Flexible deployment options have always been a focus for us at Sinefa. Our probe software can be deployed on purpose built or BYOD physical hardware, as a virtual appliance using various hypervisors, directly onto Linux servers as packages and even onto some embedded devices. Our probe software also runs on public and private clouds including Amazon AWS, Microsoft Azure and OpenStack environments.
We recently conducted a trial where the customer was refreshing the technology at their branch locations and wanted a solution that provided full layer 7 visibility and control but also included core network services such as routing, firewall and VPN. Oh, and all on a low cost, small form-factor, solid state device.
We’ve installed our software probes in many different environments, both physical and virtual, so these requirements were easily achieved. We found a suitable COTS device capable of running both the router, firewall, VPN product (VyOS) as well as the Sinefa probe as 2 separate virtual machines. The idea was to run the 2 virtual machines in series (e.g. service chaining them), effectively replicating a physical in-path deployment, like this:
The problem we faced here though was that the cost of the commercial virtualization solution we’d usually suggest exceeded the cost of the hardware we were proposing and it all become cost prohibitive.
As an experiment, we installed a minimal Linux distribution (with KVM and libvirt) on our hardware and deployed our 2 virtual machines. We used the prebuilt Sinefa probe KVM image for the Sinefa VM and the VyOS ISO to install the VyOS image for the VyOS VM. Then it was a matter of configuring some bridges to service chain the 2 VMs, and voila, in less than 4 hours we had a fully functional solution.
Managing the VMs is a breeze with a host of free libvirt based management tools. We tested mist.io and that worked quite well. Performance was good too, we pushed over 100Mbps through our setup, even using low-end hardware (both the VMs we deployed make use of virtio drivers which helps).
While a little extra work would be required to make this a production ready solution we were surprised how quickly we could spin up multiple virtual network functions (VNFs) and service chain them to effectively build a working vCPE solution. What ultimately made it so easy though was using software that we've designed to be run this way. Having KVM ready images, virtio drivers and working out of the box as a VNF was made it so straight forward.
For more details or a hand to get this going, shoot us an email.