Flow rules for overlay networks

In the Neutron reference implementation, overlay networks are those that use either VXLAN or GRE to encapsulate instance traffic between hosts. Instances connected to an overlay network are attached to the integration bridge and use a local VLAN mapped to that network, just like the other network types discussed so far. All instances on the same host that are connected to the same overlay network share that local VLAN.

In this example, an overlay network has been created with Neutron auto-assigning a segmentation ID of 39.

No changes are needed on the physical switching infrastructure to support this network, as the traffic is encapsulated and forwarded between hosts over the overlay network interface, eth1; the physical switches only carry the encapsulating IP traffic between tunnel endpoints.

An instance has been spun up on the network MyOverlayNetwork, which results in the following virtual switch configuration:


Notice that the port associated with the instance has been assigned a local VLAN ID of 4, even though it is an overlay network. When an instance sends traffic to another instance or device in the same network, the integration bridge forwards the traffic out toward the tunnel bridge, br-tun, where the following flow rules are consulted:

The flow rules implemented on the tunnel bridge are unique in that they specify a virtual tunnel endpoint, or VTEP, for every known destination MAC address, including other instances and routers that are connected to the network. This behavior ensures that traffic is forwarded directly to the compute or network node where the destination resides and is not forwarded out on all ports of the bridge. Traffic that does not match is dropped.

In this example, traffic to destination MAC address fa:16:3e:f1:b0:49 is forwarded out to port vxlan0a140064, whose name encodes the remote tunnel endpoint address in hexadecimal (0a.14.00.64 is 10.20.0.100). The port's configuration confirms the mapping to that endpoint:


The address 10.20.0.100 is the VXLAN tunnel endpoint for controller01, and the MAC address fa:16:3e:f1:b0:49 belongs to the DHCP server in the MyOverlayNetwork network.
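To make the MAC-to-VTEP relationship described above concrete, the following added example (not code from the book or from Neutron itself) parses constructed sample output shaped like `ovs-ofctl dump-flows br-tun`, `ovs-ofctl show br-tun` and `ovs-vsctl get interface <port> options`, decodes the remote address hidden in each tunnel port name, and builds the per-MAC table the tunnel bridge is effectively enforcing. The sample flow lines, port numbers, second MAC address and second VTEP are assumptions chosen to match the text (local VLAN 4, segmentation ID 39, VTEP 10.20.0.100), not a capture from a real host.

```python
"""Map destination MACs to VXLAN tunnel endpoints from OVS tunnel-bridge output.

Added example, not code from the book or from Neutron itself. It parses
constructed sample output shaped like `ovs-ofctl dump-flows br-tun`,
`ovs-ofctl show br-tun` and `ovs-vsctl get interface <port> options`;
field values are assumptions chosen to match the text (VLAN 4, VNI 39,
VTEP 10.20.0.100), not a capture from a real host.
"""
import ipaddress
import re

# Constructed sample: unicast flows in the tunnel bridge's MAC-to-tunnel
# table. Each known destination MAC goes to exactly one tunnel port, after
# the local VLAN is stripped and the segmentation ID (39 = 0x27) is written
# into the VXLAN VNI. The priority=0 entry is the catch-all for unknown MACs.
SAMPLE_DUMP_FLOWS = """\
 cookie=0x0, duration=812.3s, table=20, n_packets=41, n_bytes=3610, priority=2,dl_vlan=4,dl_dst=fa:16:3e:f1:b0:49 actions=strip_vlan,set_tunnel:0x27,output:2
 cookie=0x0, duration=640.9s, table=20, n_packets=12, n_bytes=1056, priority=2,dl_vlan=4,dl_dst=fa:16:3e:1c:2d:3e actions=strip_vlan,set_tunnel:0x27,output:3
 cookie=0x0, duration=812.3s, table=20, n_packets=0, n_bytes=0, priority=0 actions=resubmit(,22)
"""

# Constructed sample: OpenFlow port numbers to port names (`ovs-ofctl show br-tun`).
SAMPLE_OFCTL_SHOW = """\
 1(patch-int): addr:7a:2b:3c:4d:5e:6f
 2(vxlan0a140064): addr:aa:bb:cc:dd:ee:01
 3(vxlan0a140066): addr:aa:bb:cc:dd:ee:02
"""

# Constructed sample: `ovs-vsctl get interface vxlan0a140064 options`.
SAMPLE_PORT_OPTIONS = '{df_default="true", in_key=flow, local_ip="10.20.0.101", out_key=flow, remote_ip="10.20.0.100"}'

FLOW_RE = re.compile(
    r"table=(?P<table>\d+).*?priority=(?P<prio>\d+),dl_vlan=(?P<vlan>\d+),"
    r"dl_dst=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"actions=strip_vlan,set_tunnel:0x(?P<vni>[0-9a-f]+),output:(?P<port>\d+)"
)
PORT_RE = re.compile(r"^\s*(?P<num>\d+)\((?P<name>[^)]+)\):")
TUNNEL_NAME_RE = re.compile(r"^(?P<type>vxlan|gre)-?(?P<hex>[0-9a-f]{8})$")


def tunnel_port_to_remote_ip(port_name):
    """Decode the remote VTEP address the OVS agent encodes in a tunnel port name.

    The agent names tunnel ports <type><remote IPv4 as 8 hex digits> (some
    releases insert a hyphen); 0a140064 is 10.20.0.100.
    """
    m = TUNNEL_NAME_RE.match(port_name)
    if not m:
        raise ValueError("not a Neutron tunnel port name: %r" % port_name)
    return str(ipaddress.IPv4Address(int(m.group("hex"), 16)))


def parse_port_names(ofctl_show):
    """OpenFlow port number -> port name from `ovs-ofctl show` output."""
    ports = {}
    for line in ofctl_show.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group("num"))] = m.group("name")
    return ports


def parse_unicast_flows(dump_flows):
    """Per-MAC unicast entries from `ovs-ofctl dump-flows br-tun` output."""
    flows = []
    for line in dump_flows.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append({
                "mac": m.group("mac"),
                "local_vlan": int(m.group("vlan")),
                "vni": int(m.group("vni"), 16),
                "out_port": int(m.group("port")),
            })
    return flows


def mac_to_vtep(dump_flows, ofctl_show):
    """Destination MAC -> (local VLAN, VNI, remote VTEP IP) for every unicast flow."""
    ports = parse_port_names(ofctl_show)
    table = {}
    for f in parse_unicast_flows(dump_flows):
        name = ports[f["out_port"]]
        table[f["mac"]] = (f["local_vlan"], f["vni"], tunnel_port_to_remote_ip(name))
    return table


def remote_ip_from_options(options):
    """remote_ip as `ovs-vsctl get interface <port> options` reports it."""
    m = re.search(r'remote_ip="?([0-9.]+)"?', options)
    return m.group(1) if m else None


def port_matches_options(port_name, options):
    """True when the address in the port name agrees with the port's remote_ip option."""
    return tunnel_port_to_remote_ip(port_name) == remote_ip_from_options(options)


if __name__ == "__main__":
    for mac, (vlan, vni, vtep) in sorted(mac_to_vtep(SAMPLE_DUMP_FLOWS, SAMPLE_OFCTL_SHOW).items()):
        print("%s  local VLAN %d -> VNI %d via %s" % (mac, vlan, vni, vtep))
    print("port name consistent with options:",
          port_matches_options("vxlan0a140064", SAMPLE_PORT_OPTIONS))
```

A MAC absent from the resulting table has no unicast entry on the tunnel bridge and falls through to the catch-all rule; comparing the address decoded from the port name with the port's `remote_ip` option is a quick way to confirm a tunnel port really points at the node you expect before trusting the flow table.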

Return traffic is first processed by the flow rules on the tunnel bridge, which map the incoming tunnel ID back to the network's local VLAN, and is then forwarded to the integration bridge and on to the instance.
