Esikhathini sokubalwa kwamafu kanye nokwenza i-network virtualization, i-VXLAN (i-Virtual Extensible LAN) isibe ubuchwepheshe obuyisisekelo bokwakha amanethiwekhi okumboza anganwebeka futhi aguquguqukayo. Enhliziyweni yokwakhiwa kwe-VXLAN kukhona i-VTEP (i-VXLAN Tunnel Endpoint), ingxenye ebalulekile evumela ukudluliselwa okungenamthungo kwethrafikhi yesigaba sesi-2 kumanethiwekhi esigaba sesi-3. Njengoba ithrafikhi yenethiwekhi ikhula ngokuyinkimbinkimbi ngezinqubo ezahlukahlukene zokufaka, indima yama-Network Packet Brokers (NPBs) ngamakhono e-Tunnel Encapsulation Stripping isibe yinto ebalulekile ekwenzeni ngcono imisebenzi ye-VTEP. Le bhulogi ihlola izisekelo ze-VTEP kanye nobudlelwano bayo ne-VXLAN, bese ihlola ukuthi umsebenzi we-NPBs' tunnel encapsulation stripping uthuthukisa kanjani ukusebenza kwe-VTEP kanye nokubonakala kwenethiwekhi.
Ukuqonda i-VTEP kanye nobudlelwano bayo ne-VXLAN
Okokuqala, ake sicacise imiqondo eyinhloko: I-VTEP, efushanisiwe i-VXLAN Tunnel Endpoint, iyinhlangano yenethiwekhi enesibopho sokufaka nokususa amaphakethe e-VXLAN kunethiwekhi ye-overlay ye-VXLAN. Isebenza njengendawo yokuqala neyokugcina yemigudu ye-VXLAN, isebenza njenge-"gateway" ehlanganisa inethiwekhi ye-overlay ebonakalayo kanye nenethiwekhi ye-underlay ebonakalayo. I-VTEP ingasetshenziswa njengamadivayisi angokoqobo (njengezishintshi noma ama-router anekhono le-VXLAN) noma izinhlangano zesofthiwe (njengezishintshi ezibonakalayo, ama-container hosts, noma ama-proxies emishinini ebonakalayo).
Ubudlelwano phakathi kwe-VTEP ne-VXLAN buhambisana ngokwemvelo—i-VXLAN ithembele ku-VTEP ukuze ifeze ukusebenza kwayo okuyinhloko, kuyilapho i-VTEP ikhona kuphela ukusekela imisebenzi ye-VXLAN. Inani eliyinhloko le-VXLAN ukudala inethiwekhi ye-virtual layer 2 phezu kwenethiwekhi ye-IP ye-layer 3 ngokusebenzisa i-MAC-in-UDP encapsulation, inqobe imikhawulo yokukhula kwama-VLAN endabuko (asekela kuphela ama-ID e-VLAN angu-4096) nge-24-bit VXLAN Network Identifier (VNI) evumela amanethiwekhi afinyelela ku-16 million. Nansi indlela ama-VTEP avumela ngayo lokhu: Lapho umshini we-virtual (VM) uthumela ithrafikhi, i-VTEP yendawo ihlanganisa uhlaka lwe-Ethernet lwe-layer 2 lokuqala ngokungeza i-header ye-VXLAN (equkethe i-VNI), i-header ye-UDP (isebenzisa i-port 4789 ngokuzenzakalelayo), i-header ye-IP yangaphandle (ene-IP yomthombo we-VTEP kanye ne-IP ye-destination VTEP), kanye ne-header ye-Ethernet yangaphandle. Iphakethe elihlanganisiwe libe selidluliselwa ngenethiwekhi ye-underlay engu-layer 3 liye kwi-VTEP yendawo ekude, ehlukanisa iphakethe ngokususa wonke ama-header angaphandle, ibuyise uhlaka lwe-Ethernet lwangempela, bese ilidlulisela ku-VM eqondiwe ngokusekelwe ku-VNI.
