The present invention relates to data center infrastructure, and more particularly, this invention relates to enabling Virtual Ethernet Port Aggregation (VEPA) in a multi-tenant overlay network.
VEPA is a mechanism that offloads access control for inter-virtual-machine (VM) traffic, i.e., the checking and permitting of that traffic, from the servers hosting the VMs to the physical networking elements (switches, routers, etc.) to which the servers are connected.
In an overlay network environment, traffic originating from VMs is encapsulated in a tunneled packet. Due to this constraint, physical networking elements in the overlay network may not be able to enforce client-defined forwarding rules on a VM's traffic, since the data needed for sanity checking is not available at standard offsets within the complete tunneled packet.
Note that in VEPA, the sender and receiver of the traffic reside on the same server but have different identification information, such as different media access control (MAC) addresses, internet protocol (IP) addresses, etc. Hence, in the tunnel header, the source and destination information will represent the same server. The tunnel headers, however, comprise tenant information that is used to perform access control operations. Additionally, the tunnel headers may be built as a User Datagram Protocol (UDP) over IP datagram.
Physical networking elements today do not have the ability to remove the tunnel headers while retaining tenant specific information, perform access control operations on the native virtual machine traffic, reattach the tunnel header (while modifying certain destination addressing information), and then send the packet back to the originating server. However, physical networking elements have very sophisticated access control mechanisms available to perform deep packet inspection operations at higher speeds than would be possible on servers. Accordingly, it would be beneficial to have a solution where VEPA is provided to tunneled packets in an overlay network environment.
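The following is an added example, not code from the patent text, that shows in working form the two points made above: first, that the outer headers of two tunneled packets from different tenants on the same server look identical at the standard offsets (the same server-to-server UDP/IP five-tuple), so a switch that parses only those offsets cannot apply tenant rules; and second, the hairpin operation the text says switches lack today, namely strip the tunnel header while keeping the tenant identifier, apply a tenant-scoped access control rule to the native inner frame, reattach the tunnel header with the outer destination rewritten, and return the packet to the originating server. The encapsulation is an assumption: a VXLAN-style 8-byte tunnel header over UDP port 4789 whose 24-bit VNI carries the tenant identifier (the text says only "UDP over IP"), an IPv4 outer header, and an outer Ethernet header addressed to the switch's MAC on arrival. All MAC and IP addresses and payloads are constructed sample values.

```python
"""Hairpin access control on UDP/IP-tunneled VM traffic (added example).

Assumed encapsulation (not stated in the page): outer Ethernet + IPv4 + UDP
(dst port 4789) + VXLAN-style 8-byte header whose 24-bit VNI is the tenant id,
followed by the native VM Ethernet frame.
"""
import struct
import ipaddress

ETH_HDR_LEN, IPV4_HDR_LEN, UDP_HDR_LEN, TUNNEL_HDR_LEN = 14, 20, 8, 8
TUNNEL_PORT = 4789
INNER_OFFSET = ETH_HDR_LEN + IPV4_HDR_LEN + UDP_HDR_LEN + TUNNEL_HDR_LEN  # 50


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed).
    Over a header with a valid checksum already in place it returns 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                      0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_tunneled_frame(switch_mac: bytes, server_mac: bytes, server_ip: str,
                         tenant_id: int, inner_src_mac: bytes, inner_dst_mac: bytes,
                         inner_payload: bytes) -> bytes:
    """Constructed sample of what the server emits toward the switch. Outer IP
    source and destination are both the server, because sender and receiver VMs
    live on the same host; only the inner frame and the tenant id differ."""
    inner = inner_dst_mac + inner_src_mac + b"\x08\x00" + inner_payload
    tunnel = struct.pack("!II", 0x08000000, tenant_id << 8)  # flags + VNI<<8
    udp_len = UDP_HDR_LEN + TUNNEL_HDR_LEN + len(inner)
    udp = struct.pack("!HHHH", 49152, TUNNEL_PORT, udp_len, 0)
    ip = build_ipv4(server_ip, server_ip, udp_len)
    outer_eth = switch_mac + server_mac + b"\x08\x00"
    return outer_eth + ip + udp + tunnel + inner


def outer_five_tuple(frame: bytes):
    """What a switch sees at the standard L3/L4 offsets: no VM or tenant detail."""
    ip, udp = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_HDR_LEN], frame[34:42]
    sport, dport = struct.unpack("!HH", udp[:4])
    return (str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])), ip[9], sport, dport)


def decapsulate(frame: bytes):
    """Split a tunneled frame into (outer headers, tenant_id, native inner frame)."""
    if len(frame) < INNER_OFFSET + ETH_HDR_LEN:
        raise ValueError("frame too short to carry a tunneled Ethernet frame")
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_HDR_LEN]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("outer header is not IPv4/UDP")
    udp = frame[ETH_HDR_LEN + IPV4_HDR_LEN:INNER_OFFSET - TUNNEL_HDR_LEN]
    if struct.unpack("!H", udp[2:4])[0] != TUNNEL_PORT:
        raise ValueError("not a tunnel packet")
    tunnel = frame[INNER_OFFSET - TUNNEL_HDR_LEN:INNER_OFFSET]
    tenant_id = struct.unpack("!I", tunnel[4:8])[0] >> 8
    return frame[:INNER_OFFSET], tenant_id, frame[INNER_OFFSET:]


def permitted(rules: dict, tenant_id: int, inner: bytes) -> bool:
    """Tenant-scoped rule lookup on the inner (src MAC, dst MAC) pair; default deny."""
    dst_mac, src_mac = inner[:6], inner[6:12]
    return (src_mac, dst_mac) in rules.get(tenant_id, set())


def hairpin(frame: bytes, rules: dict):
    """Return the frame to send back to the originating server, or None if dropped."""
    outer, tenant_id, inner = decapsulate(frame)
    if not permitted(rules, tenant_id, inner):
        return None
    ip = outer[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_HDR_LEN]
    # Reattach the tunnel header with the outer destination rewritten to the
    # originating server (the outer source) and the IPv4 checksum recomputed.
    new_ip = ip[:10] + b"\x00\x00" + ip[12:16] + ip[12:16]
    new_ip = new_ip[:10] + struct.pack("!H", ipv4_checksum(new_ip)) + new_ip[12:]
    # Outer Ethernet: back to the server NIC, sourced from the switch's own MAC.
    new_eth = outer[6:12] + outer[:6] + outer[12:14]
    return new_eth + new_ip + outer[34:INNER_OFFSET] + inner
```

A real switch would key the rules on more than the inner MAC pair (inner IP addresses, ports, or deep-packet-inspection results, which is the capability the text says switches have), but the structure is the same: the tenant identifier recovered from the tunnel header selects the rule set, the rule is evaluated on the native frame, and only then is the tunnel header reattached.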