I am Viral Vimawala, Technical Marketing Engineer in the Datacenter IP Product Management group. I primarily focus on the Ethernet Fabrics (VDX products). As overlay technologies are the talk of the town these days I thought it will be a good topic to discuss our capability around these new emerging technologies.
VXLAN is probably one of the most talked-about networking technologies today, as it can provide a means of solving three common challenges: multi-tenancy, VM mobility across subnets and scalability beyond 4K VLANs.
There are tons of articles already on the web explaining VXLAN and how it works, such as this article by Joe Onisick,VXLAN Deep Dive — Define The Cloud. My motive is not to repeat the basics of VXLAN in this article but to emphasize something very unique that our VDX 8770 switch ASICs have to offer to complement the VXLAN tunneling protocol. For that matter, it could be NVGRE or any other tunneling technique—our technology is protocol-agnostic.
The downside of creating tunnels is that the physical network loses visibility into the tunneled packet unless you have a tunnel endpoint in the network. creating tunnels with endpoints on the host blocks visibility for other kinds of third-party management and security tools which use packet scanning and analysis.
In addition, as Greg Ferro has observed, “Overlay networks are not free.” Overlays consume a portion of every packet header, and your network devices must be intelligent enough to be able to parse the entirety of the header in order to manage the overlay effectively. The ASICs in the VDX 8770 can read frame formats up to 52-56 bytes into the packet header, where the VXLAN / Tenant ID is stored. The benefit of this capability is that now you have regained network visibility and control of tunneled traffic. Line-rate services could be applied consistently, regardless of protocol type.
A lot of network services like firewalls and load balancers reside on a stick model or inline at the aggregation layer. Now with the visibility into the tenant ID, you can have the power to apply policies based on routing schemes, rate-limit the traffic and also enforce ACLs, all at line rate. Typically you may not want every node to be a tunnel endpoint. Some nodes could mere be a VXLAN transit which could potentially apply these policies.
Since there is no way for a VXLAN host to find out another MAC address on the segment, VXLAN depends on multicast to learn the end points. This causes a direct impact to the performance of the network. With the ability to read into the packet and apply relevant policy to it, the VDX 8770 has the potential to improve network performance by applying features like BUM storm control and rate-limit the traffic.
I believe that the emerging overlay technologies are a good solution to some of the current network problems we are facing. However there needs to be enough visibility into the tunnel from the network admin standpoint. The tunnel cannot be a mere pass-through. This functionality is hardware ready. It will be a complementary solution to any tunneling technology.