Ukuxoxa ngamasango e-VXLAN, kufanele siqale sixoxe nge-VXLAN ngokwayo. Khumbula ukuthi ama-VLAN endabuko (I-Virtual Local Area Networks) asebenzisa ama-ID e-VLAN angu-12-bit ukuze ahlukanise amanethiwekhi, asekela amanethiwekhi anengqondo afika ku-4096. Lokhu kusebenza kahle kumanethiwekhi amancane, kodwa ezikhungweni zedatha zesimanje, ezinezinkulungwane zemishini ebonakalayo, iziqukathi, nezindawo eziqashwe abantu abaningi, ama-VLAN awanele. I-VXLAN yazalwa, ichazwa yi-Internet Engineering Task Force (IETF) ku-RFC 7348. Inhloso yayo iwukwelula isizinda sokusakaza se-Layer 2 (Ethernet) phezu kwamanethiwekhi we-Layer 3 (IP) kusetshenziswa imigudu ye-UDP.
Kalula nje, i-VXLAN ihlanganisa ozimele be-Ethernet ngaphakathi kwamaphakethe e-UDP futhi yengeza i-24-bit VXLAN Network Identifier (VNI), ngokwengqondo esekela amanethiwekhi abonakalayo ayizigidi ezingu-16. Lokhu kufana nokunikeza inethiwekhi ngayinye "ikhadi likamazisi," elibavumela ukuthi bahambe ngokukhululeka kunethiwekhi yangempela ngaphandle kokuphazamisana. Ingxenye eyinhloko ye-VXLAN yi-VXLAN Tunnel End Point (VTEP), ebhekele ukuhlanganisa nokukhipha amaphakethe. I-VTEP ingaba isofthiwe (efana ne-Open vSwitch) noma ihadiwe (njenge-ASIC chip ekushintsheni).
Kungani i-VXLAN idume kangaka? Ngoba ihambisana ngokuphelele nezidingo ze-cloud computing kanye ne-SDN (Software-Defined Networking). Emafu omphakathi njenge-AWS ne-Azure, i-VXLAN inika amandla ukunwetshwa okungenamthungo kwamanethiwekhi abonakalayo abaqashi. Ezikhungweni zedatha eziyimfihlo, isekela izakhiwo zenethiwekhi ezimbondelanayo njenge-VMware NSX noma i-Cisco ACI. Cabanga ngesikhungo sedatha esinezinkulungwane zamaseva, ngayinye isebenzisa inqwaba yama-VM (Imishini Engokoqobo). I-VXLAN ivumela lawa ma-VM ukuthi azibone eyingxenye yenethiwekhi efanayo ye-Layer 2, eqinisekisa ukudluliswa okushelelayo kokusakaza kwe-ARP nezicelo ze-DHCP.
Nokho, i-VXLAN akuyona i-panacea. Ukusebenza kunethiwekhi ye-L3 kudinga ukuguqulwa kwe-L2-to-L3, okuyilapho isango lingena khona. Isango le-VXLAN lixhuma inethiwekhi ebonakalayo ye-VXLAN namanethiwekhi angaphandle (njengama-VLAN endabuko noma amanethiwekhi omzila we-IP), iqinisekisa ukuthi idatha igeleza isuka emhlabeni obonakalayo iye emhlabeni wangempela. Indlela yokudlulisa inhliziyo nomphefumulo wesango, enquma ukuthi amaphakethe acutshungulwa kanjani, ahanjiswa kanjani, futhi asakazwa kanjani.
Inqubo yokudlulisela phambili i-VXLAN ifana ne-ballet ethambile, isinyathelo ngasinye ukusuka emthonjeni kuya endaweni sixhunyaniswe eduze. Asihlephule kancane kancane.
