
Contributing Writer

VMware VXLAN: Cloud Network Segmentation Over Layer 2.5

Aug 31, 2011 | 4 min read
Topics: Cisco Systems, Cloud Computing, Data and Information Security

New collaborative technology will be available on vSphere 5, vCloud Director 1.5, and Cisco Nexus 1000v

There’s no question that server virtualization has changed data center networking requirements in many ways. Multiple VMs per host have driven the need for 10Gb NICs and access switch ports. VM mobility demands integration between physical networks and virtualization management platforms. And VM proliferation is driving the need for low-latency, flat L2 networks, which in turn is driving innovations like HP’s IRF, Juniper’s QFabric, and Arista’s M-LAG, and standards like TRILL and SPB. (Note: Read more about this in the ESG Report, “Data Center Networking In Transition.”)

In spite of this, many networking professionals still believe in a networking dichotomy: physical networks are “real,” virtual networks are necessary access network “toys.” While I understand where this perspective comes from, I truly believe it is not only inaccurate but also obsolete. Rather than an annoying add-on, virtual networks continue to gain intelligence, virtual/cloud integration, features and functionality, and network services capabilities. At the very least, these must work side-by-side with physical networks, as they can greatly increase networking flexibility, streamline network operations, and provide a more obvious path to the cloud.

This week at VMworld, VMware introduced a new technology that will help make this philosophical discussion a reality. Along with Cisco, VMware announced something called Virtual Extensible Local Area Network, or VXLAN. What is VXLAN? To me, VXLAN can be considered Layer 2.5 on the OSI stack, as it combines the simplicity of L2 switching with the cross-domain connectivity of L3 routing. This is done by encapsulating Layer 2 frames, MAC addresses and all, in UDP/IP. In a simple use case, this makes it easier to move VMs from data center to data center, but VXLAN goes beyond this: it sets up a new model for network segmentation somewhere between L2 VLANs and L3 subnets (hence L2.5). VMware claims that VXLAN has a theoretical limit of 16 million segments but a practical limit of 10,000 in the short term.
VXLAN is perfect for cloud computing, where workloads can move across multiple data centers and multiple cloud providers. It works by translating between VLAN and VXLAN tags so a workload maintains its network identity as it travels: a sort of networking middleware. This maintains the established VLAN concept inside the data center and externalizes it for ease of mobility. I know there are other ways to do this, but VMware’s method: 1) integrates networking into the “stack” for application-layer flexibility (without the networking headaches), and 2) centralizes “stack” management, in this case with vCloud Director.

I asked VMware a simple question: Why not do what Amazon and Google did and simply do everything over L3? Certainly, with a combination of IPv6 and IPsec, this is possible. VMware assured me that they are looking at an L3 model, but enterprises today are too heavily invested in VLANing, so they needed a way to bridge L2 to the cloud. Makes sense. VXLAN isn’t quite ready for prime time today, but it will be part of vShield 5 and vCloud Director 1.5. It is also integrated into the Cisco Nexus 1000v (and likely other components of UCS and UNS).

As always, VMware is thinking a few generations ahead from a technology perspective, but I think the biggest challenge here is carbon- rather than silicon-based. Do networking professionals have the right skills to take advantage of this functionality? Will they work more closely with the server virtualization team on collaborative solutions? Will other networking vendors support VXLAN or view it as a threatening Cisco standard? Will the IEEE propose an alternative? Finally, how many organizations really need to move workloads around from data center to data center today? Yes, VMware faces some challenges pushing new concepts and technologies into the networking professional establishment, but you have to give the company a ton of credit for thinking outside the switching/routing box.
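As an added illustration, and not code from the original post, VMware, or Cisco, the following Python sketch builds and parses the encapsulation the two paragraphs above describe: a small header carried in UDP/IP whose 24-bit VXLAN Network Identifier (VNI) is where the roughly 16 million segments come from, wrapped around an ordinary Ethernet frame, plus a VLAN-to-VNI mapping that lets a workload keep its segment identity as it crosses the IP network. The header layout (flags byte 0x08, 24-bit VNI, UDP port 4789) follows RFC 7348, the standard that was published after this 2011 announcement, so it is a documented fact rather than something from the article; the MAC addresses, VLAN IDs and VNI values are constructed sample data, and `VxlanGateway` and the helper names are hypothetical. The `inner_mac_addresses` helper makes a point a defender should keep in mind: a filter or monitor that only sees the outer IP/UDP headers sees tunnel endpoints, and the inner MACs and segment membership only become visible after decapsulation.

```python
"""VXLAN encapsulation / VLAN-to-VNI translation, as a worked example.

Header layout per RFC 7348: flags(1) reserved(3) VNI(3) reserved(1) = 8 bytes.
Everything below (addresses, VLAN IDs, VNIs) is constructed sample data.
"""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1        # 24-bit VNI: 16,777,216 values, the "16 million segments"
ETHERTYPE_8021Q = 0x8100       # 802.1Q VLAN tag TPID


def build_vxlan_header(vni: int) -> bytes:
    """Pack the 8-byte VXLAN header; the VNI occupies the upper 24 bits of the last word."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 24-bit range")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data: bytes):
    """Return (vni, inner_frame). Rejects truncated data and frames without the I flag."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; not a VXLAN frame")
    return vni_field >> 8, data[8:]


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                         ethertype: int, payload: bytes) -> bytes:
    """802.1Q-tagged frame: dst(6) src(6) TPID(2) TCI(2) ethertype(2) payload."""
    tci = vlan_id & 0x0FFF  # PCP/DEI left at zero; VID is the low 12 bits
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def strip_vlan_tag(frame: bytes):
    """Return (vlan_id or None, untagged frame)."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def insert_vlan_tag(frame: bytes, vlan_id: int) -> bytes:
    """Re-insert an 802.1Q tag after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) + frame[12:]


class VxlanGateway:
    """Hypothetical edge device: maps local VLAN IDs to VNIs on the way out, and back on the way in.

    The VLAN stays meaningful inside the data center; the VNI is what travels over IP.
    """

    def __init__(self, vlan_to_vni: dict):
        self.vlan_to_vni = dict(vlan_to_vni)
        self.vni_to_vlan = {vni: vlan for vlan, vni in self.vlan_to_vni.items()}

    def encapsulate(self, frame: bytes) -> bytes:
        vlan_id, untagged = strip_vlan_tag(frame)
        if vlan_id is None or vlan_id not in self.vlan_to_vni:
            raise ValueError(f"no VNI mapping for VLAN {vlan_id}")
        # The caller would place this inside a UDP datagram to port VXLAN_UDP_PORT.
        return build_vxlan_header(self.vlan_to_vni[vlan_id]) + untagged

    def decapsulate(self, packet: bytes) -> bytes:
        vni, inner = parse_vxlan_header(packet)
        if vni not in self.vni_to_vlan:
            raise ValueError(f"unknown VNI {vni}")
        return insert_vlan_tag(inner, self.vni_to_vlan[vni])


def inner_mac_addresses(packet: bytes):
    """(dst, src) MACs of the encapsulated frame: invisible to anything that stops at the outer IP header."""
    _, inner = parse_vxlan_header(packet)
    return inner[0:6], inner[6:12]


def demo_round_trip():
    """Constructed sample: VLAN 100 at the source site is carried as VNI 5000 and restored as VLAN 100."""
    dst = bytes.fromhex("0a0000000001")  # constructed MACs
    src = bytes.fromhex("0a0000000002")
    frame = build_ethernet_frame(dst, src, vlan_id=100, ethertype=0x0800, payload=b"payload")
    gateway = VxlanGateway({100: 5000})
    packet = gateway.encapsulate(frame)
    vni, _ = parse_vxlan_header(packet)
    restored = gateway.decapsulate(packet)
    return vni, restored == frame, inner_mac_addresses(packet) == (dst, src)


if __name__ == "__main__":
    print("max VNI:", MAX_VNI, "-> segments:", MAX_VNI + 1)
    print("round trip (vni, identity preserved, inner MACs visible after decap):", demo_round_trip())
```

The gateway deliberately rejects frames whose VLAN has no VNI mapping and packets whose VNI is unknown, so a mis-mapped segment fails loudly rather than silently landing in the wrong L2 domain; the 24-bit range check on the VNI is what turns the "16 million" figure into a hard limit.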
There will likely be some industry wrangling, but VMware’s vision is spot on. Networks are cool and all, but ultimately they exist to move data and application bits around. VXLAN is a new way to make sure that applications and networks can do this in a more integrated and efficient way.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
