Ngexesha le-cloud computing kunye ne-network virtualization, i-VXLAN (Virtual Extensible LAN) ibe yiteknoloji eyintloko yokwakha iinethiwekhi ze-overlay ezinokukhula neziguquguqukayo. Embindini we-VXLAN architecture kukho i-VTEP (VXLAN Tunnel Endpoint), into ebalulekileyo evumela ukuhanjiswa okungenamthungo kwe-traffic ye-layer 2 kwiinethiwekhi ze-layer 3. Njengoko i-traffic yenethiwekhi ikhula ngokuntsonkotha ngeeprotokholi ezahlukeneyo ze-encapsulation, indima ye-Network Packet Brokers (NPBs) kunye ne-Tunnel Encapsulation Stripping capabilities iye yaba yinto ebalulekileyo ekuphuculeni imisebenzi ye-VTEP. Le blog ihlola iziseko ze-VTEP kunye nolwalamano lwayo ne-VXLAN, ize ihlolisise indlela umsebenzi we-NPBs' tunnel encapsulation stripping ophucula ngayo ukusebenza kwe-VTEP kunye nokubonakala kwenethiwekhi.
Ukuqonda i-VTEP kunye nobudlelwane bayo ne-VXLAN
Okokuqala, masicacise iingcamango eziphambili: I-VTEP, isifinyezo se-VXLAN Tunnel Endpoint, sisigqeba senethiwekhi esinoxanduva lokufaka kunye nokususa iipakethe ze-VXLAN kwinethiwekhi ye-VXLAN overlay. Isebenza njengendawo yokuqala kunye neyokugqibela yee-VXLAN tunnels, isebenza njenge "gateway" edibanisa inethiwekhi ye-virtual overlay kunye nenethiwekhi ye-physical underlay. Ii-VTEP zingasetyenziswa njengezixhobo ezibonakalayo (ezifana neeswitshi okanye ii-routers ezikwaziyo i-VXLAN) okanye izinto zesoftware (ezifana neeswitshi ezibonakalayo, ii-container hosts, okanye ii-proxies kwiimashini ezibonakalayo).
Ubudlelwane phakathi kwe-VTEP kunye ne-VXLAN buhambelana ngokwemvelo—i-VXLAN ixhomekeke kwi-VTEP ukuze ifezekise umsebenzi wayo oyintloko, ngelixa ii-VTEP zikhona kuphela ukuxhasa imisebenzi ye-VXLAN. Ixabiso eliphambili le-VXLAN kukudala inethiwekhi ye-virtual layer 2 phezu kwenethiwekhi ye-IP ye-layer 3 ngokusebenzisa i-MAC-in-UDP encapsulation, ukoyisa imida yokukhula kwee-VLAN zemveli (ezixhasa kuphela ii-ID ze-VLAN ezingama-4096) nge-24-bit VXLAN Network Identifier (VNI) evumela ukuya kuthi ga kwiinethiwekhi ze-virtual ezili-16. Nantsi indlela ii-VTEP ezenza ngayo oku: Xa umatshini we-virtual (VM) uthumela ithrafikhi, i-VTEP yendawo igubungela isakhelo se-Ethernet ye-layer 2 yokuqala ngokongeza i-header ye-VXLAN (equlethe i-VNI), i-header ye-UDP (isebenzisa i-port 4789 ngokungagqibekanga), i-header ye-IP yangaphandle (ene-IP ye-VTEP yomthombo kunye ne-IP ye-destination VTEP), kunye ne-header ye-Ethernet yangaphandle. Ipakethi evalekileyo emva koko idluliselwa ngenethiwekhi ye-underlay yomaleko wesi-3 ukuya kwi-VTEP yendawo ekuyiwa kuyo, esusa ipakethi ngokususa zonke ii-headers zangaphandle, ibuyisele isakhelo se-Ethernet sokuqala, ize iyithumele kwi-VM ekujoliswe kuyo ngokusekelwe kwi-VNI.
