
In this post I am going to address a common question about the security and performance impact when multiple logical Layer 2 networks are mapped to one multicast group address.

As mentioned in an earlier post in this series, vCloud Networking and Security (vCNS) Manager is responsible for mapping logical Layer 2 networks to multicast group addresses. If you provide fewer multicast group addresses than there are logical Layer 2 networks, vCNS Manager assigns the logical Layer 2 networks to multicast addresses in a round-robin fashion. For example, if there are 4 logical L2 networks (A1, A2, A3, A4) and 2 multicast group addresses (M1, M2), logical networks A1 and A3 will be mapped to multicast group address M1 while A2 and A4 are mapped to M2.

Let’s take a look at the packet flows to understand any security or performance impact of mapping multiple logical networks to one multicast group. To keep the drawing simple, as shown below, we will use a deployment with two logical Layer 2 networks and one multicast group address.

Example – Two logical networks mapped to one multicast group address

As shown in the diagram above, both logical networks have virtual machines connected. Virtual machines MAC1 and MAC2 are on VXLAN 5001 (green vwire) and virtual machines MAC3 and MAC4 are on VXLAN 5002 (red vwire). When the virtual machines are powered on, IGMP join requests for multicast group address 239.1.1.100 are sent out by the respective VTEPs on each host.

IGMP packet flows

The diagram above shows the packet flows:

  1. Virtual machine MAC1, connected to VXLAN 5001, is powered on.
  2. An IGMP join message for multicast group address 239.1.1.100 is sent out by the VTEP on Host 1.
  3. Virtual machine MAC4, connected to VXLAN 5002, is powered on.
  4. An IGMP join message for multicast group address 239.1.1.100 is sent out by the VTEP on Host 3.

To show the security implication of such a deployment, we will take the example of broadcast traffic generated by virtual machine MAC1. The virtual machine is connected to the logical network VXLAN 5001 (green vwire). The broadcast packet generated by this virtual machine should only be received by other virtual machines connected to VXLAN 5001 and not by virtual machines on VXLAN 5002.

Broadcast packet flows

As shown in the diagram above, the packets flow as follows:

  1. Virtual machine MAC1 sends a broadcast packet.
  2. The VTEP on Host 1 encapsulates the packet in a UDP header with the destination IP address set to the multicast group address 239.1.1.100.
  3. The physical network delivers the packet to all the hosts that joined the multicast group 239.1.1.100.
  4. The VTEP on Host 4, after receiving the packet, checks whether the VXLAN ID in the encapsulation header is 5001 or 5002. In this case the packet was sent from a virtual machine connected to the logical network with VXLAN 5001 (green vwire), and thus the packet is delivered only to the virtual machine (MAC2) connected to that network.
  5. The VTEPs on Host 2 and Host 3 also receive the packet, because those hosts had also joined the multicast group 239.1.1.100. However, after each VTEP checks the header and finds that the packet is destined only for virtual machines connected to VXLAN 5001 (green vwire), the packet is dropped, since neither host has a virtual machine on that network.

Even though the physical network delivers the broadcast packet from one logical network to all VTEPs that joined the group, an individual VTEP on a host does not forward the packet unless it is destined for the logical network identified by the VXLAN ID in the encapsulation header and there are virtual machines connected to that logical network on that host. In this example, the VTEPs on Host 2 and Host 3 don’t have any virtual machines connected to logical network VXLAN 5001, and thus the broadcast packet is not forwarded. The broadcast traffic on one logical network is not seen on the other logical network, even though the multicast group address is the same. So, there shouldn’t be any additional security concerns because of mapping multiple logical Layer 2 networks to one multicast group address.

In terms of performance, though, multicast traffic is suboptimal in such deployments. As we see in this example, Host 2 and Host 3 don’t have any virtual machines connected to logical network VXLAN 5001, but they still receive the broadcast traffic. This is because those hosts have virtual machines connected to logical network VXLAN 5002, and that logical network is associated with the same multicast group address as VXLAN 5001. The physical network only knows that Host 2 and Host 3 are interested in listening to the same conversation as Host 1 and Host 4; it has no visibility into the VXLAN ID, so the filtering can only happen at the receiving VTEP.
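To make the round-robin mapping and the VTEP filtering above concrete, here is a small simulation of the two-network scenario. This is an added example written for this post, not VMware or vCNS code. The host names, MAC labels, VXLAN IDs and the group 239.1.1.100 follow the diagrams; the placement of MAC3 on Host 2 is an assumption (the post only states where MAC1, MAC2 and MAC4 live), and the physical network is modelled as not echoing a multicast frame back to its sending host, which matches the five steps listed above. The counters per host show both points at once: the security point (only Host 4 delivers the frame to a VM) and the performance point (Host 2 and Host 3 still receive and drop it).

```python
"""Simulation of VXLAN-over-multicast mapping and VTEP filtering.

Constructed example for this post; not vCNS or ESXi code.
"""
from collections import defaultdict
from itertools import cycle


def map_vnis_to_groups(vnis, groups):
    """Round-robin assignment of logical networks (VNIs) to multicast groups,
    as the post describes vCNS Manager doing when there are fewer groups than
    networks: A1->M1, A2->M2, A3->M1, A4->M2."""
    return dict(zip(vnis, cycle(groups)))


class Vtep:
    """One VTEP per host. Tracks local VMs per VNI and the groups it joined."""

    def __init__(self, host, vni_to_group):
        self.host = host
        self.vni_to_group = vni_to_group
        self.vms = defaultdict(set)   # vni -> set of local VM MACs
        self.joined = set()           # multicast groups joined via IGMP
        self.received = 0             # encapsulated packets seen on the uplink
        self.delivered = []           # (vni, mac) pairs handed to local VMs

    def power_on(self, mac, vni):
        """A VM powering on makes the VTEP join the group for that VNI."""
        self.vms[vni].add(mac)
        self.joined.add(self.vni_to_group[vni])

    def encapsulate(self, src_mac, vni):
        """Outer header: VXLAN ID plus the multicast group as outer dst IP."""
        return {"vni": vni, "outer_dst": self.vni_to_group[vni],
                "src_mac": src_mac, "src_host": self.host}

    def receive(self, pkt):
        """Decapsulate and forward only to local VMs on the packet's VNI.
        If no local VM is on that VNI the packet is simply dropped."""
        self.received += 1
        for mac in sorted(self.vms.get(pkt["vni"], ())):
            if mac != pkt["src_mac"]:
                self.delivered.append((pkt["vni"], mac))


class PhysicalNetwork:
    """Delivers a multicast frame to every VTEP that joined the outer group.
    It sees only the outer IP header, never the VXLAN ID."""

    def __init__(self, vteps):
        self.vteps = vteps

    def send(self, pkt):
        for vtep in self.vteps:
            # Assumption: the sender's own frame is not looped back to it.
            if vtep.host != pkt["src_host"] and pkt["outer_dst"] in vtep.joined:
                vtep.receive(pkt)


def run_broadcast_scenario():
    """Two VNIs mapped to one group; MAC1 on VXLAN 5001 sends a broadcast."""
    vni_to_group = map_vnis_to_groups([5001, 5002], ["239.1.1.100"])
    hosts = {h: Vtep(h, vni_to_group)
             for h in ("Host1", "Host2", "Host3", "Host4")}
    # Constructed placement: MAC1/MAC2 on 5001, MAC3/MAC4 on 5002.
    hosts["Host1"].power_on("MAC1", 5001)
    hosts["Host4"].power_on("MAC2", 5001)
    hosts["Host2"].power_on("MAC3", 5002)   # assumption: MAC3 lives on Host 2
    hosts["Host3"].power_on("MAC4", 5002)

    net = PhysicalNetwork(list(hosts.values()))
    net.send(hosts["Host1"].encapsulate("MAC1", 5001))
    return {h: {"received": v.received, "delivered": v.delivered}
            for h, v in hosts.items()}


if __name__ == "__main__":
    for host, stats in run_broadcast_scenario().items():
        print(host, stats)
```

Running it shows Host 2 and Host 3 each with `received` of 1 and an empty `delivered` list (the frame reached the uplink and was dropped after the VXLAN ID check), while Host 4 delivers it only to MAC2. Adding a second multicast group so that 5001 and 5002 no longer share one address makes Host 2 and Host 3 stop receiving the frame at all, which is the performance trade-off the next paragraph describes.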

I hope this post clarifies the impact of mapping multiple logical networks to the same multicast group address.

In the next post I will cover how VTEPs build their forwarding tables of virtual machine MAC addresses and the associated VTEP IP addresses.

Here are the links to Part 1, Part 2, Part 3, Part 5

Get notifications of these blog postings and more VMware Networking information by following me on Twitter: @VMWNetworking