Ukuze sixoxe ngeengcango zeVXLAN, kufuneka siqale sixoxe ngeVXLAN ngokwayo. Khumbula ukuba iiVLAN zemveli (iiVirtual Local Area Networks) zisebenzisa ii-ID zeVLAN ze-12-bit ukwahlulahlula iinethiwekhi, zixhasa ukuya kuthi ga kwiinethiwekhi ezinengqondo ezingama-4096. Oku kusebenza kakuhle kwiinethiwekhi ezincinci, kodwa kumaziko edatha anamhlanje, kunye namawaka oomatshini bazo ababonakalayo, izikhongozeli, kunye neendawo eziqeshisayo ezininzi, iiVLAN azanele. I-VXLAN yazalwa, ichazwa yi-Internet Engineering Task Force (IETF) kwi-RFC 7348. Injongo yayo kukwandisa i-domain yokusasaza yeLayer 2 (Ethernet) kwiinethiwekhi zeLayer 3 (IP) kusetyenziswa imigudu ye-UDP.
Ngamafutshane, i-VXLAN ihlanganisa iifreyimu ze-Ethernet ngaphakathi kwiipakethi ze-UDP kwaye yongeza i-24-bit VXLAN Network Identifier (VNI), exhasa ngokwethiyori iinethiwekhi ze-virtual ezili-16 lezigidi. Oku kufana nokunika inethiwekhi nganye ye-virtual "ikhadi lobunikazi," elibavumela ukuba bahambe ngokukhululekileyo kwinethiwekhi ebonakalayo ngaphandle kokuphazamisana. Icandelo eliphambili le-VXLAN yi-VXLAN Tunnel End Point (VTEP), enoxanduva lokufaka kunye nokususa iipakethi. I-VTEP ingaba yisoftware (efana ne-Open vSwitch) okanye i-hardware (efana ne-ASIC chip kwiswitshi).
Kutheni iVXLAN ithandwa kangaka? Kuba ihambelana ngokugqibeleleyo neemfuno ze-cloud computing kunye ne-SDN (Software-Defined Networking). Kwi-clouds zikawonke-wonke ezifana ne-AWS kunye ne-Azure, iVXLAN ivumela ulwandiso olungenamthungo lweenethiwekhi ezibonakalayo zabaqeshi. Kwiziko ledatha zabucala, ixhasa uyilo lwenethiwekhi olungaphezulu njengeVMware NSX okanye iCisco ACI. Khawuthelekelele iziko ledatha elinamawaka eeseva, nganye isebenzisa amashumi eeVM (iiMashini ezingokoqobo). I-VXLAN ivumela ezi VM ukuba zibone njengenxalenye yenethiwekhi efanayo yeLayer 2, iqinisekisa ukuhanjiswa okubushelelezi kosasazo lwe-ARP kunye nezicelo ze-DHCP.
Nangona kunjalo, i-VXLAN ayiloyeza. Ukusebenza kwinethiwekhi ye-L3 kufuna ukuguqulwa kwe-L2 ukuya kwi-L3, kulapho isango lingena khona. Isango le-VXLAN lidibanisa inethiwekhi ebonakalayo ye-VXLAN neenethiwekhi zangaphandle (ezifana nee-VLAN zemveli okanye iinethiwekhi zokuhambisa i-IP), ukuqinisekisa ukuhamba kwedatha ukusuka kwihlabathi elibonakalayo ukuya kwihlabathi lokwenyani. Indlela yokudlulisela phambili yintliziyo nomphefumlo wesango, emisela indlela iipakethi ezicutshungulwa ngayo, ezihanjiswa ngayo, kwaye zisasazwa ngayo.
Inkqubo yokudlulisela phambili i-VXLAN ifana ne-ballet ethambileyo, apho inyathelo ngalinye ukusuka kumthombo ukuya kwindawo eliya kuyo liqhagamshelwe ngokusondeleyo. Masiyihlalutye inyathelo ngenyathelo.
