VIRTUAL MACHINE SNOOPING ON ALCATEL-LUCENT OMNISWITCH 6900 AND 10K APPLICATION NOTE

Virtual Machine Snooping on VXLAN-based overlay networks


INTRODUCTION

Virtual extensible LAN (VXLAN) is a virtual network overlay technology that is currently widely used in data centers and other networks, because it allows building private networks without changing the core of the network. However, when using VXLAN, the network itself only sees the outer IP header and has no visibility into the traffic from the virtual machines (VMs) inside the VXLAN network. The network can only use the outer header data when making quality of service (QoS) policy decisions. This effectively limits QoS policy application to the tunnel itself, not to VM-specific or virtual-network-specific traffic. Additionally, if there are problems within the network, the administrators cannot identify the correlation between the real and virtual network topologies. These issues are especially acute in a cloud orchestration environment such as OpenStack®, where multiple virtual (tenant) networks with numerous VMs (and their associated traffic flows) are all contained within one VXLAN tunnel.

Alcatel-Lucent Enterprise has addressed these issues with the new feature on the OmniSwitch® 6900 and 10K platforms: virtual machine snooping. VM snooping allows OmniSwitch to see and act on the VXLAN-specific header information, as well as the embedded VM-specific addresses and header fields. Having this information, OmniSwitch can not only monitor and record the presence and actual traffic patterns of VM, but also apply QoS policies to specific VXLAN virtual networks or to specific virtual machines.

This feature can be very useful when combined with cloud orchestration environments (like OpenStack), because it allows the network operator to apply QoS policies that are attached to specific tenant networks and specific operator-identified VM flows within a tenant network.

Figure 1: VXLAN network. Three VM hosts (172.16.222.27, 172.16.222.28 and 172.16.222.25) are connected through a VXLAN tunnel; the hosts carry VM1.0 (1.1.1.1), VM1.1 (1.1.1.2), VM5.0 (5.5.5.1) and VM6.0 (6.6.6.1). Without snooping, only the aggregate traffic from 172.16.222.27 is visible to the network; snooping enables visibility to the individual VM traffic flows.

enterprise.alcatel-lucent.com Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein. (April 2015)

KEY FEATURES OF VM SNOOPING

• The operator is able to see VM-specific flow data within a VXLAN tunnel: VXLAN Network Identifier (VNI), VM source MAC address, and VM source IP address. The traffic flow details include flow statistics that can be used to identify and track flows which may require further investigation (or require QoS-policy-based actions).

• Tracking of multiple tunnels based on the outer User Datagram Protocol (UDP) destination port allows configurations using non-standard tunnel definitions, or multiple tunnels that use different outer UDP destination ports.

• Snooping is enabled on a port basis (single port or multiple ports, link aggregates can be included). This allows the operator to target the specific physical devices or paths of interest.

• QoS profiles can be applied to combinations of inner packet VM header fields, which makes it possible to target very specific flows. The flow data may be based on the flows discovered through VM snooping, or on specific characteristics known by the operator. The profile can contain and enforce any currently supported QoS policy action.

• QoS policies may be static or dynamic. Dynamic policies maximize the available policy actions by loading only those associated with active (detected) flows.

• Advanced policy mode allows the use of IPv6 addresses, Layer 4 source and destination ports, as well as IP protocol data in profile definitions at the expense of the number of policies allowed.

• OmniVista® aggregates VM Snooping data from multiple OmniSwitches, allowing a network-wide view of VM traffic. The operator can then create global profiles within OmniVista, and these profiles can be applied to one or more OmniSwitches.

• When provisioning tenant VMs using an orchestration system (like OpenStack), the operator can use VM-specific data (such as source and destination MAC address) that is generated by the system to manually define QoS profiles for use within OmniVista.
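The introduction and the feature list above describe what a snooping switch has to do: look past the outer IPv4/UDP header, accept the VXLAN header on the standard or an operator-configured UDP destination port, read the VNI and the inner VM MAC/IP fields, keep per-flow statistics, and match the inner fields against QoS profiles. The following Python is an added illustration of that pipeline and is not code from Alcatel-Lucent or the OmniSwitch; the frame layout is standard VXLAN (RFC 7348), while the frame builder, the flow-table keys, the profile fields, the sample MAC/IP values and the non-standard port 8472 are all assumptions constructed for the example.

```python
"""Toy VXLAN snooper: outer Ethernet/IPv4/UDP -> VXLAN -> inner Ethernet/IPv4 (added example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

VXLAN_DEFAULT_PORT = 4789  # IANA-assigned VXLAN UDP destination port


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_vxlan_frame(frame: bytes, vxlan_ports=frozenset({VXLAN_DEFAULT_PORT})):
    """Return the snooped fields (VNI, inner MACs, inner IPs, inner protocol), or None
    when the frame is not VXLAN: not IPv4/UDP, UDP port not in vxlan_ports, or the
    VXLAN 'I' flag clear. Outer IP options are skipped via IHL; the inner frame must
    be untagged IPv4 in this toy (no inner VLAN tag or IPv6 handling)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if frame[23] != 17:                       # outer IP protocol must be UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4         # honour outer IHL
    vx, eth, ip = udp + 8, udp + 16, udp + 30
    if len(frame) < ip + 20:
        return None
    dst_port = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dst_port not in vxlan_ports:           # non-standard tunnels are tracked by port set
        return None
    if not frame[vx] & 0x08:                  # 'I' flag: VNI field is valid
        return None
    if frame[eth + 12:eth + 14] != b"\x08\x00":
        return None
    return {
        "vni": int.from_bytes(frame[vx + 4:vx + 7], "big"),
        "outer_src_ip": _ip(frame[26:30]),
        "inner_dst_mac": _mac(frame[eth:eth + 6]),
        "inner_src_mac": _mac(frame[eth + 6:eth + 12]),
        "inner_proto": frame[ip + 9],
        "inner_src_ip": _ip(frame[ip + 12:ip + 16]),
        "inner_dst_ip": _ip(frame[ip + 16:ip + 20]),
    }


def build_vxlan_frame(vni, outer_src_ip, outer_dst_ip, inner_src_mac, inner_dst_mac,
                      inner_src_ip, inner_dst_ip, inner_proto=6,
                      udp_dst_port=VXLAN_DEFAULT_PORT, payload=b"\x00" * 20):
    """Construct a VXLAN frame for testing (checksums zero, outer MACs placeholders)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           inner_proto, 0, _ip_bytes(inner_src_ip), _ip_bytes(inner_dst_ip))
    inner = (bytes.fromhex(inner_dst_mac.replace(":", "")) +
             bytes.fromhex(inner_src_mac.replace(":", "")) + b"\x08\x00" + inner_ip + payload)
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, udp_dst_port, udp_len, 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                           _ip_bytes(outer_src_ip), _ip_bytes(outer_dst_ip))
    outer_eth = bytes.fromhex("0000aa000001") + bytes.fromhex("0000aa000002") + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner


class FlowTable:
    """Per-(VNI, inner source MAC, inner source IP) packet/byte counters for a snooped port."""
    def __init__(self, vxlan_ports=frozenset({VXLAN_DEFAULT_PORT})):
        self.vxlan_ports = vxlan_ports
        self.flows = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def snoop(self, frame: bytes):
        fields = parse_vxlan_frame(frame, self.vxlan_ports)
        if fields is None:
            return None
        key = (fields["vni"], fields["inner_src_mac"], fields["inner_src_ip"])
        self.flows[key]["packets"] += 1
        self.flows[key]["bytes"] += len(frame)
        return key


@dataclass(frozen=True)
class QosProfile:
    """QoS profile keyed on VNI plus optional inner-header fields (None = wildcard)."""
    name: str
    action: str
    vni: int
    inner_src_mac: Optional[str] = None
    inner_src_ip: Optional[str] = None
    inner_proto: Optional[int] = None

    def matches(self, fields) -> bool:
        if fields["vni"] != self.vni:
            return False
        return all(getattr(self, a) is None or fields[a] == getattr(self, a)
                   for a in ("inner_src_mac", "inner_src_ip", "inner_proto"))


def classify(frame, profiles, vxlan_ports=frozenset({VXLAN_DEFAULT_PORT})):
    """Action of the first matching profile (order profiles most-specific first), else None."""
    fields = parse_vxlan_frame(frame, vxlan_ports)
    if fields is None:
        return None
    return next((p.action for p in profiles if p.matches(fields)), None)


# Constructed sample traffic modelled on Figure 1: VM1.0 (1.1.1.1) behind host 172.16.222.27,
# VM6.0 (6.6.6.1) behind 172.16.222.25 on a tunnel using a non-standard UDP port (assumption).
VM1_TCP = build_vxlan_frame(100, "172.16.222.27", "172.16.222.28",
                            "02:00:00:00:01:01", "02:00:00:00:01:02", "1.1.1.1", "1.1.1.2")
VM1_UDP = build_vxlan_frame(100, "172.16.222.27", "172.16.222.28",
                            "02:00:00:00:01:01", "02:00:00:00:01:02", "1.1.1.1", "1.1.1.2",
                            inner_proto=17)
VM6_ODD_PORT = build_vxlan_frame(600, "172.16.222.25", "172.16.222.28",
                                 "02:00:00:00:06:01", "02:00:00:00:01:02", "6.6.6.1", "1.1.1.2",
                                 udp_dst_port=8472)
PROFILES = [  # most specific first, as a policy list would be ordered
    QosProfile("vm1-tcp", "priority 7", vni=100, inner_src_ip="1.1.1.1", inner_proto=6),
    QosProfile("tenant-100-all", "priority 3", vni=100),
]

if __name__ == "__main__":
    table = FlowTable(frozenset({VXLAN_DEFAULT_PORT, 8472}))
    for f in (VM1_TCP, VM1_TCP, VM1_UDP, VM6_ODD_PORT):
        print(table.snoop(f), classify(f, PROFILES, table.vxlan_ports))
    print(dict(table.flows))
```

Two behaviours worth noting: a frame on port 8472 is invisible to a snooper configured only for 4789 (it simply is not VXLAN to that snooper), which is why per-port tunnel tracking matters; and the VM1 UDP frame falls through the protocol-specific profile to the tenant-wide one, mirroring the general-versus-targeted policies described in the conclusion.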

CONCLUSION

The VM snooping feature provides visibility and tracking of the virtual network traffic flows within a VXLAN topology. This allows network operators to identify, monitor and target specific VM traffic flows or entire virtual networks for special QoS handling, which in turn makes it possible to optimize traffic that was previously untraceable. The QoS policies can be general — any flow in a specific virtual network — or targeted to a specific protocol from a specific VM.

Benefits

• VM snooping provides a view of the traffic flow inside the VXLAN tunnel, making it possible for network operators to identify and understand VM traffic flows.

• QoS profiles can be associated with the VXLAN tunnel to apply policies affecting specific VM traffic, or all traffic within a virtual network in the tunnel. This allows the network operator to optimize VM traffic as needed.

• VM snooping can be used in conjunction with cloud orchestration tools (like OpenStack) to provide QoS for the tenant network (based on VNI alone, or in combination with VM-specific data, such as inner source IP).