Tip of the Day: Demystifying Software Defined Networking Terms - Network Isolation, Encapsulation, and Addressing

Today’s Tip…

In today’s installment of the Demystifying… series, we look at network isolation, encapsulation, and addressing terms.

Part 4: The Technologies

Terms in this tip include:

  • Network Isolation
  • VLANS
  • PVLANS
  • Tagging Methods
  • VxLAN
  • NVGRE
  • Provider Address (PA)
  • Customer Address (CA)
  • Virtual IPs (VIPs)
  • Dynamic IPs (DIPs)

Network Isolation, Encapsulation, and Addressing

Network Isolation – Network Isolation (not to be confused with Domain/Network Isolation using IPsec security policies) allows you to segment and run multiple networks on the same physical datacenter fabric with identical or overlapping IP address spaces without conflict.  Numerous methods are available to achieve network isolation including simple frame-tagging methods such as VLANs, or newer technologies such as NVGRE that use more advanced encapsulation methods. 

Routing can be configured to allow communication between isolated networks, but you must be careful to implement measures to avoid conflict should overlapping address spaces exist. 

Virtual LAN (VLAN) – Virtual LANs (VLANs), perhaps the most familiar method for providing network segmentation, work by creating logical port groupings on a switch and assigning each group a VLAN Identifier (VLAN ID).  These groupings are identified by a ‘tagging’ process, in which the VLAN ID is inserted into the frame.  A side effect of this process is that the extra information extends the frame length, potentially exceeding the MTU (maximum transmission unit) of network devices.  VLANs are not typically used in modern software-defined datacenters because of their limited scale (by today’s standards).

PVLANS – Private VLANs (PVLANS) are an extension of the VLAN specification that allows you to further restrict port assignments within a VLAN.  Essentially a group within a group, PVLANs allow you to control communications between sub-VLANs.

VLAN Tagging Methods – The tagging methods used in VLANs support the partitioning of networks by inserting identifying information (tags) into a frame as it traverses the switch fabric.  Two common VLAN tagging methods are IEEE 802.1Q, which inserts a four-byte tag into the frame, and Cisco’s proprietary Inter-Switch Link protocol (ISL), which adds 32 bytes by encapsulating the original frame between a header and an FCS (frame check sequence) trailer.

The Hyper-V virtual switch supports the IEEE 802.1Q standard.
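To make the 802.1Q behaviour described above concrete, here is an added example (not code from the original tip or from Hyper-V) that inserts, reads and strips the four-byte tag; the MAC addresses and payload are constructed values.

```python
"""Insert and strip an IEEE 802.1Q tag on a constructed Ethernet frame.
Shows the 4 extra bytes (the MTU caveat above) and how the 12-bit VLAN ID is carried."""
import struct

TPID_8021Q = 0x8100   # EtherType value announcing that a VLAN tag follows


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag after the destination and source MACs (offset 12)."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID out of range")
    # TCI = 3-bit priority (PCP) | 1-bit drop eligible (DEI) | 12-bit VLAN ID
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (vlan_id, pcp, dei) if the frame carries an 802.1Q tag, else None."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def untag_frame(frame):
    """Remove the tag, as a switch does before forwarding to an untagged access port."""
    if read_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def demo():
    """Constructed frame with a full 1500-byte payload; tagging pushes it to 1518 bytes."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    frame = eth + b"x" * 1500
    tagged = tag_frame(frame, 100, pcp=5)
    return len(frame), len(tagged), read_tag(tagged), untag_frame(tagged) == frame
```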

Virtual Extensible LAN (VXLAN) - Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to improve the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate MAC-based OSI layer 2 Ethernet frames within layer 4 UDP packets, using 4789 as the default IANA-assigned destination UDP port number.

NVGRE - Hyper-V Network Virtualization supports Network Virtualization using Generic Routing Encapsulation (NVGRE) as the mechanism to virtualize IP addresses. In NVGRE, the virtual machine's packet is encapsulated inside another packet. The header of this new, NVGRE-formatted packet has the appropriate source and destination provider address (PA) IP addresses. In addition, it has a 24-bit Virtual Subnet ID (VSID), which is stored in the GRE header of the new packet.

The following figure shows a GRE-encapsulated packet. On the wire, NVGRE-encapsulated packets look like IP-over-Ethernet packets, except that the payload of the outer IP header is a GRE-encapsulated IP packet (including the Ethernet header).


Figure: NVGRE Packet Encapsulation

Provider Address (PA) – A Provider Address (PA) is an IP address that is assigned to the Hyper-V host by the hoster or the datacenter administrators based on their physical network infrastructure. The PA appears in the packets on the network that are exchanged with the server running Hyper-V that is hosting the virtual machine. The PA is visible on the physical network, but not to the virtual machine.

Customer Address (CA) – A Customer Address (CA) is an IP address that is assigned to a virtual machine by the customer, based on their intranet infrastructure. This address enables the customer to exchange network traffic with the virtual machine as if it had not been moved to a public or private cloud. The CA is visible to the virtual machine and reachable by the customer.


Figure: CA/PA Example

Routing Domain Identifier (RDID) – In network virtualization, VM networks form an isolation boundary wherein the virtual machines are able to communicate with one another.  Each VM network is identified by a Routing Domain ID (RDID), which is assigned by datacenter administrators or datacenter management software, such as System Center Virtual Machine Manager (VMM). The RDID is a Windows GUID — for example, “{11111111-2222-3333-4444-000000000000}”.

Virtual Subnet ID (VSID) – Each VM network (see RDIDs) consists of one or more virtual subnets identified by a unique Virtual Subnet ID (VSID).  Each virtual subnet belongs to a single VM network (RDID).  VSIDs allow hosts to identify the customer virtual machine for any given packet, even though the PAs and the CAs on the packets may be identical.
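The NVGRE, PA/CA and VSID descriptions above are tied together in this added example (not code from the tip or from Hyper-V): it builds a packet in the RFC 7637 layout, outer IPv4 carrying the PAs, a GRE header whose key carries the 24-bit VSID, then the tenant's inner frame with the CAs, and parses it back. The outer Ethernet header is omitted and all addresses and VSIDs are constructed values.

```python
"""Build and parse an NVGRE packet so the VSID alone tells apart two tenants whose
VMs use the same Customer Address. Constructed addresses; format demo, not a sender."""
import struct
import ipaddress

GRE_KEY_PRESENT = 0x2000   # GRE flags word: Key bit set, version 0
ETH_TYPE_TEB = 0x6558      # Transparent Ethernet Bridging: payload is an Ethernet frame
IP_PROTO_GRE = 47


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left at zero; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def inner_frame(ca_src, ca_dst, payload=b"hello"):
    """Tenant frame: 14-byte Ethernet header (MAC, MAC, EtherType IPv4) + IPv4 + payload."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ipv4_header(ca_src, ca_dst, 17, len(payload)) + payload


def build_nvgre(src_pa, dst_pa, vsid, flow_id, frame):
    """Outer IPv4 with PAs + GRE (Key = VSID << 8 | FlowID) + inner tenant frame."""
    assert 0 < vsid < 0xFFFFFF and flow_id < 256     # 0 and 0xFFFFFF are reserved VSIDs
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, ETH_TYPE_TEB, (vsid << 8) | flow_id)
    return ipv4_header(src_pa, dst_pa, IP_PROTO_GRE, len(gre) + len(frame)) + gre + frame


def parse_nvgre(packet):
    """Return (src PA, dst PA, VSID, inner CA src, inner CA dst)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    src_pa, dst_pa = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    flags, ptype, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if not flags & GRE_KEY_PRESENT or ptype != ETH_TYPE_TEB:
        raise ValueError("not an NVGRE header")
    inner_ip = packet[ihl + 8 + 14:]          # skip GRE header and inner Ethernet header
    ca_src, ca_dst = (str(ipaddress.IPv4Address(inner_ip[i:i + 4])) for i in (12, 16))
    return src_pa, dst_pa, key >> 8, ca_src, ca_dst


def demo_overlapping_cas():
    """Two tenants both send 10.0.0.5 -> 10.0.0.6 between the same two hosts (PAs)."""
    frame = inner_frame("10.0.0.5", "10.0.0.6")
    table = {}
    for tenant, vsid in (("tenant-A", 5001), ("tenant-B", 5002)):
        pkt = build_nvgre("192.168.1.10", "192.168.1.20", vsid, 0, frame)
        _, _, got_vsid, ca_src, _ = parse_nvgre(pkt)
        table[(got_vsid, ca_src)] = tenant   # key on (VSID, CA), never on the CA alone
    return table
```

A receiving host that looked up the tenant by CA alone would conflate the two flows; keying on (VSID, CA) is what lets overlapping address spaces coexist.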

In tomorrow’s tip, Demystifying Software Defined Networking Terms – Part 5: The Hardware