Okokuqala, ipakethi ithunyelwa kwi-source host (efana ne-VM). Le yifreyimu ye-Ethernet eqhelekileyo equlathe idilesi ye-source MAC, idilesi ye-destination MAC, i-VLAN tag (ukuba ikhona), kunye nomthwalo wokuhlawula. Xa ifumana le freyimu, i-source VTEP ijonga idilesi ye-destination MAC. Ukuba idilesi ye-destination MAC ikwitheyibhile yayo ye-MAC (efunyenwe ngokufunda okanye ngokukhukula), iyazi ukuba yeyiphi i-remote VTEP ekufuneka ithumele kuyo ipakethi.
Inkqubo yokufaka i-encapsulation ibalulekile: i-VTEP yongeza i-VXLAN header (kuquka i-VNI, iiflegi, njalo njalo), emva koko i-UDP header yangaphandle (ene-source port esekelwe kwi-hash yesakhelo sangaphakathi kunye ne-fixed destination port ye-4789), i-IP header (ene-source IP address ye-local VTEP kunye ne-destination IP address ye-remote VTEP), kwaye ekugqibeleni i-Ethernet header yangaphandle. Lonke ipakethi ngoku livela njengepakethi ye-UDP/IP, libonakala njengetrafikhi eqhelekileyo, kwaye linokuhanjiswa kwinethiwekhi ye-L3.
Kwinethiwekhi ebonakalayo, ipakethi ithunyelwa yi-router okanye iswitshi ide ifike kwindawo ekuyiwa kuyo i-VTEP. Indawo ekuyiwa kuyo i-VTEP isusa i-header yangaphandle, ijonge i-header ye-VXLAN ukuqinisekisa ukuba i-VNI iyahambelana, ize emva koko ihambise ifreyimu yangaphakathi ye-Ethernet kwi-host yendawo ekuyiwa kuyo. Ukuba ipakethi ayaziwa njenge-unicast, i-broadcast, okanye i-multicast (BUM), i-VTEP iphinda ipakethi kuzo zonke ii-VTEP ezifanelekileyo isebenzisa i-flooding, ixhomekeke kumaqela e-multicast okanye i-unicast header replication (HER).
Eyona nto iphambili kumgaqo wokudlulisela phambili kukwahlulwa kwendiza yokulawula kunye nendiza yedatha. Indiza yokulawula isebenzisa i-Ethernet VPN (EVPN) okanye indlela yeFlood and Learn yokufunda iimephu ze-MAC kunye ne-IP. I-EVPN isekelwe kwi-BGP protocol kwaye ivumela ii-VTEP ukuba zitshintshiselane ngolwazi lwe-routing, olufana ne-MAC-VRF (Virtual Routing and Forwarding) kunye ne-IP-VRF. Indiza yedatha inoxanduva lokudlulisela phambili, isebenzisa imigudu ye-VXLAN ukuze idlulisele ngempumelelo.
Nangona kunjalo, kwiindawo zokusasazwa kwezixhobo, ukusebenza kakuhle kokudlulisela umbane kuchaphazela ngokuthe ngqo ukusebenza. Izikhukula zemveli zinokubangela iziphepho zokusasaza ngokulula, ingakumbi kwiinethiwekhi ezinkulu. Oku kukhokelela kwimfuneko yokwenza ngcono isango: iisango aziqhagamsheli nje kuphela iinethiwekhi zangaphakathi nezangaphandle kodwa zikwasebenza njengeearhente ze-ARP ezimeleyo, zisingatha ukuvuza kwendlela, kwaye ziqinisekisa iindlela ezimfutshane zokudlulisela umbane.
Isango le-VXLAN elisembindini
Isango le-VXLAN elisembindini, elikwabizwa ngokuba yisango elisembindini okanye isango le-L3, lidla ngokubekwa kumphetho okanye kumaleko ophakathi weziko ledatha. Lisebenza njengehabhu ephakathi, apho zonke iitrafikhi ze-cross-VNI okanye ze-cross-subnet kufuneka zidlule khona.
