NETWORKING SOLUTIONS FOR A SERVER VIRTUALIZATION ENVIRONMENT
Nico Siebelink, Technical Director, Juniper Networks


WHY SERVER VIRTUALIZATION

• Saves money
• Saves space
• Saves the environment
• Improves build time / time to market
• Redundancy without purchasing additional hardware
• Business agility

THE EVOLUTION OF SERVER VIRTUALIZATION

Phase 1: Server consolidation
  Guiding principle: improve utilization of physical resources
  Drivers: savings in CAPEX, power and space; improvements in server utilization
  The network had no role

Phase 2: Business agility
  Guiding principle: improve utilization of a pool of resources
  Drivers: adapt quickly to new demands; heightened compliance and security; better disaster management; cloud-based computing models
  The network has a huge role

LEGACY DC NETWORKS RESTRICT AGILITY: MODELLED AFTER A LAN-LIKE DESIGN

(Figure: two servers, each with a NIC and VMs VM1-VM3 behind a virtual switch.)

• TOO MANY DEVICES TO MANAGE: additional virtual switches on every host
• POOR PERFORMANCE: multiple layers across the north-south path; not adequate for SOA / mashup architectures
• PROPRIETARY: pre-standard protocols, interoperability problems, lock-in
• MOBILITY: north-south path; scale and scope of L2 adjacencies across sites
• SECURITY: siloed, unavailable across domains; VM-to-VM traffic inside a host never reaches the physical security devices
• MANAGEABILITY: no orchestration between the physical and virtual network; unclear responsibilities

JUNIPER'S STRATEGY FOR SUPPORTING SERVER VIRTUALIZATION

(Figure: the same two-server topology as on the previous slide.)

BEFORE / AFTER

Fewer devices: 44 -> 14
Fewer devices to manage: 44 -> 4

Based on open standards

COMMUNICATION BETWEEN THE VIRTUAL MACHINES: THE BIG DEBATE CONTINUES

(Figure: three hosts, each with VM1-VM3 and a NIC; "P" marks the physical switch ports.)

Options for where VM-to-VM switching is done:

1. In the hypervisor vendor's switch (e.g. VMware vSwitch)
2. In the NIC
3. In the existing external physical switch (VEPA)
4. In a third-party vSwitch added on to the hypervisor
5. In a proprietary new type of external switch (e.g. VN-Tag)

COMPARISON OF OPTIONS

| Criterion                            | 1. vSwitch                        | 2. NIC   | 3. VEPA                       | 4. Third-party vSwitch                          | 5. VN-Tag                              |
|--------------------------------------|-----------------------------------|----------|-------------------------------|-------------------------------------------------|----------------------------------------|
| Switching done in                    | Software                          | Hardware | Hardware                      | Software                                        | Hardware                               |
| Feature richness                     | Very low                          | Low      | High                          | Low                                             | High                                   |
| Customer's time to adopt             | Low (built into the hypervisor)   | Unknown  | Low (simple software upgrade) | Very high (new virtual switch must be qualified) | High (new switch(es) must be qualified) |
| Latency for switching                | Very low                          | Very low | Low                           | Low                                             | High                                   |
| Industry support (standards based)   | N/A                               | Unknown  | Yes                           | None                                            | Unknown                                |
| Virtual switching managed by         | Server admin                      | Unknown  | Network admin                 | Network admin                                   | Network admin                          |
| Customer's cost to adopt             | Low (comes with the hypervisor)   | Unknown  | Free (software upgrade)       | High (additional license)                       | High (needs new hardware)              |
| Compatibility with existing network  | Yes                               | Unknown  | Yes                           | None (proprietary solution)                     | None (proprietary solution)            |

VEPA

• Virtual Ethernet Port Aggregator
• Uses the external physical network for intra-server VM-to-VM communication
• An evolving open standard: IEEE 802.1Qbg
• Supported by almost all the major IT vendors
• For more information: http://www.ieee802.org/1/files/public/docs2009/new-bg-thaler-par-1109.pdf

VEPA brings the evolved Ethernet functionality to virtual networking. Note that it depends on the adjacent physical switch supporting reflective relay (forwarding a frame back out the port it arrived on, which a standard 802.1Q bridge does not do), so the access switch must implement 802.1Qbg as well as the host.

(Figure: one host with VM1-VM3 and a NIC; the external switch does the VM-to-VM forwarding.)

TOP 3 BENEFITS OF VEPA

Features and scale: switching where it belongs, on the switches.
Elegant: VEPA is non-disruptive and cost-effective.
Open: server- and hypervisor-agnostic, maximum flexibility.

PERFORMANCE

LATENCY WITH LEGACY NETWORK

• Every hop adds additional latency
• Increases load on uplinks
• Requires VLANs to span multiple access switches to support VM migration

(Figure: the path between servers A and B climbs through the upper layers of a legacy network.)

VIRTUALIZATION WITH VIRTUAL CHASSIS (EX4200)

10x latency improvement by eliminating the trip to the upper layers

• Single-point lookup model
• EX4200 Virtual Chassis: 480 1GbE servers
• Works with any hypervisor

(Figure: servers A and B attached to the same EX4200 Virtual Chassis.)

JUNIPER'S 3-2-1 IS DESIGNED FOR SERVER VIRTUALIZATION

3. Legacy three-tier data center: multiple hops; latency in ms
2. Juniper two-tier data center: ~480 servers in 1 hop (latency <10µs) within a Virtual Chassis; ~10,000 servers in 2 hops (latency <100µs)
1. Juniper data center fabric: ~100,000 servers in 1 hop

MOBILITY

VM MIGRATION SCENARIOS

Scenario #1: within the same data center
  Layer 2 domain across racks (Rack A to Rack B)
  Virtual Chassis EX4200

Scenario #2: data centers in the same city, two different locations
  Layer 2 domain across fiber-connected data centers
  Virtual Chassis EX4200

Scenario #3: data centers in different cities
  Layer 2 domain across a virtual private LAN (VPLS)
  Virtual Chassis EX4200 and MX Series

RACK TO RACK: EX4200/EX4500 Virtual Chassis

• Managed as a single device
• 10 switches = up to 480 servers
• Automatic VLAN update propagation
• Sub-10µs latency

(Figure: Rack 1 and Rack 2, each with a host and NIC, VM1-VM5 attached through one EX4200 VC.)

POD TO POD: EX8200 Virtual Chassis

• Extends the L2 domain across multiple rows/pods in a DC
• Extends L2 adjacency to over 10,000 1GbE servers
• Eliminates STP
• Core managed as a single device

(Figure: Pod 1 to Pod N, each with EX4200 VCs at the access layer and an EX8200 VC core.)

ACROSS DC/CLOUDS

• Extends the L2 domain across DCs/clouds
• Allows VM migration (VMotion) across locations
• VPLS can be provisioned in seconds using Junos Space Network Activate
• VLAN to VPLS mapping
• DB/storage mirroring

Stretching a Layer 2 domain between sites also stretches its broadcast and failure domain, so the VLANs mapped into VPLS should be limited to those whose VMs actually need to move.

(Figure: two data centers, each with EX4200 VC access and an EX8200 VC core, joined by MX Series routers running VPLS over an MPLS core.)

MANAGEABILITY

DC MANAGEABILITY CHALLENGES WITH SERVER VIRTUALIZATION

1. Blurred roles between the server admin and the network admin.
2. No automation/orchestration to keep the virtual and physical networks in sync.
3. VM migration can fail when the two networks are out of sync.
4. Proprietary products and protocols.

(Figure: the server admin owns the virtual network (vSwitch and VMs), the network admin owns the physical network (switch ports "P"); a VM moving from host A to host B needs both sides configured consistently.)
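The failure in point 3 is concrete: a VM is moved to a host whose vSwitch port group either does not exist, maps to a different VLAN, or maps to a VLAN the host's physical uplink does not trunk, and the VM goes dark. The following is an added example, not Juniper code and not what Junos Space Virtual Control actually runs; it shows in plain Python the reconciliation between the server admin's port-group view and the network admin's trunk-port view that such a tool automates. Host names, switch and port names, port groups and VLAN IDs are all constructed sample data.

```python
"""Pre-migration VLAN consistency check between the virtual and physical network.

Added example (not Juniper code). All hosts, ports, port groups and VLAN IDs
are constructed sample data, not a real inventory.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    uplink: tuple[str, str]       # (physical switch, port) the host NIC is cabled to
    port_groups: dict[str, int]   # vSwitch port group -> VLAN ID (server admin's view)


@dataclass
class SwitchPort:
    allowed_vlans: set[int] = field(default_factory=set)  # VLANs trunked on the port (network admin's view)


def vlans_missing_on_uplink(host: Host, switch_ports: dict[tuple[str, str], SwitchPort]) -> dict[str, int]:
    """Port groups whose VLAN the host's uplink does not carry.

    A VM on such a port group is black-holed: the vSwitch tags its frames with a
    VLAN the physical switch discards at ingress.
    """
    port = switch_ports.get(host.uplink)
    if port is None:
        # Uplink unknown to the physical inventory: nothing can be verified
        return dict(host.port_groups)
    return {pg: vid for pg, vid in host.port_groups.items() if vid not in port.allowed_vlans}


def migration_is_safe(vm_port_group: str, src: Host, dst: Host,
                      switch_ports: dict[tuple[str, str], SwitchPort]) -> tuple[bool, str]:
    """Decide whether moving a VM on `vm_port_group` from src to dst keeps it reachable.

    Three things must line up: the destination has the same port group, that port
    group maps to the same VLAN as on the source, and the destination uplink trunks
    that VLAN.
    """
    if vm_port_group not in src.port_groups:
        return False, f"{src.name} has no port group {vm_port_group}"
    if vm_port_group not in dst.port_groups:
        return False, f"{dst.name} has no port group {vm_port_group}"
    src_vlan, dst_vlan = src.port_groups[vm_port_group], dst.port_groups[vm_port_group]
    if src_vlan != dst_vlan:
        return False, f"{vm_port_group} is VLAN {src_vlan} on {src.name} but VLAN {dst_vlan} on {dst.name}"
    if vm_port_group in vlans_missing_on_uplink(dst, switch_ports):
        sw, port = dst.uplink
        return False, f"VLAN {dst_vlan} is not trunked on {sw} {port} (uplink of {dst.name})"
    return True, "ok"


# Constructed sample inventory: one Virtual Chassis, three ESX hosts.
SWITCH_PORTS = {
    ("ex4200-vc1", "ge-0/0/1"): SwitchPort({10, 20, 30}),
    ("ex4200-vc1", "ge-1/0/1"): SwitchPort({10, 20}),      # VLAN 30 was never added here
    ("ex4200-vc1", "ge-2/0/1"): SwitchPort({10, 20, 30}),
}
HOST_A = Host("esx-a", ("ex4200-vc1", "ge-0/0/1"), {"web": 10, "app": 20, "db": 30})
HOST_B = Host("esx-b", ("ex4200-vc1", "ge-1/0/1"), {"web": 10, "app": 20, "db": 30})
HOST_C = Host("esx-c", ("ex4200-vc1", "ge-2/0/1"), {"web": 10, "app": 99})  # "app" retagged on this host


def demo() -> dict[str, tuple[bool, str]]:
    """Check three candidate migrations off host A."""
    return {
        "web A->B": migration_is_safe("web", HOST_A, HOST_B, SWITCH_PORTS),
        "db  A->B": migration_is_safe("db", HOST_A, HOST_B, SWITCH_PORTS),
        "app A->C": migration_is_safe("app", HOST_A, HOST_C, SWITCH_PORTS),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'SAFE' if ok else 'UNSAFE'} - {why}")
```

Run as-is it reports the web move as safe, the db move as unsafe because VLAN 30 is missing from the trunk on esx-b's uplink, and the app move as unsafe because the two server admins disagree about which VLAN "app" is. The physical side of such a check would normally be pulled from the switch configuration rather than typed in, which is exactly the gap the slide describes.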

SOLUTIONS WITH JUNOS SPACE VIRTUAL CONTROL

1. Clear roles and responsibilities
2. Automated orchestration between physical and virtual networks
3. Scalable solution: allows VMs to move freely
4. Open architecture

(Figure: Virtual Control sits between the server admin's virtual network and the network admin's physical network, keeping the port configuration on both sides consistent as VMs move.)

JUNOS SPACE VIRTUAL CONTROL

Managing the physical and virtual network from a single pane of glass; mapping between the physical and virtual switches.

VALUE PROPOSITIONS

• End-to-end network management: physical and virtual from a single pane of glass
• Industry's only web-based solution: automated, GUI based; eliminates human errors
• Open architecture: no proprietary lock-in; works with open APIs
• Most scalable solution: manage hundreds of hosts from a single instance
• Increased application availability; reduced errors

Available 3Q 2010

SECURITY

SECURITY IMPLICATIONS OF VIRTUAL SERVERS

Physical network: the firewall/IPS inspects all traffic between servers.
Virtual network: physical security is "blind" to traffic between virtual machines on the same ESX host, because that traffic is switched inside the hypervisor and never reaches the physical firewall/IPS.

(Figure: left, physical servers connected through a firewall/IPS; right, an ESX host with VM1-VM3 on the hypervisor's virtual switch.)

APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS

1. VLAN segmentation
   Each VM in a separate VLAN; inter-VM communication must route through the firewall.
   Drawback: possibly complex VLAN networking.

2. Agent-based
   Each VM has a software firewall.
   Drawback: significant performance implications; huge management overhead of maintaining software and signatures on thousands of VMs.

3. Kernel-based firewall
   Firewall implemented as a hypervisor kernel module. VMs can securely share VLANs; inter-VM traffic is always protected; high performance from implementing the firewall in the kernel; micro-segmentation capabilities.
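The VEPA discussion above and these three methods are answers to the same question: for a given pair of VMs, where, if anywhere, can their traffic be inspected? The following is an added example, not code from the slides or from Juniper or Altor. It encodes the visibility rules the deck relies on: the Layer 3 firewall/IPS only sees traffic that has to be routed (source and destination in different VLANs, i.e. method 1); the physical access switch sees traffic between hosts, and with VEPA (802.1Qbg reflective relay) also traffic between VMs on one host, so it can be mirrored or filtered there; a kernel-module firewall on a host (method 3) sees everything its VMs send. VM names, hosts and VLAN numbers are constructed sample data.

```python
"""Audit which VM-to-VM flows reach any inspection point.

Added example, not Juniper/Altor code. VM names, hosts and VLAN numbers are
constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    vlan: int


@dataclass(frozen=True)
class Deployment:
    vepa_hosts: frozenset[str] = frozenset()       # hosts whose uplink switch does reflective relay
    kernel_fw_hosts: frozenset[str] = frozenset()  # hosts running a kernel-module firewall


def inspection_points(a: VM, b: VM, d: Deployment) -> set[str]:
    """Places where traffic between VMs a and b can be inspected."""
    points = set()
    if a.vlan != b.vlan:
        points.add("l3_firewall")        # must be routed, so it crosses the firewall/IPS (method 1)
    same_host = a.host == b.host
    if not same_host or a.host in d.vepa_hosts:
        points.add("physical_switch")    # frames traverse a physical port: mirror/ACL possible
    if a.host in d.kernel_fw_hosts or b.host in d.kernel_fw_hosts:
        points.add("kernel_firewall")    # method 3: every frame from a VM on that host is checked
    return points


def blind_pairs(vms: list[VM], d: Deployment) -> list[tuple[str, str]]:
    """VM pairs whose traffic reaches no inspection point at all, sorted by name."""
    return sorted((a.name, b.name) for a, b in combinations(vms, 2)
                  if not inspection_points(a, b, d))


# Constructed inventory: esx-a carries a web/app/db tier on one shared VLAN (the
# classic blind spot); esx-b carries two VMs that each have their own VLAN.
VMS = [
    VM("web1", "esx-a", 100), VM("app1", "esx-a", 100), VM("db1", "esx-a", 100),
    VM("web2", "esx-b", 110), VM("app2", "esx-b", 120),
]

PLAIN_VSWITCH = Deployment()
WITH_VEPA = Deployment(vepa_hosts=frozenset({"esx-a", "esx-b"}))
WITH_KERNEL_FW = Deployment(kernel_fw_hosts=frozenset({"esx-a"}))


if __name__ == "__main__":
    for label, dep in [("plain vSwitch", PLAIN_VSWITCH),
                       ("VEPA on both hosts", WITH_VEPA),
                       ("kernel firewall on esx-a", WITH_KERNEL_FW)]:
        print(f"{label}: blind pairs = {blind_pairs(VMS, dep)}")
```

With a plain vSwitch the three same-host, same-VLAN pairs on esx-a are invisible to every control; the two VMs on esx-b are covered only because they sit in different VLANs and are therefore routed through the firewall. Turning on VEPA removes the blind spots by hairpinning every frame through the physical switch, but note what that buys: visibility on a switch port (for mirroring to an IPS or applying ACLs), not a stateful firewall decision. The kernel firewall covers the same pairs while letting them stay on one VLAN, which is the trade-off method 3 is making.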

INTEGRATION WITH JUNIPER DATA CENTER SECURITY: ALTOR VM

Components: Altor Center, Altor Virtual Firewall (on VMware vSphere), Juniper switch, Juniper SRX with IPS, STRM, NSM.

Altor integration points:
• Traffic mirroring to IPS: inter-VM traffic is mirrored over the network to the Juniper SRX with IPS
• Firewall event syslogs and NetFlow for inter-VM traffic: exported to STRM
• Central policy management: policies distributed from NSM

(Figure: VM1-VM3 on a vSphere host behind the Altor Virtual Firewall, with the three integration points drawn to the SRX, STRM and NSM.)

SUMMARY OF JUNIPER SOLUTIONS FOR SERVER VIRTUALIZATION

• FEWER DEVICES, FEWER DEVICES TO MANAGE
• HIGH PERFORMANCE: few layers; Virtual Chassis
• OPEN: VEPA, standards based
• MOBILITY: VPLS, Virtual Chassis
• SECURITY: Altor Networks, SRX
• MANAGEABILITY: VEPA, Junos Space Virtual Control

Products: MX Series, EX8200, SRX5800, EX4000

(Figure: the two-server topology from the start of the deck.)