Huawei CloudEngine Series Switches VXLAN Technology White Paper
Huawei VLAN Technology White Paper

VLAN Technology White Paper
Huawei Technologies Co., Ltd., Huawei Building, No. 3 Xinxi Road, Shangdi Information Industry Base, Beijing 100085
March 2003

Abstract
Based on the Huawei Quidway series Ethernet switching products, this paper describes in detail the mainstream VLAN technologies on today's Ethernet platforms and Huawei's extensions to them, including port-based VLAN assignment, PVLAN, and dynamic VLAN registration protocols such as GVRP and VTP.
It summarizes current developments in VLAN technology, discusses step by step the common and some unique VLAN features of the Quidway series Ethernet switching products, and, for each topic, briefly describes how the VLAN technology is applied in real networks.

Keywords: VLAN, PVLAN, GVRP, VTP

1 VLAN Overview
A VLAN (Virtual Local Area Network) is a technology that creates virtual workgroups by dividing the devices on a LAN into segments logically rather than physically.
In 1999 the IEEE published the 802.1Q draft standard to standardize VLAN implementation.
VLAN technology allows a network administrator to divide one physical LAN into different broadcast domains (virtual LANs, or VLANs) logically. Each VLAN contains a group of workstations with the same requirements and has the same attributes as a physically formed LAN.
Because the division is logical rather than physical, the workstations in a VLAN need not be placed in the same physical location, that is, they need not belong to the same physical LAN segment.
Broadcast and unicast traffic inside a VLAN is not forwarded to other VLANs, which helps control traffic, reduce equipment investment, simplify network management, and improve network security.
VLAN is a protocol proposed to solve the broadcast and security problems of Ethernet. It adds a VLAN header to the Ethernet frame and uses the VLAN ID to divide users into smaller workgroups, restricting Layer 2 access between users of different workgroups; each workgroup is a virtual LAN.
The benefits of a virtual LAN are that it limits the broadcast scope, forms virtual workgroups, and allows the network to be managed dynamically.
VLAN implementation methods on switches fall into roughly four categories:
1. Port-based VLANs. This method assigns VLANs according to the ports of the Ethernet switch. For example, on a Quidway S3526, ports 1-4 belong to VLAN 10, ports 5-17 to VLAN 20, and ports 18-24 to VLAN 30. The ports of one VLAN need not be contiguous; the administrator decides the configuration. With several switches, ports 1-6 of switch 1 and ports 1-4 of switch 2 can be assigned to the same VLAN, that is, one VLAN can span several Ethernet switches. Port-based assignment is currently the most widely used way of defining VLANs, and IEEE 802.1Q specifies the international standard for dividing VLANs according to Ethernet switch ports.
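The following is an added example, not code from the white paper or from Huawei: a minimal model of the port-based VLAN assignment described above, using the Quidway S3526 port map quoted in the text (ports 1-4 in VLAN 10, 5-17 in VLAN 20, 18-24 in VLAN 30) plus one hypothetical trunk port 25 towards a second switch. It shows how an IEEE 802.1Q tag is inserted and stripped, and why broadcast and unknown-unicast frames are flooded only to ports of the same VLAN. MAC addresses and payloads are constructed sample data.

```python
"""Added example (not part of the white paper): a port-based VLAN switch model.
The S3526 port map comes from the text; trunk port 25 is an assumption."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID of an IEEE 802.1Q tag
BROADCAST = b"\xff" * 6


def add_8021q_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the source MAC of an untagged frame."""
    if not 1 <= vlan_id <= 4094:            # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vlan_id             # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def strip_8021q_tag(frame: bytes):
    """Return (vlan_id, untagged_frame); an untagged frame yields (None, frame)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class PortVlanSwitch:
    """Learning switch whose access ports each belong to exactly one VLAN (the PVID)."""

    def __init__(self, port_vlan: dict, trunk_ports=()):
        self.port_vlan = dict(port_vlan)    # access port -> VLAN ID
        self.trunks = set(trunk_ports)      # ports that carry tagged frames of every VLAN
        self.mac_table = {}                 # (vlan, mac) -> port; MACs are learned per VLAN

    def receive(self, in_port, frame: bytes) -> dict:
        """Return {out_port: frame} for every port the frame is sent to; {} means dropped."""
        vid, untagged = strip_8021q_tag(frame)
        if in_port in self.trunks:
            if vid is None:
                return {}                   # untagged on a trunk: this model has no native VLAN
        else:
            if vid is not None:
                return {}                   # a tagged frame on an access port is dropped
            vid = self.port_vlan[in_port]   # access port: the VLAN comes from the port, not the frame
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if known == in_port:
            return {}                       # destination hangs off the ingress port: filtered
        if known is not None and dst != BROADCAST:
            targets = [known]               # known unicast: switched to one port
        else:                               # broadcast / unknown unicast: flooded within the VLAN only
            targets = [p for p in self.port_vlan if p != in_port and self.port_vlan[p] == vid]
            targets += [p for p in self.trunks if p != in_port]
        return {p: (add_8021q_tag(untagged, vid) if p in self.trunks else untagged) for p in targets}


def quidway_s3526_example() -> PortVlanSwitch:
    """Port-to-VLAN map quoted in the white paper; port 25 as a trunk is an assumption."""
    port_vlan = {p: 10 for p in range(1, 5)}
    port_vlan.update({p: 20 for p in range(5, 18)})
    port_vlan.update({p: 30 for p in range(18, 25)})
    return PortVlanSwitch(port_vlan, trunk_ports=(25,))


if __name__ == "__main__":
    sw = quidway_s3526_example()
    # constructed broadcast frame from host 00:00:00:00:00:01 on port 1 (VLAN 10)
    bcast = BROADCAST + b"\x00\x00\x00\x00\x00\x01" + b"\x08\x00" + b"payload"
    print(sorted(sw.receive(1, bcast)))      # ports 2, 3, 4 and the trunk 25 only
```

The broadcast from port 1 reaches only the other VLAN 10 access ports and the trunk, where it leaves tagged with VID 10; a tagged VLAN 30 frame arriving on the trunk is flooded only to ports 18-24. The MAC table is keyed by (VLAN, MAC), so the same MAC learned in two VLANs does not cause cross-VLAN forwarding.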
Huawei Data Center 5800 Switches, 01-01 Basic Interface Configuration

1 Basic Interface Configuration
About This Chapter
1.1 Interface Overview: This section describes the interface types and interface numbering rules of the device.
1.2 Configuring Basic Interface Parameters: Basic interface parameters include the interface description, the interface traffic statistics interval, and enabling or disabling the interface.
1.3 Maintaining Interfaces: You can clear interface statistics to query the interface traffic over a given period.

1.1 Interface Overview
This section describes the interface types and interface numbering rules of the device.

Interface Types
An interface is the component through which the device exchanges data and interacts with other devices on the network. Interfaces fall into three types: management interfaces, physical service interfaces, and logical interfaces.
• Management interface: management interfaces provide configuration and management support, that is, users log in to the device through these interfaces to configure and manage it. Management interfaces do not carry service traffic. For details about management interface configuration, see the CloudEngine 7800&6800&5800 Series Switches Configuration Guide - Basic Configuration. The management interfaces supported by the device are listed in Table 1-1.
Table 1-1 Management interfaces
  - In V100R005C00, only the CE6850-48S6Q-HI supports the Mini USB interface. In V100R005C10 and later versions, the CE6850-48S6Q-HI, CE6850-48T4Q-HI, and CE6850U-HI support the Mini USB interface.
  - The CE6850HI and CE6850U-HI have two Combo management interfaces. Each Combo interface consists of one optical interface and one electrical interface, and only one of the two can be active at a time.
• Physical service interface: a physical service interface exists physically and is backed by hardware components. Physical interfaces carry service traffic. They are sometimes called ports; for consistency, this manual calls them interfaces. The physical interfaces supported by the device are listed in Table 1-2.
Table 1-2 Physical interfaces
By default, the Ethernet interfaces of the device work in Layer 2 mode. To use the Layer 3 functions of an interface, run the undo portswitch command to switch it to Layer 3 mode.
• Logical interface: a logical interface can exchange data but does not exist physically; it must be created by configuration. Logical interfaces carry service traffic. The logical interfaces supported by the device are listed in Table 1-3.
Table 1-3 Logical interfaces
Huawei CloudEngine Series Switches Technical Presentation

CloudEngine Is the Foundation of the Intent-driven Network
Huawei CloudEngine Series Switches Technical Presentation

Contents
1 CloudEngine Switch Overview
2 CloudEngine Switch Highlights
3 CloudEngine Switch Market Progress

1 CloudEngine Switch Overview

Switches Are the Cornerstone for Transforming Data Centers from Service Centers to Value Centers
(Drivers: cloud computing, big data, distributed storage.)
Metcalfe's Law: The effect of a telecommunications network is proportional to the square of the number of connected users of the system. (Robert Metcalfe, inventor of Ethernet and founder of 3Com)
In the future, even if all hardware network devices disappear, data center switches, used as the buses connecting to servers, will always exist. Ethernet helps release the value of data.

Characteristics of the Future of DC Switches: Ultra-broadband, Simplified, Intelligent, Secure, and Open
(Figure: AI, SDN, and NFV lead to the intent-driven network. A controller and management tool layer (controller, analyzer, security; management, control, analysis) sits above a spine/leaf/gateway infrastructure.)
• Ultra-broadband: bandwidth -> latency
• Secure: Layer 2 and Layer 3 -> security
• Intelligent: manual driving -> automated driving
• Open: web page -> service integration (convergence, ecosystem)

CloudEngine Series Data Center Switches Portfolio (1)
• Core switches: CloudEngine 16800 (New): CloudEngine 16816, CloudEngine 16808, CloudEngine 16804
• Access switches: CloudEngine 6881-48S6CQ (New), CloudEngine 6863-48S6CQ (New); 10GE ToR switch and 25GE ToR switch

CloudEngine Series Data Center Switches Portfolio (2)
• Core switches: CE12800 series (CE12816, CE12812, CE12808, CE12804) and CE12800S series (CE12808S, CE12804S)
• 10GE ToR switches: CE6851-48S6Q-HI, CE6810-48S4Q-LI, CE6810-32T16S4Q-LI
• GE ToR switches: CE5855-48T4S2Q-EI, CE5855-24T4S2Q-EI
• Virtual switch: CE1800V
• 10GE large-buffer ToR switch: CE6870-48S6CQ-EI
• ToR switch with flexible cards: CE8861-4C-EI
• 40GE switch: CE7855-32Q-EI
• 25GE ToR switch: CE6865-48S8CQ-EI
• 100GE switch: CE8850-64CQ-EI
• Other models shown: CE6855/CE6856-48S6Q-HI, CE6855/CE6856-48T6Q-HI, CE6870-48T6CQ-EI, CE6875-48S4CQ-EI, CE8850-32CQ-EI, CE6860-48S8CQ-EI, CE6857-48S6CQ-EI, CE8860-4C-EI, CE5880-48T6Q-EI, CE6880-24S4Q2CQ-EI

High-Quality CloudEngine: High-Quality Architecture Creates a Green and Stable Network
CE12800 (Patent No.: CN201110339954.1):
• Orthogonal architecture: line cards plug in with no backplane cabling, increasing the bandwidth of the entire system.
• Strict front-to-back airflow design: independent front-to-back airflow and even heat dissipation, suitable for data centers.
• Non-blocking switching: cell switching and VoQ balance traffic and improve bandwidth utilization.
• Counter-rotating and turbo fans: highly efficient heat dissipation and a leading energy-conserving design.
• Industry-leading architecture design and high quality: orthogonal SFU design, Clos architecture, cell switching, and the Virtual Output Queue (VOQ) mechanism.

2 CloudEngine Switch Highlights
• Ultra-broadband CloudEngine
• Simplified CloudEngine
• Intelligent CloudEngine
• Secure CloudEngine
• Open CloudEngine

Ultra-broadband CloudEngine

Clos Theory: Cluster Scale Is the Driving Force for Data Center Network Architecture Evolution
(Figure: first generation, core/edge, Layer 2, 10GE links, 3K GE servers; second generation, spine/leaf and core/edge, Layer 2 and Layer 3, 40GE links, 10K GE servers; third generation, spine/leaf/edge, Layer 3 with BGP, 40GE links, 20K 10GE servers.)
• The port capacity of cards increases continuously, and CE switches can provide 36*100GE ports.
• To avoid hash polarization, CE switches provide 128 ECMP paths.
• Network congestion control: CE switches provide large buffers and split a single flow into multiple flows to load balance them.
Difficulty of the non-blocking Clos architecture: the convergence ratio and the packet loss ratio cannot be compromised.
• Data center network architecture: a fat-tree topology is used, and the capacity of the root node determines the server cluster scale.
• Evolution direction: add network layers and increase the quantity and capacity of spine or core nodes.
• Network congestion control: increase the buffer and optimize load balancing.
CE switches' buffer is 80 times the industry average, achieving zero packet loss for microburst traffic. Switch performance is 1032 Tbit/s. CE switches can connect to over 50,000 servers with no blocking.

Larger Interface Rate: The Rise of 25GE Interfaces Balances Cost and Efficiency
Development of Ethernet: 10M (1980); 100M, IEEE 802.3u (1995); 1000M, IEEE 802.3ab/z (1998); 10G, IEEE 802.3ae/ak (2002); DCB/PB (IETF TRILL) (2008); FCoE (2009); 40G/100G, IEEE 802.3ba (2010); 400G (2013); 25G, IEEE 802.3by (2016); DPDK.
Why have 25GE interfaces been adopted in the past two years?
• The 25GE interface better matches the SerDes rate progression: 1.25 Gbit/s -> 3.125 Gbit/s -> 6.25 Gbit/s -> 10.3125 Gbit/s -> 25 Gbit/s -> 56 Gbit/s.
• Compared with a 40GE NIC, a 25GE NIC uses the PCIe lanes more efficiently: (40G+40G)/(8G*16) = 62.5%; 25G*2/(8G*8) = 78%.
• Lower cabling costs for 25GE interfaces: the SFP28 module uses only a single-channel connection, so it is compatible with the LC optical fibers of the 10GE era and no re-cabling is needed.
• The bandwidth between NICs has exceeded 10 Gbit/s as technologies such as RDMA, SR-IOV, and DPDK develop.

AI Fabric: Intelligent Lossless Data Center Network Solution Provides Low Latency and Zero Packet Loss
(Figure: servers with APP, RDMA NIC, and coprocessor or FPGA attached to a switch; physical queues Q0 and Q1 with an ECN waterline, PFC, and a port-buffer threshold.)
• VIQ eliminates packet loss inside chips: VIQ enables the outbound interface to send backpressure signals to the inbound interface, achieving zero packet loss where traditional queuing drops packets.
• Dynamic ECN uses dynamic collection and dynamic threshold adjustment to realize low latency and high throughput.
• Fast CNP provides fast congestion feedback, improving network convergence performance by 30% compared with normal CNP.

Simplified CloudEngine

Device Virtualization: Easy-to-Manage, High-Performing, Highly Reliable Virtual Systems
Cluster Switch System (CSS): unique three-channel separated cluster with control plane coupling
• Independent forwarding, control, and detection channels (control signaling channel, data forwarding channel, dual-active detection (DAD) channel) in a 3-channel cluster design.
• Four dedicated GE interfaces are used as cluster control channels.
• A maximum of 3.2 Tbit/s cluster bandwidth is supported.
Multi-Chassis LAG (M-LAG): independent control plane with protocol-level coupling (peer-link and DAD channel)
• The control plane runs independently and synchronizes only a small amount of interface status information.
• Devices in the DFS group can be upgraded independently without interrupting services.
• When the peer-link is faulty or the M-LAG master device fails twice, the M-LAG backup device can still work properly.
M-LAG Lite: independent control plane without coupling
• The control plane runs independently and has no synchronization information.
• Two switches are configured with the same gateway IP address and MAC address.
• The two links of the server NIC are configured to send broadcast packets simultaneously.
VS (Virtual System)
• Provides up to 1:16 virtualization in port and port group mode: on-demand VS allocation, improving resource utilization.
• Exclusive CPU, memory, and MAC/VLAN/FIB entries: exclusive resources in each VS and the highest specifications.
• Fault isolation between VSs, improving security.

Layer 2 Boundary Extension: Build a Large-Scale Network Resource Pool Based on BGP EVPN
BGP EVPN acts as the VXLAN control plane to provide the following functions:
• Triggers automatic VXLAN tunnel setup between VTEPs, avoiding the manual configuration of full-mesh tunnels.
• Advertises host routes and MAC address tables, prevents unknown traffic flooding, and optimizes packet forwarding.
• Implements Layer 2 interconnection between data centers with different networking.
(Figure: VTEPs and route reflectors (RRs) exchanging BGP EVPN routes over VXLAN; large-scale horizontal Layer 2 expansion within the data center and extension to the remote DC.)
Protocol vitality: open interconnection and interworking between devices from different vendors.

Network Automation: Interconnection with Third-Party Management Tools, Controllers, Virtualization Management Platforms, and Cloud Platforms
• Scenario 1, traditional network management: interconnection with a third-party management tool. CE switches interconnect with a third-party management tool such as Ansible to implement automatic network configuration.
• Scenario 2, network and computing association: interconnection with a virtualization management platform. CE switches connect to the Agile Controller-DCN, and the Agile Controller-DCN is associated with the third-party computing management platform.
• Scenario 3, third-party management on the overlay: interconnection with a third-party controller. The CE switch functions as the VXLAN Layer 2 VTEP and is managed by NSX.
• Scenario 4, cloud-network integration: interconnection with a cloud platform through the Agile Controller-DCN. CE switches connect to the Agile Controller-DCN, and the Agile Controller-DCN connects to the third-party cloud platform.
(Figure: spine/leaf/gateway fabric with 10GE and 40GE links, the DC, and ISP2.)

Simplified Deployment: IPv4 and IPv6, Unicast and Overlay Multicast, and Rollout of Full-stack Services Within Minutes
(Figures: spine, server leaf, and border leaf VTEPs serving VMs on OVS and bare-metal (BM) servers, connected to IPv4 and IPv6 extranets.)
• Service-centered IPv6 evolution mode: dual-stack, replicating the IPv4 O&M experience. 2018 Q3: virtualization; 2019 Q1: cloud-network cooperation.
• Overlay multicast: ingress replication and IGMP/PIM-SM, saving bandwidth. 2018 Q3: commercial chip ready; 2019 Q1: controller mapping.

Intelligent CloudEngine

Telemetry Capability: Transformation of the Data Collection Mode Is the Basis of Big Data O&M
Historical capabilities (SNMP, NETCONF, NetStream, ERSPAN; collector and analyzer fed by the CPU and forwarding chip):
• SNMP or NETCONF uses the query/response mechanism, minute-level reporting, and XML or text encoding, which is inefficient.
• NetStream uses flow sampling and requires CPU participation, which gives low performance and is inaccurate.
Current capabilities (SNMP, NETCONF, NetStream, ERSPAN+, INT, gRPC):
• gRPC uses the subscription/reporting mechanism, subsecond-level reporting, protobuf coding, and HTTP transmission, which is highly efficient.
• ERSPAN+ adds ingress and egress ports or timestamps to the original flows to calculate the flow path and delay.
• INT supports in-line path or quality detection.
Future evolution (SNMP, NETCONF, flow table, protobuf over UDP, gRPC, ERSPAN+, 1:1 NetStream, with an NP in the forwarding path):
• Protobuf over UDP encodes and transmits forwarding plane information efficiently without affecting CPU performance.
• A small NP intelligent analysis algorithm performs in-depth analysis of abnormal flows to learn details such as latency, jitter, packet loss ratio, and packet loss location.

Microburst Detection Capability: Millisecond-level Buffer Monitoring and Subscription Collection, Which Are Visible and Clear
Traditional NMS: a 5-minute polling period with SNMP request and response, multiple requests for a single task, and normal buffer detection. The collection period is too long and may miss network details; the detection interval is too long, so device details may be incomplete (a service exception such as an artifact or freeze on a network that looks normal).
CloudEngine:
• Visible: subsecond-level subscription data collection through gRPC subscription, with one request for multiple tasks and content feedback.
• Clear: high-precision data monitoring, 2-ms buffer monitoring with microsecond-level buffer monitoring (forwarding chip, CPU, and FPGA monitoring queues), showing when the buffer is full and packet loss may occur.
Note: The CE8860 supports this function.

Secure CloudEngine

Use Microsegmentation to Achieve Fine-grained Isolation and Service Security
As is: subnet-based isolation (VM 1, VM 2, VM 3 at 1.1.1.1, 1.1.1.2, 1.1.1.3; VM 4, VM 5, VM 6 at 2.2.2.1, 2.2.2.2, 2.2.2.3). To be: VM-level isolation.
• Fine-grained defense: applications are defined based on VM names and discrete IP addresses, with finer granularity and wider dimensions.
• Flexible deployment: services are defined based on application groups and decoupled from subnets, achieving flexible deployment.
• Distributed security: traffic of access switches is filtered nearby, and east-west isolation is implemented without firewalls.

Agile CloudEngine: Supporting NSH Service Chains, Providing Easier VAS Orchestration
(Figure: Web, App, and AFW tiers; a VAS resource pool of FW, IDS, LB, and NAT; switches and the AC.)
• Simplified deployment: the SDN controller defines service chains through drag-and-drop operations.
• Efficient forwarding: one-time traffic diversion, simple configuration, service traffic forwarding, and secure monitoring.
• Flexible orchestration: the VAS function is decoupled from the fabric, providing flexible orchestration.

MACsec at the Link Layer: Layer 3 IP Features such as Encryption Are Introduced to the MAC Link Layer
Scenario
• In scenarios that require high data confidentiality, such as government, military, and finance, interconnection is required between data centers or between modules of a data center across buildings (switch A and switch B linked by optical fiber, a transmission device, or Layer 2 transparent transmission).
• The CE6875 uplink port (100GE), and the CEL16CQFD (16*100GE) and CEL08CFFG1 (8*200GE) cards of the CE12800 can be used.
Definition
• Media Access Control Security (MACsec) ensures secure communication within LANs in compliance with IEEE 802.1AE and 802.1X. It provides identity authentication, data encryption, integrity check, and replay protection to protect Ethernet frames and prevent devices from processing attack packets.
(Figure: the original packet becomes a MACsec packet with data encryption protection and data integrity protection.)

Open CloudEngine

Open Ecosystem: Huawei Joins Hands with 20+ Industry Chain Partners to Perform System Integration
• Standards, integration, innovation, and ecological cooperation; OpenLabs in China, Germany, and Moscow.
• Multi-vendor pre-integration verification and a multi-layer open ecosystem (NSX, Ansible, and others).
• Open ecosystem: fast integration and simplified management. System integration: 10+ OpenLabs around the globe.

Open Architecture, Flexible Business Innovation
• Rapid response to service requirements: hardware BFD, microsegmentation, NSH mode, IPv6 over VXLAN.
• Intra-card CPU chip: a quad-core CPU for protocol packet processing and FIB entry delivery; a co-processor for hardware BFD and high-performance sFlow.
• Forwarding chip: adjustable processes, new service processes, adjustable entry resources, enhanced service processes, fragmentation and reassembly.
• VRP software: NETCONF, CLI, Linux container, gRPC, OpenFlow, SSH, Puppet, FuncEdit, SNMP, Linux and driver.

CloudEngine High-Performance Cloud Switches
• Ultra-broadband (higher interface rate, more even load balancing, larger buffer, and lower latency): 25GE interfaces and larger buffers cope with traffic surges in N:1 scenarios; Flowlet and DLB load balance one flow among multiple links; the AI Fabric intelligent lossless data center network solution provides low latency and zero packet loss.
• Intelligent (enabling service agility): telemetry capability, microburst detection, edge analysis capability.
• Secure (best quality in the industry and pioneering energy-saving technology): microsegmentation isolates east-west traffic on switches (originally isolated on firewalls); SFC diverts traffic from the control plane to the data plane; MACsec hardware encryption provides high security and reliability.
• Open (easy integration and timely response to services): open API; interconnection with third-party management tools such as Ansible; interconnection with third-party management tools or controllers such as VMware NSX.
• Simplified (automatic deployment of full-stack services and service rollout within minutes): multiple virtualization technologies (CSS, M-LAG, M-LAG Lite, and VS); VXLAN + BGP EVPN for intra-DC and inter-DC virtualization; SDN controller with drag-and-drop deployment, IPv4 and IPv6, and rollout of unicast and multicast full-stack services in minutes.

3 CloudEngine Switch Market Progress

China's No. 1 and One of the World's Top 3 DCN Vendors
Source: IHS, "2015 Infonetics Data Center and Enterprise SDN Vendor Leadership Analysis"
• 2012-2015: data center network vendor with the fastest growth; first release at Interop impressing the world; industry-leading ultra-high performance; Huawei was the only Chinese vendor in the global SDN leadership list; largest market share in China in Q2; Huawei was the global data center network vendor with the fastest growth, with an annual growth rate up to 137% (global SDN authoritative report of leading vendors).
• 2016: market share No. 1 in China and third largest in the world; the SDN capability won the Best of ShowNet Award at Tokyo Interop.
• 2017: Huawei was positioned as a challenger in Gartner's Magic Quadrant for Data Center Networking.
• 2018: Huawei was positioned as a leader in data center hardware platforms for SDN; the AI Fabric won the Best of Show Gold Award.

Awards and Certifications: Highly Recognized Performance
• In 2013, the CloudEngine 12800 won the Best of Show Award at Interop, the most prominent exhibition in the IT industry; Huawei is the first Chinese provider to win it.
• In 2016, the CE8860 and CE6851 won the Best of Show Award at Interop.
• Huawei's AI Fabric intelligent lossless data center network solution won the Interop Tokyo Best of Show Award.
• Other awards: Excellent Product Trusted by CIO, Most Competitive Product, Preferred Brand of Cloud Computing and Network Solution, Annual Excellent Technology, China SDN Best Practice Award, Excellent Product in Big Data.

CloudEngine Series Switches Serve 7800+ Global Customers
• Market share No. 1 in China and No. 3 in the world.
• Global market share growth rate No. 1 for four consecutive years.
• Over 32,000 CE12800 switches have been sold around the world, serving 7800+ customers in 120+ countries.
• DC SDN hardware platform leader: 2018, approaching the Leaders Quadrant; 2017, Challenger. Gartner Peer Insights Customers' Choice for Data Center Networking.

Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved. The information in this document may contain predictive statements including, without limitation, statements regarding future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Bring digital to every person, home and organization for a fully connected, intelligent world.
VXLAN Overview (Reply)

What is VXLAN? VXLAN (Virtual Extensible LAN) is a network virtualization technology used to create virtual LANs on top of a computer network.
VXLAN encapsulates packets so that they can be transported over the existing IP network.
It is designed to overcome the limitations of traditional VLAN technology in large-scale data center networks, such as the limited number of VLANs and poor scalability.

1. Origin of VXLAN
VXLAN was initially introduced jointly by VMware, Cisco, and Arista.
It was designed to provide a better virtual LAN solution for cloud computing environments, especially large-scale virtualized environments.
To overcome the limitations of traditional VLAN technology, VXLAN adopts a new encapsulation method.

2. How VXLAN Works
VXLAN encapsulates the original packet in a UDP packet so that it can be transported over an IP network.
VXLAN uses a 24-bit VXLAN Network Identifier (VNI) to associate each transported packet with a specific VXLAN network.
This provides virtual isolation, multi-tenant isolation, and cross-subnet communication.
The source and destination IP addresses of a VXLAN packet belong to the devices in the physical network that carry it.

3. Components of VXLAN
A VXLAN packet consists of three main elements: the VXLAN header, the inner datagram, and the UDP encapsulation.
The VXLAN header contains the VNI and the VXLAN flags, which identify the virtual network being transported.
The inner datagram carries the original packet and follows the VXLAN header.
The UDP encapsulation transports the VXLAN packet over the IP network.
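The following is an added example, not code from the original reply: it builds the encapsulation just described (inner Ethernet frame, 8-byte VXLAN header, outer UDP and IPv4 headers), parses it back, and shows how a receiving VTEP uses the VNI rather than anything in the inner frame to pick the tenant segment. The VTEP addresses, the VNIs, the tenant names and the inner frame are constructed sample data; UDP port 4789 and the header layout follow RFC 7348.

```python
"""Added example (not from the original page): VXLAN encapsulation, decapsulation,
and VNI-based tenant isolation at a VTEP. All addresses and frames are constructed."""
import socket
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # I flag: the VNI field carries a valid VXLAN Network Identifier
IP_PROTO_UDP = 17


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, vni << 8)


def parse_vxlan_header(data: bytes):
    """Return (vni, inner_frame). Reserved bits are ignored on receipt (RFC 7348);
    a header without the I flag carries no valid VNI and is rejected."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", data[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    return vni_field >> 8, data[8:]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when verifying a correct header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_port: int = 49152) -> bytes:
    """Wrap the original Ethernet frame in VXLAN + UDP + IPv4. The outer addresses are the
    VTEPs, i.e. the physical-network devices that transport the packet."""
    payload = build_vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum is optional on IPv4 and commonly zero for VXLAN; src_port carries flow entropy
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IP_PROTO_UDP, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + payload


def decapsulate(packet: bytes):
    """Strip the outer IPv4/UDP headers, check it is VXLAN, return (src_vtep, vni, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_UDP or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed UDP/IPv4 packet")
    src_vtep = socket.inet_ntoa(packet[12:16])
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    vni, inner = parse_vxlan_header(packet[ihl + 8:ihl + udp_len])
    return src_vtep, vni, inner


def vtep_deliver(packet: bytes, vni_to_segment: dict):
    """Receiving-VTEP logic: the VNI alone selects the tenant segment that gets the inner
    frame; a VNI not provisioned on this VTEP is dropped (segment None)."""
    _src, vni, inner = decapsulate(packet)
    return vni_to_segment.get(vni), inner


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # constructed inner broadcast frame from a tenant VM, carried between two VTEPs
    frame = ethernet_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"hello")
    pkt = encapsulate(frame, 5000, "10.0.0.1", "10.0.0.2")
    print(vtep_deliver(pkt, {5000: "tenant-a"}))   # ('tenant-a', frame)
    print(vtep_deliver(pkt, {6000: "tenant-b"}))   # (None, frame): wrong tenant, dropped
```

The `vtep_deliver` table stands in for the VNI-to-bridge-domain mapping a real VTEP keeps: two tenants can reuse the same inner MAC and IP addresses because the outer VNI, not the inner frame, decides where the packet lands.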
4. Advantages of VXLAN
Compared with traditional VLAN technology, VXLAN has the following advantages:
- Scalability: VXLAN supports a very large number of VXLAN Network Identifiers (VNIs), which meets the needs of large-scale data center networks.
- Multi-tenant isolation: through virtual isolation, VXLAN provides independent virtual networks for different users or organizations, improving network security and isolation.
- Cross-subnet communication: VXLAN allows communication between different subnets, overcoming a limitation of traditional VLAN technology.
- Flexibility: VXLAN can be deployed on the existing IP network without modifying or rebuilding the underlying network.
Huawei CloudEngine S12700E Series Switches Technical Introduction

CloudEngine S12700E 10GE Line Card (chassis and cards; hardware architecture; software architecture)
LST7X48SX6E0/LST7X48SX6S0
• 48*10GE optical ports (X6E/X6S)
• Supports 10GE SFP+ optical, GE SFP optical, and GE copper SFP modules
• Built-in fully programmable chip; supports on-board AC, VXLAN, and free mobility
A New Campus Network Core with Leading Performance — CloudEngine S12700E
…
Large-capacity switching core
• Large switching capacity: the current switching capacity of the whole system is 57.6 Tbps, with 4.8 Tbps per slot
• High port density: up to 288*100GE ports per chassis
• Large management scale: up to 10K APs managed and 50K concurrent users
Huawei Confidential
[Chart: per-card specifications for MPLS, VXLAN, BD, user capacity, and managed APs; the plotted values range from 4K to 256K.]
CloudEngine S12700E Power Modules (chassis and power; hardware architecture; software architecture)
S12700E chassis power supply:
• S12700E-4: 4 power slots, supports N+1 redundancy
• S12700E-8: 6 power slots, supports N+1 or N+2 redundancy
• S12700E-12: 6 power slots, supports N+1 or N+2 redundancy
CloudEngine S6730 Series Switches Introduction

Stack cable types
… 3 m, 5 m, and 10 m (four specifications)
1 m, 3 m, and 5 m (three specifications)
Type 3: optical patch cord + optical module (SFP, SFP+, QSFP+, QSFP28)
• For GE or 10GE optical interface stack connections: 3 m and 10 m specifications are available.
• For 40GE or 100GE optical interface stack connections: a 10 m specification is available.
Type 4: dedicated stack cable
1) Used for GE or 10GE optical interface stack connections
2) Zero-configuration stacking; the cable is plug-and-play
3) Used with CloudEngine S6730-H/S series switches

Main Features of the CloudEngine S6730 Series
Key features and application scenarios: port density, MACsec, MultiGE, 1588v2, on-board AC, MPLS, free mobility, IPv6, VXLAN, ECA, NetStream, application identification (SAC), iPCA, BFD, BGP, IS-IS, RIP/OSPF, cloud management, stacking
CloudEngine S6730-H

Huawei CloudEngine S6730 Series Switches Product Introduction
Contents
1 Campus network access trends
2 CloudEngine S6730 series product overview
3 CloudEngine S6730 series hardware
4 CloudEngine S6730 series highlight features

Diverse Access: Is the Campus Network Ready?
Portable PCs, desktop computers, video terminals

0.5 m and 1.5 m specifications are available
Note: for the stack cables matching specific product models, see "交换机堆叠相关规格说明.xlsx" (Switch Stacking Specifications).

Contents
1 Campus LAN network trends
2 CloudEngine S6730 series product overview
3 CloudEngine S6730 series hardware
4 CloudEngine S6730 series highlight features
Huawei CloudFabric DCN Fabric Networking Technology White Paper

Huawei CloudFabric Technical White Paper
Contents
1 Executive Summary
2 Introduction
2.1 Traditional Data Center Networking Technologies
2.2 Requirements of Cloud Data Center Networks
3 Solution
3.1 The Fabric Concept
3.2 Overlay Basics
3.3 Underlay Routing
3.4 VxLAN Deployment Modes
3.5 VxLAN and SDN
4 Typical Application
5 Conclusion
Acronyms and Abbreviations

1 Executive Summary
This white paper introduces the concept of a cloud data center fabric, its main service requirements, and the mainstream overlay and VxLAN technologies used to build a cloud data center fabric. It describes in detail several overlay network deployment modes, explains their characteristics and applicable scenarios, and finally presents typical fabric deployments drawn from concrete commercial applications.

2 Introduction
2.1 Traditional Data Center Networking Technologies
Because of their strong reliability requirements, data centers usually use redundant devices and redundant links so that services are not interrupted by a single-point or single-link failure. The core problem of a Layer 2 network is the loops created by redundant devices and links, and the broadcast storms those loops produce. The main technologies traditional data centers use to avoid Layer 2 loops are VLAN and xSTP.
VLAN technology divides one large physical Layer 2 domain into many small logical Layer 2 domains; Layer 2 communication is possible within a VLAN and different VLANs are isolated at Layer 2, but VLAN technology does not solve the broadcast storm problem.
xSTP addresses the root cause of loops, redundant devices and links, by blocking the redundant device ports and links under normal conditions so that no loop forms.
By design, xSTP always leaves some ports and links idle, which is clearly an unacceptable use of resources.
Moreover, blocking ports and links suits only small-scale networks: once the network reaches a certain scale, convergence after a failure slows exponentially across the whole network, so xSTP clearly cannot meet the large Layer 2 network requirements of a cloud data center.
Huawei CloudEngine S5732-H Series Switches Datasheet

Brochure
Product Overview
The CloudEngine S5732-H series switches are next-generation enhanced Ethernet switches developed by Huawei. The CloudEngine S5732-H builds on Huawei's unified Versatile Routing Platform (VRP) and offers various IDN features: the integrated wireless AC capabilities can manage up to 1,024 wireless APs; the free mobility feature ensures a consistent user experience; the VXLAN functionality implements network virtualization; and built-in security probes support abnormal traffic detection, threat analysis even in encrypted traffic, and network-wide threat deception. With these merits, the CloudEngine S5732-H can function as a core switch for small-sized campus networks and for branches of medium- and large-sized campus networks, and as an access switch for metropolitan area networks.

Models and Appearances
The following models are available in the CloudEngine S5732-H series:
CloudEngine S5732-H24S6Q
CloudEngine S5732-H48S6Q

Features and Highlights

Enabling Networks to Be More Agile for Services
● The CloudEngine S5732-H has a built-in high-speed, flexible processor chip. The chip's flexible packet processing and traffic control capabilities meet current and future service requirements, helping build a highly scalable network.
● In addition to the capabilities of traditional switches, the CloudEngine S5732-H provides open interfaces and supports user-defined forwarding behavior. Enterprises can use the open interfaces to develop new protocols and functions independently or jointly with equipment vendors to build campus networks that meet their own needs.
● The CloudEngine S5732-H series switches are programmable: enterprises can define their own forwarding models, forwarding behavior, and lookup algorithms. Microcode programmability makes it possible to provide new services within six months, without replacing the hardware. In contrast, traditional ASIC chips use a fixed forwarding architecture and follow a fixed forwarding process; for this reason, new services cannot be provisioned until new hardware is developed to support them, one to three years later.

Delivering Abundant Services More Agilely
● The CloudEngine S5732-H provides an integrated WLAN AC function that can manage 1,024 APs, reducing the cost of purchasing additional WLAN AC hardware and removing the forwarding performance bottleneck of an external WLAN AC. With this switch series, customers can stay ahead in the high-speed wireless era.
● With the unified user management function, the CloudEngine S5732-H authenticates both wired and wireless users, ensuring a consistent user experience whether they connect through wired or wireless access devices. The unified user management function supports various authentication methods, including 802.1X, MAC address, and Portal authentication, and can manage users based on user groups, domains, and time ranges. These functions make user and service management visible and support the transformation from device-centric to user-centric management.
● The CloudEngine S5732-H provides excellent quality of service (QoS) capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting the service quality requirements of different user terminals and services.

Providing Fine Granular Network Management More Agilely
● The CloudEngine S5732-H uses the Packet Conservation Algorithm for Internet (iPCA) technology, which replaces the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere and anytime, without extra cost. It can detect temporary service interruptions within a very short time and identify faulty ports accurately. This cutting-edge fault detection technology turns "extensive management" into "fine granular management."
● The CloudEngine S5732-H supports the Two-Way Active Measurement Protocol (TWAMP) to accurately check any IP link and obtain the IP performance of the entire network. This protocol eliminates the need for a dedicated probe or a proprietary protocol.
● The CloudEngine S5732-H supports SVF and functions as a parent switch. With this virtualization technology, a physical network with the "small-sized core/aggregation switches + access switches + APs" structure can be virtualized into a "super switch", greatly simplifying network management.
● With the Easy Deploy function, the CloudEngine S5732-H manages access switches much as an AC manages APs. During deployment, access switches and APs can go online with zero-touch configuration. In the Easy Deploy solution, the Commander collects topology information about the connected clients and stores the clients' startup information based on the topology. Clients can be replaced with zero-touch configuration. The Commander can deliver configurations and scripts to clients in batches and query the delivery results. In addition, the Commander can collect and display power consumption information for the entire network.

Comprehensive VPN Technologies
● The CloudEngine S5732-H supports the MPLS function and can be used as an access device for high-quality enterprise leased lines.
● The CloudEngine S5732-H allows users in different VPNs to connect to the same switch and isolates the users through multi-instance routing. Users in multiple VPNs connect to a provider edge (PE) device through the same physical port on the switch, which reduces the cost of VPN network deployment.

Flexible Ethernet Networking
● In addition to the traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the CloudEngine S5732-H supports the Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer and applies to various ring network topologies, such as open ring, closed ring, and cascading ring topologies. This protocol is reliable, easy to maintain, and implements fast protection switching within 50 ms. ERPS is defined in ITU-T G.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.
● The CloudEngine S5732-H supports Smart Link and the Virtual Router Redundancy Protocol (VRRP), which implement backup of uplinks. One CloudEngine S5732-H switch can connect to multiple aggregation switches through multiple links, significantly improving the reliability of access devices.

Various Security Control Methods
● The CloudEngine S5732-H supports 802.1X authentication, MAC address authentication, Portal authentication, and hybrid authentication, and can dynamically deliver user policies such as VLANs, QoS policies, and access control lists (ACLs). It also supports user management based on user groups.
● The CloudEngine S5732-H provides a series of mechanisms to defend against DoS and user-targeted attacks. DoS attacks target the switch itself and include SYN flood, Land, Smurf, and ICMP flood attacks. User-targeted attacks include bogus DHCP server attacks, IP/MAC address spoofing, DHCP request floods, and changes to the DHCP CHADDR value.
● The CloudEngine S5732-H sets up and maintains a DHCP snooping binding table and discards packets that do not match the table entries. You can specify DHCP snooping trusted and untrusted ports to ensure that users connect only to the authorized DHCP server.
● The CloudEngine S5732-H supports strict ARP learning, which prevents ARP spoofing attackers from exhausting ARP entries.

Mature IPv6 Features
● The CloudEngine S5732-H is developed on the mature, stable VRP and supports IPv4/IPv6 dual stack and IPv6 routing protocols (RIPng, OSPFv3, BGP4+, and IS-IS for IPv6). With these IPv6 features, the CloudEngine S5732-H can be deployed on a pure IPv4 network, a pure IPv6 network, or a shared IPv4/IPv6 network, helping achieve the IPv4-to-IPv6 transition.

Intelligent Stack (iStack)
● The CloudEngine S5732-H supports the iStack function, which combines multiple switches into one logical switch. Member switches in a stack back each other up to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability: you can increase a stack's ports, bandwidth, and processing capacity simply by adding member switches. iStack also simplifies device configuration and management. After a stack is set up, up to nine physical switches can be virtualized into one logical device, and you can log in to any member switch to manage all the member switches in the stack.

VXLAN Features
● VXLAN is used to construct a Unified Virtual Fabric (UVF). Multiple service networks or tenant networks can then be deployed on the same physical network while remaining isolated from each other. This capability truly achieves "one network for multiple purposes". The resulting benefits include carrying the data of different services or customers, reducing network construction costs, and improving network resource utilization.
● The CloudEngine S5732-H series switches are VXLAN-capable and allow centralized and distributed VXLAN gateway deployment modes. They also support the BGP EVPN protocol for dynamically establishing VXLAN tunnels and can be configured using NETCONF/YANG.

Big Data Security Collaboration
● The CloudEngine S5732-H switches use NetStream to collect campus network data and report it to the Huawei Cybersecurity Intelligence System (CIS) in order to detect network security threats, display the security posture across the entire network, and enable automated or manual response to security threats. The CIS delivers security policies to the Agile Controller, which in turn delivers them to the switches that handle the security events. All of this protects campus network security.
● The CloudEngine S5732-H supports Encrypted Communication Analytics (ECA). It uses built-in ECA probes to extract the characteristics of encrypted streams based on NetStream sampling and Service Awareness (SA), generates metadata, and reports the metadata to the Huawei Cybersecurity Intelligence System (CIS). The CIS uses an AI algorithm to train the traffic model and compares the characteristics of the extracted encrypted traffic with it to identify malicious traffic. The CIS displays detection results on the GUI, provides threat handling suggestions, and automatically isolates threats through the Agile Controller to protect campus network security.
● The CloudEngine S5732-H supports deception. It functions as a sensor to detect threats such as IP address scanning and port scanning on the network and lures the threat traffic to the honeypot for further checks.
The honeypot performs in-depth interaction with the initiator of the threat traffic, records various application-layer attack methods of the initiator, and reports security logs to the CIS. The CIS analyzes security logs. If the CIS determines that the suspicious traffic is an attack, it generates an alarm and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller. The Agile Controller delivers the policy to the switch for security event processing, ensuring campus network security.Intelligent O&M●The CloudEngine S5732-H provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.●The CloudEngine S5732-H supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the switch can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.Intelligent Upgrade●Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. 
In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.●The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures.Open Programmability System (OPS)●Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.LicensingCloudEngine S5732-H supports both the traditional feature-based licensing mode and the latest Huawei IDN One Software (N1 mode for short) licensing mode. The N1 mode is ideal for deploying Huawei CloudCampus Solution in the on-premises scenario, as it greatly enhances the customer experiences in purchasing and upgrading software services with simplicity.Software Package Features in N1 ModeNote: Only V200R019C00 and later versions can support N1 modeProduct SpecificationsService FeaturesNetworking and ApplicationsLarge-Scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the access layer of a campus network to build a high-performance and highly reliable enterprise network.Small- or Medium-scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the aggregation layer of a campus network to build a high-performance, multi-service, and highly reliable enterprise network.Small-scale Enterprise Campus NetworkWith powerful aggregation and routing capabilities of CloudEngine S5732-H series switches make them suitable for use as core switches in a small-scale enterprise network. Two or more S5732-H switches use iStack technology to ensure highreliability. 
They provide a variety of access control policies to achieve centralized management and simplify configuration.Application on a MANCloudEngine S5732-H series switches can be deployed at the access layer of a MAN(Metropolitan Area Network) to build ahigh-performance, multi-service, and highly reliable ISP MAN network.Application in Public CloudCloudCampus Solution is a network solution suite based on Huawei public cloud. CloudEngine S5732-H series switches can be located at the access layer.The switches are plug-and-play. They go online automatically after being powered on and connected with network cables, without the need for complex configurations. The switches can connect to the management and control system (CloudCampus@AC-Campus for switches running V200R019C00 and earlier versions; iMaster NCE-Campus for switches running V200R019C10 and later versions), and use bidirectional certificate authentication to ensure management channel security. The switches provide the NETCONF and YANG interfaces, through which the management and control system delivers configurations to them. In addition, remote maintenance and fault diagnosis can be performed on the management and control system.The following table lists ordering information of the CloudEngine S5732-H series switches.More InformationFor more information about Huawei Campus Switches, visit or contact us in the following ways: ●Global service hotline: /en/service-hotline ●Logging in to the Huawei Enterprise technical support website: /enterprise/ ●Sendinganemailtothecustomerservicemailbox:********************Copyright © Huawei Technologies Co., Ltd. 2020. 
All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd.Trademarks and Permissionsand other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders.NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, andrecommendations in this document are provided "AS IS" without warranties, guarantees or representations ofany kind, either express or implied.The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied. Huawei Technologies Co., Ltd. Address:Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website:。
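The "VXLAN Features" section above states that tenant networks sharing one physical network stay isolated. The mechanism is the 24-bit VNI in the VXLAN header: a VTEP keeps a separate MAC table per VNI and never forwards an inner frame into another VNI's segment. The following Python is an added example written for this page, not code from the Huawei datasheet or white paper. The header layout is the standard RFC 7348 one; the VTEP model, the port name, the VNIs and the MAC addresses are assumptions chosen for illustration.

```python
"""VXLAN encapsulation and per-VNI tenant isolation.

Added example, not Huawei code. Header layout per RFC 7348; the VTEP
model, port names, VNIs and MAC addresses are assumptions.
"""
from __future__ import annotations

import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN UDP destination port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit: the VNI field carries a valid VNI
VXLAN_HEADER_LEN = 8


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header to an inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) | reserved(3) | VNI(3) | reserved(1); last 32 bits hold VNI << 8
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)
    return header + inner_frame


def vxlan_decap(udp_payload: bytes) -> tuple[int, bytes]:
    """Split a VXLAN UDP payload into (VNI, inner frame), rejecting bad headers."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; packet must be dropped")
    return vni_field >> 8, udp_payload[VXLAN_HEADER_LEN:]


class Vtep:
    """Minimal VXLAN tunnel endpoint: one MAC table per VNI, never shared."""

    def __init__(self) -> None:
        self.mac_tables: dict[int, dict[bytes, str]] = {}

    def attach(self, vni: int, mac: bytes, port: str) -> None:
        """Learn that `mac` is reachable on local `port` inside tenant `vni`."""
        self.mac_tables.setdefault(vni, {})[mac] = port

    def deliver(self, udp_payload: bytes) -> str | None:
        """Decapsulate and look the inner destination MAC up in the table of the
        packet's own VNI only. Returns the egress port, or None when the MAC is
        unknown in that VNI, even if the same MAC exists in another tenant's table."""
        vni, frame = vxlan_decap(udp_payload)
        if len(frame) < 14:
            return None  # not even a complete Ethernet header
        dst_mac = frame[:6]
        return self.mac_tables.get(vni, {}).get(dst_mac)


def demo() -> dict[str, str | None]:
    """Same inner frame sent in two VNIs: only the owning tenant receives it."""
    vtep = Vtep()
    host_a = bytes.fromhex("020000000001")  # assumed MAC of a host in tenant A
    vtep.attach(10010, host_a, "GE0/0/1")   # tenant A uses VNI 10010 (assumed)
    inner = host_a + bytes.fromhex("020000000002") + b"\x08\x00" + b"inner payload"
    return {
        "tenant_a_vni": vtep.deliver(vxlan_encap(10010, inner)),
        "tenant_b_vni": vtep.deliver(vxlan_encap(10020, inner)),
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulation step rejects a header whose VNI-valid flag is clear instead of guessing a VNI; on a real fabric the isolation only holds as long as the VTEP refuses to map an unknown or malformed header into a tenant segment, which is why that check comes before the MAC lookup.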
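The "Various Security Control Methods" bullets name four user-targeted attacks (bogus DHCP server, IP/MAC spoofing, DHCP request flood, changed CHADDR) and the defence: DHCP snooping with trusted and untrusted ports, a binding table, and discarding packets that do not match it. The following Python is an added example for this page, a simplified model of that behaviour and not Huawei code. The port names, the MAC and IP values and the `Packet` shape are assumptions.

```python
"""DHCP snooping: trusted/untrusted ports, binding table, CHADDR check and
IP/MAC source validation against the bindings.

Added example, not Huawei code. Port names, addresses and the Packet
shape are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}             # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class Packet:
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    dhcp_type: str | None = None  # None for ordinary IP traffic
    chaddr: str | None = None     # DHCP client hardware address field
    yiaddr: str | None = None     # address assigned in OFFER/ACK


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class DhcpSnoopingSwitch:
    trusted_ports: set[str]  # ports facing the authorized DHCP server
    bindings: dict[tuple[str, int], Binding] = field(default_factory=dict)
    pending: dict[tuple[str, int], str] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop: <reason>' for one packet."""
        trusted = pkt.port in self.trusted_ports
        key = (pkt.chaddr or pkt.src_mac, pkt.vlan)

        if pkt.dhcp_type in SERVER_MSGS:
            if not trusted:
                return "drop: DHCP server message on untrusted port"
            if pkt.dhcp_type == "ACK" and pkt.chaddr and pkt.yiaddr:
                # Lease confirmed by the authorized server: bind MAC/IP/VLAN to the
                # port the client's request came from.
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(pkt.chaddr, pkt.yiaddr, pkt.vlan, client_port)
            return "forward"

        if pkt.dhcp_type in CLIENT_MSGS:
            if not trusted and pkt.chaddr != pkt.src_mac:
                return "drop: CHADDR does not match frame source MAC"
            if pkt.dhcp_type in ("DISCOVER", "REQUEST"):
                self.pending[key] = pkt.port
            elif pkt.dhcp_type == "RELEASE":
                bound = self.bindings.get(key)
                if bound is not None and bound.port != pkt.port:
                    return "drop: RELEASE from a port other than the binding's port"
                self.bindings.pop(key, None)
            return "forward"

        # Ordinary IP traffic: an untrusted port may only use its own binding.
        if trusted:
            return "forward"
        bound = self.bindings.get(key)
        if bound is None or bound.ip != pkt.src_ip or bound.port != pkt.port:
            return "drop: no matching DHCP snooping binding"
        return "forward"


def demo() -> list[str]:
    """Constructed packet sequence; returns one verdict per packet."""
    sw = DhcpSnoopingSwitch(trusted_ports={"GE0/0/24"})  # assumed uplink to the real server
    client = "02:00:00:00:00:0a"
    events = [
        # 1 rogue server on an access port answers a client
        Packet("GE0/0/5", 10, "02:00:00:00:00:99", "192.168.10.254", "OFFER", client, "192.168.10.66"),
        # 2 legitimate client request
        Packet("GE0/0/1", 10, client, "0.0.0.0", "REQUEST", client),
        # 3 CHADDR differs from the frame source MAC (pool exhaustion attempt)
        Packet("GE0/0/7", 10, "02:00:00:00:00:0b", "0.0.0.0", "REQUEST", "02:00:00:00:00:ff"),
        # 4 authorized server ACK on the trusted uplink: binding learned
        Packet("GE0/0/24", 10, "02:00:00:00:00:01", "192.168.10.1", "ACK", client, "192.168.10.20"),
        # 5 client traffic with the bound address from the bound port
        Packet("GE0/0/1", 10, client, "192.168.10.20"),
        # 6 same MAC/IP claimed from a different port (IP/MAC spoofing)
        Packet("GE0/0/7", 10, client, "192.168.10.20"),
        # 7 bound client using an address it was not assigned
        Packet("GE0/0/1", 10, client, "192.168.10.99"),
        # 8 RELEASE of the client's lease sent from another port
        Packet("GE0/0/7", 10, client, "192.168.10.20", "RELEASE", client),
        # 9 the binding survived, so the real client still forwards
        Packet("GE0/0/1", 10, client, "192.168.10.20"),
    ]
    return [sw.handle(p) for p in events]
```

Two details matter in practice: the trusted set must contain only the uplink toward the authorized server (every access port stays untrusted, or a rogue server on it is accepted), and the binding records the ingress port, so a spoofed address or a forged RELEASE from a different port is dropped even when the attacker copies the victim's MAC.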
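The last security bullet says strict ARP learning stops ARP spoofing attackers from exhausting the switch's ARP entries. Under strict learning the switch only installs an entry from a reply that answers an ARP request it sent itself; unsolicited replies and gratuitous ARP are ignored, so a flood of forged replies cannot fill the table. The following Python is an added example for this page and not Huawei code; it models only the switch's own ARP table on one interface, and the table limit and all addresses are assumptions.

```python
"""Strict ARP learning versus default ARP learning on a switch's ARP table.

Added example, not Huawei code. The table limit and all addresses are
assumptions; only the switch's own table on one interface is modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str  # the IP the reply is addressed to


@dataclass
class ArpTable:
    my_ip: str
    strict: bool
    max_entries: int = 16  # assumed small limit so exhaustion is visible
    entries: dict[str, str] = field(default_factory=dict)
    outstanding: set[str] = field(default_factory=set)

    def send_request(self, ip: str) -> None:
        """The switch itself needs to resolve `ip`; remember that it asked."""
        self.outstanding.add(ip)

    def receive(self, reply: ArpReply) -> bool:
        """Process an ARP reply; return True if it was learned into the table."""
        if self.strict:
            # Accept only a reply to our own pending request, addressed to us.
            if reply.sender_ip not in self.outstanding or reply.target_ip != self.my_ip:
                return False
            self.outstanding.discard(reply.sender_ip)
        if reply.sender_ip not in self.entries and len(self.entries) >= self.max_entries:
            return False  # table exhausted: a legitimate host can no longer be learned
        self.entries[reply.sender_ip] = reply.sender_mac
        return True


def flood(table: ArpTable, count: int) -> int:
    """Attacker sends `count` unsolicited replies with distinct bogus sender IPs/MACs."""
    learned = 0
    for i in range(count):
        bogus = ArpReply(f"10.0.1.{i}", f"02:00:00:00:01:{i:02x}", table.my_ip)
        learned += table.receive(bogus)
    return learned


def demo() -> dict[str, int | bool]:
    """Run the same flood against a default table and a strict one."""
    result: dict[str, int | bool] = {}
    for name, strict in (("default", False), ("strict", True)):
        table = ArpTable(my_ip="10.0.0.1", strict=strict)
        table.send_request("10.0.0.50")  # a legitimate resolution in progress
        result[f"{name}_learned_from_flood"] = flood(table, 100)
        legit = ArpReply("10.0.0.50", "02:aa:bb:cc:dd:ee", "10.0.0.1")
        result[f"{name}_legit_host_learned"] = table.receive(legit)
    return result


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: strict learning governs only what the switch itself installs. An attacker who sees the switch's own request for 10.0.0.50 can still race a forged reply for that one address, so strict learning complements, rather than replaces, the DHCP snooping binding checks applied to user traffic.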
Notice
The products, services, or features you purchase are governed by Huawei's commercial contracts and terms. All or part of the products, services, or features described in this document may not be within your scope of purchase or use. Unless otherwise agreed in the contract, Huawei makes no representations or warranties, express or implied, regarding the content of this document. The content of this document is updated from time to time due to product version upgrades or other reasons. Unless otherwise agreed, this document serves only as usage guidance, and all statements, information, and recommendations in it do not constitute any express or implied warranty.
CloudEngine Series Switches
VXLAN Technology White Paper
Document version: 01   Release date: 2014-09-20
Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved. No unit or individual may excerpt, reproduce, or distribute any part of this document in any form without the written permission of the company.
Trademark Statement
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks or registered trademarks mentioned in this document are owned by their respective owners.
Address: Longgang District, Bantian, Huawei Headquarters Office Building, Postal Code 518129

Contents
1 VXLAN Overview
2 Principles
2.1 Basic Concepts
2.2 Packet Format
2.3 Tunnel Establishment and Maintenance
2.4 Data Packet Forwarding
2.5 VXLAN QoS
3 Application Scenarios
3.1 Communication Between End Users on the Same Network Segment
3.2 Communication Between End Users on Different Network Segments
3.3 Application in Virtual Machine Migration Scenarios
4 VXLAN Configuration Example Based on an SDN Controller
5 Reference Standards and Protocols