Your entire virtual network stack. One Scale.
The Networking Scale provides a complete virtual networking stack for east-west traffic, microsegmentation, and internal routing. It handles everything between your workloads — this is not a replacement for your physical switches and routers, but it eliminates every virtual network appliance you’re currently running.
| Feature | Description | Status |
|---|---|---|
| Virtual Bridges | L2 bridging with VLAN tagging, trunk ports, and access ports. | Stable |
| Virtual Switching | Distributed virtual switch spanning multiple nodes. Single management plane. | Beta |
| Virtual Routing | L3 routing between virtual networks. Static routes, BGP peering with physical infrastructure. | Beta |
| Firewall | Stateful packet filtering with zone-based policy. Rules defined per-VM, per-network, or cluster-wide. | Beta |
| VPN Mesh | WireGuard-based mesh networking between nodes. Automatic key rotation. | Beta |
| Flow Control | QoS, traffic shaping, and bandwidth guarantees per workload. | Planned |
| Load Balancing | L4/L7 load balancing for services. Health checks, session persistence, weighted routing. | Planned |
| DNS / DHCP | Integrated DNS and DHCP for virtual networks. Automatic registration, split-horizon. | Beta |
| IDS / IPS | Inline intrusion detection and prevention. Integrates with the Security Scale for correlation. | Planned |
| Packet Capture | On-demand packet capture on any virtual interface. Export to pcap. | Beta |
| Microsegmentation | Every workload is isolated by default. Communication requires explicit policy. | Beta |
| NAT | Source and destination NAT. 1:1, many:1, and port forwarding. | Stable |
| IPv6 | Full dual-stack support. Native IPv6, not tunnelled. | Beta |
Traditional network security draws perimeters — inside is trusted, outside is not. This model fails the moment anything inside the perimeter is compromised.
Tophan’s Networking Scale inverts this. Every workload starts fully isolated. You define explicit policies for which workloads can communicate, on which ports, using which protocols. Everything else is denied.
This means a compromised VM cannot scan the network, cannot reach adjacent workloads, and cannot exfiltrate data through unexpected channels. The blast radius of any breach is contained to exactly the permissions you granted.
The Networking Scale runs as a system-level service on every Tophan node. Virtual switches, routers, and firewalls are implemented using kernel-level primitives (nftables, network namespaces, veth pairs) — no userspace forwarding overhead.
```text
┌───────────────────────────────────┐
│ Policy Engine                     │  Cluster-wide rules
├───────────────────────────────────┤
│ Networking Scale API              │  Configuration
├──────────┬──────────┬─────────────┤
│ vSwitch  │ vRouter  │ Firewall    │  Per-node instances
├──────────┴──────────┴─────────────┤
│ Linux Network Stack               │  nftables, namespaces
└───────────────────────────────────┘
```
Policy is defined centrally and distributed to every node. Each node enforces policy locally with zero dependency on a central controller at runtime — if the management plane goes down, existing policy continues to enforce.
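As an added illustration of the default-deny model described above, and of the nftables primitives the per-node firewall is built on, here is a minimal microsegmentation ruleset for a host that forwards traffic between workload interfaces. This is example code written for this page, not Tophan's policy format or generated output; the table name, set names, addresses and the single allowed flow (web tier to a PostgreSQL database) are all constructed.

```nft
#!/usr/sbin/nft -f
# Constructed example: default-deny microsegmentation on the forward path.
# Workload addresses and the "microseg" table are placeholders, not
# anything Tophan ships.

flush ruleset

table inet microseg {
    # Workload groups stand in for per-VM / per-network policy targets.
    set web_tier {
        type ipv4_addr
        elements = { 10.10.1.10, 10.10.1.11 }
    }
    set db_tier {
        type ipv4_addr
        elements = { 10.10.2.20 }
    }

    chain forward {
        # policy drop: any flow without an explicit rule is denied.
        type filter hook forward priority filter; policy drop;

        # Stateful: return traffic for an allowed flow needs no second rule.
        ct state established,related accept
        ct state invalid counter drop

        # The only explicit policy: web tier may open PostgreSQL to the db tier.
        ip saddr @web_tier ip daddr @db_tier tcp dport 5432 ct state new accept

        # Lateral scans and unexpected egress fall through here: count, log, drop.
        counter log prefix "microseg-drop " drop
    }
}
```

`nft -c -f microseg.nft` parses the file without loading it, and `nft list ruleset` shows the live counters once it is applied. Because enforcement is the kernel's own forward hook, it keeps working if the management plane is unreachable, which is the property the paragraph above describes; the logged `microseg-drop` prefix is what a detection pipeline would key on to surface a workload that has started probing its neighbours.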
- Full software-defined switching with OVS at the core
- BGP, OSPF, and policy routing without dedicated hardware
- Stateful nftables firewall with per-VM policy enforcement
- Auto-mesh WireGuard tunnels between every node and site
- Real-time bandwidth visualization and traffic shaping from the dashboard
- L4/L7 load balancing with health checks and automatic failover
- Built-in name resolution, address management, and PXE boot
- Suricata-powered intrusion detection with 49K+ rules and auto-blocking
- Full packet recording, replay, and forensic analysis