FusionCompute

FusionCompute
Network Virtualization
www.huawei.com
Copyright © 2014 Huawei Technologies Co., Ltd. All rights reserved.

Objective
 Upon completion of this course, you will understand:
 Background information about the network virtualization technology
and Huawei's implementation plan
 Key technologies and the way that distributed virtual switches

(DVSs) are used by FusionCompute
 Key technologies and the way that the network passthrough

technologies are used by FusionCompute
Copyright © 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 2
Contents
1. Introduction to Network Virtualization
1) Development of Virtual Networks
2) Current Status of Virtual Switching
3) Huawei DVS
2. DVS
3. NIC Passthrough
Development of Virtual Networks
The computing virtualization technology is driving the development of network virtualization. In a

traditional data center, a server runs an operating system (OS), connects to a switch through
physical cables, and implements data exchange with different hosts, traffic control, security
control, and monitoring using the switch. Upon completion of virtualization, one server is
converted into multiple virtual hosts, and each virtual host has its own CPU, memory, and
network interface card (NIC). It is important for virtual servers located on a single server to
maintain communication. The sharing of physical equipment has revealed a greater need for new
security isolation and traffic control.
Contents
3) Huawei DVS
2. DVS
3. NIC Passthrough
Current Status of Virtual Switching
Control Control Control
domain domain VM VM domain VM VM
VM VM
VIF VIF
bridge bridge PF driver VF VF
driver driver
queue queue queue

PF …
Common vNIC VMDq-enabled NIC SR-IOV
• Independent VM package • Address translation implemented by the

• Domain 0 bridge queue
queue SR-IOV technology
Difference • One address translation

• The hypervisor does not need to
implemented by the hypervisor,
• One-time data copy implement address translation, which
which consumes little
reduces computation consumption.
computing resources
• High CPU overhead and low

• Little CPU overhead • Little CPU overhead
VM density
• Smooth live migration, • Limitation: no smooth VM live migration
• Smooth VM live migration
Characteristics snapshot, and IP-MAC binding and snapshot functions
and snapshot
NIC throughput: 9.1 Gbit/s (TCP) NIC throughput: 9.15 Gbit/s (TCP) NIC throughput: 9.5 Gbit/s (TCP)
Contents
3) Huawei DVS
2. DVS
3. NIC Passthrough
Huawei DVS Implementation
1. EVS-based common NIC
2. VMDq-enabled iNIC, which is the only passthrough
plan that supports hot migration in the industry
3. SR-IOV-enabled NIC passthrough plan
VM VM VM Management Storage
Distributed port
vNIC
group
Production Test environment Management Storage
DVS System interface
Uplink 0 Uplink 1 Uplink 2

Features
Unified portal and centralized management simplify user
management and configuration.
Production Test environment
Manage
Storage Production Test environment
Manage
Storage The open vSwitches are integrated to make full use of and
ment ment
inherit virtual switching capabilities of open source
communities.
Uplink port 0 Uplink port 1 Uplink port 2 Uplink port 0 Uplink port 1 Uplink port 2 iNICs are used to take over the virtual switching functions of
CPUs, and VM network passthrough capacities are provided
to enhance VM network performance and reduce CPU usage.
FusionCompute and Huawei iNICs provide a combined force to
enable passthrough and VM hot migration capacities and allow all
DVS features to be compatible with each other.
Physical switch
Rich virtual switching features, including switching, QoS,
security isolation, monitoring, and maintenance, are
provided.
Contents
2. DVS
1 ) DVS Working Principle
2) Working Principle and Configuration of Virtual Switching Security Control

(ARP Broadcast Suppression and IP Broadcast Suppression)
3) Working Principle and Configuration of Static IP-MAC Binding
4) Working Principle and Configuration of Virtual Switch Traffic Shaping
5) Working Principle and Configuration of Port Mirroring (SPAN)
6) Working Principle and Configuration of Trunk Port Supported vNIC
3. NIC Passthrough
Virtual Switching Implementation Principle
Port group (ports VM VM 2 VM 3 VM 4 VM 5
of the same vNIC NIC NIC NIC
attributes, such as
1NIC NIC
VLAN)
Port Port Port