Ukongeza, ii-VTEP zisingatha imisebenzi ebalulekileyo efana nokufunda idilesi ye-MAC (ukudibanisa iidilesi ze-MAC zeehost zasekhaya nezikude kwi-VTEP IPs) kunye nokucubungula i-Broadcast, i-Unknown Unicast, kunye ne-Multicast traffic (BUM)—nokuba ngamaqela e-multicast okanye ukuphindaphinda kwentloko kwimo ye-unicast kuphela. Ngokwenyani, ii-VTEP zizinto zokwakha ezenza i-VXLAN's network virtualization kunye ne-multi-tenant solidation ibe nokwenzeka.
Umngeni weTrafikhi efihliweyo ye-VTEPs
Kwiindawo zanamhlanje zeziko ledatha, ithrafikhi ye-VTEP ayikhawulelwanga kwi-VXLAN encapsulation ecocekileyo. Ithrafikhi edlula kwi-VTEPs idla ngokuba neeleya ezininzi zee-headers ze-encapsulation, kuquka i-VLAN, i-GRE, i-GTP, i-MPLS, okanye i-IPIP, ukongeza kwi-VXLAN. Olu bunzima be-encapsulation buzisa imingeni ebalulekileyo kwimisebenzi ye-VTEP kunye nokubeka esweni inethiwekhi elandelayo, uhlalutyo, kunye nokunyanzeliswa kokhuseleko:
○ - Ukubonakala Okunciphileyo: Uninzi lwezixhobo zokubeka esweni inethiwekhi kunye nokhuseleko (ezifana ne-IDS/IPS, ii-flow analyzers, kunye nee-packet sniffers) zenzelwe ukucubungula i-trafikhi ye-native layer 2/layer 3. Ii-headers ezifakwe ngaphakathi ziyawufihla umthwalo wokuqala, okwenza kube nzima ukuba ezi zixhobo zihlalutye ngokuchanekileyo umxholo we-trafikhi okanye zibone izinto ezingaqhelekanga.
○ - Ukwanda kokusetyenziswa kwe-Overhead: Ii-VTEP ngokwazo kufuneka zichithe izixhobo ezongezelelweyo zekhompyutha ukuze zicubungule iipakethi ezifakwe kwiileya ezininzi, ingakumbi kwiindawo ezinabantu abaninzi abasebenzisa i-intanethi. Oku kunokukhokelela ekwandeni kokulibaziseka, ukuncipha kokuphuma kwe-intanethi, kunye nemiqobo yokusebenza enokubakho.
○ - Iingxaki zokusebenzisana: Amacandelo enethiwekhi ahlukeneyo okanye iindawo zabathengisi abaninzi zinokusebenzisa iiprotokholi ezahlukeneyo ze-encapsulation. Ngaphandle kokususa iintloko ngokufanelekileyo, ithrafikhi inokungaphumeleli ukuthunyelwa okanye ukucutshungulwa ngokuchanekileyo xa kudlula kwi-VTEPs, nto leyo ekhokelela kwiingxaki zokusebenzisana.
Indlela i-NPBs' Tunnel Encapsulation Stripping enika amandla ngayo ii-VTEP
IiMylinking™ Network Packet Brokers (NPBs) ezineTunnel Encapsulation Stripping capabilities zijongana nale mingeni ngokusebenza njenge "Traffic pre-processor" yeVTEP. IiNPB zinokususa ii-headers ezahlukeneyo ze-encapsulation (kuquka i-VXLAN, i-VLAN, i-GRE, i-GTP, i-MPLS, kunye ne-IPIP) kwiipakethi zedatha zokuqala ngaphambi kokuba zithumele i-traffic kwi-VTEP okanye kwizixhobo zokubeka esweni/zokhuseleko. Olu sebenzi lubonelela ngeenzuzo ezintathu ezibalulekileyo kwimisebenzi ye-VTEP:
1. Ukubonakala Okuphuculweyo Kwenethiwekhi Nokhuseleko
Ngokususa ii-headers ze-encapsulation, ii-NPB zityhila umthwalo wokuqala weepakethi, zivumela izixhobo zokubeka esweni nezokhuseleko ukuba "zibone" umxholo wokwenyani wethrafikhi. Umzekelo, xa ithrafikhi ye-VTEP ithunyelwa kwi-IDS/IPS, i-NPB iqala ngokususa ii-headers ze-VXLAN kunye ne-MPLS, ivumela i-IDS/IPS ukuba ibone imisebenzi enobungozi (efana ne-malware okanye imizamo yokufikelela engagunyaziswanga) kwisakhelo sokuqala. Oku kubaluleke kakhulu kwiindawo ezinabantu abaninzi abaqeshisayo apho ii-VTEP zisingatha ithrafikhi evela kubaqeshi abaninzi—ii-NPB ziqinisekisa ukuba izixhobo zokhuseleko zinokuhlola ithrafikhi ethile yabaqeshi ngaphandle kokuthintelwa yi-encapsulation.