Okokuqala, iphakethe lithunyelwa lisuka kumsingathi womthombo (ofana ne-VM). Lolu uhlaka olujwayelekile lwe-Ethernet oluqukethe ikheli le-MAC lomthombo, ikheli le-MAC okuyiwa kulo, ithegi ye-VLAN (uma ikhona), kanye nomthwalo okhokhelwayo. Ngemva kokuthola lolu hlaka, umthombo we-VTEP uhlola ikheli le-MAC okuyiwa kulo. Uma ikheli le-MAC okuyiwa kulo lisethebula layo le-MAC (elitholwe ngokufunda noma ngezikhukhula), iyazi ukuthi iyiphi i-VTEP ekude yokudlulisela iphakethe kuyo.
Inqubo ye-encapsulation ibalulekile: i-VTEP yengeza unhlokweni we-VXLAN (okuhlanganisa i-VNI, amafulegi, njalonjalo), bese kuba unhlokweni wangaphandle we-UDP (enembobo yomthombo esekelwe ku-hash yohlaka lwangaphakathi kanye nechweba lendawo elimisiwe elingu-4789), unhlokweni we-IP (nomthombo wekheli le-IP lekheli le-VTEP lendawo lendawo ye-VTEP yendawo ekude), kanye nendawo ephuma kuyo ye-VTEP ekude ekugcineni. Lonke iphakethe manje selivela njengephakethe le-UDP/IP, libukeka njengethrafikhi evamile, futhi lingahanjiswa kunethiwekhi ye-L3.
Kunethiwekhi ebonakalayo, iphakethe lidluliselwa umzila noma lishintshe lize lifike endaweni okuyiwa kuyo i-VTEP. I-VTEP okuyiwa kuyo ikhumula unhlokweni wangaphandle, ihlola unhlokweni we-VXLAN ukuze uqinisekise ukuthi i-VNI iyafana, bese iletha ifremu ye-Ethernet yangaphakathi kumsingathi wendawo. Uma iphakethe lingaziwa ithrafikhi ye-unicast, broadcast, noma multicast (BUM), i-VTEP iphindaphinda iphakethe kuwo wonke ama-VTEP afanele kusetshenziswa ukukhukhuleka, kuncike emaqenjini okusakaza okuningi noma ukuphindaphinda kwesihloko se-unicast (HER).
Umnyombo wesimiso sokudlulisa ukuhlukaniswa kwendiza yokulawula kanye nendiza yedatha. Indiza yokulawula isebenzisa i-Ethernet VPN (EVPN) noma indlela ye-Flood and Learn ukuze ifunde i-MAC ne-IP mapping. I-EVPN isekelwe kuphrothokholi ye-BGP futhi ivumela ama-VTEPs ukuthi ashintshisane ngolwazi lomzila, njenge-MAC-VRF (Umzila Obonakalayo Nokudlulisa) kanye ne-IP-VRF. Indiza yedatha inesibopho sokudlulisela phambili kwangempela, isebenzisa imigudu ye-VXLAN ukuze idlulise kahle.
Kodwa-ke, ekusetshenzisweni kwangempela, ukusebenza kahle kokudlulisela kuthinta ngqo ukusebenza. Izikhukhula zendabuko zingabangela kalula iziphepho zokusakaza, ikakhulukazi kumanethiwekhi amakhulu. Lokhu kuholela esidingweni sokwenza kahle kwesango: amasango awaxhumi kuphela amanethiwekhi angaphakathi nangaphandle kodwa futhi asebenza njengama-ejenti e-ARP yommeleli, aphathe ukuvuza komzila, futhi aqinisekise izindlela ezimfishane zokudlulisela phambili.
I-VXLAN Gateway ephakathi
Isango le-VXLAN elimaphakathi, elibizwa nangokuthi isango elimaphakathi noma isango le-L3, livamise ukufakwa emaphethelweni noma isendlalelo esiyinhloko sesikhungo sedatha. Isebenza njengehabhu emaphakathi, lapho yonke ithrafikhi ye-cross-VNI noma i-cross-subnet kufanele idlule.
Empeleni, isango elimaphakathi lisebenza njengesango elizenzakalelayo, elihlinzeka ngezinsizakalo zomzila ze-Layer 3 kuwo wonke amanethiwekhi e-VXLAN. Cabangela ama-VNI amabili: i-VNI 10000 (i-subnet 10.1.1.0/24) ne-VNI 20000 (i-subnet 10.2.1.0/24). Uma i-VM A ku-VNI 10000 ifuna ukufinyelela i-VM B ku-VNI 20000, iphakethe lifika kuqala ku-VTEP yendawo. I-VTEP yendawo ithola ukuthi ikheli le-IP lendawo alikho ku-subnet yendawo bese ilidlulisela kusango elimaphakathi. Isango linqamula iphakethe, lenze isinqumo somzila, bese lihlanganisa kabusha iphakethe libe emhubheni oya endaweni okuyiwa kuyo i-VNI.
Izinzuzo zisobala:
○ Ukuphatha okululaKonke ukulungiselelwa kwemizila kubekwe endaweni eyodwa kudivayisi eyodwa noma amabili, okuvumela opharetha ukuthi bagcine amasango ambalwa kuphela ukumboza yonke inethiwekhi. Le ndlela ifanele izikhungo zedatha ezincane neziphakathi nendawo noma izindawo ezithumela i-VXLAN okokuqala ngqa.
○Ukusebenza kahle kwensizaAmasango ngokuvamile asebenza kahle kakhulu (njenge-Cisco Nexus 9000 noma i-Arista 7050) ekwazi ukuphatha amanani amakhulu wethrafikhi. Indiza elawulayo iphakathi nendawo, yenza kube lula ukuhlanganiswa nezilawuli ze-SDN ezifana ne-NSX Manager.
○Ukulawula ukuphepha okuqinileIthrafikhi kufanele idlule esangweni, iqondise ukusetshenziswa kwama-ACLs (Uhlu Lokulawula Ukufinyelela), ama-firewall, kanye ne-NAT. Cabanga ngesimo esinabaqashi abaningi lapho isango elimaphakathi lingahlukanisa kalula ithrafikhi yabaqashi.
Kodwa ukushiyeka akukwazi ukushaywa indiva:
○ Iphuzu elilodwa lokwehlulekaUma isango lihluleka, ukuxhumana kwe-L3 kuyo yonke inethiwekhi kukhubazekile. Nakuba i-VRRP (i-Virtual Router Redundancy Protocol) ingase isetshenziselwe ukuphinda isetshenziswe, isenezingozi.
○Ukuphazamiseka kokusebenzaYonke ithrafikhi yasempumalanga-ntshonalanga (ukuxhumana phakathi kwamaseva) kufanele idlule isango, okuholela endleleni engafanele. Isibonelo, kuqoqo lamanodi angu-1000, uma umkhawulokudonsa wesango ungu-100Gbps, ukuminyana kungenzeka kwenzeke phakathi namahora aphakeme.
○I-scalability ephansiNjengoba isikali senethiwekhi sikhula, umthwalo wesango ukhuphuka kakhulu. Esibonelweni somhlaba wangempela, ngibone isikhungo sedatha yezezimali sisebenzisa isango elimaphakathi. Ekuqaleni, yayihamba kahle, kodwa ngemva kokuba inani lama-VM liphindwe kabili, ukubambezeleka kwenyuka kusuka kuma-microsecond kuya kuma-millisecond.
Isimo sohlelo lokusebenza: Ifanele izindawo ezidinga ukuphathwa kalula okuphakeme, njengamafu ebhizinisi ayimfihlo noma amanethiwekhi okuhlola. I-Cisco's ACI architecture ivamise ukusebenzisa imodeli emaphakathi, ehlanganiswe ne-leaf-spine topology, ukuze kuqinisekiswe ukusebenza kahle kwamasango abalulekile.
Kusatshalaliswe i-VXLAN Gateway
Isango elisabalalisiwe le-VXLAN, elaziwa nangokuthi isango elisabalalisiwe noma isango elisakazwayo, likhipha ukusebenza kwesango ekushintsheni kweqabunga ngalinye noma i-hypervisor VTEP. I-VTEP ngayinye isebenza njengesango lendawo, eliphatha ukudluliselwa kwe-L3 ku-subnet yendawo.