Port group 1
Uplink
DVS Port Port
Virtual VRM Port group 2

Port Port
switch port
Port Port Port Port Port

EVS EVS EVS
Port Port Port
Host 1 Host 2
Host NIC
NIC NIC NIC
Switch port
Port Port Port
Physical switch
1. The vNICs of VM 1 and VM 2 belong to port group 1 and are connected to the same elastic virtual switch (EVS). The traffic between
them is forwarded by the EVS, as illustrated by the red line.
2. The vNICs of VM 1 and VM 2 belong to port group 1 and are connected to different EVSs. The traffic between them is forwarded by the
physical switch, as illustrated by the blue line.
3. The vNICs of VM 1 and VM 2 belong to different port groups and are connected to different EVSs. The traffic between them is
forwarded by the physical switch, as illustrated by the purple line.
DVS Is the Foundation of Network Virtualization
VM VM VM VM VM VM VM VM VM VM VM VM
EVS / iNIC EVS / iNIC EVS / iNIC
Server Server Server
DVSM
 EVS/OVS built-in servers implements complete layer-2 switching functions, including virtual switching,
virtual security isolation, and VM QoS.
 Layer-2 monitoring and maintenance
 Huawei-proprietary iNICs offload virtual switching functions from CPUs, which improve VM network
performance and reduce CPU usage.
 Centralized management of EVS/iNICs across multiple servers, simplifying management and
maintenance
Dual Virtual Switching Engines: Huawei-Proprietary iNIC
and OVS
Domain 0
 Provides an open-source
OVS OVS/EVS virtual switch
Back-end
VM VM VM VM forwarding engine
ACL ASPF L2 Security
Back-end
driver
 Huawei-proprietary iNIC
driver
Switch provides high-performance and
low-latency switching
VXLAN
VLAN capabilities.
 iNICs are used in the network
Bonding/LACP SHAPING virtualization scenarios where
high network switching
Passthrough capabilities are required.
Native driver
Front driver driver
Hypervisor
PCIE PCIE
iNIC
Commercial NIC
VMDQ/SR-IOV
Intel/BCM
/Emulex… ACL ASPF L2 Security
Switch
VLAN VXLAN
Bonding/LACP SHAPING
Decoupling System Interfaces and Physical Interfaces
Supports Flexible Configurations
Scenario:
1. The first NIC is selected as the management interface during
System management interface: CNA booting. This is based on the default settings of the file
management and storage being loaded.
2. Users can add or change system interfaces based on the actual
Mgnt iSCSI requirement.
3. For a created system interface, users can add or change its
uplink port and the load balancing port.
4. Users can check the configurations and running status of a
system management interface.
NIC1
Benefit:
Uplink port
1. Decouples management interfaces and physical interfaces
and supports flexible configurations.
2. Visualized interfaces, improving maintainability
3. Heterogenous servers, supporting 1GE/10GE/iNIC
DVS Management
vNIC server server
VM VM VM VM VM VM DHCP FW
Network1（Web ）
Virtual
switch port Network2（App）
(VSP)
Virtual switch
Scenario:
1. Users want to configure servers in a cluster to run different services. Each service has its own network
attributes.
2. Users want to consolidate network attributes, such as physical interfaces, virtual interfaces, security,
and QoS using the DVS.
Benefit:
1. Centralized configuration and management portal. Support for heterogeneous switching types:
common switches, passthrough switches, and SR-IOV.
2. Easily comprehendible for users
3. Network maintainability. Users configure the physical network based on the VLAN and server
information of the DVS.
Contents
2. DVS
1) Working Principle of DVS
2) Working Principle and Configuration of Virtual Switching Security Control (ARP

Broadcast Suppression and IP Broadcast Suppression)
3. NIC Passthrough
Implementation Principles of ARP and IP Broadcast
Suppression
Flood attack scenario: VM 1 initiates flood attacks.