Ngaphezu kwalokho, ama-VTEP aphatha imisebenzi ebalulekile njengokufunda ikheli le-MAC (ukubeka amakheli e-MAC ngokuguquguqukayo kuma-IP e-VTEP) kanye nokucutshungulwa kwethrafikhi ye-Broadcast, i-Unknown Unicast, kanye ne-Multicast (BUM)—kungaba ngamaqembu e-multicast noma ukukopishwa kwe-head-end kwimodi ye-unicast kuphela. Empeleni, ama-VTEP ayizitini zokwakha ezenza i-VXLAN's network virtualization kanye ne-multi-tenant solidation ibe nokwenzeka.
Inselele Yomgwaqo Ohlanganisiwe We-VTEPs
Ezindaweni zesimanje zesikhungo sedatha, ithrafikhi ye-VTEP ayikhawulelwe ekufakweni kwe-VXLAN okumsulwa. Ithrafikhi edlula kuma-VTEP ivame ukuthwala izendlalelo eziningi zama-header e-encapsulation, kufaka phakathi i-VLAN, i-GRE, i-GTP, i-MPLS, noma i-IPIP, ngaphezu kwe-VXLAN. Lokhu bunzima bokufakwa kwe-encapsulation kuletha izinselele ezibalulekile ekusebenzeni kwe-VTEP kanye nokuqapha kwenethiwekhi okulandelayo, ukuhlaziya, kanye nokuphoqelelwa kokuphepha:
○ - Ukubonakala Okuncishisiwe: Amathuluzi amaningi okuqapha inethiwekhi kanye nokuphepha (njenge-IDS/IPS, abahlaziyi bokugeleza, kanye nabashwibi bephakethe) aklanyelwe ukucubungula ithrafikhi yomdabu yeleveli 2/leveli 3. Ama-header ahlanganisiwe afihla umthwalo wokuqala, okwenza kube nzima ngala mathuluzi ukuhlaziya ngokunembile okuqukethwe kwethrafikhi noma ukuthola okungafani.
○ - Ukwanda Kokusebenza Okuphezulu: Ama-VTEP ngokwawo kumele asebenzise izinsiza ezengeziwe zokubala ukucubungula amaphakethe ahlanganisiwe anezingqimba eziningi, ikakhulukazi ezindaweni ezinabantu abaningi. Lokhu kungaholela ekwandeni kokubambezeleka, ukwehla komthamo, kanye nezithiyo zokusebenza ezingaba khona.
○ - Izinkinga Zokusebenzisana: Izingxenye ezahlukene zenethiwekhi noma izindawo zabathengisi abaningi zingasebenzisa amaphrothokholi ahlukene okubethela. Ngaphandle kokususa amakhanda ngendlela efanele, ithrafikhi ingase yehluleke ukuthunyelwa noma ukucutshungulwa kahle lapho idlula kuma-VTEP, okuholela ezinkingeni zokusebenzisana.
Indlela i-NPB' Tunnel Encapsulation Stripping enika ngayo amandla i-VTEPs
Ama-Mylinking™ Network Packet Brokers (NPBs) anamakhono okubamba i-Tunnel Encapsulation abhekana nalezi zinselele ngokusebenza njenge-"Traffic pre-processor" yama-VTEP. Ama-NPB angasusa izihloko ezahlukahlukene ze-encapsulation (kufaka phakathi i-VXLAN, i-VLAN, i-GRE, i-GTP, i-MPLS, kanye ne-IPIP) kusuka kumaphakethe edatha okuqala ngaphambi kokudlulisela ithrafikhi kuma-VTEP noma kumathuluzi okuqapha/okuphepha. Lokhu kusebenza kuletha izinzuzo ezintathu ezibalulekile zokusebenza kwe-VTEP:
1. Ukubonakala Nokuphepha Kwenethiwekhi Okuthuthukisiwe
Ngokususa izihloko ze-encapsulation, ama-NPB aveza umthwalo wokuqala wamaphakethe, okwenza amathuluzi okuqapha kanye nokuphepha "abone" okuqukethwe kwethrafikhi yangempela. Isibonelo, lapho ithrafikhi ye-VTEP ithunyelwa ku-IDS/IPS, i-NPB iqala ngokususa izihloko ze-VXLAN kanye ne-MPLS, okuvumela i-IDS/IPS ukuthi ithole umsebenzi ononya (njenge-malware noma imizamo yokufinyelela engagunyaziwe) kufreyimu yokuqala. Lokhu kubaluleke kakhulu ezindaweni ezinabantu abaningi abaqashayo lapho ama-VTEP ephatha khona ithrafikhi evela kubaqashi abaningi—ama-NPB aqinisekisa ukuthi amathuluzi okuphepha angahlola ithrafikhi ethile yabaqashi ngaphandle kokuvinjelwa yi-encapsulation.
