A slew of vendors are rolling out VXLAN gateways that will bridge network services between software-based network overlays and underlying physical infrastructure.
It's a nice dream, but network overlays don't replace the physical environment; they just abstract it. The physical network still exists, and it needs to be managed. What's more, many network overlays will be deployed within hybrid environments where much of the data center is still ruled by legacy architecture, and network services, such as firewalling and load balancing, are still implemented in hardware. As a result, enterprises will need a VXLAN gateway to extend services and management across both physical and virtual networks. VMware Inc. offers VXLAN gateways in software, but hardware support will scale better.
"VXLAN is likely the simplest implementation of the traditional-network-to-virtualization bridge, getting from legacy networking to fully virtualized networking," said Mike Spanbauer, service director at Current Analysis Inc. VXLAN instrumented in physical hardware will "optimize and control" network virtualization.
Enabling VXLAN in existing platforms lets vendors tell a hybrid story with regard to legacy and virtualized compute. "Ultimately these are going to cohabit, much the same as OpenFlow and traditional Layer 2 and Layer 3 networks," Spanbauer said.
At VMworld, VMware positioned VXLAN as the foundation of the network stack in its newly assembled vCloud software suite. Meanwhile, other vendors demonstrated VXLAN gateway support that will extend such network services as load balancing and firewalling into VXLAN traffic.
"[Some vendors] talk about VXLAN saying you don't have to reconfigure your network, but everything you want to do around policy, security and acceleration requires that you see into it at Layer 4 to Layer 7," said Andre Kindness, senior analyst at Forrester Research Inc. "So, you have to do de-encapsulation and re-encapsulation. From data center to the cloud, you have to go through WAN optimization, application delivery controllers, firewalls, intrusion prevention and intrusion detection. No one can see anything that's going on [in VXLAN traffic], so you have to create all these gateways everywhere."
VXLAN gateway merchant silicon support
Going beyond basic network services, network silicon maker Broadcom Corp. debuted its Trident II series chip with as much as 1280 Gbps of capacity on a single platform that comes with support for VXLAN and NVGRE [network virtualization using generic routing encapsulation] built directly in.
The Smart-NV feature on the chip will allow more advanced applications of VXLAN and NVGRE than simple network overlays within a data center. For instance, with the Trident II silicon switch, enterprises will be able to use VXLAN to tunnel Layer 2 traffic across a public network, linking data centers and enabling the migration of virtual workloads from one location to another.
"This allows guys who are implementing VXLAN or NVGRE at the hypervisor level to extend that visibility out into the [physical] network," said John Mui, Broadcom senior product line manager for networking and infrastructure.
VXLAN gateway hardware demos abound at VMworld
Several networking vendors demonstrated proof-of-concept VXLAN gateway support at VMworld. Brocade Communications Systems Inc. showed VXLAN tunnel endpoint capabilities in its ADX line of application delivery controllers; Avaya Inc. showed support for VXLAN in its Shortest Path Bridging implementation and Virtual Enterprise Network Architecture, or VENA; and Arista Networks Inc. demonstrated VXLAN support on its 7000 switch series.
"VXLAN enables a workload to move from one routed network to another, or one subnet to another, while preserving the IP address. And it allows networks to be scaled about by increasing the number of network segments [VLANs] to 16 million," said Doug Gourlay, vice president of marketing at Arista. "But [previously] VXLAN didn't address how to connect physical to virtual together seamlessly. Adding hardware VXLAN abilities to Arista 7000 switches allows customers to have seamless interoperability with any workload, physical or virtual or cloud, anywhere in the infrastructure. All the virtualization is programmable and provisioned in software."
Now any port, or any port-plus-VLAN, can be mapped to any VXLAN network identifier [VNI], Gourlay explained. "Any VNI can map to any available network service that is connected through one of our switches. You can connect to an F5 load balancer, Riverbed WAN optimization, Isilon storage or Coraid storage," he said.
VXLAN visibility emerges
Because VXLAN uses MAC [media access control]-over-UDP [User Datagram Protocol] encapsulation, traditional network management tools lack visibility into VXLAN traffic. The encapsulation leaves network performance management tools blind to the payload within VXLAN frames because they cannot parse the extra outer headers that VXLAN adds in front of the original Ethernet frame.
"If you want to send a ton of traffic across a VLAN, you have to make decisions on priority as the traffic goes up and down. You have 4,000 VLANs that all have classes of services of their own. And inside each of those 4,000 VLANs are a bunch of virtual VLANs. You have 16 million different types of traffic but only eight control points. No one is talking about the monitoring aspect of VXLAN. You can monitor your [VXLAN] traffic, but you wouldn't know individually what applications are causing issues," Kindness said.
To address that issue, Riverbed Technology and VMware have co-developed an IPFIX [Internet Protocol Flow Information Export] template that will allow Riverbed's Cascade network performance management solution to extract application-level performance data from VXLAN-encapsulated flows, according to Venugopal Pai, vice president of alliances at Riverbed. This template allows Cascade to understand the performance of individual applications within a VXLAN tunnel and allows the platform to provide application performance data by network tenant.
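The two visibility points above (tools that stop at the outer headers see only the tunnel, and a VXLAN-aware collector can attribute traffic to tenants and applications) can be shown concretely. The following Python is an added example, not code from the article, Riverbed or VMware: it builds a few constructed VXLAN frames per RFC 7348 (outer Ethernet/IPv4/UDP to port 4789, the 8-byte VXLAN header, then the inner Ethernet/IPv4/L4 frame), shows what a VXLAN-unaware parser reports, and then decapsulates and keys a flow table by VNI plus the inner 5-tuple. The VTEP and tenant addresses, VNIs and ports are all made-up sample values.

```python
"""Added example: decapsulate VXLAN (RFC 7348) and account inner flows per VNI.
All frames are constructed in-line; nothing here is captured traffic."""
import socket
import struct
from collections import defaultdict

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum left 0 because nothing here validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_vxlan_frame(vni, vtep_src, vtep_dst, inner_src, inner_dst, proto, sport, dport,
                      payload=b"x" * 64, vlan_id=None):
    """Constructed sample: outer Ethernet/IPv4/UDP/VXLAN around an inner Ethernet/IPv4/L4 frame."""
    if proto == 6:   # TCP: 20-byte header, seq/ack/flags fields zeroed
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0) + payload
    else:            # UDP
        l4 = _udp_header(sport, dport, len(payload)) + payload
    inner_ip = _ipv4_header(inner_src, inner_dst, proto, len(l4))
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""  # optional 802.1Q
    inner = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa" + tag + b"\x08\x00" + inner_ip + l4
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)  # VNI sits in the upper 24 bits
    outer_udp = _udp_header(49152, VXLAN_UDP_PORT, len(vxlan) + len(inner))
    outer_ip = _ipv4_header(vtep_src, vtep_dst, 17, len(outer_udp) + len(vxlan) + len(inner))
    outer_eth = b"\xaa\xbb\xcc\x00\x00\x01" + b"\xaa\xbb\xcc\x00\x00\x02" + b"\x08\x00"
    return outer_eth + outer_ip + outer_udp + vxlan + inner


def _parse_ethernet(buf, off):
    """Return (ethertype, vlan_id or None, payload offset); handles one 802.1Q tag."""
    ethertype = struct.unpack_from("!H", buf, off + 12)[0]
    off, vlan_id = off + 14, None
    if ethertype == 0x8100:
        tci, ethertype = struct.unpack_from("!HH", buf, off)
        vlan_id, off = tci & 0x0FFF, off + 4
    return ethertype, vlan_id, off


def _parse_ipv4(buf, off):
    ihl = (buf[off] & 0x0F) * 4
    return (socket.inet_ntoa(buf[off + 12:off + 16]), socket.inet_ntoa(buf[off + 16:off + 20]),
            buf[off + 9], off + ihl)


def outer_view(frame):
    """What a VXLAN-unaware tool reports: only the outer VTEP-to-VTEP UDP 5-tuple."""
    ethertype, _, off = _parse_ethernet(frame, 0)
    if ethertype != 0x0800:
        return None
    src, dst, proto, off = _parse_ipv4(frame, off)
    sport, dport = struct.unpack_from("!HH", frame, off)
    return (src, dst, proto, sport, dport)


def parse_vxlan(frame):
    """Decapsulate one frame; return the VNI plus the inner 5-tuple, or None if it is not VXLAN."""
    ethertype, _, off = _parse_ethernet(frame, 0)
    if ethertype != 0x0800:
        return None
    vtep_src, vtep_dst, proto, off = _parse_ipv4(frame, off)
    if proto != 17 or struct.unpack_from("!HH", frame, off)[1] != VXLAN_UDP_PORT:
        return None
    off += 8
    if not frame[off] & VXLAN_FLAG_VNI_VALID:
        return None  # RFC 7348: a frame without the I flag must be dropped
    vni = int.from_bytes(frame[off + 4:off + 7], "big")
    in_type, vlan_id, off = _parse_ethernet(frame, off + 8)
    if in_type != 0x0800:
        return {"vni": vni, "vtep": (vtep_src, vtep_dst), "inner_ethertype": in_type}
    in_src, in_dst, in_proto, off = _parse_ipv4(frame, off)
    in_sport, in_dport = struct.unpack_from("!HH", frame, off)
    return {"vni": vni, "vtep": (vtep_src, vtep_dst), "vlan": vlan_id, "src": in_src,
            "dst": in_dst, "proto": in_proto, "sport": in_sport, "dport": in_dport}


def account_flows(frames):
    """Per-tenant flow table keyed by (vni, src, dst, proto, sport, dport)."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        rec = parse_vxlan(frame)
        if rec is None or "src" not in rec:
            continue  # not VXLAN, or a non-IPv4 inner frame: not attributable here
        key = (rec["vni"], rec["src"], rec["dst"], rec["proto"], rec["sport"], rec["dport"])
        table[key]["packets"] += 1
        table[key]["bytes"] += len(frame)
    return dict(table)


# Constructed sample: two tenants (VNI 5001 and 5002) share one VTEP pair and even
# reuse the same inner addresses, so the outer view collapses them into one flow.
SAMPLE_FRAMES = [
    build_vxlan_frame(5001, "10.0.0.1", "10.0.0.2", "192.168.1.10", "192.168.1.20", 6, 40000, 443),
    build_vxlan_frame(5001, "10.0.0.1", "10.0.0.2", "192.168.1.10", "192.168.1.20", 6, 40000, 443),
    build_vxlan_frame(5002, "10.0.0.1", "10.0.0.2", "192.168.1.10", "192.168.1.20", 17, 5353, 53,
                      vlan_id=100),
]

if __name__ == "__main__":
    print("outer view:", {outer_view(f) for f in SAMPLE_FRAMES})
    for key, counters in account_flows(SAMPLE_FRAMES).items():
        print(key, counters)
```

Run as a script it prints a single outer flow (both VTEP addresses, UDP, port 4789) against two distinct per-VNI inner flows. A real collector would export the per-VNI records rather than print them, but the decision that matters is the same: the flow key must include the VNI, because overlapping tenant address spaces make the inner 5-tuple alone ambiguous.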