Using virtualization to consolidate data traffic on a single network appliance - Embedded.com

Using virtualization to consolidate data traffic on a single network appliance

For network routers, servers, and switches the jobs of monitoring, analyzing, and securing computing resources have never been more important. We have already seen a marked increase in data traffic but some are warning of a traffic explosion. According to a report from ABI Research, the volume of global annual data traffic will exceed 60,000 petabytes in 2016, over seven times more than the 8,000 petabytes expected in 2011. ABI has also predicted that the fastest year-on-year growth will occur in 2012, at 58 percent. Others are predicting that traffic could grow even faster as cloud computing centralizes more computing resources and more devices are used to exchange data, such as mobile phones, tablets, TVs, etc.

To handle this increased traffic without blowing the budget organizations will need more server power and storage capacity in their data centers. If they’re to succeed they have to stop looking at bringing in additional resources and instead use what they’ve got in a smarter way.

Open the door to virtualization
Today, network appliances are typically single server implementations, with few providing more than one application. It is common for several network appliances to be accessing a single monitoring location. For example, a typical scenario could be three appliances monitoring the same connection, with one monitoring specific flows, another providing performance analysis, and a third providing intrusion detection functionality.

Since cost, space, and power are major issues for data centers, reducing the footprint of network appliances also becomes a major consideration. Many network appliances require all the processing power they can get and thus cannot share processing resources with other applications. Examples are 10 GbE Intrusion Prevention Systems or Application Performance Monitoring systems. But there are also a large number of monitoring, analysis, and security appliances that run at lower speeds or do not require as many processing resources. Here, there are opportunities to consolidate these appliances into a single server solution.

If all appliances are based on the same operating system, it is possible to consolidate them using intelligent network adapters that can distribute data and share data between multiple applications. Such solutions exist today. If the appliances are based on different operating systems or environments, or expect to have full control over available hardware resources, then an alternative solution is required. In such instances, virtualization can be used to consolidate these different applications. It will depend on your data sharing and distribution needs as to which solution provides the best possible outcome. The following describes various options based on VMware that can be used to consolidate multiple network appliances onto a single physical platform.
VMware Direct Path allows a virtual machine to control a physicalnetwork adapter. This allows existing network appliance applications tobe transferred to a virtual environment:

Figure 1 Existing network appliance applications can be transferred to a virtual environment using VMware Direct Path

This is the first step in consolidation. To the network applianceapplication software, it still appears as if it is running on its ownserver with full control of the intelligent network adapter. The driversoftware has been updated to support VMware Direct Path, but otherwise,no changes need to be made.
With this solution, a consolidation can be performed for multiple network appliances:

Figure 2 Multiple network appliances can be consolidated using VMware Direct Path

As this model shows, each network appliance can be based on a differentoperating system and execution environment, yet still be supported onthe same physical server. The only restriction is that each virtualmachine needs its own network adapter. This is because only one virtualmachine can control a given network adapter at one time.

Sharing network adapters
While the above implementation works, it still requires a dedicatednetwork adapter for each virtual client. This limits the number ofapplications to the number of slots in the server. If all the virtualclients need to access the same point in the network, a separate loadbalancer would be required to distribute the data between the networkadapters.
By distributing data within VMware, we can eliminate the load balancer and reduce the number of network adapters required.

Figure 3 Data can be distributed and replicated to multiplevirtual machine clients using VMware’s Virtual Machine CommunicationInterface

By using a data distribution virtual machine as a server virtual machinebased on VMware’s VMCI (Virtual Machine Communication Interface), it ispossible to distribute and replicate data to multiple virtual machineclients. The data distribution virtual machine can thus distribute orreplicate data captured by a single intelligent network adapter tomultiple client virtual machines each supporting a separate networkappliance.

