Deep Dive: Network Virtualization
Nitin Mishra, Senior VP, Product Management, Netmagic
Business and IT leaders have been demanding an IT infrastructure that is more dynamic and responsive to the quick pace of business while being less costly. By dynamic they mean the ability to deliver new applications at a speed that keeps pace with market dynamics while creating competitive differentiation.
For many, IT expenditures as a percentage of revenue are to be managed down. To address these industry requirements IT suppliers have offered virtualization technology and services. Network virtualization represents a new IT paradigm, which challenges existing assumptions and IT deployment models.
This article explores network virtualization as a strategy to make corporations more agile and IT expenditure more efficient. Network virtualization is presented as a new approach to network design and IT service delivery. Its four main building blocks are presented along with guiding deployment principles.
The new IT management model
All IT leaders balance expense reduction with business growth initiatives as part of their annual plans. New business growth initiatives usually bring with them funded IT programs designed to seize opportunities. Expense reduction is a business reality independent of the financial condition of the concern, although expense reduction projects are ramped up during financially challenging times. This give and take of growth and expense reduction was born out of the fact that IT has been procured as a fixed asset, meaning that most IT leaders were forced to design IT resources for peak traffic/consumption. This design requirement led IT to over-design infrastructures that remain idle during off-peak periods.
Over the past few years, business and IT leaders have explored a new model for IT service delivery, one that is more agile and strives to scale resources up and down based upon demand. In short, business and IT leaders have been seeking an IT infrastructure that is more responsive to business initiatives and that removes inefficiencies. This would change the current management mantra from balancing expense reduction with business growth initiatives to provisioning services when needed. The technology to deliver this new dynamic IT infrastructure is called virtualization.
Data center design has been the focus of most virtualization projects, as data centers consume the bulk of IT budget spend and exhibit wide utilization swings. Virtualization delivers two main benefits: it makes a single IT asset available to many consumers, or it manages/pools many IT assets as a single resource. For example, a rack of blade servers can be managed as a single server.
An application can be virtualized so that its image is available as a logical entity on many servers, increasing its availability.
Storage area networks are virtualized in an attempt to allocate storage more efficiently, making storage available to many servers. Certain aspects of networking have been virtualized for nearly ten years, such as Virtual Local Area Networks (VLANs), which divide broadcast domains to service many applications, thus increasing performance.
Virtualization is being extended well beyond the data center to the entire enterprise now that virtualization projects have proven their value. In particular, a new generation of network virtualization technologies is available, and these are becoming the new building blocks of network design. Local area network (LAN) physical networking will remain constant, that being the typical three-tier network structure of edge, distribution and core. Wide area network (WAN) physical structure will also remain constant, where a router interfaces to a WAN service such as frame relay, MPLS, broadband connection, private line, etc. What is becoming virtualized is network services such as network security, management, routing, switching, broadcast domains, application intelligence, and so on.
With many network virtualization technologies available, deployment scenarios are as varied as business needs. For example, network virtualization can deliver unique network attributes to each application, to the point where each application behaves as if it has a dedicated network serving its needs, thus increasing application performance. Another important attribute of network virtualization is auto-provisioning, which is the automatic configuration of network devices based upon application demand.
Network virtualization will detect the application initiation and configure VLANs, quality of service and other network attributes to support the application, scaling network assets both up and down without operator intervention. The benefits of network virtualization are many, including revenue generation, expense reduction and increased customer satisfaction, to name a few. For those who have deployed network virtualization, the returns have been large and the experiences mostly positive. This has prompted many business and IT leaders to demand that virtualization be included in annual IT plans.
What is network virtualization?
Network virtualization delivers increased application performance by dynamically maximizing network asset utilization while reducing operational requirements. There are many aspects of network virtualization such as virtualized dual backbones, virtualized networks, network service virtualization, virtual service orchestration, network I/O virtualization, network hosted storage virtualization, etc. All of these network virtualization technologies can be thought of as building blocks as network virtualization represents a new way to design corporate networks and allocate resources within them.
These building blocks can be deployed one at a time or layered to add value based upon business need. In fact, each building block satisfies specific business needs; this is discussed below. Network virtualization bridges the gap between the network as a hardware-based connectivity service and the network as a business platform delivering a wide range of IT services and corporate value. The following section details four building blocks and highlights the business value delivered to business and IT management.
Virtualized Dual Backbone
One of the first building blocks is the virtualized dual backbone. The virtualized dual backbone increases performance and reduces administration. A dual backbone is a completely redundant backbone network design. Building and campus networks utilize a dual backbone design to ensure that paths between end-points, data centers, and wide area and Internet connections are always available. The dual backbone design is a nearly fully redundant backbone based upon redundancy at the edge, distribution and core tiers of a network. At the network edge, both wireless LANs and dual wired LAN connections provide alternative paths between end-points and network access.
There are redundant edge, distribution and core LAN switches along with their interconnections, which eliminate any single point of failure. The dual backbone network is common in large corporations and provides highly available network operation. While dual backbones provide high reliability, the design can be improved upon. For example, there are multiple devices and control protocols to manage and troubleshoot, such as spanning tree and VRRP (Virtual Router Redundancy Protocol). To recover from a distribution switch or link failure, failover convergence times can be long, measured in seconds, which can interrupt application flow and performance. Further, redundant links between switches that run spanning tree protocol are used only in standby mode, which underutilizes these expensive resources.
Further, the fact that dual backbones provide redundant switches is both a high availability feature and an operational chore requiring network operations to manage each switch separately.
Virtualizing switches and links can optimize the dual backbone network. New switch virtualization modules allow switches to be pooled and managed as one virtual system, simplifying network operations. In short, multiple switches are managed as one. Further, inter-switch links using multi-chassis EtherChannel eliminate spanning tree and/or VRRP, reducing convergence time to below 200ms while preserving network state information. These two virtualization aspects eliminate application disruption in the event of a switch failure, thus increasing performance. In addition to increased network reliability and simplified network operations, a virtualized dual backbone fully utilizes network capacity by activating all available bandwidth and enabling link aggregation for server NIC (Network Interface Card) teaming across redundant data center switches. The figure below illustrates the virtual dual backbone network.
The value of the virtualized dual backbone to business and IT leaders is threefold. First, network operations are simplified during configuration and ongoing management, as network devices are managed as a pooled entity and the number of control protocols is reduced. Second, overall network and application uptime is improved because virtualized switches are connected so that, in the event one device fails, there will be nearly no downtime. Third, network capacity is increased, as all inter-switch and server links are utilized and maximized.
Network Service Virtualization
Another building block is network service virtualization. While all of the building blocks can be deployed in isolation, network service virtualization is an excellent strategy to consolidate multiple appliances into one, simplifying network operations and reducing acquisition cost. Network Service Virtualization (NSV) virtualizes a network service, for example a firewall module or IPS software instance, by dividing the software image so that it may be accessed independently by different applications, all from a common hardware base. NSV removes the need to acquire a separate device every time the network service is required, by running the software instance from the same physical hardware.
NSV is the natural evolution of network service delivery and packaging. Network security provides an excellent example of this trend. To protect networks and systems from attack, or to minimize the effects of an attack, adaptive threat defense technology is evolving in two complementary directions: vertical integration and virtualization. The vertical movement toward adaptive threat defense increasingly integrates firewalls, IPS systems, VPNs (both IPsec and SSL), etc., into one appliance. This integration allows for greater software collaboration between security elements, lowers the cost of acquisition and streamlines operations. For example, alarms raised by the IPS function inspecting VPN flows could cause the firewall software to take action and change its rules to block the VPN flow.
In addition to network security software collaboration, virtualizing network security software extends its reach and an IT organization’s defenses.
The value of NSV to business and IT leaders is threefold. First, management interfaces are more flexible, as network operations has the option to manage many network service instances as one, or each instance may have its own separate management interface. The latter is useful because network operations processes, procedures and management interface familiarity remain the same even though the network service has been virtualized. Second, acquisition cost is reduced, as network service delivery moves from a physical device to a software image, extending its reach without the need to deploy specialized hardware for every instance in which the network service is required. Third, as alluded to in the first two points, a network service can be extended more easily and effectively as a virtualized entity, thus increasing application performance.
Virtualized Networks
The Virtualized Networks (VN) building block partitions a network into multiple isolated logical networks with unique attributes such as routing, switching, independent policies, quality of service, bandwidth, security, etc. VN is a one-to-many class of virtualization: it divides a common network into many different logical partitions. These logical network partitions are as varied as the businesses they support. For example, users may be segmented into corporate employees, contractors/consultants and/or guests. These classes of users are further associated with logical partitions, which may be segmented by department, partner, supplier, a newly merged corporate entity, a department segregated from an organization due to regulatory compliance requirements, or even specific applications.
VN builds upon network switching and routing features and delivers attributes not attainable previously with the same hardware devices. In short, VN provides secure logical isolation for users, applications and/or departments on an end-to-end basis throughout a corporate network. VN’s logical isolation of networks allows business and IT leaders to protect assets, consolidate infrastructure, and adhere to regulatory requirements.
The VN Architecture
The VN architecture is made up of three major components. The first VN component controls network access and segments classes of users. Users are authenticated and authorized, and are either allowed into a logical partition or denied. Users are segmented into employees, contractors/consultants and/or guests, each with their respective access to IT assets. In short, this component identifies the users that are authorized to access the network, then places them into the appropriate logical partition. The second architectural component isolates paths within the network, which preserves network isolation across the entire enterprise from edge to campus to WAN and back again. This component keeps traffic partitioned over a routed infrastructure and transports traffic over and between isolated partitions. The function of mapping isolated paths to virtual LANs and to virtual services is also performed in component two.
The third and last component, called virtual services, provides access to shared or dedicated network services such as DHCP, DNS, IP telephony call management, etc., and applies policy per partition and isolates application environments if required. There are multiple business applications for VN across the economy. For example, by consolidating multiple WAN networks into one VN, retail companies are able not only to significantly reduce their WAN charges but also to turn them into profit centers. In addition, retailers are able to experiment with new services and quickly add the most promising ones, measured in days versus many months.
Virtual Service Orchestration
As services become virtual, with the goal of businesses being to scale IT capacity both up and down to meet demand, orchestration of resource provisioning becomes central to this goal. The above three building blocks address network infrastructure virtualization, which improves network behavior and cost for existing applications. Virtual Service Orchestration (VSO) redefines IT service delivery by virtualizing the relationship between computing, storage and networking.
VSO provides an abstraction between the physical infrastructure and the applications running on that infrastructure. VSO will ultimately allow much greater flexibility in the choice, management, and provisioning of resources to better support changing business applications. One of the requirements for end-to-end service orchestration is the creation of virtual service elements. Each service element is an abstraction of a physical element that carries the entire configuration relevant to a particular application service.
The benefit of this approach is that physical resources can be pooled and used on an as-needed basis. Physical infrastructure need no longer be over-provisioned to meet peak demand or 1:1 high availability requirements. The same physical resources can be used across all application services, thereby reducing capital expenditures.
For example, when a physical server fails, VSO is able to detect it, pick another server from a spare server pool and replace the failed server. The storage and network configurations required to bring in the new server are applied automatically. Some VSO implementations follow a remote boot model: the OS image of the original server is applied to the new server, so that to the outside world the new server appears identical to the failed server.
The Drivers for Network Virtualization
While organizations may have initially considered deploying network virtualization to garner cost savings (associated with the adoption of off-the-shelf hardware), the adoption has been ramping due to the need of the network to support the fast pace and scale of today’s environments.
The demands on the network are growing exponentially, with the explosion of users, devices and apps requiring resources. Network virtualization gives organizations a way to keep up. The ability to quickly deploy, change and move network resources allows organizations to scale their networks to meet changing demands. It also provides the flexibility required by the underlying infrastructure to support applications as they move from legacy client-server models to being delivered in the cloud as software as a service (SaaS) offering.
Overall, network virtualization helps the network better integrate and align with the highly virtualized storage and compute resources it is connecting, delivering quick provisioning, improved resource utilization and operational efficiencies.
Benefits of Network Virtualization
In a recent survey conducted by SDxCentral on network virtualization, an overwhelming 77% of respondents picked flexibility as the main reason for opting for network virtualization, 68% picked scalability, 52% picked operational cost savings and 31% picked cost savings.
The survey also found that the data center continues to be where organizations (48%) deploy network virtualization solutions, followed by private clouds (21%), hybrid clouds (16%) and public clouds (9%).
Network virtualization solves a lot of the networking challenges in today’s data centers, helping organizations centrally program and provision the network, on-demand, without having to physically touch the underlying infrastructure.
With NV, organizations can quickly provision (in a matter of minutes versus hours/days), move and scale the network to meet the ever-changing needs of the highly virtualized compute and storage infrastructures. In a world where agility is critical to being competitive, the ability to quickly make adjustments to support the business and optimize the overall experience improves the network’s time-to-value.
NV makes it easy to support micro-segmentation and multi-tenancy, which gives organizations ultimate flexibility in how they organize and manage their environment. Organizations can have multiple silos and virtual networks, even using the same IP space, running over the same physical links. The benefits span from operations (allowing networks to be managed independently from a centralized location) to security (keeping resources separate, applying controls such as firewalls for each and every application in a data center, and helping contain attacks).
Modifications to the network’s topology or how traffic is handled can be tried in different ways, without having to modify the existing physical networks. For example, the endpoints can all run a modified networking stack, with new protocols tunneled through existing physical legacy networks, without impacting existing networks.
Current network topologies are rigid and prone to all kinds of problems. Overlay networks can help organizations avoid the limitations that come with VLANs, which can only support 4096 isolated networks: an overlay provides a 24-bit virtual network identifier (VNI) that supports 16 million virtual networks.
Network virtualization ensures organizations can deploy the network resources whenever and wherever they need them. In addition, they can add capacity to make sure the network delivers the performance and reliability demanded of their environment. There is the ability to save and restore network topologies and configurations, via snapshots, check pointing, and rollbacks, to support faster recovery from both bad configuration decisions and equipment failures in disaster recovery situations.
Operational Efficiencies/Costs Savings
Being able to centrally manage the distributed network has a lot of inherent benefits. In the future, as we see even more convergence between virtualization and cloud management, we can expect the benefits to compound. One of the main reasons NV is so efficient is that any changes made to the physical underlay network do not impact the virtual overlay, removing a lot of the time and complexity required to deploy, manage and maintain traditional networks. Virtual machines (VMs) can be moved around without impacting the flow of traffic; there is no need to manually reconfigure physical links or endpoint settings.
In addition, organizations can take advantage of "templateized" deployments of standard application stacks, with built-in networking topologies, enabling error-free, fast roll-outs, as well as pre-checks to ensure the deployment supports compliance efforts and uses networking best practices. Organizations can also save significant time by automating the set-up of service chains, within both Layer 3 and Layer 4-7 services, and accelerating the roll-out of services such as firewalls, IPS, etc. (particularly as the network is increasingly micro-segmented).
In addition to the capital savings associated with replacing costly, proprietary solutions with off-the-shelf, general-purpose hardware, organizations can benefit from overall improved resource utilization. The higher density of multiple virtual networks improves utilization, without running into IP subnet or VLAN conflicts. It also delivers subsequent operational cost efficiencies, associated with less real estate, power, cooling, etc.
Network Virtualization Use Cases
Some of the most common deployment scenarios and use cases for network virtualization can be found in the data center and campus/branch virtual networks:
Data Center Virtual Networks
Organizations are looking to create and manage multiple, isolated virtualized networks to support the needs of their different customers/clients, lines of business and/or departments. These virtualized networks can simultaneously handle multiple tenants, while keeping traffic and management controls separate between tenants.
Micro-Segmentation of the Data Center
With NV, organizations can deploy controls (firewall functionality) that segment the network and manage access to resources across different tenants within the data center network. Organizations can even segment the network to control access to individual apps.
Data Center Refreshes
As organizations look to upgrade their infrastructure to support new, more agile business models, they are looking to deploy NV solutions that can help them spin up and scale virtual workloads.
Centralized Management of the Distributed Network
Organizations are looking to create an overlay that spans all their branch locations to give them centralized visibility and control over network traffic. The overlay streamlines the organization's ability to apply unified policies, automate campus and branch network operations, and maximize the utility of network resources.
Infrastructure as a Service
Cloud and service providers are offering on-demand network function services (e.g. virtual routers or virtual L4-7 functions) that customers can scale up or down as needed to move workloads to the cloud.
Approaches to Network Virtualization
The market is still early, marking a critical evolutionary step for the communications infrastructure that is relied on by almost everyone and everything. There are a number of vendors, new and old, who are each working to deliver what they see as the optimal network virtualization (NV) offerings. There are some that believe changes should be driven by the network, itself, while others feel the applications should be the main influencing factor. It is too early to tell which approach will win, which will lose or which will morph into something yet to be defined.
The approaches that vendors are taking are heavily dependent on where the NV solutions are going to be deployed. As noted earlier, many organizations are deploying NV solutions within their data center environments, followed by private, hybrid and public cloud environments. In addition, there are vendors specializing in offering solutions for infrastructure as a service (IaaS) or WAN deployments.
Network Virtualization in the Data Center
There are really two main approaches to data center deployments:
Directly programming the fabric
This approach takes explicit control over the switches, creating and coordinating the virtual networks by directly programming the virtual switch and physical switches. Typically this approach requires customers to upgrade all their physical switches to support the appropriate protocols; a flow-control protocol, or a vendor's proprietary protocol, will be used to manage the network.
Developing a network overlay
There are a variety of ways in which an overlay network is accomplished; the most common is to modify or replace the virtual switch. In some cases, kernel modules are inserted into the hypervisor (most commonly with KVM as the hypervisor). In situations where the virtual switch cannot be replaced and the hypervisor is proprietary, vendors may choose to use a VM running a virtual switch instance as the terminating point for virtual networks.
In the overlay approach, multiple encapsulation protocols are available, ranging from straight GRE and IPsec to NVGRE, STT and VXLAN, among others. Currently, VXLAN is dominant in the market, with support within many physical switches and hardware-based Layer 4-7 devices. Generic Network Virtualization Encapsulation (GENEVE), which was proposed in February 2014 as the uber-encapsulation protocol, had some uptake initially, and interest waned after. It is the key encapsulation protocol in the new OVN (network virtualization on Open vSwitch) project, and that may drive renewed interest.
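As an added example (not code from the article or any vendor mentioned in it), the following Python builds and parses the two identifiers the text contrasts, the 12-bit 802.1Q VLAN id and the 24-bit VXLAN VNI (RFC 7348), and models a receiving VTEP that demultiplexes two tenants reusing the same inner IP space over one physical link. It serves both the VLAN-limit point made under Benefits of Network Virtualization and the VXLAN encapsulation described here; the tenant names, VNIs and addresses are constructed sample values, and the inner frame is a simplified stand-in for a real Ethernet frame.

```python
import struct

VLAN_ID_BITS = 12
VXLAN_VNI_BITS = 24
VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN (outer header, not modelled)
VXLAN_FLAG_I = 0x08     # RFC 7348 "I" flag: header carries a valid VNI


def usable_vlan_ids() -> int:
    """VID 0 (priority tag only) and 4095 are reserved: 4094 of 4096 usable."""
    return (1 << VLAN_ID_BITS) - 2


def vxlan_vni_count() -> int:
    """A 24-bit VNI gives 16,777,216 distinct virtual networks."""
    return 1 << VXLAN_VNI_BITS


def build_dot1q_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """TPID 0x8100 followed by TCI = 3-bit PCP | 1-bit DEI | 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN id {vid} outside usable range 1..4094")
    return struct.pack("!HH", 0x8100, (pcp << 13) | (dei << 12) | vid)


def parse_dot1q_vid(tag: bytes) -> int:
    """Extract the 12-bit VID from an 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tag")
    return tci & 0x0FFF


def build_vxlan_header(vni: int) -> bytes:
    """RFC 7348 layout: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << VXLAN_VNI_BITS):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI. A header with the I flag clear carries no valid VNI
    and RFC 7348 requires the receiver to drop it; reserved bits are ignored."""
    first, second = struct.unpack("!II", hdr[:8])
    if not (first >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    return second >> 8


def encapsulate(vni: int, inner_src: str, inner_dst: str, payload: bytes) -> bytes:
    """Simplified VXLAN PDU: header + toy inner frame 'src>dst|payload'.
    Real VXLAN carries a whole Ethernet frame; the toy keeps the example short."""
    return build_vxlan_header(vni) + f"{inner_src}>{inner_dst}|".encode() + payload


def vtep_receive(served_vnis: dict, pdu: bytes) -> tuple:
    """Model of a receiving VTEP. served_vnis maps VNI -> tenant segment.
    Frames with an unknown VNI are dropped, which is the mechanism that
    keeps one tenant's traffic out of another tenant's segment."""
    try:
        vni = parse_vxlan_header(pdu)
    except ValueError as exc:
        return ("drop", str(exc))
    tenant = served_vnis.get(vni)
    if tenant is None:
        return ("drop", f"VNI {vni} not served by this VTEP")
    src, rest = pdu[8:].split(b">", 1)
    dst, payload = rest.split(b"|", 1)
    return ("deliver", tenant, src.decode(), dst.decode(), payload)


def demo() -> list:
    """Two tenants reuse 10.0.0.0/24 on one link; only the VNI tells them apart."""
    served = {5001: "tenant-A", 5002: "tenant-B"}      # constructed sample VNIs
    link = [                                           # constructed sample traffic
        encapsulate(5001, "10.0.0.5", "10.0.0.9", b"A-data"),
        encapsulate(5002, "10.0.0.5", "10.0.0.9", b"B-data"),
        encapsulate(5003, "10.0.0.5", "10.0.0.9", b"stray"),   # VNI not served here
        bytes(8) + b"10.0.0.5>10.0.0.9|noflag",                # I flag clear
    ]
    return [vtep_receive(served, pdu) for pdu in link]


if __name__ == "__main__":
    print(f"usable VLAN ids: {usable_vlan_ids()}, VXLAN VNIs: {vxlan_vni_count()}")
    for result in demo():
        print(result)
```

The two "deliver" results show identical inner addresses landing in different tenant segments, while the stray VNI and the malformed header are dropped at the VTEP rather than leaking across segments.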
Laying down the principles for the building blocks to work for your organization
Network virtualization puts powerful tools in the hands of business and IT leaders to create a dynamic and agile IT infrastructure that responds and scales to business needs. The network virtualization deployment cycle will be deliberate and staged over time regulated by business requirements. The IT industry is at the beginning of a long virtualization cycle with many IT suppliers adding network virtualization building blocks over time. The four building blocks mentioned above can be independently deployed based upon business need and operational staff ability.
Network architecture is the bridge between business strategy and evolution. The best way to think about the new design rules for network virtualization is through the use of guiding principles. The following seven design principles are offered to transform your network into a network business platform:
Principle One: Re-Think IT Service Delivery
During application development meetings and initiatives, review the service delivery process and explore how VSO and the other building blocks may be applied to the task at hand. IT executives should strive to move away from the laborious process of traditional service delivery, which over-designs IT infrastructure for peak traffic, toward a dynamic IT infrastructure: one that is responsive to business needs in near real time, and that can bring up applications in days versus months thanks to network virtualization.
Principle Two: Think Dynamic Auto-Provisioning
Network virtualization delivers auto-provisioning of services via template-based solutions and rules, which accelerate application delivery and management. The key here is to think about how all the parts of an application (compute, storage, networking, security, load balancing, etc.) can be dynamically provisioned via rules and allocated based upon demand, versus the status quo of tweaking, configuring and optimizing infrastructure.
Principle Three: Question New Appliance Deployments
When a new network service is required, consider virtualized network services first, before deploying another physical appliance. This will reduce dependence on appliances over time, and their associated high total cost of ownership, while allowing IT to implement NSV on an as-needed, event-driven basis.
Principle Four: Look to Pool Network Device Management
IT leaders should consider opportunities where pooled network devices can be configured, monitored and troubleshot as one. This will reduce operational cost and workload as well as increase network availability. Principle four strives to reduce the number of physical devices to be managed by virtualizing their image for network operations.
Principle Five: Consolidate Multiple Networks Into a Common Network Separated by Logical Isolation
For scenarios where multiple wide area networks exist, principle five, and VN in particular, offers an attractive alternative: the consolidation of multiple networks and their associated cost into a common network that logically isolates the collapsed networks. It is not uncommon in retail scenarios for revenue to be generated while network cost is reduced and service cost avoided. Principle five recommends logical isolation versus the deployment of a new network.
Principle Six: Utilize All Network Resources
Before upgrading inter-switch links and overall network and backplane capacity consider the deployment of the virtual dual backbone to capture unused and static network capacity while in the process providing a more flexible and reliable network.
Principle Seven: Think Network Virtualization
As many corporations are in the process of a network refresh, now is the time to consider the various network virtualization building blocks. The value of network virtualization will be realized on many fronts, including financial payback, but more importantly from an overall corporate value perspective, by enabling an organization to be more responsive to business pressures and opportunities. For every IT project that includes a network component, network virtualization should be included on the agenda for consideration.
IT leaders try to balance expense reduction with business growth initiatives as part of their annual plans. Network virtualization offers the promise to decrease the slope of IT expenditures, which would be favorable when compared to increasing revenue. Network virtualization is a new organizing principle for business and IT leaders that will have a material effect on corporate operations.