Ngokomgaqo, isango eliphakathi lisebenza njengesango elimiselweyo, libonelela ngeenkonzo zokuhambisa i-Layer 3 kuzo zonke iinethiwekhi ze-VXLAN. Cinga ngee-VNI ezimbini: i-VNI 10000 (i-subnet 10.1.1.0/24) kunye ne-VNI 20000 (i-subnet 10.2.1.0/24). Ukuba i-VM A kwi-VNI 10000 ifuna ukufikelela kwi-VM B kwi-VNI 20000, iphakheji ifika kuqala kwi-VTEP yendawo. I-VTEP yendawo ifumanisa ukuba idilesi ye-IP yendawo ayikho kwi-subnet yendawo kwaye iyithumele kwi-gateway ephakathi. Isango liyayisusa ipakethe, lenze isigqibo sokuhambisa, kwaye emva koko liyifake kwakhona ipakethe kwi-tunnel ukuya kwi-VNI yendawo.
Iingenelo zicacile:
○ Ulawulo olululaZonke iindlela zokucwangcisa i-routing zibekwe kwindawo enye okanye ezimbini, nto leyo evumela abaqhubi ukuba bagcine iingcango ezimbalwa kuphela zokugubungela lonke inethiwekhi. Le ndlela ifanelekile kumaziko edatha amancinci naphakathi okanye kwiindawo ezisebenzisa i-VXLAN okokuqala.
○Ukusebenzisa izixhobo kakuhleIiGateways zihlala zizixhobo ezisebenza kakuhle (ezifana neCisco Nexus 9000 okanye iArista 7050) ezikwaziyo ukuphatha ithrafikhi eninzi. Iplani yokulawula ibekwe kwindawo enye, nto leyo enceda ukuhlanganiswa nabalawuli be-SDN abanjengo-NSX Manager.
○Ulawulo lokhuseleko oluqinileyoIzithuthi kufuneka zidlule kwisango, nto leyo eyenza kube lula ukuphunyezwa kwee-ACL (Uluhlu loLawulo loFikelelo), ii-firewall, kunye ne-NAT. Khawucinge ngemeko enabantu abaninzi abaqeshayo apho isango eliphakathi linokwahlula ngokulula izithuthi zabaqeshi.
Kodwa iziphene azinakubethwa ngoyaba:
○ Ingongoma enye yokusilelaUkuba isango liyasilela, unxibelelwano lwe-L3 kuyo yonke inethiwekhi luyacinywa. Nangona i-VRRP (Virtual Router Redundancy Protocol) ingasetyenziselwa ukuphindaphindwa kweenkcukacha, isenemingcipheko.
○Umqobo wokusebenzaZonke iitrafikhi ezisuka empuma ukuya entshona (unxibelelwano phakathi kweeseva) kufuneka zidlule isango, nto leyo ekhokelela kwindlela engaphantsi. Umzekelo, kwi-cluster ye-1000-node, ukuba i-bandwidth yesango yi-100Gbps, ukuxinana kunokwenzeka ngexesha leeyure ezixakekileyo.
○Ukungakwazi ukukhulisa kakuhleNjengoko isikali senethiwekhi sikhula, umthwalo wesango uyanda ngokukhawuleza. Kumzekelo wokwenyani, ndibone iziko ledatha yezemali lisebenzisa isango eliphakathi. Ekuqaleni, liqhube kakuhle, kodwa emva kokuba inani lee-VM liphindaphindwe kabini, i-latency yanda kakhulu ukusuka kwi-microseconds ukuya kwi-milliseconds.
Imeko yoSetyenziso: Ifanelekile kwiindawo ezifuna ulawulo olulula oluphezulu, njengee-clouds zabucala zeshishini okanye iinethiwekhi zovavanyo. Uyilo lwe-ACI lweCisco ludla ngokusebenzisa imodeli ephakathi, edityaniswe ne-topology ye-leaf-spine, ukuqinisekisa ukusebenza kakuhle kwee-core gateways.
Isango le-VXLAN elisasazwe
I-VXLAN gateway esasazekileyo, eyaziwa ngokuba yi-distributed gateway okanye i-anycast gateway, ithumela umsebenzi we-gateway kwi-leaf switch nganye okanye kwi-hypervisor VTEP. I-VTEP nganye isebenza njenge-local gateway, ephatha ukuthunyelwa kwe-L3 kwi-subnet yendawo.
