    • Each VTEP informs the VMware NSX Controller about each VNI it belongs to
    • NSX Controller sends a copy of the full VTEP table per VNI to each VTEP
    • Based on the configured control plane mode, proxies are either Unicast Tunnel End Points (UTEP) or Multicast Tunnel End Points (MTEP)
  • MAC report
    • VTEPs send a copy of all learned MACs in each VNI to the NSX Controller:
      • VNI
      • MAC address
      • VTEP IP that reported it
    • If an unknown unicast frame is sent to a VTEP, the VTEP sends a MAC request to the NSX Controller; if the controller has the entry it sends the information back, otherwise the VTEP floods the frame to the other VTEPs
  • IP report
    • VTEP receives all ARP requests from VMs
    • If the VTEP has no entry, it asks the controller
    • If the NSX Controller doesn't know either, the frame is broadcast to all VMs in the same VNI on that VTEP and to all other VTEPs in the same VNI
  • QoS
    • CoS – L2 tags
    • DSCP marking – L3 tag
  • Prepare for VXLAN – create a VNI pool
  • Specify the multicast ranges for hybrid or multicast replication modes for logical switches
    • 239.0.1.0/24 excluding 239.128.0.0/24 is the recommended multicast range
  • Transport zones control the hosts a logical network can span
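As an added illustration of the encapsulation walk above (not part of the course notes), the following Python builds and parses the VXLAN encapsulation a VTEP performs, showing the 24-bit VNI, the 50 bytes of added headers, and the RFC 7348 port 4789 beside the NSX 6.1 port 8472; the MAC and IP addresses and the inner frame are constructed sample values.

```python
import socket
import struct

VXLAN_PORT_RFC7348 = 4789   # UDP port assigned by RFC 7348
VXLAN_PORT_NSX61 = 8472     # UDP port used by NSX 6.1 (per the notes above)
VXLAN_PORTS = {VXLAN_PORT_RFC7348, VXLAN_PORT_NSX61}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def ip_checksum(hdr):
    # RFC 791 ones' complement sum over the 20-byte IPv4 header (checksum field zeroed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    return (~((s & 0xFFFF) + (s >> 16))) & 0xFFFF

def vxlan_encap(inner, vni, src_mac, dst_mac, src_ip, dst_ip, dport=VXLAN_PORT_RFC7348):
    """Source VTEP: wrap the VM's unmodified L2 frame in VXLAN, UDP, IPv4 and Ethernet headers."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)       # I flag set; VNI occupies bits 8..31
    sport = 49152                                       # real VTEPs hash inner headers here for ECMP
    udp = struct.pack("!HHHH", sport, dport, 8 + len(vxlan) + len(inner), 0)  # UDP csum optional
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan) + len(inner), 0,
                     0x4000, 64, IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner

def vxlan_decap(packet):
    """Destination VTEP: validate the outer headers and return (vni, inner_frame)."""
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    dport = struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0]
    if dport not in VXLAN_PORTS:
        raise ValueError("UDP port %d is not a VXLAN port" % dport)
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & 0x08:                                # I flag clear means the VNI is not valid
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[vx_off + 8:]

# Constructed sample: a broadcast ARP-sized frame from a VM on VNI 5000 (NSX's first VNI),
# carried between two VTEPs in different VTEP segments (all addresses are made up).
INNER = bytes.fromhex("ffffffffffff") + bytes.fromhex("005056aabbcc") + struct.pack("!H", 0x0806) + bytes(28)
ENCAP = vxlan_encap(INNER, 5000, "005056111111", "005056222222", "10.0.1.11", "10.0.2.21")
```

`len(ENCAP) - len(INNER)` is the 50 bytes the notes mention (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), and the inner frame comes back byte-for-byte unchanged, which is why the physical network only ever sees the outer headers.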

4.6 NSX Replication and Frame Walk

  • Traffic must sometimes be sent to all the other vms on same logical switch
    • Broadcast
    • Unknown unicast
    • Multicast
  • Replicate Locally bit
    • Set to 1 when the frame is sent to a proxy VTEP
    • When set to 1, the proxy VTEP is responsible for replicating the frame to the other VTEPs in its IP subnet
  • VXLAN control plane modes
    • Unicast mode
      • No multicast needed on the physical network
      • Higher overhead on the source VTEP and the UTEP
      • Configurable per VNI
      • Relies on the NSX Controller; provides replication using unicast
      • VTEP proxy is a UTEP
      • Source replicates the encapsulated frame to each local VTEP via unicast, and to each remote UTEP via unicast
      • Destination UTEP receives the frame and replicates the encapsulated frame via unicast to each host in its segment that has joined the VNI
    • Hybrid mode
      • Provides local replication that is offloaded to the physical network and remote replication via unicast
      • Source VTEP replicates the encapsulated frame to local VTEPs via multicast, and to each remote MTEP via unicast
      • Destination MTEP receives the encapsulated frame from the source and replicates it to each local VTEP via multicast
      • IGMP snooping needed
      • Multicast to local, unicast to remote
    • Multicast mode
      • Requires Internet Group Management Protocol (IGMP) for L2 and multicast routing for L3
      • Needs IGMP snooping on the physical network
      • Lowest overhead on the source VTEP
      • Only VTEPs that are interested (have VMs on the VNI) join the multicast group
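An added example (not from the course notes) that simulates the three control plane modes above for one broadcast/unknown-unicast/multicast frame against a constructed VTEP table with three VTEP segments, so the overhead each mode places on the source VTEP and the proxies can be counted; choosing the lowest IP in a remote segment as its UTEP/MTEP is an assumption made for the simulation, not documented NSX behaviour.

```python
import ipaddress
from collections import Counter

# Constructed VTEP table for one VNI, as the NSX Controller pushes it to every VTEP:
# three VTEP segments (IP subnets) with three hosts each. All addresses are made up.
VTEP_TABLE = {
    5000: ["10.0.1.11/24", "10.0.1.12/24", "10.0.1.13/24",
           "10.0.2.21/24", "10.0.2.22/24", "10.0.2.23/24",
           "10.0.3.31/24", "10.0.3.32/24", "10.0.3.33/24"],
}
MODES = ("unicast", "hybrid", "multicast")

def segments(vni):
    """Group the VNI's VTEPs by subnet (VTEP segment), each list sorted by IP."""
    segs = {}
    for entry in VTEP_TABLE[vni]:
        iface = ipaddress.ip_interface(entry)
        segs.setdefault(iface.network, []).append(iface.ip)
    return {net: sorted(ips) for net, ips in segs.items()}

def replicate(mode, vni, src):
    """Return every send a BUM frame causes as (sender, receiver, transport, replicate_locally)."""
    if mode not in MODES:
        raise ValueError("unknown control plane mode %r" % mode)
    src = ipaddress.ip_address(src)
    segs = segments(vni)
    local_net = next((net for net in segs if src in net), None)
    if local_net is None:
        raise ValueError("source VTEP is not in the VNI's VTEP table")
    sends = []
    for net, ips in segs.items():
        if net == local_net:
            if mode == "unicast":          # one copy per local VTEP, all sent by the source
                sends += [(src, ip, "unicast", 0) for ip in ips if ip != src]
            else:                          # hybrid/multicast: physical switch fans out via IGMP snooping
                sends.append((src, "multicast group", "multicast", 0))
        elif mode == "multicast":          # PIM in the physical network carries it to remote segments
            continue
        else:
            proxy = ips[0]                 # assumption: lowest IP acts as the segment's UTEP/MTEP
            sends.append((src, proxy, "unicast", 1))        # replicate-locally bit set
            if mode == "unicast":          # UTEP unicasts to each other VTEP in its segment
                sends += [(proxy, ip, "unicast", 0) for ip in ips if ip != proxy]
            else:                          # MTEP multicasts once into its own segment
                sends.append((proxy, "multicast group", "multicast", 0))
    return sends

def sends_per_vtep(mode, vni, src):
    """Frames each VTEP puts on the wire for one BUM frame, i.e. the replication overhead."""
    return Counter(str(s[0]) for s in replicate(mode, vni, src))
```

With the source at 10.0.1.11, unicast mode costs the source four sends and each UTEP two, hybrid mode costs the source three (one multicast plus two proxies) and each MTEP one, and multicast mode costs the source a single send, which matches the overhead ranking in the notes.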

plasebikan