Ngaphezu kwalokho, ama-NPB angasusa ama-header ngokukhetha ngokusekelwe ezinhlotsheni zethrafikhi noma i-VNI, enikeza ukubonakala okuhlanganisiwe kumanethiwekhi athile abonakalayo. Lokhu kusiza abaphathi benethiwekhi ukuxazulula izinkinga (njengokulahleka kwephakethe noma ukubambezeleka) ngokunika amandla ukuhlaziywa okunembile kwethrafikhi ngaphakathi kwezingxenye ze-VXLAN ngazinye.
2. Ukusebenza kwe-VTEP Okulungiselelwe
Ama-NPB akhipha umsebenzi wokususa ama-header kusuka ku-VTEP, okunciphisa izindleko zokucubungula kumadivayisi e-VTEP. Esikhundleni sokuthi ama-VTEP asebenzise izinsiza ze-CPU ekususeni izendlalelo eziningi zama-header (isb., i-VLAN + GRE + VXLAN), ama-NPB aphatha lesi sinyathelo sangaphambi kokucubungula, okuvumela ama-VTEP ukuthi agxile emisebenzini yawo eyinhloko: ukufaka ama-capsulation/ukususa ama-capsulation amaphakethe e-VXLAN kanye nokuphathwa kwemihubhe. Lokhu kuphumela ekubambezelekeni okuphansi, ukudlula okuphezulu, kanye nokusebenza okuthuthukisiwe kwenethiwekhi ye-overlay ye-VXLAN—ikakhulukazi ezindaweni ze-virtualization eziphezulu ezinezinkulungwane zama-VM kanye nemithwalo yethrafikhi esindayo.
Isibonelo, esikhungweni sedatha esine-NPBs kanye nama-Switches asebenza njenge-VTEP, i-NPB (njenge-Mylinking™ Network Packet Brokers) ingasusa ama-header e-VLAN kanye ne-MPLS kuthrafikhi engenayo ngaphambi kokuba ifike kuma-VTEP. Lokhu kunciphisa inani lemisebenzi yokucubungula ama-header ama-VTEP okudingeka ayenze, okuwenza akwazi ukusingatha imigudu eminingi kanye nokugeleza kwethrafikhi ngasikhathi sinye.
3. Ukuxhumana Okuthuthukisiwe Kumanethiwekhi Ahlukahlukene
Kumanethiwekhi abathengisi abaningi noma ahlukene, izingxenye ezahlukene zengqalasizinda zingasebenzisa amaphrothokholi ahlukene okuhlanganisa idatha. Isibonelo, ithrafikhi evela esikhungweni sedatha esikude ingafika ku-VTEP yendawo ene-GRE encapsulation, kuyilapho ithrafikhi yendawo isebenzisa i-VXLAN. I-NPB ingasusa lawa ma-header ahlukahlukene (i-GRE, i-VXLAN, i-IPIP, njll.) bese idlulisela umfudlana wethrafikhi ohambisanayo, wendabuko ku-VTEP, isuse izinkinga zokusebenzisana. Lokhu kubaluleke kakhulu ezindaweni zamafu ezihlanganisiwe, lapho ithrafikhi evela kumasevisi amafu omphakathi (ngokuvamile isebenzisa i-GTP noma i-IPIP encapsulation) idinga ukuhlanganiswa namanethiwekhi e-VXLAN asendaweni nge-VTEP.
