Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution

VXLAN BGP VNBT vs. UBT

  • 1.  VXLAN BGP VNBT vs. UBT

    Posted Aug 31, 2021 01:39 PM
    What are your thoughts about the new VXLAN GBP feature?

    We're currently doing UBT with 6300 and 2930F access switches and our aggregation switches are other vendors' MPLS-capable switches so we can do segmentation with MPLS VPNs too and terminate those on our DC firewalls. Though with UBT you just need to have the management VLAN to every access switch and that's all, all the other VLANs are in the DC on controllers. Currently we have 7220 controllers. So it is quite a simple setup in the end.

    In theory it would be possible for us to just switch to 6400/6300 everywhere and do VNBT and have policies locally on the switches. But as the UBT configuration is so simple and all the complexities are just on the gateway clusters, I'm wondering what would be the benefit of using VXLAN GBP?

    I guess if we had high throughput requirements between access switches that might be one case. 7220 can do 40Gbps each so that's quite a lot for our need though...

    Other than that, the only reason I see is to get rid of controllers. But I guess most people still would like to tunnel traffic to controllers from APs anyways, or they would need to get 6300 switches with VXLAN GBP. With controllers you can do with 6200/2930F that can do UBT and use the saved money to get the controllers :)

    So in theory nice addition to features but I am not sure if it's going to be that useful?


  • 2.  RE: VXLAN BGP VNBT vs. UBT

    EMPLOYEE
    Posted Sep 03, 2021 09:03 AM
    If UBT fits traffic profiles, policy inspection & segmentation requirements and controllers are available to scale, then I do agree that there is little value in implementing VNBT using VXLAN with GBP, no added value if the existing solution is an excellent fit.

    However, not all traffic profiles/security policy segmentation & requirements are identical and this will drive different use cases and this is where VNBT GBP is likely to fit, specifically around east-west traffic profiles.

    Some customer networks may not have a comprehensive Wi-Fi deployment (financial institutions as an example) thus lack of available controllers to fit traffic profiles and scale for UBT.

    VXLAN VNBT with GPO provides micro and macro segmentation and is complementary to UBT offering flexibility to customers to select the best fit for apps and services matched to security policies.

    And like all design(s), there is rarely an exact fit for use cases, only a better match. Good to have a choice I think :)

    Regards, Steve


    ------------------------------
    Steve Bartlett
    ------------------------------