presentation title here - dia.uniroma3.itrimondin/courses/rcng1011/slides/rcng_07_virtuali... ·...

NETWORK VIRTUALIZATION

Fabio Bellini

Systems Engineer

[email protected]

2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net

VIRTUALIZATION TECHNOLOGIES

Server Virtualization Segmentation of physical servers into multiple OS instances.

Vmware, XenSource, Microsoft Hyper-V, Oracle OVM, IBM Power-V, RedHat KVM

Desktop Virtualization

• Complete management of offline user desktops with remote access and local use modes

• Vmware View, Microsoft TermServ NG (Kidaro), Citrix Presentation Server, RingCube

vDesk, MokaFive

Application Virtualization

• Autonomous execution of application sharing common libraries for easier maintenance

and lower risk

• Microsoft SoftGrid, Vmware ThinApp, Altiris, XenApp, AnandTech

Storage Virtualization

• Abstraction of physical storage from logical storage, enables quick data replication, and

lower data loss risk

• Netapp, EMC, Stor…

I/O Virtualization

• Consolidation of IO Interface types into fewer high capacity interfaces

• Xsigo, Brocade…NextIO

Network Virtualization



Network Virtualization Across Data Center

Strategy and Solution for Server Virtualization

Securing the Virtual Data Center

1

2

3


AGENDA

1. How to achieve L2/L3 network virtualization

2. Customer Deployment Scenarios

• Inter-Data Center L2 VLAN stretch connectivity

• Multi-Tiered Enterprise Application design

• L3VPN Network Segmentation for applications, business partners, regulatory compliance


DRIVER FOR “NETWORK VIRTUALIZATION”

• Establish traffic segmentation and improve privacy

• Increase network resiliency

• Improve network scalability and performance

• Improve security

• Rapidly deploy new services and applications

• Improve end user application performance

• Adhere to regulatory compliance


NETWORK VIRTUALIZATION COMPONENTS

Device

Partitioning

1 : N

VLAN

VRF

IRB

Virtual Routers

Virtual Bridging

Logical Systems

JCS1200Logical Systems

Device

Aggregation

N : 1

Virtual Chassis

Multi-Chassis LAG

TX Matrix

JCS 1200

Virtual Chassis

Virtualization with MPLS

Network

Communication

N : M

L3 VPN (MPLS, GRE, IPsec)

L2 VPN (VPLS, Pseudo-wires, 802.1q)

Circuit to Packet (TDM, Serial, etc. to IP)

VLANVLAN

VLAN

MPLS


VIRTUALIZATION ATTRIBUTES

High-Performance

MX Series Cloud

Scalable

Resilient

Transparent

Secure

Flexible

Adapt easily

to changing

business

needs

Hardware and

software

resiliency i.e.

NSR and ISSU

Traffic

Segmentation

Application

Security

Allow

separation of

Applications

and

Architecture

Rapidly

increase

throughput

and ports


NETWORK VIRTUALIZATION TECHNOLOGIES

Device

Virtualization

(One-to-Many)

Virtual Router Bridge GroupLogical Systems

Simplifies

Configuration

Routing and

Management

Separation

Scalable Routing

Separation

VRF lite Virtual Switch

Routing

Separation

Scalable

Switching

Separation

Improves device

utilization and

manageability

Link

Virtualization

VLAN LAG GRE MPLS LSP

Traffic

Segmentation

Priority

Scale

Bandwidth

Resiliency

Traffic

Segmentation

Priority

Tunnel

non-IP

traffic

Improves Link

utilization,

scalability and

resiliency

Service

Virtualization

Improves layering

of services

using secure

virtual connectivity

L2VPN L3VPN VPLS

L2 Point-to-Point L2 Point-to-Multipoint L3 Multipoint-to Multipoint

Privacy ResiliencyTraffic Engineering

MPLS

Scalability

System

Virtualization

(Many-to-One)

Virtual Chassis

Resiliency Simplifies

Configuration

Service Scalability Physical Port

Scalability

Improves resiliency,

scalability and

manageability


THE MPLS NETWORK VIRTUALIZATION SOLUTION

MPLS enables one physical network to be configured and operate as many separate virtual networks L2 or L3 VPN services