Ngaphezu kwalokho, ama-NPB angathumela ama-header ahlutshiwe njenge-metadata kumathuluzi okuqapha, aqinisekise ukuthi abaphathi bagcina umongo mayelana nokubethelwa kokuqala (njengelebula le-VNI noma le-MPLS) ngenkathi besavumela ukuhlaziywa komthwalo wendabuko. Lokhu kulinganisela phakathi kokususwa kwama-header nokulondolozwa komongo kuyisihluthulelo sokuphathwa kwenethiwekhi okuphumelelayo.
Ungawusebenzisa kanjani umsebenzi wokuhlubula iphakheji yomhubhe ku-VTEP?
Ukususwa kwe-tunnel encapsulation ku-VTEP kungenziwa ngokusebenzisa ukucushwa kwezinga lehadiwe, izinqubomgomo ezichazwe yisofthiwe, kanye nokusebenzisana nabalawuli be-SDN, nge-logic eyinhloko egxile ekuboneni izihloko ze-tunnel → ukwenza izenzo zokususwa kwe-tunnel → ukudlulisa imithwalo yokuqala. Izindlela ezithile zokusetshenziswa ziyahlukahluka kancane ngokusekelwe ezinhlotsheni ze-VTEP (ezingokoqobo/isofthiwe), futhi izindlela ezibalulekile yilezi ezilandelayo:
Manje, sikhuluma ngokusetshenziswa kwe-Physical VTEPs (isb.,Abathengisi Bepakethe Lenethiwekhi Abakwazi Ukulingisa™ VXLAN) lapha.
Ama-VTEP angokoqobo (njenge-Mylinking™ VXLAN-cable Network Packet Brokers) athembele kuma-hardware chips kanye nemiyalo yokucushwa ezinikele ukuze kufezwe ukuhlubula okusebenzayo kwe-encapsulation, okufanelekela izimo zesikhungo sedatha esinabantu abaningi:
Ukufanisa i-encapsulation okusekelwe ku-interface: Dala ama-sub-interface kuma-port okufinyelela ngokomzimba e-VTEP bese ulungiselela izinhlobo ze-encapsulation ukuze zifane futhi zihlubule ama-header athile e-tunnel. Isibonelo, ku-Mylinking™ VXLAN-cable Network Packet Brokers, lungiselela ama-sub-interface e-Layer 2 ukuze ubone amathegi e-VLAN angu-802.1Q noma ozimele abangafakwanga amathegi, bese uhlubula ama-header e-VLAN ngaphambi kokudlulisela ithrafikhi ku-VXLAN tunnel. Ku-traffic ehlanganisiwe ye-GRE/MPLS, vumela ukuhlungwa kwephrothokholi ehambisanayo ku-sub-interface ukuze uhlubule ama-header angaphandle.
Ukususa amakhanda okusekelwe kunqubomgomo: Sebenzisa i-ACL (Uhlu Lokulawula Ukufinyelela) noma inqubomgomo yethrafikhi ukuze uchaze imithetho yokufanisa (isb., ukufanisa i-UDP port 4789 ye-VXLAN, uhlobo lwephrothokholi 47 ye-GRE) kanye nezenzo zokubopha ukususwa. Uma ithrafikhi ihambisana nemithetho, i-chip yehadiwe ye-VTEP isusa ngokuzenzakalelayo amakhanda e-tunnel acacisiwe (amakhanda angaphandle e-VXLAN/UDP/IP, amalebula e-MPLS, njll.) bese idlulisela phambili umthwalo wokuqala we-Layer 2.
Ukusebenzisana kwesango elisabalalisiwe: Ku-architectures ye-Spine-Leaf VXLAN, ama-VTEP angokwenyama (ama-Leaf nodes) angabambisana nama-Layer 3 gateways ukuze aqedele ukuhlubula okunezingqimba eziningi. Isibonelo, ngemva kwama-Spine nodes adlulisela ithrafikhi ye-VXLAN ehlanganiswe yi-MPLS ku-Leaf VTEPs, ama-VTEP aqala ngokuhlubula amalebula e-MPLS, bese enza i-VXLAN decapsulation.
Ingabe udinga isibonelo sokucushwa kwedivayisi ethile ye-VTEP yomthengisi (njenge-Abathengisi Bepakethe Lenethiwekhi Abakwazi Ukulingisa™ VXLAN) ukusebenzisa i-tunnel encapsulation stripping?