Ngaphezu koko, ii-NPB zinokususa ii-headers ngokukhetha ngokusekelwe kwiintlobo zethrafikhi okanye i-VNI, zibonelela ngokubonakala okuncinci kwiinethiwekhi ezithile ezibonakalayo. Oku kunceda abaphathi benethiwekhi ukusombulula iingxaki (ezifana nokulahleka kwepakethi okanye i-latency) ngokwenza ukuba uhlalutyo oluchanekileyo lwethrafikhi ngaphakathi kwamacandelo e-VXLAN nganye.
2. Ukusebenza kakuhle kwe-VTEP
Ii-NPB zikhupha umsebenzi wokususa ii-header kwi-VTEPs, nto leyo enciphisa iindleko zokucubungula izixhobo ze-VTEP. Endaweni yokuba ii-VTEP zichithe izixhobo ze-CPU ekususeni iileya ezininzi zee-headers (umz., i-VLAN + GRE + VXLAN), ii-NPB zisingatha eli nyathelo lokulungisa kwangaphambili, zivumela ii-VTEP ukuba zigxile kwimisebenzi yazo ephambili: ukufaka iipakethi ze-VXLAN kunye nolawulo lwe-tunnel. Oku kubangela ukuba i-latency iphantsi, i-throughput ephezulu, kunye nokusebenza okuphuculweyo kwenethiwekhi ye-VXLAN overlay—ingakumbi kwiindawo ze-virtualization ezinoxinano olukhulu kunye namawaka ee-VM kunye nemithwalo enzima yezithuthi.
Umzekelo, kwiziko ledatha elineeNPB kunye neeSwitches ezisebenza njengeeVTEP, i-NPB (efana neMylinking™ Network Packet Brokers) inokususa ii-headers ze-VLAN kunye ne-MPLS kwi-traffic engenayo ngaphambi kokuba ifike kwi-VTEP. Oku kunciphisa inani lemisebenzi yokucubungula ii-header ekufuneka yenziwe yi-VTEP, nto leyo ebenza bakwazi ukusingatha ii-tunnels ezininzi ngaxeshanye kunye nokuhamba kwe-traffic ngaxeshanye.
3. Ukuphuculwa kokusebenzisana kwiinethiwekhi ezahlukeneyo
Kwinethiwekhi zabathengisi abaninzi okanye ezineenxalenye ezininzi, iindawo ezahlukeneyo zeziseko zingasebenzisa iiprotokholi ezahlukeneyo zokudibanisa idatha. Umzekelo, ithrafikhi evela kwiziko ledatha elikude inokufika kwi-VTEP yendawo ene-GRE encapsulation, ngelixa ithrafikhi yendawo isebenzisa i-VXLAN. I-NPB inokuhluba ezi zihloko zahlukeneyo (i-GRE, i-VXLAN, i-IPIP, njl.njl.) kwaye idlulisele umsinga wethrafikhi ohambelanayo, wendalo kwi-VTEP, isuse imiba yokusebenzisana. Oku kubaluleke kakhulu kwiindawo zelifu ezixutyiweyo, apho ithrafikhi evela kwiinkonzo zelifu zikawonke-wonke (ezidla ngokusebenzisa i-GTP okanye i-IPIP encapsulation) kufuneka idibane neenethiwekhi ze-VXLAN ezikwindawo nge-VTEPs.