Shared physical network – No compromises

The Result: Diverse needs of business units are satisfied with virtualized networks

that cost less and effectively scale to support the largest enterprises

SECURE

Simply manage bandwidth

needs

MPLS allows for optimal utilization of network bandwidth

Allocation per service/application while maintaining latency

requirements for critical applications

RELIABLEEasily add new

applications or networks

New acquisitions and various applications can be added to the network via MPLS VPNs Each subsidiary or application is allowed to operate as

though each has a private network…over a cost effective shared infrastructure


DATA CENTER SERVICES EDGE WITH MPLS

MX Series

EX4200

EX8216

MX & M Series

Powerful, reliable routers for the edge

Low latency and scalable multicast

Network Virtualization Boundary

MX in Core & WAN

MPLS, VPLS extend VLANs enabling mobility

SRX5800

L2/L3 Boundary

MX Series

Enterprise Services Edge:

• Cloud/Application Segments - L3 VPN

• VLAN extensions – VPLS

• TDM replacements over IP WAN

• Regulatory compliance

IPS #2

FW #2NAT #3

IPS #3FW #3

FW #1

VRF #2VRF #2

VRF#3VRF#3

VLANs(mapped into VRFs)

VRF #1 VRF #1


NETWORK VIRTUALIZATION TRANSLATION

Service ID

(MPLS Label)Application / Service

Network

Communication

Network

Characteristics

Network

Technology

L2-0001 Storage Network L2 Stretch RSVP-TE VPLS

L2-0101 VMotion POD1 L2 Stretch Low Latency VPLS

L2-0102 VMotion POD2 L2 Stretch Low Latency VPLS

L3-0001Primary Application

ProductionL3 Unicast IP

Policy map to

Services (SRX)L3VPN


Pre-ProductionL3 Unicast IP

Policy map to

Services (SRX)L3VPN


ComplianceL3 Unicast IP

Policy map to

Services (SRX)L3VPN

L3-1001 Business Partner Access L3 Unicast IPPolicy map to

Services (SRX)

L3VPN

Hub and Spoke

M3-0001 Multicast Application L3 Multicast BW constrained P2MP

Simple example of how customers might track application/services to VPLS, L3VPN or

Multicast VPN from within a Data Center management system.


NETWORK VIRTUALIZATION ADVANTAGES

Enables new services/applications onto the

network in a matter of minutes

Configuration changes add segmented applications

without disrupting production services

Supports network segmentation and privacy

Regional-, departmental-, and project-oriented

groups have control over their network assets and

configurations for M&A, and Divestitures

Enhances end-user application experience

Traffic Engineering enables a fine-tuning of the

network to deliver appropriate levels of services

Improve network resiliency

With features like Fast Re-Route – Enabling sub-50

msec reroute to maintain real-time traffic during a

node or link failure

Boost network scalability and performance

Scales for future growth

Seamless Network Connectivity

MPLS

Architecture

Scalable

Enhance User

Experience

Improve Network

Resiliency

Fast and Secure

New Service

Creation

Privacy


AGENDA

1. How to achieve L2/L3 network virtualization

2. Customer Deployment Scenarios

• Inter-Data Center L2 VLAN stretch connectivity

• Multi-Tiered Enterprise Application design

• L3VPN Network Segmentation for applications, business partners, regulatory compliance


NETWORK VIRTUALIZATION DEPLOYMENT EXAMPLES WITH MPLS

Inter-DC L2 Stretch Multi-Tier Applications

Power Generation

Stations

Transmission Distribution

Consumer

Internet

Smart Meter

Converged MPLS-based Network

Juniper Router

Utility Provider

Administrative VPN Network

SCADA/Control System

VPN Network

Juniper Router

Regulatory Compliance

VM1 DB1 DB1 VM2VM2 VM1

VPLS over

MPLS Core

Data Center 1 Data Center 2

MPLS

VLAN

Network Virtualization Layer

MX Series

MX Series

EX 4200

SRX SeriesSRX Series MX Series

DMZ Exnet Web Apps NOC NASAAA

DB

MPLS Services Edge Architecture


INTER-DATA CENTER L2 STRETCH CONNECTIVITY


SERVER LIVE MIGRATION AND MIRRORING SERVICES

VM1 DB1 DB1 VM2VM2 VM1

VPLS over

MPLS Core


DB1 VLAN

VM1 VLAN

DB1 VPLS

VM1 VPLS

MPLS

VLAN

Service Edge Boundary

L2 stretch between Data Centers

VMotion services

DB/Storage mirroring

VLAN to VPLS mapping at

Service Edge boundary

MX Series

MX Series

MX Series

MX Series

EX Series EX Series


MIXED PRIVATE/PUBLIC TRANSPORT WITH PRIVATE MPLS CONFIGURATIONS

Private WAN(Leased Circuits)