Isimo Sokusebenza Esiwusizo
Cabanga ngesikhungo sedatha sebhizinisi elikhulu esisebenzisa inethiwekhi ye-VXLAN overlay enezinkinobho ze-H3C njenge-VTEP, isekela ama-VM amaningi aqashiwe. Isikhungo sedatha sisebenzisa i-MPLS yokudlulisa ithrafikhi phakathi kwezinkinobho ze-core kanye ne-VXLAN yokuxhumana kwe-VM-to-VM. Ngaphezu kwalokho, amahhovisi egatsha akude athumela ithrafikhi esikhungweni sedatha ngemigudu ye-GRE. Ukuqinisekisa ukuphepha nokubonakala, ibhizinisi lisebenzisa i-NPB ene-Tunnel Encapsulation Stripping phakathi kwenethiwekhi ye-core kanye ne-VTEP.
Uma ithrafikhi ifika esikhungweni sedatha:
(1) I-NPB iqala ngokususa ama-header e-MPLS kuthrafikhi evela kunethiwekhi eyinhloko kanye nama-header e-GRE avela kuthrafikhi yehhovisi legatsha.
(2) Kuthrafikhi ye-VXLAN phakathi kwe-VTEP, i-NPB ingasusa izihloko ze-VXLAN zangaphandle lapho idlulisela ithrafikhi kumathuluzi okuqapha, okuvumela amathuluzi ukuthi ahlole ithrafikhi ye-VM yokuqala.
(3) I-NPB idlulisela ithrafikhi ecutshungulwe ngaphambilini (ehlutshiwe ngamakhanda) kuma-VTEP, adinga kuphela ukuphatha ukufakwa kwe-VXLAN/ukuhlukaniswa kwe-capsulation yomthwalo wendabuko. Lokhu kusetha kunciphisa umthwalo wokucubungula i-VTEP, kuvumela ukuhlaziywa okuphelele kwethrafikhi, futhi kuqinisekisa ukusebenzisana okungenamthungo phakathi kwezingxenye ze-MPLS, GRE, kanye ne-VXLAN.
Ama-VTEP ayinsika yamanethiwekhi e-VXLAN, okwenza kube lula ukusebenzisa i-virtualization ekwazi ukukhuliswa kanye nokuxhumana kwabantu abaningi. Kodwa-ke, ubunzima obukhulayo bethrafikhi ehlanganisiwe kumanethiwekhi anamuhla buletha izinselelo ezinkulu ekusebenzeni kwe-VTEP kanye nokubonakala kwenethiwekhi. Abathengisi Bepakethe Yenethiwekhi abanamakhono okukhumula i-Tunnel Encapsulation babhekana nalezi zinselele ngokucubungula ithrafikhi kusengaphambili, bakhumule izihloko ezahlukahlukene (i-VXLAN, i-VLAN, i-GRE, i-GTP, i-MPLS, i-IPIP) ngaphambi kokuba ifinyelele kuma-VTEP noma amathuluzi okuqapha. Lokhu akugcini nje ngokuthuthukisa ukusebenza kwe-VTEP ngokunciphisa izindleko zokucubungula kodwa futhi kuthuthukisa ukubonakala kwenethiwekhi, kuqinisa ukuphepha, futhi kuthuthukisa ukusebenzisana kuzo zonke izindawo ezingafani.
Njengoba izinhlangano ziqhubeka nokwamukela izakhiwo ezisekelwe efwini kanye nokusetshenziswa kwamafu ahlanganisiwe, ukusebenzisana phakathi kwama-NPB nama-VTEP kuzoba yinto ebaluleke kakhulu. Ngokusebenzisa umsebenzi wokususa imigudu ye-NPB, abaphathi benethiwekhi bangavula amandla aphelele amanethiwekhi e-VXLAN, baqinisekise ukuthi asebenza kahle, aphephile, futhi avumelana nezidingo zebhizinisi ezishintshayo.
Isikhathi sokuthunyelwe: Jan-09-2026
