Paul Congdon talks about the benefits of VEPA for network-server edge virtualization.
Demo: The benefits of VEPA for network-server edge virtualization
Paul Congdon, 8/23/2010
2 V1.2
Agenda
– Customer Challenges
– Solution Proposed / definition of VEPA/VEB
– Description of demo and configuration
– Benefits
– Conclusion
Who Manages The Server/Network Edge?
[Figure: a physical server running a hypervisor hosts several VMs behind an embedded vSwitch (the VM edge). The server's NICs form the physical server edge, which connects to an edge module (blade or TOR switch) in the enclosure or rack (the physical switch edge), then to the data center switch and on to the L2 and L2/L3 networks.]
The Server Administrator? or the Network Administrator?
Challenges at the Virtual Edge
– Visibility & Control
• System admins own the physical end stations
• Lack of network admin control can mean inadequate:
− Control of network access
− Visibility of networking traffic
− Support for debugging network issues
– Limited Embedded Capability
• Software vSwitches take away from application CPU cycles
• NICs have cost & complexity constraints (no TCAMs, no learning)
• End-stations and bridges evolve independently
The Road to Virtualization
Traditional Networking: the end-station and bridge
[Figure: the end-station is a stack of Higher Layers over a MAC Client over a MAC; the bridge is Higher Layers (Bridge Protocol) over a MAC Relay with one MAC per port. A sw/hw line marks where software ends and hardware begins in each device.]
Modern Networking: the end-station and bridge
[Figure: the bridge now has MACsec on its ports, Port Mirroring, Traffic Monitoring and Access Control Lists in the MAC Relay, and PAE (802.1X), MVRP, LLDP and SPB/MSTP in its higher layers. The end-station runs Routing Protocols, Storage Protocols, Availability Protocols, IDS/IPS, etc. above its MAC Client, and hosts Virtual Machines, each with its own Higher Layers and MAC Client, attached to a MAC Relay implemented in software above the hardware MAC.]
Requirements in the Virtual Edge
• Within the Server
− Low cost
− Low complexity
− Low computational requirements
• At the Physical Network Edge
− Seamless integration with the rest of the Fabric
− Easily provisioned and managed
− Resilient and Available
− Consistent policy enforcement and traffic visibility
Approaches (vSwitch, VEB, VEPA)
[Figure: three variants of one server hosting VM A, VM B, VM C and VM D, attached to the L2 Networks through a NIC.
1. Software vSwitch: policies enforced in the vSwitch; performance bottleneck with the vSwitch in software.
2. Bypass with a Virtual Ethernet Bridge (VEB) in the NIC: limited visibility & policy enforcement, since only what the NIC can do is enforced.
3. Bypass with Virtual Ethernet Port Aggregation (VEPA) mode: full visibility & policy enforcement at the edge, where the network policy lives on the external switch.]
Demo Set-up
[Figure: three VMs (athos, porthos, aramis) on one server with an Intel VEB/VEPA NIC, connected to an HP A6120 Blade Switch (Hairpin Mode & Policy Enforcement) and on to the L2 Networks.]
• 3 VMs on a single server running Xen
• Intel 82599 SR-IOV NIC with VEPA capability
• HPN A6120 switch with hairpin mode enabled
• ACLs and sFlow available on A6120 edge switch
Demonstrated Benefits
– Multi-vendor, standards based solution
– Hardware implementation
– Minor changes to existing low cost equipment
– Easy migration between VEB/VEPA modes
– Consistent external switch based policy enforcement for intra-host VM to VM traffic
Conclusion
– VEPA provides a standard policy enforcement solution for VM to VM communication that allows for centralized network management without a performance penalty, and does not require HW upgrades
– Have your cake and eat it too
Backup
Limitations of VEBs (today)
– Limited feature set compared to external switches
• Limited or no packet processing (TCAMs, ACLs, etc.)
• Limited support for security features (e.g., DHCP guard, ARP monitoring, source port filtering, dynamic ARP protection/inspection, etc.)
– Limited monitoring capabilities
• Limited support for statistics and switch MIBs
• No NetFlow, sFlow, RMON, port mirroring, etc.
– Limited integration with external network management systems
– Limited support for promiscuous ports (typically no learning)
– Limited support for 802.1 protocols (e.g., STP, 802.1X, LLDP)
Benefits of VEB/VEPA Solution
– VEPA is a simple extension to VEB
• Similar port configuration
• Similar address table
• Minor changes to frame forwarding behavior
– VEPA solves nearly all of the limitations with VEBs
• Exposes traffic to external switch
• Eliminates unnecessary flooding to promiscuous VMs
– Allows easy migration between VEB and VEPA modes
• Allows simultaneous operation of VEB and VEPA
– Requires minimal 802.1 standards effort
• Configuration of hair-pin mode
– Basic mode is easiest to implement
• Can be implemented in many existing switches with a firmware update
• Simple extension to existing vSwitches/VEBs
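The forwarding change behind the "Approaches" slide and the "minor changes to frame forwarding behavior" bullet above, as an added illustration that is not code from the talk, from the Intel NIC, or from the Linux bridge patches the talk mentions: a toy model of a VEB and a VEPA on one host, attached to an external switch that has a first-match ACL, per-port frame counters and an optional hairpin (reflective relay) port. The MAC addresses, port names and the deny rule are constructed for the example. Each call returns where a frame was delivered ("vm:vmB" for a local VM port, "switch:p2" for a station on another switch port). Under the VEB, VM A's frame to VM B is delivered locally and the switch never sees it, so the admin's deny rule is not enforced; under VEPA the same frame reaches the switch, which drops and counts it, a permitted VM-to-VM frame is reflected back out the ingress port and delivered, and a reflected broadcast goes to every local VM except its sender. The third scenario shows the failure mode when the switch port is not in hairpin mode.

```python
"""Toy model of VEB vs. VEPA forwarding and of hairpin mode on the adjacent switch.
Added illustration, not code from the talk, the NIC or the bridge patches it mentions."""
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

class ExternalSwitch:
    """802.1D bridge with learning, a first-match ACL, per-port frame counters (the
    visibility sFlow/ACL logging give) and optional hairpin (reflective relay) ports."""

    def __init__(self, acl=(), hairpin_ports=()):
        self.acl = list(acl)             # (src, dst, "permit"|"deny"), first match wins
        self.hairpin = set(hairpin_ports)
        self.ports = {}                  # port -> attached host relay, or None for a station
        self.table = {}                  # learned MAC -> port
        self.seen = defaultdict(int)     # frames received per ingress port
        self.dropped = []                # (src, dst, port) rejected by the ACL

    def denied(self, src, dst):
        for s, d, action in self.acl:
            if s in (src, "any") and d in (dst, "any"):
                return action == "deny"
        return False                     # no matching rule: permit

    def receive(self, src, dst, ingress):
        self.seen[ingress] += 1
        self.table[src] = ingress
        if self.denied(src, dst):
            self.dropped.append((src, dst, ingress))
            return []
        delivered = []
        for p in ([self.table[dst]] if dst != BCAST and dst in self.table else list(self.ports)):
            if p == ingress and p not in self.hairpin:
                continue                 # plain bridge rule: never out the ingress port
            dev = self.ports[p]
            delivered += dev.from_uplink(src, dst) if dev else [f"switch:{p}"]
        return delivered

class Veb:
    """Virtual Ethernet Bridge in the NIC/hypervisor: a plain MAC relay, so frames
    between VMs on the same host never leave the host."""

    def __init__(self, vm_ports, switch, switch_port):
        self.vm_ports = list(vm_ports)
        self.table = {}                  # MAC -> VM port, or "uplink"
        self.switch, self.switch_port = switch, switch_port
        switch.ports[switch_port] = self

    def _local(self, dst, exclude):      # VM ports that receive the frame, minus exclude
        known = dst != BCAST and dst in self.table
        out = [self.table[dst]] if known else self.vm_ports
        return [f"vm:{p}" for p in out if p not in ("uplink", exclude)]

    def from_vm(self, src, dst, ingress):
        self.table[src] = ingress
        delivered = self._local(dst, exclude=ingress)
        if dst == BCAST or self.table.get(dst) in (None, "uplink"):
            delivered += self.switch.receive(src, dst, self.switch_port)
        return delivered

    def from_uplink(self, src, dst):
        self.table.setdefault(src, "uplink")
        return self._local(dst, exclude=None)

class Vepa(Veb):
    """Same ports and address table as the VEB, but every frame from a VM goes to the
    adjacent switch, and a reflected frame goes to every local VM except its sender."""

    def from_vm(self, src, dst, ingress):
        self.table[src] = ingress
        return self.switch.receive(src, dst, self.switch_port)

    def from_uplink(self, src, dst):
        self.table.setdefault(src, "uplink")
        return self._local(dst, exclude=self.table[src])

# Constructed addresses: VMs A, B, C share one host; X is a station on switch port p2.
A, B, C, X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c", "02:00:00:00:00:ee"
ACL = [(A, B, "deny")]                   # the network admin's policy: A may not talk to B

def scenario(relay_cls, hairpin):
    sw = ExternalSwitch(acl=ACL, hairpin_ports=["p1"] if hairpin else [])
    host = relay_cls(["vmA", "vmB", "vmC"], sw, "p1")
    sw.ports["p2"] = None                # external station X, nothing behind it
    host.from_vm(B, BCAST, "vmB")        # B and X announce themselves so lookups hit
    sw.receive(X, BCAST, "p2")
    return {
        "A->B": host.from_vm(A, B, "vmA"),
        "A->X": host.from_vm(A, X, "vmA"),
        "C->B": host.from_vm(C, B, "vmC"),
        "A bcast": host.from_vm(A, BCAST, "vmA"),
        "switch saw on p1": sw.seen["p1"],
        "acl drops": len(sw.dropped),
    }

if __name__ == "__main__":
    for name, cls, hp in (("VEB", Veb, False), ("VEPA + hairpin", Vepa, True),
                          ("VEPA, hairpin off", Vepa, False)):
        print(name, scenario(cls, hp))
```

The hairpin-off scenario is the check to run first when VEPA is switched on: if VMs on the same host stop seeing each other, the adjacent switch port is not reflecting. On a Linux bridge standing in for that switch (an added note; these are the upstream equivalents of the mode switches the patches slide lists, not the patches' own commands) the per-port flag is `brctl hairpin <bridge> <port> on` in bridge-utils or `bridge link set dev <port> hairpin on` in iproute2, and the VEPA side survives upstream as `mode vepa` on macvlan/macvtap interfaces.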
VEPA Open Source Implementation
– Patches available for VEPA and hairpin mode:
• net/bridge: base 2.6.30 kernel, Xen's 2.6.18.8 Dom0
• bridge-utils: brctl commands to enable/disable modes
• tools: Xen tools equivalent
– Very minor changes required
• 37 lines of code in VEPA data path
• 2 lines of code for hairpin mode
– Tested in KVM and Xen
– Tested against 3rd party switch with hairpin mode
Software VEB/VEPA Comparison
[Figure: VEB configurations (internal, external) and VEPA configurations (internal, external). Three bar charts, each with Internal and External groups and series VEB, VEPA, VEB + FW and VEPA + FW: CPU Utilization (top) on a 0 to 60 scale, Throughput (Mbps) on a 0 to 900 scale, and RTT Latency (ms) on a 0 to 6 scale. Only the axis ranges survive in the text; the bar values do not.]
Software VM Appliance Comparison Topologies
[Figure: topologies internal, external and external firewall. Three bar charts, each with Internal and External groups and series VEPA, VEB + VM FW and VEB + Extern FW: CPU Utilization (top) on a 0 to 60 scale, Throughput (Mbps) on a 0 to 800 scale, and RTT Latency (ms) on a 0 to 70 scale. Only the axis ranges survive in the text; the bar values do not.]