VM1 VM2 VM3
The large amount of APR packages sent continuously
by VM1 results in network communication failures.
ARP req ARP rsp ARP rsp
 Value
In the scenario where an elastic host has been leased, a hacker can initiate broadcast attacks on other
hosts through an elastic host. Consequently, this can interrupt network communication. The broadcast
suppression function, provided by FusionSphere, can effectively prevent broadcast attacks orchestrated
by hackers.
In server consolidation and desktop cloud scenarios, the probability of internal attacks is low. Therefore,
broadcast suppression is disabled for virtual switches by default to avoid network performance
deterioration. If the network is susceptible to viruses and attacks, the administrator can enable
broadcast suppression.
 ARP and IP attack prevention:
ARP flood attack: a type of DDoS attacks, continuous sending of ARP packages
IP attack: flood attack
 Versions that support this function:
V100R003C10 supports ARP and IP broadcast attack prevention capabilities.
Working Principles of ARP and IP Broadcast Suppression
VM 1 VM 2 VM 3
vSwitch
The port group
provides the
suppression control
function.
 Firewalls can be used to prevent broadcast attacks from external networks. FusionCompute also
provides broadcast suppression for VM NIC outbound traffic to prevent broadcast attacks from
internet networks.
 The ARP broadcast suppression, IP broadcast suppression, and suppression bandwidth threshold
for VM outbound traffic can be configured on virtual switches. The suppression can be configured
based on port group to reduce layer 2 network bandwidth consumption caused by broadcast storms.
Implementation Principles of ARP and IP Broadcast
Suppression
 On the Network Settings page, configure ARP broadcast suppression and IP broadcast
suppression for a port group of a DVS.
If a suppression function is enabled, you must also configure the suppression bandwidth.
Contents
2. DVS

3. NIC Passthrough
Working Principle of Static IP-MAC Binding
Layer 2 network security policies are in place to prevent IP or MAC address spoofing and DHCP
server spoofing for user VMs.
IP-MAC binding prevents users from initiating IP or MAC address spoof attacks after the IP or
MAC address of a VM has been changed, this enhances the network security of user VMs. The
enforcement of this policy binds an IP address to an MAC address using the DHCP snooping
feature.
Packets from unknown sources are filtered through the IP Source Guard and dynamic ARP
inspection (DAI).
DHCP quarantine blocks users from unintentionally or maliciously enabling the DHCP server
service for a VM, ensuring common VM IP address assignment.
Working Principle of Static IP-MAC Binding
The system already supports the binding between the DHCP IP address and the
MAC address.
The new static IP-MAC binding function allows users to bind the VM vNIC IP address
with the MAC address. The connection between the vNIC and the network will
disconnect if the IP address or MAC address of a VM vNIC is changed after this
function has been activated.
FusionCompute only supports the REST interface-based IP-MAC binding
configuration. It does not support static IP address allocation and management.
IP-MAC Address Binding Configuration
 On the Network Settings page, configure DHCP quarantine and IP-MAC address
binding functions for a port group of a DVS.
Contents
2. DVS

3. NIC Passthrough
Working Principle of Network Traffic Shaping
Token
categorizing
256 Kbit/s 128 Kbit/s
Traffic
Queue 128 Kbit/s
bucket
Token
FR
This is an enhanced function.