Ukongeza, ii-NPB zinokuthumela ii-headers ezihlutyiweyo njenge-metadata kwizixhobo zokubeka esweni, ziqinisekisa ukuba abalawuli bagcina umxholo malunga ne-encapsulation yokuqala (njengelebula ye-VNI okanye ye-MPLS) ngelixa besenza ukuba kuhlalutywe umthwalo wendalo. Olu lungelelwaniso phakathi kokususwa kwee-header kunye nokugcinwa komxholo lubalulekile kulawulo olusebenzayo lwenethiwekhi.
Ungawusebenzisa njani umsebenzi wokuqhawula ipakeji ye-tunnel kwi-VTEP?
Ukuhlutywa kwe-tunnel encapsulation kwi-VTEP kunokuphunyezwa ngokusebenzisa uqwalaselo lwe-hardware, imigaqo-nkqubo echazwe yisoftware, kunye nokusebenzisana nabalawuli be-SDN, kunye ne-core logic egxile ekuchongeni ii-tunnel headers → ukwenza izenzo zokuhlutywa → ukuthumela imithwalo yokuqala. Iindlela ezithile zokusetyenziswa ziyahluka kancinci ngokusekelwe kwiintlobo ze-VTEP (eziphathekayo/isoftware), kwaye iindlela eziphambili zezi zilandelayo:
Ngoku, sithetha ngokuphunyezwa kwi-Physical VTEPs (umz.,Iiarhente zeepakethi zenethiwekhi ezikwaziyo ukusebenza nge-Mylinking™ VXLAN) Apha.
Ii-VTEP ezibonakalayo (ezifana neMylinking™ VXLAN-capable Network Packet Brokers) zixhomekeke kwiitships zehardware kunye nemiyalelo yoqwalaselo oluzinikeleyo ukuze kufezekiswe ukuhluthwa kwe-encapsulation okusebenzayo, okufanelekileyo kwiimeko zeziko ledatha elinabantu abaninzi:
Ukudibanisa i-encapsulation esekwe kwi-interface: Yenza ii-sub-interfaces kwizibuko zokufikelela ezibonakalayo ze-VTEPs kwaye ulungiselele iintlobo ze-encapsulation ukuze zihambelane kwaye zihlube ii-headers ze-tunnel ezithile. Umzekelo, kwi-Mylinking™ VXLAN-capable Network Packet Brokers, lungiselela ii-sub-interfaces ze-Layer 2 ukuze ziqaphele iithegi ze-802.1Q VLAN okanye iifreyimu ezingafakwanga i-tag, kwaye uhlube ii-headers ze-VLAN ngaphambi kokuthumela i-traffic kwi-VXLAN tunnel. Kwi-trafikhi efakwe i-GRE/MPLS, vumela ukuhlalutya kweprotocol ehambelanayo kwi-sub-interface ukuze uhlube ii-headers zangaphandle.
Ukuhluzwa kweentloko okusekelwe kumgaqo-nkqubo: Sebenzisa i-ACL (Uluhlu loLawulo loFikelelo) okanye umgaqo-nkqubo wethrafikhi ukuchaza imithetho yokufanisa (umz., ukufanisa i-UDP port 4789 ye-VXLAN, uhlobo lweprotocol 47 ye-GRE) kunye nezenzo zokuhluzwa ezibophayo. Xa ithrafikhi ihambelana nemithetho, itshiphu yehardware ye-VTEP ihluba ngokuzenzekelayo ii-headers ze-tunnel ezichaziweyo (ii-headers zangaphandle ze-VXLAN/UDP/IP, iilebhile ze-MPLS, njl.njl.) kwaye idlulisele phambili umthwalo wokuqala we-Layer 2.
I-Distributed gateway synergy: Kwi-Spine-Leaf VXLAN architectures, i-physical VTEPs (Leaf nodes) zinokusebenzisana ne-Layer 3 gateways ukuze kugqitywe i-multi-layer stripping. Umzekelo, emva kwe-Spine nodes zidlulisela i-MPLS-encapsulated VXLAN traffic kwi-Leaf VTEPs, ii-VTEP ziqala zihlube iilebhile ze-MPLS, emva koko zenze i-VXLAN decapsulation.
