Professional Documents
Culture Documents
Issue: V1.0
Date: 2014-09-05
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website:
http://www.huawei.com
Intended Audience
This document is intended for:
Marketing personnel
Sales personnel
Channel sellers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Contents
About This Document ii
1 Overview 1
1.1 Background 1
1.2 Current Status 2
1.2.1 CPU-based Virtual Switching 2
1.2.2 Physical NIC-based Virtual Switching 2
1.2.3 Switch-based Virtual Switching 3
2 Introduction 5
2.1 Overview 5
2.2 Solution Architecture 7
2.3 Characteristics 7
6 Glossary 23
6.1 Acronyms and Abbreviations 23
1 Overview
1.1 Background
Computing virtualization drives the development of network virtualization. In a traditional data center, a server runs one operating system (OS), connects to a switch through physical cables, and performs data exchange, traffic control, and security control over that connection. After computing resources are virtualized, one server functions as multiple virtual hosts, each with its own CPU, memory, and network interface card (NIC). These virtual hosts need to communicate with each other, and because they share one physical server they also place higher demands on security isolation and traffic control. This is what creates the need for virtual switching technology.
To unify and simplify the configuration and management of the virtual switches deployed on hosts, the distributed virtual switch (DVS) was introduced. A DVS allows administrators to configure, manage, and monitor the virtual switches on multiple servers, and keeps network configuration consistent when a VM migrates between servers.
Figure 1-1 shows the network virtualization development.
Figure 1-1 Network virtualization development
1. High performance and low delay in packet forwarding between VMs on the same server.
2. High performance in layer 2 software forwarding among VMs powered by the DVS.
3.
4. Flexible scalability. Unlike physical switches, which use layer 3 chips, servers implement virtual switching purely in software, which provides flexible and rapid scalability and makes cloud computing networks easier to extend.
5. Large server memory. The layer 2 switching capability and access control list (ACL) capability of a server are much greater than those of a physical switch.
Compared with DVSs that use a Virtual Ethernet Bridge (VEB) for data exchange, NIC-based virtual switching reduces CPU usage because the switching is performed in the NIC itself and no CPU cycles are spent on it.
When the passthrough function is enabled for a physical NIC, the delay of packet forwarding from a VM to the physical NIC drops dramatically, because passthrough connects the VM directly to a PCI Express (PCIe) device.
Traditional commercial physical NICs do not support live migration or flexible security isolation, and their functions are hard to extend.
Huawei's self-developed iNIC hardware connects a virtual NIC (vNIC) of a VM directly to the Virtual Machine Device Queues (VMDq) of the iNIC, and supports live migration and security isolation.
802.1Qbg VEPA
Virtual Ethernet Port Aggregator (VEPA), based on the IEEE 802.1Qbg standard, forwards packets in hairpin mode, which requires both the VMM software and the switch software to be upgraded.
Like a Virtual Ethernet Bridge (VEB), a VEPA can be implemented on the server either in software, as a thin layer in the hypervisor, or in hardware in the NIC, where it can be combined with PCIe I/O virtualization technologies such as SR-IOV. A VEPA can be deployed wherever a VEB is deployed, but it is not a replacement for the VEB, because each has its own characteristics. The VEPA's distinguishing features are that it is part of the IEEE standards and imposes no special requirements on packet formats. In addition, the VEPA approach is easy to implement, requiring only small modifications to the NIC driver, the VMM bridge module, and the external switch software, so it is cost-effective.
The Port Extension (PE) technology introduces a new device called a Port Extender, a physical switch with limited functions that usually acts as a line card of an uplink physical switch. The Port Extender maps each of its physical ports to a virtual port on the uplink switch by means of packet tags added under the PE scheme, and uses these tags for packet forwarding and policy control.
VN-tag identifies the source and destination VM ports of a packet and specifies its broadcast domain. With DVSs and NICs that support VN-tag, an approach similar to Edge Virtual Bridging (EVB) multi-channel can be implemented. However, VN-tag has some drawbacks.
Because VN-tag is a new tagging scheme that does not comply with current standards such as IEEE 802.1Q, IEEE 802.1ad, and IEEE 802.1X tags, VN-tags can be applied only to NICs, switches, software, and other new network products that support them.
Initially, the IEEE 802.1 working group considered making the PE part of the EVB standard, but eventually made it an independent standard, 802.1 Bridge Port Extension. Cisco once proposed that the IEEE 802.1Q working group use Cisco's proprietary VN-tag technology to implement EVB, but the working group declined. Recently, Cisco revised its VN-tag draft, now called M-tag, which also aims to standardize communication between Port Extenders and uplink switches.
2 Introduction
2.1 Overview
Figure 2-1 shows a virtual switching scenario.
Figure 2-1 Virtual switching scenario
Multiple DVSs can be configured, and each DVS can serve multiple CNA nodes in a cluster.
A DVS provides several virtual switch ports (VSPs), each with its own attributes such as rate, statistics, and ACL. Ports with the same attributes are assigned to a port group for management, and port groups with the same attributes use the same VLAN.
Different physical ports can be configured for the management plane, storage plane, and service plane. An uplink port or an uplink port aggregation group can be configured for each DVS so that the VMs served by the DVS can communicate externally. An uplink aggregation group comprises multiple physical NICs that operate under load-balancing policies.
Each VM provides multiple vNIC ports, each of which connects to a unique VSP.
Administrators or users can specify a server, which allows layer 2 migration in a cluster, to create a virtual layer 2 network based on service requirements and configure the subnet and VLAN used by this network.
Table: Port Group, Uplink Port, Uplink Aggregation (columns: Description, Remarks)
As shown in Figure 2-3, a Huawei DVS supports both the virtual switching function of an open-source DVS and the virtual switching function of an iNIC, which takes over virtual switching from the CPU entirely. Although the open DVS and the iNIC provide the same virtual switching functions, the DVS Manager (DVSM) manages them through different plug-ins.
2.3 Characteristics
The solution has the following characteristics:
1. A unified portal and centralized management modules simplify user management and configuration.
2. Open DVSs are integrated so that the virtual switching functions of open source communities are used and inherited.
3. iNICs take over the virtual switching functions of the CPU and provide VM network passthrough capabilities, improving VM network performance and reducing CPU usage. FusionCompute and Huawei iNICs together enable passthrough and VM live migration, and keep all DVS features compatible with each other.
4. Various layer 2 network features are provided, including switching, QoS, security isolation, and maintenance.
3.1 Host
A host is a physical server on which FusionCompute is installed to run VMs. A host provides CPU and memory resources for VMs and enables them to access networks.
3.2 DVS
A DVS manages the Elastic Virtual Switches (EVSs) and iNICs associated with multiple hosts, as well as the ports on hosts and VMs. A DVS ensures that network configurations remain consistent when a VM migrates between hosts.
VMDq
Intel VMDq is a hardware-assisted I/O virtualization technology that performs virtual switching in the NIC hardware, improving the virtual I/O performance of NICs.
In this solution VMDq is implemented using Huawei-developed iNICs. VMDq connects a vNIC to a virtual queue of the iNIC so that network packets are transmitted directly, without passing through the hypervisor, which removes the performance overhead of packet processing in Domain 0. Because VMDq is not compatible with memory swapping, it cannot be enabled while the memory overcommitment function is in use.
SR-IOV cut-through
Most commercial 10GE NICs support the SR-IOV cut-through technology. This technology creates multiple physical functions (PFs) on a physical NIC, each of which provides multiple virtual functions (VFs).
This feature allows a VM to have exclusive use of a VF derived from a PF. The VM then uses physical NIC resources directly, without the CPU overhead of virtual switching, which improves network performance and reduces latency for VMs.
The SR-IOV cut-through technology allows VLAN and MAC to be configured for virtual switching and can also provide QoS control based on PCIe VFs.
Abbreviations used in the figure: iSCSI; Mgr, management plane; VM, virtual machine.
The management plane, storage plane, and service plane are each allocated a specified share of the physical bandwidth, so congestion on one plane does not affect I/O on the other planes. Administrators can configure the average bandwidth, peak bandwidth, and burst traffic to implement network I/O control.
upper bandwidth limit for vNICs to limit the maximum bandwidth of a VM. The bandwidth priority allows a VM with a higher priority to occupy more bandwidth.
4.4 Security
4.4.1 Layer 2 Network Security Policy
Figure 4-2 illustrates the layer 2 network security policy mechanism.
Figure 4-2 Layer 2 network security policy mechanism
The layer 2 network security policies prevent IP or MAC address spoofing and DHCP server spoofing against user VMs.
IP-MAC address binding prevents IP or MAC address spoofing carried out by changing the IP address or MAC address of a vNIC, thereby enhancing the network security of user VMs. With this feature enabled, an IP address is bound to a MAC address using DHCP snooping, and packets from untrusted sources are then filtered using IP Source Guard and dynamic ARP inspection (DAI).
DHCP quarantine prevents users from unintentionally or maliciously enabling the DHCP server service on a VM, ensuring that VM IP address assignment works normally.
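The filtering chain described above (DHCP snooping to build the IP-MAC bindings, IP Source Guard and DAI checked against those bindings, and DHCP quarantine on VM-facing ports) can be simulated in a few dozen lines. The following Python block is an added example and not FusionCompute code; the port names, MAC and IP addresses, and the simplified Packet representation are constructed for illustration.

```python
# Added example (not FusionCompute code): a simulation of the layer 2 security
# policies described above. Port names, MACs and addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    """Minimal view of a frame arriving at a virtual switch port (constructed)."""
    port: str                      # virtual switch port the frame arrived on
    src_mac: str
    kind: str                      # "dhcp", "arp" or "ip"
    src_ip: Optional[str] = None   # IP source address (kind == "ip")
    dhcp_op: Optional[str] = None  # "discover", "request", "offer", "ack"
    dhcp_client_mac: Optional[str] = None
    dhcp_yiaddr: Optional[str] = None      # address assigned in an ACK
    arp_sender_mac: Optional[str] = None
    arp_sender_ip: Optional[str] = None


@dataclass
class L2SecurityPolicy:
    trusted_ports: set                               # uplink ports; DHCP servers live here
    bindings: dict = field(default_factory=dict)     # port -> (mac, ip) learned by snooping
    pending: dict = field(default_factory=dict)      # client mac -> port awaiting an ACK
    drops: list = field(default_factory=list)        # (port, reason) audit trail

    def process(self, pkt: Packet) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if pkt.kind == "dhcp":
            return self._dhcp(pkt)
        if pkt.kind == "arp":
            return self._dai(pkt)
        if pkt.kind == "ip":
            return self._ip_source_guard(pkt)
        return self._drop(pkt, "unknown frame kind")

    def _drop(self, pkt, reason):
        self.drops.append((pkt.port, reason))
        return False

    def _dhcp(self, pkt):
        if pkt.dhcp_op in ("discover", "request"):
            # Remember which port the client sits on so the ACK can be bound to it.
            self.pending[pkt.dhcp_client_mac] = pkt.port
            return True
        if pkt.dhcp_op in ("offer", "ack"):
            # DHCP quarantine: server messages are accepted from trusted ports only.
            if pkt.port not in self.trusted_ports:
                return self._drop(pkt, "DHCP quarantine: server message from VM port")
            if pkt.dhcp_op == "ack":
                # DHCP snooping: learn the IP-MAC binding from the server's ACK.
                client_port = self.pending.pop(pkt.dhcp_client_mac, None)
                if client_port is not None:
                    self.bindings[client_port] = (pkt.dhcp_client_mac, pkt.dhcp_yiaddr)
            return True
        return self._drop(pkt, "unknown DHCP message")

    def _ip_source_guard(self, pkt):
        if pkt.port in self.trusted_ports:
            return True
        if self.bindings.get(pkt.port) != (pkt.src_mac, pkt.src_ip):
            return self._drop(pkt, "IP Source Guard: source does not match binding")
        return True

    def _dai(self, pkt):
        if pkt.port in self.trusted_ports:
            return True
        if self.bindings.get(pkt.port) != (pkt.arp_sender_mac, pkt.arp_sender_ip):
            return self._drop(pkt, "DAI: ARP sender does not match binding")
        return True


def run_scenario():
    """Replay constructed traffic; return ({label: forwarded?}, policy)."""
    policy = L2SecurityPolicy(trusted_ports={"uplink0"})
    vm_a = "02:00:00:00:00:0a"
    traffic = [
        ("discover", Packet("vsp1", vm_a, "dhcp", dhcp_op="discover", dhcp_client_mac=vm_a)),
        ("rogue_offer", Packet("vsp2", "02:00:00:00:00:0b", "dhcp", dhcp_op="offer",
                               dhcp_client_mac=vm_a, dhcp_yiaddr="10.0.0.66")),
        ("ack", Packet("uplink0", "02:00:00:00:00:ff", "dhcp", dhcp_op="ack",
                       dhcp_client_mac=vm_a, dhcp_yiaddr="10.0.0.10")),
        ("ip_ok", Packet("vsp1", vm_a, "ip", src_ip="10.0.0.10")),
        ("ip_wrong_ip", Packet("vsp1", vm_a, "ip", src_ip="10.0.0.99")),
        ("ip_wrong_mac", Packet("vsp1", "02:00:00:00:00:0c", "ip", src_ip="10.0.0.10")),
        ("ip_unbound_port", Packet("vsp3", "02:00:00:00:00:0d", "ip", src_ip="10.0.0.20")),
        ("arp_ok", Packet("vsp1", vm_a, "arp", arp_sender_mac=vm_a, arp_sender_ip="10.0.0.10")),
        ("arp_gateway_claim", Packet("vsp1", vm_a, "arp", arp_sender_mac=vm_a, arp_sender_ip="10.0.0.1")),
    ]
    results = {label: policy.process(pkt) for label, pkt in traffic}
    return results, policy
```

run_scenario() replays a DHCP exchange followed by matching and mismatching IP and ARP traffic and returns which frames were forwarded; the drops list is the kind of per-port audit trail a monitoring pipeline would consume.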
belong to set the suppression threshold, reducing the consumption of layer 2 network bandwidth by excessive broadcast packets.
Administrators can enable the broadcast packet suppression function and set the ARP broadcast packet suppression threshold and the IP broadcast packet suppression threshold for DVS port group objects on the system portal.
Users can create security groups based on VM security requirements. Each security group provides a set of access rules, and VMs added to a security group are protected by those rules. Users can add VMs to security groups when creating the VMs.
Service administrators can create security groups and security group rules for VPCs on FusionManager. A security group rule specifies the protocol, the source (an IP address segment, a subnet, or another security group), and the range of ports on the VM that may be accessed. The supported protocols are Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
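As an added example (not FusionManager code), the following Python block evaluates security group rules of the form just described: a protocol, a source that is either an IP segment/subnet in CIDR notation or another security group, and a range of VM ports. The group names, addresses and rules are constructed; the engine is default-deny, so a packet reaches a VM only when some rule of the VM's group matches.

```python
# Added example (not FusionManager code): evaluation of security group rules of
# the kind described above. Group names, addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                      # "tcp", "udp" or "icmp"
    source: str                        # CIDR segment/subnet, or a security group name
    port_from: Optional[int] = None    # VM-accessible port range; unused for icmp
    port_to: Optional[int] = None


class SecurityGroup:
    def __init__(self, name, rules):
        self.name = name
        self.rules = list(rules)
        self.members = set()           # IP addresses of the VMs added to this group


class SecurityGroupEngine:
    """Default-deny inbound filter: traffic reaches a VM only if a rule of its group matches."""

    def __init__(self):
        self.groups = {}

    def add_group(self, group):
        self.groups[group.name] = group

    def add_vm(self, group_name, vm_ip):
        self.groups[group_name].members.add(str(ipaddress.ip_address(vm_ip)))

    def group_of(self, vm_ip):
        for group in self.groups.values():
            if vm_ip in group.members:
                return group
        return None

    def _source_matches(self, source, src_addr):
        if source in self.groups:                      # source is another security group
            return str(src_addr) in self.groups[source].members
        return src_addr in ipaddress.ip_network(source, strict=False)

    def allowed(self, dst_vm_ip, src_ip, protocol, dst_port=None):
        group = self.group_of(dst_vm_ip)
        if group is None:
            return False                                # VM in no group: nothing is allowed
        src_addr = ipaddress.ip_address(src_ip)
        for rule in group.rules:
            if rule.protocol != protocol or not self._source_matches(rule.source, src_addr):
                continue
            if protocol == "icmp":
                return True                             # ICMP rules carry no port range
            if dst_port is not None and rule.port_from <= dst_port <= rule.port_to:
                return True
        return False


def build_demo():
    """Two-tier layout: web VMs reachable from anywhere on 80-443, DB reachable from web only."""
    engine = SecurityGroupEngine()
    engine.add_group(SecurityGroup("sg-web", [
        Rule("tcp", "0.0.0.0/0", 80, 443),
        Rule("icmp", "10.0.0.0/8"),
    ]))
    engine.add_group(SecurityGroup("sg-db", [
        Rule("tcp", "sg-web", 3306, 3306),
    ]))
    engine.add_vm("sg-web", "10.0.1.10")
    engine.add_vm("sg-db", "10.0.2.20")
    return engine
```

Referencing a security group as the source (the sg-db rule above) is what lets the database tier admit only current members of the web tier without hard-coding their addresses; a VM in no group receives nothing.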
4.8 VXLAN
VXLAN (virtual extensible local area network) encapsulates layer 2 packets in layer 3 protocols, extending a layer 2 network across layer 3. Used in a data center, VXLAN lets VMs migrate anywhere within the interconnected layer 3 network without changing their IP or MAC addresses, which preserves service continuity and supports large-scale deployment. VXLAN uses 24-bit VXLAN IDs, which allow about 16 million virtual networks (a traditional layer 2 network supports only about 4000 virtual networks). This makes it practical to deploy large-scale cloud computing environments with applications and tenants logically isolated.
For details, see the Huawei FusionSphere 5.0 Technical White Paper on VXLAN.
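The following Python block is an added example (not FusionSphere code) of the encapsulation the paragraph describes: an Ethernet frame is wrapped in a VXLAN header, UDP and IPv4 so that it can cross a layer 3 network between two VXLAN tunnel endpoints (VTEPs), and is unwrapped and validated on the other side. The header layout and UDP port follow RFC 7348; the MAC and VTEP addresses are constructed.

```python
# Added example (not FusionSphere code): VXLAN encapsulation and decapsulation
# of a layer 2 frame in IPv4/UDP, following the RFC 7348 header layout.
# MAC and VTEP addresses are constructed for the example.
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08            # "VNI valid" flag in the first header byte
VNI_MAX = (1 << 24) - 1        # 24-bit VNI: 16,777,215 possible networks
VLAN_ID_MAX = 4094             # 12-bit 802.1Q VLAN ID (0 and 4095 reserved)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build the inner layer 2 frame that VXLAN carries."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header):
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len):
    """20-byte IPv4 header carrying UDP (protocol 17), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_header(vni):
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # flags(8) | reserved(24) | VNI(24) | reserved(8)
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def encapsulate(vni, inner_frame, vtep_src, vtep_dst):
    """Wrap a layer 2 frame so it can cross a layer 3 network between two VTEPs."""
    # Source port derived from the inner headers so ECMP spreads flows (RFC 7348 section 5).
    src_port = 49152 + (zlib.crc32(inner_frame[:14]) % 16384)
    vxlan_payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan_payload), 0)
    return ipv4_header(vtep_src, vtep_dst, len(udp) + len(vxlan_payload)) + udp + vxlan_payload


def decapsulate(packet):
    """Validate the outer headers and return (vni, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = packet[ihl:ihl + 8]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8, packet[ihl + 16:]
```

The VNI, not the inner VLAN tag, is what separates tenants once the frame is on the wire, which is why the receiving VTEP must check the I flag and the outer headers before trusting the VNI it reads.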
Virtual port information covers the number of packets received and forwarded on virtual ports and the corresponding receive and forward traffic.
Table 4-4 lists the port information about virtual port traffic data.
Table 4-4 Port information about virtual port traffic data
Host and VM traffic rates are derived from this port information.
1. IPv6 uses a 128-bit address structure and provides a far larger address space than IPv4.
2. IPv6 permits hierarchical address allocation, which facilitates route aggregation across the Internet and therefore limits the growth of routing tables. Route aggregation lets one routing table entry represent a whole subnet, which significantly shortens the routing table and increases the packet forwarding speed of the router.
3.
4. IPv6 provides higher security than IPv4. On an IPv6 network, users can encrypt network-layer data and verify IP packets. IPv6-based encryption and authentication ensure packet confidentiality and integrity, thereby significantly enhancing network security.
The system supports VM configuration on the service plane and VM communication using IPv6 addresses. VMs can communicate with one another over a single-stack IPv4 or IPv6 network or over a dual-stack IPv4/IPv6 network.
Dual stack is a transition technology from IPv4 to IPv6. The nodes in a dual-stack infrastructure support both the IPv4 and IPv6 protocol stacks. A source node chooses the protocol stack to use based on the destination node, and network devices choose the stack with which to process and forward an IP packet based on the packet's protocol type.
On a dual-stack network, all devices must support the IPv4/IPv6 dual stack, and ports connected to the dual-stack network must have both an IPv4 and an IPv6 address configured. The dual-stack technology is the basis for the transition from IPv4 to IPv6.
IPv4/IPv6 Dual Stack Scheme
As defined in RFC 4213, dual stack means installing both the IPv4 and IPv6 protocol stacks on terminal devices and network nodes so that they can interwork with IPv4 nodes and with IPv6 nodes separately. Nodes configured with the IPv4/IPv6 dual stack are called dual-stack nodes, as shown in Figure 4-4. These nodes can send and receive both IPv4 and IPv6 packets: they interwork with IPv4 nodes through IPv4 and with IPv6 nodes through IPv6.
A port on a dual-stack device can have one IPv4 address, one IPv6 address, or both. The router holds two independent routing tables on the same device: one for IPv4 addressing and the other for IPv6 addressing.
When a dual-stack node receives a data segment at the link layer, it unpacks the segment and checks the packet header. If the first field of the IP header has the value 4, the packet is handed to the IPv4 protocol stack; if the value is 6, it is handed to the IPv6 protocol stack.
To learn IPv6 routes, the dual-stack router must also support IPv6-capable routing protocols. If Open Shortest Path First (OSPF) is used on the live network, add OSPFv3 to support IPv6. If Intermediate System to Intermediate System (IS-IS) is deployed on the live network, deploy IS-IS multi-topology to learn IPv6 routes. BGP4+ can be configured for IPv6 route advertisement by enabling the IPv6 address family, and for IPv6 route reflection by upgrading the route reflector (RR) if necessary.
The dual-stack architecture allows equipment to receive, process, and forward both IPv4 and IPv6 traffic. It supports network equipment (routers) in IPv4/IPv6 dual-stack mode, runs two logically coexisting networks, and supports a smooth transition from IPv4 to IPv6.
A dual-stack node supports the following three work modes:
IPv6-only: A node is configured with only an Ethernet port, an IPv6 port, an IPv6 address, and an IPv6 router. The IPv6 function must be enabled on the router configured for the node.
IPv4-only: A node is configured with only an Ethernet port, an IPv4 address, and an IPv4 router.
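The version-field dispatch and the two independent routing tables described above, as an added example in Python (not FusionSphere or router vendor code): classify() hands a received packet to the IPv4 or IPv6 path based on the first header field, and DualStackRouter keeps one longest-prefix-match table per address family on the same device. The prefixes, next hops and packet contents are constructed.

```python
# Added example (not FusionSphere code): how a dual-stack node demultiplexes
# received packets on the IP version field and forwards them with two
# independent routing tables. Prefixes, next hops and packets are constructed.
import ipaddress
import struct


def build_ipv4(src, dst, proto):
    """Minimal constructed IPv4 header (20 bytes, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_ipv6(src, dst, next_header):
    """Minimal constructed IPv6 header (40 bytes, no payload)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def classify(packet):
    """Dispatch on the first header field: 4 -> IPv4 stack, 6 -> IPv6 stack."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return {"version": 4, "proto": packet[9],
                "src": str(ipaddress.IPv4Address(packet[12:16])),
                "dst": str(ipaddress.IPv4Address(packet[16:20]))}
    if version == 6 and len(packet) >= 40:
        return {"version": 6, "proto": packet[6],          # IPv6 "next header"
                "src": str(ipaddress.IPv6Address(packet[8:24])),
                "dst": str(ipaddress.IPv6Address(packet[24:40]))}
    raise ValueError("not an IPv4 or IPv6 packet")


class DualStackRouter:
    def __init__(self):
        # Two independent tables on one device, one per address family.
        self.tables = {4: [], 6: []}

    def add_route(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=False)
        table = self.tables[net.version]
        table.append((net, next_hop))
        table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)   # longest prefix first

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.tables[addr.version]:
            if addr in net:
                return next_hop
        return None

    def forward(self, packet):
        """Return (version, next_hop); next_hop is None when no route matches."""
        info = classify(packet)
        return info["version"], self.lookup(info["dst"])


def build_demo():
    router = DualStackRouter()
    router.add_route("0.0.0.0/0", "10.0.0.1")
    router.add_route("192.0.2.0/24", "10.0.0.2")
    router.add_route("::/0", "fe80::1")
    router.add_route("2001:db8::/32", "fe80::2")
    return router
```

Because the two tables are keyed by address family, an IPv6 route can never shadow an IPv4 one or vice versa; a packet whose version field is neither 4 nor 6 is rejected before any lookup.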
IPv6 Capability
An IPv6 VM supports only external networking and supports the following IP address assignment modes:
The DVS functions, such as security groups, port binding, QoS, port mirroring, and trunking, support both IPv4 and IPv6.
The system supports IPv6-based VM lifecycle management, including VM start, stop, hot migration, snapshot, hibernation, and restoration.
To use an IPv6 network, ensure that all external devices, such as switches, firewalls, and load balancers, support both IPv4 and IPv6 networks. Gateway addresses, virtual private networks (VPNs), access control list (ACL) policies, and load balancing for IPv6 VMs are configured on a physical switch or firewall.
5 Application Scenario
6 Glossary
ACL: Access Control List
ARP: Address Resolution Protocol
DAI: Dynamic ARP Inspection
DHCP: Dynamic Host Configuration Protocol
DVS: Distributed Virtual Switch
DVSM: DVS Manager
IDC: Internet Data Center
iNIC: Huawei self-developed NIC with built-in virtual switching
PF: Physical Function
SR-IOV: Single Root I/O Virtualization
VDI: Virtual Desktop Infrastructure
VEB: Virtual Ethernet Bridge
VEPA: Virtual Ethernet Port Aggregator
VF: Virtual Function
VMDq: Virtual Machine Device Queues
VSP: Virtual Switch Port