
Chapter 6:

Virtualization Technologies in Networking

ITP4111
Open Standards Networking

© VTC 2013 ILO 6


What is Network Virtualization?


Server Virtualization

• Creating multiple logical server OS instances (Virtual Machines, VMs) on one physical piece of hardware.


Network Virtualization
• What is network virtualization?


Network Virtualization

Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on a shared physical infrastructure.
• Ensures isolation between coexisting VNs
• Independent address spaces and routing domains per VN
• Well-defined and controllable ingress/egress points for data transport
• Methods of controlled collaboration between VNs, or between VNs and shared resources (e.g. an Internet connection), may be defined


Virtual Network (VN)

• A virtual network is a collection of virtual nodes (devices) connected together by a set of virtual links to form a virtual topology, which is essentially a subset of the underlying physical topology.

Ref: [Chowdhury & Boutaba]


Network Virtualization – One to Many
• One network supports many virtual networks
• Figure: use cases such as an Outsourced IT Department, a Merged Company and a New Segregated Department (Regulatory Compliance), each served by virtual constructs (Virtual Data Center, Virtual Front-End, Virtual Network/LAN) on the one shared infrastructure


Network Virtualization – Many to One
• One network consolidates many physical networks, e.g. (figure):
  – Security Network
  – Guest/Partner Network
  – Backup Network
  – Out-of-Band Management Network
  – Data Center Network


Network Virtualization Environment (NVE)


Network Virtualization Framework

• In order to provide network virtualization services, Cisco subdivides them into three logical functional areas: access control, path isolation, and services edge.


Access Control

• The access control functional area identifies the users or devices logging into the network so that they can be assigned to the corresponding groups.
• Once identified, the endpoints must be authorized onto the network. To achieve this, the enterprise LAN edge port on which an endpoint connects is activated and configured with certain characteristics and policies.
• Examples of authorization include configuring the VLAN membership of a port based on the result of the authentication process (dynamic VLAN), and dynamically configuring port ACLs based on the authentication (downloadable ACL).


Dynamic VLAN



Downloadable ACL


Path Isolation
• Path isolation refers to the creation of independent logical traffic paths over a
shared physical network infrastructure. This involves the creation of VPNs with
various mechanisms as well as the mapping between various VPN technologies,
Layer 2 segments, and transport circuits to provide end-to-end isolated
connectivity between various groups of users.
• The main goal when segmenting the network is to preserve and in many cases
improve scalability, resiliency, and security services available in a non-segmented
network.
• A hierarchical IP network is a combination of Layer 3 (routed) and Layer 2
(switched) domains. Both types of domains must be virtualized and the virtual
domains must be mapped to each other to keep traffic segmented. This can be
achieved when combining the virtualization of the network devices (also
referred to as “device virtualization”) with the virtualization of their
interconnections (known as “data path virtualization”).



Service Edge

• The services edge portion of the overall network virtualization process is where a large part of policy enforcement and traffic manipulation is done.
• The services edge functions may be physically deployed in different areas of the enterprise network: the data center, the Internet edge, a dedicated services block connected to the campus core, etc.

Areas of Network Virtualization

It involves the following three areas:

• Device virtualization
• Data path virtualization
• Network service virtualization



Virtualization of Network Devices


• The control plane and the data (forwarding) plane are the core of today's networking hardware for moving an IP packet from a source to its destination.
• The management plane is a further component, used for user-to-device interaction (configuration and monitoring).


Routing and Forwarding

Control plane: runs routing protocols, spanning tree and link aggregation (RIP, OSPF, BGP, MSTP, LACP)

Data plane: forwards packets from the incoming to the outgoing interface


Device Virtualization

• Management plane virtualization
  – Virtual device contexts (analogous to server virtualization)
• Control plane virtualization [one physical network to many virtual networks]
  – VLAN (Layer 2, virtual LAN)
  – VRF (Layer 3, virtual router)
• Control plane virtualization [many physical networks to one virtual network]
  – IRF, VSS, vPC


Virtual Device Contexts (VDC)
• VDC provides virtualization at the device level, allowing multiple instances of the device to operate on the same physical switch at the same time.
• Figure: each VDC (VDC1 … VDCn) runs its own L2 protocols (VLAN Mgr, UDLD, LACP, CTS, IGMP, 802.1x), L3 protocols (OSPF, BGP, EIGRP, PIM, GLBP, HSRP, VRRP), SNMP, RIB and protocol stack (IPv4/IPv6/L2), on top of the shared infrastructure and kernel of a Nexus 7000 physical switch.


Control Plane Virtualization –
One to Many
• Layer 2 solution
  – Divide the physical switch into multiple logical switches. Each VLAN has its own MAC address table.


Control Plane Virtualization –
One to Many
Layer 3 solution (global routing table)
• Typically all routing processes and static routes populate one routing table
• All interfaces are part of the global routing table

  router eigrp 1
   network 10.1.1.0 0.0.0.255
  !
  router ospf 1
   network 10.2.1.0 0.0.0.255 area 0
  !
  router bgp 65000
   neighbor 192.168.1.1 remote-as 65000
  !
  ip route 0.0.0.0 0.0.0.0 140.75.138.114


What Is a VRF (Virtual Routing and Forwarding)?

• VRF is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time.
• VRFs allow dividing the global routing table into multiple virtual routing tables
• Routing protocol extensions allow binding a process/address family to a VRF
• Interfaces are bound to a VRF using
  ip vrf forwarding <vrf-name>

  router eigrp 1
   network 10.1.1.0 0.0.0.255
  !
  router ospf 1 vrf orange
   network 10.2.1.0 0.0.0.255 area 0
  !
  router bgp 65000
   address-family ipv4 vrf blue
  !
  ip route vrf green 0.0.0.0 0.0.0.0 …

(The EIGRP process above stays in the global table; the OSPF process, the BGP address family and the static route are each bound to their own VRF.)
Configuration example: two VRFs on one router

  Common-Router(config)#ip vrf SALES
  Common-Router(config)#ip vrf ENG

  Common-Router(config)#int fa0/0   <same for fa1/0>
  Common-Router(config-if)#ip vrf forwarding SALES
  Common-Router(config-if)#ip add 10.0.0.5 255.255.255.0

  Common-Router(config)#int fa1/0   <same for fa2/0>
  Common-Router(config-if)#ip vrf forwarding ENG
  Common-Router(config-if)#ip add 30.0.0.5 255.255.255.0

  Common-Router(config)#router rip
  Common-Router(config-router)#address-family ipv4 vrf SALES
  ...

  Common-Router(config)#router eigrp 1
  Common-Router(config-router)#address-family ipv4 vrf ENG
  Common-Router(config-router)#autonomous-system 1
  ...

Note: "ip vrf forwarding" must be entered before the IP address; assigning an interface to a VRF removes any address already configured on it.


• Layer 2 virtualization: each virtual switch can be mapped to one Virtual LAN (VLAN), and each VLAN has its own MAC address table.
• Layer 3 virtualization: each virtual router can be mapped to one Virtual Routing and Forwarding (VRF) instance, and each instance has its own routing table.

Control Plane Virtualization –
Many to One

• Stackable switches are designed to appear as a single switch to the network, even when several are connected together.
• You can add a second, third, or even tenth stackable switch, and the network will still see only one switch.
• In a stack only one control plane is active and another is passive (standby), but all data planes are active.

Examples of Stackable Switches



Multi-Chassis Link Aggregation (MLAG)

Figure: normal link aggregation compared with multi-chassis link aggregation


Juniper Virtual Chassis Technology

• An EX2200 Virtual Chassis, composed of up to four EX2200 switches
• An EX3300 Virtual Chassis, composed of up to ten EX3300 switches
• An EX4200 Virtual Chassis, composed of up to ten EX4200 switches
• An EX4500 Virtual Chassis, composed of up to ten EX4500 switches
• An EX4550 Virtual Chassis, composed of up to ten EX4550 switches


H3C Stacking Technologies – Intelligent Resilient Framework (IRF)


Cisco Stacking / Multi-Chassis Link Aggregation (MLAG)

• Unified data plane, unified configuration and a single IP address for management
  – Catalyst 3750 StackWise, StackWise Plus
  – Catalyst 6500 Virtual Switching System (VSS)
  – Catalyst 2960-S FlexStack
  – Cisco Nexus 7000 virtual port channel (vPC)


Virtualized Dual Backbone



Virtualization of Network Transports


• VRFs achieve the virtualization of the networking devices at Layer 3. Once the devices are virtualized, the virtual instances in the various devices must be interconnected to form a VPN. Thus, a VPN is a group of interconnected VRFs.
• The type of data path virtualization required depends on how far apart the VRFs are.
  – If the virtualized devices are directly connected to each other (single hop), link or circuit virtualization is necessary.
  – If the virtualized devices are connected through multiple hops over an IP network, a tunneling mechanism is necessary.


Data path virtualization
• Hop-to-hop case
  – Virtualization is applied to a single-hop data path (the link between two adjacent virtualized devices).
• Hop-to-cloud case
  – Virtualization tunnels carry the data path across multiple hops of a shared IP cloud.


Network Virtualization
• Protocol approach
  – Data-path virtualization is usually implemented with one of three protocols:
  • 802.1Q: implements hop-to-hop data-path virtualization
  • MPLS (Multiprotocol Label Switching) VPNv4: implements Layer 3 data-path virtualization across the routed core, mapped to the VRFs on the edge routers
  • GRE (Generic Routing Encapsulation): implements virtualization across a wide variety of networks with a tunneling technique


Network Virtualization

• 802.1Q-in-802.1Q (QinQ)
  – Standardized by IEEE 802.1 (IEEE 802.1ad, Provider Bridges)
  – Does not encapsulate the original frame
  – Adds a 32-bit tag between the source MAC address and the EtherType field:
  • ETYPE / TPID (2 B): tag protocol identifier
  • Dot1Q tag / TCI (2 B): VLAN number, priority code point (and a drop-eligible bit)
  – The provider edge stacks a second (outer) tag in front of the customer's tag, so customer VLAN IDs may overlap between customers

CE: Customer Edge router
PE: Provider Edge router
Network Virtualization
• Example of QinQ, Layer 2 virtualization (figure: Ethernet network)
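The tag layout described on the QinQ slide, as an added example in Python (this is not code from the slides or from any vendor). It builds and parses single-tagged (802.1Q) and double-tagged (802.1ad QinQ) frames, and models the two provider-edge operations: pushing an S-TAG on customer ingress and popping it on egress only when it is the S-VID assigned to that customer port. The MAC addresses, VLAN IDs and payloads are constructed test data.

```python
"""Build and parse 802.1Q single-tagged and QinQ double-tagged frames.

Added example; not code from the original slides. 802.1Q does not
encapsulate the frame but inserts a 4-byte tag (2-byte TPID + 2-byte TCI)
between the source MAC and the EtherType; QinQ (IEEE 802.1ad) stacks a
second, outer S-TAG in front of the customer C-TAG at the provider edge.
MAC addresses, VLAN IDs and payloads used here are constructed test data.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

TPID_C_TAG = 0x8100   # 802.1Q customer tag
TPID_S_TAG = 0x88A8   # 802.1ad service (provider) tag
TAG_TPIDS = {TPID_C_TAG, TPID_S_TAG}


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # 3-bit priority code point
    dei: int   # drop eligible indicator (the CFI bit in the original 802.1Q)
    vid: int   # 12-bit VLAN identifier


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: List[VlanTag] = field(default_factory=list)   # outermost first
    ethertype: int = 0
    payload: bytes = b""


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, tags: Sequence[Tuple[int, int, int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """tags: (tpid, pcp, dei, vid) tuples, outermost first."""
    raw = mac(dst) + mac(src)
    for tpid, pcp, dei, vid in tags:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
        raw += struct.pack("!HH", tpid, tci)
    return raw + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack until a non-tag EtherType is found."""
    if len(raw) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    frame = Frame(dst=raw[0:6], src=raw[6:12])
    off = 12
    while True:
        if off + 2 > len(raw):
            raise ValueError("frame truncated inside the header")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in TAG_TPIDS:
            break
        if off + 4 > len(raw):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        frame.tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    frame.ethertype = etype
    frame.payload = raw[off + 2:]
    return frame


def pe_push_stag(raw: bytes, svid: int, pcp: int = 0) -> bytes:
    """Provider-edge ingress: stack an S-TAG in front of whatever the customer sent."""
    tci = (pcp & 0x7) << 13 | (svid & 0x0FFF)
    return raw[:12] + struct.pack("!HH", TPID_S_TAG, tci) + raw[12:]


def pe_pop_stag(raw: bytes, svid: int) -> bytes:
    """Provider-edge egress: strip the outer S-TAG, but only if it is the S-VID
    assigned to this customer port; anything else is refused, not leaked."""
    frame = parse_frame(raw)
    if not frame.tags or frame.tags[0].tpid != TPID_S_TAG or frame.tags[0].vid != svid:
        raise ValueError("outer tag is not the expected S-TAG for this customer port")
    return raw[:12] + raw[16:]


def customer_vid(raw: bytes) -> Optional[int]:
    """C-VID as the customer sees it (innermost tag), or None if untagged."""
    tags = parse_frame(raw).tags
    return tags[-1].vid if tags else None
```

Two customers that both use C-VID 100 stay separate because the provider gives them different S-VIDs; `pe_pop_stag` refuses to strip a tag that does not belong to the port, which is the check that keeps one customer's frames from being delivered into another customer's segment.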


Network Virtualization

• MPLS (Multiprotocol Label Switching)
  – Also classified as Layer 2.5 virtualization
  – Adds one or more labels (a label stack) to the packet
  – Needs Label Switch Routers (LSRs) to read the MPLS header and forward on the label


Network Virtualization
• Example of MPLS VPNv4, Layer 3 virtualization (figure)


Network Virtualization

• GRE (Generic Routing Encapsulation)
  – GRE is a tunneling protocol developed by Cisco (standardized in RFC 2784)
  – Encapsulates a wide variety of network layer protocols
  – Stateless: the tunnel endpoints keep no state about the tunnel or about each other

Figure: built tunnel


Service Edge Virtualization


Unprotected Services Access

• Unprotected services access means allowing communication to shared services without subjecting the traffic to any type of security check.
• An unprotected service is reachable from one or more VPNs without a policy enforcement point between the service and the requesting host.
• The technical solution for unprotected services access consists of leaking prefixes between the routing tables associated with each defined VPN.


• Unprotected services access is inherently insecure and should be deployed carefully to avoid opening undesired back doors between VPNs. In particular, route leaking should not be used to provide peer-to-peer (inter-VPN) connectivity.
• The recommendation is to deploy unprotected services sharing in a limited fashion, for example to provide DHCP or DNS services to the various VPNs without adding unnecessary load to the firewalls that control access to the other shared services that must be protected.
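The following is an added Python example (not code from the slides or from Cisco's design guide) that ties the VRF slides to this one: each VRF is its own routing table, interfaces are bound to a VRF as with "ip vrf forwarding", and route leaking is allowed only between a tenant VRF and the shared-services VRF, never tenant to tenant, which is the back door the slide warns about. The VRF names, interface names and next hops are constructed; the 10.0.0.0/24 and 30.0.0.0/24 prefixes follow the SALES and ENG interfaces configured on the earlier slide, and 192.0.2.0/24 is a constructed shared-services (DNS/DHCP) subnet.

```python
"""Per-VRF routing tables with policy-controlled route leaking.

Added example; not code from the original slides or from Cisco's design
guide. Each VRF holds its own table and does longest-prefix match only
within it; leaking copies a prefix from one table to another, and the
policy refuses any leak that does not involve the shared-services VRF.
All names, prefixes, interfaces and next hops are constructed.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class Vrf:
    """One virtual routing table with longest-prefix-match lookup."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        # No route in this VRF means the packet is dropped, even if another
        # VRF on the same box knows the destination: that is the isolation.
        return best[1] if best else None


class VrfRouter:
    """A physical router hosting several VRFs plus the interface-to-VRF binding."""

    def __init__(self, shared_vrf: str) -> None:
        self.shared_vrf = shared_vrf
        self.vrfs: Dict[str, Vrf] = {shared_vrf: Vrf(shared_vrf)}
        self.iface_vrf: Dict[str, str] = {}

    def vrf(self, name: str) -> Vrf:
        return self.vrfs.setdefault(name, Vrf(name))

    def bind_interface(self, iface: str, vrf_name: str) -> None:
        """Equivalent of 'ip vrf forwarding <vrf>' on an interface."""
        self.iface_vrf[iface] = self.vrf(vrf_name).name

    def leak(self, src_vrf: str, prefix: str, dst_vrf: str) -> None:
        """Copy a prefix from one VRF table into another (route leaking).

        Policy: a leak is allowed only if one side is the shared-services VRF.
        Leaking directly between two tenant VRFs would open a back door that
        bypasses the policy enforcement point used for protected services.
        """
        if self.shared_vrf not in (src_vrf, dst_vrf):
            raise PermissionError(f"refusing inter-VPN leak {src_vrf} -> {dst_vrf}")
        net = ipaddress.ip_network(prefix)
        self.vrfs[dst_vrf].routes[net] = self.vrfs[src_vrf].routes[net]

    def forward(self, ingress_iface: str, dst: str) -> Optional[str]:
        """Look the destination up in the VRF the ingress interface belongs to."""
        return self.vrfs[self.iface_vrf[ingress_iface]].lookup(dst)


def build_demo_router() -> VrfRouter:
    """Constructed topology: two tenant VRFs and one shared-services VRF."""
    r = VrfRouter(shared_vrf="SHARED")
    r.bind_interface("fa0/0", "SALES")
    r.bind_interface("fa1/0", "ENG")
    r.bind_interface("gi0/2", "SHARED")
    r.vrf("SALES").add_route("10.0.0.0/24", "connected fa0/0")
    r.vrf("ENG").add_route("30.0.0.0/24", "connected fa1/0")
    r.vrf("SHARED").add_route("192.0.2.0/24", "connected gi0/2")   # DNS/DHCP servers
    # Unprotected services access: leak the shared prefix into each tenant, and
    # each tenant prefix back into SHARED so that replies have a return route.
    for tenant, prefix in (("SALES", "10.0.0.0/24"), ("ENG", "30.0.0.0/24")):
        r.leak("SHARED", "192.0.2.0/24", tenant)
        r.leak(tenant, prefix, "SHARED")
    return r


if __name__ == "__main__":
    router = build_demo_router()
    print(router.forward("fa0/0", "192.0.2.53"))   # SALES reaches the shared DNS
    print(router.forward("fa0/0", "30.0.0.5"))     # SALES cannot reach ENG: None
```

Note that the leak has to be two-way (service prefix into the tenant, tenant prefix into the shared VRF) for return traffic to route at all; a one-way leak only produces a black hole. The policy in `leak` is the whole control here: once a tenant prefix sits in the shared VRF, anything else that can reach the shared VRF can reach that tenant, so the shared VRF should contain only the services meant to be reached without a firewall.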
Protected Services Access

• Protected services must be accessible from the VPNs, but only after specific security policies are enforced.
• Thus, all traffic reaching the services must be routed through a common point of policy enforcement.
• In cases where VPNs must communicate with each other in a controlled manner, the policies at the VPN perimeter can be changed to provide such access.


Network Services in a NVE



Network Service Virtualization

• Network Service Virtualization (NSV) virtualizes a network service, for example a firewall module or an IPS software instance, by partitioning the software image so that independent instances can be used by different applications from a common hardware base.
• NSV removes the need to acquire a separate device every time the network service is required, by running another software instance on the same physical hardware.
• Network security products were first brought to market as single-purpose appliances, and are now bundled as a set of security functions within one appliance. For example, firewalls were offered on special-purpose hardware, as were IPS (Intrusion Prevention System), VPN (Virtual Private Network), NBAD (Network-Based Anomaly Detection) and other security products.


Network Functions Virtualization (NFV) 

• A Virtual Network Function (VNF) is the implementation of a network function such as a firewall or load balancer in software that runs on standard server hardware and can be moved to, or instantiated in, various locations in the network as required, without installing new equipment.


NFV of Amazon AWS


Software Defined Networking (SDN)

• Software defined networking (SDN) is a form of network virtualization in which the control plane is separated from the data plane and implemented in a software application (the controller).
• This allows a single controller to configure or manage the complete network, as opposed to each device managing its own functionality and being programmed individually.


Typical Enterprise Network Devices

• The basic job of a network device is to make a forwarding decision (control plane) and subsequently forward the data toward a destination (data plane).
• The control plane is typically a collection of software local to a router or switch that programs the flows.


Separate Control Plane from Data Plane

• The controller knows the topology, L2 or L3, and knows the devices attached to the topology and their identities (IP/MAC addresses).


Benefits of SDN

1. Service provisioning speed and agility
2. Network flexibility and holistic management
3. Better and more granular security
4. Virtual network services with lower capital expenses (capex)


Three critical components to building an SDN

1. The infrastructure: the underlying ports and forwarding hardware that move data across the network. It should support programmatic access to its data and control planes via Application Programming Interfaces (APIs).
2. The control element: resides in a central controller. It presents an abstracted view of the infrastructure, allowing the network administrator to apply one or more policies across the network.
3. SDN applications: are presented with a view of the entire network, allowing them to focus on optimizing business applications and providing a true end-to-end SLA comprising performance, quality of service and security. SDN applications are responsible for tasks such as path computation, loop avoidance and routing.


Three critical components to build an SDN (figure)


API directionality in SDN



API directionality in SDN

The APIs used to communicate between the layers of the SDN stack are grouped by their function in an SDN architecture:
• Northbound APIs: communicate between controllers and applications
• Southbound APIs: communicate between the controller and the infrastructure
• East/Westbound APIs: communicate between groups or federations of controllers to synchronize state for high availability


Virtual Cloud Networks application use case


Southbound Open Standard API - OpenFlow

• The OpenFlow protocol is a key enabler for software-defined networks and is a standardized SDN protocol that allows direct manipulation of the forwarding plane of network devices.
• It allows the path of network packets through a network of switches to be determined by software in a controller. This separation of control from forwarding allows more sophisticated traffic management.


OpenFlow Example

Figure: a cluster of controllers (software layer, running on PCs) speaks the OpenFlow protocol to the OpenFlow client (e.g. OVS) on OpenFlow-enabled hardware (hardware layer) with ports 1–4; hosts 5.6.7.8 and 1.2.3.4 are attached. The switch holds this flow table entry:

  MAC src | MAC dst | IP Src | IP Dst  | TCP sport | TCP dport | Action
  *       | *       | *      | 5.6.7.8 | *         | *         | port 1


OpenFlow Basics
Flow table entries

  Rule | Action | Stats (packet + byte counters)

Actions:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify fields
5. Any extensions you add!

Rule (match fields): Switch Port, VLAN ID, VLAN pcp, MAC src, MAC dst, Eth type, IP Src, IP Dst, IP ToS, IP Prot, L4 sport, L4 dport
+ mask: which fields to match
+ priority
+ timeout (idle and hard)
+ timeout (idle and hard)
Examples

IP routing service
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst  | IP Prot | TCP sport | TCP dport | Action
  *           | *       | *       | *        | *       | *      | 5.6.7.8 | *       | *         | *         | port6

VLAN multicast service
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
  *           | *       | 00:1f.. | *        | vlan1   | *      | *      | *       | *         | *         | port6, port7, port9

Firewall service
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
  *           | *       | *       | *        | *       | *      | *      | *       | *         | 22        | drop
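The three table rows above, as an added Python example (not code from the slides, from OpenFlow's specification or from any switch or controller). It models a flow table with wildcard matching, priorities, actions and the per-entry packet/byte counters, installs the routing, multicast and firewall rules, and shows two points the slide leaves implicit: the firewall entry must carry a higher priority than the routing entry or SSH to 5.6.7.8 would be forwarded, and an entry completely covered by a higher-priority entry can never be hit (a "shadowed" rule). Field names follow the slide's column headers; the packets and the full multicast MAC address (the slide shows only "00:1f..") are constructed.

```python
"""A minimal OpenFlow-style flow table: wildcard match, priority, actions, counters.

Added example; not code from the slides or from any real switch or controller.
Field names follow the slide's table headers; a field absent from a rule's
match is a wildcard ('*' on the slide). Packets are plain dictionaries and
are constructed test input.
"""
from dataclasses import dataclass
from typing import Dict, List

Packet = Dict[str, object]


@dataclass
class FlowEntry:
    match: Dict[str, object]
    actions: List[str]          # "output:<port>", "drop", "controller", "normal", ...
    priority: int = 0
    packets: int = 0            # stats: packet counter
    byte_count: int = 0         # stats: byte counter

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

    def covers(self, other: "FlowEntry") -> bool:
        """True if every packet matching `other` also matches self."""
        return all(other.match.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        # Highest priority first. OpenFlow leaves the choice between overlapping
        # entries of equal priority undefined, so never rely on insertion order.
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt: Packet, length: int) -> List[str]:
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.byte_count += length
                return list(e.actions)
        return ["controller"]   # table miss: encapsulate and send to the controller

    def shadowed(self) -> List[FlowEntry]:
        """Entries that can never be hit because a higher-priority entry covers them."""
        out = []
        for i, low in enumerate(self.entries):
            if any(high.priority > low.priority and high.covers(low)
                   for high in self.entries[:i]):
                out.append(low)
        return out


def build_slide_table() -> FlowTable:
    t = FlowTable()
    # Firewall service: drop destination port 22 everywhere. It only wins over the
    # routing entry because its priority is higher. As on the slide it matches the
    # port alone; a production rule would also match eth_type and ip_proto.
    t.add(FlowEntry({"tp_dst": 22}, ["drop"], priority=200))
    # IP routing service: anything addressed to 5.6.7.8 leaves on port 6.
    t.add(FlowEntry({"ip_dst": "5.6.7.8"}, ["output:6"], priority=100))
    # VLAN multicast service: a group MAC in vlan1 is replicated to ports 6, 7 and 9
    # (full MAC is constructed; the slide abbreviates it as 00:1f..).
    t.add(FlowEntry({"mac_dst": "00:1f:00:00:00:01", "vlan_id": 1},
                    ["output:6", "output:7", "output:9"], priority=100))
    return t


if __name__ == "__main__":
    table = build_slide_table()
    web = {"ip_dst": "5.6.7.8", "ip_proto": 6, "tp_dst": 80}
    ssh = {"ip_dst": "5.6.7.8", "ip_proto": 6, "tp_dst": 22}
    print(table.lookup(web, 1500), table.lookup(ssh, 64))
```

`shadowed()` is the check a controller should run before pushing a rule: a later "allow SSH to this one server" exception installed below the firewall's priority silently never matches, and the counters on the firewall entry are what reveals it.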


VMWare NSX



The Physical Infrastructure



The Overlay Network with VXLAN



• Frame encapsulation is done by an entity known as a VXLAN Tunnel Endpoint (VTEP).
• A VTEP has two logical interfaces: an uplink and a downlink.
• The uplink is responsible for receiving VXLAN frames and acts as a tunnel endpoint with an IP address used for routing VXLAN-encapsulated frames. These IP addresses are infrastructure addresses and are separate from the tenant IP addressing of the nodes using the VXLAN fabric.
• VTEP functionality can be implemented in software, such as a virtual switch, or in a physical switch.
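The VTEP described above, as an added Python example (not code from the slides or from VMware NSX). It builds the 8-byte VXLAN header of RFC 7348 (flags byte with the I bit 0x08 set, 24-bit VNI, reserved bytes zero) around a tenant Ethernet frame, and models the uplink side of a VTEP: a received datagram is decapsulated onto a tenant segment only if the VNI maps to a segment this VTEP serves and the underlay source address is a known peer VTEP. The outer UDP/IP header is not built; its relevant fields (source VTEP address, destination port 4789) are passed as parameters. The VTEP addresses, VNIs and frames are constructed, and the peer allow-list is a deployment control assumed here, not something RFC 7348 requires.

```python
"""VXLAN encapsulation and a VTEP that validates what it decapsulates.

Added example; not code from the slides or from VMware NSX. Builds the RFC 7348
VXLAN header around a tenant frame and models the VTEP uplink checks. The UDP/IP
outer header is represented only by the source address and destination port
passed to receive(). Addresses, VNIs and frames are constructed test data; the
peer allow-list is an assumed deployment control, not part of the RFC.
"""
import struct
from typing import Dict, Optional, Set, Tuple

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08      # "valid VNI" flag, the only flag RFC 7348 defines
VXLAN_HEADER_LEN = 8


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header to an inner (tenant) Ethernet frame."""
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) + reserved(3) | VNI(3) + reserved(1); reserved bytes sent as zero
    header = struct.pack("!B3x", VXLAN_FLAG_I) + struct.pack("!I", vni << 8)
    return header + inner_frame


def vxlan_decap(packet: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame) or raise on a malformed header."""
    if len(packet) < VXLAN_HEADER_LEN:
        raise ValueError("packet shorter than the VXLAN header")
    if not packet[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    # Reserved fields are ignored on receipt, as RFC 7348 requires.
    (vni_word,) = struct.unpack("!I", packet[4:8])
    return vni_word >> 8, packet[VXLAN_HEADER_LEN:]


class Vtep:
    """Uplink side of a VTEP: a tunnel endpoint with an infrastructure address."""

    def __init__(self, ip: str, segments: Dict[int, str], peers: Set[str]) -> None:
        self.ip = ip                  # underlay (infrastructure) address, not a tenant address
        self.segments = segments      # VNI -> local tenant segment (downlink) name
        self.peers = set(peers)       # underlay addresses of VTEPs we accept traffic from
        self.drops: Dict[str, int] = {"bad_peer": 0, "bad_port": 0, "malformed": 0, "unknown_vni": 0}

    def receive(self, src_ip: str, dst_port: int, payload: bytes) -> Optional[Tuple[str, bytes]]:
        """Decapsulate one underlay datagram; return (segment, inner_frame) or None if dropped."""
        if dst_port != VXLAN_UDP_PORT:
            self.drops["bad_port"] += 1
            return None
        if src_ip not in self.peers:
            # The VNI travels in clear text in the underlay, so anyone able to send to
            # our uplink could claim any tenant's VNI: restrict sources to known VTEPs.
            self.drops["bad_peer"] += 1
            return None
        try:
            vni, inner = vxlan_decap(payload)
        except ValueError:
            self.drops["malformed"] += 1
            return None
        segment = self.segments.get(vni)
        if segment is None:
            self.drops["unknown_vni"] += 1   # RFC 7348: unknown VNI -> drop
            return None
        return segment, inner

    def send(self, segment: str, inner_frame: bytes) -> Tuple[int, bytes]:
        """Downlink -> uplink: wrap a tenant frame in the header for the segment's VNI."""
        vni = next(v for v, s in self.segments.items() if s == segment)
        return VXLAN_UDP_PORT, vxlan_encap(vni, inner_frame)
```

The `drops` counters are what an operator would watch: a rising `bad_peer` or `unknown_vni` count on a VTEP uplink means something in the underlay is sending traffic for tenants it should not know about.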


Southbound API – OVSDB (Open vSwitch Database), RFC 7047

• OVSDB is a management protocol used to manipulate the configuration of Open vSwitch instances; some vendors have also implemented OVSDB in the firmware of their Ethernet switches.


Juniper SDN Architecture


Southbound API - NetConf

• The Network Configuration Protocol (NETCONF) is a network management protocol that provides mechanisms to install, manipulate and delete the configuration of network devices.
• Its operations are realized on top of a simple remote procedure call (RPC) layer. NETCONF uses Extensible Markup Language (XML)-based encoding for the configuration data as well as for the protocol messages. The protocol messages are exchanged over a secure transport protocol (typically SSH).


Juniper Contrail



Extensible Messaging and Presence Protocol (XMPP)

• XMPP is a communications protocol for message-oriented middleware based on XML (Extensible Markup Language).
• The protocol was originally named Jabber and was developed by the Jabber open-source community for near-real-time instant messaging (IM).


Cisco Extensible Network Controller (XNC)


Two Approaches to Control Systems


Declarative control 

• In a declarative control model, each object is asked to achieve a desired state and promises to reach that state, without being told precisely how to do so.
• The traditional imperative model employs top-down management that specifies every element of the configuration needed to reach the desired state.

Cisco Application Policy Infrastructure Controller (APIC)

Figure: Nexus 9000; Nexus 1000v for the virtual environment


Southbound API - OpFlex


SDN Controllers
Proprietary
• Cisco Application Policy Infrastructure Controller (APIC)
• Cisco Extensible Network controller (XNC)
• HP Virtual Application Networks (VAN) SDN Controller
• Juniper Contrail
• IBM Programmable Network Controller
• Huawei Protocol Oblivious Forwarding (POF)
Open Source
• NOX, C++
• POX, Python
• NodeFlow, JavaScript
• Ryu, Python
• Floodlight, Java
• OpenDaylight, Java
• Juniper OpenContrail



References

• N.M. Mosharaf Kabir Chowdhury, Raouf Boutaba, "A survey of network virtualization", Computer Networks, vol. 54, no. 5, pp. 862-876, 2010.
• Cisco, Network Virtualization—Path Isolation Design Guide, http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html