Network Virtualization - vsb.czwh.cs.vsb.cz/sps/images/0/05/Virtualization.pdf
© 2010 Petr Grygarek, Advanced Computer Networks Technologies

Network Virtualization
Petr Grygárek
Network Virtualization
• Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on a shared physical infrastructure
  • Total separation between groups has to be guaranteed
  • Assignment of a user to a VN may depend on authentication
• Independent address spaces and routing domains
• Well-defined and controllable ingress/egress points for data transport
• Methods of controlled collaboration between VNs, or between a VN and shared resources (e.g. Internet connection), may be defined
• May potentially be extended over a (virtualized) WAN
What Can/Has to Be Virtualized?
• Network devices
  • Control plane, data plane, management plane
  • Including virtual devices in capacity hosts
• Network transport (links)
  • L2/L3 VPN technologies
• Network services
  • DHCP, AAA, …
  • Including handling of security policies
• Servers (workload)
• Virtualized access links
Policies in Traditional Networks
• Security (and other) policies implied by physical location
  • Location in the (logical) network topology with regard to physical firewall interfaces
  • Applicable only if user groups are physically separated, or by using widespread VLANs
Today's Policy Requirements (1)
• Users from different groups coexist at the same physical location
  • Employees + in-house consultants on employee premises
  • Employees + guests + 3rd-party staff in a physical meeting room
  • Isolated intelligent building subsystems
• User's policies independent of the user's current location
  • Network attachment policy "roams" with the user
• Operation of virtual teams
  • Shared (temporary) virtual networking environment accessible to virtual team members only
Today's Policy Requirements (2)
• The same (shared) physical device may get different privileges depending on the actual user that logged in and on the OS status
• Policy assignment/configuration based on the result of the authentication process (authorization)
• Quarantine subnet for infected/non-patched/policy-non-compliant computers
• Restriction of access to network resources to fulfil legal regulations
  • Health and insurance data, financial data, …
• Service centralization (for multiple customers)
  • Firewall, anti-spam, anti-virus, IDS/IPS, load-balancer, …
Traditional Transport Separation Methods
• Traffic filtering (access lists)
  • Has to be implemented (consistently) in all network parts
  • Non-uniform: locally significant information (addresses) is used as the filtering criterion
• Policy-based routing
  • Static routing with additional constraints
    • Source interface, source address, etc.
Transport Virtualization
• 802.1Q, QinQ
• "Colored" routed packets (DSCP, etc.)
• MPLS, MPLS VPN
• L2TPv3
• PseudoWires, VPLS
• GRE
• IPsec
• …
Device Virtualization (1)
• Management plane virtualization
  • Multiple logical partitions separated from the administration perspective
  • Common data plane (HW)
  • Common/separated control plane (if any)
Device Virtualization (2)
• Control plane structures / forwarding table virtualization
  • VRFs: virtual routers
    • + VRF-aware routing protocols / multi-topology routing
  • VLANs/VFIs: virtual switches
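The two properties that VRFs give a virtual network (independent address spaces and routing domains, and controlled collaboration with shared resources such as an Internet connection) can be shown with a small per-VRF forwarding table. The following is an added example, not code from the lecture or from any vendor; the class name VrfFib, the leak() operation and the tenant/next-hop names are constructed for the illustration. Two tenants both use 10.0.0.0/8, a lookup is a longest-prefix match inside one VRF only, and a default route is leaked from a shared "internet" VRF as the one explicitly permitted point of collaboration:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical per-VRF forwarding table (added illustration, not the lecture's
# code).  Each VRF owns an independent routing domain, so the same prefix may
# exist in several VRFs with different next hops, and a lookup never consults
# another VRF's table unless a route was explicitly leaked into it.
Route = Tuple[ipaddress.IPv4Network, str]


class VrfFib:
    def __init__(self) -> None:
        self._tables: Dict[str, List[Route]] = {}

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        self._tables.setdefault(vrf, []).append((net, next_hop))

    def lookup(self, vrf: str, dst: str) -> Optional[str]:
        """Longest-prefix match restricted to one VRF; None if the VRF has no route."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, next_hop in self._tables.get(vrf, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def leak(self, src_vrf: str, prefix: str, dst_vrf: str) -> None:
        """Controlled collaboration: copy exactly one prefix from src_vrf into dst_vrf."""
        net = ipaddress.ip_network(prefix, strict=True)
        for route_net, next_hop in self._tables.get(src_vrf, []):
            if route_net == net:
                self.add_route(dst_vrf, prefix, next_hop)
                return
        raise KeyError(f"{prefix} not present in VRF {src_vrf}")


def build_demo_fib(leak_internet: bool) -> VrfFib:
    # Constructed sample: two tenants both numbered from 10.0.0.0/8, plus a
    # shared "internet" VRF whose default route is optionally leaked to them.
    fib = VrfFib()
    fib.add_route("red", "10.0.0.0/8", "red-core")
    fib.add_route("red", "10.1.0.0/16", "red-site1")
    fib.add_route("blue", "10.0.0.0/8", "blue-core")
    fib.add_route("internet", "0.0.0.0/0", "inet-gw")
    if leak_internet:
        fib.leak("internet", "0.0.0.0/0", "red")
        fib.leak("internet", "0.0.0.0/0", "blue")
    return fib


if __name__ == "__main__":
    fib = build_demo_fib(leak_internet=True)
    for vrf in ("red", "blue", "internet"):
        for dst in ("10.1.2.3", "10.9.9.9", "198.51.100.7"):
            print(f"{vrf:8} {dst:14} -> {fib.lookup(vrf, dst)}")
```

Note that the leak is one-directional and prefix-specific: the "internet" VRF still resolves 10.1.2.3 to its own default route and never learns either tenant's 10.0.0.0/8, which is the behaviour a VRF route-target import/export policy is meant to enforce on real devices.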
Device Virtualization (3)
• Virtual device contexts (VDCs)
  • Process-level (para)virtualization
    • Often Linux-kernel-based
  • Virtual device contexts (VDCs) act as failure domains
    • A process crash cannot influence other VDCs
• Resource virtualization (hypervisor level)
  • CPU, memory, TCAMs, peripherals, …
  • VDC resource consumption limits should be defined for shared resources (e.g. memory)
  • Dedicated resources (e.g. physical ports) have to be assigned to a particular VDC
  • Global resources (e.g. HW-assisted broadcast storm control)
Device Pooling/Clustering
• Multiple routers with FHRP
  • VRRP, HSRP, GLBP
  • Normally on the "user" side only
  • Sometimes also for returning traffic
    • Datacenter "ladder"
• Device stacking
• Solutions like Cisco VSS, vPC, etc.
  • Use Multichassis EtherChannel
  • No special config on the subordinate device side
  • Reduces STP complexity
  • Limits the number of routing adjacencies
An Example: Fully Overlaid VNs Using VLANs and VRFs
• Pros and cons from configuration & operation perspectives
Advantages of Network Virtualization
• Lower number of physical devices
  • Lower cost, less space consumption, lower power/cooling requirements
• Multiple (virtualized) devices with separate roles and simpler configurations
  • Possibility to keep "known good" scalable, stable and secure designs (e.g. 3-tier model)
  • Better predictable data paths
  • Limits security concerns
  • Less risk of unexpected software behaviour because of unusual or too complicated config
  • Easier to manage
Virtualizing Network Infrastructures: One Kind of SDN
• Instant deployment
• Operation flexibility, easy upgradeability
• Same advantages as apply to generic workload VMs
• Server and application admins are not dependent on stupid networking guys anymore ;-))
  • … and may start to create their own uncontrolled and very inefficient mess...
Interconnection with Virtualized Hosts
• VMware servers hosting multiple virtual machines
• Servers often act as "capacities" for VMs that may migrate between hosting servers
  • VM migration based on a human command or on automatic load-balancing and power-saving mechanisms
    • Manual operation: capacity server maintenance, disaster recovery, ...
• Network connectivity and security policies have to be "moved" with the VM as needed
• Results in the requirement to span all (user) VLANs over the whole datacenter access/aggregation layer
  • ALS/DLS platforms have to have reasonable limits on the numbers of supported VLANs and STP instances
Virtualized Switches on VM-Hosting Platforms
• Associate VMs' virtual NICs with VLANs
• Accomplishes local switching + provides external connectivity (trunk)
  • Multiple trunk lines may act separately by "pinning" each virtual NIC to one particular line, or link aggregation may be used
    • Virtualized SW resides between the VM and the physical uplink
• One or multiple vSwitch instances per hypervisor
  • Also 3rd-party vSwitches implemented using the VMware vSwitch API
  • May also implement vendor-specific functions, which is useful for consistent capabilities over all network devices
• Additional tier in the traditional tiered DC model
• Managed either by server management personnel or by the NOC (they need to cooperate)
• May support EtherChannel (LACP), (R)STP, CDP, …
• Configured from the hosting server console or externally
  • Using various vendors' CLIs (e.g. Cisco Nexus 1000V virtual switch)
Distributed Virtual Switch (e.g. Nexus 1000V by VMware + Cisco)
• Avoids the need to configure dozens of separate vSwitches
• Separate data planes (virtual switch modules), common control plane (virtual switch controller + VMware vCenter)
• Network connectivity managed at the ESX cluster level
• Support for datapath shortcuts and for diverting traffic to virtualized services
  • vPath technology
Cisco Virtual Network Link (VN-Link)
• Logical link between a vNIC on a VM and a VN-Link-enabled physical switch
• Logical equivalent of the cable between a NIC and an ALS port
• ALS Virtual Ethernet (vEth) interfaces that correspond to connections to individual vNICs are created dynamically
• A vEth maintains network configuration and state for a given virtual interface even if the VM moves between servers
  • Port statistics, 802.1X state, ACLs, NetFlow, SPAN sessions, …
Network Interface Virtualization
• Extends vNICs to the external hardware switch
  • No local switching
• Virtual hosts handled the same way as physical ones
• vSwitch replaced by an "interface virtualizer"
• Attached VNTag uniquely identifies the individual vNIC
• NIV standard proposal:
  • http://www.ieee802.org/1/files/public/docs2008/new-dcb-pelissier-NIC-Virtualization-0908.pdf
VXLANs
• 4k of traditional VLANs is not sufficient for multitenant DC implementations
• VXLANs = virtualization of VLANs using an L3 overlay
  • UDP tunnels between VXLAN-capable hypervisors
  • Extended VLAN ID
• VXLAN GW to the traditional network translates to legacy VLANs
• Some solutions use some sort of GRE instead
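Two of the transport virtualization methods listed earlier (802.1Q and QinQ tag stacking) and the VXLAN overlay described on this slide can be seen side by side in one decoder. The following is an added example, not code from the lecture or from any VXLAN implementation; the function names, the constructed frame builder and all MAC/IP addresses are assumptions made for the illustration. The parser walks stacked VLAN tags (12-bit VID each), then strips the IPv4/UDP/VXLAN headers (UDP port 4789, 24-bit VNI) to recover the tenant's inner frame, which carries its own, independent VLAN tag:

```python
import struct
from typing import Dict, List, Tuple

# Added illustration, not the lecture's code.  Header layouts follow IEEE
# 802.1Q / 802.1ad (4-byte tag: TPID + TCI, VID in the low 12 bits) and the
# VXLAN encapsulation (UDP port 4789, 8-byte header with a 24-bit VNI).
TPID_8021Q = 0x8100       # customer tag
TPID_8021AD = 0x88A8      # service (outer) tag used by QinQ
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08
VLAN_ID_BITS = 12         # 4094 usable VLANs
VXLAN_VNI_BITS = 24       # about 16 million segments


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int, int]:
    """Walk the (possibly stacked) VLAN tags after the two MAC addresses.

    Returns (list of VIDs outer-to-inner, payload EtherType, payload offset).
    """
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype, offset + 2
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)   # drop PCP/DEI, keep the 12-bit VID
        offset += 4


def decap_vxlan(frame: bytes) -> Dict[str, object]:
    """Strip outer Ethernet/VLAN, IPv4, UDP and VXLAN headers; return VNI and inner frame."""
    outer_vids, ethertype, ip_off = parse_vlan_tags(frame)
    if ethertype != ETHERTYPE_IPV4 or ip_off + 20 > len(frame):
        raise ValueError("outer payload is not a complete IPv4 packet")
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = ip_off + ihl
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, udp_off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    if vx_off + 8 > len(frame):
        raise ValueError("truncated VXLAN header")
    if not frame[vx_off] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    return {"outer_vids": outer_vids, "vni": vni, "inner_frame": frame[vx_off + 8:]}


def build_vxlan_frame(outer_vids: List[int], vni: int, inner_frame: bytes) -> bytes:
    """Constructed sample encapsulation (checksums left zero; not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i, vid in enumerate(outer_vids):
        tpid = TPID_8021AD if (i == 0 and len(outer_vids) > 1) else TPID_8021Q
        eth += struct.pack("!HH", tpid, vid & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + udp + vxlan + inner_frame


def demo() -> Dict[str, object]:
    # Constructed tenant frame: VLAN 100 carrying ARP, transported inside VNI
    # 0xABCDEF across a QinQ-tagged (S-VLAN 200, C-VLAN 300) underlay.
    inner = (bytes.fromhex("deadbeef0001") + bytes.fromhex("deadbeef0002")
             + struct.pack("!HH", TPID_8021Q, 100) + struct.pack("!H", 0x0806) + b"\x00" * 28)
    return decap_vxlan(build_vxlan_frame([200, 300], 0xABCDEF, inner))


if __name__ == "__main__":
    result = demo()
    print("outer VIDs:", result["outer_vids"], "VNI:", hex(result["vni"]))
    print("inner tags:", parse_vlan_tags(result["inner_frame"])[0])
```

The point a gateway or an IDS has to get right is that the outer VIDs, the VNI and the inner VID are three separate identifiers: the tenant's VLAN 100 means nothing to the underlay, and only the VNI (2^24 values versus 2^12 for a VLAN) identifies the segment once the frame is on the L3 overlay.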
Virtualization Cons
• Maintaining separate networks may increase availability
  • In some cases, if there are no other production-process-oriented dependencies
• Tighter coordination between server and network teams has to be set up
• More complex system operation
  • More difficult to troubleshoot
Virtualization and Network Resiliency
• Virtualization is NOT a method to increase network resiliency
  • Although having redundant virtualized device contexts on different physical devices can be a way to do it
• Care must be taken not to compose redundant solutions from (virtual) components virtualized on the same physical resource
  • Network processor, cable, …
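The shared-fate problem on this slide (two "redundant" contexts that in fact sit on the same network processor or cable) is mechanical enough to audit from an inventory. The following is an added example, not code from the lecture or from any inventory tool; the dependency map, the redundancy group names and the resource names (chassis, network processor, fiber duct) are constructed for the illustration. Each virtual component is resolved transitively to the physical resources it depends on, and a redundancy group is flagged when two of its members share any of them:

```python
from typing import Dict, Iterable, List, Set

# Added illustration, not the lecture's code.  A dependency map records what
# each virtual component is built on; leaf names (no entry of their own) are
# physical resources.  All names below are constructed for the example.
Deps = Dict[str, Set[str]]

DEPS: Deps = {
    "rtr-A": {"vdc-1"}, "rtr-B": {"vdc-2"}, "rtr-C": {"vdc-3"}, "rtr-D": {"vdc-4"},
    "vdc-1": {"chassis-1", "np-1", "fiber-duct-7"},
    "vdc-2": {"chassis-1", "np-1", "fiber-duct-8"},
    "vdc-3": {"chassis-2", "np-2", "fiber-duct-7"},
    "vdc-4": {"chassis-3", "np-3", "fiber-duct-9"},
}

# Redundancy groups (e.g. FHRP groups) whose members are meant to protect each other.
GROUPS: Dict[str, List[str]] = {
    "hsrp-10": ["rtr-A", "rtr-B"],   # two VDCs on the same chassis and network processor
    "hsrp-20": ["rtr-A", "rtr-C"],   # different chassis, but the uplinks share one cable duct
    "hsrp-30": ["rtr-C", "rtr-D"],   # fully disjoint
}


def physical_footprint(component: str, deps: Deps) -> Set[str]:
    """Transitively resolve a component to the set of physical resources it depends on."""
    footprint: Set[str] = set()
    seen: Set[str] = set()
    stack = [component]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in deps:
            stack.extend(deps[node])
        else:
            footprint.add(node)          # leaf: a physical resource
    return footprint


def shared_fate(members: Iterable[str], deps: Deps) -> Set[str]:
    """Physical resources on which two or more members of a redundancy group depend."""
    counts: Dict[str, int] = {}
    for member in members:
        for res in physical_footprint(member, deps):
            counts[res] = counts.get(res, 0) + 1
    return {res for res, n in counts.items() if n >= 2}


def audit(groups: Dict[str, List[str]], deps: Deps) -> Dict[str, Set[str]]:
    """Map every redundancy group to its shared-fate resources (empty set = truly redundant)."""
    return {name: shared_fate(members, deps) for name, members in groups.items()}


if __name__ == "__main__":
    for name, shared in audit(GROUPS, DEPS).items():
        verdict = "OK" if not shared else "shared fate: " + ", ".join(sorted(shared))
        print(f"{name}: {verdict}")
```

The second group is the interesting one: its members live on different chassis, which is what a casual review checks, yet both uplinks run through the same duct, so one cut takes down both. Recording cables, power feeds and network processors as leaf resources in the map is what makes the audit catch this.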