Network Virtualization
Petr Grygárek
Network Virtualization
- Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on shared physical infrastructure
- Total privacy between groups has to be guaranteed
  - Assignment of a user to a VN depends on successful authentication
- Independent address spaces and routing domains
- Well-defined and controllable ingress/egress points for data transport
- Methods of controlled collaboration between VNs, or between VNs and shared resources (e.g. Internet connection), may be defined
- Possible to be extended over a (virtualized) WAN
What Can/Has to Be Virtualized?
- Network devices: control plane, data plane, management plane
- Network transport (links): L2/L3 VPN technologies
- Network services: DHCP, AAA, including handling of security policies
Security Policies in Traditional Networks
- Security implied by physical location: location in the (logical) network topology with regard to physical firewall interfaces
- Applicable only if user groups are physically separated or using widespread VLANs
Today's Security Policy Requirements (1)
- Users from different groups coexist in the same physical location
  - employees + in-house consultants in employee premises
  - employees + guests + 3rd-party staff in a physical meeting room
  - isolated intelligent building subsystem
- User's policies independent of the user's current location
- Operation of virtual teams: a shared (temporary) virtual networking environment accessible to virtual team members only
Today's Security Policy Requirements (2)
- The same (shared) physical device may get different privileges based on the actual user that logged in and on OS status
- Policy assignment/configuration based on the result of the authentication process (authorization)
- Quarantine subnet for infected / non-patched / policy-noncompliant computers
- Restriction of access to network resources to fulfil legal regulations (health and insurance data, financial data, ...)
- Service centralization (for multiple customers): firewall, anti-spam, anti-virus, ...
Traditional Transport Separation Methods
- Traffic filtering (access lists)
  - Has to be implemented (consistently) in all network parts
  - Non-uniform, locally significant information (addresses) used as the filtering criterion
- Policy-based routing
  - Static routing with additional constraints: source interface, source address, etc.
Transport Virtualization
- 802.1q, QinQ
- Colored routed packets (DSCP, etc.)
- MPLS, MPLS VPN
- L2TPv3
- PseudoWires, VPLS
- GRE
- IPsec
Device Virtualization (1)
- Management plane virtualization
  - Multiple logical contexts separated from the administration perspective
  - Common data plane
  - Common control plane (if any)
Device Virtualization (2)
- Control plane structures / forwarding table virtualization
  - VRFs: virtual routers + VRF-aware routing protocols / multi-topology routing
  - VFIs: virtual switches
Device Virtualization (3)
- Virtual device contexts (VDCs)
  - Process-level (para)virtualization, often Linux-kernel-based
  - Each VDC acts as a failure domain: a process crash cannot influence other VDCs
- Resource virtualization (hypervisor level)
  - CPU, memory, TCAMs, peripherals, ...
  - VDC resource consumption limits should be defined for shared resources (e.g. memory)
  - Dedicated resources (e.g. physical ports) have to be assigned to a particular VDC
  - Global resources (e.g. HW-assisted broadcast storm control)
Device Pooling
- Multiple routers with FHRP: VRRP, HSRP, GLBP
  - Normally on the user side only
  - Sometimes also for returning traffic
- Device stacking
  - Solutions like Cisco VSS, vPC, etc.
  - Uses Multichassis EtherChannel
  - No special config on the subordinate device side
  - Reduces STP complexity
  - Limits the number of routing adjacencies
An Example: Fully Overlaid VNs Using VLANs and VRFs
- Pros and cons from configuration & operation perspectives
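A small model of the overlay this slide names, added here as an illustration (it is not part of the deck): each 802.1q ingress VLAN maps to exactly one VRF, each VRF keeps its own routing table so tenants can reuse overlapping address space, and the only path between VRFs is an explicit leak route. The VLAN numbers, VRF names, prefixes and next-hop labels are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed sample: ingress 802.1q VLAN -> VRF. Each tenant VRF owns its own
# routing table, so "hr" and "guest" may both use 10.0.0.0/24 without conflict.
VLAN_TO_VRF = {10: "hr", 20: "guest", 30: "shared"}

@dataclass
class Vrf:
    name: str
    routes: list = field(default_factory=list)  # (network, next_hop) entries
    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
    def lookup(self, dst):
        """Longest-prefix match confined to this VRF's own table."""
        addr, best = ipaddress.ip_address(dst), None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

class VrfRouter:
    def __init__(self):
        self.vrfs = {}
    def vrf(self, name):
        return self.vrfs.setdefault(name, Vrf(name))

    def forward(self, ingress_vlan, dst):
        """Classify by ingress VLAN, then resolve only inside that VRF."""
        vrf_name = VLAN_TO_VRF.get(ingress_vlan)
        if vrf_name is None:
            return None  # unknown VLAN: drop rather than fall into a global table
        return self._resolve(vrf_name, dst)

    def _resolve(self, vrf_name, dst, depth=0):
        nh = self.vrf(vrf_name).lookup(dst)
        # ("vrf", name) is an explicit, administrator-defined leak into another
        # VRF (e.g. shared services); no other path crosses a VRF boundary.
        if isinstance(nh, tuple) and nh[0] == "vrf" and depth < 2:
            return self._resolve(nh[1], dst, depth + 1)
        return nh

def build_demo_router():
    r = VrfRouter()
    r.vrf("hr").add_route("10.0.0.0/24", "hr-core-1")
    r.vrf("hr").add_route("203.0.113.0/24", ("vrf", "shared"))  # controlled leak
    r.vrf("hr").add_route("0.0.0.0/0", "hr-firewall")
    r.vrf("guest").add_route("10.0.0.0/24", "guest-core-1")  # same prefix, own table
    r.vrf("guest").add_route("0.0.0.0/0", "guest-firewall")
    r.vrf("shared").add_route("203.0.113.0/24", "shared-services")
    r.vrf("shared").add_route("0.0.0.0/0", "internet-edge")
    return r
```

The same destination 10.0.0.5 resolves to a different next hop depending on the ingress VLAN, and the guest VRF never reaches the shared-services prefix because it has no leak route.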
Advantages of Network Virtualization
- Lower number of physical devices: lower cost, less space consumption, lower power/cooling requirements
- Multiple (virtualized) devices with separate roles and simpler configurations
- Possibility to keep known-good scalable, stable and secure designs (e.g. 3-tier model)
- Better predictable data paths: limits security concerns
- Less risk of unexpected software behaviour because of unusual or too complicated config
- Easier to manage
Interconnection with Virtualized Hosts
- VMware servers hosting multiple virtual machines (VMs)
- Servers often act as capacities for VMs that may migrate between hosting servers
  - VM migration based on human command or on automatic load-balancing and power-saving mechanisms
- Network connectivity and security policies have to be moved with the VM as needed
  - Results in the requirement to span all (user) VLANs over the whole datacenter access/aggregation layer
  - ALS/DLS platforms have to have reasonable limits on the numbers of supported VLANs and STP instances
Virtualized Switches on VM-Hosting Platforms
- Associate VMs' virtual NICs with VLANs
- Accomplishes local switching + provides external connectivity (trunk)
  - Multiple trunk lines may act separately by pinning each virtual NIC to one particular line
- One or multiple vswitch instances per hypervisor
  - Also 3rd-party vswitches implemented using the VMware vswitch API; these may also implement vendor-specific functions, which is useful for consistent capabilities over all network devices
- Managed either by server management personnel or by the NOC (need to be in cooperation)
- May support EtherChannel (LACP), (R)STP, CDP, ...
- Configured from the hosting server console or externally, using various vendors' CLIs (e.g. Cisco Nexus 1000V virtual switch)
Distributed Virtual Switch (VMware + Cisco)
- Avoids the need to configure dozens of separate vswitches
- Separate data planes, common control plane (VMware vCenter)
- Network connectivity managed at the ESX cluster level
Cisco Virtual Network Link (VN-Link)
- Logical link between a vnic on a VM and a VN-Link-enabled physical switch
  - Logical equivalent of the cable between a NIC and an ALS port
- ALS Virtual Ethernet (veth) interfaces that correspond to connections to individual vnics are dynamically created
- A veth maintains network configuration and state for a given virtual interface even if the VM moves between servers: port statistics, 802.1x state, ACLs, NetFlow, SPAN sessions, ...
Network Interface Virtualization
- Alternative approach: extend vnics to an external hardware switch ("virtual interface switch")
  - No local switching
  - Virtual hosts handled the same way as physical ones
  - vswitch replaced by an interface virtualizer
- Attached VNTag uniquely identifies the individual vnic
- NIV standard proposal: http://www.ieee802.org/1/files/public/docs2008/newdcb-pelissier-nic-virtualization-0908.pdf
Virtualization Cons
- Maintaining separate networks may increase availability in some cases, if there are no other production-process-oriented dependencies
- Tighter coordination between server and network teams has to be set up
- More complex system operation: more difficult to troubleshoot
Virtualization and Network Resiliency
- Virtualization is NOT a method to increase network resiliency
  - although having redundant virtualized device contexts on different physical devices can be a way to do it
- Care must be taken not to compose redundant solutions from (virtual) components virtualized on the same physical resource: network processor, cable, ...
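To make the last bullet checkable, here is an added illustration (not from the deck) that walks a constructed inventory of dependencies and reports the physical resources two supposedly redundant components would lose together. The component names and the dependency graph are made up; a real check would be fed from the inventory/CMDB.

```python
# Constructed inventory: each component lists what it directly depends on.
# VDCs sit on line cards, line cards on a chassis, a chassis on a PDU, so a
# shared physical resource may be several hops below the virtual layer.
DEPENDS_ON = {
    "vdc-A": ["linecard-1/1"],
    "vdc-B": ["linecard-1/2"],
    "vdc-C": ["linecard-2/1"],
    "linecard-1/1": ["chassis-1"],
    "linecard-1/2": ["chassis-1"],
    "linecard-2/1": ["chassis-2"],
    "chassis-1": ["pdu-1"],
    "chassis-2": ["pdu-2"],
    "uplink-A": ["vdc-A", "fiber-pair-7"],  # both uplinks ride one fiber pair
    "uplink-C": ["vdc-C", "fiber-pair-7"],
}

def dependency_closure(name, graph=DEPENDS_ON):
    """Every component `name` transitively depends on (excluding itself)."""
    seen, stack = set(), [name]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def shared_fate(a, b, graph=DEPENDS_ON):
    """Components whose single failure takes down both a and b, sorted."""
    return sorted(dependency_closure(a, graph) & dependency_closure(b, graph))

def redundant_pair_ok(a, b, graph=DEPENDS_ON):
    """True only if a and b have no common dependency at any depth."""
    return not shared_fate(a, b, graph)
```

vdc-A and vdc-B look redundant at the context level but share chassis-1 and its PDU, and the two uplinks on separate chassis still share a single fiber pair.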