VXLAN Packet Forwarding
In this topic we will learn how VXLAN packet forwarding is done on same VLAN – VXLAN ( VXLAN Bridging ) or over Different VLAN (Inter VLAN) via different VXLAN ( VXLAN Routing )
Here we will classify this packet forwarding in three section.
- ARP request
- ARP Reply
- Actual Data traffic.
But for Layer 2 Broadcast, Unknown Unicast, and Multicast Traffic, VXLAN on Cisco Nexus 9000 Series Switches do the following:
- Transport broadcast, unknown unicast, and multicast traffic
- Discover remote VTEPs IP address
- Learn the remote host MAC addresses and also capture the MAC-to-VTEP mappings for each VXLAN segment
For BUM traffic types, IP multicast method is used to reduce the flooding of BUM traffic for set of hosts that are participating in the VXLAN segment.In each VXLAN segment , VNID is mapped to a particular IP multicast group in IP transport network. Once each VTEP device is configured independently they join this multicast group as an IP host by IGMP protocol. As soon as VTEP joins the multicast group , it trigger the PIM joins which further signals via Transport network for particular Multicast group and after this multicast distribution tree for the group is built through transport network.
VLAN – VXLAN Bridging packet flow:
For VLAN – VXLAN bridging packet flow we will use the following topology throughout the section to understand the VXLAN and Configuration.
Here Server 1 wants to talk to Server 2 which is same vlan 140 and is mapped to same VXLAN 50140 and multicast group 188.8.131.52.
Broadcast: ARP Request
Following are the steps for the ARP request:
- Server -1 wants to start a communication with Server -2. Because Server -2 is in the same subnet as Server -1, it sends out an ARP request for Server -2 with DMAC set to the broadcast address (ff:ff:ff:ff:ff:ff) and source 00:00:00:00:00:0a of Server -1 .
- The Leaf -1 associates the frame from Server -1 with a VNI of 50140. The Leaf -1 gets this packet and performs a layer lookup based on (VNI=50140, DMAC=ff: ff:ff:ff:ff:ff). Because this is a lookup miss in the Layer 2 table, the packet is handed off to the VTEP Leaf -1 . The VTEP Leaf -1 encapsulates the packet with an appropriate VXLAN header with SIP set to 192.168.0.8, DIP set to 184.108.40.206, and the VNI in the VXLAN header set to 50140. The UDP source port field is generated and filled based on the hash of the original packet received from Server -1. The UDP destination port is set to the well-known VXLAN port. This encapsulated multicast IP packet is now forwarded toward the upstream switch. And Leaf -1 will learn the Mac address of Server-1 on port Eth1/3 in vlan 140 and put this entry in MAC address table.
- The upstream switch Spines forwards the packet based on the outer IP header. In other words, based on the DIP being a multicast address (220.127.116.11 ), the packet is Layer 3 multicast forwarded.
- Regular multicast forwarding results in a packet being forwarded to the VTEPs Leaf 2, leaf 3, leaf 4 respectively. Recall that Leaf -3 VTEP is interested receiver for the multicast group 18.104.22.168 because they sent an IGMP join when Server -2 powered on.
- The VTEP Leaf 2 , leaf 3 , leaf 4 receive the VXLAN packet and appropriately decapsulate the packet. The well-known UDP destination port serves as the identification of the VXLAN packet. Post-decapsulation, the VTEPs are aware that this is a packet in VNI 50140 (from the VXLAN header) and first perform Layer 2 MAC learning, that is, (50140, 00:00:00:00:00:0a) -> 192.168.0.8 (the SIP in the outer VXLAN header). Subsequently, the Leafs performs a regular Layer 2 lookup on the inner packet, namely based on the key (50140 , ff:ff:ff:ff:ff:ff), and the packet is forwarded to Server -2 which is regular Ethernet broadcast frame. Here Leaf-1 also act as VXLAN Gateway as this perform VLAN – VXLAN encapsulation and decpasulation. This is because a packet with a broadcast MAC is typically sent to all end hosts within that segment where they are discarded as there is no one interested receiver is there .
- In this way, Server -2 receive the broadcast ARP request from Server -1. Because the ARP request is for 172.21.140.11 , which is the IP address of , Server -2, only , Server -2 responds to the same.
- In this way, VTEPs learn about remote 00:00:00:00:00:0a aided by IP multicast forwarding. The upstream switches that form the IP core network are completely unaware of the end host MAC addresses and forward only the packet based on the overlay header. In the next section, the packet flow for the unicast ARP response packet is described.