Usually one would have a firewall between Web->App and App->DB server or it makes no sense to have them in different subnets.
With a firewall between app stack layers, L3VPN buys you almost nothing - the traffic has to go through the firewall anyway. The other option is a hypervisor-embedded firewall sitting in front of a VM - yet again, having VMs in different subnets is a cosmetic exercise.

Alternatively, one could install per-flow shortcut entries after a flow is inspected by a traditional firewall (ex: Cisco VSG, although it's not an inter-subnet FW), for example through OpenFlow, but that's (in my opinion) way beyond simple L3VPN.

Ivan

> -----Original Message-----
> From: Robert Raszuk [mailto:[email protected]]
> Sent: Friday, July 27, 2012 5:59 PM
> To: Paul Unbehagen
> Cc: David Allan I; Ivan Pepelnjak; [email protected]; [email protected];
> Lucy yong; NAPIERALA, MARIA H; Luyuan Fang (lufang)
> Subject: Re: [nvo3] Role of ARP/RARP
>
> Paul,
>
> > Many web apps require cross VM communications, eg Web server to App
> > server to DB server back to App server back to web server then
> > finally back to user browser. Thus cross fabric flows are typical in
> > many applications
>
> Absolutely.
>
> That's why avoiding creation of VLANs in the first place in any part of
> the DC network where East-West traffic is of non negligible amount is
> highly recommended.
>
> L3VPN over no service aware pure IP transport works very nicely and
> addresses the above application model pretty well.
>
> Best,
> R.
>
> > Many web apps require cross VM communications, eg Web server to App
> > server to DB server back to App server back to web server then finally
> > back to user browser. Thus cross fabric flows are typical in many
> > applications
> >
> > Size, scale, and design may affect this a bit, but that's a general
> > app flow commonality that exists. This is why interVLAN routing is
> > used heavily in DC's of many different sizes.
> >
> > --
> > Paul Unbehagen

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
