The first virtual networking product to hit the streets with VXLAN support won’t be focused on migrating live virtual machines between data centers.
This use case for Virtual Extensible LAN (VXLAN) was talked up at VMworld in August, where the problem of VM mobility over distance was a hot topic. But today, as Cisco Systems releases a beta version of its Nexus 1000V virtual switch with support for VXLAN, Cisco officials are reluctant to emphasize virtual machine (VM) mobility as a primary usage scenario for the technology.
In networking speak, the spec, which is still in the process of Internet Engineering Task Force (IETF) ratification, routes layer 2 traffic over layer 3 networks, making the number of VLAN segments available in large environments scale beyond the existing limitation of 4,094.
At least in theory, making layer 2 traffic routable over layer 3 could also cut down on the amount of manual configuration needed at the physical network layer to direct network connections to the right place as a VM is moved live, whether within or across data centers.
With VXLAN, the primary focus is “on the networking infrastructure within the data center and the issues related to them,” according to the IETF draft. At the same time, an important requirement for virtualized environments “is having the layer 2 network scale across the entire data center or even between data centers for efficient allocation of compute, network and storage resources.”
Another take on VXLAN
But when it comes to extending networks, the idea in Cisco’s initial release of the Nexus 1000V with VXLAN support is to allow VMs on multiple infrastructure “pods” such as the Vblock or FlexPod to occupy the same VLAN segment, according to Prashant Gandhi, senior director of server access and virtualization at Cisco.
“Any time you have a layer 3 transport it could traverse [data centers], but we see that as a longer-term goal,” Gandhi said. If the VM being moved requires firewalls, load balancing or communication with an external user environment, that VM may also need to have access to VLANs, “and now things become more complex,” he said.
“I need additional things so that mobility of that workload is feasible. Therefore we think that [VM mobility between data centers] is a longer-term vision, not necessarily a day-one use case,” Gandhi said.
Some market observers question the appeal of VXLAN beyond the largest of large environments.
“When all the chatter came out about VXLAN at VMworld, there were a bunch of people running around claiming it was going to save the world,” said Michael Norwood, a systems engineer for Cisco VAR ICV Solutions Inc. in Nashville, Tenn. “I think it’s great in a service provider environment where I need a ton of different VLANs so I can have them for customers, but I think [the vendors are] catering to a single-digit percentage of…customers.”
Because encapsulation and decapsulation of VXLAN packets is performed inside the hypervisor rather than a switch, VXLAN essentially makes a VM a router, said Charles Gautreaux, a senior engineer at a large financial services company exploring stretched clusters between data centers. This in turn raises concerns about availability.
“People are not going to be too keen on using virtual machines as routers,” he said. “That’s not to say we’d never use it, but we’d be approaching it carefully.”
In the meantime, there are other standards, such as the Locator/ID Separation Protocol (LISP) that are beginning to look more interesting than VXLAN in Gautreaux’s eyes.
“Our work will probably be spent more investigating LISP than it will VXLAN,” he said. “VXLAN’s really just fancy [network address translation], and it’s actually newer than LISP, which has been evolving over the last 12 months fairly well and is implemented on the Nexus 7000 already.”
New ASA 1000V virtual edge firewall may have broader appeal
Amid a bevy of product announcements on Tuesday, Cisco also released a new virtual firewall, the ASA 1000V, a virtual version of its Adaptive Security Appliance. Like the Nexus 1000V, the ASA 1000V runs as a VM within a server. As with Cisco’s existing Virtual Security Gateway (VSG), the ASA 1000V also provides firewall capabilities, but where the VSG is used to create zones within tenants, the ASA 1000V works at the edge of the network. The two products are roughly analogous to VMware’s vShield Zones and vShield Edge.
Cisco already has competitors in the virtual firewall space, including Juniper Networks and Hewlett-Packard Co. (HP), and the ASA “is not a ground-breaking firewall,” according to ICV Solutions’ Norwood. But “I think they’re going to sell a lot of these virtual ASAs, just because they’re Cisco and they have market share and people will feel comfortable with that platform.”
Norwood says he sees some companies with Internet-facing VMs sharing infrastructure with internal-facing VMs -- a type of environment where a virtual edge router could come in handy. Moreover, “if you’re not doing [virtualization] for the bulk of your systems out there, you’re going to be doing it in the next five to 10 years,” he said. “It’s only a matter of time before [virtual security] becomes standard.”
Beth Pariseau is a senior news writer for SearchServerVirtualization.com. Write to her at firstname.lastname@example.org.