Huawei FusionSphere 5.1
Technical White Paper on Distributed Virtual Switch
Issue V1.0
Date 2015-04-20
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com

Issue V1.0 (2015-04-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

About This Document

Purpose
This document describes the distributed virtual switch provided by FusionSphere.
Intended Audience
This document is intended for:
- Marketing personnel
- Sales personnel
- Channel sellers

Symbol Conventions
The symbols that may be found in this document are defined as follows.
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips.
- NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.
Issue V1.0 (2015-04-20): This issue is the first official release.

Contents
About This Document ... ii
1 Overview ... 1
1.1 Background ... 1
1.2 Current Status ... 2
1.2.1 CPU-based Virtual Switching ... 2
1.2.2 Physical NIC-based Virtual Switching ... 2
1.2.3 Switch-based Virtual Switching ... 3
2 Introduction ... 5
2.1 Overview ... 5
2.2 Solution Architecture ... 7
2.3 Characteristics ... 7
3 Virtual Switching Management ... 9
3.1 Host ... 9
3.2 DVS ... 9
3.3 Port Group ... 9
4 Virtual Switching Features ... 10
4.1 Uplink and Uplink Aggregation ... 10
4.2 Virtual Switching ... 10
4.3 Traffic Shaping ... 11
4.3.1 Network Plane-based Traffic Shaping ... 11
4.3.2 vNIC-based Traffic Shaping ... 11
4.4 Security ... 12
4.4.1 Layer 2 Network Security Policy ... 12
4.4.2 Broadcast Packet Suppression ... 12
4.4.3 Security Group ... 13
4.5 VM Network Passthrough ... 13
4.6 Trunk Port ... 14
4.7 Port Mirroring ... 14
4.8 VXLAN ... 15
4.9 Ports Management ... 15
4.10 Storage Plane Communication over the Layer 3 Network ... 16
4.11 Management Plane VLAN Configuration ... 16
4.12 Service Management Plane ... 16
4.13 Service Plane IPv6 ... 17
5 Application Scenario ... 20
5.1 Unified Virtual Network Management ... 20
5.2 Virtual Network Traffic Statistics ... 20
5.3 Distributed Virtual Port Group ... 20
5.4 Distributed Virtual Uplink ... 20
5.5 Network Isolation ... 21
5.6 Network Migration ... 21
5.7 Network Security ... 21
5.8 Port Mirroring ... 21
5.9 Management VLAN Configuration ... 21
5.10 Service Management Plane ... 22
5.11 Service Plane IPv6 ... 22
6 Glossary ... 23
6.1 Acronyms and Abbreviations ... 23

1 Overview

1.1 Background
Computing virtualization technology drives the development of network virtualization. In a traditional data center, a server runs one operating system (OS), connects to a switch through physical cables, and relies on the switch for data exchange, traffic control, and security control. After computing resources are virtualized, one server functions as multiple virtual hosts, each with its own CPU, memory, and network interface card (NIC). These virtual hosts not only need to communicate with each other but also pose higher requirements for security isolation and traffic control, because they share one physical server. This gives rise to the requirement for virtual switching technology.

To unify and simplify the configuration and management of the virtual switches deployed on hosts, the distributed virtual switch (DVS) was introduced. A DVS allows administrators to configure, manage, and monitor virtual switches on multiple servers, and ensures that network configuration stays consistent when VMs migrate between servers. Figure 1-1 shows the development of network virtualization.
Figure 1-1 Network virtualization development

1.2 Current Status
Virtual switching modes are classified into server-based virtual switching, also called layer 2 virtual switching, and switch-based virtual switching. Server-based virtual switching can be implemented using a CPU or a NIC. In summary, virtual switching can be implemented on a server CPU, on a server NIC, or on a physical switch.

1.2.1 CPU-based Virtual Switching
CPU-based virtual switching is a mature and widely commercialized approach, in which all virtual switching is implemented on the server CPU.
A virtual port is assigned to each virtual NIC of a VM for virtual switching, and the physical NICs of the server function as the uplink ports of the virtual switch. The packet forwarding mechanism for a VM is as follows: the distributed virtual switch (DVS) receives an Ethernet packet from the source virtual or physical port, queries the layer 2 forwarding table for the destination port based on the MAC address and VLAN of the VM, and forwards the packet through the destination virtual or physical port.

The characteristics of this approach are as follows:
1. High performance and low delay in packet forwarding between VMs on the same server.
2. High performance in layer 2 software forwarding among VMs served by the DVS.
3. Moderate performance in cross-server communication. Cross-server traffic must be forwarded by a physical switch, so the virtual switching performance of a CPU is inferior to that of a physical switch.
4. Flexible scalability. Unlike physical switches, which use layer 3 chips, servers implement virtual switching purely in software, which scales flexibly and rapidly to extend cloud computing networks.
5. Large server memory. The layer 2 switching capacity and access control list (ACL) capacity of a server are much greater than those of a physical switch.

1.2.2 Physical NIC-based Virtual Switching
The physical NIC-based virtual switching function enables an iNIC to implement virtual switching. As NIC performance improves, the DVS consumes fewer CPU resources, so VM performance improves. With the passthrough function of physical NICs, virtual switching performance is enhanced further. Traditional commercial Single-Root I/O Virtualization (SR-IOV) NICs can also support virtual switching functions.
However, because of design limitations and the lack of interaction with the hypervisor, SR-IOV NICs can hardly support live migration and other virtualization features.

Figure 1-2 shows the SR-IOV-based virtual switching mechanism.
Figure 1-2 SR-IOV-based virtual switching mechanism

NIC-based virtual switching has the following characteristics:
- Compared with DVSs that use a Virtual Ethernet Bridge (VEB) for data exchange, NIC-based virtual switching reduces CPU usage because the NIC performs the switching and no CPU is required for it.
- When the passthrough function is enabled for a physical NIC, the delay of packet forwarding from a VM to the physical NIC is dramatically reduced, because passthrough connects the VM directly to a PCI Express (PCIe) device.
- Traditional commercial physical NICs do not support live migration or flexible security isolation, and their functions are difficult to extend. Huawei's self-developed iNIC hardware connects a virtual NIC (vNIC) of a VM directly to the Virtual Machine Device Queues (VMDq) of the iNIC, and supports live migration and security isolation.

1.2.3 Switch-based Virtual Switching
Switch-based virtual switching can be implemented using the following methods:

802.1Qbg VEPA
Virtual Ethernet Port Aggregator (VEPA), based on the IEEE 802.1Qbg standards, allows packets to be forwarded in hairpin mode once the VMM software and switch software have been upgraded. Like a Virtual Ethernet Bridge (VEB), a VEPA can be implemented on the server either in software, as a thin layer in the hypervisor, or in hardware in the NIC, in which case it can be used in conjunction with PCIe I/O virtualization technologies such as SR-IOV.
A VEPA can be used wherever a VEB is installed and deployed, but it is not a replacement for the VEB, because each has its own characteristics. The VEPA is part of the IEEE standards and has no special requirements for packet formats. In addition, the VEPA approach is easy to implement, requiring only small modifications to the NIC driver, the VMM bridge module, and the external switch software, so it is cost-effective.

802.1Qbh Bridge Port Extension
The Port Extension (PE) technology introduces a new device called a Port Extender, a physical switch with limited functions that usually acts as a line card of an uplink physical switch. The Port Extender maps its physical ports to virtual ports on the uplink physical switch using packet tags added by the PE technology, and uses the tags to implement packet forwarding and policy control. VN-tag defines the source and destination VM ports of packets and specifies broadcast domains for packets. With DVSs and NICs that support the VN-tag technology, an approach similar to Edge Virtual Bridging (EVB) multi-channel can be implemented. However, VN-tag has some drawbacks. Because VN-tag is a new tagging technology that does not comply with current standards such as IEEE 802.1Q, IEEE 802.1ad, and IEEE 802.1X tags, VN-tags can be applied only to NICs, switches, software, and other new network products that support them. Initially, the IEEE 802.1 working group considered making the PE part of the EVB standard, but eventually made it an independent standard, 802.1 Bridge Port Extension. Cisco once proposed that the IEEE 802.1Q working group use Cisco's proprietary VN-tag technology to implement EVB, but the working group declined.
Recently, Cisco modified its VN-tag draft, which is now called M-tag. This modified draft also aims at standardizing communication between Port Extenders and uplink switches.

2 Introduction

2.1 Overview
Figure 2-1 shows a virtual switching scenario.
Figure 2-1 Virtual switching scenario

A Huawei DVS consists of centralized DVS management modules. The centralized management modules provide a unified portal for configuration, thereby simplifying user management. The DVS on each physical server provides VMs with capabilities such as layer 2 communication, isolation, quality of service (QoS), and maintenance.

The DVS model has the following characteristics:
- Multiple DVSs can be configured, and each DVS can serve multiple CNA nodes in a cluster.
- A DVS provides multiple virtual switch ports (VSPs), each with its own attributes, such as rate, statistics, and ACL. Ports with the same attributes are assigned to a port group for management. Port groups with the same attributes use the same VLAN.
- Different physical ports can be configured for the management plane, storage plane, and service plane.
- An uplink port or an uplink port aggregation group can be configured for each DVS to enable external communication for the VMs served by the DVS. An uplink aggregation group comprises multiple physical NICs working according to load balancing policies.
- Each VM provides multiple vNIC ports, each of which can connect to a unique VSP.
- Administrators or users can specify a server, which allows layer 2 migration within a cluster, to create a virtual layer 2 network based on service requirements, and configure the subnet and VLAN used by this network.

Figure 2-2 shows the DVS model.
Figure 2-2 DVS model

Table 2-1 describes the parameters required for virtual switching.
Table 2-1 Parameters required for virtual switching
Port Group
  Description: A port group consists of multiple ports with the same attributes. Setting port group attributes, including bandwidth QoS, layer 2 security attributes, and VLAN ID, simplifies setting the attributes of VM ports.
  Remarks: Changing port group attributes has no impact on the proper running of VMs.
Uplink Port
  Description: An uplink connects the host to the DVS.
  Remarks: Administrators can query information about an uplink, including its name, traffic rate, mode, and status.
Uplink Aggregation
  Description: A subfunction that allows multiple physical ports on a server to be bound as one port to connect to VMs.
  Remarks: Administrators can set the bound ports to load balancing mode or active/standby mode.

2.2 Solution Architecture
Figure 2-3 shows the DVS architecture.
Figure 2-3 DVS architecture

As shown in Figure 2-3, a Huawei DVS supports both the virtual switching function of an open-source DVS and the virtual switching function of an iNIC, which fully takes over virtual switching from the CPU. Although the virtual switching functions of open DVSs and iNICs are the same, the DVS Manager (DVSM) manages them using different plug-ins.

2.3 Characteristics
The solution has the following characteristics:
1. A unified portal and centralized management modules simplify user management and configuration.
2. Open DVSs are integrated to use and inherit the virtual switching functions of open-source communities.
3. iNICs take over the virtual switching functions of the CPU and provide VM network passthrough, which improves VM network performance and reduces CPU usage. FusionCompute and Huawei iNICs together enable passthrough and VM live migration, and allow all DVS features to be compatible with each other.
4. Various layer 2 network features are provided, including switching, QoS, security isolation, and maintenance.

3 Virtual Switching Management

3.1 Host
A host is a physical server that runs VMs after FusionCompute is installed on it. A host provides CPU and memory resources for VMs and enables the VMs to access networks.

3.2 DVS
A DVS manages the Elastic Virtual Switches (EVSs) and iNICs associated with multiple hosts, and also manages ports on hosts and VMs. A DVS ensures that network configurations remain consistent when a VM migrates between hosts.

3.3 Port Group
A port group facilitates port configuration. When a port group is defined, users can configure all ports in the port group at the same time. vNICs connected to the same port group share the same network attributes, including bandwidth limiting, priority, VLAN ID, DHCP quarantine, and IP-MAC address binding.
4 Virtual Switching Features

4.1 Uplink and Uplink Aggregation
An uplink connects the host to the DVS; the uplink port can be either a NIC port or an iNIC port. Uplink aggregation allows multiple physical ports on a server to be bonded as one port. Huawei supports the following common NIC aggregation policies: active/standby mode, load sharing based on source and destination MAC addresses, and round-robin mode. In addition, Huawei supports the following iNIC aggregation policies: active/standby mode, load sharing based on source and destination MAC addresses, and load sharing based on source and destination IP addresses.

4.2 Virtual Switching
A Huawei DVS provides the following virtual switching modes:

Front- and back-end mode
In this mode, a VM has two vNICs, a front-end iNIC and a back-end iNIC. The front-end iNIC connects to a port on the DVS. VM network packets are transmitted between the front- and back-end iNICs through a ring buffer and an event channel, and are forwarded by the DVS connected to the front-end iNIC.

VMDq
Intel VMDq is a hardware-assisted I/O virtualization technology that speeds up virtual switching in NIC hardware, improving the virtual I/O performance of NICs. In FusionSphere, VMDq is implemented using Huawei-developed iNICs. VMDq allows a vNIC to connect to a virtual queue of the iNIC so that network packets are transmitted directly without passing through the hypervisor, which removes the performance overhead of packet processing in Domain 0. Because VMDq is not compatible with memory swapping, it cannot be enabled while the memory overcommitment function is in use.

SR-IOV cut-through
Most commercial 10GE NICs support the SR-IOV cut-through technology. This technology creates multiple physical functions (PFs) on a physical NIC, each of which provides multiple virtual functions (VFs).
This feature allows a VM to exclusively use a VF derived from a PF. The VM then uses physical NIC resources directly, without the CPU overhead of virtual switching, which improves network performance and reduces latency for VMs. SR-IOV cut-through allows VLAN and MAC addresses to be configured for virtual switching and provides QoS control based on PCIe VFs.

4.3 Traffic Shaping
Traffic shaping allows users to configure the outbound bandwidth per network plane or per vNIC.

4.3.1 Network Plane-based Traffic Shaping
Figure 4-1 illustrates the network plane-based traffic shaping mechanism.
Figure 4-1 Network plane-based traffic shaping mechanism
Legend: iSCSI, Internet Small Computer Systems Interface; Mgr, management plane; VM, virtual machine.

The management plane, storage plane, and service plane are each allocated a specified share of the physical bandwidth. Congestion on one plane does not affect I/O on the other planes. Administrators configure the average bandwidth, peak bandwidth, and burst traffic to implement network I/O control.

4.3.2 vNIC-based Traffic Shaping
Average bandwidth, peak bandwidth, burst traffic, and bandwidth priority can be configured on a host to ensure the quality of communication between VMs. This control policy also prevents conflicts between VMs during resource contention. The administrator can set an upper bandwidth limit for vNICs to cap the maximum bandwidth of a VM.
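The following is an added example, not Huawei code, of how the two mechanisms described in sections 4.1 and 4.3 fit together on the egress path of a vNIC: a dual-rate token bucket enforces the configured average bandwidth, peak bandwidth and burst size, and an uplink aggregation group then selects the member NIC according to the policies listed in section 4.1 (active/standby, source/destination MAC hash, source/destination IP hash, round-robin). The class names, NIC names, rates and frames are all constructed for the example.

```python
"""Added example, not Huawei code: a vNIC egress path modelled on sections 4.1
and 4.3 of this paper. A dual-rate token bucket enforces the average bandwidth,
peak bandwidth and burst size configured for a vNIC, then an uplink aggregation
group picks the member NIC by policy. Names, rates and frames are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    size: int  # bytes on the wire


class DualRateShaper:
    """Two token buckets, integer arithmetic, time in microseconds.
    The average bucket refills at average_bps and holds burst_bytes, so a VM
    may burst up to burst_bytes at once; the peak bucket refills at peak_bps
    and holds one MTU, so even inside a burst frames never leave faster than
    the peak rate."""

    def __init__(self, average_bps, peak_bps, burst_bytes, mtu=1518):
        self.avg_rate = average_bps // 8      # bytes per second
        self.peak_rate = peak_bps // 8
        self.burst = burst_bytes
        self.mtu = mtu
        self.avg_tokens = burst_bytes         # buckets start full
        self.peak_tokens = mtu
        self.last_us = 0

    def _refill(self, now_us):
        elapsed = max(0, now_us - self.last_us)
        self.last_us = now_us
        self.avg_tokens = min(self.burst,
                              self.avg_tokens + elapsed * self.avg_rate // 1_000_000)
        self.peak_tokens = min(self.mtu,
                               self.peak_tokens + elapsed * self.peak_rate // 1_000_000)

    def admit(self, frame, now_us):
        """True if the frame may be sent now; a refused frame is dropped (no queueing)."""
        self._refill(now_us)
        if frame.size <= self.avg_tokens and frame.size <= self.peak_tokens:
            self.avg_tokens -= frame.size
            self.peak_tokens -= frame.size
            return True
        return False


class UplinkAggregation:
    """Selects the member NIC of an aggregation group for an egress frame."""

    POLICIES = ("active_standby", "mac_hash", "ip_hash", "round_robin")

    def __init__(self, members, policy):
        if policy not in self.POLICIES:
            raise ValueError("unknown aggregation policy: %s" % policy)
        self.members = list(members)          # first member is the active one
        self.link_up = {m: True for m in self.members}
        self.policy = policy
        self._rr = -1

    def set_link(self, member, up):
        self.link_up[member] = up

    @staticmethod
    def _hash(*fields):
        # Stable hash so one flow always lands on the same member (keeps its frames in order).
        digest = hashlib.sha256("|".join(fields).encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, frame):
        live = [m for m in self.members if self.link_up[m]]
        if not live:
            raise RuntimeError("no member link of the aggregation group is up")
        if self.policy == "active_standby":
            return live[0]                    # standby members carry traffic only on failover
        if self.policy == "mac_hash":
            return live[self._hash(frame.src_mac, frame.dst_mac) % len(live)]
        if self.policy == "ip_hash":
            return live[self._hash(frame.src_ip, frame.dst_ip) % len(live)]
        self._rr = (self._rr + 1) % len(live)  # round robin: may reorder a flow's frames
        return live[self._rr]


def egress(shaper, agg, frame, now_us):
    """Shape, then choose the uplink. Returns the member NIC name, or None if dropped."""
    if not shaper.admit(frame, now_us):
        return None
    return agg.select(frame)


def demo():
    # 8 Mbit/s average, 80 Mbit/s peak, 4000-byte burst; 1000-byte frames at the listed times (us).
    shaper = DualRateShaper(average_bps=8_000_000, peak_bps=80_000_000, burst_bytes=4000)
    agg = UplinkAggregation(["eth0", "eth1"], "mac_hash")
    frame = Frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 1000)
    return [egress(shaper, agg, frame, t) for t in (0, 100, 200, 300, 400, 2000)]


if __name__ == "__main__":
    print(demo())
```

In demo() the first four frames fit in the 4000-byte burst, the fifth arrives with only 400 bytes of average-rate tokens replenished and is dropped, and the sixth is admitted after the bucket has refilled; every admitted frame of that flow leaves on the same member NIC because the MAC hash is stable. Round-robin spreads load more evenly but can reorder a single flow's frames, which is why the hash policies are the usual choice for TCP-heavy traffic.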
Bandwidth priority allows a VM with a higher priority to obtain more bandwidth.

4.4 Security

4.4.1 Layer 2 Network Security Policy
Figure 4-2 illustrates the layer 2 network security policy mechanism.
Figure 4-2 Layer 2 network security policy mechanism

The layer 2 network security policies prevent IP or MAC address spoofing and DHCP server spoofing by user VMs. IP-MAC address binding prevents IP or MAC address spoofing performed by changing the IP or MAC address of a vNIC, thereby enhancing the network security of user VMs. With this feature enabled, an IP address is bound to a MAC address using DHCP snooping, and packets from untrusted sources are then filtered using IP Source Guard and dynamic ARP inspection (DAI). DHCP quarantine blocks users from unintentionally or maliciously enabling a DHCP server service on a VM, ensuring normal VM IP address assignment.

4.4.2 Broadcast Packet Suppression
In FusionSphere and FusionCloud scenarios, the broadcast packet suppression function is enabled on DVSs so that network exceptions caused by broadcast packet attacks, such as network attacks or virus attacks, can be prevented. A DVS suppresses ARP broadcast packets and IP broadcast packets in the VM sending direction and allows the suppression threshold to be set. You can enable broadcast packet suppression for the port group to which the vNICs belong and set the suppression threshold, reducing the layer 2 network bandwidth consumed by excessive broadcast packets.
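The following added example (not Huawei code) shows the port-group policy logic of sections 4.4.1 and 4.4.2 on a simplified packet model: DHCP snooping learns the IP-MAC binding of a vNIC from the server reply seen on the trusted uplink, IP Source Guard and DAI then drop packets whose source does not match that binding, DHCP quarantine drops DHCP server replies that originate from a vNIC, and a per-vNIC threshold suppresses ARP and IP broadcasts. The port names, MAC and IP addresses, the Packet layout and the class name PortGroupSecurity are all constructed for the example.

```python
"""Added example, not Huawei code: a port-group security filter modelled on
sections 4.4.1 and 4.4.2 of this paper. DHCP snooping builds the IP-MAC binding
table from server replies seen on a trusted (uplink) port; IP Source Guard and
dynamic ARP inspection then drop VM packets whose source does not match the
binding; DHCP quarantine drops DHCP server replies that originate from a vNIC;
a per-vNIC threshold suppresses ARP and IP broadcasts. All names constructed."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_SERVER_MSGS = ("OFFER", "ACK")
DHCP_CLIENT_MSGS = ("DISCOVER", "REQUEST")


@dataclass
class Packet:
    port: str                  # ingress port: a vNIC name, or the uplink
    src_mac: str
    dst_mac: str
    kind: str                  # "ARP" or "IP"
    src_ip: str                # IP source address, or the ARP sender address
    dst_ip: str = ""
    dhcp_op: str = ""          # "DISCOVER", "REQUEST", "OFFER", "ACK", or "" if not DHCP
    dhcp_client_mac: str = ""  # chaddr carried in a server reply
    dhcp_yiaddr: str = ""      # address leased by a server reply
    ts: float = 0.0            # seconds


class PortGroupSecurity:
    def __init__(self, trusted_ports, ip_mac_binding=True, dhcp_quarantine=True,
                 arp_bcast_per_sec=None, ip_bcast_per_sec=None):
        self.trusted = set(trusted_ports)
        self.ip_mac_binding = ip_mac_binding
        self.dhcp_quarantine = dhcp_quarantine
        self.thresholds = {"ARP": arp_bcast_per_sec, "IP": ip_bcast_per_sec}
        self.bindings = {}                  # (port, mac) -> ip, learned by DHCP snooping
        self.client_port = {}               # mac -> port, learned from DHCP client messages
        self._bcast = defaultdict(list)     # (port, kind) -> timestamps within the last second

    def _snoop(self, pkt):
        """A server reply on a trusted port binds the leased IP to the client's MAC and vNIC."""
        port = self.client_port.get(pkt.dhcp_client_mac)
        if port is not None and pkt.dhcp_yiaddr:
            self.bindings[(port, pkt.dhcp_client_mac)] = pkt.dhcp_yiaddr

    def _under_threshold(self, pkt):
        limit = self.thresholds.get(pkt.kind)
        if limit is None:
            return True
        window = self._bcast[(pkt.port, pkt.kind)]
        window[:] = [t for t in window if pkt.ts - t < 1.0]   # sliding one-second window
        if len(window) >= limit:
            return False
        window.append(pkt.ts)
        return True

    def filter(self, pkt):
        """Decide on a packet entering the DVS on pkt.port: returns (accepted, reason)."""
        if pkt.port in self.trusted:
            if pkt.dhcp_op in DHCP_SERVER_MSGS:
                self._snoop(pkt)
            return True, "trusted port"
        if pkt.dhcp_op in DHCP_CLIENT_MSGS:
            self.client_port[pkt.src_mac] = pkt.port
        if self.dhcp_quarantine and pkt.dhcp_op in DHCP_SERVER_MSGS:
            return False, "dhcp-quarantine: DHCP server reply from a vNIC"
        if self.ip_mac_binding:
            bound_ip = self.bindings.get((pkt.port, pkt.src_mac))
            if pkt.kind == "ARP" and pkt.src_ip != bound_ip:
                return False, "dai: ARP sender address does not match the binding"
            if pkt.kind == "IP" and pkt.src_ip != "0.0.0.0" and pkt.src_ip != bound_ip:
                return False, "ip-source-guard: source IP/MAC not bound on this vNIC"
        if pkt.dst_mac == BROADCAST and not self._under_threshold(pkt):
            return False, "broadcast-suppression: %s broadcast threshold exceeded" % pkt.kind
        return True, "ok"


def demo():
    """Returns the (accepted, reason) decision for each constructed packet, in order."""
    pg = PortGroupSecurity(trusted_ports={"uplink"}, arp_bcast_per_sec=3)
    vm, server = "02:00:00:00:00:0a", "02:00:00:00:00:01"
    pkts = [
        # 1. the VM asks for a lease: it has no IP yet, so only the DHCP client path is open
        Packet("vnic1", vm, BROADCAST, "IP", "0.0.0.0", "255.255.255.255", "DISCOVER", ts=0.0),
        # 2. the server's ACK arrives on the trusted uplink; snooping binds vnic1/vm -> 10.0.0.10
        Packet("uplink", server, vm, "IP", "10.0.0.1", "10.0.0.10", "ACK", vm, "10.0.0.10", ts=0.1),
        # 3. traffic from the bound address passes
        Packet("vnic1", vm, server, "IP", "10.0.0.10", "10.0.0.1", ts=0.2),
        # 4. the same vNIC using another source IP is dropped by IP Source Guard
        Packet("vnic1", vm, server, "IP", "10.0.0.99", "10.0.0.1", ts=0.3),
        # 5. an ARP announcing the gateway's address from the VM is dropped by DAI
        Packet("vnic1", vm, BROADCAST, "ARP", "10.0.0.1", ts=0.4),
        # 6. a DHCP server started inside the VM is quarantined
        Packet("vnic1", vm, BROADCAST, "IP", "10.0.0.10", "255.255.255.255", "OFFER", ts=0.5),
    ]
    # 7. five legitimate ARP broadcasts within 40 ms: the threshold of 3/s lets three through
    pkts += [Packet("vnic1", vm, BROADCAST, "ARP", "10.0.0.10", ts=1.0 + i * 0.01) for i in range(5)]
    return [pg.filter(p) for p in pkts]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of the checks matters: the trusted uplink is exempt so that legitimate DHCP replies can populate the binding table, DHCP quarantine is evaluated before the binding checks so a rogue server is rejected even if its source address is valid, and broadcast suppression is applied last so that only broadcasts that already passed the spoofing checks count against the threshold.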
Administrators can configure the broadcast packet suppression function and set the ARP broadcast packet suppression threshold and IP broadcast packet suppression threshold for DVS port group objects on the system portal.

4.4.3 Security Group
Figure 4-3 shows a security group.
Figure 4-3 Security group

Users can create security groups based on VM security requirements. Each security group provides a set of access rules, and VMs added to a security group are protected by those rules. Users can add VMs to security groups when creating the VMs. Service administrators create security groups and security group rules for VPCs on FusionManager. A security group rule specifies the protocol, the source (an IP address segment, a subnet, or another security group), and the port range on which the VMs may be accessed. The supported protocols are Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

4.5 VM Network Passthrough
Huawei has developed an iNIC that provides passthrough capabilities for VMs and implements full virtual switching. Huawei iNICs offer the functions provided by a DVS, including uplink aggregation, layer 2 switching, vNIC-based traffic control, layer 2 security control, and maintenance functions. In addition, the iNICs support ACL and stateful ACL. Combined with FusionCompute, iNICs enhance VM passthrough performance and support VM live migration. Table 4-1 lists the functions supported by iNICs.
Table 4-1 Functions supported by iNICs

4.6 Trunk Port
A vNIC connects to a DVS through a virtual port to transmit network data packets.
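The following added example (not Huawei code) evaluates security group rules of the kind described in section 4.4.3: each rule names a protocol (TCP, UDP or ICMP), a source that is either an IP address segment in CIDR form or another security group, and the destination port range on the VM; a VM's ingress traffic is allowed only if some rule of some group the VM belongs to matches, and denied otherwise. The group names (sg-web, sg-db), VM names, addresses and the class name SecurityGroups are constructed for the example.

```python
"""Added example, not Huawei code: a security group rule evaluator modelled on
section 4.4.3 of this paper. A rule names a protocol, a source (CIDR segment or
another security group) and the port range a VM in the group may be reached on.
Ingress to a VM is allowed only if some rule of some group it belongs to
matches; the default is deny. Group names, VM names and addresses constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "icmp"
    source: str            # CIDR such as "10.0.0.0/24", or the name of a security group
    port_min: int = 0      # destination port range on the VM; ignored for icmp
    port_max: int = 65535


class SecurityGroups:
    def __init__(self):
        self.rules = {}        # group name -> list of Rule
        self.members = {}      # group name -> set of VM names
        self.vm_ip = {}        # VM name -> IP address

    def create_group(self, name, rules):
        self.rules[name] = list(rules)
        self.members.setdefault(name, set())

    def add_vm(self, vm, ip, groups):
        self.vm_ip[vm] = ip
        for g in groups:
            self.members[g].add(vm)

    def _source_matches(self, rule, src_ip):
        if rule.source in self.rules:
            # the source is a security group: any member VM of that group may connect
            return any(self.vm_ip[v] == src_ip for v in self.members[rule.source])
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

    def allows(self, dst_vm, src_ip, protocol, dst_port=None):
        """Ingress decision for dst_vm; default deny when no rule matches."""
        for group, vms in self.members.items():
            if dst_vm not in vms:
                continue
            for rule in self.rules[group]:
                if rule.protocol != protocol:
                    continue
                if protocol != "icmp":
                    if dst_port is None or not (rule.port_min <= dst_port <= rule.port_max):
                        continue
                if self._source_matches(rule, src_ip):
                    return True
        return False


def build_demo():
    """A two-tier layout: web VMs reachable from anywhere on 80/443 and from an
    admin segment on 22; database VMs reachable only from the web group."""
    sg = SecurityGroups()
    sg.create_group("sg-web", [
        Rule("tcp", "0.0.0.0/0", 80, 80),
        Rule("tcp", "0.0.0.0/0", 443, 443),
        Rule("tcp", "10.0.100.0/24", 22, 22),      # SSH only from the admin segment
    ])
    sg.create_group("sg-db", [
        Rule("tcp", "sg-web", 3306, 3306),         # only web-tier VMs reach the database
        Rule("icmp", "sg-web"),
    ])
    sg.add_vm("web1", "10.0.1.10", ["sg-web"])
    sg.add_vm("db1", "10.0.2.10", ["sg-db"])
    return sg


if __name__ == "__main__":
    sg = build_demo()
    print(sg.allows("web1", "203.0.113.5", "tcp", 443))   # public HTTPS: allowed
    print(sg.allows("db1", "203.0.113.5", "tcp", 3306))   # database from outside: denied
```

Referencing a security group as the source, rather than the web VMs' current addresses, keeps the database rule correct when web VMs are added, removed or migrated, which is the reason the paper lists security groups alongside IP segments and subnets as rule sources. The example models stateless ingress only; return traffic and the stateful ACL mentioned in section 4.5 are outside its scope.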
Ports on the DVS can be configured as trunk ports, with a list of VLAN IDs defining the VLANs that each trunk port may carry. A trunk virtual port therefore passes network data packets with different VLAN IDs, which meets the requirement of vNICs that need trunk ports; only the listed VLANs are carried.

4.7 Port Mirroring

Port mirroring sends a copy of the network packets seen on the source port of a mirror session to the destination port of the session, so that a user can run an analysis program on the destination port.

FusionSphere 5.1 supports local port mirroring. It works as follows. In addition to its normal traffic- and MAC-based forwarding configuration, a DVS keeps a record of each mirror session configuration. A mirror session selects the traffic to be mirrored from a specified DVS port. When traffic that meets the session's conditions passes through the source port, the DVS copies it, processes the copy according to the session configuration, and sends it to the destination port.

FusionSphere 5.1 also supports remote port mirroring, in which the source and destination ports are on different vSwitches. The source vSwitch holds the session configuration; when traffic from the source port matches it, the source vSwitch copies the traffic, processes the copy according to the session configuration, and forwards it to the uplink NICs connected to the vSwitch. The destination vSwitch holds a matching session configuration; when its uplink receives traffic carrying the VLAN tag specified in the session, the destination vSwitch forwards that traffic to the specified destination port.

Because a mirror session delivers copies of other VMs' traffic to the destination port, and remote mirroring carries those copies across the physical network in the session VLAN, the ability to configure mirror sessions should be limited to administrators and the session VLAN should not be reachable from tenant VMs.
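The following Python model is an added illustration of the trunk-port VLAN admission in 4.6 and of a local mirror session as in 4.7; it is not FusionSphere code. An access port accepts only untagged frames and assigns them its port group's VLAN, a trunk port accepts only tagged frames whose VLAN ID is in its configured list, and a mirror session copies the source port's frames to the destination port in the configured direction. Port names, VLAN IDs, the "direction" attribute and the frames are constructed for the example.

```python
"""Model of DVS virtual ports (4.6) and a local mirror session (4.7): access ports
assign the port group's VLAN, trunk ports carry only the VLAN IDs configured for them,
and a mirror session copies the source port's traffic to the destination port.
Added illustration; port names, VLAN IDs and frames are constructed."""
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]      # 802.1Q VID carried by the frame; None if untagged
    payload: bytes = b""


@dataclass(frozen=True)
class Port:
    name: str
    trunk: bool = False
    pvid: Optional[int] = None              # access port: VLAN of its port group
    allowed_vlans: frozenset = frozenset()  # trunk port: VIDs it may carry


@dataclass(frozen=True)
class MirrorSession:
    source: str
    destination: str
    direction: str = "both"   # "ingress" (sent by the VM), "egress" (sent to the VM) or "both"


class DvsModel:
    def __init__(self, ports, sessions=()):
        self.ports = {p.name: p for p in ports}
        self.sessions = list(sessions)
        self.mac_table = {}    # (vlan, mac) -> port name, learned from received frames
        self.delivered = []    # (port name, frame) pairs handed to VM-facing ports

    def admit(self, port: Port, frame: Frame) -> Optional[Frame]:
        """VLAN admission on ingress: an access port accepts only untagged frames and
        tags them with its PVID; a trunk port accepts only tagged frames whose VID is
        in its allowed list. Anything else is dropped."""
        if not port.trunk:
            if frame.vlan is not None:
                return None
            return Frame(frame.src_mac, frame.dst_mac, port.pvid, frame.payload)
        if frame.vlan is None or frame.vlan not in port.allowed_vlans:
            return None
        return frame

    def _mirror(self, port_name: str, frame: Frame, direction: str) -> None:
        for s in self.sessions:
            if s.source == port_name and s.direction in (direction, "both"):
                # The copy reaches the destination port regardless of that port's VLAN.
                self.delivered.append((s.destination, frame))

    def _deliver(self, port_name: str, frame: Frame) -> None:
        port = self.ports[port_name]
        if port.trunk:
            if frame.vlan not in port.allowed_vlans:
                return
            self.delivered.append((port_name, frame))          # leaves the port tagged
        else:
            if frame.vlan != port.pvid:
                return
            self.delivered.append((port_name, Frame(frame.src_mac, frame.dst_mac, None, frame.payload)))
        self._mirror(port_name, frame, "egress")

    def send(self, port_name: str, frame: Frame) -> str:
        """A VM transmits a frame on port_name; returns the switching decision."""
        port = self.ports[port_name]
        admitted = self.admit(port, frame)
        if admitted is None:
            return "dropped"
        self.mac_table[(admitted.vlan, admitted.src_mac)] = port_name
        self._mirror(port_name, admitted, "ingress")
        out = self.mac_table.get((admitted.vlan, admitted.dst_mac))
        if out is not None and out != port_name:
            self._deliver(out, admitted)
            return "forwarded"
        for name in self.ports:          # unknown unicast or broadcast: flood the VLAN
            if name != port_name:
                self._deliver(name, admitted)
        return "flooded"
```

The point to notice is in `_mirror`: the destination port receives the copies even though its own VLAN would never carry that traffic, which is exactly why session configuration must be an administrator-only operation.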
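Returning to the security groups of 4.4.3, the following Python engine is an added example, not FusionManager's implementation. It evaluates rules of the kind the section describes (protocol, a source given as an IP address segment or as another security group, and a VM-side port range) against a packet arriving at a VM. It assumes permit-only rules with default deny and stateless per-packet matching; the group names, addresses and the `Rule` fields are constructed.

```python
"""Security group evaluation for traffic arriving at a VM (4.4.3). Added illustration;
the rule schema, group names and addresses are constructed, and the evaluation is a
stateless per-packet permit check (traffic matching no rule is not admitted), which is
an assumption about the semantics rather than a description of FusionManager's engine."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp" or "icmp"
    source: str        # IP address segment in CIDR form, or the name of a security group
    port_min: int = 1  # VM-side port range that may be accessed; ignored for icmp
    port_max: int = 65535


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)
    members: set = field(default_factory=set)   # IP addresses of the VMs in the group


class SecurityGroupEngine:
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        for g in groups:
            for r in g.rules:
                self.validate(r)

    def validate(self, rule: Rule) -> None:
        """Reject malformed rules before they are installed."""
        if rule.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {rule.protocol!r}")
        if rule.source not in self.groups:
            ip_network(rule.source, strict=True)     # raises ValueError for a bad CIDR
        if rule.protocol != "icmp" and not (1 <= rule.port_min <= rule.port_max <= 65535):
            raise ValueError(f"bad port range {rule.port_min}-{rule.port_max}")

    def _source_matches(self, rule: Rule, src_ip: str) -> bool:
        if rule.source in self.groups:
            # Source given as a security group: only its member VMs match.
            return src_ip in self.groups[rule.source].members
        return ip_address(src_ip) in ip_network(rule.source, strict=True)

    def allowed(self, dst_group: str, src_ip: str, protocol: str, dst_port: int = None) -> bool:
        """True if some rule of dst_group permits the packet; otherwise it is not admitted."""
        for r in self.groups[dst_group].rules:
            if r.protocol != protocol or not self._source_matches(r, src_ip):
                continue
            if protocol == "icmp":
                return True
            if dst_port is not None and r.port_min <= dst_port <= r.port_max:
                return True
        return False


def build_demo_engine() -> SecurityGroupEngine:
    """Constructed two-tier layout: web VMs reachable from anywhere on 80/443, database
    VMs reachable on 3306 only from members of the web group."""
    web = SecurityGroup("sg-web", members={"10.0.1.10", "10.0.1.11"}, rules=[
        Rule("tcp", "0.0.0.0/0", 80, 80),
        Rule("tcp", "0.0.0.0/0", 443, 443),
        Rule("icmp", "10.0.0.0/8"),
    ])
    db = SecurityGroup("sg-db", members={"10.0.2.20"}, rules=[
        Rule("tcp", "sg-web", 3306, 3306),
    ])
    return SecurityGroupEngine([web, db])
```

Referencing a security group as the source (the `sg-db` rule) is what lets the database tier follow the web tier's membership as VMs are added or removed, without editing address lists.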
4.8 VXLAN

Virtual extensible local area network (VXLAN) encapsulates layer 2 packets in layer 3 protocols (UDP over IP), extending a layer 2 network across a layer 3 network. In a data center, VXLAN lets VMs migrate across an interconnected layer 3 network without changing their IP or MAC addresses, which preserves service continuity and supports large-scale deployments. VXLAN uses a 24-bit VXLAN network identifier, allowing about 16 million (2^24 = 16,777,216) virtual networks, whereas a traditional VLAN-based layer 2 network supports only about 4000 (a 12-bit VLAN ID with 4094 usable values). This supports large cloud environments in which applications and tenants are logically isolated from each other. For details, see the Huawei FusionSphere 5.1 Technical White Paper on VXLAN.

4.9 Ports Management

A Huawei DVS manages both physical and virtual ports. Physical port information covers the number of packets received and sent on each physical port, the receive and send traffic rates, NIC state, NIC speed, and NIC operating mode. Table 4-2 lists the traffic statistics collected for physical ports.

Table 4-2 Port information about physical port traffic data

Table 4-3 lists the physical port specifications.

Table 4-3 Physical port specifications

Virtual port information covers the number of packets received and sent on each virtual port and the receive and send traffic rates. Table 4-4 lists the traffic statistics collected for virtual ports.

Table 4-4 Port information about virtual port traffic data

Host and VM traffic rates are derived from the port information.
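The following Python code is an added example, not taken from the white paper or from FusionSphere, of the VXLAN header layout, the 24-bit VNI bound that gives the 16 million figure in 4.8, and the receive-side check by which a tunnel endpoint refuses frames for a virtual network that has no VM on the host. The VNIs, the inner frame and the endpoint's VNI membership are constructed.

```python
"""VXLAN encapsulation (RFC 7348) and the VNI checks a VTEP applies on receipt (4.8).
Added illustration; the VNIs, the inner frame and the VTEP membership are constructed."""
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08                  # "VNI valid"; all other flag and reserved bits must be zero
MAX_VNI = (1 << 24) - 1              # 24-bit VXLAN network identifier: 16,777,216 values
MAX_VLAN_ID = 4094                   # 12-bit 802.1Q VID; 0 and 4095 are reserved


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan(payload: bytes):
    """Return (vni, inner_frame); reject headers that do not look like VXLAN."""
    if len(payload) < 8:
        raise ValueError("short VXLAN header")
    if payload[0] != VXLAN_FLAG_I or payload[1:4] != b"\x00\x00\x00" or payload[7] != 0:
        raise ValueError("invalid VXLAN flags or reserved bits")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def udp_source_port(inner_frame: bytes) -> int:
    """RFC 7348 recommends hashing the inner headers into the outer UDP source port so
    that ECMP spreads flows; keep the result in the dynamic port range."""
    h = zlib.crc32(inner_frame[:34])          # Ethernet (14) + IPv4 (20) header bytes
    return 49152 + h % (65536 - 49152)


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Build the UDP datagram: UDP header + VXLAN header + the original layer 2 frame."""
    body = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", udp_source_port(inner_frame), VXLAN_UDP_PORT, 8 + len(body), 0)
    return udp + body


class Vtep:
    """Receive side of a VXLAN tunnel endpoint: decapsulates and keeps tenants apart."""

    def __init__(self, local_vnis):
        self.local_vnis = set(local_vnis)    # VNIs that have VMs on this host

    def receive(self, datagram: bytes):
        sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
        if dport != VXLAN_UDP_PORT or length != len(datagram):
            raise ValueError("not a VXLAN datagram")
        vni, frame = parse_vxlan(datagram[8:])
        if vni not in self.local_vnis:
            return None    # no local VM in this virtual network: drop, never bridge
        return vni, frame


def constructed_inner_frame() -> bytes:
    """A minimal Ethernet frame (dst, src, EtherType IPv4) followed by a dummy IPv4 header."""
    return bytes.fromhex("525400000002" "525400000001" "0800") + b"\x45" + b"\x00" * 33
```

The `local_vnis` check is the isolation property: the VNI is only a tag in the packet, so an endpoint that bridged every VNI it received would let anyone who can inject UDP/4789 datagrams into the underlay reach any tenant's layer 2 segment. Restricting UDP 4789 on the underlay to the VTEP addresses is the usual complement.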
4.10 Storage Plane Communication over the Layer 3 Network

FusionSphere 5.1 supports storage plane communication over a layer 3 network. Administrators can choose layer 2 or layer 3 storage plane communication according to site requirements. If storage plane communication over a layer 3 network is configured, a gateway address for the storage route is required. Because the CNA DOM0 operating system supports only one default gateway, which the management plane and the storage plane must share, the default gateway is the management plane gateway. To reach the storage plane through its own gateway, add routing policies (routes for the storage subnets via the storage gateway) to the CNA DOM0.

4.11 Management Plane VLAN Configuration

Compared with earlier versions, FusionSphere 5.1 lets administrators set the management plane VLAN ID flexibly, significantly reducing the dependence of the management plane VLAN on the access switches. In earlier versions, the management plane VLAN ID could only be 0 (untagged), so VLAN tagging had to be performed by the access switch with its ports configured in hybrid mode.

4.12 Service Management Plane

In versions earlier than FusionSphere 5.1, VM migration, HA, storage DR, and shared storage heartbeat communication were all carried on the management plane. FusionSphere 5.1 supports configuring a service management plane on which administrators can run these services, so that service management data is isolated from management maintenance data. Traffic limits can be set per plane, giving fine-grained control over the system.

4.13 Service Plane IPv6

IPv6, short for Internet Protocol version 6, is the latest version of the Internet Protocol (IP).
IPv6 was developed by the Internet Engineering Task Force (IETF) to address the long-anticipated exhaustion of IPv4 addresses. IPv6 has the following characteristics:

1. IPv6 uses 128-bit addresses and therefore provides a far larger address space than IPv4.

2. IPv6 permits hierarchical address allocation, which facilitates route aggregation across the Internet and limits the growth of routing tables. With route aggregation, one routing table entry can represent a whole subnet, which significantly shortens the routing table and speeds up packet forwarding on routers.

3. IPv6 supports automatic address configuration (stateless address autoconfiguration), which improves on and extends the DHCP-based address assignment mechanism and simplifies network management, especially on LANs.

4. IPv6 includes IPsec in its base specification, so network-layer encryption and authentication of IP packets are available. IPsec-based encryption and authentication provide packet confidentiality and integrity. Note that IPsec is equally available for IPv4 and must be explicitly configured and keyed in either case; an IPv6 network is not more secure than an IPv4 network unless IPsec (or an equivalent) is actually deployed.

The system supports configuring VMs on the service plane with IPv6 addresses and VM communication over IPv6. VMs can communicate with one another over a single-stack IPv4 network, a single-stack IPv6 network, or a dual-stack IPv4/IPv6 network.

Dual stack is a technology used for the transition from IPv4 to IPv6. Each node in a dual-stack infrastructure runs both the IPv4 and the IPv6 protocol stack. A source node chooses the protocol stack according to the destination node, and network devices choose the stack with which to process and forward each IP packet according to the packet's protocol type. On a dual-stack network, all devices must support both IPv4 and IPv6, and ports connected to the dual-stack network must have both an IPv4 address and an IPv6 address configured. Dual stack is the basis for the transition from IPv4 to IPv6.
IPv4/IPv6 Dual Stack Scheme

As defined in RFC 4213, dual stack means installing both the IPv4 and the IPv6 protocol stack on terminal devices and network nodes so that they can communicate with IPv4 nodes and with IPv6 nodes, each over its own protocol. Nodes configured with the IPv4/IPv6 dual stack are called dual-stack nodes, as shown in Figure 4-4. They can send and receive both IPv4 and IPv6 packets, interworking with IPv4 nodes through IPv4 and with IPv6 nodes through IPv6.

Figure 4-4 IPv4/IPv6 dual-stack structure diagram

A port on a dual-stack device can have an IPv4 address, an IPv6 address, or both. A dual-stack router keeps two independent routing tables, one for IPv4 and one for IPv6, on the same device. When a dual-stack node receives a frame from the link layer, it decapsulates the frame and examines the IP header. The first field of both the IPv4 and the IPv6 header is the 4-bit version field: if its value is 4, the packet is handed to the IPv4 stack; if it is 6, to the IPv6 stack.

To learn IPv6 routes, a dual-stack router must also run IPv6-capable routing protocols. If Open Shortest Path First (OSPF) is used on the live network, add OSPFv3 for IPv6. If Intermediate System to Intermediate System (IS-IS) is deployed on the live network, deploy IS-IS multi-topology to learn IPv6 routes. BGP4+ (MP-BGP with the IPv6 address family) can be configured to advertise IPv6 routes by enabling the IPv6 address family, and the route reflector (RR) can be upgraded if IPv6 route reflection is required.
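The following Python code is an added example, not from the white paper, of the version-field dispatch a dual-stack node performs on receipt, together with the sanity checks a stack applies before trusting the headers: the 802.1Q tag is stripped, the packet is routed to the IPv4 or IPv6 parser by the first four bits of the header, and the link-layer EtherType is required to agree with that version so that a frame cannot be steered into the wrong stack by lying in one of the two places. The sample addresses and packets are constructed.

```python
"""The version-field dispatch a dual-stack node performs (4.13), with the header sanity
checks a stack applies before trusting the packet. Added illustration; the sample
addresses and packets are constructed."""
import ipaddress
import struct

ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100


def parse_ethernet(frame: bytes):
    """Return (ethertype, vlan_id or None, layer 3 payload); handles one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return ethertype, vlan, frame[offset:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("IPv4 total length inconsistent with packet")
    return {"version": 4, "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:total_len]}


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len > len(pkt):
        raise ValueError("IPv6 payload length exceeds packet")
    return {"version": 6, "proto": pkt[6],                  # next header
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "payload": pkt[40:40 + payload_len]}


def demux(l3: bytes) -> dict:
    """Hand the packet to the IPv4 or the IPv6 stack according to the version field,
    the first four bits of either header."""
    if not l3:
        raise ValueError("empty layer 3 payload")
    version = l3[0] >> 4
    if version == 4:
        return parse_ipv4(l3)
    if version == 6:
        return parse_ipv6(l3)
    raise ValueError(f"unsupported IP version {version}")


def receive(frame: bytes) -> dict:
    """Dual-stack receive path: the EtherType and the version field must agree."""
    ethertype, vlan, l3 = parse_ethernet(frame)
    info = demux(l3)
    if ethertype != {4: ETH_P_IP, 6: ETH_P_IPV6}[info["version"]]:
        raise ValueError(f"EtherType 0x{ethertype:04x} disagrees with IP version {info['version']}")
    info["vlan"] = vlan
    return info


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet with a zero checksum (enough for the parser above)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet: version 6, no traffic class or flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def build_frame(ethertype: int, l3: bytes, vlan=None) -> bytes:
    """Constructed Ethernet frame, optionally with one 802.1Q tag."""
    dst, src = bytes.fromhex("525400000002"), bytes.fromhex("525400000001")
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + l3
```

The length checks matter on a dual-stack host for the same reason they matter on a router: each stack must bound every read by the lengths it has already validated, because the version nibble alone says nothing about how much of the header is actually present.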
The dual-stack architecture allows equipment to receive, process, and forward both IPv4 and IPv6 traffic. Network equipment (routers) runs in IPv4/IPv6 dual-stack mode, the two networks coexist logically, and the transition from IPv4 to IPv6 can be made smoothly.

A dual-stack node supports the following three operating modes:

IPv6-only: The node is configured with only an Ethernet port, an IPv6 address, and an IPv6 router. The IPv6 function must be enabled on the router that serves the node.

IPv4-only: The node is configured with only an Ethernet port, an IPv4 address, and an IPv4 router.

IPv4/IPv6 dual stack: When a dual-stack node is connected to an IPv4/IPv6 network, both the IPv4 and the IPv6 configuration must be present, and both the IPv4 and the IPv6 function must be enabled on the router of that network.

IPv6 Capability

An IPv6 VM supports only external networking and supports the following IP address assignment modes:

IPv6 addresses assigned by a third-party DHCPv6 server
Stateless address autoconfiguration (SLAAC) using a hardware gateway, which sends the router advertisements
Static IP address injection

DVS functions such as security groups, bound ports, QoS, port mirroring, and trunking support both IPv4 and IPv6. The system supports IPv6-based VM lifecycle management, including VM start, stop, live migration, snapshot, hibernation, and restoration.

To use an IPv6 network, ensure that all external devices, such as switches, firewalls, and load balancers, support both IPv4 and IPv6. Gateway addresses, virtual private networks (VPNs), access control list (ACL) policies, and load balancing for IPv6 VMs are configured on the physical switch or firewall.
5 Application Scenario

A DVS can be used in the following scenarios.

5.1 Unified Virtual Network Management

A centralized portal is provided for virtual network deployment and management. On this portal, administrators create and manage a DVS with multiple port groups.

5.2 Virtual Network Traffic Statistics

A DVS reports statistics for its uplinks, bound ports, and virtual switch ports (VSPs). All statistics are displayed on the portal.

5.3 Distributed Virtual Port Group

A port group is a set of ports on a DVS. vNICs connected to the same port group share the same network attributes, including bandwidth limiting, priority, VLAN ID, DHCP quarantine, and IP-MAC address binding. Administrators manage and configure port groups on the unified portal, which simplifies the configuration of VM port attributes.

5.4 Distributed Virtual Uplink

A distributed virtual uplink connects physical hosts to DVSs. One DVS can connect to, or bind, ports on multiple hosts. Binding ports improves port reliability or increases port bandwidth.

5.5 Network Isolation

VLANs and VXLANs are the two methods a DVS uses to isolate VM networks. VLANs comply with the IEEE 802.1Q standard. IEEE 802.1Q VLAN tagging is applied on uplinks and on all inbound flows to user VMs to isolate traffic, which enhances network security and also restricts the scope of the layer 2 broadcast domain. For details about VXLANs, see section 4.8 "VXLAN."
5.6 Network Migration

This function moves the original network configuration data to the new location during VM migration, so that the VM's network is neither interrupted nor reconfigured.

5.7 Network Security

This function prevents IP address spoofing, MAC address spoofing, and DHCP server spoofing by user VMs. IP-MAC address binding prevents a VM from spoofing addresses by changing the IP address or MAC address of its NIC, which enhances the network security of user VMs. DHCP quarantine blocks users from unintentionally or maliciously running a DHCP server on a VM, preserving normal VM IP address assignment. Broadcast packet suppression prevents network exceptions in the FusionSphere and FusionCloud scenarios caused by broadcast storms from network attacks or virus-infected VMs.

5.8 Port Mirroring

Port mirroring copies the traffic at the source port of a mirror session to the destination port, so that users can run an analysis program at the destination port. It also helps users locate network faults quickly.

5.9 Management VLAN Configuration

In the common scenario, ports on the access switch are configured in hybrid mode and the switch adds the VLAN tags to the packets it forwards, so CNA and VRM nodes do not need VLANs configured. In flexible networking scenarios, for example when the access switch ports can only be configured in trunk mode, a management VLAN must be configured on the nodes. You can configure the VLAN for the specified ports by following the installation wizard when installing a host, or configure it when deploying VRM nodes.
5.10 Service Management Plane

When security requirements are high, administrators can configure a service management plane for VM migration, HA, storage DR, and shared storage heartbeat communication, so that service management data is isolated from management maintenance data.

5.11 Service Plane IPv6

As IPv4 addresses are exhausted, carriers and enterprise customers may require IPv6 VMs. The system supports configuring VMs on the service plane with IPv6 addresses and VM communication over IPv6. VMs can run on an IPv6 single-stack network, an IPv4 single-stack network, or a dual-stack network.

6 Glossary

6.1 Acronyms and Abbreviations

Abbreviation  Full Name
ACL           Access control list
ARP           Address Resolution Protocol
DAI           Dynamic ARP Inspection
DHCP          Dynamic Host Configuration Protocol
DVS           Distributed Virtual Switch
DVSM          Distributed Virtual Switch Management
IDC           Internet Data Center
iNIC          Intelligent network interface card
PF            Physical Function
SR-IOV        Single-Root I/O Virtualization
VDI           Virtual Desktop Infrastructure
VEB           Virtual Ethernet Bridge
VEPA          Virtual Ethernet Port Aggregator
VF            Virtual Function
VMDq          Virtual Machine Device Queues
VSP           Virtual Switch Port