The VEPA standard -- a potential game changer?

Interesting IEEE effort could help align virtualization, networking, and security

I recently spoke with Extreme Networks about its data center networking strategy. One of the highlights for me was Extreme's plan to embrace the Virtual Ethernet Port Aggregator (VEPA) standard being developed in the IEEE. In simple terms, VEPA off-loads all switching activities from today's hypervisor-based virtual switches to actual physical switches. There is a bit of debate between HP and Cisco over whether this switching should occur at an edge or aggregation switch (note: I like HP's approach), but suffice it to say that each vendor's goal is similar.

What's the big deal about VEPA? According to ESG Research, most enterprises run between 5 and 10 VMs across one virtual switch on each physical server. Pretty elementary stuff, but moving forward it is likely that the VM-to-server ratio will increase, and as it does, server-based networking will have to become more sophisticated. Imagine a physical server running 30 VMs, for example. This might require several virtual switches, VLANs, QoS tags, security zones, etc. This network processing will add a lot of overhead to Intel-based servers and require a lot more networking functionality for hypervisors.

VEPA proposes an alternative approach where servers remain servers (i.e., for application processing), provide hypervisor visibility to the network, and simply delegate switching tasks to physical switches. To me, this makes a ton of sense from a security and networking perspective. If next-generation switches support VEPA, it should make the whole virtual data center/cloud migration a lot more straightforward.

My one suggestion would be some type of alignment between VEPA and OVF (i.e., Open Virtualization Format). OVF is a proposed metadata standard to describe the properties of a VM. When a VM moves from one server to another local, remote, or cloud-based server, OVF could provide VM tags that describe networking properties to other VEPA switches (VLAN tags, for example).

Combined, VEPA and OVF could help automate networking and security operations associated with virtualization and cloud. If virtualization is really the road to true cloud computing, virtualization intelligence sharing is critical for network engineering and security. VEPA is a step in the right direction toward this goal.

Copyright © 2009 IDG Communications, Inc.
