(Part I) Network Virtualization
This is the first part in the series of posts dedicated to network virtualization and path isolation.
Virtualization is a technique of simulating a hardware device by using software, usually on standard x86 CPU based servers. Hardware devices that are being virtualized are (in the order from most common) servers, firewalls, switches and routers. Almost all devices that you can think of can be virtualized, we listed the most common ones used within network operations. By using virtualization, we are able to run multiple virtual instances (virtual contexts) of a device, in the same way like we would run “real” hardware devices. Each of these virtualized instances is, of course, running independently and usually operating with separate configuration, enabling separation by purpose. Virtual instances are usually running as multiple contexts on specialised, virtualization enabled device or as Virtual Machines (VMs) on a Hypervisor platform like VMWare of Hyper-V.
Network Virtualization is part of above explained virtualization. It is virtulization of networking devices. We are using network virtualization with VLANs on switches to enable multiple broadcast domains (LAN segments) to be connected on one single switch. We are doing the same thing on layer 3 with enabling the router to run multiple routing instances by implementing VRF configuration on it. With VRF we are splitting the router into multiple routers, with VLANs we are splitting switch into multiple switches. We are doing this with the use of software but only on specialized hardware devices that are virtualization enabled.
There are two network elements we can virtualize
Network virtualization can be as simple as running firewall on a VMWare host. In this case we are just skipping the usage of real hardware appliance for firewalling task.
Things can get more complex with requirements for path isolation. Different categories of traffic then need to use same physical devices and their interconnections and have complete data communication isolation between them. Here we are in a situation where we will need to virtualize not only the above mentioned firewall but also router forwarding plane and interconnections between network devices.
Ok that’s it! We can not only virtualize network devices but the paths between them to. Let’s see what that means.
Enabling virtualization on a switch, we are logically splitting the device into two or more devices (that share same hardware) and deciding which switch port will be used by which instance. Popularly known as VLAN or Virtual LAN.
By configuring multiple VRF (Virtual Routing and Forwarding) instances on a Router we are enabling our routing device to run multiple routing tables (separate RIB and FIB instances). Deciding which router port will forward traffic using one of the tables for decision making, we are actually running multiple routers on one hardware router. We split the router.
Virtualization of the interconnections can be done as a single-hop virtualization. The best example here is the trunk link connecting two Ethernet switches. Using trunk link to interconnect the switches means usage of 802.1q VLAN tagging of all packets getting across from one switch to another. It further means that we can expand VLANs from one switch to another and use only one interconnection to do that. Without trunk, every VLAN that needs to be expanded to another switch would need a separate interconnection with access ports dedicated to that VLAN on both sides.
Multi-hop interconnection virtualization can be done with GRE tunnel. In this case we can build a tunnel from one edge device, across the network of hundreds of nodes, to another edge device. They will logically seem to be directly connected across this GRE tunnel. GRE tunnel in this case is an isolated path for those two devices to use exclusively.
When looking at hardware, the thing is..
Networking devices are forwarding traffic with specialized chipset (ASIC network processor) which cannot be simulated with software (at least not good enough). Virtualization is enabled by software but also uses advance hardware chipset capability to be accessed and controlled directly from virtual context. In this case, hardware chipset needs to be aware of how to work with virtualization layer to make this possible. This is why virtualization is not actually powered only by software but with combination of hardware and software.
In server virtualization, the so-called hypervisor world, processor (CPU) have advanced virtualization technologies called Intel “VT-x” for Intel and “AMD-V” for AMD. They are enabling the Virtual Machines running on hypervisor to access CPU directly in some cases thus accelerating the Virtual Machine operation.
In the networking world, related to hardware, we have so called DPDK firstly supported on Inter x86 processor. It is a driver, or driver set, which enables fast packet processing in CPU effectively enabling networking operation on standard server faster.
Open vSwitch from Nicira/VMWare is doing something with smart algorithm and part with DPDK to get even better performance of packet switching from one interface to another using standard server processors.
Standard server processors are in focus as they enable us to run networking devices without specialized hardware appliance from networking vendor. In this case we just install additional software on standard server making appliance out of it or deploying a Virtual Machine on a hypervisor which supports DPDK or some kind of acceleration for packet manipulation.
In this way we get more flexibility, less power consumption and better overall resource usability with same or less in price. At this time, specialized networking appliances are still needed for high-end network devices which need cutting edge performance but more and more devices like firewalls and smaller datacenter routers are pushed into virtual environment.
Read the whole series about Path Isolation techniques: