With VMware pushing Software Defined Datacenter, and with a host of network vendors developing technology around
Virtual Extensible LAN (VXLAN), which was introduced last year by Cisco and VMware at VMworld (along with support from Arista, Brocade and Broadcom), is a Layer 3 encapsulation protocol that overcomes the limitations of virtual LANs (VLANS) in virtual environments and in multi-tenant networks. With VXLAN, engineers can spin up thousands more virtual networks that can stretch longer distances across data centers.
This year, VXLAN gained the spotlight at VMWorld, with vendors launching a slew of third-party services such as load balancing and traffic QoS for virtual networks, but very little of this technology addressed the need for VXLAN monitoring and visibility.
The VXLAN visibility challenge
VXLAN introduces the same visibility challenges as most encapsulation methods. Essentially, end-to-end traffic is hidden inside the tunnel, so you must be able to strip away the encapsulation for sustained monitoring and troubleshooting. This is crucial for viewing traffic traversing the backbone, or between data centers where VXLAN will most likely show up.
VXLAN monitoring tools: What's available?
Most network management vendors have yet to implement specific support for VXLAN, but there are a few options out there that can help today:
Flow analysis. Riverbed's Cascade team announced it would support the IPFIX records produced by VMware's vSphere Distributed Virtual Switch (VDS), which provide intra-VXLAN flow details. This is the first flow-analysis vendor to step up to support VXLAN. Others may follow but will lag in availability. Also, we have yet to see other infrastructure vendors add support for the new IPFIX templates that will be important for checking VXLAN traffic outside of the virtual distributed switch. Additionally, in theory, sFlow supports VXLAN today, though vendors will need to build or extend an sFlow analysis tool to reveal the details therein.
Wireshark and deep troubleshooting. Wireshark already had VXLAN decodes in place, which were added in November 2011 and have been part of the mainline code since version 1.8.0. Other packet analysis tools can still be used but may not have a formalized decode yet. Check with your favorite vendor to find out for sure.
More on VXLAN and virtual network management
VXLAN primer: Extended VLANs and long-distance VM migration
Integrate physical and virtual network services with VXLAN gateways
Cisco Nexus 1000v: A different tack on VXLAN
In wake of tepid adoption, Cisco sweetens Nexus 1000v deal
Packet-based monitoring. Looks like we are all out of luck here until the packet-inspection monitoring vendors add this. The good news is that it won't be difficult for them, because they already support looking inside other tunnelling protocols such as Generic Routing Encapsulation (GRE) and GPRS Tunneling Protocol (GTP); this is just an adaption. Make sure you make a point of asking your tools vendor for this feature -- they commonly prioritize enhancements based on customer requests.
Network monitoring switches. Some of these monitoring access devices can strip VLAN headers so that monitoring can proceed based on actual packet contents. Being able to strip both VXLAN and VLAN headers would be especially useful for preconditioning traffic for analysis. None of the network monitoring switch providers has added VXLAN stripping yet, though several have told me that this is on their roadmaps.
NCCM needed for VXLAN environments
Network managers will also need Network Change and Configuration Management (NCCM) to manage multivendor configuration of VXLANs. Today, this can only be defined or configured on an element-by-element basis outside of vSphere. While many NCCM vendors have stated plans to support VXLAN in the future, none currently offers much more than backup and restore services for device configurations that have already been set up using element management tools.
If VMware's bets pay off and VXLAN becomes commonplace, you can bet that more support will be forthcoming among network management vendors. In the meantime, make the best of what you have and keep pressing your vendors to add VXLAN support if they don't offer it today.
This was first published in October 2012