Umgomo uvumelana nezimo: i-VTEP ngayinye ihlelwa nge-IP efanayo (VIP) njengesango elizenzakalelayo, kusetshenziswa indlela ye-Anycast. Amaphakethe e-Cross-subnet athunyelwa ama-VM ahanjiswa ngokuqondile ku-VTEP yendawo, ngaphandle kokuthi adlule endaweni emaphakathi. I-EVPN iwusizo kakhulu lapha: nge-BGP EVPN, i-VTEP ifunda imizila yabasingathi abakude futhi isebenzisa ukubophezela kwe-MAC/IP ukugwema izikhukhula ze-ARP.
Isibonelo, i-VM A (10.1.1.10) ifuna ukufinyelela ku-VM B (10.2.1.10). Isango elizenzakalelayo le-VM A yi-VIP ye-VTEP yendawo (10.1.1.1). Imizila yendawo ye-VTEP eya ku-subnet yendawo, ihlanganisa iphakethe le-VXLAN, futhi ilithumela ngokuqondile ku-VTEP ye-VM B. Le nqubo inciphisa indlela nokubambezeleka.
Izinzuzo Ezivelele:
○ Ukukala okuphezuluUkusabalalisa ukusebenza kwesango kuwo wonke amanodi kukhulisa usayizi wenethiwekhi, okuzuzisa amanethiwekhi amakhulu. Abahlinzeki bamafu abakhulu njenge-Google Cloud basebenzisa indlela efanayo ukusekela izigidi zama-VM.
○Ukusebenza okuphezuluIthrafikhi yaseMpumalanga-ntshonalanga icutshungulwa endaweni ukuze kugwenywe izithiyo. Idatha yokuhlola ibonisa ukuthi ukuphuma kungakhuphuka ngo-30% -50% kumodi esabalalisiwe.
○Ukuvuselelwa kwephutha okusheshayoUkwehluleka okukodwa kwe-VTEP kuthinta kuphela umsingathi wendawo, okushiya amanye ama-node engathinteki. Kuhlanganiswe nokuhlangana okusheshayo kwe-EVPN, isikhathi sokutakula singemizuzwana.
○Ukusebenzisa kahle izinsizaSebenzisa i-Leaf switch ye-ASIC chip yokusheshisa izingxenyekazi zekhompuyutha, ngezinga lokudlulisela phambili elifinyelela izinga le-Tbps.
Yiziphi izinkinga?
○ Ukucushwa okuyinkimbinkimbiI-VTEP ngayinye idinga ukucushwa komzila, i-EVPN, nezinye izici, okwenza ukuthunyelwa kokuqala kudle isikhathi. Ithimba lokusebenza kufanele lijwayele i-BGP ne-SDN.
○Izimfuneko eziphezulu zehadiweIsango elisabalalisiwe: Akuwona wonke amaswishi asekela amasango asabalalisiwe; I-Broadcom Trident noma i-Tomahawk chips iyadingeka. Ukuqaliswa kwesoftware (okufana ne-OVS ku-KVM) akusebenzi kahle njengehadiwe.
○Izinselele zokungaguquguqukiUkusatshalaliswa kusho ukuthi ukuvumelanisa kwesifunda kuncike ku-EVPN. Uma iseshini ye-BGP ishintshashintsha, ingabangela umzila omnyama womzila.
Isimo sohlelo lokusebenza: Ilungele izikhungo zedatha ye-hyperscale noma amafu omphakathi. Irutha esabalalisiwe ye-VMware NSX-T iyisibonelo esijwayelekile. Ihlanganiswe ne-Kubernetes, isekela kalula iziqukathi zenethiwekhi.
I-Centralized VxLAN Gateway vs. Distributed VxLAN Gateway
Manje ngena kuvuthondaba: yikuphi okungcono? Impendulo ithi "kuncike", kodwa kufanele simbe sijule kudatha nezifundo zecala ukuze sikukholise.
Ngokombono wokusebenza, amasistimu asabalalisiwe asebenza kahle ngokusobala. Kubhentshimakhi evamile yesikhungo sedatha (ngokusekelwe kumishini yokuhlola ye-Spirent), ukubambezeleka okumaphakathi kwesango elimaphakathi kwaba ngu-150μs, kuyilapho lokho kwesistimu esabalalisiwe kwakungama-50μs kuphela. Ngokuphathelene nokuphuma, amasistimu asabalalisiwe angafinyelela kalula ukudluliselwa kwesilinganiso somugqa ngoba asebenzisa umzila we-Spine-Leaf Equal Cost Multi-Path (ECMP).
I-scalability ingenye inkundla yempi. Amanethiwekhi amaphakathi afanele amanethiwekhi anama-node angu-100-500; ngale kwalesi sikali, amanethiwekhi asabalalisiwe azuza isandla esiphezulu. Thatha i-Alibaba Cloud, isibonelo. I-VPC yabo (i-Virtual Private Cloud) isebenzisa amasango e-VXLAN asabalalisiwe ukuze isekele izigidi zabasebenzisi emhlabeni wonke, ngokubambezeleka kwesifunda esisodwa ngaphansi kuka-1ms. Indlela emaphakathi ngabe kade yabhidlika.
Kuthiwani ngezindleko? Isixazululo esimaphakathi sinikeza ukutshalwa kwezimali okuphansi kokuqala, okudinga kuphela amasango asezingeni eliphezulu. Isixazululo esisabalalisiwe sidinga wonke ama-leaf node ukuthi asekele ukulayishwa kwe-VXLAN, okuholela ezindlekweni eziphakeme zokuthuthukisa ihadiwe. Kodwa-ke, ngokuhamba kwesikhathi, isixazululo esisabalalisiwe sinikeza izindleko eziphansi ze-O&M, njengamathuluzi wokuzenzakalela afana ne-Ansible inika amandla ukucushwa kwenqwaba.
Ukuphepha nokuthembeka: Amasistimu abekwe endaweni eyodwa asiza ukuvikela endaweni eyodwa kodwa abeka engcupheni enkulu yephoyinti elilodwa lokuhlasela. Amasistimu asabalalisiwe aqinile kodwa adinga indiza yokulawula eqinile ukuze kuvinjelwe ukuhlaselwa kwe-DDoS.
Ucwaningo lwezwe langempela: Inkampani ye-e-commerce yasebenzisa i-VXLAN ephakathi ukuze yakhe indawo yayo. Phakathi nezikhathi eziphakeme kakhulu, ukusetshenziswa kwe-CPU yesango kukhuphuke kwafika ku-90%, okuholele ezikhalazoni zabasebenzisi mayelana nokubambezeleka. Ukushintshela kumodeli esabalalisiwe kuxazulule inkinga, kwavumela inkampani ukuthi iphinde kabili isikali sayo kalula. Ngakolunye uhlangothi, ibhange elincane laphikelela ekusetshenzisweni kwemodeli eyodwa ngenxa yokuthi labeka eqhulwini ukuhlolwa kocwaningomabhuku futhi lathola ukuphatha okuphakathi nendawo kulula.
Ngokuvamile, uma ufuna ukusebenza kwenethiwekhi ngokwedlulele nesikali, indlela esabalalisiwe iyindlela okufanele uhambe ngayo. Uma isabelomali sakho sinomkhawulo futhi ithimba lakho labaphathi lintula ulwazi, indlela emaphakathi iyasebenza kakhulu. Ngokuzayo, ngokukhuphuka kwe-5G kanye ne-edge computing, amanethiwekhi asabalalisiwe azothandwa kakhulu, kodwa amanethiwekhi aphakathi nendawo asazobaluleka ezimweni ezithile, ezifana nokuxhumana kwehhovisi legatsha.
I-Mylinking™ Network Packet Brokersisekela i-VxLAN, VLAN, GRE, MPLS Header Stripping
Kusekelwe unhlokweni we-VxLAN, VLAN, GRE, MPLS ehlutshiwe ephaketheni ledatha langempela kanye nokuphumayo okudluliselwa phambili.
Isikhathi sokuthumela: Oct-09-2025