Core WAN

Plane A

VPLS Serviceor L2VPN

Core WAN

Plane B

Data Center

Core/Aggregation Layer

MX Series with 16 Port 10GE

Line Card

Suitable for Large Data Center

Inter/Intra-data center transport

over an MPLS super core

With comprehensive MPLS L2/L3

VPN and VPLS feature-set


ENTERPRISE DEPLOYMENT APPLICATIONS

INTERNET/Private IP/MPLS WAN

Corp Core

LAN/WAN

Small

Campus

Optimized for Ethernet Connectivity:

For Corporate, Small Campus and Small

Data Center WAN Ethernet Edge

Top of Rack Router in Large DCs

bringing the power of MPLS

Virtualization & L3 to the Access Layer

Small Data

Center

MPLS Virtualization in the Data Center

WAN Edge

MX80s

WAN Edge

MX80s

WAN Edge

MX80s

Access Layer

MX80s

WAN Edge

M or MX Series


COMPLETE INTRA- AND INTER-DATA CENTER VIRTUALIZATION SCENARIO


L2 Agg

Dom 1Dom 2Dom 3Dom N

VLANs

TOR2 TORs2 TORs2 TORs

VLANAccess

MX SeriesLDP [RSVP]

MPLS Service EdgeVPLS or L3VPN(L2/L3 Boundary)

POD 1

SRX5800

SRX5800

InternetOptional Internet Access

DATA CENTER MPLS / VPLS

10GE LAG

VLAN/VPLS WANInter-DC

MPLS Core or SuperCore

RSVP / TE


SCALING DATA CENTER MPLS / VPLS

SRX5800MX Series

10GE LAG

VLAN/VPLS WANInter-DCInternet

L2 Agg


RSVP / TE

VLANs

LDP

LDP [RSVP]


SRX5800


VLANs


L2 Agg



VLANAccess

POD 1POD N

SRX5800


DATA CENTER MPLS / VPLS WITH VIRTUAL CHASSIS ON MX

SRX5800MX Series

10GE LAG

VLAN/VPLS WANInter-DCInternet

L2 Agg


RSVP / TE

VLANs

LDP

LDP [RSVP]


SRX5800


VLANs


L2 Agg



VLANAccess

POD 1POD N

SRX5800


SUMMARY

Network Virtualization in the Data

Center with MPLS

Enables new services/applications

onto the network in a matter of minutes

Supports network segmentation and

privacy

Enhances end-user application

experience

Improve network resiliency

Boost network scalability and

performance Seamless Network Connectivity

MPLS

Architecture

Scalable

Enhance User

Experience

Improve Network

Resiliency

Fast and Secure

New Service

Creation

Privacy


STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION


Virtualization Server Licenses grew 53% in '08 over prior year IDC Server Virtualization Tracker December 08

MARKET DRIVERS

Installed Base Grows 10x

YE 2012 (58M)YE 2008 (5.8M)VM Penetration of Installed Workloads

Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013

Gartner Dataquest Insight January 09

43% of enterprises with 500+ employees and 26% of SMBs100-499 employees are using server virtualization

Yankee July 09


JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION

Server Virtualization – Before and After

Impact on Networking

Network for Virtualized DC

Feature rich Virtual Switching – VEPA

1

2

3

5


SERVER VIRTUALIZATION – BEFORE

Server

Application

O/S

NIC NIC

Network

Switch

Network

Switch

Application

O/S

NIC NIC

Network

endpoint


Application

Network

Switch

Network

Switch

VM 1 VM 2 VM 3

SERVER VIRTUALIZATION - AFTER

NIC NIC

VEB

Application

1

O/S

Virtual Port

Application

2

O/S

Virtual Port

Application

3

O/S

Virtual Port

Server

Application

O/S

NIC NIC

Network

virtual endpoint

Hypervisor







1

2

3

5


Virtualized

vSwitch

Virtualized

vSwitch

Virtualized

vSwitch

Virtualized

vSwitch

Virtualized

vSwitch

Virtualized

vSwitch

Virtualized

vSwitch

SERVER VIRTUALIZATION: NEW ACCESS LAYER

New challenges

Too many switching elements

Additional switching tiers

Different management tools

for physical and virtual

Change from traditional roles and

responsibilities

VM network state and

policy migration

Unpredictable performance

with software implementations

Virtualized

vSwitch

Control Plane+

Data Plane

New Access Layer (Server admin)

Old access Layer (Network Operator)

