Posts Tagged 'Vyatta Network'

October 14, 2014

Enterprise Customers See Benefits of Direct Link with GRE Tunnels

We’ve had an overwhelming response to our Direct Link product launch over the past few months and with good reason. Customers can cross connect into the SoftLayer global private network with a direct link in any of our 22 points of presence (POPs) providing fast, secure, and unmetered access to their SoftLayer infrastructure from their remote data center locations.

Many of our enterprise customers who’ve set up a Direct Link want to balance the simplicity of a layer three cross connection with their sophisticated routing and access control list (ACL) requirements. To achieve this balance, many are using GRE tunnels from their on-premises routers to their SoftLayer Vyatta Gateway Appliance.

In previous blogs about Vyatta Gateway Appliance, we’ve described some typical use cases as well as highlighted the differences between the Vyatta OS and the Vyatta Appliance. So we’ll focus specifically on using GRE tunnels here.

What is GRE?

Generic Routing Encapsulation (GRE) is a protocol for packet encapsulation to facilitate routing other protocols over IP networks (RFC 2784). Customers typically create two endpoints for the tunnel: one on their remote router and the other on their Vyatta Gateway Appliance at SoftLayer.

How does GRE work?

GRE encapsulates a payload, an inner packet that needs to be delivered to a destination network, within an outer IP packet. Routers between the two GRE endpoints look only at the outer IP packet and forward it toward the far endpoint, where the inner packet is parsed and routed to its ultimate destination.

Why use GRE tunnels?

A customer with multiple subnets at SoftLayer that need to be routed to would need a tunnel to each of them if they were not encapsulating with GRE. Since GRE encapsulates traffic within an outer packet, customers are able to route other protocols within the tunnel and route multiple subnets without multiple tunnels. A GRE endpoint on Vyatta will parse the packets and route them, eliminating that challenge.

Many of our enterprise customers have complex rules governing what servers and networks can communicate with each other. They typically build ACLs on their routers to enforce those rules. Having a GRE endpoint on a Vyatta Gateway Appliance allows customers to route and manage internal packets based on specific rules so that security models stay intact.

GRE tunnels can allow customers to keep their networking scheme, meaning customers can add IP addresses to their SoftLayer servers and directly access them, eliminating any routing problems that could occur.

And, because GRE tunnels can run inside a VPN tunnel, customers can put the GRE tunnel inside of an IPsec tunnel to make it more secure.
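
The encapsulation described under "How does GRE work?", and the reason for wrapping GRE in IPsec, as an added example that is not part of the original post: it builds an RFC 2784 GRE packet by hand and shows that transit routers see only the tunnel endpoints while the inner packet travels unencrypted. All addresses and the payload are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def addresses(packet):
    """(source, destination) of an IPv4 packet as dotted-quad strings."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 header + 4-byte RFC 2784 GRE header (no checksum) + inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(outer):
    """What the far endpoint does: validate outer and GRE headers, return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4 if outer else 0
    if len(outer) < 24 or outer[0] >> 4 != 4 or ihl < 20 or len(outer) < ihl + 4:
        raise ValueError("malformed outer IPv4 packet")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    flags_ver, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x7C07:            # RFC 1701-only flags or non-zero version
        raise ValueError("unsupported GRE flags/version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    gre_len = 8 if flags_ver & 0x8000 else 4   # C bit adds checksum + reserved1
    return outer[ihl + gre_len:]

# Constructed sample: an on-premises host talks to a server subnet behind the gateway.
PAYLOAD = b"SELECT 1 -- constructed payload"
INNER = ipv4_header("10.10.1.5", "10.20.2.9", 253, len(PAYLOAD)) + PAYLOAD
OUTER = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")   # tunnel endpoints

if __name__ == "__main__":
    print("transit routers see:", addresses(OUTER))
    print("endpoint routes on: ", addresses(gre_decapsulate(OUTER)))
    print("payload readable in transit:", PAYLOAD in OUTER)
```

The 24 bytes of overhead (20 for the outer IP header, 4 for GRE) also reduce the usable MTU inside the tunnel.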

Learn More on KnowledgeLayer

If you are considering Direct Link to achieve fast and unmetered access with the help of GRE tunnels and Vyatta Gateway Appliance but need more information, the SoftLayer KnowledgeLayer is continually updated with new information and best practices. Be sure to check out the entire section devoted to the Vyatta Gateway Appliance.

- Seth

July 16, 2014

Vyatta Gateway Appliance vs Vyatta Network OS

I hear this question almost daily: “What’s the difference between the Vyatta Network OS offered by SoftLayer and the SoftLayer Vyatta Gateway Appliance?” The honest answer is, from a software perspective, nothing. However, from a deployment perspective, there are a couple of fundamental differences.

Vyatta Network OS on the SoftLayer Platform

SoftLayer offers customers the ability to spin up different bare metal or virtual server configurations, and choose either the community or subscription edition of the Vyatta Network operating system. The server is deployed like any other host on the SoftLayer platform with a public and private interface placed in the VLANs selected while ordering. Once online, you can route traffic through the Vyatta Network server by changing the default gateway on your hosts to use the Vyatta Network server IP rather than the default gateway. You have the option to configure ingress and egress ACLs for your bare metal or virtual servers that route through the Vyatta Network server. The Vyatta Network server can also be configured as a VPN endpoint to terminate Internet Protocol Security (IPsec), Generic Routing Encapsulation (GRE), or OpenSSL VPN connections, and securely connect to the SoftLayer Private Network. Sounds great, right?

So, how is a Vyatta Network OS server different from a SoftLayer Vyatta Gateway Appliance?

A True Gateway

While it’s true that the Vyatta Gateway Appliance has the same functionality as a server running the Vyatta Network operating system, one of the primary differences is that the Vyatta Gateway Appliance is delivered as a true gateway. You may be asking yourself what that means. It means that the Vyatta Gateway Appliance is the only entry and exit point for traffic on VLANs you associate with it. When you place an order for the Vyatta Gateway Appliance and select your public and private VLANs, the Vyatta Gateway Appliance comes online with its native VLAN for its public and private interfaces in a transit VLAN. The VLANs you selected are trunked to the gateway appliance’s public and private interfaces via an 802.1q trunk setup on the server’s interface switch ports. These VLANs will show up in the customer portal as associated VLANs for the Vyatta Gateway Appliance.

This configuration allows SoftLayer to create an outside, unprotected interface (in the transit VLAN) and an inside, protected interface (on your bare metal server or virtual server VLAN). As part of the configuration, we set up SoftLayer routers to static route all IP space that belongs to the associated VLANs to the Vyatta Gateway Appliance transit VLAN IP address. The servers you have in a VLAN associated with the gateway appliance can no longer use the SoftLayer default gateway to route in and out of the VLAN. All traffic must be filtered through the Gateway Appliance, making it a true gateway.

This differs from a server deployed with the Vyatta Network OS because hosts behind the Vyatta Network OS server can route around it by simply changing their default gateway back to the SoftLayer default gateway.

N-Tier Architecture

Another difference is that the gateway appliance gives customers the option to route multiple public and private VLANs in the same pod (delineated by an FCR/BCR pair) through the device. This allows you to use the gateway appliance to create granular segmentation between different VLANs within your environment, and set up a traditional tiered infrastructure environment with ingress and egress rules between the tiers.

A server running Vyatta Network OS cannot be configured this way. The Vyatta Network OS server is placed in a single public and private VLAN, and there is no option to associate different VLANs with the server.

I hope this helps clear up the confusion around Vyatta on the SoftLayer platform. As always, if you have any questions or concerns about any of SoftLayer’s products or services, the sales and sales engineering teams are happy to help.

-Kelly
