WHITE PAPER
SOLUTIONS FOR DEPLOYING SERVER VIRTUALIZATION IN DATA CENTER NETWORKS
Copyright 2010, Juniper Networks, Inc.
Table of Contents
Executive Summary
Introduction
What is Server Virtualization?
Why Is Server Virtualization Growing?
Network Problems Attributed to Server Virtualization
  Speed
  Scale
  Security
  Switching
  Simplified Management
Juniper Networks Comprehensive Solutions for Server Virtualization Environments
  Speed: Collapsing Layers and Reducing Complexity with Virtual Chassis Technology
  Scalability: Using Virtual Chassis Technology to Support Live Server Migration
  Security: Consistent Policies for the Physical and Virtual Network
  Switching: Reducing Demands on Physical Servers
  How Does VEPA Work?
  How Does Junos Space Virtual Control Work?
Conclusion
Appendix A: Juniper Virtual Server Networking Solution in a Nutshell
About Juniper Networks

Table of Figures
Figure 1: Virtualized server
Figure 2: Network view of virtual machines
Figure 3: Multi-tenancy breaks the one server, one OS, one application rule
Figure 4: VM mobility means that applications and their operating systems are no longer persistently bound to a single physical server
Figure 5: The 5 Ss required for supporting server virtualization
Figure 6: EX4200 Virtual Chassis technology eliminates the need for an extra hop
Figure 7: Scaling VM motion across any two servers
Figure 8: Altor VF (virtual firewall) and the SRX Series secure the VMs inside the physical server and when VMs move within the network
Figure 9: VEPA components
Figure 10: Consistent management of the physical and virtual network from Junos Space Virtual Control
Figure 11: Junos Space Virtual Control
Executive Summary

Server virtualization has become one of the most widely deployed technologies in data centers today due to its ability to reduce costs, increase resource utilization, and improve IT responsiveness and flexibility without requiring significant infrastructure changes. In spite of its benefits, however, server virtualization also imposes certain requirements on the data center network. These can be summarized as the need for improvement in five key areas: speed, scalability, security, switching, and management simplification.

Introduction

This white paper discusses the challenges facing IT organizations planning to deploy server virtualization technology in data center networks, and it describes how to address these challenges with solutions from Juniper Networks.

What is Server Virtualization?

Server virtualization is a method of running multiple independent virtual operating systems on a single physical server. The server administrator uses a software application called a hypervisor to divide one physical server into multiple isolated virtual environments called virtual machines, or VMs. Each VM shares the physical resources of the host system, including the CPU, memory, network interface card (NIC), and disk, as shown in Figure 1.

[Figure 1: Virtualized server (applications and operating systems running on a hypervisor virtualization layer over Intel architecture CPU, memory, NIC, and disk)]

From a network perspective, virtualized servers look exactly like multiple servers connected to a single physical port. Each VM is assigned a virtual media access control (MAC) address, and traffic from each VM appears to emanate from a different virtual NIC (VNIC) (see Figure 2). To manage intra-server traffic between VMs, the hypervisor includes a software-based switch called a virtual switch.

A virtual switch works much like a physical Ethernet switch: it detects which VMs are logically connected to each of its virtual ports and uses that information to forward traffic to the correct destination. A virtual switch can be connected to physical switches using Ethernet adapters, also referred to as uplink adapters, to merge virtual networks with physical networks. This is similar to connecting physical switches to create a larger network. However, although virtual switches work much like physical switches, they do not have the same level of advanced functionality.
[Figure 2: Network view of virtual machines (Virtual Machine 1, 2, and 3, each with its own VNIC, connected through the virtual switch and the physical NIC to an external switch and the Internet)]

Why Is Server Virtualization Growing?

Server virtualization delivers a rapid ROI, and is by far the most popular and widely deployed of all virtualization technologies. According to IDC, 39 percent of businesses surveyed have already deployed server virtualization technology, while 54 percent are in the process and another 5 percent are in the evaluation stage. In a survey of 2,600 technology decision makers in the U.S. and Europe, Forrester Consulting found that 53 percent of enterprises and 54 percent of small and medium-sized businesses have either implemented x86 server virtualization technology or will within the next 12 months.

Several issues are driving the rapid adoption of server virtualization in today's enterprises and small and medium-sized businesses.

Low server utilization: Most workloads today run at anywhere from 5 to 25 percent of capacity. By grouping several of these workloads on a single server, more efficient resource utilization can be achieved.

Business continuity: Because it inherently increases high availability, fault tolerance, and disaster recovery capabilities, server virtualization improves business continuity.

Performance improvements of x86 servers: The performance of x86-based systems has improved dramatically over the past several years, making these systems (which have largely replaced mainframes in the data center due to their low upfront costs) a viable choice for server virtualization.

Dynamic resource scheduling: Server virtualization enables workloads to be automatically redistributed in real time to avoid load spikes. Using the live migration feature of the hypervisor, resource scheduling software can move a running VM (without interruption) to a server with more available resources, or it can spin up additional instances to assist with the load, allowing business processes to complete uninterrupted.
Network Problems Attributed to Server Virtualization

While server virtualization clearly has its benefits, it also poses some unique challenges by introducing two new concepts to the data center network: multi-tenancy and VM mobility.

Multi-tenancy: Until recently, data center networks were designed under the assumption that each end node was connected to an access port on a switch, which in turn connected to a server running a single image, that is, a single instance of an operating system and a single instance of a given application. With server virtualization, however, this is no longer true, since a single server can run multiple VMs with different operating systems and support multiple applications. This introduces the need for more sophisticated traffic isolation, policy management, and network configuration capabilities on a per-VM basis (see Figure 3).

[Figure 3: Multi-tenancy breaks the one server, one OS, one application rule (before: one OS per hardware platform; after: a hypervisor hosting several guest OSs on one hardware platform)]

VM mobility: In legacy data centers, applications and operating systems are installed on, and typically remain associated with, a single physical device. With server virtualization and live server migration (for example, VMotion for VMware), applications and their associated operating systems are no longer persistently bound to a specific physical server (see Figure 4).

[Figure 4: VM mobility means that applications and their operating systems are no longer persistently bound to a single physical server (virtual infrastructure)]
To overcome the issues posed by multi-tenancy and VM mobility, networks must address five specific challenges in order to support server virtualization (summarized as the "5 Ss"): speed, scale, security, switching, and simplified management (see Figure 5). Each of these challenges is described below.

[Figure 5: The 5 Ss required for supporting server virtualization: speed, security, scale, switching, simplified management]

Speed

When VMs migrate to a different server location, their network and security profiles must move along with them. To achieve this without interrupting business operations, the network must deliver very high performance and sufficient cross-sectional bandwidth.

Scale

Traffic for a particular application is usually carried on a certain VLAN. Server virtualization, however, complicates matters in terms of scalability. As the number of VMs multiplies, and as the frequency of VM migration increases, the network needs to support scalability in two different ways:

1. It must be able to support more VLANs and their associated tables (such as for VLAN-based security, quality of service, etc.) in the networking devices.

2. Since VM migration requires Layer 2 adjacency between the source and destination servers, the larger the L2 adjacency pool, the larger the number of servers that can participate in live server migration. Since Layer 2 adjacency requires the same VLAN to be present at the source and destination, the network must allow VLANs to span multiple servers in a single data center, or even span multiple data centers.

In an ideal network, the physical location of the server should be irrelevant to the server administrator: whether the VM is moving to an adjacent rack, to the end of a row, or to a completely different data center, the VM migration should be seamless and transparent.
Security

While there are tools that provide visibility into traffic carried over physical networking devices, the virtual ports inside servers remain mysterious and invisible, with virtually no way to identify interactions between VMs. This lack of visibility makes securing the virtual environment a huge challenge. Say, for example, that a VM workload controlled by the Health Insurance Portability and Accountability Act (HIPAA) is communicating with a non-HIPAA VM workload. While this would create severe compliance issues, the network or security administrator would never know, since the traffic may never exit the physical server. Furthermore, since VM-to-VM traffic inside the host effectively occurs on a private LAN, it is virtually impossible to inspect or protect traffic inside this dead zone.

Securing mobile VMs is a tremendous challenge, since there is no guarantee of where information may reside at any given time. What's needed is a set of virtualized security controls, such as virtual sniffers and virtual firewalls: essentially the same types of tools available to secure physical servers, but designed for monitoring and securing the invisible virtual networks that exist within servers.

Switching

Since server virtualization requires local switching between different VMs within the same server, it effectively pushes the network access layer inside the servers themselves. To provide this functionality, hypervisor vendors currently include a software-based virtual switch along with their hypervisor software. However, there are two specific problems with this implementation:

1. Since the virtual switch is implemented in software, it lacks the performance, features, and scalability of physical switches, attributes that are increasingly important as server virtualization grows in popularity.

2. When a VM is moved, administrators must manually ensure that the virtual switches on both the originating and target hosts, as well as the upstream physical access-layer ports, are consistently configured so that the migration can take place without breaking network policies or basic connectivity.

In order to keep pace with the demands imposed by server virtualization, what's required is an open (hypervisor- and server-agnostic) method for equipping virtual switches with the same features available on physical switches, for scalable, high-performance VM-to-VM communications.

Simplified Management

Server virtualization blurs the lines between storage, network, and security technologies, causing a shift in traditional roles and responsibilities for IT departments. For instance, server administrators need to manage the virtual network while network administrators manage the physical network. The introduction of virtual switches adds a new set of network elements to configure and manage, and since network administrators often lack access to the virtual switch itself, maintaining a consistent view of the network becomes a tremendous challenge. Since VMs move between servers, this situation limits the agility and automation required to provision a network dynamically. Different tools are needed to manage different parts of the network and provide a consistent view of the entire data center network, both physical and virtual.
Juniper Networks Comprehensive Solutions for Server Virtualization Environments

Juniper Networks delivers solutions today that address the challenges of speed, scalability, security, switching, and simplified management in virtualized server environments.

Speed: Collapsing Layers and Reducing Complexity with Virtual Chassis Technology

Juniper Networks Data Center Infrastructure Solutions simplify data center network and security design in a fundamental way by collapsing the multiple switching tiers present in traditional architectures. This simplified network design requires fewer devices and interconnections, leading to improved efficiencies in space, power, and cooling. Above all, this simplified network architecture significantly improves the performance of the data center network with server virtualization.

Juniper's unique Virtual Chassis technology, in which up to 10 Juniper Networks EX4200 Ethernet Switches can be interconnected and managed as a single logical device supporting up to 480 ports, is just one example of how Juniper solutions can consolidate network tiers while improving performance. A high-capacity, 128 gigabit per second (Gbps) Virtual Chassis backplane connects the physical switches. This configuration significantly reduces the number of links required to ensure network connection redundancy, while reducing or eliminating the need for Spanning Tree Protocol (STP) in the data center access layer. Server-to-server traffic as well as VM migration is carried over this same high-speed Virtual Chassis path. A single EX4200 Virtual Chassis instance would allow literally thousands of VMs to move freely over the Virtual Chassis backplane, rather than traveling through the aggregation or core layers in the network (see Figure 6).

[Figure 6: EX4200 Virtual Chassis technology eliminates the need for an extra hop (routers/switches above an EX4200 Virtual Chassis spanning Rack 1 and Rack 2; Server 1 and Server 2 each run a hypervisor with several VMs and unused capacity)]

Juniper also has two platforms for providing 10GbE access in a top-of-rack form factor: the Juniper Networks EX2500 Ethernet Switch and EX4500 Ethernet Switch. These two switch lines feature extremely low latency to facilitate communication between VMs in two different servers, as well as for VM migration. In addition, the EX4500 platform is designed to support the Virtual Chassis technology available on the EX4200 switches, bringing the same highly scalable, low latency performance to 10GbE servers.
Scalability: Using Virtual Chassis Technology to Support Live Server Migration

Juniper's data center architecture is scalable, capable of covering everything from the world's smallest data centers to the largest, with tens of thousands of applications and virtual machines. Juniper offers a variety of switches to support data center top-of-rack, end-of-rack, or middle-of-row aggregation and backbone/core deployments. As shown in Figure 7, Juniper's solutions are location agnostic, since they enable VM migration in each of the following scenarios.

[Figure 7: Scaling VM motion across any two servers: rack to rack (Layer 2 domain across racks and across the data center, using Virtual Chassis), site to site (Layer 2 domain across fiber-connected data centers, using Virtual Chassis extension), and cloud to cloud (Layer 2 domain across a virtual private LAN, using VPLS)]

Scenarios 1 and 2: Virtual Chassis technology supports low latency server live migration from server to server in completely different racks within a data center, and from server to server between data centers in a flat Layer 2 network when these data centers are within reasonably close proximity.

Scenario 3: Virtual Chassis technology, working in conjunction with standards-based and field-proven technologies such as MPLS and virtual private LAN service (VPLS), allows the Layer 2 domain to extend across data centers to support VM migration even if the data centers are separated by significant distances, as shown in Figure 8. VPLS can be set up to allow specific VLANs to be distributed across two separate data centers. Since VPLS leverages the advantages of MPLS, traffic engineering can be used to optimally allocate bandwidth for the different departments without the need for dedicated Layer 2 links. Besides traffic engineering, MPLS also offers logical separation between different departments, providing the same level of privacy that is achieved by using physically separate links.
Security: Consistent Policies for the Physical and Virtual Network

Juniper Networks and Altor Networks have partnered to deliver an integrated solution that combines Juniper's security platforms with Altor's virtual firewall (Altor VF) to secure the end-to-end network. The Altor VF provides visibility and control over VM traffic and enforces policies at the VM level, while Juniper's security platforms, including the Juniper Networks SRX Series Services Gateways, Juniper Networks STRM Series Security Threat Response Managers, and Juniper Networks Network and Security Manager (NSM), secure the physical network. Altor VF also supports rule-based mirroring of virtual network traffic to the SRX Series devices for consistent policy enforcement.

Integration with NSM and the SRX Series: The integration of the Altor VF management server and reporting module with Juniper Networks Network and Security Manager enables customers to perform unified management of their physical and virtual infrastructure within the data center. For example, customers can use NSM to define one set of security policies that are enforced by both the Altor VF and the SRX Series devices.
[Figure 8: Altor VF (virtual firewall) and the SRX Series secure the VMs inside the physical server and when VMs move within the network (VM1, VM2, and VM3 behind the Altor VF on the hypervisor; NSM, EX Series, STRM, and SRX Series in the physical network)]

Integration with STRM: In addition, Juniper imports analyzer output and logs from the Altor VF into the STRM Series, allowing consolidated application usage monitoring and compliance reporting, centralized log/event management, and network-wide threat detection across both the physical and virtual infrastructure.

Switching: Reducing Demands on Physical Servers

As the ratio of VMs to physical servers continues to grow, server-based networking (the software-based virtual switches embedded in hypervisors for inter-VM communication) is unable to scale sufficiently to keep up with demand. A server running 30 VMs, for example, would require several virtual switches, VLANs, quality of service (QoS) tags, security zones, etc., and all of this processing would impose significant overhead and require a lot more networking functionality from hypervisors.

There are a number of ways to overcome the limitations of the embedded virtual software switch. The simplest and most promising approach, endorsed by Juniper, is an emerging IEEE standard called VEPA (Virtual Ethernet Port Aggregator), which specifies that switching between VMs be handled by an external physical switch connected to the server. Once approved, the VEPA standard will be supported on all Juniper Networks switches through a simple software upgrade.

How Does VEPA Work?

VEPA creates a series of port profiles with relevant security and network policy settings that can be applied to VMs. When a VM is instantiated, network frames are forwarded to an adjacent physical network switch, which then applies the appropriate port profile, either sending the frames back to the virtual network switch or replacing the port profile altogether (see Figure 10).
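The visibility problem described under Security and the VEPA relay described above, as an added example that is not from the white paper or from Juniper: a small Python model (class names, MAC addresses and the port-profile fields are constructed for illustration) in which a hypervisor-embedded virtual switch delivers a frame between two VMs on the same host without it ever reaching the physical switch, while a VEPA-style host sends every frame to the adjacent physical switch, which applies the port profiles, can block the HIPAA-to-non-HIPAA exchange, and keeps enforcing the same profile after the VM migrates to another host.

```python
from dataclasses import dataclass

# Constructed model, not Juniper code; MAC addresses and profile names are invented.

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int

@dataclass(frozen=True)
class PortProfile:
    """Network/security settings the physical switch applies per VM."""
    name: str
    vlan: int
    allowed_peers: frozenset   # profile names this VM may exchange frames with

class PhysicalSwitch:
    """External access switch; profiles are keyed by VM MAC, so policy follows the VM."""
    def __init__(self, profiles_by_mac):
        self.profiles_by_mac = dict(profiles_by_mac)
        self.seen = []       # every frame that reached the switch: what an admin can inspect
        self.dropped = []    # frames rejected by port-profile policy

    def relay(self, frame):
        """VEPA reflective relay: check both port profiles, then hairpin the frame
        back toward the server (return it) or drop it (return None)."""
        self.seen.append(frame)
        src = self.profiles_by_mac.get(frame.src_mac)
        dst = self.profiles_by_mac.get(frame.dst_mac)
        permitted = (src is not None and dst is not None
                     and src.vlan == dst.vlan == frame.vlan and dst.name in src.allowed_peers)
        if not permitted:
            self.dropped.append(frame)
            return None
        return frame

class Host:
    """One physical server: its VMs (MAC -> name), the uplink and the switching mode."""
    def __init__(self, switch, vepa):
        self.switch, self.vepa = switch, vepa
        self.vms = {}
        self.delivered = []  # (vm name, frame) pairs handed to a local VM

    def place_vm(self, mac, name):
        self.vms[mac] = name

    def send(self, frame):
        """Return 'local', 'relayed', 'dropped' or 'forwarded'."""
        if not self.vepa and frame.dst_mac in self.vms:
            # Embedded virtual switch: VM-to-VM traffic is switched inside the
            # server and never appears on the physical NIC or the upstream port.
            self.delivered.append((self.vms[frame.dst_mac], frame))
            return "local"
        out = self.switch.relay(frame)   # VEPA: every frame goes out the uplink
        if out is None:
            return "dropped"
        if out.dst_mac in self.vms:
            self.delivered.append((self.vms[out.dst_mac], out))
            return "relayed"     # hairpinned back to a VM on this same host
        return "forwarded"       # destination lives on another server

HIPAA_MAC, WEB_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed
PROFILES = {
    HIPAA_MAC: PortProfile("hipaa", vlan=10, allowed_peers=frozenset({"hipaa"})),
    WEB_MAC: PortProfile("general", vlan=10, allowed_peers=frozenset({"general"})),
}

def hipaa_to_web(vepa):
    """Same-host HIPAA VM sending to a non-HIPAA VM. Returns (handling,
    number of frames visible at the physical switch, VMs that received it)."""
    switch = PhysicalSwitch(PROFILES)
    host = Host(switch, vepa)
    host.place_vm(HIPAA_MAC, "vm-hipaa")
    host.place_vm(WEB_MAC, "vm-web")
    handling = host.send(Frame(HIPAA_MAC, WEB_MAC, vlan=10))
    return handling, len(switch.seen), [name for name, _ in host.delivered]

def after_migration():
    """Live-migrate the HIPAA VM to a second VEPA host: the switch enforces the
    same profile because it is looked up by the VM's MAC, not by host port."""
    switch = PhysicalSwitch(PROFILES)
    host_a, host_b = Host(switch, vepa=True), Host(switch, vepa=True)
    host_a.place_vm(HIPAA_MAC, "vm-hipaa")
    host_a.place_vm(WEB_MAC, "vm-web")
    before = host_a.send(Frame(HIPAA_MAC, WEB_MAC, vlan=10))
    del host_a.vms[HIPAA_MAC]                # VM leaves host A ...
    host_b.place_vm(HIPAA_MAC, "vm-hipaa")   # ... and comes up on host B
    after = host_b.send(Frame(HIPAA_MAC, WEB_MAC, vlan=10))
    return before, after, len(switch.dropped)
```

With the embedded switch the non-compliant frame is delivered and the physical switch sees nothing; with VEPA the switch sees it, drops it, and applies the same decision after the migration.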
[Figure 9: VEPA components (inside the physical server: virtual machines, or virtual end stations, each with a virtual NIC connected to a VEPA port, the physical NIC, and a software VEPA expander; a VEPA uplink connects to a VEPA-enabled port on the physical switch)]

Why VEPA?

VEPA is a nondisruptive and cost-effective solution to inter-VM communications. Implementation requires minimal changes to the software running on the physical switch, not wholesale replacement of the existing networking infrastructure. VEPA allows virtual switching to be pulled out of the server, improving server performance and increasing the number of VMs that can run on each box. Finally, because VEPA is based on open standards and is server and hypervisor agnostic, customers have maximum flexibility in deploying server virtualization. VEPA will enable rapid innovation in services for users, as well as operational consistency, simplicity, and efficiency.

The pending VEPA standard also contains a critical feature known as multicasting. Since many virtual servers contain more than one virtual network switch, physical switches must be able to identify the virtual switch that routed the traffic. While new hardware may be required to support this advanced feature, the basic VEPA technology can be supported through a simple software upgrade on the Juniper Networks EX Series Ethernet Switches.

The following table compares the different options available for inter-VM switching.
Table 1: Inter-VM Switching Options

Software switch embedded in hypervisor
  Who does the switching: Hypervisor vendor
  Where switching is done: Software
  Feature richness: Low
  Customer time required to adopt solution: Low (comes with hypervisor)
  Customer cost to adopt: Low (comes with hypervisor)
  Existing network compatibility: Yes
  Latency for switching: Low

Software switch as an add-on
  Who does the switching: Network vendor
  Where switching is done: Software
  Feature richness: High
  Customer time required to adopt solution: Very high (need to qualify new virtual switch)
  Customer cost to adopt: High (additional license)
  Existing network compatibility: Yes
  Latency for switching: Low

NIC-based inter-VM communication
  Who does the switching: NIC vendor
  Where switching is done: Hardware
  Feature richness: Low
  Customer time required to adopt solution: High (need to qualify NIC capabilities)
  Customer cost to adopt: Unknown
  Existing network compatibility: Yes
  Latency for switching: Low

VEPA basic*
  Who does the switching: Network vendor
  Where switching is done: Hardware
  Feature richness: High
  Customer time required to adopt solution: Low (simple software upgrade)
  Customer cost to adopt: Free (software upgrade)
  Existing network compatibility: Yes
  Latency for switching: Medium
  Industry support (standards-based): Yes

VEPA advanced (port extender)**
  Who does the switching: Network vendor
  Where switching is done: Hardware
  Feature richness: High
  Customer time required to adopt solution: High (need to qualify new switch(es))
  Customer cost to adopt: High (needs new hardware)
  Existing network compatibility: Unknown
  Latency for switching: Medium
  Industry support (standards-based): Yes

* Proposal referred to as 802.1Qbg
** Proposal referred to as 802.1Qbh
Simplified Management: Consistent Orchestration of Virtual and Physical Networks

To enable consistent configuration and visibility of the virtual and physical network, Juniper's chosen solution is a web-based software application called Junos Space Virtual Control. Residing on Juniper Networks Junos Space, Juniper's orchestration software platform, the Virtual Control application enables end-to-end network topology, configuration, and policy management from a single pane of glass. Junos Space Virtual Control dramatically simplifies data center management, reducing total cost of ownership (TCO) by providing operational consistency and visibility throughout the network.

[Figure 10: Consistent management of the physical and virtual network from Junos Space Virtual Control (Junos Space Virtual Control spanning the physical network and the virtual network of VMs)]

Junos Space Virtual Control allows network operators to discover, configure, provision, and monitor a VMware vNetwork Distributed Switch (vDS) just as they would a Juniper switch platform. Initially working with the VMware hypervisor, Junos Space Virtual Control is based on an open architecture that will allow easy integration of other hypervisors such as Xen, PowerVM, Hyper-V, and others in future releases. For more information on Junos Space, please visit

How Does Junos Space Virtual Control Work?

1. A vNetwork Distributed Switch (vDS) is created.
2. This is visible from VMware's centralized management platform, called vCenter.
3. VMware provides Web Services APIs to talk to vCenter.
4. Junos Space Virtual Control communicates with the vDS using the VMware APIs.
5. Junos Space Virtual Control orchestrates between the virtual and physical network.
[Figure 11: Junos Space Virtual Control (Space Virtual Control talks through the VMware API to the vCenter Server, which manages the vNetwork Distributed Switch; steps 1 through 5 correspond to the list above)]

Conclusion

Server virtualization imposes incredible demands on the data center network. First, it creates a new virtual network with an embedded software switch that manages traffic between VMs residing within the physical host servers, adding complexity and creating disparities between the virtual network and the physical networking devices. Secondly, securing this virtual environment is a considerable challenge, since virtual switches are largely invisible to network and security administrators. Finally, since VMs are not persistently bound to a specific physical server, scalability of the network infrastructure becomes an issue.

To satisfy growing demands, the network needs to improve on the five Ss: speed, scalability, security, switching, and simplified management. Juniper offers hypervisor- and server-agnostic solutions that address each of these attributes by embracing open standards like VEPA, while delivering the simplest possible solution for customers. These Juniper solutions help to clearly define the roles and responsibilities of different IT groups such as server and network administrators, security architects, and network managers, preventing issues from slipping through the cracks and minimizing errors caused by poor communication.

Juniper Networks MX Series 3D Universal Edge Routers, EX Series Ethernet Switches, and SRX Series Services Gateways interoperate with all major hypervisors. And Juniper innovations like Virtual Chassis technology on the EX Series switches and VPLS on the MX Series routers represent a distinct advantage that allows seamless migration of virtual machines. By partnering with best-in-class third-party companies, including hypervisor vendors like VMware and security vendors like Altor Networks, Juniper can now extend the true value of its proven enterprise solutions beyond the physical network and into the virtual network. Juniper solutions also offer low latency, high performance, scalability, high availability, and consistent orchestration of the physical and virtual network, all of which contribute to making Juniper Networks a leading provider of solutions for data center server virtualization environments.
Appendix A: Juniper Virtual Server Networking Solution in a Nutshell

Table 2: Juniper Virtual Server Networking Solution

Speed
  Key problem: Lower latency for inter-VM communication and VM migration
  Juniper solution: Virtual Chassis on all access switches, including new 10GbE solutions that reduce latency. STP-free designs increase cross-sectional bandwidth.

Scale
  Key problem: Making VLANs and VLAN-based services omnipresent
  Juniper solution: Software

Security
  Key problem: Securing the VM-to-VM traffic inside a physical server
  Juniper solution: Combination of SRX Series platforms and Altor Networks' VF (virtual firewall) to secure traffic inside a physical server and also during VM migration.

Switching (inter-VM)
  Key problem: Overcoming limitations of software-based virtual switches
  Juniper solution: By implementing the VEPA standard on all Juniper switches, inter-VM switching is handled by the physical switch (instead of the software virtual switch). This increases the performance and features available for the virtual network.

Simplified management
  Key problem: Blurred responsibilities between server and network administrators. Consistent management of the physical and virtual network to reduce errors and accelerate deployment.
  Juniper solution: Junos Space Virtual Control, a web-based application, provides end-to-end orchestration between the physical and virtual network.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

EN April 2010
Printed on recycled paper