L2 and L3 VPNs (Virtual Private Networks) are common constructs in today's network deployments, used to extend the reachable network beyond the traditional datacenter boundary in a secure fashion. As distributed multi-site datacenters become a reality and the capacity of the services they offer grows, the traditional appliance-based chokepoint L2 and L3 encryption services fail to meet the scale such deployments demand. As multi-site datacenters become more prevalent, stitching the secured traffic moving between these sites in a seamless and scalable way is becoming critical.
For example, a VPN gateway installed on the perimeter of an enterprise's internal network, facing the Internet, allows external networks (or devices) to connect into the network through a tunnel over SSL/DTLS or IKE/IPsec. All traffic between such networks has to pass through the tunnel endpoints. A tunnel endpoint encrypts outgoing traffic for forwarding, and decrypts incoming packets and feeds them into its own network. Routing and policy-based forwarding (PBF) direct the relevant traffic from the internal network to a local tunnel endpoint, where bridging or PBF is applied again to find the right tunnel to the remote network.
In addition to tunneling, an enterprise network providing VPN services also has to perform cryptographic operations at its perimeter. Cryptographic operations are fairly heavyweight in resource terms, over and above the PBF and bridging lookups. As traffic demand at the perimeter grows, often the only option is to invest in more dedicated, specialized hardware for running VPN services.
With overlays such as VXLAN used within the datacenter to provide network virtualization, the topology of the remote network is not visible to the local network either, so the perimeter edge has to strip the overlay header on the way out and attach it again on the way in. Seamless stitching of a multi-site datacenter therefore places an even greater burden on the edge device performing this task.
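The strip-on-egress / re-attach-on-ingress step described above, as an added example that is not part of the original text: a minimal model of the edge device parsing the outer Ethernet/IPv4/UDP/VXLAN headers of an overlay packet, recovering the VNI and inner L2 frame, selecting the remote site tunnel from the VNI (a stand-in for the PBF/bridging lookup), and rebuilding the overlay header at the far side. The function names, the tunnel table and the sample frame are constructed for the example; the encryption between the two edges (SSL/DTLS or IPsec in the text) is deliberately left outside this block, which shows only the header work that burdens the edge.

```python
"""Added example (not the page's own code): VXLAN strip/re-attach at a
multi-site edge.  Names, tunnel table and sample frame are constructed."""
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


@dataclass
class VxlanPacket:
    outer_src_ip: str
    outer_dst_ip: str
    vni: int
    inner_frame: bytes   # the tenant L2 frame carried by the overlay


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when verifying a good header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _bytes_to_ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def strip_vxlan(packet: bytes) -> VxlanPacket:
    """Parse outer Ethernet/IPv4/UDP/VXLAN; reject anything malformed."""
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("too short to carry a VXLAN-encapsulated frame")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only an IPv4 outer header is modelled here")
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer transport is not UDP")
    udp = ip[ihl:]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx = udp[8:]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(vx[4:7], "big")
    return VxlanPacket(_bytes_to_ip(ip[12:16]), _bytes_to_ip(ip[16:20]), vni, vx[8:])


def attach_vxlan(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str) -> bytes:
    """Re-attach the overlay: inner frame -> VXLAN/UDP/IPv4/Ethernet."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = struct.pack("!B3s3sB", VXLAN_FLAG_VNI_VALID, b"\x00" * 3,
                        vni.to_bytes(3, "big"), 0)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP csum 0 is legal over IPv4
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                             64, IPPROTO_UDP, 0,
                             _ip_to_bytes(src_ip), _ip_to_bytes(dst_ip))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner_frame


def edge_egress(packet: bytes, site_table: dict) -> tuple:
    """Local edge: strip the overlay, pick the remote site tunnel by VNI (PBF stand-in)."""
    p = strip_vxlan(packet)
    remote = site_table.get(p.vni)
    if remote is None:
        raise LookupError("no remote site tunnel for VNI %d" % p.vni)
    return remote, p.vni, p.inner_frame


def edge_ingress(inner_frame: bytes, vni: int, local_edge_ip: str, local_vtep_ip: str) -> bytes:
    """Remote edge: re-attach the overlay header before handing to the local VTEP."""
    return attach_vxlan(inner_frame, vni, local_edge_ip, local_vtep_ip)


def sample_inner_frame() -> bytes:
    # constructed tenant L2 frame: dst MAC, src MAC, EtherType, 40-byte dummy payload
    return (b"\x02\xaa\xaa\xaa\xaa\x02" + b"\x02\xaa\xaa\xaa\xaa\x01"
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 40)


if __name__ == "__main__":
    site_table = {5001: "198.51.100.2"}               # constructed: VNI -> remote edge
    local = attach_vxlan(sample_inner_frame(), 5001, "10.0.0.1", "10.0.0.254")
    remote_edge, vni, inner = edge_egress(local, site_table)
    rebuilt = edge_ingress(inner, vni, "10.1.0.254", "10.1.0.1")
    print("VNI %d forwarded to %s, re-attached %d bytes" % (vni, remote_edge, len(rebuilt)))
```

The parser rejects a packet whose VXLAN "I" flag is clear rather than guessing a VNI, and the builder refuses a VNI that does not fit in 24 bits; both are the checks an edge should make before a frame is admitted to the wrong tenant segment.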