Distributing data on a per physical or virtual port basis
One method of distributing data to multiple client virtual machines is by physical port:

Figure 4  Data on each port of the network adapter is mapped to a separate client virtual machine

In the example above, data on each port of the network adapter is mappedto a separate client virtual machine. However, this limits the solutionby the number of physical ports on the network adapter.
A more interesting solution is to use logical ports:

Figure 5  Logical ports can be mapped to VMCI ports

Some intelligent network adapters are capable of identifying flows andthus defining logical ports providing specific flow data. These logicalports can be mapped to VMCI ports, allowing specific data to bedistributed to dedicated network appliances running on client virtualmachines. The number of virtual ports that can be supported is limitedby the implementation on the network adapter, but can be up to 32.As mentioned earlier, it is not uncommon for multiple network appliancesto need to access the same data at the same point in the network at thesame time. The captured data needs to be shared and replicated tomultiple network appliances.


Figure 6
 Data captured by the intelligent network adapter can be replicated to each virtual machine

The data distribution virtual machine can be used to replicate the datacaptured by the intelligent network adapter to each virtual machine thatrequires that data. The only limitation is the bandwidth of the VMCIinterface itself, which is dependent on the processing power of thesupported CPU chipset.

Performance expectations
Implementations of the solutions described above have been made,providing a benchmark for expected performance. Napatech hassuccessfully demonstrated that the VMCI interface can support up to 30Gbps of data replication and distribution to multiple virtual machines.This allows any combination of port speeds and number of virtual clientsto be implemented as long as the total consumed VMCI bandwidth does notexceed 30 Gbps.

Benefits of network appliance virtualization
As stated previously, not all network appliances can be virtualized,especially high-speed, high-performance appliances that require all theprocessing resources available. However, for less processing intensiveappliance applications, there is an opportunity for consolidation thatis compelling.

One of the advantages of using virtualization for consolidation is thateach network appliance can be re-used to a large extent with the sameoperating system and environment. This also means it is possible toupgrade the physical hardware without needing to upgrade the supportednetwork appliance virtual machines. As physical servers continue toincrease in power and performance, even more appliances can beconsolidated onto a single physical server.

As network interface speeds change, it is possible to upgrade theintelligent network adapter to support a higher speed interface withouthaving to change the support network appliance virtual machines. Thispossibility can also be used to upgrade existing network appliances tosupport higher speed interfaces in a fast and effective way.

For example, a 10 Gbps network appliance can be upgraded to support 40Gbps by porting four instances of the network appliance software to fourvirtual machines running on a single server supported by a single 40Gbps intelligent network adapter. Four logical ports are created todistribute the data between the four virtual machines, making sure thatnone of the virtual machines receive more than the expected 10 Gbps ofdata. Thus, a 10 Gbps network appliance becomes a 40 Gbps networkappliance without having to re-haul the network appliance applicationsoftware.

This approach can also be used to upgrade older network appliancessupporting legacy operating systems or where resources to update thenetwork appliance application software no longer are available.

Virtualization enables consolidation of network appliances
Cost, space and power demands require that network appliances are aseffectively and efficiently utilized as their application servercounterparts. Therefore, it would be true to say that withoutvirtualization, data centers would have faced a serious powerconsumption dilemma. Consolidation of network appliances is the lastfrontier of virtualization in the data center as it has transformed andcontinues to transform the economics of running data centers. There are anumber of opportunities for network appliance consolidation that can beexploited, especially as we move to higher network speeds and ever morepowerful physical servers, making more efficient use of physicalresources, and thereby space and power consumption. If it also leads tocost savings then that’s a win win.

Daniel Joseph Barry is VP of Marketing at Napatech(www.napatech.com) and has over 17 years experience in the IT andTelecom industry. Prior to joining Napatech in 2009, Dan Joe wasMarketing Director at TPACK, a leading supplier of transport chipsolutions to the Telecom sector. From 2001 to 2005, he was Director ofSales and Business Development at optical component vendor NKTIntegration (now Ignis Photonyx) following various positions in productdevelopment, business development, and product management at Ericsson.Dan Joe joined Ericsson in 1995 from a position in the R&Ddepartment of Jutland Telecom (now TDC). He has an MBA and a BS degreein Electronic Engineering from Trinity College Dublin.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.