Wednesday, May 29, 2013

How does Nexus 1000v support VXLAN protocol

In the previous post we explained how VXLAN works. Below is a complementary video about VXLAN by Cisco product manager Han Yang, showing a live Cisco Nexus 1000V training session.

Interesting facts that are not directly mentioned in the previous post:
  • Only one Nexus 1000V (N1V) instance can be deployed on a single hypervisor (each hypervisor has its own 1000V virtual switch)
  • Nexus 1000V has a built-in mechanism for loop prevention (time ~21:00)
    • if it receives a packet on the outside interface whose source MAC address belongs to one of its attached VMs, it drops it
    • it drops STP BPDUs; as hypervisors are considered 'leaves' in the network topology, they don't have to participate in STP
  • As VXLAN is an L3/L4 network overlay, it handles VM-generated broadcast, multicast and unknown unicast traffic with the help of IP multicast (time ~27:00)
  • The point above means that, for example, a VM's ARP request will be distributed to all hypervisors using IP multicast (remember that each hypervisor has its own IP; hypervisors communicate with each other using those IPs, while the real VM-to-VM traffic is encapsulated with VXLAN and carried inside UDP datagrams)
  • You don't need a separate multicast group per VXLAN segment (which would result in separate multicast trees and multicast groups that the routers need to manage); a single multicast group can be shared by many VXLANs (time ~36:00)
  • Not sure about this: I have a couple of VMs in my VXLAN that want to communicate with each other using IP multicast. This multicast traffic is not the same as when an ARP request needs to be distributed among hypervisors; this is the VMs' internal traffic. Will this VM IP multicast traffic be distributed to all hypervisors, or only to those that actually host a relevant VM that joined the VM multicast group earlier (IGMP snooping)? (time 30:00-30:35)
  • In a single VXLAN you can have multiple customer-defined VLANs (this becomes obvious when you look at the VXLAN frame headers) (time ~30:00)
  • You can tunnel VXLAN over OTV (time ~45:00)
  • You need an L3 gateway device to allow traffic between traditional VLAN and VXLAN domains
  • There is an option to integrate a vASA (virtual ASA) firewall within the VXLAN network
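To make the encapsulation and the two loop-prevention rules above concrete, here is an added Python example (written for this post, not Cisco's code and not taken from the video). It decapsulates a VXLAN UDP payload into its VNI and inner Ethernet frame, then applies the two drop rules the session describes; the MAC addresses, VNI and the simplified model of applying the rules to a decapsulated frame are constructed assumptions for the demo.

```python
import struct

VXLAN_UDP_PORT = 4789                          # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08                            # "I" flag: the VNI field is valid
STP_BPDU_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address

def parse_vxlan(udp_payload: bytes):
    """Split a VXLAN UDP payload into (vni, inner Ethernet frame).
    Header layout (8 bytes): flags(1) reserved(3) VNI(3) reserved(1)."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an inner Ethernet header")
    flags, vni_word = struct.unpack("!BxxxI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    return vni_word >> 8, udp_payload[8:]      # drop the low reserved byte -> 24-bit VNI

def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an inner Ethernet frame as a VTEP would (helper for the demo)."""
    return struct.pack("!BxxxI", VXLAN_FLAG_I, (vni & 0xFFFFFF) << 8) + inner_frame

def loop_check(inner_frame: bytes, local_vm_macs) -> str:
    """The two loop-prevention rules from the session, applied to a frame that
    arrived from the outside interface: reflected frames and STP BPDUs are dropped."""
    dst, src = inner_frame[:6], inner_frame[6:12]
    if src in local_vm_macs:
        return "drop: source MAC belongs to a locally attached VM (reflected frame)"
    if dst == STP_BPDU_DST:
        return "drop: STP BPDU (hypervisor is a leaf, it does not run STP)"
    return "forward"

def handle_received(udp_payload: bytes, local_vm_macs):
    """Decapsulate a received VXLAN packet and return (vni, forwarding decision)."""
    vni, inner = parse_vxlan(udp_payload)
    return vni, loop_check(inner, local_vm_macs)

# Constructed sample data: MAC addresses and VNI are made up for this demo.
LOCAL_VM = bytes.fromhex("005056aa0001")
REMOTE_VM = bytes.fromhex("005056bb0002")
ETH_IPV4 = b"\x08\x00"

def demo():
    local_macs = {LOCAL_VM}
    remote_to_local = build_vxlan(5000, LOCAL_VM + REMOTE_VM + ETH_IPV4 + b"payload")
    reflected = build_vxlan(5000, REMOTE_VM + LOCAL_VM + ETH_IPV4 + b"payload")
    bpdu = build_vxlan(5000, STP_BPDU_DST + REMOTE_VM + b"\x00\x26" + b"\x42\x42\x03")
    return [handle_received(p, local_macs) for p in (remote_to_local, reflected, bpdu)]

if __name__ == "__main__":
    for vni, decision in demo():
        print(f"VNI {vni}: {decision}")
```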
