Mylinking™ Network Packet Broker Tunnel Encapsulation Stripping: Empowering VTEP in Modern Networks

In the era of cloud computing and network virtualization, VXLAN (Virtual Extensible LAN) has become a key technology for building scalable, flexible overlay networks. At the core of the VXLAN architecture is the VTEP (VXLAN Tunnel Endpoint), the component that carries layer 2 traffic across layer 3 networks. As network traffic grows more complex with a variety of encapsulation protocols, Network Packet Brokers (NPBs) with Tunnel Encapsulation Stripping have become important for optimizing VTEP operation. This blog reviews the basics of VTEP and its relationship with VXLAN, then examines how NPB tunnel encapsulation stripping improves VTEP performance and network visibility.

Understanding VTEP and Its Relationship with VXLAN

First, let's define the key terms. A VTEP, short for VXLAN Tunnel Endpoint, is the network entity responsible for encapsulating and decapsulating VXLAN packets in a VXLAN network. It is where VXLAN tunnels start and end, acting as a "gateway" between the virtual overlay network and the physical underlay network. VTEPs can be implemented as physical devices (such as VXLAN-capable switches or routers) or as software entities (such as software switches, containers, or proxies on virtual machines).

The relationship between VTEP and VXLAN is symbiotic: VXLAN relies on VTEPs to deliver its core functions, while VTEPs exist solely to support VXLAN operations. The core value of VXLAN is to create a virtual layer 2 network on top of a layer 3 IP network through MAC-in-UDP encapsulation, overcoming the scalability limit of traditional VLANs (which support only 4096 VLAN IDs) with a 24-bit VXLAN Network Identifier (VNI) that allows up to 16 million virtual networks. Here is how VTEPs do it: when a virtual machine (VM) sends traffic, the local VTEP takes the original layer 2 Ethernet frame and adds a VXLAN header (containing the VNI), a UDP header (using port 4789 by default), an outer IP header (carrying the source VTEP IP and the destination VTEP IP), and an outer Ethernet header. The encapsulated packet is then sent across the layer 3 underlay network to the destination VTEP, which strips all the outer headers, recovers the original Ethernet frame, and forwards it to the target VM based on the VNI.

In addition, VTEPs perform essential functions such as MAC address learning (mapping the MAC addresses of local and remote hosts to VTEP IPs) and handling Broadcast, Unknown unicast, and Multicast (BUM) traffic, either through multicast groups or through head-end replication in unicast-only mode. In short, VTEPs are the building blocks that let VXLAN deliver network virtualization and multi-tenant isolation.


The Challenge of Multi-Encapsulated Traffic at the VTEP

In modern data center environments, VTEP traffic is rarely limited to VXLAN alone. Traffic passing through a VTEP often carries multiple layers of encapsulation headers, including VLAN, GRE, GTP, MPLS, or IPIP, in addition to VXLAN. This encapsulation complexity creates significant challenges for VTEP operation and for downstream monitoring, analysis, and security enforcement:

○ Reduced visibility: Most network monitoring and security tools (such as IDS/IPS, flow analyzers, and packet sniffers) are designed to process native layer 2/layer 3 traffic. Encapsulation headers hide the original payload, so these tools cannot accurately analyze traffic content or detect anomalies.

○ Increased processing overhead: VTEPs themselves must spend additional resources processing multi-layer encapsulated packets, especially in high-traffic environments. This can lead to increased latency, reduced throughput, and performance bottlenecks.

○ Interoperability problems: Different network segments or multi-vendor environments may use different encapsulation protocols. Without proper header stripping, traffic may fail to be forwarded or processed correctly as it passes through the VTEP, causing interoperability problems.

How NPB Tunnel Encapsulation Stripping Empowers VTEPs

Mylinking™ Network Packet Brokers (NPBs) with Tunnel Encapsulation Stripping address these challenges by acting as a "traffic pre-processor" for VTEPs. NPBs can strip various encapsulation headers (including VXLAN, VLAN, GRE, GTP, MPLS, and IPIP) from the original data packets before forwarding the traffic to VTEPs or to monitoring/security tools. This capability brings three main benefits to VTEP operations:

1. Enhanced Network Visibility and Security

By stripping encapsulation headers, NPBs expose the original payload of each packet, so monitoring and security tools can "see" the actual traffic content. For example, when VTEP traffic is forwarded to an IDS/IPS, the NPB first strips the VXLAN and MPLS headers, allowing the IDS/IPS to detect malicious activity (such as malware or unauthorized access attempts) in the original frame. This is especially important in multi-tenant environments where VTEPs handle traffic from many tenants: NPBs ensure that security tools can inspect tenant traffic without being hindered by encapsulation.

In addition, NPBs can strip headers selectively based on traffic type or VNI, giving visibility into specific virtual networks. This helps network administrators troubleshoot problems (such as packet loss or latency) by analyzing traffic precisely within individual VXLAN segments.

2. Improved VTEP Performance

NPBs offload header stripping from VTEPs, reducing the processing overhead on VTEP devices. Instead of VTEPs spending CPU resources on stripping several layers of headers (for example, VLAN + GRE + VXLAN), NPBs handle this pre-processing step, letting VTEPs focus on their core tasks: encapsulating/decapsulating VXLAN packets and managing tunnels. The result is lower latency, higher throughput, and better overall performance of the VXLAN overlay network, especially in high-density environments with thousands of VMs and heavy traffic loads.

For example, in a data center with NPBs and with switches acting as VTEPs, an NPB (such as Mylinking™ Network Packet Brokers) can strip VLAN and MPLS headers from incoming traffic before it reaches the VTEPs. This reduces the number of header-processing operations the VTEPs must perform, so they can handle more tunnels and traffic flows.

3. Improved Interoperability Across Heterogeneous Environments

In multi-vendor or multi-segment networks, different parts of the infrastructure may use different encapsulation protocols. For example, traffic from a remote data center may arrive at the local VTEP with GRE encapsulation, while local traffic uses VXLAN. An NPB can strip these different encapsulations (GRE, VXLAN, IPIP, etc.) and deliver native traffic to the VTEP, eliminating interoperability problems. This is especially important in hybrid cloud environments, where traffic from the services of ...

In addition, NPBs can forward the stripped headers as metadata to monitoring tools, so administrators retain information about the encapsulation context (such as the VNI or MPLS label) while still being able to analyze the original payload. This balance between header stripping and context preservation is key to managing networks effectively.


How to implement tunnel encapsulation stripping in a VTEP?

Tunnel encapsulation stripping in a VTEP can be implemented through hardware configuration, software-defined policies, and integration with SDN controllers, with the core logic being: identify the tunnel headers → perform the stripping actions → forward the original payloads. The specific implementation differs slightly by VTEP type (physical/software); the main methods are as follows:

Here we discuss the implementation on physical VTEPs (for example, Mylinking™ VXLAN-capable Network Packet Brokers).

Physical VTEPs (such as Mylinking™ VXLAN-capable Network Packet Brokers) rely on hardware chips and dedicated configuration commands to strip encapsulation efficiently, and are suited to high-traffic data center scenarios:

Configuration-based encapsulation matching: Set up encapsulation matching on the VTEP's interfaces and configure the encapsulation types so that specific tunnel headers are matched and stripped. For example, on Mylinking™ VXLAN-capable Network Packet Brokers, configure Layer 2 encapsulation matching to recognize 802.1Q VLAN tags or untagged frames, and strip the VLAN headers before forwarding traffic into the VXLAN tunnel. For GRE/MPLS encapsulation, enable the corresponding protocol parsing so that the outer headers are stripped.

Policy-based header stripping: Use ACLs (Access Control Lists) or traffic policies to define match rules (for example, matching UDP port 4789 for VXLAN, protocol type 47 for GRE) and attach stripping actions to them. When traffic matches the rules, the VTEP hardware chip automatically strips the specified tunnel headers (VXLAN/UDP/IP outer headers, MPLS labels, etc.) and forwards the original Layer 2 payload.

Distributed gateway cooperation: In Spine-Leaf VXLAN deployments, VTEPs (leaf nodes) can cooperate with Layer 3 gateways to complete multi-layer stripping. For example, after spine nodes forward MPLS-encapsulated VXLAN traffic to the leaf VTEPs, the VTEPs first strip the MPLS labels and then perform VXLAN decapsulation.
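The match-then-strip logic described above, and the metadata retention mentioned earlier, as an added Python sketch that is not Mylinking or vendor code: it matches UDP port 4789 and IP protocol 47 as the policy rules in the text do, removes the outer headers, and keeps the VLAN ID and VNI as context. The function names and the sample frame are constructed for illustration; MPLS, GTP, IPIP and IPv6 outer headers are left out.

```python
import struct

VXLAN_PORT, GRE_PROTO = 4789, 47      # match rules quoted in the text

def strip_tunnel(frame: bytes):
    """Return (payload, meta): VLAN tags and one VXLAN/GRE layer removed."""
    meta = {"vlans": [], "tunnel": None}
    try:
        off = 12                                    # past dst/src MAC
        (etype,) = struct.unpack_from("!H", frame, off)
        while etype in (0x8100, 0x88A8):            # 802.1Q / 802.1ad tag
            tci, etype = struct.unpack_from("!HH", frame, off + 2)
            meta["vlans"].append(tci & 0x0FFF)      # keep VLAN ID as context
            off += 4
        untagged = frame[:12] + frame[off:]
        if etype != 0x0800:                         # only IPv4 outer handled
            return untagged, meta
        ip = off + 2
        l4 = ip + (frame[ip] & 0x0F) * 4            # IHL gives header length
        proto = frame[ip + 9]
        if proto == 17:                             # UDP
            (dport,) = struct.unpack_from("!H", frame, l4 + 2)
            if dport == VXLAN_PORT:
                flags, word = struct.unpack_from("!B3xI", frame, l4 + 8)
                if flags & 0x08:                    # I flag: VNI is valid
                    meta.update(tunnel="vxlan", vni=word >> 8)
                    return frame[l4 + 16:], meta    # inner Ethernet frame
        elif proto == GRE_PROTO:
            flags, inner = struct.unpack_from("!HH", frame, l4)
            # checksum (C), key (K), sequence (S) add 4 bytes each
            hdr = 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
            meta.update(tunnel="gre", inner_ethertype=inner)
            return frame[l4 + hdr:], meta
        return untagged, meta
    except (struct.error, IndexError):              # truncated: pass through
        return frame, {"vlans": [], "tunnel": None, "error": "truncated"}

def sample_vxlan(vni=5000, vlan=100):
    """Constructed frame: VLAN tag + outer IPv4/UDP/VXLAN around an inner frame."""
    inner = bytes(12) + b"\x08\x00" + b"inner-payload"
    vx = struct.pack("!B3xI", 0x08, vni << 8) + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx), 0) + vx
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return bytes(12) + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip, inner

if __name__ == "__main__":
    frame, _ = sample_vxlan()
    print(strip_tunnel(frame)[1])
```

Each call removes one tunnel layer; calling `strip_tunnel` again on a VXLAN result handles nested encapsulation, since the payload is itself an Ethernet frame.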

Do you need a configuration example for a specific vendor's VTEP device (such as Mylinking™ VXLAN-capable Network Packet Brokers) to implement tunnel encapsulation stripping?


Practical Implementation Scenario

Consider a large data center running a VXLAN network with H3C switches as VTEPs, supporting many tenant VMs. The data center uses MPLS to carry traffic between core switches and VXLAN for VM-to-VM communication. In addition, remote branch offices send traffic to the data center through GRE tunnels. To ensure security and visibility, the data center deploys an NPB with Tunnel Encapsulation Stripping between the core network and the VTEPs.

When traffic arrives at the data center:

(1) The NPB first strips the MPLS headers from traffic coming from the core network and the GRE headers from traffic coming from the branch offices.

(2) For VXLAN traffic between VTEPs, the NPB can strip the outer VXLAN headers when forwarding traffic to monitoring tools, so the tools inspect the original VM traffic.

(3) The NPB forwards the pre-processed (header-stripped) traffic to the VTEPs, which only need to handle VXLAN encapsulation/decapsulation for the native payload. This setup reduces the VTEP processing load, enables deep traffic analysis, and ensures smooth interoperability among the MPLS, GRE, and VXLAN segments.

VTEPs are the backbone of VXLAN networks, enabling scalable virtualization and multi-tenant communication. However, the growing amount of encapsulated traffic in modern networks creates significant challenges for VTEP performance and network visibility. Network Packet Brokers with Tunnel Encapsulation Stripping address these challenges by pre-processing traffic, stripping the various headers (VXLAN, VLAN, GRE, GTP, MPLS, IPIP) before the traffic reaches VTEPs or monitoring tools. This not only improves VTEP performance by reducing processing overhead but also improves network visibility, strengthens security, and improves interoperability across heterogeneous environments.

As organizations continue to adopt cloud and hybrid cloud architectures, the cooperation between NPBs and VTEPs will become even more important. By using NPB tunnel encapsulation stripping, network administrators can unlock the full potential of VXLAN networks, ensuring they are efficient, secure, and aligned with business needs.


Post time: Jan-09-2026