Cisco Systems and HP ProCurve are actually working together (sort of) to help network administrators gain more visibility and control over the virtual network switches embedded within the hypervisors that server administrators install by the thousands in data centers every day.
"Working together" might be too strongly worded. Both networking vendors brought competing proposals for new standards to IEEE's 802.1 Working Group this year. Cisco's original proposal, VN-Tagging, also known as port extension, includes some changes to frame formats, which in turn would require hardware upgrades in order to work. ProCurve's proposal,
Cisco and ProCurve actually came together and created something of a joint proposal with a spectrum of standards that include both VEPA and VN-Tagging, dubbed 802.1qbg and 802.1gbh respectively. Both are on the verge of being accepted as new standards projects by the IEEE. Based on how the standards have evolved, VEPA will serve as something of a foundation for Cisco's more ambitious VN-Tagging approach.
Last week, Extreme Networks threw in its lot with ProCurve's approach, becoming the first networking vendor to officially promise to support VEPA once it is ratified.
If VEPA is ratified by the IEEE, Extreme will update XOS, the operating system on its switches, so that Extreme customers can manage switching between virtual machines directly from top-of-rack switches, according to Gordon Stitt, chairman and co-founder of Extreme Networks.
The problem with virtual server networking
For network administrators, virtual server networking has been an endless source of headaches in the data center. Every hypervisor on the market comes with an embedded virtual network switch that manages the traffic of network frames within the physical host server, and for the most part, these virtual switches are invisible to network administrators' tools.
With virtual network switches mostly invisible to them, network administrators struggle to apply to those virtual switches critical network and security policies such as access control lists (ACLs), virtual LANs (VLANs) and quality of service (QoS).
"In a virtualized environment, there are multiple software implementations of servers in a physical server, and then there's a virtual switch on that server that does the switching between those virtual machines. It adds complexity to the network because security and configuration [of virtual switches] need to be consistent with physical switches," Stitt said. "You have a situation now where part of the network is run on the server and is being managed by a server team. This can result in inconsistencies in how servers and the network are configured."
How the IEEE standards for virtual server networking will work
Cisco took a step toward solving this problem with its Nexus 1000v, a software-based switch that replaces a hypervisor's virtual switch and gives networking pros a familiar interface for managing virtual switching, but only in an environment that uses VMware virtualization software.
However, the standards Cisco and ProCurve are developing with IEEE will take a more universal approach to solving these problems.
VEPA, as envisioned by ProCurve, is the foundation of the proposed standard. It creates a series of "port profiles" with relevant security and network policy settings that can apply to various types of virtual machines provisioned by server administrators. When the virtual machine is instantiated, network frames are forwarded to an adjacent physical network switch, most likely the top-of-rack switch. That switch can then apply the appropriate port profile to the virtual machine and, depending on the preference of the enterprise, then send the profile back to the virtual network switch or replace it altogether.
"There is broad support across a large number of vendors for VEPA because it brings value, and it does it in a very non-disruptive, cost-effective way. And because of the simplicity of it, it takes only about 120 lines of code [in a switch's operating system] to implement it," said Joe Skorupa, research vice president at Gartner. "Assuming no one tries to be obstructionist and tries to block the standard, this one should be able to go ahead relatively quickly. And if it can be implemented in just a software update, that's very good."
In addition to improved visibility and control for networking pros, VEPA should also improve performance, Skorupa said. A hypervisor's virtual switch consumes processing power and memory inside a physical switch, which affects performance. By pulling virtual switching out of the server, enterprises can improve server performance and even increase the number of virtual machines on each box.
"I have heard some arguments – I haven't seen the numbers yet – that pulling [virtual switching] out of the server, even if you have to go down the wire all the way to the top-of-rack switch and back again, you'd actually have higher performance and lower latency than you would get switching between two virtual machines on the same server," Skorupa said.
Multicasting: Connecting physical and virtual switches
The pending VEPA standard also contains a critical feature, known as multicasting, which is something of a hybrid of the proposals ProCurve and Cisco originally brought forward, said Joe Pelissier, principal engineer at Cisco.
Since many virtual servers contain more than one virtual network switch, physical switches need to be able to identify which virtual switch traffic is coming from. The multicasting element of VEPA will perform that task and allow physical switches to directly connect to those virtual switches. This more advanced feature will require some hardware upgrades, but the basic VEPA technology can be supported with a simple software upgrade.
The Cisco approach: Port extension to bring QoS and security to virtual machines
Finally, Cisco's VN-Tagging approach is based on the notion that not all physical switches will have the advanced features that network administrators want to apply to virtual machines, such as QoS and security. While VEPA concerns itself only with connections between virtual machines and adjacent switches, Cisco's VN-Tagging introduces port-extender technology, allowing the traffic from a virtual machine to move up the network hierarchy to the switch that does have the needed features.
"Port extension allows you to replace a back-of-blade rack switch, for instance, with a device called a port extender, and the next-higher-up switch in the network becomes the adjacent switch," Pelissier said. "From the Cisco perspective, we were looking at it as a problem of how you manage large networks, especially networks with lots of embedded virtual switches in each switch."
The notion of port extension will require hardware upgrades, however, since many existing switches just won't recognize the changes to packet formats that VN-Tagging will require, according to Paul Congdon, CTO of ProCurve and vice-chairman of the 802.1 Working Group.
"Cisco's approach was, we are 100% of the time going to bypass the hypervisor and force things out into the network," Congdon said. "We believe that there are situations [when] having local switching on the NIC for performance reasons is going to be important. Our approach with VEPA enables you to have both choices."
As both standards move toward ratification, vendors will have a choice of whether they want to embrace VEPA or go a step further and follow Cisco's lead. Extreme has publicly embraced ProCurve's approach, Congdon said, while ProCurve is undecided about adopting VN-Tagging.
"We will upgrade our silicon to support the multichannel scheme so that we can support both VEPA and virtual switches downstream," he said. "Whether we will fully support the port-expansion model of Cisco is another question. We're not convinced that it is compelling for customers to add that cost and complexity into switches."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor