Virtual Machine in Data Center Switches Huawei Virtual System

Transcription

1 Virtual Machine in Data Center Switches Huawei Virtual System

2 Contents 1 Introduction VS: From the Aspect of Virtualization Technology VS: From the Aspect of Market Driving VS: From the Aspect of Architecture VS Software Architecture VS System Resources VS Management and O&M VS: From the Aspect of Application Scenario Summary Huawei confidential. No spreading without permission. Page 2 of 12

3 1 Introduction Virtualized applications of servers are emerging in the cloud computing era. Virtual machines (VMs) have increased the use efficiency of physical computing resources while reducing IT system operation and maintenance (O&M) costs. In addition, VM dynamic migration enhances system reliability, flexibility, and scalability. Virtual machines can be used on many network devices that function as critical network elements. This article describes the necessity of virtualizing one physical device into multiple virtual devices. Specifically, this article takes the next-generation Huawei Virtual System (VS) as an example to describe the virtual machine's architecture, application scenarios, and benefits for customers. 2 VS: From the Aspect of Virtualization Technology Cloud computing technologies virtualize IT resources. The virtualized IT resources have become similar to other household utilities such as electricity. Users can obtain the virtualized IT resources on demand. Virtualization is one of the critical cloud computing technologies. Virtualization on different layers abstracts physical resources using the virtualization technology to share or isolate cloud resources. According to analysis from International Data Corporation (IDC), after virtualization is introduced into cloud computing, resource use efficiency is increased from 15% to 80%. Various universal hardware devices are used. In addition, IT resource O&M costs are reduced by tens of times. Virtualization in the cloud computing era consists of computing virtualization, storage virtualization, and network virtualization. Similar to server virtualization and desktop virtualization, network virtualization allows users to obtain network resources on demand. Network virtualization also implements flexible service deployment and isolation, bringing great advantages for cloud network users. There are two types of network virtualization: N-to-1 and 1-to-N. In N-to-1 virtualization, multiple physical network resources are virtualized as a logical resource such as the stacking and cluster technology. In 1-to-N virtualization, one physical resource is virtualized into multiple logical resources. Typical examples of 1-to-N are channel virtualization and service virtualization. Channel virtualization has been widely used in traditional networks. Logical channels are provided over the network so that user traffic can be isolated, Huawei confidential. No spreading without permission. Page 3 of 12

4 controlled, and processed using various VPN, VLAN, and QinQ technologies. Multi-instance services are logically isolated using MSTP multi-process or virtual firewalls. Channel virtualization and service virtualization are partial virtualization technologies that apply to certain application scenarios. In many scenarios, network administrators have to integrate multiple virtualization technologies. Such technology integration makes network deployment and O&M complicated. To simplify virtualization, a system-level virtualization technology is required, that is, network device virtualization. This technology virtualizes the entire network device, but is not limited to certain services or channels. 1-to-N virtualization uses the same mechanism as virtual machines in data centers. 3 VS: From the Aspect of Market Driving The continuous expansion of information and communications technology (ICT) networks, particularly the data center network, has enriched network services but complicated network management. Accordingly, the ICT networks pose high requirements on network attributes such as service isolation, security, and reliability. As hardware capabilities on networks are greatly improved, multi-chassis, cluster, and distributed routing and switching system are rapidly developing. Service processing capabilities of a single physical network device continue to reach unprecedented high levels. Effectively utilizing these high levels of service processing can meet current service requirements and implement seamless network migration? The following network problems and concerns are key aspects customers face: (1) Contradiction Between High Device Investment Costs and Low Device Resource Use Efficiency The rapid development of data centers and expanded ICT infrastructure have resulted in the following disadvantages: The maintenance cost is considerably increased. The number of network devices continuously grows. The network investment cost surges. O&M costs, power consumption of devices, and space in equipment rooms keep rising. Network construction can be a slow process. To effectively cope with sharp increases in data center services during this time, customers generally select network devices with higher capacity than services actually require. As a result, the workload of current network devices is inevitably imbalanced, and in some cases the use efficiency of these devices is lowered. (2) Contradiction Between Centralized Multi-User Processing on Network Devices and Simplified Network Management, Isolation, and O&M The large expansion and centralized evolution of data centers have spurred customers to integrate services from various interior and exterior user clusters at different departments. These services are processed on data center networks in a centralized manner. Services from various user groups are often processed on the same network device. These user groups are distributed in production, R&D, and marketing departments. There are significant differences in service security, performance, and reliability of these user clusters. Each user group must have high management and isolation capabilities, and each department needs to deploy, manage, and maintain its own services independently from others. Network management personnel are challenged by how to effectively Huawei confidential. No spreading without permission. Page 4 of 12

