Oh mighty appliance that shines at the Top of Rack
Thou acronym be spoken in awe
Protect us from intruders with your dynamic policies
Your form factor may be small, but your features are great
When all else fails, your lights remain
From now until eternity, at layer 2 and layer 3
My one and only… 7850 Virtualized Services Gateway
— jvb —
The growing popularity of VXLAN as an overlay networking protocol has given rise to a number of hardware gateway products. Many vendors use the Broadcom Trident II chipset as the basis for their design, with vendor-specific differences in software capabilities. In contrast with traditional data center designs, these devices are targeted at workloads with significant amounts of so-called “east-west” traffic: traffic between servers inside the data center, as opposed to traffic coming in from outside.
The Nuage Networks 7850 Virtualized Services Gateway (VSG) is an example of such a next generation data center gateway. Unlike other products in the market, it uniquely offers support for L3 services in both the underlay and the overlay. This means it can perform a route table lookup based on the destination IP of a packet coming in on a VLAN, update the destination MAC with the next hop address and forward the packet on the corresponding VLAN or VXLAN segment, at line rate. It also supports a Virtual Chassis (VC) mode to allow the use of a redundant pair of active/active links to each server, providing doubled throughput with automatic sub-second failover in case of failures or during gateway upgrades.
Figure 1 Sample redundant VXLAN gateway deployment
Consider the sample deployment configuration in Figure 1, which shows a redundant pair of VXLAN gateways delivering packets to virtual machines (VMs) running on two servers. Packets coming in on a given VLAN from the data center network are forwarded over VXLAN (VNID=1) to a first VM (e.g. a web server), which then sends packets to a second VM on a different subnet (e.g. a database server) using VXLAN (VNID=2). Each server has 2 active 10Gbps links, using IEEE 802.3ad Link Aggregation (LAG) for redundancy (with or without LACP).
Figure 2 L2-only (left) versus L2+L3 overlay network design (right)
With an L2-only gateway, VM1 would require 2 logical network interfaces (vNICs) – associated with the different VXLAN segments – to build the required network topology. Its routing table would have to be configured for any other subnets in the L3 domain “behind” VM1, and all application traffic must pass through this single VM before reaching other application VMs.
The 7850 VSG with L3 support enables a much simpler topology, as illustrated on the right side of Figure 2. Routing is performed at 2x10Gbps line rate in hardware (instead of in VM1), with full redundancy in case of link or gateway failures or upgrades. L3 domain features such as Floating IPs (an additional IP address with 1:1 NAT) and Forwarding Policies (L3 redirect with optional active/standby redundancy) can be used directly, without having to go through a VM first. Hardware ACLs can be leveraged to drop unwanted traffic early, before it consumes processing cycles at the servers.
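To make the L3 gateway behaviour described above concrete, here is a small Python model of the forwarding decision: ACL check first, then a longest-prefix route lookup, destination MAC rewrite to the next hop, and VXLAN encapsulation with the VNID of the target segment. This is added illustrative code, not Nuage Networks or SR-OS code; the subnets, MAC addresses, VNIDs and ACL entries are constructed to mirror the Figure 1 topology (web tier on VNID 1, database tier on VNID 2), and underlay VLAN handling and inbound decapsulation are left out.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned destination port for VXLAN

# Constructed forwarding state modelled on Figure 1: one VNID per overlay subnet.
# A real gateway receives this from the SDN controller; these values are illustrative.
ROUTES = [  # (prefix, VNID of the segment, MAC of the destination VM)
    (ipaddress.ip_network("10.1.0.0/24"), 1, "02:00:00:00:a0:01"),  # web tier
    (ipaddress.ip_network("10.2.0.0/24"), 2, "02:00:00:00:a0:02"),  # database tier
]
GATEWAY_MAC = "02:00:00:00:ff:01"  # constructed gateway interface MAC
# Hardware ACL evaluated before any route lookup. First match wins; default permit.
# Here the database tier is reachable only from the web tier.
ACL = [
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"), "permit"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.2.0.0/24"), "deny"),
]

def acl_permits(src_ip, dst_ip):
    """Return True unless the first matching ACL entry denies the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in ACL:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return True

def lookup_route(dst_ip):
    """Longest-prefix match: return (vnid, next_hop_mac), or None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in ROUTES if dst in r[0]]
    if not matches:
        return None
    _, vnid, mac = max(matches, key=lambda r: r[0].prefixlen)
    return vnid, mac

def vxlan_header(vnid):
    """8-byte VXLAN header: flags 0x08 (VNI valid), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    return struct.pack("!B3sI", 0x08, b"\x00\x00\x00", vnid << 8)

def forward(pkt):
    """Model the gateway's L3 step for one packet (dict with src_ip, dst_ip, dst_mac, ttl, payload).
    Returns the encapsulated result as a dict, or None when the packet is dropped."""
    if not acl_permits(pkt["src_ip"], pkt["dst_ip"]):
        return None  # dropped by the hardware ACL before it consumes server cycles
    if pkt["ttl"] <= 1:
        return None  # TTL would expire; a real router would also send ICMP Time Exceeded
    route = lookup_route(pkt["dst_ip"])
    if route is None:
        return None  # no matching route: drop
    vnid, next_hop_mac = route
    inner = dict(pkt, dst_mac=next_hop_mac, src_mac=GATEWAY_MAC, ttl=pkt["ttl"] - 1)
    return {"vnid": vnid, "udp_dport": VXLAN_UDP_PORT,
            "vxlan_header": vxlan_header(vnid), "inner": inner}
```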
In summary, the unique benefits of the Nuage Networks 7850 VSG:
- Allows for simpler overlay network topologies with higher throughput, lower latency and no single point of failure – critical for building robust high performance cloud applications with zero downtime during upgrades
- Provides an additional level of security for VMs and appliances through hardware ACLs, provisioned automatically through a single programmable policy management interface (and automatically cleaned up when no longer in use)
- No need to pass packets through a physical or virtual server first (a single point of failure, with limited throughput and added latency) in order to use L3 features such as Floating IPs and Forwarding Policies (with active/standby redundancy), at line rate (n x 10Gbps; 40Gbps ports can also be used)
- No traffic interruption in case of link or power failures, or during software upgrades (when used in virtual chassis mode)
- Based on the same operating system (SR-OS) as the rest of the Alcatel-Lucent routing portfolio: evolved through years of experience in Internet-scale networks around the world, robust and proven, with a consistent CLI and all the features you need for real-world network deployments
How could you not love it? 🙂