Scaling Overlay Virtual Networks

Ivan Pepelnjak (ip@ipSpace.net)
Network Architect, ipSpace.net AG
Dimitri Stiliadis (dimitri@nuagenetworks.net)
CTO, Nuage Networks

This material is copyrighted and licensed for the sole use by Dimitar Stojanovski (dimitar.s@gmail.com [164.143.240.34]). More information at http://www.ipSpace.net/Webinars

Past
• CTO of IT and security ventures
• Architect of switches and routers
• Researcher with focus in systems, networking, and security
Present
• CTO of Nuage Networks
Focus
• Large-scale SDN and cloud environments
• Distributed systems

More @ ipSpace.net/About


Past
• Kernel programmer, network OS and web developer
• Sysadmin, database admin, network engineer, CCIE
• Trainer, course developer, curriculum architect
• Team lead, CTO, business owner
Present
• Network architect, consultant, blogger, webinar and book author
• Teaching the art of Scalable Web Application Design
Focus
• Large-scale data centers, clouds and network virtualization
• Scalable application design
• Core IP routing/MPLS, IPv6, VPN
More @ ipSpace.net/About


• Fully distributed data plane
• Scale-out control plane
• Availability zones
• Hardware gateways
• Large-scale microsegmentation
• Scaling stateful services
• Service chaining



Single VM (LAMP stack: Linux, Apache, MySQL, PHP)
• Typical SMB deployment
• Simple web hosting

Multi-layer application architecture (web servers, app servers, caches, primary and slave DB)
• Multiple security zones
• Load balancing and firewalling

(Figure: Outside → Web servers → App servers → DB servers)
• Multiple logical segments
• IP (sometimes MAC) connectivity within a segment
• Routing, load balancing and/or firewalling between segments
• Baseline firewalling within a segment
• Connectivity to the outside world

(Figure: the VM's IP packet is encapsulated by the overlay module/TEP with a VNI and a unicast transport MAC, sent through the kernel IP stack across the IP transport (underlay) network, and decapsulated by the remote TEP for the destination VM or hypervisor router)
• All overlay virtual networking solutions use distributed L2 forwarding
• Scalability is limited by the control plane (distribution of VM MAC-to-VTEP IP mappings)

(Figure: overlay virtual network connected to the outside network through a single virtual router)
Centralized (sometimes VM-based) inter-subnet forwarding doesn't scale
• Virtual router (L3 agent) becomes a chokepoint
• VM-based forwarding has limited performance
• Avoid this architecture for east-west traffic forwarding

Use architecture with distributed layer-3 forwarding
• Prefer dedicated in-kernel implementation over Linux kernel TCP/IP stack with namespaces or VM-based implementations
• Sample products: Juniper Contrail, Microsoft Hyper-V, Nuage VSP, VMware NSX

(Figure: VMs A and B in VNI 1, C and D in VNI 2, E and F in VNI 3 spread over two hypervisors, each with an overlay module; a gateway (GW); IP (layer-3) transport network. Packets shown: ARP request C → D with MAC C → broadcast; ARP reply D = MAC-D with MAC GW → C)
Some overlay virtual networking solutions implement combined L2+L3 forwarding model
• Intra-subnet ARP caching significantly reduces overlay broadcast traffic

Example: ARP request C → D
• Intercepted by local L3 forwarding module
• Replied from local ARP cache
• Controller is contacted on ARP cache miss
• Controller can reply with authoritative information or flood ARP request

Available in VMware NSX for vSphere, Nuage Networks VSP
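As an added illustration (not code from the webinar or from any of the products named), a small Python model of the ARP handling sequence above: the local L2+L3 module intercepts ARP requests from its VMs, answers from its own cache, asks the controller on a miss, and falls back to flooding only when the controller has no authoritative entry. The class names, the sample VNI and the IP/MAC values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ArpRequest:
    vni: int            # overlay segment the requesting VM belongs to
    sender_ip: str
    target_ip: str


@dataclass
class Controller:
    """Hypothetical authoritative IP-to-MAC database, populated from the
    cloud management platform rather than learned from data-plane traffic."""
    table: dict                      # (vni, ip) -> mac
    queries: int = 0

    def resolve(self, vni, ip):
        self.queries += 1
        return self.table.get((vni, ip))   # None: no authoritative answer


@dataclass
class OverlayModule:
    """Per-hypervisor combined L2+L3 forwarding module with an ARP cache."""
    controller: Controller
    cache: dict = field(default_factory=dict)   # (vni, ip) -> mac
    hits: int = 0
    floods: int = 0                              # requests flooded into the overlay

    def handle_arp(self, req):
        """Intercept an ARP request from a local VM.
        Returns (mac, action) with action in {'cache', 'controller', 'flood'}."""
        key = (req.vni, req.target_ip)           # cache is scoped per VNI
        mac = self.cache.get(key)
        if mac:
            self.hits += 1
            return mac, "cache"                  # answered locally, no overlay traffic
        mac = self.controller.resolve(*key)
        if mac:
            self.cache[key] = mac                # populate cache for later requests
            return mac, "controller"
        self.floods += 1                         # last resort: flood within the VNI
        return None, "flood"

    def withdraw(self, vni, ip):
        """Controller-driven invalidation (e.g. VM moved or was deleted)."""
        self.cache.pop((vni, ip), None)


def run_demo():
    """Three VMs in VNI 2 each resolve D twice; returns (controller queries, floods)."""
    ctrl = Controller({(2, "10.0.2.4"): "00:00:5e:00:53:0d"})  # D's entry, constructed
    mod = OverlayModule(ctrl)
    for _ in range(2):
        for sender in ("10.0.2.1", "10.0.2.2", "10.0.2.3"):
            mod.handle_arp(ArpRequest(2, sender, "10.0.2.4"))
    return ctrl.queries, mod.floods
```

Six ARP requests for the same target cost one controller query and no flooding; a request for an address the controller does not know is the only one that reaches the overlay as a broadcast.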

Scaling network services
• Scale-out load balancing is mission impossible (shared state tied to outside IP address)
• Scale-out firewalls are common (state tied to a single VM)
• Scale-out NAT is an interesting challenge

(Figure: hypervisor with per-VM NIC firewalls, outside network)
Implement traffic filters with VM NIC firewalls
• Stateful firewalls or reflexive ACLs
• Reflexive ACLs might be good enough for well-designed applications
• VM-based solutions severely limit performance → use in-kernel filters
• Sample solutions: Nuage VSP, VMware NSX, VMware vSphere, OpenStack/CloudStack on KVM
• ACL-only solutions: Microsoft Hyper-V, Cisco Nexus 1000V

Requirements for scalable data plane
• Distributed L3 forwarding
• Local ARP handling (ARP caching or pure L3 solution)
• Distributed security groups implemented in hypervisors


(Figure: cloud management system and SDN controller programming the overlay VTEPs in the hypervisor kernel IP stacks across the IP transport network)
Crucial overlay virtual network challenge: VM-MAC-to-VTEP-IP mappings
• Initial implementations used IP multicast and Ethernet-like learning
• Modern solutions use network controllers in combination with orchestration systems

Sample solutions: Cisco Nexus 1000V, Juniper Contrail, Nuage VSP, VMware NSX

Some overlay networking solutions lack SDN controller element
• Cloud management platform programs virtual switches directly
• Hard to integrate with the physical network: static routes/MAC learning or VM-based solutions

(Figure: two cloud management platforms (CMP), each with its own SDN controller, federated between the controllers)
SDN controller enables inter-cloud federation
• Reachability data exchanged between controllers
• Most SDN controllers use BGP for easy integration with existing hardware

(Figure: a single controller programming the overlay VTEPs in the hypervisor kernel IP stacks across the IP transport network)
• Network controller becomes the scalability bottleneck
• Control-plane-only controllers scale much better than controllers participating in data plane (hint: use CMP to get MAC and IP address information)
• Every controller implementation eventually hits its limits → scale-out is the only answer

(Figure: controllers exchanging information over BGP)
Scale-out architecture is the only viable way forward
• Requirement: synchronization of policy and reachability information between controllers

Typical solution: multi-protocol BGP (MP-BGP)
• L3VPN for IP routing (sometimes using host routes for VM IP addresses)
• EVPN for layer-2 forwarding
• Easy integration with existing hardware gateways

Additional benefits:
• Clean failure domain separation (availability zones)
• Adjustable size of failure domains to meet scalability and convergence requirements

Terminology:
• VSP: Virtual Services Platform
• CMP: Cloud Management Platform
• VSD: Virtual Services Directory
• VSC: Virtual Services Controller
• VRS: Virtual Routing & Switching

Plane of operation
• VSD: Management/Policy
• VSC: Control plane
• VRS: Data plane

(Figure: CMP ↔ VSD over REST, VSD ↔ VSC over XMPP, VSC ↔ VSC and VSC ↔ VSG/PE over BGP, each VSC controlling several VRS instances)

Scale-out architecture
• Single VSD per CMP
• Multiple VSC per VSD (scale-out within CMP)
• VSC confederation via MP-BGP (scale-out across CMP)


Failure Domain: area impacted when a key device or service experiences problems

Sample failure domains
• VLAN (broadcast storms)
• OSPF area (LSA flooding)
• Controller-based network (controller failure)
• Cloud instance (cloud management system failure)

(Figure: the failure domains mapped onto the Nuage architecture: CMP ↔ VSD over REST, VSD ↔ VSC over XMPP, VSC ↔ VSC over BGP, each VSC controlling several VRS instances)

Regions: cloud instances with separate API endpoints
• Separate instances of cloud management systems

Availability zone: logical group that provides a form of physical isolation and redundancy from other availability zones (OpenStack)
• Common cloud management
• Isolated compute/storage/networking failure domains
• Each availability zone SHOULD have a different network services controller

(Figure: one CMP and VSD per region (REST, XMPP), one VSC per availability zone exchanging BGP with the others, each VSC controlling the VRS instances in its zone)

Cloud management platform fails?
• No moves, adds or changes
• Overlay virtual networking topology is frozen
• High-availability clusters cannot recover

SDN controller fails?
• Controllers involved in data plane (MAC learning or ARP replies) → total failure
• Control-plane controllers → loss of reachability information
• Controllers without external control plane → no visibility, no topology change

(Figure: two CMPs with their SDN controllers and federation between them)
Each availability zone SHOULD have an independent SDN controller

(Figure: CMP ↔ VSD over REST, VSD ↔ VSC over XMPP, one VSC per availability zone exchanging BGP, each controlling its VRS instances and a VSG/PE)
Underlying infrastructure
• Each availability zone = independent L3 forwarding domain

Controller/orchestration infrastructure
• Single CMP/VSD per region
• VSD works on policy plane → VSD failure is similar to CMP failure
• VSC per availability zone → VSC failure does not spread across zones
• BGP information exchange through a set of route reflectors → use BGP security mechanisms to protect availability zones
• Pair of VSGs per availability zone (when needed)


VMs within an overlay virtual network must interact with the physical world

L2 gateways (VNI-to-VLAN)
• P2V migrations
• Integration with legacy equipment

L3 gateways
• Multiple VNIs routed to a VLAN
• Simple P2V or WAN integration

Network services gateway
• Firewalls and load balancers

Deployment format
• VM-based
• Hypervisor kernel module
• Bare-metal x86 server
• Hardware VTEP

Design and deployment considerations
• Performance
• Control-plane integration with overlay fabric
• Management plane integration with overlay network controller and orchestration system
• Integration with existing network infrastructure (example: MPLS/VPN)

(Figure: gateway appliance VM with one virtual NIC on the VXLAN side (IP packet carrying a VNI in a VXLAN/UDP envelope, sent through the VTEP in the kernel IP stack, flooding via IP multicast) and one on the VLAN side (IP packet with VLAN tag and next-hop MAC, flooding via MAC multicast), reaching the outside through the IP transport network)
• Gateway function implemented in a VM with multiple virtual NICs
• VM performs traditional bridging/routing/network services functionality
• Use any product available in VM format (including Linux instances)
• Forwarded traffic goes through a VM → performance usually limited to few Gbps

Typical gateway deployment scenarios
• Integrate overlay networks with outside world → maximum performance = WAN link speed
• Integrate overlay networks with legacy hardware → maximum performance = legacy hardware network I/O performance

Software gateway performance
• Few Gbps for VM-based solutions
• ~10 Gbps for kernel-based and bare-metal gateways

Hardware gateways offer the performance needed in large-scale deployments

Hardware gateway needs the following information
• Mapping between VXLAN VNI and external VLANs
• VM-MAC-to-VTEP-IP mappings
• VXLAN flooding information (IP MC address or VTEP list)

Solutions
• Do-it-yourself
• OVSDB (VMware NSX, Nuage VSP)
• EVPN (Nuage VSP, Juniper Contrail)

OVSDB
• Lightweight JSON-RPC-based database query/update protocol
• OVSDB database table schema defines the actual data

Hardware VTEP schema
• Physical switch + ports
• Logical switch + router
• Local and remote MAC mappings

SDN controller uses OVSDB to
• Configure VXLAN-to-VLAN mappings
• Push MAC mappings to VTEP
• Receive physical MAC addresses from VTEP

(Figure: SDN controller ↔ hardware VTEP over OVSDB)
MPLS/VPN integration through VLANs (Inter-AS Option A)

• Network virtualization controller and hardware gateway use EVPN and L3VPN to exchange forwarding data
• EVPN provides MAC-to-VTEP mappings
• L3VPN integrates overlay virtual networks with MPLS/VPN
• Gateway provisioning uses a different protocol (ex: NETCONF)

(Figure: controller ↔ gateway exchanging EVPN and L3VPN routes)
EVPN forwarding information
• VTEP flood list (Inclusive Multicast Ethernet Tag route)
• MAC-to-VTEP mapping (MAC/IP Address Advertisement route)
• Propagation of IP addresses enables proxy ARP functionality

MPLS/VPN integration through MP-BGP (same domain or inter-AS Option B/C)

(Figure: Nuage VRS on a hypervisor, VSC, gateway (GW) and PE router of the MPLS/VPN network, all connected over the underlay IP transport network; VSC ↔ PE over MP-BGP, VSC → VRS over OpenFlow. Packets shown: IP A → S with MAC A → GW from the VM; the same packet with an MPLS label inside a GRE header addressed to the PE, or inside VXLAN to the PE VTEP; IP/MPLS toward S on the far side)
• PE-router sends VPNv4 or EVPN update to Nuage VSC
• VSC installs forwarding entries with BGP next hop + label in VRS
• VM sends IP packet to server (and GW MAC)
• IP router in VRS performs L3 lookup
• IP packet is encapsulated in MPLS-GRE-IP or VXLAN-UDP-IP envelope
• PE router receives MPLS/VPN or VXLAN packet
• PE router forwards VPN IP packet
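An added Python model of the VRS data-plane steps in this sequence (not code from the webinar or from Nuage VSP): the forwarding entries the VSC installed (PE address as BGP next hop, label, encapsulation) drive the L3 lookup and the MPLS-GRE-IP or VXLAN-UDP-IP encapsulation of the VM's packet. The addresses, label and VNI values, and the use of the VNI as the per-VPN label in the VXLAN case, are assumptions.

```python
import ipaddress
import struct

# Forwarding entries pushed by the VSC into this VRS (constructed values):
# prefix -> (PE address = BGP next hop, MPLS label or VNI, encapsulation)
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): ("198.51.100.1", 24001, "mpls-gre"),
    ipaddress.ip_network("203.0.113.0/24"): ("198.51.100.2", 5001, "vxlan"),
}
VRS_IP = "198.51.100.10"     # underlay address of this hypervisor's VTEP (constructed)

GRE_PROTO_MPLS = 0x8847      # GRE protocol type for MPLS unicast (RFC 4023)
VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header without options; checksum left at zero
    (a real VTEP fills it in or offloads it to the NIC)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def mpls_label_entry(label, ttl=64, tc=0, bos=1):
    """One 32-bit label stack entry: 20-bit label, 3-bit TC, S bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def vxlan_header(vni):
    """8-byte VXLAN header: flags with the I bit set, reserved, 24-bit VNI, reserved."""
    return struct.pack("!BBHI", 0x08, 0, 0, vni << 8)


def lookup(dst_ip, fib=FIB):
    """Longest-prefix match performed by the IP router inside the VRS."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, entry in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, entry)
    return best[1] if best else None


def forward(inner_ip_packet, dst_ip, fib=FIB, vrs_ip=VRS_IP):
    """Encapsulate the VM's IP packet toward the PE named in the FIB entry.
    Returns (envelope_bytes, encap), or (None, None) when no VPN route exists."""
    entry = lookup(dst_ip, fib)
    if entry is None:
        return None, None          # drop: nothing learned from the PE via the VSC
    pe_ip, value, encap = entry
    if encap == "mpls-gre":
        gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)       # no checksum/key/sequence
        payload = gre + mpls_label_entry(value) + inner_ip_packet
        return ip_header(vrs_ip, pe_ip, 47, len(payload)) + payload, encap
    udp_len = 8 + 8 + len(inner_ip_packet)
    # source port would normally come from a flow hash for underlay ECMP
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    payload = udp + vxlan_header(value) + inner_ip_packet
    return ip_header(vrs_ip, pe_ip, 17, len(payload)) + payload, encap


def decode_outer(envelope):
    """Parse the outer headers back: (outer dst IP, 'gre' or 'udp', label or VNI)."""
    proto = envelope[9]
    dst = str(ipaddress.ip_address(envelope[16:20]))
    if proto == 47:                                        # IP + GRE(4) + label(4)
        return dst, "gre", struct.unpack("!I", envelope[24:28])[0] >> 12
    return dst, "udp", struct.unpack("!I", envelope[32:36])[0] >> 8   # IP + UDP(8) + VXLAN(8)
```

The outer destination is always the PE address the VSC learned as BGP next hop, so a VM packet for a prefix without a VPN route is dropped in the VRS rather than forwarded to a gateway.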

Deployment format
• Low bandwidth → VM
• High bandwidth → hardware VTEP

Integration requirements
• Physical VLANs → OVSDB or EVPN
• MPLS/VPN WAN → EVPN + L3VPN

Choose an SDN controller that supports all the options you need


Security Groups

Concepts
• Replace subnet-level firewalls (or ACLs) with per-VM firewalls/ACLs
• Increased intra-subnet security due to microsegmentation
• No chokepoint, no traffic tromboning
• No subnets → no addressing limitations

Implementations
• CloudStack (on Linux-based hypervisors)
• OpenStack (Neutron plugin extension)
• VMware vCD/vCAC with vShield Edge or VMware NSX

High-level view
• Assign VMs to groups
• Specify filtering rules between groups

From   To       Port
Any    Web      80
Any    Web      443
Web    App      9000
App    DB       3306
Mgmt   All-VM   22

(Figure: groups Web (W1, W2, W3), App (A1, A2), DB (D1, D2) and Outside)

Typical implementations
• Packet filter (OVS or Linux iptables)
• Each group exploded into a list of IP addresses
• ACL = Cartesian product of source-destination IP addresses

Group-level rules
From   To       Port
Any    Web      80
Any    Web      443
Web    App      9000
App    DB       3306
Mgmt   All-VM   22

Expanded per-VM ACL
From   To   Port
Any    W1   80
Any    W2   80
Any    W3   80
Any    W1   443
Any    W2   443
Any    W3   443
W1     A1   9000
W1     A2   9000
W2     A1   9000
W2     A2   9000
W3     A1   9000
W3     A2   9000
…

(Figure: groups Web (W1, W2, W3), App (A1, A2), DB (D1, D2) and Outside)

Security group ACL = Cartesian product of IP addresses
• Long ACLs (performance usually degrades linearly with the ACL length)
• Whole ACL deployed on all VM NICs → even further performance degradation
• Any change in security group membership (VM adds or removals) propagates to all hypervisors running tenant's VMs

(Figure: SDN controller pushing the full ACL to every hypervisor connected to the outside network)
From   To       Port
Any    Web      80
Any    Web      443
Web    App      9000
App    DB       3306
Mgmt   All-VM   22

Security group membership = BGP community
• Remote VM security group attached to IP or MAC route
• Local VM security group attached to VM port

(Figure: VSD above a VSC controlling two VRS instances on the transport network)
Typical sequence of events
• New VM is started on a hypervisor
• VRS notifies VSC
• VSC notifies VSD
• VSD assigns VM into a security group and replies to VSC
• VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group)
• ACL is not changed
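To make the contrast between the two implementations concrete (the Cartesian-product ACL of the preceding slides versus the security group carried as a tag with the route, as above), here is an added Python example; it is not code from the webinar or from Nuage VSP. The group names and rules follow the slides; the IP addresses and the tag-lookup helper are constructed.

```python
from itertools import product

# Policy exactly as on the slides: (from_group, to_group, port)
RULES = [("Any", "Web", 80), ("Any", "Web", 443), ("Web", "App", 9000),
         ("App", "DB", 3306), ("Mgmt", "All-VM", 22)]

GROUPS = {                      # constructed sample tenant
    "Web": ["10.1.1.1", "10.1.1.2", "10.1.1.3"],     # W1, W2, W3
    "App": ["10.1.2.1", "10.1.2.2"],                 # A1, A2
    "DB": ["10.1.3.1", "10.1.3.2"],                  # D1, D2
    "Mgmt": ["10.1.9.1"],
}
# Tag attached to each VM address: for remote VMs it arrives with the IP/MAC
# route (BGP community), for local VMs it is bound to the VM port.
TAG_OF = {ip: g for g, ips in GROUPS.items() for ip in ips}


def members(groups, name):
    """Resolve a group name to concrete addresses; 'Any' is the wildcard."""
    if name == "Any":
        return ["0.0.0.0/0"]
    if name == "All-VM":
        return sorted(ip for ips in groups.values() for ip in ips)
    return sorted(groups[name])


def expand_acl(groups, rules=RULES):
    """Packet-filter style: one ACL line per (src IP, dst IP, port) pair."""
    lines = []
    for src, dst, port in rules:
        for s, d in product(members(groups, src), members(groups, dst)):
            lines.append((s, d, port))
    return lines


def tag_match(tag_of, src_ip, dst_ip, port, rules=RULES):
    """Community style: match on the tags looked up for each address, so the
    rule set is independent of how many VMs are in each group."""
    src_tag, dst_tag = tag_of.get(src_ip), tag_of.get(dst_ip)
    for frm, to, p in rules:
        if p != port:
            continue
        if frm != "Any" and frm != src_tag:
            continue
        if to == "All-VM":
            if dst_tag is None:          # 'All-VM' never covers outside addresses
                continue
        elif to != dst_tag:
            continue
        return True
    return False


def acl_growth(groups):
    """Return (ACL length, ACL length after one more web server joins)."""
    before = len(expand_acl(groups))
    bigger = {k: list(v) for k, v in groups.items()}
    bigger["Web"].append("10.1.1.99")
    return before, len(expand_acl(bigger))


def tag_growth(tag_of):
    """Adding the same web server to the tag table changes no rule at all."""
    bigger = dict(tag_of, **{"10.1.1.99": "Web"})
    return len(RULES), len(RULES), tag_match(bigger, "10.1.1.99", "10.1.2.1", 9000)
```

With the sample tenant the expanded ACL is 24 lines and grows to 29 when a fourth web server appears, and every hypervisor holding the tenant's VMs must receive the new version; the tag-based evaluation keeps the five rules unchanged and only learns one more (address → group) binding.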

240.net/Webinars © ipSpace.s@gmail.net 2014 Overlay Virtual Networks +61This material .ipSpace.com [164. More information at http://www.34]).143.Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC VSD VSC VSC VRS VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar.

Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC • VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl.143. More information at http://www.34]).s@gmail.net/Webinars 62This © 2014 Overlay Virtual Networks 1 ofmaterial 5ipSpace.net .com [164.240. security group) VSD VSC VSC VRS VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar.ipSpace.

More information at http://www.34]).143.s@gmail.com [164.net/Webinars 63This © 2014 Overlay Virtual Networks 2 ofmaterial 5ipSpace.Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC • VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. security group) • VSC originates new EVPN and IPVPN route (security group = BGP community) VSD VSC VSC VRS VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar.ipSpace.net .240.

net .240. security group) • VSC originates new EVPN and IPVPN route (security group = BGP community) • VSC sends BGP update to its BGP peers VSD VSC VSC VRS VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar.com [164.34]).s@gmail.Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC • VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl. More information at http://www.143.net/Webinars 64This © 2014 Overlay Virtual Networks 3 ofmaterial 5ipSpace.ipSpace.

net .34]).ipSpace.com [164.143.240.Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC • VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl.net/Webinars 65This © 2014 Overlay Virtual Networks 4 ofmaterial 5ipSpace.s@gmail. security group) • VSC originates new EVPN and IPVPN route (security group = BGP community) • VSC sends BGP update to its BGP peers • Remote VSC updates forwarding VRS entries in remote VRS VSD VSC VSC VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar. More information at http://www.

143. More information at http://www.s@gmail.ipSpace. security group) • VSC originates new EVPN and IPVPN route (security group = BGP community) • VSC sends BGP update to its BGP peers • Remote VSC updates forwarding VRS entries in remote VRS • ACL is not changed VSD VSC VSC VRS Transport Network is copyrighted and licensed for the sole use by Dimitar Scaling Stojanovski (dimitar.240.Typical sequence of events • New VM is started on a hypervisor • VRS notifies VSC • VSC notifies VSD • VSD assigns VM into a security group and replies to VSC • VSC updates MAC-to-VTEP and IP-to-VTEP forwarding entries (incl.34]).com [164.net/Webinars 66This © 2014 Overlay Virtual Networks 5 ofmaterial 5ipSpace.net .

VM sends an IP packet
Ingress ACL check on ingress VRS
• From security group = VM NIC group
• To security group = BGP community
Encapsulated VM frame is sent across the transport network
Egress ACL check on egress VRS
• From security group = BGP community
• To security group = VM NIC group
Packet is delivered to target VM

(Diagram: VSD, local VSC, remote VSC, VRS on each hypervisor, transport network)
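The route distribution with the security group carried as a BGP community, and the two ACL checks on the ingress and egress VRS described above, as an added Python model that is not code from the webinar or from Nuage Networks; the 65000:<group> community encoding, group numbers, addresses and VTEPs are constructed assumptions:

```python
"""Added example, not code from the webinar or from Nuage Networks: a model of
security-group membership carried as a BGP community on the EVPN/IPVPN route
and of the two ACL checks (ingress VRS, egress VRS) from the slides.
The 65000:<group> community format, group numbers, addresses and VTEPs are
constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

AS_NUMBER = 65000   # assumed: community = <AS>:<security group>


@dataclass(frozen=True)
class Route:
    """Host route for a VM as originated by its VSC: the next hop is the
    hypervisor VTEP and the security group rides along as a BGP community."""
    vm_ip: str
    vtep: str
    community: str


@dataclass(frozen=True)
class AclRule:
    src_group: int
    dst_group: int
    dport: Optional[int]   # None = any destination port
    permit: bool


@dataclass
class Vrs:
    """Per-hypervisor forwarding element. Local VM ports carry their group;
    remote VMs are known only through routes received from the VSC."""
    vtep: str
    local_ports: dict = field(default_factory=dict)   # VM IP -> security group
    routes: dict = field(default_factory=dict)        # VM IP -> Route
    acl: list = field(default_factory=list)           # group-based policy

    def group_of(self, vm_ip):
        """Local VM: group attached to the port. Remote VM: group decoded
        from the community on its route. Unknown VM: None."""
        if vm_ip in self.local_ports:
            return self.local_ports[vm_ip]
        route = self.routes.get(vm_ip)
        if route is None:
            return None
        asn, group = route.community.split(":")
        return int(group) if int(asn) == AS_NUMBER else None

    def check(self, src_ip, dst_ip, dport):
        """First matching (src group, dst group, port) rule wins; an unknown
        group or no match is a deny."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return False
        for rule in self.acl:
            if (rule.src_group, rule.dst_group) == (src, dst) \
                    and rule.dport in (None, dport):
                return rule.permit
        return False


def start_vm(vm_ip, group, local, peers):
    """VM start as on the slides: VSD assigns the group, the local VSC
    programs the port and originates a route whose community encodes the
    group, and peer VSCs install it. No ACL entry changes anywhere."""
    local.local_ports[vm_ip] = group
    route = Route(vm_ip, local.vtep, f"{AS_NUMBER}:{group}")
    for peer in peers:
        peer.routes[vm_ip] = route


def send_packet(src_ip, dst_ip, dport, vrs_by_vtep):
    """Ingress ACL on the source VRS, encapsulation towards the VTEP taken
    from the route, egress ACL on the destination VRS."""
    ingress = next(v for v in vrs_by_vtep.values() if src_ip in v.local_ports)
    if not ingress.check(src_ip, dst_ip, dport):
        return "dropped at ingress"
    if dst_ip in ingress.local_ports:         # same hypervisor, no transport hop
        return "delivered locally"
    egress = vrs_by_vtep[ingress.routes[dst_ip].vtep]
    if not egress.check(src_ip, dst_ip, dport):
        return "dropped at egress"
    return f"delivered via VTEP {egress.vtep}"


def build_lab():
    """Constructed scenario: web (group 100) may reach db (group 200) on 5432.
    Both hypervisors share the same group-based policy."""
    policy = [AclRule(100, 200, 5432, True)]
    h1, h2 = Vrs("10.0.0.1", acl=policy), Vrs("10.0.0.2", acl=policy)
    start_vm("192.168.1.10", 100, h1, [h2])   # web VM on h1
    start_vm("192.168.2.20", 200, h2, [h1])   # db VM on h2
    return {h1.vtep: h1, h2.vtep: h2}
```

Starting a second web VM on the other hypervisor with start_vm only adds a route with the group community; the existing rule keeps matching without any ACL change, which is the point of the "ACL is not changed" step.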

Security groups (in BGP communities) can extend across MPLS/VPN backbone
• Automatic ingress/egress filters on VM NICs
• Requires trust (or strict filters) between cloud and MPLS/VPN networks
VM to remote host:
• VM sends a packet
• Ingress ACL on VRS
• IP packet sent from VRS to PE-router
• IP packet delivered to remote host
Remote host to VM:
• IP packet received by PE-router
• IP packet delivered to VRS
• Egress ACL on VRS
• Packet delivered to VM

(Diagram: VSC, VRS, transport network, MPLS backbone)


Shared state
Scale-out NAT is a hard problem
• No guarantee of symmetrical paths (best case: rehashing after topology change)
• Shared state tied to outside IP address
• State must be distributed and synchronized across all NAT cluster members
Maybe we're solving the wrong problem


Floating IP address NAT
• Virtual machines with public IP addresses (floating IP address) → static stateless NAT
• Access to outside servers → dynamic stateful NAPT, outside source address is irrelevant
Equivalent to Amazon VPC behavior

Setup
• Floating IP from public vDRS is allocated to a tenant VM
• 1:1 NAT rule is created on the hypervisor
Internal communication
• Destination IP address is within tenant vDRS
• NAT rule is not invoked
Outside-to-inside
• Packet sent to IP address in public vDRS (received by hypervisor)
• Hypervisor translates destination IP address to VM IP address
Inside-to-outside
• VM sends packet to a destination unreachable in tenant vDRS
• Per-VM default route pushes the packet through NAT rule into public vDRS
NAT rule is stateless and active on a single hypervisor

(Diagram: tenant vDRS (VRF) with floating IP (F-IP), public vDRS (VRF), transport network, VSG/PE, outside)

Setup
• IP from public vDRS (H-IP) is allocated to each hypervisor
Inside-to-outside
• VM sends packet to a destination unreachable in tenant vDRS
• Default route pushes the packet through NAT rule into public vDRS
• Stateful NAT entry is created in the hypervisor
• Packet is delivered to the outside server
Outside-to-inside
• Return packet is sent to IP address in public vDRS (received by hypervisor)
• Hypervisor uses PNAT entry to translate destination IP address to VM IP address
• Translated packet is delivered to target VM
The goal is connectivity, not specific NAT outside address

(Diagram: tenant vDRS (VRF), hypervisor IP (H-IP), public vDRS (VRF), transport network, VSG/PE, outside)
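The two hypervisor-local NAT modes from the floating IP and H-IP slides above, and why neither needs the shared cluster state the scale-out NAT slide warns about, as an added Python model that is not code from the webinar or from Nuage Networks; addresses, ports and the sequential port allocation are constructed assumptions:

```python
"""Added example, not code from the webinar or from Nuage Networks: a model of
the two hypervisor-local NAT modes from the slides, a stateless 1:1
floating-IP rule for a VM that must be reachable from outside and a stateful
per-hypervisor NAPT behind the hypervisor's H-IP for VMs that only need
outbound connectivity. Addresses, ports and port allocation are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass
class Hypervisor:
    """NAT state lives only here: the floating IP rule is a static mapping,
    the NAPT table is local to this hypervisor and keyed by its own H-IP."""
    tenant_prefix: str                                 # tenant vDRS (VRF)
    h_ip: str                                          # this host's public vDRS IP
    floating: dict = field(default_factory=dict)       # floating IP -> VM IP
    napt: dict = field(default_factory=dict)           # outside port -> (proto, VM IP, VM port)
    next_port: int = 1024                              # assumed allocation: sequential

    def in_tenant(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.tenant_prefix)

    def _napt_port(self, pkt):
        """Reuse the mapping of an existing flow, otherwise allocate a new one."""
        for out_port, inside in self.napt.items():
            if inside == (pkt.proto, pkt.src_ip, pkt.src_port):
                return out_port
        out_port, self.next_port = self.next_port, self.next_port + 1
        self.napt[out_port] = (pkt.proto, pkt.src_ip, pkt.src_port)
        return out_port

    def inside_to_outside(self, pkt):
        """Returns (vDRS the packet ends up in, packet as forwarded).
        Tenant-internal destinations never touch a NAT rule."""
        if self.in_tenant(pkt.dst_ip):
            return "tenant", pkt
        vm_to_fip = {vm: fip for fip, vm in self.floating.items()}
        if pkt.src_ip in vm_to_fip:   # static 1:1 rule: address swap, no state
            return "public", Packet(vm_to_fip[pkt.src_ip], pkt.dst_ip,
                                    pkt.src_port, pkt.dst_port, pkt.proto)
        out_port = self._napt_port(pkt)   # dynamic NAPT: state created here
        return "public", Packet(self.h_ip, pkt.dst_ip, out_port, pkt.dst_port, pkt.proto)

    def outside_to_inside(self, pkt):
        """Packet from the public vDRS for an address this hypervisor owns.
        Returns the translated packet, or None when nothing claims it."""
        if pkt.dst_ip in self.floating:   # unsolicited inbound is fine for a floating IP
            return Packet(pkt.src_ip, self.floating[pkt.dst_ip],
                          pkt.src_port, pkt.dst_port, pkt.proto)
        if pkt.dst_ip == self.h_ip:
            inside = self.napt.get(pkt.dst_port)
            if inside is not None and inside[0] == pkt.proto:
                return Packet(pkt.src_ip, inside[1], pkt.src_port, inside[2], pkt.proto)
        return None   # no floating IP and no NAPT state: dropped
```

Because return traffic always lands on the hypervisor whose H-IP or floating IP it was sent to, the state never has to be synchronized with any other host.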


• Insert physical appliances between virtual network endpoints
• Insert L4-7 and security services within a subnet
• Create multi-tier applications without routing overhead
• Combine multiple services in Network Function Virtualization deployments

Layer-2 frames redirected to a transparent (bump-in-wire) appliance
• Based on MAC (potentially IP) headers

(Diagram, 11 animation steps: endpoints A and B exchange frames with S through the appliance; frame headers shown as IP-A → IP-S with MAC-A → MAC-S, and IP-B → IP-S with MAC-B → MAC-S)

Typical implementation
• VLAN chaining
• Hard to implement for individual endpoints
• Impossible to implement for individual applications
• Fantastic potential for forwarding loops

Diagram: A sends IP-A → IP-S with MAC header MAC-A → MAC-G (the gateway MAC); the VRS rewrites the frame to MAC-G → MAC-F toward appliance F and, after the appliance returns it, forwards it to S as MAC-G → MAC-S. B's traffic IP-B → IP-S is rewritten toward MAC-F the same way and also reaches S as MAC-G → MAC-S.

Layer-3 frames redirected to a transparent or inter-subnet appliance
• Based on IP headers
• Might require MAC header rewrite

Typical implementation
• Policy-based routing (PBR)
• MAC rewrite is automatic
• Hard to implement for appliances not close to the forwarding path
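The two redirection styles above, as an added example that is not part of the ipSpace.net slides or of any vendor's code: a MAC-only redirect re-matches the frame a transparent appliance hands back (the forwarding loop the L2 slide warns about), while a PBR entry bound to the ingress virtual port and matched on IP headers rewrites the MAC header once and cannot fire again on the appliance-facing port. All MAC and IP addresses, port names and the single-VRS model are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

# Constructed sample addressing mirroring the slide labels: A (client), S
# (server), F (transparent appliance) and G (the VRS distributed-gateway MAC).
MAC = {"A": "02:00:00:00:00:0a", "S": "02:00:00:00:00:05",
       "F": "02:00:00:00:00:0f", "G": "02:00:00:00:00:01"}
IP = {"A": "10.1.1.10", "S": "10.2.2.20"}
PORT = {MAC["A"]: "vA", MAC["S"]: "vS", MAC["F"]: "vF"}   # virtual ports
MAX_HOPS = 8

def l2_redirect(frame, redirected_dst_macs, hops=0):
    """L2 chaining: the rule matches on MAC headers only. The bump-in-the-wire
    appliance hands the frame back unchanged, so the same rule fires again.
    Returns the egress port, or None once the frame has looped MAX_HOPS times."""
    if hops >= MAX_HOPS:
        return None
    if frame.dst_mac in redirected_dst_macs:
        return l2_redirect(frame, redirected_dst_macs, hops + 1)  # back from F
    return PORT[frame.dst_mac]

def pbr_redirect(frame, ingress, pbr):
    """L3 chaining: the PBR entry is bound to the ingress virtual port and
    matched on IP headers; the MAC rewrite toward the appliance is automatic."""
    appliance = pbr.get((ingress, frame.src_ip, frame.dst_ip))
    if appliance:
        out = replace(frame, src_mac=MAC["G"], dst_mac=MAC[appliance])
    else:  # no entry for this ingress port: ordinary inter-subnet routing
        dst = next(k for k, ip in IP.items() if ip == frame.dst_ip)
        out = replace(frame, src_mac=MAC["G"], dst_mac=MAC[dst])
    return PORT[out.dst_mac], out

def chain_path(frame, ingress, pbr):
    """Follow a packet through the VRS until it reaches a non-appliance port.
    The appliance re-injects it on its own port (which has no PBR entry) with
    its own source MAC, so a packet cannot be redirected a second time."""
    path = []
    while True:
        port, frame = pbr_redirect(frame, ingress, pbr)
        path.append(port)
        if port != PORT[MAC["F"]]:
            return path
        ingress, frame = port, replace(frame, src_mac=MAC["F"], dst_mac=MAC["G"])

PBR = {("vA", IP["A"], IP["S"]): "F", ("vS", IP["S"], IP["A"]): "F"}  # A<->S via F
```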

• Services and redirection (chaining) rules are defined in VSD Architect
• VSD downloads redirection rules to VSC
• VSC instantiates PBR entries on virtual port (VM) activation
• Traffic redirection uses the same scalability mechanisms as security groups
• Multiple forwarding domains are used to further scale the implementation

Diagram: VSD above two VSCs, each controlling VRS instances across the transport network.

• Appliances (physical or virtual) are identified by virtual port tags
• A dedicated VNI (VXLAN segment) is allocated to each appliance port
• Appliance reachability information (ESI, VNI, transport next hop) is propagated in EVPN updates
• Information from EVPN update is used as PBR next hop

Diagram: two VSCs exchanging MP-BGP updates, each controlling VRS instances across the transport network.

• Appliances (physical or virtual) are identified by virtual port tags
• A dedicated VNI (VXLAN segment) is allocated to each appliance port
• L2VPN is created between appliance
• Active appliance IP address is detected by monitoring GARP packets
• A host route is created for each appliance IP address
• L3VPN host route (prefix, VNI, transport MP-BGP next hop) toward appliance port is propagated across MP-BGP routing domain
• Information from L3VPN route is used as PBR next hop

Diagram: two VSCs exchanging MP-BGP routes, three VRS instances on the transport network, GARP received from the appliance port.
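The GARP-driven host route of the slide above and the "reachability information becomes the PBR next hop" idea of the EVPN slide before it, as an added example (my own toy model, not Nuage code): a gratuitous ARP is recognised by parsing the RFC 826 header (sender IP equals target IP), the announcing appliance's address becomes a /32 route carrying the port's VNI and transport next hop, and the PBR next hop is resolved from that route. Treating only GARPs seen on ports tagged as appliance ports as authoritative is my reading of the "identified by virtual port tags" bullet, and all tags, VNIs, VTEP and appliance addresses are constructed values.

```python
import struct
from dataclasses import dataclass
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 Ethernet/IPv4 ARP layout, 28 bytes

def parse_arp(pkt: bytes):
    """Return (oper, sender MAC, sender IP, target IP) from a raw ARP payload."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

def is_gratuitous(pkt: bytes) -> bool:
    """A GARP announces the sender's own address: sender IP == target IP."""
    _oper, _mac, spa, tpa = parse_arp(pkt)
    return spa == tpa

def make_arp(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed sample ARP request; sender_ip == target_ip makes it a GARP."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b"\0" * 6, target_ip)

@dataclass(frozen=True)
class HostRoute:
    prefix: str      # /32 toward the active appliance IP
    vni: int         # dedicated VXLAN segment of the appliance port
    next_hop: str    # transport next hop (VTEP of the VRS hosting the port)

class ChainController:
    """Toy VSC: GARPs seen on tagged appliance ports become L3VPN host routes,
    and the VRS resolves its PBR next hop from the route, not from the ARP."""
    def __init__(self):
        self.appliance_ports = {}   # port tag -> (dedicated VNI, hosting VTEP)
        self.host_routes = {}       # appliance IP -> HostRoute

    def add_appliance_port(self, tag: str, vni: int, vtep: str):
        self.appliance_ports[tag] = (vni, vtep)

    def on_arp(self, port_tag: str, pkt: bytes):
        """Only a GARP from a port tagged as an appliance port may move the
        chain; the same packet from an ordinary VM port is ignored."""
        if port_tag not in self.appliance_ports or not is_gratuitous(pkt):
            return None
        vni, vtep = self.appliance_ports[port_tag]
        _oper, _mac, ip, _tpa = parse_arp(pkt)
        route = HostRoute(f"{ip}/32", vni, vtep)
        self.host_routes[ip] = route     # most recent announcer is the active one
        return route

    def pbr_next_hop(self, appliance_ip: str):
        r = self.host_routes.get(appliance_ip)
        return None if r is None else (r.vni, r.next_hop)
```

Failover of an active/standby appliance pair is then just a new GARP from the standby's port: the host route, and with it the PBR next hop on every VRS, moves to the new VNI and VTEP.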


Architectural elements:
• Distributed forwarding plane (L2 and L3)
• Control plane with scale-out architecture
• Distributed L4 services (security, NAT)
• Scalable security mechanisms

Additional considerations:
• High-performance gateways
• Control- and management-plane integration with external networks

• Define the services
• Define the virtual infrastructure requirements
  – Connectivity (L2 and/or L3)
  – Security
  – Performance
  – Integration with legacy infrastructure
  – Integration with WAN networks
• Select the orchestration system
• Select the hypervisor platform
• Select an overlay virtual networking solution that will support the services you want to offer
  – Easy integration with the orchestration system
  – Scalable implementation of network services
  – Scalable integration with external networks

Questions? Send them to ip@ipSpace.net or @ioshints