5 manage and isolate user groups and how to reduce the Operating Expense (OPEX). Centralized processing of services streamlines network management. (3) Contradiction Between Centralized Multi-Service Processing on Network Devices and Reliable and Secure Service Isolation The development of next-generation data centers brings new network technologies, such as transparent interconnection of lots of links (TRILL), MAC in IP, Fiber Channel over Ethernet (FCoE), and various inter-data center connection technologies. Customers require the services processed on networks be diversified. As a result, the processing capabilities and services on data center networks are enriched. Next-generation data centers urgently need to allow network devices to independently process these services using various technologies. Critical services of customers are migrated to cloud data centers, so next-generation data centers put higher requirements on the reliability and security of network devices than traditional data centers. The market-driven network devices can provide capabilities similar to those of the virtual machine. After the virtual machine is introduced in data center switches, multiple virtualized devices can be deployed on a physical device. These virtualized devices manage various user groups and process various services. Accordingly, the device resource use efficiency is significantly increased. 4 VS: From the Aspect of Architecture The virtual machine in data center switches removes barriers between physical devices, changing physical device resources into manageable logical resources. These logical resources run transparently on a physical device platform, implementing isolation and on-demand distribution of resources. The Huawei VS is a key feature of Huawei Cloud Fabric Data Center Solution. The Huawei VS provides the technical architecture of network device virtualization, dividing multiple logical or virtual systems on the physical devices. Each VS is a virtual machine on a network device and can be independently configured, managed, and maintained. In addition, each VS is isolated from other VSs, running and processing network services independently. Data center networks process various services and serve various user groups using the VS on physical devices, implementing the following functions: Enables service isolation and improves network reliability and security. Increases device use efficiency. Reduces users' investment. Enables isolation between user groups and manages user groups. Simplifies network O&M Huawei confidential. No spreading without permission. Page 5 of 12

6 To put the virtualization technology into effect, devices must be abstracted, isolated, and encapsulated. The VS architecture is built into the following modes: Abstraction The software system of physical devices is abstracted into multiple virtual machines. The virtual machine has an independent and logical control and service panel, forwarding panel, and management panel. The hardware system resources are abstracted into standardized virtual hardware to meet uses' requirements. The standardized virtual hardware includes ports, boards, memory, and central processing unit (CPU) resources. Isolation Process-level isolation is implemented between multiple virtual machines that run on the same physical device. The abstracted virtual hardware is managed as a virtual machine. Moreover, VSs do not affect each other. Encapsulation The virtual machine is encapsulated independently from the virtual context on a specific physical device. Full-service and distributed capabilities and the fine-grained, multi-process mechanism of Huawei VRPv8 are used to build system-level dynamic migration capabilities. These system-level dynamic migration capabilities enable the flexible service deployment and improvement of virtual machine reliability as well as device use efficiency. 5 VS Software Architecture The VS uses a virtual, fine-grained, elastic, and distributed architecture. The entire VS is constructed based on full-service and distributed middleware of Huawei VRPv8. Similar to Hypervisor in the server virtual machine, VS control components uniformly schedule and manage multiple VSs. The control components virtualize the control and service plane, data plane, and management plane so that each VS can independently deploy services, upload configuration files, and control network management. Furthermore, the control components enable the VS to provide physical device capabilities. The VS also uses the full-service and distributed capabilities to implement fine-grained and distributed deployment of services. For example, various VS service modules can be distributed on different boards, which substantially increases the hardware resource use efficiency Huawei confidential. No spreading without permission. Page 6 of 12

7 The virtual control and service plane transmits network control protocols and processes user services. Both network reliability and secure isolation are critical. The VS can run in different processes and provides fine-grained process control. The VS uses inter-process isolation and exclusive virtual memory space to prevent control protocols and services from affecting each other. Therefore, VS service reliability and secure isolation capabilities are considerably consolidated. The fine-grained process control mechanism sharply reduces the expense of each VS, and allows a physical device to virtualize 16 VSs simultaneously. The virtual forwarding plane uses independent forwarding environments and port resources. Data traffic of each VS is separated to ensure service isolation and security. The virtual management plane sets an independent management domain for each VS. This plane ensures service isolation in user, log, and alarm management and file configuration. Each VS is able to access only its own management information, therefore ensuring the independent management capability of each VS. 6 VS System Resources Physical device hardware system resources, including ports, boards, memory, and CPU resources, are virtualized into multiple VSs. Each VS has independent hardware resources. For example, when a port is designated to a specified VS, the VS occupies the port exclusively. Such virtualization ensures isolation between VSs and simplifies VS migration in devices. To ensure system resource use efficiency, certain system resources can be shared. For example: Multiple VSs can be flexibly deployed so that they can share the same MPUs and line cards. IPv4 and IPv6 route tables as well as VLAN and VRF resources can be shared by multiple VSs. Each VS's specifications are set to ensure appropriate distribution and use of system resources Huawei confidential. No spreading without permission. Page 7 of 12