Not virtualized


SERVER VIRTUALIZATION - IMPACT ON NETWORKING

Large number of end

points

VM live migration, flexible

VM placement

VM clusters –

Mobility, Fault tolerance,

HA

Additional switching tiers,

switching elements

Change from traditional

roles and responsibilities

Fragmented networks –

lack of network and

security policies

Different management

tools

Feature inconsistency

between physical and

virtual

Unpredictable

performance with

software Vswitches

Lack of “Standards

based” solutions; vendor

lock-ins

NETWORK MANAGEMENT FEATURES







1

2

3

5


NETWORK FOR VIRTUALIZED DATA CENTER

Support Scale

Enable Ubiquitous Resource Pools

Any to any connectivity

Low latency, High speed

Provide flat L2 network

Spanning Tree Protocol (STP)

free design

Simplify network design

Collapse tiers, reduce number of

switching elements

Switching platforms

EX Virtual Chassis

Stratus

Inter-DC L2 Domain Span

MX – VPLS and MAC

VPNs

Security in the DC

SRX and Altor Virtual

Firewall

NETWORK







1

2

3

5


VIRTUAL ETHERNET PORT AGGREGATOR –VEPA-


FEATURE RICH VIRTUAL SWITCHING

VEPA

Virtual Ethernet Port Aggregator

Gains access to external switch

features

− Packet processing (TCAMs,

ACLs, etc.)

− Security features such as: DHCP

guard, ARP monitoring, source

port filtering, dynamic ARP

protection/inspection, etc.

• Enhances monitoring capabilities

− Statistics

− NetFlow, sFlow, rmon, port

mirroring, etc.

Standards Based and

Interoperable Solutions

Built to fully realize the ubiquitous

resource pools and flexible VM

placement

VM state and policy migration

FEATURES


FEATURE RICH VIRTUAL SWITCHING - VEPA

VM1 VM2 VM3

Vswitch

Pswitch

VM1 VM2 VM3

VEPA

Pswitch

Access

Access

Access

VEB / vSwitch VEPA

Evolving open standard IEEE 802.1Qbg

Simple - Bypasses “virtual switches” and

additional tiers in the network. Co-existence

possible.

Open – any server, hypervisor and switch

Scalable – span of VM mobility

Business agility – automated policy

provisioning & migration

Currently deployed

Multiple implementations

No clean, standard handoffs for

signaling VM mobility


BASIC VEPA OPERATION –UNICAST TRAFFIC-


BASIC VEPA OPERATION –MULTICAST TRAFFIC-


CURRENT STATUS OF VEPA

IEEE Atlanta plenary meeting in November 2009 approved two new PARs1. 802.1Qbg – Virtual Bridged Local Area Networks Amendment: Edge Virtual

Bridging (http://www.ieee802.org/1/files/public/docs2009/new-bg-thaler-par-1109.pdf) - includes simple VEPA, multi-channel VEPA and AMPP

2. 802.1Qbh – Virtual Bridged Local Area Network Amendment: Bridge Port Extension (http://www.ieee802.org/1/files/public/docs2009/new-bh-thaler-par-1109-v2.pdf) - covers the original Cisco proposal of VN_Tag or port extender

Juniper will support 802.1Qbg

802.1Qbh - Cisco is currently the proposer and sole supporter!

Control plane signaling in 802.1Qbg is called VDP Juniper is working very closely with industry leading server, NIC and

network equipment vendors to develop a VDP standard by 2H 2010.

http://www.ieee802.org/1/files/public/docs2009/new-bg-thaler-par-1109.pdf









http://www.ieee802.org/1/files/public/docs2009/new-bh-thaler-par-1109-v2.pdf












JUNIPER’S SOLUTIONS LANDSCAPE

Switching within

the server (VEB) ?

VMware Vswitch

vDS

Replace

VMware's

Vswitch

Nexus 1000v

Junos Space

application to

manage vDS

Junos Space

Virtual Control

( Shipping)

Standards

based?

Industry Wide

support?

VEPA

IEEE 802.1Qbg

(2H 2011)

Port Extender

IEEE 802.1Qbh

VNTag

Nexus (1K + 5K)

Integrate virtual

appliances e.g.

Altor firewall

yes no

no yes

yesno


SECURING THE VIRTUAL DATA CENTER


SECURING THE VIRTUAL DATA CENTER

Market Drivers

Security Implications of Virtual Servers

Introducing Altor Virtual Firewall (VF)

What Juniper’s strategy ?

1

2

3


Virtualization Server Licenses grew 53% in '08 over prior year IDC Server Virtualization Tracker December 08

MARKET DRIVERS

Installed Base Grows 10x

YE 2012 (58M)YE 2008 (5.8M)VM Penetration of Installed Workloads

Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013

Gartner Dataquest Insight January 09

43% of enterprises with 500+ employees and 26% of SMBs100-499 employees are using server virtualization

Yankee July 09


SECURITY IMPLICATIONS OF VIRTUAL SERVERS

VIRTUAL NETWORKPHYSICAL NETWORK

VM1 VM2 VM3

ES

X H

ost

Physical Security is “Blind” toTraffic Between Virtual Machines

Firewall/IPS InspectsAll Traffic Between Servers

HYPERVISOR


3. Kernel-based Firewall

APPROACHES TO SECURING VIRTUAL SERVERS:THREE METHODS

VMs can securely share VLANs

Inter-VM traffic always protected

High-performance from

implementing firewall in the kernel

Micro-segmenting capabilities

VM1 VM2 VM3

ES

X H

os

t

FW as Kernel Module

2. Agent-based1. VLAN Segmentation

VM1 VM2 VM3

ES

X H

os

t

Each VM in separate VLAN

Inter-VM communications must

route through the firewall

Drawback: Possibly complex VLAN

networking

Each VM has a software firewall

Drawback: Significant performance

implications; Huge management

overhead of maintaining software

and signature on 1000s of VMs

VM1 VM2 VM3

ES

X H

os

t

FW Agents

HYPERVISORHYPERVISOR HYPERVISOR


VM1 VM2 VM3

ES

X H

os

tALTOR VF

INTRODUCING THE ALTOR VIRTUAL FIREWALL

Hypervisor Kernel Stateful Firewall

Purpose-built virtual firewall

Secure Live-Migration (VMotion)

Security for each VM by VM ID

Fully stateful firewall

VMware “VMsafe Certified”

Tight Integration with Virtual Platform

Management, e.g. VMware vCenter

Fault-Tolerant Architecture

NSM

Juniper SRXJuniper Switch

Network

STRM


VM1 VM2 VM3ALTOR VM

Policy

Logging

Management

ALTOR KERNEL IMPLEMENTATION

Altor built a custom kernel enforcement module in ESX Hypervisor

Packets are forwarded to Altor directly from the Virtual OS

AltorVMsafeKernelModule

VMware DVFilter

VMware vSwitch

Packet / Data

Altor 3.0

Engine

SRX w/IPSPacket / Data

ESX Kernel

VM1 VM2 VM3

VS

ES

X H

os

t

ALTOR VM

Policy

Logging

Management

Altor VF


STRM

INTEGRATION WITH JUNIPER DATA CENTER SECURITY

VM1 VM2 VM3 ALTOR VM

Altor

Center

Altor Virtual Firewall

VMware vSphere

NSMAltor Integration Point

Traffic Mirroring to IPS

Altor Integration Point

Central Policy Management

Network

Juniper SRX with IPSJuniper Switch

Altor Integration Point

Firewall Event Syslogs

Netflow for Inter-VM Traffic

Policies


CUSTOMER USE CASE: VIRTUAL DESKTOPS (VDI)C

hall

en

ge

So

luti

on

Desktops can carry a lot of “dirty” apps

Malware can easily propagate in a virtual environment

from VM to VM and from VM host to host

Access control and worm suppression is

imperative for VDI deployment

Altor VF blocks worm outbreaks in the

virtual environment

Juniper IPS + Altor VF can detect and block

malware in physical and virtual environment


CUSTOMER USE CASE: COMPLIANCEC

hall

en

ge

So

luti

on

Comply with PCI, SOX, FISMA, ISO27001 etc. mandates

to enforce access control, separation of duties

Comply with requirements for reporting and

alerting on access activity

Show the effectiveness of security controls

for audits

Purpose Built Firewalling – Altor’s stateful VF sees all inter-VM traffic, enforces policy on VMs, and

produces detailed reports on traffic, traffic flows

and applied security

Virtual IPS - Altor VF integrates with STRM and NSM to send firewall events, Netflow data and

mirror traffic to Juniper IPS


CUSTOMER USE CASE: VIRTUAL DMZC

hall

en

ge

So

luti

on

DMZ resources span many applications and services

All DMZ resources share an Internet facing

network so security is critical

Partner and customer extranets must be

appropriately segmented and protected

Altor can segment each VM or group of VMs

with unique firewall policies

Security zones are maintained with

NO VLAN changes

presentation title here - dia.uniroma3.itrimondin/courses/rcng1011/slides/rcng_07_virtuali... ·...

Documents