© 2010 Petr Grygarek, Advanced Computer Networks Technologies 1 Network Virtualization Petr Grygárek


Network Virtualization

Petr Grygárek

Traditional Virtualization Techniques


Network Virtualization

• Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on a shared physical infrastructure
• Total separation between groups has to be guaranteed
  • assignment of a user to a VN may depend on authentication
• Independent address spaces and routing domains
• Well-defined and controllable ingress/egress points for data transport
• Methods of controlled collaboration between VNs, or between a VN and shared resources (e.g. Internet connection), may be defined
• May potentially be extended over a (virtualized) WAN


What can/has to be Virtualized?

• Network devices
  • Control plane, data plane, management plane
  • Including virtual devices on capacity hosts
• Network transport (links)
  • L2/L3 VPN technologies
• Network services
  • DHCP, AAA, …
  • including handling of security policies
• Servers (workload)
  • Virtualized access links


Policies in Traditional Networks

• Security (and other) policies implied by physical location
  • location in the (logical) network topology with regard to physical firewall interfaces
  • applicable only if user groups are physically separated
  • or using widespread VLANs


Today’s Policy Requirements (1)

• Users from different groups coexist at the same physical location
  • employees + in-house consultants in employee premises
  • employees + guests + 3rd party staff in a physical meeting room
  • isolated intelligent building subsystems
• User’s policies independent of the user’s current location
  • network attachment policy “roams” with the user
• Operation of virtual teams
  • shared (temporary) virtual networking environment accessible to virtual team members only


Today’s Policy Requirements (2)

• The same (shared) physical device may get different privileges depending on the actual user that logged in and on OS status
• Policy assignment/configuration based on the result of the authentication process (authorization)
• Quarantine subnet for infected/non-patched/policy-non-compliant computers
• Restriction of network resource access to fulfil legal regulations
  • Health and insurance data, financial data, …
• Service centralization (for multiple customers)
  • Firewall, anti-spam, anti-virus, IDS/IPS, load-balancer, …


Traditional Transport Separation Methods

• Traffic filtering (access lists)
  • Has to be implemented (consistently) in all network parts
  • Non-uniform – locally significant information (addresses) used as the filtering criterion
• Policy-based routing
  • Static routing with additional constraints
    • Source interface, source address etc.


Transport Virtualization

• 802.1q, QinQ

• “Colored” routed packets (DSCP, etc.)

• MPLS, MPLS VPN

• L2TPv3

• PseudoWires, VPLS

• GRE

• IPSec

• …


Device Virtualization (1)

• Management plane virtualization
  • Multiple logical partitions separated from the administration perspective
  • Common data plane (HW)
  • Common/separated control plane (if any)


Device Virtualization (2)

• Control plane structures / forwarding table virtualization
  • VRFs – virtual routers
    • + VRF-aware routing protocols / multi-topology routing
  • VLANs/VFIs – virtual switches


Device Virtualization (3)

• Virtual device contexts (VDCs)
  • Process-level (para)virtualization
    • often Linux-kernel-based
  • Virtual device contexts (VDCs) act as failure domains
    • Process crash cannot influence other VDCs
  • Resource virtualization (hypervisor level)
    • CPU, memory, TCAMs, peripherals, …
  • VDC resource consumption limits should be defined for shared resources (e.g. memory)
  • Dedicated resources (e.g. physical ports) have to be assigned to a particular VDC
  • Global resources (e.g. HW-assisted broadcast storm control)


Device Pooling/Clustering

• Multiple routers with FHRP
  • VRRP, HSRP, GLBP
  • Normally on the “user” side only
  • Sometimes also for returning traffic
    – Datacenter “ladder”
• Device Stacking
• Solutions like Cisco VSS, vPC etc.
  • Uses Multichassis EtherChannel
  • No special config on the subordinate device side
  • Reduces STP complexity
  • Limits the number of routing adjacencies


An example: Fully overlaid VNs using VLANs and VRFs

• Pros and cons from configuration & operation perspectives
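The fully overlaid VLAN + VRF design named above, together with the VRF/VLAN device virtualization from “Device Virtualization (2)”, as an added Python model that is not part of the slides: two VNs deliberately reuse the same 10.0.0.0/8 addresses, each ingress VLAN is bound to one VRF, and a lookup never leaves the ingress VRF. All VN names, VLAN ids, prefixes and next hops are constructed.

```python
import ipaddress

# Constructed example (not from the slides): two virtual networks (VNs) overlaid
# on one physical switch/router. On the access side each VN is a VLAN, in the
# routing core it is a VRF, and both VNs deliberately reuse 10.0.0.0/8 addresses.
VLAN_TO_VRF = {10: "VN-staff", 20: "VN-guest"}      # ingress VLAN id -> VRF

# Per-VRF forwarding tables: prefix -> next hop / egress. A prefix present in
# both tables (10.250.0.0/16) models a shared service reachable from both VNs,
# i.e. a deliberately configured, controlled point of collaboration.
VRF_TABLES = {
    "VN-staff": {"10.1.0.0/16": "staff-core", "10.2.0.0/16": "staff-dc",
                 "10.250.0.0/16": "shared-services", "0.0.0.0/0": "staff-internet"},
    "VN-guest": {"10.1.0.0/16": "guest-wifi",
                 "10.250.0.0/16": "shared-services", "0.0.0.0/0": "guest-internet"},
}

def vrf_for_vlan(vlan_id):
    """Map an ingress VLAN to its VRF; an unmapped VLAN has no default VRF."""
    return VLAN_TO_VRF.get(vlan_id)

def lookup(vrf, dst):
    """Longest-prefix match confined to one VRF's table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in VRF_TABLES[vrf].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop

def forward(vlan_id, dst):
    """Forwarding decision for a packet arriving on `vlan_id` destined to `dst`."""
    vrf = vrf_for_vlan(vlan_id)
    if vrf is None:
        return "drop: VLAN not mapped to any VN"
    return lookup(vrf, dst)

if __name__ == "__main__":
    # The same destination address resolves differently per VN, and a guest
    # packet to the staff-only 10.2.0.0/16 never sees the staff table.
    for vlan, dst in [(10, "10.1.5.5"), (20, "10.1.5.5"), (20, "10.2.1.1"),
                      (10, "10.250.3.3"), (30, "10.1.5.5")]:
        print(vlan, dst, "->", forward(vlan, dst))
```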


Advantages of Network Virtualization

• Lower number of physical devices
  • Lower cost, less space consumption, lower power/cooling requirements
• Multiple (virtualized) devices with separate roles and simpler configurations
  • Possibility to keep “known good” scalable, stable and secure designs (e.g. 3-tier model)
  • Better predictable data paths
  • Limits security concerns
  • Less risk of unexpected software behaviour because of unusual or too complicated config
  • Easier to manage

Virtualizing complete network infrastructures

Virtualizing network infrastructures - one kind of SDN

• Instant deployment
• Operation flexibility, easy upgradeability
• Same advantages as apply to generic workload VMs
• Server and application admins are not dependent on stupid networking guys anymore ;-))
  • … and may start to create their own uncontrolled and very inefficient mess...


Interconnection with Virtualized Hosts

• VMware servers hosting multiple virtual machines
• Servers often act as “capacities” for VMs that may migrate between hosting servers
  • VM migration based on human command or on automatic load-balancing and power-saving mechanisms
    – Manual operation: capacity server maintenance, disaster recovery, ...
• Network connectivity and security policies have to be “moved” with the VM as needed
• Results in the requirement to span all (user) VLANs over the whole datacenter access/aggregation layer
  • ALS/DLS platforms have to have reasonable limits on the numbers of supported VLANs and STP instances


Virtualized Switches on VM-Hosting Platforms

• Associate VMs’ virtual NICs with VLANs
• Accomplishes local switching + provides external connectivity (trunk)
  • Multiple trunk lines may act separately by “pinning” each virtual NIC to one particular line, or link aggregation may be used
    – Virtualized SW resides between the VM and the physical uplink
• One or multiple vSwitch instances per hypervisor
  • also 3rd party vSwitches implemented using the VMware vSwitch API
  • may also implement vendor-specific functions, which is useful for consistent capabilities over all network devices
• Additional tier in the traditional tiered DC model
• Managed either by server management personnel or by the NOC (the two need to cooperate)
• May support EtherChannel (LACP), (R)STP, CDP, …
• Configured from the hosting server console or externally
  • Using various vendors’ CLIs (e.g. Cisco Nexus 1000V virtual switch)


Distributed Virtual Switch (e.g. Nexus 1000V by VMware + Cisco)

• Avoids the need to configure dozens of separate vSwitches
• Separate data planes (virtual switch modules), common control plane (virtual switch controller + VMware vCenter)
• Network connectivity managed at the ESX cluster level
• Support for datapath shortcuts and for diverting traffic to virtualized services
  • vPath technology


Cisco Virtual Network Link (VN-Link)

• Logical link between a vNIC on a VM and a VN-Link enabled physical switch
• Logical equivalent of the cable between a NIC and an ALS port
• ALS Virtual Ethernet (vEth) interfaces that correspond to connections to individual vNICs are dynamically created
• vEth maintains network configuration and state for a given virtual interface even if the VM moves between servers
  • port statistics, 802.1X state, ACLs, NetFlow, SPAN sessions, …


Network Interface Virtualization

• Extends vNICs to an external hardware switch
  • No local switching
  • Virtual hosts handled the same way as physical ones
  • vSwitch replaced by an “interface virtualizer”
  • Attached VNTag uniquely identifies an individual vNIC
• NIV standard proposal:
  • http://www.ieee802.org/1/files/public/docs2008/new-dcb-pelissier-NIC-Virtualization-0908.pdf


VXLANs

• 4k traditional VLANs is not sufficient for multitenant DC implementations
• VXLANs = virtualization of VLANs using an L3 overlay
  • UDP tunnels between VXLAN-capable hypervisors
  • Extended VLAN ID
• VXLAN GW to the traditional network translates to legacy VLANs
• Some solutions use some sort of GRE instead
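The “UDP tunnels” and “extended VLAN ID” bullets above in working form, as an added Python example that is not part of the slides: it builds and parses the 8-byte VXLAN header with its 24-bit VNI as specified in RFC 7348 (published after this deck), and shows a receiving tunnel endpoint discarding a header whose VNI is not marked valid. The inner Ethernet frame is constructed; outer IP/UDP headers are left to the host stack.

```python
import struct

# Added example (not from the slides): the VXLAN encapsulation the "UDP tunnels
# between VXLAN-capable hypervisors" bullet refers to, as defined in RFC 7348.
VXLAN_UDP_PORT = 4789        # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1      # 24-bit VNI: ~16.7M segments vs. 4094 802.1Q VLANs

def vxlan_header(vni):
    """Build the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)

def encapsulate(vni, inner_frame):
    """What a sending VTEP puts into the UDP payload: VXLAN header + the original
    Ethernet frame. Outer Ethernet/IP/UDP headers are added by the IP stack."""
    return vxlan_header(vni) + inner_frame

def decapsulate(udp_payload):
    """Parse the UDP payload as a receiving VTEP would.
    Returns (vni, inner_frame), or None when the header must be discarded
    (too short, or I flag clear so there is no valid VNI). Per RFC 7348 the
    reserved bits are ignored on receipt rather than treated as errors."""
    if len(udp_payload) < 8:
        return None
    flags_word, vni_word = struct.unpack("!II", udp_payload[:8])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        return None
    return (vni_word >> 8) & MAX_VNI, udp_payload[8:]

# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER_FRAME = (bytes.fromhex("0200aabbcc01") + bytes.fromhex("0200aabbcc02")
               + b"\x08\x00" + b"constructed-payload")

if __name__ == "__main__":
    pkt = encapsulate(5000, INNER_FRAME)
    print("VXLAN header:", pkt[:8].hex(), "-> parsed VNI:", decapsulate(pkt)[0])
```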


Virtualization Cons

• Maintaining separate networks may increase availability
  • in some cases, if there are no other production-process-oriented dependencies
• Tighter coordination between server and network teams has to be set up
• More complex system operation
  • more difficult to troubleshoot


Virtualization and Network Resiliency

• Virtualization is NOT a method to increase network resiliency
  • although having redundant virtualized device contexts on different physical devices can be a way to do it
• Care must be taken not to compose redundant solutions from (virtual) components virtualized on the same physical resource
  • network processor, cable, …
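The last warning as a design check, added here as a Python example that is not part of the slides: each logical component (VDC, vSwitch, virtual link) is mapped to the physical resources it depends on, and a “redundant” pair or group that shares any of them is reported as a single failure domain. All component names and mappings are constructed.

```python
# Added example (not from the slides): a dependency check for the warning above.
# Each logical component (VDC, vSwitch, virtual link) is mapped to the physical
# resources it really depends on; a "redundant" pair that shares any of them is
# one failure domain. All names and mappings are constructed.
PHYSICAL_DEPS = {
    "core-A-vdc1": {"chassis-1", "np-1", "psu-1"},
    "core-A-vdc2": {"chassis-1", "np-1", "psu-1"},   # second VDC in the same box
    "core-B-vdc1": {"chassis-2", "np-2", "psu-2"},
    "uplink-1":    {"fiber-pair-7", "chassis-1"},
    "uplink-2":    {"fiber-pair-7", "chassis-2"},    # both uplinks in one cable run
    "uplink-3":    {"fiber-pair-9", "chassis-2"},
}

def shared_resources(a, b):
    """Physical resources two logical components have in common."""
    return PHYSICAL_DEPS[a] & PHYSICAL_DEPS[b]

def check_redundant_pairs(pairs):
    """Return {(a, b): shared resources} for every pair that is not truly
    redundant, i.e. whose members can be taken down by one physical failure."""
    findings = {}
    for a, b in pairs:
        shared = shared_resources(a, b)
        if shared:
            findings[(a, b)] = shared
    return findings

def single_points_of_failure(group):
    """Resources whose loss takes down every member of a redundancy group."""
    return set.intersection(*(PHYSICAL_DEPS[m] for m in group))

if __name__ == "__main__":
    design = [("core-A-vdc1", "core-A-vdc2"),   # looks redundant, is not
              ("core-A-vdc1", "core-B-vdc1"),   # genuinely separate hardware
              ("uplink-1", "uplink-2")]         # two links, one cable run
    for pair, shared in check_redundant_pairs(design).items():
        print("NOT redundant:", pair, "share", sorted(shared))
    print("group SPOF:", single_points_of_failure(["uplink-1", "uplink-2", "uplink-3"]))
```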