Insider of LAN SDN hard core technology 22 Kang long regrets -- Specifications and restrictions (Part 2)

First , Let's review yesterday and The day before yesterday The content of ：

In the data center , With large-scale virtualization and containerization , In the worst case ,TOR Theoretically, switches may need to learn about the whole network VM Of MAC or FIB Table item . therefore , If one POD There are many servers in ,MAC or FIB Table items may become the bottleneck of specifications , We need to plan the physical location of the tenant virtual machine reasonably , To avoid over specification .

In the park , There is no such large-scale user access , The main limitation is configured for wireless roaming users AC mouth , And what needs to be configured to control access between user groups ACL.

Two questions left yesterday ：

1. Try not to go through the switch ACL Implement access control ; The answer is obvious . In the use of ACL In the case of access control ,ACL The resource consumption of is proportional to the square of the number of security groups . When there are many security groups , Need to use ACL Switches with higher specifications , And increase the overall cost ;
2. Try not to use multiple box stacks , And the use of box switches ; Because after stacking , Will make the stack group ( Logic system ) Double the number of physical ports , Because of static VXLAN AC The number of physical ports * Number of security groups , The number of stacks exceeds 4 It's easy to switch the VXLAN AC Exhausted resources . Why doesn't a box switch have such restrictions ？ actually , This proposition is not entirely correct .

Implementation of frame switch , There are centralized and distributed .

Centralized frame switch , With Catalyst 9400,Catalyst 9600 As a representative , In exchange for ASIC On the master engine , Line card only phy chip , All forwarding needs to be hosted ASIC engine . As shown in the figure below ：

In this case , Frame switch VXLAN AC The number of ports is also controlled by the master exchange engine ASIC The limitation of .

And then H3C Distributed design is used for the representative mainstream switch manufacturers , The architecture is shown in the following figure ：

In the figure ,Fabric Module It can be integrated into the main control , It can also be provided in the form of an independent switching network board . Because each line card has Ethernet switching ASIC, Yes n A line card switch theoretically VXLAN The number of resources is per ASIC Of n times .

therefore , Strictly speaking , Only the frame switch with distributed forwarding , This feature can be used , Assume more security groups + Wireless forwarding .

that , If there are no conditions or based on cost considerations , Do not use high-end box switches or box switches with high costs as convergence ？

We have one last move —— Wireless centralized forwarding .

Remember us The first 19 The article of Last picture ：

If we adopt centralized forwarding , Is it equivalent to wireless users “ The universe moves ” When you get there, hang it on the core wireless controller ？

actually , Because all wireless users roam anyway , We only need to connect the physical interface between the core switch and the wireless controller , Configure... For all security groups where wireless users are located VXLAN AC That's all right. ！ in other words , If you use 2 individual 40G The Ethernet physical port is connected to the wireless controller , stay 80 In the case of security groups , We only need to consume on the core switch 160 individual VXLAN AC Resources are enough ！

Next , What we need to solve is ACL The question of resources .

We know , In the actual deployment of the park network , The vast majority of users' business is to access the data center and internal servers in the park , However, there are very few mutual visits between park users .

therefore , We can configure the default policy on all convergence switches as deny any, Only businesses that allow mutual visits are ACL Medium release . Because there are few mutual visits between park users , The access matrix is actually a sparse matrix , This can greatly save ACL resources .

Of course , This evasive measure , There is a cost . Centralized forwarding will increase the delay of wireless users , The throughput of the wireless controller may also limit the total bandwidth of all wireless users . But in most scenarios, it can meet the needs of customers .

Tomorrow, , We will introduce LAN SDN The future development of Technology , Coming soon ！