Hi Ivan,
> With a firewall between app stack layers, L3VPN buys you almost
> nothing - the traffic has to go through the firewall anyway.
Completely disagree.
The L3VPN I have in mind is really not a "traditional" L3VPN - it is just
a mechanism we could be reusing.
So if the tenant requires a firewall between his subnets you simply model
such a tenant as two L3VPNs and with two lines of configuration
interconnect those two VPNs via a firewall appliance sitting _anywhere_ in
the DC fabric.
That's the point of reusing L3VPN technology in the DC ... not to provide a WAN-
like analogy where the customer gets a single VPN. (However, even there, as you
very well know, it is pretty trivial to create arbitrary topologies by
simply playing with RTs - for example full mesh vs. hub and spoke.)
Best,
R.
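Robert's two points above (a tenant split into two L3VPNs stitched through a firewall, and topologies built by "playing with RTs") can be checked with a small model of RT-driven route import. This is an added example, not code from the thread or any vendor's configuration; the VRF names, RT values and prefixes are constructed.

```python
import ipaddress

# Constructed model of BGP/MPLS L3VPN route distribution: a VPN route exported
# with RT set E is installed in VRF B exactly when E intersects B's import RTs.
class Vrf:
    def __init__(self, name, prefixes, export_rts, import_rts):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.export_rts = set(export_rts)
        self.import_rts = set(import_rts)

def build_tables(vrfs):
    """Return {vrf_name: [(network, originating_vrf)]} after RT-based import."""
    tables = {}
    for dst in vrfs:
        routes = [(n, dst.name) for n in dst.prefixes]          # local routes
        for src in vrfs:
            if src is not dst and src.export_rts & dst.import_rts:
                routes += [(n, src.name) for n in src.prefixes]  # imported
        tables[dst.name] = routes
    return tables

def next_hop_vrf(tables, src_vrf, ip):
    """Longest-prefix match in src_vrf's table; returns the VRF that originated
    the matching route (where the packet is forwarded next), or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(n, o) for n, o in tables[src_vrf] if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def two_vpns_via_firewall():
    """Tenant modelled as two L3VPNs (web, app) joined only through a firewall
    VRF: each tenant VRF exports its own RT and imports only the firewall's RT,
    so neither learns the other's prefixes directly; the firewall VRF imports
    both tenant RTs and exports a default route towards them."""
    web = Vrf("web", ["10.1.0.0/24"], {"65000:1"}, {"65000:99"})
    app = Vrf("app", ["10.2.0.0/24"], {"65000:2"}, {"65000:99"})
    fw = Vrf("fw", ["0.0.0.0/0"], {"65000:99"}, {"65000:1", "65000:2"})
    return build_tables([web, app, fw])

def full_mesh():
    """Same tenant with one shared RT: web and app reach each other directly."""
    rt = {"65000:1"}
    return build_tables([Vrf("web", ["10.1.0.0/24"], rt, rt),
                         Vrf("app", ["10.2.0.0/24"], rt, rt)])
```

Checking `next_hop_vrf(two_vpns_via_firewall(), "web", "10.2.0.5")` shows the web-to-app path is forced through the firewall VRF, while the same query against `full_mesh()` resolves to the app VRF directly.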
Usually one would have a firewall between Web->App and App->DB server
or it makes no sense to have them in different subnets.
With a firewall between app stack layers, L3VPN buys you almost
nothing - the traffic has to go through the firewall anyway.
The other option is a hypervisor-embedded firewall sitting in front
of a VM - yet again, having VMs in different subnets is a cosmetic
exercise.
Alternatively, one could install per-flow shortcut entries after a
flow is inspected by a traditional firewall (ex: Cisco VSG, although
it's not an inter-subnet FW), for example through OpenFlow, but
that's (in my opinion) way beyond simple L3VPN.
Ivan
-----Original Message-----
From: Robert Raszuk [mailto:[email protected]]
Sent: Friday, July 27, 2012 5:59 PM
To: Paul Unbehagen
Cc: David Allan I; Ivan Pepelnjak; [email protected]; [email protected]; Lucy yong; NAPIERALA, MARIA H; Luyuan Fang (lufang)
Subject: Re: [nvo3] Role of ARP/RARP
Paul,
> Many web apps require cross VM communications, e.g. Web server to App
> server to DB server back to App server back to web server then
> finally back to user browser. Thus cross fabric flows are typical in
> many applications
Absolutely.
That's why avoiding the creation of VLANs in the first place in any
part of the DC network where East-West traffic is of non-negligible
amount is highly recommended.
L3VPN over a non-service-aware pure IP transport works very nicely
and addresses the above application model pretty well.
Best, R.
Many web apps require cross VM communications, e.g. Web server to
App server to DB server back to App server back to web server
then finally back to user browser. Thus cross fabric flows are
typical in many applications.
Size, scale, and design may affect this a bit, but that's a
general app flow commonality that exists. This is why inter-VLAN
routing is used heavily in DCs of many different sizes.
-- Paul Unbehagen
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3