VM:
1. QoS control for inbound traffic;
2. Traffic shaping, instead of traffic limiting, is implemented for outbound traffic.
Management interfaces and storage interfaces:
Traffic shaping, instead of traffic limiting, is implemented for outbound traffic. Traffic shaping for inbound traffic is not
supported.
Benefit:
1. QoS control on inbound traffic for VMs avoids resource contention caused by inbound traffic and ensures traffic fairness.
2. The burst size and average bandwidth can be configured to allow a burst when the system has a lot of idle resources.
3. Traffic shaping avoids the packet loss, network jitter, and impact on services caused by rate limiting.
Working Principle of Traffic Shaping
Working Principle of Traffic Shaping

1. Rate limiting and priority implementation in the
V100R003C10 implements rate
limiting, average bandwidth, and
burst traffic functions on the
R003C00 version
inbound traffic over the VIF for VMs. V100R003C00 implements HTB rate limiting and priority
functions for outbound traffic over the uplink for system
interface hNIC
interface hNIC
V100R003C10 implements rate

Management
limiting, average bandwidth, and burst

Storage
traffic functions on the outbound traffic

over virtual devices, which are interfaces (management interfaces and storage interfaces)
simulated by vSwitches, for VMs.
and VMs.
2. Traffic shaping function implemented in the
V100R003C10 version
Storage and management interfaces:
Back-end driver
• V100R003C10 implements HTB rate limiting on the

V100R003C10 outbound traffic over the hNIC for system interfaces.
implements HTB rate
limiting on the outbound • V100R003C10 implements HTB priority on the outbound
traffic over the hNIC for
system interfaces.
Native driver
Front-end traffic over the hNIC for system interfaces.
driver
VM:
• V100R003C10 implements rate limiting, average bandwidth,
and burst traffic functions on the inbound traffic over the
V100R003C00 implements
VIF for VMs.
V100R003C00 implements
HTB rate limiting and priority
functions on the outbound
• V100R003C10 implements rate limiting, average bandwidth,
HTB rate limiting and priority Commercial NIC
traffic over the uplink for
functions on the outbound
system interfaces and VMs. and burst traffic functions on the outbound traffic over
traffic over the uplink for
system interfaces and VMs. virtual devices, which are simulated by vSwitches, for VMs.
• V100R003C10 implements HTB priority on the outbound
traffic over the uplink VMs.
Traffic Shaping Configuration
 VM traffic shaping  System interface traffic shaping

On the Network Settings page, configure outbound and On the Connection Settings page, configure the
inbound traffic shaping for a port group of a DVS. outbound traffic shaping function for a system interface.
Contents
2. DVS

3. NIC Passthrough
Port Mirroring (SPAN)
Common network traffic
Mirroring network traffic
Port A Port B Port C
vSwitch
Port mirroring (SPAN)
Description:
Port mirroring, also known as Switched Port Analyzer (SPAN), is used to send a copy of network packages
located on one switch port (source port) to another port (destination port). At the destination port, the
package can be studied without affecting the normal package handling process to facilitate troubleshooting.
The two ports belong to the same server.
Value: Facilitates network monitoring and quick troubleshooting.
Capability:
One DVS supports a maximum of 64 monitoring sessions and 8 concurrent monitoring sessions. Only one
destination port can be set to a local port for mirroring. A maximum of four destination ports can be
configured for a local port mirroring session or a remote port mirroring session.
Port Mirroring Configuration
 To configure port mirroring, choose Network Management > DVS > Port > Port Mirroring.
The following information can be configured: Status, Normal I/O on destination ports, Mirrored
packet length, Source port, and Destination port.
Contents
2. DVS

3. NIC Passthrough
Support for Trunk Ports by vNIC
Benefit:
VM（GW） VM（GW）
VLAN 100 to VLAN 200
VLAN 100 VLAN 101 VLAN 107
vSwitch vSwitch
A VM supports a maximum of 8 vNICs. One vNIC can support multiple VLANs.

