Demo: The benefits of VEPA for network-server edge virtualization

Paul Congdon8/23/2010

2 V1.2

Agenda

– Customer Challenges– Solution Proposed/definition of VEPA/VEB– Description of demo and configuration– Benefits– Conclusion

Who Manages The Server/Network Edge?

VM

VM Edge

PhysicalSwitchEdge

Physical Server Edge

Embe

dded

vSw

itch

Physical Server RunningHypervisor

VM

VM

VM

Edge Module(Blade or TOR)

Data CenterSwitch

L2Networks

L2/L3Networks

Enclosureor Rack

Edge

The Server Administrator?

or the Network Administrator?

4 V1.24

Challenges at the Virtual Edge– Visibility & Control

• System admins own the physical end stations

• Lack of network admin control can mean inadequate:−Control of network access−Visibility of networking traffic−Support for debugging network issues

– Limited Embedded Capability • Software vSwitches take away from application CPU cycles• NICs have cost & complexity constraints (no TCAMs, no learning)• End-stations and bridges evolve independently

The Road toVirtualization

5 V1.2

Traditional NetworkingThe end-station and bridge

MAC

MAC Client

Higher Layers

( )MAC Relay

( ) ( )

MACMAC

Higher Layers(Bridge Protocol)

swhw

5

6 V1.2

Modern NetworkingThe end-station and bridge

MAC Relay

( ) ( )

MACMAC

Higher Layers(Bridge Protocol)

MACSec MACSec

Port MirroringTraffic MonitoringAccess Control Lists

Routing Protocols, Storage Protocols,Availability Protocols, IDS/IPS, etc

PAE MVRPLLDP SPB/MSTP

MAC

MAC Client( )

Higher Layers

MAC Client

Higher Layers

Virtual Machine

MAC Client

Higher Layers

Virtual Machine

MAC Relaysw

hw

6

7 V1.2

Requirements in the Virtual Edge

7

• Within the Server− Low cost− Low complexity− Low computational requirements

• At the Physical Network Edge− Seamless integration with the rest of the Fabric− Easily provisioned and managed− Resilient and Available− Consistent policy enforcement and traffic visibility

Approaches (vSwitch, VEB, VEPA)

VM A

VM B

VM C

VM D

L2Networks

Polic

ies

Enfo

rced

Softw

are

vSw

itch

NIC

VM A

VM B

VM C

VM D

L2Networks

Bypa

ss w

ithVE

B

Polic

ies

Enfo

rcedLimited visibility &

policy enforcement with Virtual Ethernet Bridge (VEB) in the NIC.

VM A

VM B

VM C

VM D

L2Networks

Bypa

ss w

ithVE

PA

Polic

ies

Enfo

rcedFull visibility &

policy enforcement at edge using Virtual Ethernet Port Aggregation (VEPA) mode.

Performance Bottleneck with vSwitch in software

NetworkPolicy

Demo Set-up

athos

porthos

aramis

L2NetworksIn

tel

VEB/

VEPA

HP

A61

20 B

lade

Sw

itch

(Hai

rpin

Mod

e &

Pol

icy

Enfo

rcem

ent)

• 3 VMs on a singleserver running Xen

• Intel 82599 SR-IOVNIC with VEPAcapability

• HPN A6120 switchwith hairpin modeenabled

• ACLs and sFlowavailable on A6120edge switch

10 V1.2

Demonstrated Benefits

–Multi-vendor, standards based solution

–Hardware implementation

–Minor changes to existing low cost equipment

–Easy migration between VEB/VEPA modes

–Consistent external switch based policy enforcement for intra-host VM to VM traffic

Conclusion

– VEPA provides a standard policy enforcement solution for VM to VM communication that allows for centralized network management without a performance penalty, and does not require HW upgrades

– Have your cake and eat it too

Backup

13 V1.2

Limitations of VEBs (today)

– Limited feature set compared to external switches

• Limited or no packet processing (TCAMs, ACLs, etc.)

• Limited support for security features (e.g., DHCP guard, ARP monitoring, source port filtering, dynamic ARP protection/inspection, etc.)

– Limited monitoring capabilities

• Limited support for statistics and switch MIBs

• No NetFlow, sFlow, rmon, port mirroring, etc.

– Limited integration with external network management systems

– Limited support for promiscuous ports (typically no learning)

– Limited support for 802.1 protocols (e.g., STP, 802.1X, LLDP)

14 V1.2

Benefits of VEB/VEPA Solution

– VEPA is a simple extension to VEB• Similar port configuration• Similar address table• Minor changes to frame forwarding behavior

– VEPA solves nearly all of the limitations with VEBs• Exposes traffic to external switch• Eliminates unnecessary flooding to promiscuous VMs

– Allows easy migration between VEB and VEPA modes• allows simultaneous operation of VEB and VEPA

– Requires minimal 802.1 standards effort• Configuration of hair-pin mode

– Basic mode is easiest to implement• Can be implemented in many existing switches with a firmware update• Simple extension to existing vSwitches/VEBs

15 V1.2

VEPA Open Source Implementation

– Patches available for VEPA and hairpin mode:• net/bridge: base 2.6.30 kernel, Xen’s 2.6.18.8 Dom0• bridge-utils: brctl commands to enable/disable modes• tools: Xen tools equivalent

– Very minor changes required• 37 lines of code in VEPA data path• 2 lines of code for hairpin mode

– Tested in KVM and Xen

– Tested against 3rd party switch with hairpin mode

16 V1.2

internal external internal external

VEB configurations VEPA configurations

Software VEB/VEPA Comparison

0.00

10.00

20.00

30.00

40.00

50.00

60.00

Internal External

CPU Utilization(top)

VEB

VEPA

VEB + FW

VEPA + FW

0.00

100.00

200.00

300.00

400.00

500.00

600.00

700.00

800.00

900.00

Internal External

Throughput (Mbps)

VEB

VEPA

VEB + FW

VEPA + FW

0.00

1.00

2.00

3.00

4.00

5.00

6.00

Internal External

RTT Latency (ms)

VEB

VEPA

VEB + FW

VEPA + FW

17 V1.2

internal external external firewall

Software VM Appliance Comparison Topologies

0.00

10.00

20.00

30.00

40.00

50.00

60.00

Internal External

CPU Utilization(top)

VEPA

VEB + VM FW

VEB + Extern FW

0.00

100.00

200.00

300.00

400.00

500.00

600.00

700.00

800.00

Internal External

Throughput (Mbps)

VEPA

VEB + VM FW

VEB + XFW

0.00

10.00

20.00

30.00

40.00

50.00

60.00

70.00

Internal External

RTT Latency (ms)

VEPA

VEB + VM FW

VEB + XFW