Lo mgaqo uguquguqukayo ngakumbi: i-VTEP nganye icwangciswe nge-IP ebonakalayo (VIP) efanayo nesango elimiselweyo, kusetyenziswa indlela ye-Anycast. Iipakethi ze-cross-subnet ezithunyelwa yi-VM zithunyelwa ngqo kwi-VTEP yendawo, ngaphandle kokudlula kwindawo ephakathi. I-EVPN iluncedo kakhulu apha: nge-BGP EVPN, i-VTEP ifunda iindlela zeehost ezikude kwaye isebenzisa i-MAC/IP binding ukuthintela ukugcwala kwe-ARP.
Umzekelo, i-VM A (10.1.1.10) ifuna ukufikelela kwi-VM B (10.2.1.10). Isango elimiselweyo le-VM A yi-VIP ye-VTEP yendawo (10.1.1.1). I-VTEP yendawo iya kwi-subnet yendawo, igquma ipakethe ye-VXLAN, kwaye iyithumele ngqo kwi-VTEP ye-VM B. Le nkqubo inciphisa indlela kunye nokubambezeleka.
Iingenelo eziBalaseleyo:
○ Ukukhula okuphezuluUkusasaza ukusebenza kwesango kuyo yonke indawo kwandisa ubungakanani benethiwekhi, nto leyo eluncedo kwiinethiwekhi ezinkulu. Ababoneleli bamafu amakhulu njengeGoogle Cloud basebenzisa indlela efanayo ukuxhasa izigidi zeeVM.
○Ukusebenza okugqwesileyoItrafikhi esuka eMpuma-ntshona icutshungulwa apha ekuhlaleni ukuze kuthintelwe iingxaki. Idatha yovavanyo ibonisa ukuba i-throughput inokunyuka nge-30%-50% kwindlela esasazwe ngayo.
○Ukulungiswa ngokukhawuleza kwempazamoUkusilela okukodwa kwe-VTEP kuchaphazela kuphela i-host yendawo, kushiya amanye ama-node engachaphazeleki. Xa idibene nokuhlangana okukhawulezayo kwe-EVPN, ixesha lokubuyisela likwimizuzwana.
○Ukusetyenziswa kakuhle kwezixhoboSebenzisa itshiphu ye-ASIC yeLeaf switch ekhoyo ukukhawulezisa izixhobo, kunye namazinga okudlulisela afikelela kwinqanaba le-Tbps.
Zithini iingxaki?
○ Uqwalaselo oluntsonkothileyoI-VTEP nganye ifuna uqwalaselo lwendlela yokusebenza, i-EVPN, kunye nezinye iimpawu, nto leyo eyenza ukuba ukuqaliswa kokuqala kuthathe ixesha. Iqela lokusebenza kufuneka liqhelene ne-BGP kunye ne-SDN.
○Iimfuno eziphezulu zehardwareIsango elisasazwayo: Ayizizo zonke iiswitshi ezixhasa iisango ezisasazwayo; iitships zeBroadcom Trident okanye zeTomahawk ziyafuneka. Ukuphunyezwa kwesoftware (njenge-OVS kwi-KVM) akusebenzanga kakuhle njengehardware.
○Imingeni yokungaguquguqukiI-Distributed ithetha ukuba ulungelelwaniso lwe-state luxhomekeke kwi-EVPN. Ukuba iseshoni ye-BGP iyatshintshatshintsha, inokubangela umngxuma omnyama we-routing.
Imeko yesicelo: Ifanelekile kwiindawo zedatha ezikumgangatho ophezulu okanye amafu kawonke-wonke. I-router esasazwayo ye-VMware NSX-T ngumzekelo oqhelekileyo. Idityaniswe neKubernetes, ixhasa uthungelwano lweekhonteyina ngaphandle komthungo.
I-VxLAN Gateway ephakathi kunye ne-Distributed VxLAN Gateway
Ngoku sijonge kwincopho: yeyiphi engcono? Impendulo ithi "kuxhomekeke", kodwa kufuneka singene nzulu kwidatha kunye nezifundo zetyala ukuze sikukholise.
