Network Virtualization and Data Center Networks (263-3825-00)
DC Virtualization Basics, Part 2
Qin Yin, Fall Semester 2013

Outline
- More words about VLAN
- Virtual Routing and Forwarding (VRF)
- The use of load balancers
- Load balancer proliferation in the data center
- ACE virtual contexts

VLAN
- VLANs are Ethernet broadcast domains
- Connecting VLANs
  - Access ports: interfaces whose transmitted and received frames belong to a single VLAN
  - VLAN trunks: transport multiple VLANs over a single Ethernet interface (VLAN tag)
- Inter-VLAN communication
  - Router-on-a-Stick design
  - Layer-3 switches
- Spanning tree protocol and VLANs
- Private VLAN

Inter-VLAN Communication: Router-on-a-Stick
- Router: dedicate one interface (0/0) connected to a switch trunk port
- Two sub-interfaces: 0/0.101 and 0/0.201
- Each sub-interface has an IP address configured as the default gateway on the servers
- Router-on-a-Stick: a VLAN-aware router can route IP packets between hosts located in different VLANs through a single Ethernet connection

Layer-3 Switches
- Switch Virtual Interface (SVI)
  - Logical virtual interface
  - Used to route IP packets from its associated VLAN
  - Assign an IP address to an SVI and use it as the default gateway for the servers belonging to the VLAN
  - No need for an external router
- Misconception: "Layer-3 VLAN"
- Layer-3 switches: network equipment that can implement hardware-based L2 switching and L3 forwarding

Spanning Tree Protocol Recap
- STP "Algorhyme" poem:
  I think that I shall never see
  A graph more lovely than a tree.
  A tree whose crucial property
  Is a loop-free connectivity.
  A tree that must be sure to span
  So packets can reach every LAN.
  First, the root must be selected.
  By ID, it is selected.
  Least-cost paths from root are traced.
  In the tree, these paths are placed.
  A mesh is made by folks like me,
  Then bridges find a spanning tree.
- Problem: loops
- Reason: a switch always forwards a broadcast frame to every Ethernet interface except the one that received it
- Solution: spanning tree protocol
- Benefits: loop-free topologies and path availability
Spanning Tree Protocol and VLANs
- Two solutions
  - A single STP instance for all VLANs (CST)
  - Different STP instances per VLAN (or group of VLANs)
- Benefits of multiple instances
  - Traffic from and to C can be statically load balanced
  - A failure in segment A-C
  - A failure in switch A
- With STP instances, VLANs can achieve virtualization in the control plane

Private VLAN
- Three types of interfaces within a VLAN: promiscuous ports, isolated ports, community ports
- Two types of VLANs: primary VLAN, secondary VLAN
- Benefits
  - Broadcast subdomains within a VLAN
  - Improved partitioning scalability

Concepts From the Routing World (I)
- In the DC, two classes of devices perform IP routing
  - Layer 3 switches: routing between internal IP subnets
  - Edge routers: connecting the DC to external networks (Internet, corporate WAN, other DCs)
- Routing table (Routing Information Base, RIB)
  - Control plane element
  - Defines how to direct a received IP packet based on its destination address
  - Can be controlled through manual configuration (static routes) or routing protocols (OSPF, EIGRP, RIP, IS-IS, BGP)
- IP routing protocols assume all forwarding is destination-based

Concepts From the Routing World (II)
- Forwarding table (Forwarding Information Base, FIB)
  - Data plane element
  - Effectively receives, stores, analyzes and forwards IP packets
- IP forwarding process
  1. Remove a packet from an input queue
  2. Check for sanity, decrement TTL
  3. Match the packet's destination to a table entry field
  4. Place the packet on the correct output queue

VRF (Virtual Routing and Forwarding)
- In the same routing equipment
  - Default routing instance: global routing table
  - VRF virtual routing instances
- A VRF is an independent router with its own
  - Interfaces and IP subnets
  - Routing protocols
  - Routing and forwarding table
- VRFs natively virtualize both data and control planes
- Example (figure): A1 and A2 exchange routes through OSPF; B1 and B2 exchange routes through EIGRP
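The per-VRF routing and forwarding tables described above, as an added example that is not part of the slides: a toy router in Python with a global table and two VRFs, A and B, whose forwarding step follows the four-step process (TTL check, longest-prefix match in the FIB of the ingress interface's VRF). Interface names, prefixes and next hops are constructed sample values.

```python
# Added example (not from the slides): one routing device holding a global
# routing table plus two VRF instances, A and B, each with its own FIB.
# Interface names, prefixes and next hops are constructed sample values.
import ipaddress


class VrfRouter:
    def __init__(self):
        self.fibs = {"global": []}   # routing instance -> list of FIB entries
        self.intf_vrf = {}           # interface (e.g. SVI) -> its single VRF

    def add_interface(self, name, vrf):
        # An SVI cannot belong to more than one VRF.
        if name in self.intf_vrf:
            raise ValueError(f"{name} already belongs to VRF {self.intf_vrf[name]}")
        self.fibs.setdefault(vrf, [])
        self.intf_vrf[name] = vrf

    def add_route(self, vrf, prefix, next_hop, out_intf):
        # A route may only point out of an interface of its own VRF.
        if self.intf_vrf.get(out_intf) != vrf:
            raise ValueError(f"{out_intf} is not in VRF {vrf}")
        self.fibs[vrf].append((ipaddress.ip_network(prefix), next_hop, out_intf))

    def forward(self, in_intf, dst, ttl):
        """Forwarding process: sanity check and TTL decrement, then a
        longest-prefix match in the FIB of the ingress interface's VRF."""
        if ttl <= 1:
            return ("drop", "ttl-expired")
        vrf = self.intf_vrf[in_intf]
        addr = ipaddress.ip_address(dst)
        hits = [e for e in self.fibs[vrf] if addr in e[0]]
        if not hits:
            return ("drop", f"no route in {vrf}")   # no leaking into other VRFs
        net, next_hop, out_intf = max(hits, key=lambda e: e[0].prefixlen)
        return ("forward", vrf, str(net), next_hop, out_intf, ttl - 1)


def build_demo():
    r = VrfRouter()
    r.add_interface("Vlan10", "global")
    r.add_interface("Vlan100", "A")
    r.add_interface("Vlan200", "B")
    r.add_route("global", "0.0.0.0/0", "192.0.2.1", "Vlan10")
    # The same prefix exists in A and B with different next hops: legal,
    # because each VRF has its own routing and forwarding table.
    r.add_route("A", "10.1.0.0/16", "10.100.0.2", "Vlan100")
    r.add_route("B", "10.1.0.0/16", "10.200.0.2", "Vlan200")
    r.add_route("B", "10.1.5.0/24", "10.200.0.3", "Vlan200")
    return r


if __name__ == "__main__":
    router = build_demo()
    print(router.forward("Vlan100", "10.1.5.9", 64))
    print(router.forward("Vlan200", "10.1.5.9", 64))
```

The same destination 10.1.5.9 is forwarded to a different next hop depending on which VRF the ingress SVI belongs to, and a destination unknown in VRF B is dropped rather than resolved through the global table.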
VRFs
- Two common VLANs: VLAN 1100 and VLAN 1200
  - Used for L3 communication between other subnets (called transit VLANs)
  - Provide isolated paths for VRFs in the same device (an SVI cannot belong to multiple VRFs)
- VRFs were created to allow MPLS Layer 3 VPN deployment
  - Each VRF represents a portion of a service provider router responsible for VPN customer routes
- In campus and DC networks, VRF
  - Allows the creation of independent virtual routing instances that do not deploy MPLS (VRF-lite)
  - Provides the partitioning of routing and forwarding tables within existing networking equipment

Use Case: DC Network Segmentation
- Three distinct environments: corporate, Internet, partner
- Logical topology
  - Global routing table for the corporate environment
  - An Internet VRF
  - A partner VRF
- Physical topology
  - VRFs on the edge router use physical interfaces
  - VRFs on the switch use SVIs

Application Networking Services
- Network services
  - A set of repetitive operations that application servers or client devices would normally deploy
  - Examples: load balancing, security, monitoring, acceleration, etc.
  - Can be implemented by specialized network equipment
- Network service devices
  - Grant services that save capital and operational investments
  - Bring simplicity to data center operations, avoiding multiple software configurations on servers and client devices
  - Examples: security firewalls, performance monitoring tools, accelerators, load balancers
- Load balancers are very common in data centers today; we will explore virtualization on one network service: application load balancing

Network Service Device Challenges
- How to isolate these devices according to the company policies?
- How to correctly size these devices?
  - Trade-off: hardware budget vs. resource utilization
- Virtual contexts
  - Allow the creation of abstract instances of network equipment inside a single physical device
  - Support enhanced resource allocation control and management isolation
DNS Server Load Balancing
- Challenge 1: DNS servers are not aware of the application state in the balanced servers
- Challenge 2: DNS servers are not aware of the load information from the balanced servers
- Challenge 3: a DNS request does not specify which type of traffic, or the type of device

Hardware-based Load Balancers
- Introduced to improve the server load-balancing solution that DNS servers provide
- Forwarding decisions are based on Layer 4 to 7 parameters: TCP/UDP destination port, HTTP URL, HTTP session cookie, etc.
- Usage: application scaling, traffic engineering tools

Load Balancer Comparison

| Criterion             | Server-based software solution                                                        | Hardware-based load balancer                 |
|-----------------------|---------------------------------------------------------------------------------------|----------------------------------------------|
| Platform dependency   | LB configuration depends on the OS or application installed on the servers            | No dependency                                |
| Management complexity | Must be configured and managed in every server                                        | One hardware device                          |
| Resource guarantee    | Shares server resources with the main application, which can affect application performance | Specialized hardware: predictable performance |

Load-Balancing Elements
- Real servers
- Server farm: a set of real servers that share the same application
- Probes: check application availability on a real server (ICMP or HTTP GET)
- Virtual IP (VIP): internal address the LB uses to receive client connections
- Stickiness table: stores client information during its first access
- Predictor: method of load distribution among real servers in a farm

Round-robin Predictor
- Next available server in an ordered list created for the server farm
- Application traffic characteristics
  - Homogeneous user connections (in duration and data exchange)
  - Unknown behavior

Least-connections Predictor
- Directs to the server with the lowest number of existing connections in the server farm
- Application traffic characteristics
  - Heterogeneous user connections (in duration and data exchange)
  - Known maximum-connections inflection point on servers
Hashing Predictor
- Performs a hashing operation on a predefined parameter such as IP address, HTTP cookie, or URL
- Another connection with the same parameter will always reach the same server
- Application traffic characteristics
  - Single-server selection from the first connection on
  - Cache or firewall load balancing
  - Parameters that are well spread among clients

Least-loaded Predictor
- Measures the current utilization (or load) of the real servers
- Application traffic characteristics
  - Server has an SNMP agent
  - A MIB variable value can be used to define the server load

Server Response Time Predictor
- Directs to the server with the lowest average response time in a server farm
- Server response time is the time interval between
  - A SYN sent to a server and a SYN/ACK received by the load balancer (Layer 4)
  - An HTTP GET to a server and its response
  - The establishment and explicit termination of a connection
- The choice depends on the switching operation type the load balancer is configured to perform

Load Balancing Fine-tuning
- Weights: define the proportion of connections each server will receive
  - Round-robin predictor: percentage of all connections that are distributed to each server
  - Least-connections predictor: percentage of current connections that are distributed to each server
- Limitation of connections
  - A real server is considered non-operational if it reaches its maximum number of configured connections
  - Until it lowers its value below the minimum connections

Layer 4 Switching
- Parameters considered: IP addresses, IP protocols, TCP/UDP ports
  - Contained in the TCP SYN or the first UDP datagram
- The load balancer coordinates rewrites on the Ethernet, IP and TCP/UDP headers

Layer 7 Switching
- Parameters obtained from Layers 5-7 (session, presentation, application)
- The load balancer becomes a TCP proxy
  - Establishes the connection with the client on behalf of the real server
  - Controls two completely different connections (distinct checksums and sequence numbers)
- The spoofing process is called delayed binding or proxy connection
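The round-robin, least-connections and hashing predictors, the weights and the max/min connection limit from the slides above, as an added Python example that is not part of the slides: a server farm that picks a real server per new connection. Server names, weights and limits are constructed, and SHA-256 stands in for whatever hash function a real load balancer uses.

```python
# Added example (not from the slides): a server farm applying round-robin,
# least-connections and hashing predictors, with per-server weights and the
# max/min connection limit described above. Server names are constructed.
import hashlib
from itertools import cycle


class RealServer:
    def __init__(self, name, weight=1, max_conns=None, min_conns=None):
        self.name, self.weight = name, weight
        self.max_conns = max_conns
        self.min_conns = min_conns if min_conns is not None else max_conns
        self.conns = 0            # current connections
        self.probe_ok = True      # last availability probe (ICMP / HTTP GET)
        self.over_limit = False   # reached max, waiting to drop below min

    def operational(self):
        if self.over_limit and self.conns < self.min_conns:
            self.over_limit = False            # back below min: in service again
        if self.max_conns is not None and self.conns >= self.max_conns:
            self.over_limit = True             # reached max: non-operational
        return self.probe_ok and not self.over_limit


class ServerFarm:
    def __init__(self, servers, predictor):
        self.servers, self.predictor = servers, predictor
        # Weighted ordered list: weight = share of all connections
        self.ring = cycle([s for s in servers for _ in range(s.weight)])

    def pick(self, key=None):
        live = [s for s in self.servers if s.operational()]
        if not live:
            return None
        if self.predictor == "round-robin":
            for _ in range(sum(s.weight for s in self.servers)):
                s = next(self.ring)
                if s in live:
                    return s
        if self.predictor == "least-connections":
            # Weight = share of current connections: lowest conns per weight unit
            return min(live, key=lambda s: s.conns / s.weight)
        if self.predictor == "hash":
            # Same parameter (client IP, cookie, URL) -> same server while the
            # set of operational servers is unchanged
            digest = hashlib.sha256(key.encode()).digest()
            return live[int.from_bytes(digest[:8], "big") % len(live)]
        raise ValueError(f"unknown predictor {self.predictor}")

    def open_conn(self, key=None):
        """Assign a new client connection; returns the chosen server name."""
        s = self.pick(key)
        if s is not None:
            s.conns += 1
        return s.name if s else None
```

With `max_conns=2, min_conns=1` a server that reaches two connections stops receiving new ones and is only picked again once its count has fallen below one, exactly the hysteresis the "Limitation of connections" bullet describes.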
Connection Management
- Symmetric
  - All packets always reach the load balancer
  - The load balancer is aware of the entire communication
  - More popular
- Asymmetric
  - Dispatches traffic to a server without participating in the communication from the server back to the client
  - Pros: does not overload the LB with excessive return traffic from the servers
  - Cons: does not support some features, such as address translation; timeouts

Address Translation and Load Balancing
- Several modes of address and port translation: server NAT, dual NAT, port redirection, transparent

Server NAT
- The LB protects servers that are on private networks not reachable by clients
- Connection symmetry is mandatory
  - The LB interface is the default gateway for the real server
  - Static or dynamic routing forwards traffic from the servers to the LB

Dual NAT
- Network Address Translation (NAT) and Port Address Translation (PAT)

Port Redirection
- Enables static translation of destination TCP and UDP port addresses
- Hides from the client the internal complexity of servers that might receive connections on non-traditional ports

Transparent Mode
- No change on source or destination addresses
- Deployed in load-balancing scenarios of devices other than servers
- The VIP is configured for all destination IP addresses or for a specific subnet
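Server NAT, dual NAT and port redirection as an added Python example that is not part of the slides: the rewrites the load balancer applies to a client's request and how it undoes them on the server's reply. All addresses and ports are constructed sample values; keeping a flow table indexed by the reply's destination is an assumption about how the reverse translation is found, not a description of a specific product.

```python
# Added example (not from the slides): the address rewrites a load balancer
# performs in Server NAT and Dual NAT mode (with port redirection), and how it
# undoes them on the server's reply. All addresses are constructed values.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class LoadBalancer:
    VIP = "198.51.100.5"       # virtual IP clients connect to
    LB_ADDR = "10.1.1.1"       # LB interface on the server VLAN

    def __init__(self, mode, real_ip="10.1.1.11", real_port=80):
        self.mode = mode                      # "server-nat" or "dual-nat"
        self.real_ip, self.real_port = real_ip, real_port
        self.flows = {}                       # reply (dst_ip, dst_port) -> client tuple
        self.next_port = 40000                # PAT port pool for dual NAT

    def client_to_server(self, pkt):
        if pkt.dst_ip != self.VIP:
            return pkt                        # not load-balanced traffic
        # Server NAT: destination VIP -> real server; real_port != dst_port is
        # port redirection (client keeps using port 80, server listens on 8080)
        out = replace(pkt, dst_ip=self.real_ip, dst_port=self.real_port)
        if self.mode == "dual-nat":
            # Dual NAT adds source NAT/PAT: the server replies to the LB itself,
            # so the return path is symmetric whatever the server's gateway is
            out = replace(out, src_ip=self.LB_ADDR, src_port=self.next_port)
            self.next_port += 1
        self.flows[(out.src_ip, out.src_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        return out

    def server_to_client(self, pkt):
        """Reply from the real server. In Server NAT mode it is addressed to the
        client, so it only reaches the LB if the LB is on the return path."""
        flow = self.flows.get((pkt.dst_ip, pkt.dst_port))
        if flow is None:
            return None                       # unknown flow: LB never saw the request
        client_ip, client_port, vip_port = flow
        return Packet(self.VIP, vip_port, client_ip, client_port)


def round_trip(mode, real_port=80):
    """One request through the LB and the matching reply, as seen by the client."""
    lb = LoadBalancer(mode, real_port=real_port)
    request = Packet("203.0.113.10", 51000, lb.VIP, 80)
    to_server = lb.client_to_server(request)
    reply = Packet(to_server.dst_ip, to_server.dst_port, to_server.src_ip, to_server.src_port)
    return to_server, lb.server_to_client(reply)
```

In server NAT mode the server's reply still carries the client's address, which is why the slides require the LB to be the real server's default gateway (or a routed next hop); in dual NAT mode the reply is addressed to the LB itself.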
Load-balancing Applications
- Applications on other service devices
  - Firewall load balancing: to scale out firewall capacity
  - Reverse proxy load balancing
    - Reverse proxy: a proxy server placed as a front-end service for clients coming from the outside network
- Offloading servers
  - Secure Sockets Layer (SSL) offload
  - TCP offload
  - HTTP compression

SSL Termination
- Total offload of encryption from the servers
- Layer 5-7 awareness for Layer 7 switching in SSL connections
- Savings on public certificates because only the load balancer requires one

SSL Initiation
- Performs SSL negotiation and encryption on behalf of the SSL client (which can be a local server)
- Useful for SSL servers accessible through the Internet
- Avoids spending on unnecessary public certificates

End-to-End SSL
- Can deploy a less intensive encryption on the servers
- Allows Layer 7 switching without losing the connection security
- Only the load balancer needs a public certificate
- No exchange of business traffic in clear text

Load Balancer Proliferation in the DC
- Load balancers are typically connected to the aggregation layer of a data center network
  - Provide network services on VLANs accessible to servers
- Reality: load balancer proliferation
- Reasons
  - Load balancer performance
  - Security policies
  - Suboptimal traffic avoidance
  - Application environment independency

Load Balancer Performance
- Performance parameters
  - Bandwidth: how many bits per second can go through a load balancer
  - Concurrent connections: how many user connections the device can serve simultaneously
  - New connections per second: how fast a load balancer can absorb new client connections
- To deal with saturation: scaling up, scaling out
Security Policies
- No sharing of network devices among different application environments
  - Separate LBs for security zones or application importance
- Configuration complexity grows when there is LB sharing among firewall security zones
  - Every DMZ needs separate LBs
  - These devices are underutilized
- Example (figure): one load balancer balances DMZ servers (for Internet users) and intranet servers (for employees)

Suboptimal Traffic
- Sometimes the DC network topology justifies the decision to acquire another pair of load balancers
- Example: a load balancer shared among servers distributed on different aggregation switches
  - Data packets from 2 and 3 must traverse the core switches twice
  - Harms the uplink usage
  - Increases application response time

Application Environment Independency
- Reasons
  - Company policies might restrict the level of device sharing among different tiers (managed by different teams)
  - Multitenant data center with independent customers

Virtual Contexts
- Introduced to address
  - Load balancer proliferation
  - Low utilization of the devices
- ACE (Cisco Application Control Engine) virtual context: an abstraction of an independent load balancer with its own
  - Interfaces
  - Configuration
  - Policies
  - Administrators

Overview of ACE Virtual Contexts: Creating and Allocating Resources to Virtual Contexts
- Memory resources
  - Access list entries
  - Buffers for syslog messages and TCP out-of-order segments
  - Concurrent connections through the context
  - Management connections to the context
  - Proxy connections for Layer 7 switching
  - Regular expressions for operations such as URL switching
  - Stickiness table entries
  - Address translation
- Rate resources
  - Bandwidth through the context
  - Connections per second
  - Inspected connections from special protocols
  - HTTP compression performance
  - MAC misses for frames for which ACE does not have an ARP entry
  - Management connections per second to the context
  - SSL connections per second
  - Syslog messages per second
Resource Allocation
- Resource class
  - Defines how the physical resources are allocated to a virtual context
  - Configures the min and max for each resource independently (as a share of the total physical device capacity)
- Total minimum allocated resources vs. physical resources
  - Less: the remainder is a shared area of unallocated resources
  - Greater: error message "all resources in use"

Load Balancer Virtualization
- Increases efficiency in application rollouts
  - No dependency on an acquisition and physical installation
- Resource allocation for virtual contexts
  - Increases hardware utilization
  - Performance customization: tailored for application environment performance
- Easy provisioning and fast deployment
  - Easily change virtual context performance parameters

Integrating ACE Virtual Contexts
- Three main designs for ACE virtual context networking: routed design, bridged design, one-armed design

Routed Design
- The VC performs the function of a router, connecting different IP subnets
- The ACE VC has SVIs as interfaces
- Symmetric connection
- The ACE VC only supports static routing

Bridged Design
- The VC acts similarly to a transparent bridge
- The ACE VC has BVIs as interfaces
- Enables symmetric connection management without routing tweaks
- Permits VLANs to be mapped to a single subnet

One-Armed Design
- Only load-balanced connections are sent to the VC
  - The VC is relieved from direct traffic from or to the servers, avoiding unnecessary use of ACE resources
- For symmetric load balancing: policy-based routing or dual NAT
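The min/max resource class rule from the "Resource Allocation" slide, as an added Python example that is neither part of the slides nor ACE's own implementation: it models only the stated rule (each context's minimum is guaranteed, the unallocated remainder is a shared area, a context may draw from that area up to its own maximum, and a total of minimums above the device capacity is an error). Context names and numbers are constructed.

```python
# Added example (not from the slides): a resource class gives each virtual
# context a guaranteed minimum and a maximum share of one physical resource;
# unallocated minimums form a shared area. Names and numbers are constructed.


class ResourceClass:
    def __init__(self, min_pct, max_pct):
        if not 0 <= min_pct <= max_pct <= 100:
            raise ValueError("need 0 <= min <= max <= 100 (percent of device capacity)")
        self.min_pct, self.max_pct = min_pct, max_pct


class Device:
    def __init__(self, capacity):
        self.capacity = capacity       # e.g. total concurrent connections
        self.contexts = {}             # context name -> [resource class, in use]

    def guaranteed(self, rc):
        return rc.min_pct / 100 * self.capacity

    def add_context(self, name, rc):
        total_min = sum(c.min_pct for c, _ in self.contexts.values()) + rc.min_pct
        if total_min > 100:
            raise RuntimeError("all resources in use")   # minimums exceed the device
        self.contexts[name] = [rc, 0]

    def shared_free(self):
        """Unallocated area: capacity minus all minimums, minus what contexts
        currently consume above their own minimum."""
        reserved = sum(self.guaranteed(c) for c, _ in self.contexts.values())
        above_min = sum(max(0, used - self.guaranteed(c))
                        for c, used in self.contexts.values())
        return self.capacity - reserved - above_min

    def allocate(self, name, amount):
        """Try to give a context `amount` more of the resource."""
        rc, used = self.contexts[name]
        if used + amount > rc.max_pct / 100 * self.capacity:
            return False                    # above the context's own maximum
        g = self.guaranteed(rc)
        extra = max(0, used + amount - g) - max(0, used - g)
        if extra > self.shared_free():
            return False                    # shared area exhausted
        self.contexts[name][1] = used + amount
        return True

    def release(self, name, amount):
        self.contexts[name][1] -= amount
```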
Configuring ACE Virtual Context (I)
- By default, a VC does not allow any management, control, or data plane communication
- Allowing management traffic to a virtual context
  - Management class map: defines the management protocols ACE will allow (ICMP, telnet, SSH, etc.)
  - Policy map: actually permits these protocols
  - Apply the policy map to an interface or to a group of interfaces

Configuring ACE Virtual Context (II)
- Allowing load balancing traffic through a virtual context
  - Using access lists, a VC permits traffic to be processed by the ACE data plane
- Load balancing configuration steps
  1. Real servers and probe configuration
  2. Server farms (predictor and probes)
  3. (optional) Layer 7 class maps: enable Layer 7 switching
  4. (optional) Policy maps: link classes of traffic with server farms
  5. Virtual IP class map
  6. Multimatch policy map: links the VIP and the policy map
  7. Service policy: the multimatch policy can be applied to an interface or to a group of interfaces