Network virtualization takes center stage in SDN environments. Virtual network overlays and tunneling protocols create logical networks on top of physical infrastructure, enabling and in modern data centers.

These technologies, like and , allow for and . They use to extend Layer 2 networks over Layer 3, supporting up to millions of logical networks and improving resource allocation in cloud environments.

Virtual Network Overlay Protocols

VXLAN and NVGRE: Layer 3 Overlay Solutions

  • VXLAN (Virtual Extensible LAN) extends Layer 2 networks over Layer 3 infrastructure
    • Uses MAC-in-UDP encapsulation
    • Supports up to 16 million logical networks with 24-bit VXLAN Network Identifier (VNI)
    • Operates on UDP port 4789
    • Commonly used in data center environments for network segmentation and isolation
  • NVGRE (Network Virtualization using Generic Routing Encapsulation) provides similar functionality to VXLAN
    • Utilizes tunneling protocol with a 24-bit Tenant Network Identifier (TNI)
    • Encapsulates Ethernet frames in IP packets
    • Developed by Microsoft as an alternative to VXLAN
    • Supports multi-tenancy in cloud environments

STT and GRE: Alternative Tunneling Protocols

  • STT (Stateless Transport Tunneling) is designed for high-performance network virtualization
    • Uses TCP-like header for hardware offload capabilities
    • Supports larger Maximum Transmission Units (MTUs) compared to other protocols
    • Provides better performance in environments with TCP Segmentation Offload (TSO)
  • GRE (Generic Routing Encapsulation) serves as a versatile tunneling protocol
    • Encapsulates various network layer protocols (IP, IPv6, IPX)
    • Adds minimal overhead to encapsulated packets
    • Widely supported across different networking devices and platforms
    • Forms the basis for other tunneling protocols (NVGRE)
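Added example, not code from the page: the GRE header described in the GRE bullets above, and the NVGRE profile built on it from the NVGRE bullets, in Python. parse_gre handles GRE's optional Checksum, Key and Sequence words and any encapsulated protocol type, so it also covers plain IP-in-GRE; nvgre_encapsulate and nvgre_decapsulate set and enforce the NVGRE profile, where the 24-bit tenant identifier (the TNI above, called the Virtual Subnet ID in the NVGRE specification) occupies the top 24 bits of the Key word and an 8-bit FlowID the rest. Field layout follows the GRE and NVGRE specifications; the sample frames are constructed for the example.

```python
import struct

# GRE flag bits in the first 16-bit word (C, K, S); the version lives in the low 3 bits.
GRE_FLAG_C = 0x8000   # Checksum + Reserved1 word present
GRE_FLAG_K = 0x2000   # Key word present
GRE_FLAG_S = 0x1000   # Sequence Number word present
GRE_VER_MASK = 0x0007
ETH_P_TEB = 0x6558    # Transparent Ethernet Bridging: payload is a whole Ethernet frame


def parse_gre(payload: bytes) -> tuple:
    """Parse a GRE header with any of its optional words; returns (flags, proto, key, seq, body)."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", payload[:4])
    if flags & GRE_VER_MASK:
        raise ValueError("only GRE version 0 is handled")
    # Length check up front: a packet that sets K or S but is cut short must not be read past its end.
    hdr_len = 4 + 4 * sum(bool(flags & bit) for bit in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S))
    if len(payload) < hdr_len:
        raise ValueError("GRE header claims optional words that are not present")
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_C:
        off += 4                                   # checksum word skipped, not verified here
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    return flags, proto, key, seq, payload[off:]


def nvgre_encapsulate(vsid: int, flow_id: int, inner_frame: bytes) -> bytes:
    """NVGRE: GRE with K set, proto 0x6558, Key = 24-bit tenant ID (VSID) << 8 | 8-bit FlowID."""
    if not 0 <= vsid < (1 << 24) or not 0 <= flow_id < 256:
        raise ValueError("VSID must be 24 bits and FlowID 8 bits")
    return struct.pack("!HHI", GRE_FLAG_K, ETH_P_TEB, (vsid << 8) | flow_id) + inner_frame


def nvgre_decapsulate(payload: bytes) -> tuple:
    """Enforce NVGRE's constraints on a GRE packet and return (vsid, flow_id, inner_frame)."""
    flags, proto, key, _seq, body = parse_gre(payload)
    if proto != ETH_P_TEB or key is None:
        raise ValueError("not NVGRE: Key word and Ethernet payload type are required")
    if flags & (GRE_FLAG_C | GRE_FLAG_S):
        raise ValueError("not NVGRE: Checksum and Sequence words are not permitted")
    return key >> 8, key & 0xFF, body


if __name__ == "__main__":
    pkt = nvgre_encapsulate(0xABCDEF, 7, b"constructed inner Ethernet frame")
    print(nvgre_decapsulate(pkt))
```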

Network Overlay Concepts

Fundamentals of Network Overlays

  • Network Overlay creates a virtual network on top of physical infrastructure
    • Enables logical separation of network services from underlying hardware
    • Supports multi-tenancy and network segmentation in cloud environments
    • Facilitates network agility and flexibility in software-defined networking (SDN)
  • Tunneling establishes a virtual point-to-point connection between network nodes
    • Creates a logical path for data transmission across different network segments
    • Enables communication between geographically dispersed sites (VPNs)
    • Supports various protocols (VXLAN, GRE, ) for different use cases

Encapsulation and Decapsulation Processes

  • Encapsulation wraps original data packets with additional headers
    • Adds information for routing and identification in overlay networks
    • Preserves original packet integrity while traversing intermediate networks
    • Supports different encapsulation methods based on overlay protocol (MAC-in-UDP for VXLAN)
  • Decapsulation reverses the encapsulation process at the destination
    • Removes added headers to reveal original packet contents
    • Performed by network devices or software at overlay network endpoints
    • Ensures proper delivery of encapsulated data to intended recipients
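The VXLAN encapsulation and decapsulation steps described above, as an added example written for this page and not part of the original: it packs the 8-byte VXLAN header (I flag, 24-bit VNI) in front of a constructed Ethernet frame, and the receiving side validates the header and drops any frame whose VNI is not provisioned on that VTEP, which is what keeps one tenant's overlay separate from another. The outer IP/UDP headers (destination port 4789) are left to the VTEP's IP stack; the MAC addresses and payload are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned destination port for the outer UDP header
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid (must be set)
VXLAN_HDR_FMT = "!B3xI"      # flags(1) reserved(3) | VNI(3)+reserved(1), network byte order


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed inner Layer 2 frame: the original packet that the overlay carries unchanged."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header; the VTEP's IP stack adds outer Ethernet/IP/UDP (dst port 4789)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack(VXLAN_HDR_FMT, VXLAN_FLAG_I, vni << 8) + inner_frame


def vxlan_decapsulate(udp_payload: bytes, provisioned_vnis: set) -> tuple:
    """Reverse encapsulation at the receiving VTEP, returning (vni, inner_frame).

    An exception means the frame is dropped: the header is malformed or the VNI is not
    one configured on this VTEP, so a stray or mis-addressed segment is never bridged.
    """
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_word = struct.unpack(VXLAN_HDR_FMT, udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field not valid, drop")
    vni = vni_word >> 8           # upper 24 bits carry the VNI; the low 8 bits are reserved
    if vni not in provisioned_vnis:
        raise PermissionError(f"VNI {vni} not provisioned on this VTEP, drop")
    return vni, udp_payload[8:]


def round_trip(vni: int, provisioned_vnis: set) -> tuple:
    """Encapsulate a constructed tenant frame and decapsulate it on a VTEP with the given VNIs."""
    frame = build_ethernet_frame(bytes.fromhex("0a0000000002"), bytes.fromhex("0a0000000001"),
                                 0x0800, b"constructed IPv4 payload")
    return vxlan_decapsulate(vxlan_encapsulate(vni, frame), provisioned_vnis)


if __name__ == "__main__":
    vni, frame = round_trip(5000, {5000, 5001})
    print(f"VNI {vni}, inner frame {len(frame)} bytes, outer UDP port {VXLAN_UDP_PORT}")
```

The VNI check only enforces provisioning: the VXLAN header carries no authentication, so an underlay that lets arbitrary hosts send to UDP/4789 on a VTEP still needs filtering at the fabric edge or an IPsec-protected tunnel, as the IPsec entry under Key Terms notes.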

Network Overlay Management

Overlay Network Controller Functions

  • Overlay Network Controller centralizes management of virtual network infrastructure
    • Configures and provisions overlay networks across distributed environments
    • Manages virtual network policies, security rules, and traffic flows
    • Integrates with SDN controllers for comprehensive network orchestration
    • Provides APIs for programmatic control and automation of overlay networks
  • Controller responsibilities include:
    • Maintaining overlay network topology and endpoint information
    • Coordinating tunnel establishment between network nodes
    • Implementing traffic engineering and load balancing across overlay networks
    • Monitoring overlay network performance and health

Virtual Extensible LAN Implementation and Benefits

  • Virtual Extensible LAN (VXLAN) extends Layer 2 domains across Layer 3 boundaries
    • Overcomes limitations of traditional VLANs (4096 VLAN ID limit)
    • Supports up to 16 million logical networks with 24-bit VXLAN Network Identifier
    • Enables workload mobility and flexible resource allocation in data centers
  • VXLAN implementation involves:
    • Configuring VXLAN Tunnel End Points (VTEPs) on network devices or hypervisors
    • Defining VXLAN segments and mapping them to VLANs or tenant networks
    • Establishing multicast groups for VXLAN traffic distribution (optional)
    • Integrating with overlay controllers for automated provisioning and management
  • Benefits of VXLAN include:
    • Improved network scalability and flexibility in multi-tenant environments
    • Enhanced workload mobility across Layer 3 boundaries
    • Simplified network design and reduced complexity in large-scale deployments
    • Better utilization of network infrastructure through efficient traffic distribution

Key Terms to Review (18)

Data center interconnect: Data center interconnect refers to the technologies and methods used to connect multiple data centers, allowing them to communicate and share resources seamlessly. This connection facilitates data transfer, resource pooling, and redundancy, ensuring high availability and reliability in service delivery. By leveraging technologies like virtual network overlays and tunneling protocols, data center interconnect enhances scalability and flexibility for service providers and businesses.
Decapsulation: Decapsulation is the process of removing encapsulation from data packets as they travel through a network. This occurs when the outer headers added by tunneling protocols or virtual network overlays are stripped away, allowing the original data packet to be processed by the next layer in the networking stack. It is essential for proper routing and delivery of data, especially in environments utilizing multiple layers of encapsulation.
Encapsulation: Encapsulation is a fundamental concept in networking where data is wrapped in a specific protocol header before being transmitted across a network. This process allows for the creation of virtual network overlays and helps in establishing communication between different types of networks by providing a method to transport packets while maintaining their integrity and privacy.
Flexibility: Flexibility refers to the ability of a network architecture to adapt and change in response to varying requirements and conditions. This characteristic is vital in modern networking, enabling rapid adjustments in configurations, resource allocation, and service delivery without extensive manual intervention. Flexibility supports innovation and efficiency by allowing networks to scale, integrate new technologies, and respond dynamically to changing traffic patterns and user demands.
GRE: GRE, or Generic Routing Encapsulation, is a tunneling protocol developed by Cisco that encapsulates a wide variety of network layer protocols into point-to-point links. It plays a critical role in establishing virtual network overlays, enabling the seamless transport of different protocols across a single network. GRE is essential for connecting remote networks and creating virtual private networks (VPNs), thereby enhancing network scalability and flexibility.
IPsec: IPsec, or Internet Protocol Security, is a suite of protocols designed to secure Internet Protocol (IP) communications through authenticating and encrypting each IP packet in a communication session. It provides end-to-end security for both IPv4 and IPv6 packets, ensuring the integrity, authenticity, and confidentiality of data as it travels over potentially insecure networks. This makes IPsec crucial in creating secure tunnels and overlays for virtual networks, as well as ensuring secure communication in software-defined networking environments.
LISP: LISP, which stands for Locator/ID Separation Protocol, is a protocol designed to decouple the identity of network endpoints from their location in the network. This separation enables greater flexibility in managing IP addresses and allows for more efficient routing and mobility. By using LISP, networks can create virtual overlays that simplify address management and support tunneling protocols, making it easier to deploy services across diverse infrastructures.
MPLS: MPLS, or Multi-Protocol Label Switching, is a versatile data-carrying technique that directs packets through a network based on short path labels rather than long network addresses. This labeling allows for more efficient routing and traffic management, making it ideal for creating virtual network overlays and supporting tunneling protocols, as it enables service providers to offer various services over a single infrastructure while maintaining high performance.
Multi-tenancy: Multi-tenancy is an architecture principle where a single instance of software serves multiple customers or tenants, allowing for efficient resource sharing while maintaining data isolation and security. This concept is essential in modern networking as it enables different users to share the same infrastructure while preserving their unique configurations and data privacy. It also facilitates scalability and cost-effectiveness, making it a crucial aspect of virtualized networks and cloud computing.
Network segmentation: Network segmentation is the practice of dividing a computer network into smaller, manageable segments or sub-networks, which helps improve performance, security, and overall management. By isolating different segments, organizations can control traffic flow, enhance security measures, and optimize resource allocation, all while making it easier to troubleshoot and maintain the network infrastructure.
Network Slicing: Network slicing is a technique that allows multiple virtual networks to be created on top of a shared physical infrastructure, enabling different types of services and applications to coexist while maintaining performance and security. This method supports the tailored delivery of network resources according to specific needs, making it vital in contexts where diverse applications require unique characteristics.
NVGRE: NVGRE, or Network Virtualization using Generic Routing Encapsulation, is a tunneling protocol that encapsulates Ethernet frames in an IP packet, enabling the creation of virtual networks over existing physical networks. It allows multiple virtual networks to coexist on the same physical infrastructure by adding a layer of abstraction, facilitating network scalability and efficiency. This approach plays a significant role in the evolution of networking by addressing the need for more flexible and efficient ways to manage network resources in large data centers and cloud environments.
Overlay isolation: Overlay isolation refers to the technique of separating different virtual networks in a software-defined networking environment to ensure that data and traffic from one overlay network do not interfere with others. This method provides security and operational efficiency, allowing multiple tenants or applications to share the same physical infrastructure while maintaining their own isolated virtual environments.
RFC 7348: RFC 7348 is a Request for Comments document that specifies the Virtual eXtensible Local Area Network (VXLAN) protocol, which provides a method for encapsulating Layer 2 Ethernet frames within Layer 4 UDP packets. This enables the creation of overlay networks over existing IP infrastructure, allowing for greater scalability and flexibility in network design. By using tunneling techniques, RFC 7348 facilitates the deployment of virtual networks that can span multiple physical locations, enhancing network virtualization and multi-tenancy support.
RFC 7637: RFC 7637 is a formal document that specifies the use of the Hash-Based Message Authentication Code (HMAC) for verifying the integrity and authenticity of the data transmitted in Secure Internet Protocol (SIP) communications. It addresses concerns regarding message integrity and protects against unauthorized modifications, which is critical in ensuring secure and reliable communication in network overlays and tunneling protocols.
Scalability: Scalability refers to the ability of a network or system to accommodate growth and handle increased demand without sacrificing performance. In the context of software-defined networking (SDN), scalability is essential as it allows networks to expand seamlessly, integrating new devices and services while maintaining efficient operations.
STT: STT, or Stateless Transport Tunneling, is a protocol designed for efficient encapsulation of packets in software-defined networking environments. It enables the creation of virtual network overlays, allowing multiple logical networks to coexist over a shared physical infrastructure while maintaining isolation and scalability. By facilitating tunneling, STT enhances the flexibility and management of network resources.
VXLAN: VXLAN, or Virtual Extensible LAN, is a network virtualization technology that encapsulates Ethernet frames in UDP packets to create virtualized Layer 2 networks over Layer 3 infrastructures. This approach allows for the creation of large-scale cloud computing environments by enabling multiple virtual networks to coexist over the same physical infrastructure without interfering with each other.
© 2024 Fiveable Inc. All rights reserved.