The present invention relates to data center infrastructure, and more particularly, this invention relates to providing deep packet inspection services to virtual overlay network traffic in a data center.
While the need for elasticity of data center infrastructure has been debated at great length and the industry has already imagined multiple competing ideas on how to make data centers more agile, there has been less emphasis on virtualizing security and services. Some security features include firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), etc., and some services include accelerators, virtual private network (VPN) termination, load balancing, traffic compression, intelligent shaping, rate limiting, etc. Sharing infrastructure across multiple applications and clients is becoming increasingly common with server virtualization and distributed application architectures, and recent trends indicate that an exponential increase in server-to-server communications (termed east-west traffic in a data center) is likely as applications become more and more distributed.
Virtual overlay networks, such as virtual extensible local area network (VXLAN) and others, use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency. Due to the additional encapsulation protocol headers, it is not possible for existing or legacy Inter-Networking Elements (INEs), such as physical infrastructure routers and switches, among others, to determine information from within the original packet. This is because the original packet inside of the overlay protocol headers appears to the legacy INEs as a traditional data payload. Furthermore, this lack of visibility into the original packet prevents INEs from implementing sophisticated network security and services. Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks. The original Ethernet packets are tunneled through the network from an originator to the nearest VXLAN gateway. VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components). Since VXLAN gateways understand (are capable of processing) the VXLAN protocol and its tunnels, they have the capability to identify the encapsulated packets. However, currently, these gateways are not capable of applying services or security to traffic flowing therethrough.
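The visibility gap described above can be made concrete with a small decapsulation routine. The following is an added example, not code from the patent or from any VXLAN gateway implementation: it parses an outer Ethernet/IPv4/UDP/VXLAN frame, returns the VNI and the inner packet's addresses and port (the fields a gateway-hosted firewall or IDS would need), and returns `None` for anything that is not VXLAN, which is all a legacy INE can ever conclude because the inner frame is opaque UDP payload to it. The sample frame, the MAC and IP addresses, and the VNI 5000 are constructed for the example; the UDP port 4789 and the VXLAN header layout follow RFC 7348.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (RFC 7348)

def parse_ethernet(buf):
    """Return (dst_mac, src_mac, ethertype, payload) of an Ethernet II frame."""
    dst, src, etype = struct.unpack("!6s6sH", buf[:14])
    return dst.hex(":"), src.hex(":"), etype, buf[14:]

def parse_ipv4(buf):
    """Return (src_ip, dst_ip, protocol, payload); honours the IHL field."""
    ihl = (buf[0] & 0x0F) * 4
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], buf[ihl:]

def inspect_vxlan(frame):
    """Peel outer Ethernet/IPv4/UDP/VXLAN and describe the tunnelled packet.
    Returns None when the frame is not VXLAN (the legacy-INE view of the tunnel)."""
    _, _, etype, l3 = parse_ethernet(frame)
    if etype != 0x0800:
        return None
    _, _, proto, l4 = parse_ipv4(l3)
    if proto != 17 or len(l4) < 16:
        return None
    _, dport, _, _ = struct.unpack("!HHHH", l4[:8])
    flags, vni = l4[8], int.from_bytes(l4[12:15], "big")
    if dport != VXLAN_UDP_PORT or not flags & 0x08:  # I flag marks a valid VNI
        return None
    idst, isrc, ietype, ipay = parse_ethernet(l4[16:])
    info = {"vni": vni, "inner_src_mac": isrc, "inner_dst_mac": idst}
    if ietype == 0x0800:
        s, d, p, l4i = parse_ipv4(ipay)
        info.update(inner_src_ip=s, inner_dst_ip=d, inner_proto=p)
        if p == 6 and len(l4i) >= 4:  # TCP: expose destination port for policy
            info["inner_dst_port"] = struct.unpack("!HH", l4i[:4])[1]
    return info

def build_sample():
    """Constructed frame: VNI 5000 carrying an inner TCP SYN to 10.0.0.2:22."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                           socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")) + tcp
    inner_eth = bytes.fromhex("0000000000aa0000000000bb0800") + inner_ip
    vxlan = bytes([0x08, 0, 0, 0]) + (5000).to_bytes(3, "big") + b"\x00" + inner_eth
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                           socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")) + udp
    return bytes.fromhex("0000000000cc0000000000dd0800") + outer_ip
```

Running `inspect_vxlan(build_sample())` yields the tunnel identifier plus the inner 10.0.0.1 to 10.0.0.2:22 flow; rewriting the outer UDP destination port to anything other than 4789 makes the same bytes indistinguishable from ordinary UDP traffic.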