|Cisco vPath 2.0|
I'd like to share some excitement about the Cisco vPath 2.0 technology, which seems to be key to simpler delivery of automated (and non-automated) virtual services in the datacenter. There doesn't seem to be a lot of real detail available online yet, so I'm going to pass along information gleaned from CiscoLive 2012, especially Jim French's presentation, BRKAPP-2026, "Unified Network Services". Any mistakes are completely mine.
What is vPath?
vPath 1.x is flow technology programmed into the Cisco Nexus 1000v virtual switch. The initial use was with the Virtual Security Gateway (VSG) for zone-based control over flows between virtual machines (VMs). The initial packets of a flow can be examined for permit/deny policy, and then the VEM can do forwarding or dropping of packets based on the results of the policy check. Cisco's positioning is that you use VSG for inter-VM flows, and ASA 1000v ("vASA") for outside to VM firewalling.
vPath 2 enhances the initial capability considerably. I can share with you what it is good for. I'm still looking for more information about what internally it is doing with flows, which 1000v component is doing the work (VSM or VEM), etc. There was mention of hardware offload for vPath.
A Key Concept from OpenFlow De-Mystified
Ok, that might be a little bit overly pretentious as a section title. I've been trying to track OpenFlow for a while, with thanks to the bloggers that have been writing about it. I keep coming back to thinking of it as in effect a control plane that sets up per-flow paths (for varying values of "flow"), somewhat akin to the concept that an MPLS control plane can set up Label Switch Paths (LSPs). That is, you can set up tunnels or flow paths for traffic across a bunch of devices under central control.
The other idea that resonated for me was that firewalls, load balancers, and other devices basically are applying a relatively small set of actions to flows (transmit packet, drop packet, redirect packet to box, apply QoS, etc.). Cisco somewhat recognized this with MQC, in that you have to recognize certain traffic for ACL's, QoS, ACE load balancing, packet inspection, so why not have a unified CLI for describing such flows. OpenFlow potentially combines the actions on the backend, combining all the packet handling into what the switch fabric does to packets or L2 frames.
Putting it more simply, what if you could have policies that shove packets around somehow, getting them from point A to point B. When they arrive at point B, be it a virtual appliance or physical appliance, it doesn't care how the L2 frame or L3 packet got there, it processes it. And that's the connection to vPath 2.0, it shoves frames around within the 1000v code, to the sequence of virtual devices you specify.
vPath 2.0 adds support for:
Let's take a look at these in turn.
Here's my version of a key diagram in the CiscoLive presentation.
The point is we can program a list of virtual services into our 1000v / vPath 2.0. Packets entering the 1000v will then have services applied to them (be sent to virtual appliances) in a specified order. The snaking green line indicates a packet hitting vWAAS then vASA, vACE, VSG, vNAM, a web server VM, another vASA firewall, an application server VM, and exiting to a database server, possibly a physical one.
I've been doing a writeup for a customer of how to do that sort of thing with a non-Cisco load balancer and ASA contexts. The VLAN plumbing gets ... interesting. Now think about configuring all the appliances listed above to work together to deliver an application or service. When you do it with physical devices, the green path is basically a bunch of VLANs between the various components. With vPath, all the devices just attach to the same VLAN, and vPath handles the sequencing. That's not only easier, but scales VLANs better for multi-tenant applications.
Stateful return path
Flows coming through a stateful firewall need to have replies that come back through the firewall with state. vPath 2.0 apparently does that.
Clustering for scale
If you share state across multiple firewalls in a stateful cluster, they can load balance, allowing performance scaling by addition of cluster members. Apparently vPath 2.0 may be cluster aware.
Questions: Is vPath 2.0 cluster aware, in what sense? Is the scaling linear, how many replicas can it scale to before the performance increase becomes grossly sub-linear?
The Unified Network Services presentation had a lot of other good information and thinking in it -- fodder for a future blog. It may be useful to include a list of virtualized services from one of the presentation slides, to help understand the potential of vPath 2.0. I liked the naming convention of vWhatever (versus Whatever 1000v)... So here's the list of present / future virtualized L4-7 services: vWAAS, vASA, VSG, vACE, vNAM, vWSA (Web Security Appliance), vECDS, vGSS, CSR / vIOS.
I'm not finding a lot of material online about vPath 2.0. Is that because it is basically cool Cisco technology that happens to be buried inside the code for the 1000v? It doesn't help that apparently the term "vpath" has been around in the programming community for a while. Perhaps more Cisco collateral about vPath 2.0 is in the works ... The main 1000v and vPath 2.0 page is http://www.cisco.com/en/US/products/ps9902/index.html