Ngokwembono yokusebenza, iinkqubo ezisasaziweyo zisebenza kakuhle kakhulu. Kwi-benchmark eqhelekileyo yeziko ledatha (esekelwe kwizixhobo zovavanyo lweSpirent), i-latency ephakathi yesango eliphakathi yayiyi-150μs, ngelixa eyenkqubo esasaziweyo yayiyi-50μs kuphela. Ngokuphathelele i-throughput, iinkqubo ezisasaziweyo zinokufikelela ngokulula kwi-line-rate forwarding kuba zisebenzisa i-Spine-Leaf Equal Cost Multi-Path (ECMP) routing.
Ukwanda kwesantya se-intanethi yenye indawo yokulwa. Iinethiwekhi ezikwindawo enye zifanelekile kwiinethiwekhi ezinee-node ezili-100-500; ngaphaya kwesi silinganiso, iinethiwekhi ezikwindawo enye zifumana amandla aphezulu. Umzekelo, thatha i-Alibaba Cloud. I-VPC yabo (i-Virtual Private Cloud) isebenzisa ii-gateways ze-VXLAN ezikwindawo enye ukuxhasa izigidi zabasebenzisi kwihlabathi liphela, kunye ne-latency yesithili esinye phantsi kwe-1ms. Indlela ekwindawo enye ibiya kuwa kudala.
Kuthekani ngeendleko? Isisombululo esiphakathi sinika utyalo-mali oluphantsi lokuqala, olufuna kuphela amasango ambalwa aphezulu. Isisombululo esisasazwayo sifuna zonke iindawo zamagqabi ukuxhasa ukukhutshwa kwe-VXLAN, nto leyo ekhokelela kwiindleko eziphezulu zokuphucula izixhobo. Nangona kunjalo, ekuhambeni kwexesha, isisombululo esisasazwayo sinika iindleko eziphantsi ze-O&M, njengoko izixhobo zokwenza izinto ngokuzenzekelayo ezifana ne-Ansible zivumela ukucwangciswa kwebhetshi.
Ukhuseleko kunye nokuthembeka: Iinkqubo ezikwindawo enye zenza kube lula ukhuseleko olukwindawo enye kodwa zibeka umngcipheko omkhulu wokuhlaselwa ngamanqaku athile. Iinkqubo ezisasazekileyo zinamandla ngakumbi kodwa zifuna ulawulo oluqinileyo ukuthintela uhlaselo lwe-DDoS.
Isifundo sokwenyani: Inkampani ye-e-commerce isebenzise i-VXLAN ephakathi ukwakha indawo yayo. Ngexesha lexesha elixakekileyo, ukusetyenziswa kwe-CPU yesango kunyuke ukuya kwi-90%, nto leyo ekhokelele kwizikhalazo zabasebenzisi malunga nokubambezeleka. Ukutshintshela kwimodeli esasazwe kusombulule le ngxaki, kwavumela inkampani ukuba iphindaphindeke kabini ubukhulu bayo ngokulula. Ngokwahlukileyo koko, ibhanki encinci yagxininisa kwimodeli ephakathi kuba yayibeka phambili uphicotho lokuthobela imithetho kwaye yafumanisa ukuba ulawulo oluphakathi lulula.
Ngokubanzi, ukuba ufuna ukusebenza kwenethiwekhi okugqithisileyo kunye nobukhulu bayo, indlela esasazwayo yindlela efanelekileyo. Ukuba uhlahlo lwabiwo-mali lwakho luncinci kwaye iqela lakho lolawulo alinawo amava, indlela esasazwayo iyasebenza ngakumbi. Kwixesha elizayo, ngokunyuka kwe-5G kunye ne-edge computing, iinethiwekhi ezisasazwayo ziya kuba zithandwa ngakumbi, kodwa iinethiwekhi ezisasazwayo ziya kuba luncedo kwiimeko ezithile, ezifana nokunxibelelana kweofisi yesebe.
IiPakethi zeNethiwekhi zeMylinking™inkxaso ye-VxLAN, VLAN, GRE, MPLS Header Stripping
Ixhase i-header ye-VxLAN, VLAN, GRE, MPLS ehluthwe kwiphakheji yedatha yokuqala kwaye ikhuphe imveliso ethunyelweyo.
Ixesha leposi: Okthobha-09-2025
