Network Virtualization
• Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on a shared physical infrastructure
• Total privacy between groups has to be guaranteed
  • Assignment of a user to a VN depends on successful authentication
  • Independent address spaces and routing domains
  • Well-defined and controllable ingress/egress points for data transport
  • Methods of controlled collaboration between VNs, or between VNs and shared resources (e.g. the Internet connection), may be defined
What can/has to be virtualized?
• Network devices
  • Control plane, data plane, management plane
• Network transport (links)
  • L2/L3 VPN technologies
• Network services
  • DHCP, AAA, …

Security Policies in Traditional Networks
• Security implied by physical location
  • Location in the (logical) network topology with regard to physical firewall interfaces
  • Applicable only if user groups are physically separated

Today’s Security Policy Requirements (1)
• Users from different groups coexist at the same physical location
  • Employees + in-house consultants on employee premises
  • Employees + guests + 3rd-party staff in a physical meeting room
  • Isolated intelligent-building subsystems
• A user’s policies are independent of the user’s current location
• Operation of virtual teams
  • Shared (temporary) virtual networking environment accessible to virtual team members only

Today’s Security Policy Requirements (2)
• The same (shared) physical device may get different privileges based on the user actually logged in and on the OS status
• Policy assignment/configuration based on the result of the authentication process (authorization)
• Quarantine subnet for infected/non-patched/policy-non-compliant computers
• Restriction of access to network resources to fulfil legal regulations
  • Health and insurance data, financial data, …
• Service centralization (for multiple customers)

Traditional Transport Separation Methods
• Traffic filtering (access lists)
  • Has to be implemented (consistently) in all parts of the network
  • Non-uniform: locally significant information (addresses) is used as the filtering criterion
• Policy-based routing
  • Static routing with additional constraints

Transport Virtualization
• 802.1Q, QinQ (802.1ad)
• “Colored” routed packets (DSCP, etc.)
• MPLS, MPLS VPN
• L2TPv3
• PseudoWires, VPLS
• GRE
• IPsec
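The first two items above, 802.1Q and QinQ, are the cheapest form of transport virtualization: a 4-byte tag inserted after the source MAC. The following Python block is an added example (not code from the original slides) that builds a frame, pushes and pops a tag the way a provider edge does, and parses the resulting tag stack. It shows why QinQ works: two customers who both use VLAN 100 internally stay separate because the outer S-TAG (0x88a8) carries a per-customer ID while their C-TAG (0x8100) travels untouched. All MAC addresses, VLAN IDs and the payload are constructed sample values.

```python
"""802.1Q and QinQ (802.1ad) tagging: build a frame, push/pop a tag, parse the
tag stack.  Added example, not from the original slides; MAC addresses, VLAN
IDs and the payload are constructed sample values."""
import struct

ETH_P_8021Q = 0x8100    # TPID of a customer tag (C-TAG)
ETH_P_8021AD = 0x88A8   # TPID of a service tag (S-TAG), the outer tag in QinQ
ETH_P_IP = 0x0800
TAG_TPIDS = (ETH_P_8021Q, ETH_P_8021AD)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def tci(vid, pcp=0, dei=0):
    """Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    return (pcp << 13) | (dei << 12) | vid


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: (tpid, vid) pairs, outermost first.  Layout is
    dst | src | (tpid | tci)* | ethertype | payload."""
    hdr = mac(dst) + mac(src)
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, tci(vid))
    return hdr + struct.pack("!H", ethertype) + payload


def push_tag(frame, tpid, vid):
    """Insert a new outermost tag right after the source MAC (what a provider
    edge does with an S-TAG on a customer's already C-tagged frame)."""
    return frame[:12] + struct.pack("!HH", tpid, tci(vid)) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag; raises if the frame is untagged."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in TAG_TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload).
    Tags are peeled while the next ethertype is a known TPID."""
    dst, src = frame[:6], frame[6:12]
    vids, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in TAG_TPIDS:
            return dst, src, vids, etype, frame[off:]
        (tag,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tag & 0x0FFF)


if __name__ == "__main__":
    payload = b"\x45" + bytes(19)          # constructed stand-in for an IPv4 header
    # Two customers both use VLAN 100 internally.
    cust_a = build_frame("00:11:22:33:44:55", "02:aa:00:00:00:01",
                         ETH_P_IP, payload, [(ETH_P_8021Q, 100)])
    cust_b = build_frame("00:11:22:33:44:55", "02:bb:00:00:00:01",
                         ETH_P_IP, payload, [(ETH_P_8021Q, 100)])
    # The provider keeps them apart by pushing a per-customer S-TAG.
    core_a = push_tag(cust_a, ETH_P_8021AD, 2001)
    core_b = push_tag(cust_b, ETH_P_8021AD, 2002)
    print(parse_frame(core_a)[2], parse_frame(core_b)[2])   # [2001, 100] [2002, 100]
    assert pop_tag(core_a) == cust_a                         # S-TAG popped at the far edge
```

The parser stops peeling at the first ethertype that is not a TPID, so a plain 802.1Q frame yields a one-element VLAN list and an untagged frame yields an empty one; `pop_tag` refuses to strip anything from an untagged frame rather than silently eating the ethertype.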
Device Virtualization (1)
• Management plane virtualization
  • Multiple logical “contexts” separated from the administration perspective
  • Common data plane: the separation is administrative only; forwarding isolation has to come from control/data plane virtualization

Device Virtualization (2)
• Control plane structures / forwarding table virtualization
  • VRFs: virtual routers
  • Plus VRF-aware routing protocols / multi-topology routing

Device Virtualization (3)
• Virtual device contexts (VDCs)
  • Process-level (para)virtualization, often Linux-kernel-based
  • A VDC acts as a failure domain: a process crash cannot influence other VDCs
• Resource virtualization (hypervisor level)
  • CPU, memory, TCAMs, peripherals, …
  • VDC resource consumption limits should be defined for shared resources (e.g. memory)
  • Dedicated resources (e.g. physical ports) have to be assigned to a particular VDC

Device Pooling
• Multiple routers with an FHRP
  • VRRP, HSRP, GLBP
  • Normally on the “user” side only
  • Sometimes also for returning traffic

Device Stacking
• Solutions like Cisco VSS, vPC etc.
  • Use Multichassis EtherChannel
  • No special configuration on the subordinate device side
  • Reduces STP complexity

An example: Fully overlaid VNs using VLANs and VRFs
• Pros and cons from the configuration & operation perspective
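To make the overlaid design concrete, here is an added example (a Python model, not device configuration and not from the original slides) of what a VLAN-per-VN plus VRF-per-VN router does: the ingress VLAN selects the routing table, each table has its own longest-prefix match, and the only way across tables is a route that is explicitly leaked into a shared-services VRF. This is the opposite of the access-list approach from the Traditional Transport Separation slide, where addresses themselves are the filtering criterion: here two VNs can reuse 10.0.0.0/24 and still never see each other, and the single Internet egress lives in the shared VRF. The VRF names, VLAN numbers and prefixes are constructed.

```python
"""Model of a 'fully overlaid' VN design: VLAN -> VRF binding, one routing
table per VRF, and controlled leaking into a shared-services VRF.  Added
example (Python model, not a device configuration); VRF names, VLAN IDs and
prefixes are constructed."""
import ipaddress


class VRF:
    """One routing/forwarding table.  A route either has a local next hop
    ("connected:vlan10" or an IP) or leaks into another VRF, in which case
    the lookup is repeated in that VRF's table."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop, leak_to)

    def add_route(self, prefix, next_hop=None, leak_to=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, leak_to))

    def lookup(self, dst):
        best = None
        for net, nh, leak in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, leak)
        return best


class VirtualizedRouter:
    def __init__(self):
        self.vrfs = {}
        self.vlan_vrf = {}

    def add_vrf(self, name):
        self.vrfs[name] = VRF(name)
        return self.vrfs[name]

    def bind_vlan(self, vid, vrf_name):
        self.vlan_vrf[vid] = vrf_name

    def forward(self, ingress_vlan, dst):
        """Return (verdict, vrf, next_hop).  The ingress VLAN, not anything
        in the packet, decides which table is consulted."""
        dst = ipaddress.ip_address(dst)
        vrf_name = self.vlan_vrf.get(ingress_vlan)
        if vrf_name is None:
            return ("drop", None, "ingress VLAN not bound to a VRF")
        for _ in range(4):  # bound the leak chain; a sane config has no loops
            hit = self.vrfs[vrf_name].lookup(dst)
            if hit is None:
                return ("drop", vrf_name, "no route")
            _net, nh, leak = hit
            if leak is None:
                return ("forward", vrf_name, nh)
            vrf_name = leak
        return ("drop", vrf_name, "leak chain too long")


def build_example():
    """Constructed topology: employees and guests overlap on 10.0.0.0/24,
    both may reach shared services and the single Internet egress only."""
    r = VirtualizedRouter()
    emp, gst, shr = r.add_vrf("employees"), r.add_vrf("guests"), r.add_vrf("shared")
    r.bind_vlan(10, "employees")
    r.bind_vlan(20, "guests")
    r.bind_vlan(99, "shared")
    emp.add_route("10.0.0.0/24", "connected:vlan10")
    emp.add_route("10.0.1.0/24", "10.0.0.254")          # employee-only internal subnet
    gst.add_route("10.0.0.0/24", "connected:vlan20")    # same prefix, different VN
    shr.add_route("192.168.100.0/24", "connected:vlan99")  # DHCP, AAA, proxies
    shr.add_route("0.0.0.0/0", "203.0.113.1")           # the one Internet egress
    for vrf in (emp, gst):                              # controlled collaboration
        vrf.add_route("192.168.100.0/24", leak_to="shared")
        vrf.add_route("0.0.0.0/0", leak_to="shared")
    return r


if __name__ == "__main__":
    r = build_example()
    print(r.forward(10, "10.0.0.5"))     # ('forward', 'employees', 'connected:vlan10')
    print(r.forward(20, "10.0.0.5"))     # ('forward', 'guests', 'connected:vlan20')
    print(r.forward(20, "10.0.1.5"))     # ('forward', 'shared', '203.0.113.1')
```

The third call is the security point: a guest addressing the employee-only subnet 10.0.1.0/24 never touches the employees table; its own table has no such route, so the packet follows the leaked default into the shared VRF and out of the single egress, where a conventional edge filter can deal with it. No access list on the user-facing side was needed to get there.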
Advantages of Network Virtualization
• Lower number of physical devices
  • Lower cost, less space consumption, lower power/cooling requirements
• Multiple (virtualized) devices with separate roles and simpler configurations
  • Possibility to keep “known good” scalable, stable and secure designs (e.g. the 3-tier model)
  • Better predictable data paths
  • Confines security concerns to the role affected
  • Less risk of unexpected software behaviour caused by unusual or overly complicated configuration

Interconnection with Virtualized Hosts
• VMware servers hosting multiple virtual machines (VMs)
• Servers often act as “capacities” for VMs that may migrate between hosting servers
  • VM migration based on human command or on automatic load-balancing and power-saving mechanisms
  • Network connectivity and security policies have to be “moved” with the VM as needed
  • Results in the requirement to span all (user) VLANs over the whole datacenter access/aggregation layer
  • Access/distribution layer switch (ALS/DLS) platforms therefore need to support a sufficiently high number of VLANs and STP instances

Virtualized Switches on VM-Hosting Platforms
• Associate VMs’ virtual NICs with VLANs
• Accomplish local switching and provide external connectivity (trunk)
• Multiple trunk lines may act separately by “pinning” each virtual NIC to one particular line
• One or multiple vSwitch instances per hypervisor
• Also 3rd-party vSwitches implemented using the VMware vSwitch API; these may implement vendor-specific functions, which is useful for consistent capabilities across all network devices
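The vSwitch bullets above describe three decisions that are worth seeing together: the VLAN is a property of the port the administrator assigned, local switching happens only between vNICs on the same VLAN, and everything else leaves tagged on the uplink the vNIC is pinned to. The Python block below is an added model of that behaviour; it is not VMware's code and does not claim to reproduce any product's exact semantics. Host, vNIC and uplink names and the MAC addresses are constructed.

```python
"""Model of a hypervisor vSwitch: each virtual NIC is bound to a VLAN and
pinned to one physical uplink; frames are switched locally only between
vNICs on the same VLAN, everything else leaves tagged on the pinned uplink.
Added example, not VMware's code; names and MAC addresses are constructed."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VSwitch:
    def __init__(self, uplinks):
        self.uplinks = set(uplinks)
        self.ports = {}   # vnic name -> (mac, vlan, pinned uplink)
        self.fdb = {}     # (vlan, mac) -> vnic; the VLAN is part of the key

    def add_vnic(self, name, mac, vlan, uplink):
        # The VLAN is set on the port by the administrator; the VM cannot
        # choose it in the frames it emits.
        if uplink not in self.uplinks:
            raise ValueError(f"unknown uplink {uplink}")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        self.ports[name] = (mac, vlan, uplink)
        self.fdb[(vlan, mac)] = name

    def _local_peers(self, vlan, exclude=None):
        return sorted(n for n, (_m, v, _u) in self.ports.items()
                      if v == vlan and n != exclude)

    def from_vm(self, src_vnic, dst_mac):
        """Forwarding decision for a frame emitted by a VM."""
        _mac, vlan, uplink = self.ports[src_vnic]
        if dst_mac == BROADCAST:
            # Flood to local vNICs on the same VLAN plus the pinned trunk.
            return ("flood", self._local_peers(vlan, exclude=src_vnic), uplink, vlan)
        peer = self.fdb.get((vlan, dst_mac))
        if peer is not None:
            # Local delivery; pinning affects only the uplink direction, so
            # two VMs on one VLAN talk locally even if pinned to different uplinks.
            return ("local", peer)
        # Unknown on this VLAN (including a MAC that exists on another VLAN):
        # send it tagged up the pinned trunk and let the physical network decide.
        return ("uplink", uplink, vlan)

    def from_uplink(self, vlan, dst_mac):
        """Forwarding decision for a tagged frame arriving on a trunk."""
        if dst_mac == BROADCAST:
            peers = self._local_peers(vlan)
            return ("flood", peers) if peers else ("drop", "no vNIC on this VLAN")
        peer = self.fdb.get((vlan, dst_mac))
        return ("local", peer) if peer is not None else ("drop", "unknown destination")


def build_host():
    """Constructed host: two web VMs on VLAN 10, one guest VM on VLAN 20,
    vNICs pinned to two uplinks."""
    vs = VSwitch(["vmnic0", "vmnic1"])
    vs.add_vnic("web1", "02:00:00:00:00:01", 10, "vmnic0")
    vs.add_vnic("web2", "02:00:00:00:00:02", 10, "vmnic1")
    vs.add_vnic("guest1", "02:00:00:00:00:03", 20, "vmnic0")
    return vs


if __name__ == "__main__":
    vs = build_host()
    print(vs.from_vm("web1", "02:00:00:00:00:02"))   # ('local', 'web2')
    print(vs.from_vm("web1", "02:00:00:00:00:03"))   # ('uplink', 'vmnic0', 10)
    print(vs.from_uplink(30, "02:00:00:00:00:02"))   # ('drop', 'unknown destination')
```

The second call shows the isolation property: web1 knows guest1's MAC, but because the forwarding table is keyed by (VLAN, MAC) the frame is not delivered locally; it goes up the trunk tagged with VLAN 10, where the router or firewall that joins VLANs 10 and 20 applies the policy. The last call shows the mirror image: a frame arriving for a VLAN no vNIC on this host belongs to is dropped rather than delivered anywhere.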