A Comprehensive Guide to VMware VXLAN

VXLAN technology, implemented in VMware, enhances network virtualization, addressing scalability and isolation challenges. It ensures robust security for virtual machines within data center environments.


Updated by Dan Zeng on 2023/10/16

Table of contents
  • What is VMware VXLAN?

  • Benefits of VMware VXLAN

  • What is the networking model for VXLAN in VMware?

  • Protecting VMs with Vinchin Backup & Recovery

  • Conclusion


VMware VXLAN is a technology that was born in response to a series of challenges faced by virtualization in the era of cloud computing.

Against the backdrop of the rise of virtualization, several challenges emerged: the limits that network device table sizes place on the number of VMs, the limited isolation capabilities of traditional networks, and the restricted scope for VM migration. VMware VXLAN was introduced to address these challenges. It is a technology jointly introduced by major enterprises such as VMware and Cisco, and the VXLAN standard is documented in RFC 7348.

What is VMware VXLAN?

The full name of VXLAN is Virtual eXtensible Local Area Network. It is an overlay technology that uses L2 over L4 (MAC-in-UDP) encapsulation and belongs to the NVO3 (Network Virtualization over Layer 3) family of network virtualization technologies. Layer 2 frames are encapsulated in Layer 3 (IP/UDP) packets, which lets a virtual Layer 2 network be extended across a routed Layer 3 domain. This meets the needs of large-scale Layer 2 VM migration and multi-tenancy in data centers. RFC 7348 describes it as "a framework for overlaying virtualized Layer 2 networks over Layer 3 networks."

Benefits of VMware VXLAN

For large Layer 2 networks, the emergence of VXLAN VMware effectively addresses the isolation and scalability issues faced by data centers in the era of cloud computing when implementing server virtualization on physical network infrastructure.

  • The 24-bit VNI supports up to 16M isolated VXLAN VMware segments, so users are no longer restricted in terms of isolation and identification, which can satisfy a large number of tenants.

  • Except for the VXLAN network edge devices, the other devices in the network do not need to learn the MAC addresses of VMs. This relieves the pressure on device MAC address tables and improves device performance.

  • By using MAC-in-UDP encapsulation to extend the Layer 2 network, VXLAN decouples the physical and virtual networks. Tenants can plan their own virtual networks without being constrained by the IP addressing and broadcast domains of the physical network, greatly reducing the difficulty of network management.

What is the networking model for VXLAN in VMware?

VXLAN in VMware is mainly used in data center networks. VXLAN VMware takes an existing Layer 3 physical network as the Underlay network and builds a virtual Layer 2 network on top of it, known as the Overlay network. The Overlay network uses MAC-in-UDP encapsulation and leverages the Layer 3 forwarding paths provided by the Underlay network to carry Layer 2 frames between different sites.

For tenants, the Underlay network remains transparent, and different sites of the same tenant appear as if they are operating within a single LAN. Simultaneously, it is possible to establish multiple VMware VXLAN networks on the same physical network, each identified by a unique VNI. These different VXLAN VMware networks do not interfere with each other, thereby achieving isolation between tenant networks.

Basic elements in the VMware VXLAN network model

The following basic elements are included in a typical network model for VXLAN in VMware:

VM: Multiple VMs can be created on a single server, and different VMs can belong to different VMware VXLANs. VMs in the same VXLAN VMware are in the same logical Layer 2 network and are Layer 2 interoperable with each other; VMs belonging to different VXLANs are isolated at Layer 2.

VXLAN Tunnel: It is used to transmit messages encapsulated by VMware VXLAN. It is a virtual channel established between two VTEPs. The two parties in a VXLAN communication consider themselves to communicate directly through a Layer 2 VSI and are unaware of the existence of the underlying network.

VTEP (VXLAN Tunnel Endpoint): An edge device of a VMware VXLAN network that encapsulates and de-encapsulates VXLAN VMware messages. The VTEP can be understood as the anchor point at which the Overlay network is attached to the Underlay physical network. The VTEP is assigned an IP address from the physical network, independent of the virtual network. In VXLAN VMware messages, the source IP address is the VTEP address at one end of the tunnel, and the destination IP address is the VTEP address at the other end. Each pair of VTEP addresses corresponds to one VMware VXLAN tunnel. A VTEP can be a standalone network device (for example, a switch) or a physical server (for example, the host where a VM is located).

VNI (VXLAN Network Identifier): VNI is a user identifier similar to a VLAN ID, where one VNI represents one tenant. Even if multiple end users belong to the same VNI, it still signifies a single tenant. A VNI consists of 24 bits and can support as many as 16 million tenants. VMs belonging to different VNIs cannot directly communicate at the Layer 2 level. When VMware VXLAN messages are encapsulated, sufficient space is allocated for the VNI to support the isolation of a vast number of tenants.

IP Core Equipment/Tunnel Intermediate Equipment: It is a common routing/forwarding device in the network that does not participate in VMware VXLAN processing. It only needs to perform regular layer 3 forwarding along the VXLAN tunnel path based on the destination VTEP IP address encapsulated in the VXLAN VMware message.

VSI (Virtual Switch Instance): It is a virtual switching instance on VTEP that provides layer 2 switching services for each VMware VXLAN. VSI can be seen as a virtual switch on VTEP that performs layer 2 forwarding for data frames within a specific VXLAN. It has all the functionalities of a traditional switch, including source MAC address learning, MAC address aging, and flooding. Each VSI corresponds to a VXLAN.

VSI-Interface: The virtual Layer 3 interface of a VSI. Similar to a VLAN-Interface, it is used to handle traffic across VNIs, that is, across VXLANs. A VSI-Interface corresponds one-to-one to a VSI, and it may not exist when there is no traffic across VNIs.
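To make the encapsulation and the VNI-based isolation described above concrete, here is a small added example in Python (not code from the original article or from VMware): it builds and parses the 8-byte VXLAN header from RFC 7348 and models the receiving VTEP handing the inner frame to the VSI for its VNI, dropping frames for VNIs it does not serve. The sample frame, the VNI values and the VSI names are constructed for illustration.

```python
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08             # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1         # 24-bit VNI -> 16,777,216 segments

def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (RFC 7348, section 5) to an inner
    Ethernet frame. The outer Ethernet/IP/UDP headers that the sending VTEP
    adds (src/dst = the two VTEP IPs, UDP dst port 4789) are left out."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Layout: flags(8) | reserved(24) | VNI(24) | reserved(8)
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    return header + inner_frame

def vxlan_decapsulate(payload: bytes) -> tuple:
    """Split a UDP payload into (vni, inner_frame). Rejects truncated headers
    and headers whose I flag is clear; reserved bits are ignored on receipt,
    as the RFC requires."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI is not valid, frame must be dropped")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]

def vtep_deliver(vsi_by_vni: dict, udp_payload: bytes):
    """Receiving-VTEP behaviour: hand the inner frame to the VSI that serves
    its VNI, or drop it (return None) when no VSI exists for that VNI.
    Returns (vsi_name, inner_frame) on success."""
    vni, inner = vxlan_decapsulate(udp_payload)
    vsi = vsi_by_vni.get(vni)
    if vsi is None:
        return None          # tenant isolation: unknown VNI never reaches a VSI
    return vsi, inner

# Constructed sample: a minimal inner Ethernet frame (dst MAC, src MAC,
# EtherType 0x0800 for IPv4, then a placeholder payload).
SAMPLE_FRAME = (bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
                + struct.pack("!H", 0x0800) + b"tenant-a-payload")
# Constructed VTEP configuration: two tenants, each on its own VNI and VSI.
SAMPLE_VSIS = {5001: "vsi-tenant-a", 5002: "vsi-tenant-b"}

if __name__ == "__main__":
    pkt = vxlan_encapsulate(5001, SAMPLE_FRAME)
    print(pkt[:8].hex(), vtep_deliver(SAMPLE_VSIS, pkt))
```

The first eight bytes printed are the VXLAN header: flags 0x08, three reserved zero bytes, the VNI 5001 as 0x001389, and a final reserved zero byte.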

Protecting VMs with Vinchin Backup & Recovery

While VXLAN in VMware greatly improves network virtualization and the flexibility of moving data across virtual networks, a VXLAN deployment does not by itself protect the VMs that run on it. Securing those VMs, including backing them up, remains a critical task.

Vinchin Backup & Recovery

Vinchin Backup & Recovery is a backup solution designed for VMs of VMware, Hyper-V, XenServer, XCP-ng, oVirt, RHV, etc. It provides comprehensive and powerful VM backup and recovery features like agentless backup, instant recovery, V2V migration designed to protect and manage critical data in the virtualization environment.

Operating Vinchin Backup & Recovery takes only a few simple steps: select the VMs on the host, then select the backup destination, select the backup strategies, and finally submit the job.

Vinchin offers a free 60-day trial for users to experience the functionality in a real-world environment. For more information, please contact Vinchin directly or contact our local partners.

Conclusion

VXLAN technology has emerged as a pivotal solution to the challenges of network virtualization. While it greatly improves network flexibility, it is equally vital to ensure VM security. Solutions like Vinchin Backup & Recovery provide a straightforward means to protect and manage your virtualization environment.