8 VLAN IDs of different VSs can overlap. Two VSs can share a physical port using logic port isolation, which saves physical links and networking costs. Therefore, each VS on a physical device can use system resources on demand. 7 VS Management and O&M Key concerns of the virtual machine in data centers involve effective management and O&M of multiple user clusters. The VS control components and the virtual management plane play a significant role in VS O&M. After a VS is created, it can be independently controlled and managed in the same way as a physical device. For example, a VS can be reset and suspended, and can switch services and allocate resources based on service requirements. Services can be deployed and configurations can be delivered independently in the VS view. Only specific network administrators can perform control and management as well as service deployment in the VS. Network administrators that have not been assigned rights to access the VS are unable to perform these tasks, allowing enterprise departments to manage their services independently. Each VS has its own file systems, configuration files, logs, alarms, and network management servers, implementing independent O&M. Each VS has exclusive network management channels and isolation rights, meeting multiple user clusters' requirements for independent management and secure isolation. This network management mode is called independent management mode. Each VS is managed as an independent network element that has its own topology. To satisfy customers' various network requirements, the VS also provides the unified management mode. In this mode, each VS is uniformly managed on a physical network element and does not have its own topology. The unified management mode is applicable to service isolation. The independent management mode integrates service isolation and network isolation, while still independently managing the network Huawei confidential. No spreading without permission. Page 8 of 12

9 8 VS: From the Aspect of Application Scenario The virtual machine brings in many new applications. This section describes the VS benefits in certain application scenarios. Market Driving 1: Contradiction Between High Device Investment Costs and Low Device Resource Use Efficiency Application Scenario 1: Network Node Virtualization The VS is divided by network node. For instance, when two longitudinal VSs are divided at the core layer and aggregation layer, a single physical device meets the networking requirement for two physical devices. When two horizontal VSs are divided, the number of virtualized network devices decreases by half. With the same logic topology, the VS provides the following benefits in this application scenario: Reduces the number of physical network devices and reduces O&M costs. Improves device use efficiency. Reduces the power consumption of devices such as power modules and fans, as well as auxiliary devices including equipment rooms and air conditioners. Provides consistent service and management experience. Core layer Core layer VS 1# VS 1# Longitudinal Aggregation layer VS 2# Aggregation layer VS 2# Latitudinal VS 1# VS 2# VS 1# VS 2# Huawei confidential. No spreading without permission. Page 9 of 12

10 Market Driving 2: Contradiction Between Multi-Service Centralized Service Processing on Network Devices and Reliable and Secure Service Isolation Application Scenario 2: Service Virtualization The VS is divided by service. There is uncertainty and risks in service pilot projects. Deploying a specific service in an independent AS can reduce possible interference with other services. As shown in the following figure, Layer 3 services are deployed in VS 1, and Trill services are deployed in VS 2. In this application scenario, after services are isolated using VS assignment, services appear to run on an independent device. In addition, service resources are protected, and isolation security is enhanced. Internet WAN Layer 3 services Trill services VS 1# VS 1# VS 2# VS 2# Layer 3 services Trill services Market Driving 3: Contradiction Between Multi-User Centralized Service Processing on Network Devices and Simplified Network Management, Isolation, and O&M Application Scenario 3: User Cluster Virtualization The VS is divided by network user cluster. For example, the VS can be divided by the following types of user clusters: User service departments including production, R&D, marketing, customer service, and network management departments User attributes including the intranet, DMZ, and extranet User types such as users in financial services, including inner office, online banking services, and credit card services. In this application scenario, the VS provides the following benefits: Network service isolation and fault isolation are enabled between user clusters, which ensures high service reliability and security. Independent network management is enabled between user clusters, which prevents information security risks Huawei confidential. No spreading without permission. Page 10 of 12

11 Application Scenario 4: Multi-Tenant Application In the public cloud, VSs are assigned by VIP tenant. VSs can be assigned at the core and aggregation layers on demand. Tenants can be divided in VLANs at layers below the VS. As shown in the following figure, VS 1 serves tenant A, and VS 2 serves tenant B. Applying the VS in multi-tenant scenarios has advantages when compared to the VRF isolation mode. These advantages include flexible service deployment, simplified O&M, streamlined management, high reliability, and secure isolation. Therefore, the VS can meet VIP customers' requirements for high-quality services Huawei confidential. No spreading without permission. Page 11 of 12

12 9 Summary Virtual Machine in Data Center Switches--Huawei Virtual System This article describes the significance and values of virtual machines in data center switches from the aspects of virtualization evolution, marketing driving, architecture technology, and application scenario. The Huawei VS uses new-generation virtualized architecture and provides the following functions: Helps customers to flexibly construct virtual machines in data center switches. Simplifies multi-user management. Improves service reliability and security. Makes full use of network device resources to lower customers' investment costs. Furthermore, the Huawei VS integrates with other virtualization technologies such as Cluster Synchronization Services (CSS) to separate or combine network devices on demand. The Huawei VS also provides flexible and scalable services to build data center networks into elastic and virtualized cloud networks, with the goal of assisting customers in boosting their services in the cloud computing era Huawei confidential. No spreading without permission. Page 12 of 12