Therefore, a maximum of 8 VLANs and
8 subnets gateways are supported.
Benefit: A vNIC can support multiple VLANs that enable flexible networking and support the application of
more complicated service scenarios.
Application scenario: Multiple subinterfaces need to be created for a vNIC of a VSA VM. Each subinterface
needs a VLAN to provide the VSA VM with gateway functions.
Trunk Configuration
 On the Network Settings page, configure the port type for a port group of a DVS.
After Port type is set to Trunk, configure VLAN.
Contents
2. DVS
3. NIC Passthrough
1) iNIC Passthrough
2) SR-IOV NIC Passthrough
3) Comparison Between iNIC and SR-IOV NIC
iNIC Working Principle
控制域
VM VM
Working principle
VIF An iNIC uses multiple queues, virtual switching, QoS,
Bridge and uplink port aggregation to improve NIC I/O
performance.
iNICs improve virtual network performance by
FusionCompute integrating the following technologies:
 Virtual Machine Device Queues (VMDq): enables
iNICs to reduce the stress on hosts by decreasing

the host CPU load.
Queue Queue Queue
 iNIC-based static ACL: provides layer 2 network
security.
iNIC Implementation
dom0 domU
Overall solution: The iNICs take over all of the virtualized switch
function of the CPU on the server, including the switch, security, and
Event vNIC the QoS.
channel
iNIC native driver In the direct communication scenario, messages can be directly transmitted
to domain U from the NIC, bypassing the hypervisor and domain 0. This
driver improves the performance.
Buffer
Zero- Zero-copy: Messages can be directly transmitted to the buffer on the

XEN copy VM without passing through the domain 0.
VLAN: It is configured based on the queue.

Queue
Bonding: Physical ports on the hardware are bound.
…
Queue
Tx/Rx Layer-2 isolation: Layer-2 isolation in the same VLAN is supported
and the broadcast packet suppression function is enabled.
vlan
ACL: Packet filtering based on the 5-tuple flow and status rules are
Bonding enabled. ACL is also compatible with the security group functions. It
is based on the queue and is not affected by the number of other
Isolate queue rules.
ACL QoS: QoS supports bandwidth limit, dynamic adjustment of the
QoS bandwidth proportion, and bandwidth priority; it ensures the
minimum bandwidth.
Hardware switching (MAC/VLAN)
Bridge switch: It is based on hardware switch function of the MAC
and VLAN.
iNIC Configuration
 When creating a DVS, set DVS type to VMDq-enabled or SR-IOV-

enabled.
Contents
2. DVS
3. NIC Passthrough
1) iNIC Passthrough
Working Principle of SR-IOV (Function for PK Tests)
SR-IOV is a hardware-based virtualization solution, which helps improve system performance and
scalability. With the SR-IOV technology, VMs can share the Peripheral Component Interconnect Express
(PCIe) devices, which provide high I/O performance close to a native host. The SR-IOV standard enables
VMs to be directly connected to I/O devices.
Multiple VMs can share one single I/O resource. A shared device provides dedicated resources and use
shared general resources. Therefore, each VM can access a unique resource. A PCIe device with the SR-
IOV function enabled and appropriate hardware and OS used, such as an Ethernet port, can be displayed
as multiple independent physical devices that have their own PCIe configuration space.
SR-IOV Implementation
 Performance: VMs can directly access hardware.