Ngaba ufuna umzekelo woqwalaselo lwesixhobo se-VTEP somthengisi othile (esifanaIiarhente zeepakethi zenethiwekhi ezikwaziyo ukusebenza nge-Mylinking™ VXLAN) ukuphumeza ukuhlutywa kwe-tunnel encapsulation?
Imeko Esebenzayo Yokusetyenziswa
Cinga ngeziko ledatha elikhulu leshishini elisebenzisa inethiwekhi ye-VXLAN overlay ene-H3C switches njenge-VTEPs, exhasa ii-VM ezininzi eziqeshisayo. Iziko ledatha lisebenzisa i-MPLS ukuhambisa ithrafikhi phakathi kwe-core switches kunye ne-VXLAN kunxibelelwano lwe-VM-to-VM. Ukongeza, ii-ofisi zamasebe ezikude zithumela ithrafikhi kwiziko ledatha ngee-GRE tunnels. Ukuqinisekisa ukhuseleko kunye nokubonakala, eli shishini lisebenzisa i-NPB ene-Tunnel Encapsulation Stripping phakathi kwenethiwekhi engundoqo kunye ne-VTEPs.
Xa ithrafikhi ifika kwiziko ledatha:
(1) I-NPB iqala ngokususa ii-headers ze-MPLS kwitrafikhi evela kwinethiwekhi ephambili kunye nee-headers ze-GRE kwitrafikhi yeofisi yesebe.
(2) Kwithrafikhi ye-VXLAN phakathi kwe-VTEPs, i-NPB inokususa ii-headers ze-VXLAN zangaphandle xa ithumela ithrafikhi kwizixhobo zokubeka esweni, ivumela izixhobo ukuba zihlole ithrafikhi ye-VM yokuqala.
(3) I-NPB ithumela ithrafikhi esele isetyenzisiwe (ehluthwe ziintloko) kwi-VTEP, ezifuna kuphela ukusingatha i-VXLAN encapsulation/decapsulation yomthwalo wemali wendalo. Olu seto lunciphisa umthwalo wokucubungula i-VTEP, lwenza ukuba uhlalutyo olupheleleyo lwethrafikhi, kwaye luqinisekisa ukusebenzisana okungenamthungo phakathi kwamacandelo e-MPLS, GRE, kunye ne-VXLAN.
Ii-VTEP zingumqolo weenethiwekhi ze-VXLAN, zivumela ukwenziwa kwe-virtualization okunokwandiswa kunye nonxibelelwano olunabantu abaninzi. Nangona kunjalo, ubunzima obukhulayo bethrafikhi ehlanganisiweyo kwiinethiwekhi zanamhlanje bubangela imingeni ebalulekileyo ekusebenzeni kwe-VTEP kunye nokubonakala kwenethiwekhi. Ii-Network Packet Brokers ezineTunnel Encapsulation Stripping zijongana nale mingeni ngokucubungula ithrafikhi kwangaphambili, zisusa ii-headers ezahlukeneyo (i-VXLAN, i-VLAN, i-GRE, i-GTP, i-MPLS, i-IPIP) ngaphambi kokuba ifikelele kwi-VTEP okanye izixhobo zokubeka esweni. Oku akupheleli nje ekuphuculeni ukusebenza kwe-VTEP ngokunciphisa iindleko zokucubungula kodwa kuphucula ukubonakala kwenethiwekhi, komeleza ukhuseleko, kwaye kuphucula ukusebenzisana kwiindawo ezahlukeneyo.
Njengoko imibutho iqhubeka nokwamkela uyilo lwendalo lwamafu kunye nokufakwa kwamafu axutyiweyo, ukusebenzisana phakathi kwe-NPB kunye ne-VTEP kuya kuba yinto ebalulekileyo ngakumbi. Ngokusebenzisa umsebenzi we-NPB's tunnel encapsulation stripping, abalawuli benethiwekhi banokuvula amandla apheleleyo eenethiwekhi ze-VXLAN, ukuqinisekisa ukuba zisebenza kakuhle, zikhuselekile, kwaye ziyazivumelanisa neemfuno zoshishino eziguqukayo.
Ixesha lokuthumela: Jan-09-2026
