- Multiple tenants on a network
- Tenant networks can't see or talk to each other
- Transparent to the cloud machine
- An extension to Ethernet frames
- 12 bits of VLAN ID, so only 4096 tenants
- Requires physical switch participation
- Lots of different hardware to configure
- Hard to do quickly on-demand
- Conclusion: Built for a different era
- You want a private L2 network between VMs
- You already have working IP between the members of the network
- Use that "underlay" IP network and overlay an L2 network on top
+----------------------+                 +----------------------+
| +--+  +-------+---+  |                 |  +---+-------+  +--+ |
| |VM|--|       |   |  |                 |  |   |       |--|VM| |
| +--+  |Virtual|NIC|---    Underlay     ---|NIC|Virtual|  +--+ |
| +--+  |Switch |   |  |     Network     |  |   |Switch |  +--+ |
| |VM|--|       |   |  |                 |  |   |       |--|VM| |
| +--+  +-------+---+  |                 |  +---+-------+  +--+ |
+----------------------+                 +----------------------+
                 ()==========================()
                      Switch-Switch tunnel
- Encapsulates in a UDP packet
- 24 bits of tenant space (16 million)
- http://tools.ietf.org/id/draft-mahalingam-dutt-dcops-vxlan-02.txt
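The encapsulation these bullets describe, as an added example that is not code from the slides or from any of the linked drafts: it builds the 8-byte VXLAN header (flags byte with the I bit, 24-bit VNI, reserved bytes) in front of an inner Ethernet frame, parses it back out of the UDP payload, compares the 24-bit VNI space with the 12-bit VLAN ID space, and has a minimal tunnel endpoint refuse frames whose VNI maps to no known tenant. The `Vtep` class, the function names, and all MAC addresses, VNIs and payloads are this example's own constructed values.

```python
"""VXLAN framing demo (added example; not code from the slides or the drafts).

Shows the 8-byte VXLAN header that goes in front of an inner Ethernet frame
inside a UDP packet, the 24-bit VNI versus the 12-bit VLAN ID, and a minimal
tunnel endpoint that refuses frames whose VNI belongs to no known tenant.
All MAC addresses, VNIs and payloads below are constructed sample values.
"""
import struct

VLAN_ID_BITS = 12        # 802.1Q VLAN ID field
VXLAN_VNI_BITS = 24      # VXLAN Network Identifier
VXLAN_FLAG_I = 0x08      # "I" flag: the VNI field is valid
VXLAN_HDR_FMT = "!B3xI"  # flags, 3 reserved bytes, (VNI << 8 | reserved byte)
VXLAN_HDR_LEN = struct.calcsize(VXLAN_HDR_FMT)  # 8 bytes


def tenant_space(id_bits):
    """Number of distinct tenant identifiers an id_bits-wide field can hold."""
    return 1 << id_bits


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build a minimal inner Ethernet frame (no FCS) from colon-separated MACs."""
    def mac_bytes(mac):
        return bytes.fromhex(mac.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame):
    """Split an Ethernet frame into its header fields and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")

    def mac_str(raw):
        return ":".join(f"{b:02x}" for b in raw)
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "dst": mac_str(frame[:6]),
        "src": mac_str(frame[6:12]),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def vxlan_encapsulate(vni, inner_frame):
    """Prepend a VXLAN header; the result is the payload of the outer UDP packet."""
    if not 0 <= vni < tenant_space(VXLAN_VNI_BITS):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the last 32-bit word; low byte is reserved.
    header = struct.pack(VXLAN_HDR_FMT, VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(udp_payload):
    """Return (vni, inner_frame) from a UDP payload carrying VXLAN."""
    if len(udp_payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack(VXLAN_HDR_FMT, udp_payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return word >> 8, udp_payload[VXLAN_HDR_LEN:]


class Vtep:
    """Hypothetical minimal tunnel endpoint: one VNI per tenant, drop everything else."""

    def __init__(self, tenants_by_vni):
        self.tenants_by_vni = dict(tenants_by_vni)

    def send(self, tenant, frame):
        """Encapsulate a tenant's frame with that tenant's VNI."""
        for vni, name in self.tenants_by_vni.items():
            if name == tenant:
                return vxlan_encapsulate(vni, frame)
        raise KeyError(f"unknown tenant {tenant!r}")

    def receive(self, udp_payload):
        """Decapsulate; return (tenant, parsed frame), or None if the VNI is unknown."""
        vni, frame = vxlan_decapsulate(udp_payload)
        tenant = self.tenants_by_vni.get(vni)
        if tenant is None:
            return None  # never deliver an unmapped VNI into any tenant's L2 segment
        return tenant, parse_ethernet(frame)


def underlay_observer_sees(udp_payload):
    """What any host on the underlay can read: the VNI and the inner payload, in clear."""
    vni, frame = vxlan_decapsulate(udp_payload)
    return vni, parse_ethernet(frame)["payload"]


if __name__ == "__main__":
    vtep = Vtep({0x000A01: "tenant-a", 0x000B02: "tenant-b"})
    frame = ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, b"hello from A")
    packet = vtep.send("tenant-a", frame)
    print("VLAN IDs:", tenant_space(VLAN_ID_BITS), "VNIs:", tenant_space(VXLAN_VNI_BITS))
    print("received:", vtep.receive(packet))
    print("underlay observer sees:", underlay_observer_sees(packet))
```

`underlay_observer_sees` needs nothing but the UDP payload: the VNI and the inner frame are plain bytes, so the overlay separates tenants only as far as the underlay and its tunnel endpoints are trusted, which is the reason for the closing advice to keep using TLS or IPsec between backend services.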
- Uses GRE encapsulation, which
- 24 bits of tenant space (16 million)
- http://tools.ietf.org/id/draft-sridharan-virtualization-nvgre-01.txt
- Uses a "cute" hack to get performance from network gear
- Uses the TCP header "syntax" (looks like TCP on the wire, but carries no TCP session)
- Take advantage of hardware TCP offload on existing server hardware
- 24 bits of tenant space (16 million)
- http://tools.ietf.org/id/draft-davie-stt-02.txt
- Open vSwitch implements GRE already
- STT is implemented for Open vSwitch but closed source (Nicira)
- VXLAN is not yet in Open vSwitch but is being worked on
- L2 in L3 is probably here to stay in the cloud
- Overlays give a level of isolation but not real security
- You should still use TLS/SSL, IPsec, etc. between backend services