 Reduced operational costs:
 Energy saving
 Number of required adapters reduced
 Cable layout simplified
 Number of required switch ports reduced
SR-IOV Configuration
 To create a DVS that supports SR-IOV, set DVS type to SR-IOV-enabled.
 The live migration feature is not supported. For details, see the PK feature guide.
Contents
2. DVS
3. NIC Passthrough
1) iNIC Passthrough
Comparision Between iNIC and SR-IOV NIC
Scenario Hardware Working Principle Performance Constraint Commercial Use
Independent VM package
vNICs have high queue Little CPU Smooth live
requirements for I/O Single address translation overhead migration,
iNIC performance, for iNIC carried out by the NIC throughput: snapshot, and Yes
example, the hypervisor, which 9.15 Gbit/s IP-MAC binding
appliance scenario. consumes little computing (TCP) are supported.
resources
Address translation
NICs have high implemented by the SR- Smooth live
SR-IOV-
requirements for I/O IOV-enabled NICs Little CPU migration,
enabled
performance, for The Hypervisor does not overhead snapshot, and
SR-IOV NICs, such No
example, for require address translation. NIC throughput: IP-MAC binding
as Intel
example, the Oracle Therefore, the 9.5 Gbit/s (TCP) are not
82599
RAC scenario. computation consumption supported.
is reduced.
Appendix: Acronyms and Abbrevations
Acronym/Abbreviation Full Name
ARP Address Resolution Protocol
CNA Computing Node Agent
DHCP Dynamic Host Configuration Protocol
Dom0 Domain 0
DVS Distributed Virtual Switch
DVSM Distributed Virtual Switch Management
EVS Elastic Virtual Switch
Qos Quality of Service
OVS Open Virtual Switch
SPAN Local port mirroring
SR-IOV Single Root I/O Virtualization
UVP Unified Virtualization Platform
VMDq Virtual Machine Device Queue
vNIC Virtual Network Interface Card
VSA Virtual Switch Appliance
VSP Virtual Switch Port
Thank you
www.huawei.com

FusionCompute - V100R003C10 Network

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

FusionCompute - V100R003C10 Network

Încărcat de

Drepturi de autor:

Formate disponibile

Copyright © 2014 Huawei Technologies Co., Ltd. All rights reserved.

 Key technologies and the way that distributed virtual switches

 Key technologies and the way that the network passthrough

2) Current Status of Virtual Switching

The computing virtualization technology is driving the development of network virtualization. In a

2) Current Status of Virtual Switching

queue queue queue

Common vNIC VMDq-enabled NIC SR-IOV

• Independent VM package • Address translation implemented by the

Difference • One address translation

• High CPU overhead and low

2) Current Status of Virtual Switching

Production Test environment Management Storage

DVS System interface

Uplink 0 Uplink 1 Uplink 2

2) Working Principle and Configuration of Virtual Switching Security Control

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping

5) Working Principle and Configuration of Port Mirroring (SPAN)

6) Working Principle and Configuration of Trunk Port Supported vNIC

Port Port Port

DVS Port Port

Virtual VRM Port group 2

Port Port Port Port Port

EVS / iNIC EVS / iNIC EVS / iNIC

Server Server Server

vNIC server server

2) Working Principle and Configuration of Virtual Switching Security Control (ARP

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping

5) Working Principle and Configuration of Port Mirroring (SPAN)

6) Working Principle and Configuration of Trunk Port Supported vNIC

Flood attack scenario: VM 1 initiates flood attacks.

2) Working Principle and Configuration of Virtual Switching Security Control (ARP

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping

5) Working Principle and Configuration of Port Mirroring (SPAN)

6) Working Principle and Configuration of Trunk Port Supported vNIC

2) Working Principle and Configuration of Virtual Switching Security Control (ARP

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping

5) Working Principle and Configuration of Port Mirroring (SPAN)

6) Working Principle and Configuration of Trunk Port Supported vNIC

This is an enhanced function.

Working Principle of Traffic Shaping

V100R003C10 implements rate

limiting, average bandwidth, and burst

traffic functions on the outbound traffic

• V100R003C10 implements HTB rate limiting on the

 VM traffic shaping  System interface traffic shaping

2) Working Principle and Configuration of Virtual Switching Security Control (ARP

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping

5) Working Principle and Configuration of Port Mirroring (SPAN)

6) Working Principle and Configuration of Trunk Port Supported vNIC

Mirroring network traffic

Port A Port B Port C

Port mirroring (SPAN)

Value: Facilitates network monitoring and quick troubleshooting.

2) Working Principle and Configuration of Virtual Switching Security Control (ARP

3) Working Principle and Configuration of Static IP-MAC Binding

4) Working Principle and Configuration of Virtual Switch Traffic Shaping