Cisco’s Nexus vACE One-ARM S(not) magic
It’s widely known that Cisco is using VPath magic in many of its new virtual network devices.
Here’s my explanation of VPath –
VPath is a NetFlow-like protocol used to direct individual traffic flows within an ESX host.
VPath can detect traffic flows and direct them based on predefined ACLs on the application using the protocol.
The Cisco VSG uses VPath to intercept traffic destined for a VM and compare it to an ACL. If the ACL allows the traffic, the flow is OK to be directed to the VM until it completes. This works the same way for traffic outbound from the VM.
Now take the vACE – Cisco’s virtual load balancer. Cisco uses VPath to remove the source NAT (SNAT) requirement for One-ARM mode configurations! Anyone who has configured One-ARM only to have to redesign later to get the client source IP back can see that this new feature rocks. One-ARM on hardware appliances was great: easy to install into a network whenever you felt like it, and it could load balance traffic for subnets anywhere...
...assuming your security folks and application folks agreed on SNAT (they rarely do). Sure, there were sometimes ways to work around SNAT, e.g. rewriting HTTP headers. But that was a hassle, especially if SSL was terminated on the server, and it did not work for non-HTTP flows at all. You could also set the default gateway of the balanced servers to the One-ARM ACE, but that opened up many security holes and also defeated the point of One-ARM (conserving bandwidth).
The vACE uses VPath to direct load-balanced return traffic back to the ACE instead of to the default gateway, without having to configure SNAT or set the ACE as the default gateway for ‘some’ servers within the same VLAN. This is absolutely crucial to a VM-based load balancer. Two-ARM and Transparent modes are just not feasible in such shared-bandwidth environments.
So: the vACE uses VPath to circumvent the SNAT requirement of One-ARM configurations by steering traffic that needs to be load balanced back to the ACE (instead of relying on IP routing plus SNAT). This will make any virtual load balancer deployment much easier.
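To make the return-path problem concrete, here is an added simulation (my own example, not Cisco code and not a model of vPath’s real wire format) of the three One-ARM cases discussed above: no SNAT (the server’s reply follows its default gateway and bypasses the load balancer, so the client never gets a reply from the VIP), SNAT (the reply comes back, but the server only ever sees the load balancer’s address), and a vPath-style flow table on the host that steers the reply back to the load balancer while the server still sees the real client address. All IP addresses, the `EsxHost` flow-table logic and the `run()` helper are constructed for the example.

```python
from dataclasses import dataclass, replace

# All addresses below are constructed for the example.
CLIENT = "192.0.2.10"   # client outside the server VLAN
VIP = "10.0.1.100"      # virtual IP the clients connect to
LB = "10.0.1.5"         # load balancer's own interface in the server VLAN (One-ARM)
SERVER = "10.0.1.20"    # real server behind the VIP
SERVER_SUBNET = "10.0.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class OneArmLB:
    """One-ARM load balancer: a single interface in the server VLAN, DNAT to a real server."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.flows = {}  # 5-tuple as sent to the server -> original client packet

    def to_server(self, pkt: Packet) -> Packet:
        out = replace(pkt, dst=SERVER)  # destination NAT: VIP -> real server
        if self.snat:
            # source NAT hides the real client (a real ACE would also pick its own port)
            out = replace(out, src=LB)
        self.flows[(out.src, out.sport, SERVER, out.dport)] = pkt
        return out

    def to_client(self, reply: Packet):
        """Undo the translation for a reply that actually reached the load balancer."""
        orig = self.flows.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return None  # reply for a flow the LB never saw
        return Packet(src=VIP, dst=orig.src, sport=orig.dport, dport=orig.sport)


class EsxHost:
    """Virtual switch in front of the server VM. With vpath=True it remembers
    load-balanced flows and steers their replies to the LB instead of routing them
    (assumed, simplified model of the vPath behaviour described in the post)."""

    def __init__(self, lb: OneArmLB, vpath: bool):
        self.lb = lb
        self.vpath = vpath
        self.steered = set()

    def deliver(self, pkt: Packet) -> Packet:
        if self.vpath:
            self.steered.add((pkt.src, pkt.sport))  # remember the LB-originated flow
        # the server VM simply answers whatever source address it saw
        return Packet(src=SERVER, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)

    def next_hop(self, reply: Packet) -> str:
        if reply.dst == LB:
            return "lb"       # SNAT case: the reply is addressed to the LB itself
        if self.vpath and (reply.dst, reply.dport) in self.steered:
            return "lb"       # vPath case: steered to the LB although routing says otherwise
        if reply.dst.startswith(SERVER_SUBNET):
            return "direct"   # same VLAN: delivered directly, never touches the LB
        return "gateway"      # off-subnet: follows the server's default gateway


def run(snat: bool, vpath: bool) -> dict:
    """Send one client request through the VIP and report how the reply comes back."""
    lb = OneArmLB(snat)
    host = EsxHost(lb, vpath)
    request = Packet(src=CLIENT, dst=VIP, sport=40000, dport=80)
    fwd = lb.to_server(request)
    reply = host.deliver(fwd)
    hop = host.next_hop(reply)
    final = lb.to_client(reply) if hop == "lb" else reply  # untranslated if it bypassed the LB
    # the client only accepts a reply that comes from the VIP it connected to
    accepted = (final is not None and final.src == VIP and final.dst == CLIENT
                and final.sport == 80 and final.dport == 40000)
    return {
        "server_saw_client_ip": fwd.src == CLIENT,
        "return_via": hop,
        "client_accepted": accepted,
    }


if __name__ == "__main__":
    for snat, vpath in [(False, False), (True, False), (False, True)]:
        print(f"snat={snat} vpath={vpath}:", run(snat, vpath))
```

Only the third combination gives both a working connection and the real client address on the server, which is the gain the post is describing; the trade-off is that the host’s flow table now decides where return traffic goes, so that table (and the ACLs driving it) becomes part of what you have to monitor and audit.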
Now I just have to get over my expectation that this new VPath protocol will be hyper-buggy.
Read more about the vACE at ciscolive.com and download the “deploying-services-in-a-virtualized-environment” brief.