NETWORK VIRTUALIZATION. Fabio Bellini Systems Engineer

Transcription

1 NETWORK VIRTUALIZATION Fabio Bellini Systems Engineer

2 VIRTUALIZATION TECHNOLOGIES Server Virtualization Segmentation of physical servers into multiple OS instances. Vmware, XenSource, Microsoft Hyper-V, Oracle OVM, IBM Power-V, RedHat KVM Desktop Virtualization Complete management of offline user desktops with remote access and local use modes Vmware View, Microsoft TermServ NG (Kidaro), Citrix Presentation Server, RingCube vdesk, MokaFive Application Virtualization Autonomous execution of application sharing common libraries for easier maintenance and lower risk Microsoft SoftGrid, Vmware ThinApp, Altiris, XenApp, AnandTech Storage Virtualization Abstraction of physical storage from logical storage, enables quick data replication, and lower data loss risk Netapp, EMC, Stor I/O Virtualization Consolidation of IO Interface types into fewer high capacity interfaces Xsigo, Brocade NextIO Network Virtualization 2 Copyright 2009 Juniper Networks, Inc.

3 NETWORK VIRTUALIZATION 1 Network Virtualization Across Data Center 2 Strategy and Solution for Server Virtualization 3 Securing the Virtual Data Center 3 Copyright 2009 Juniper Networks, Inc.

4 NETWORK VIRTUALIZATION 4 Copyright 2009 Juniper Networks, Inc.

5 AGENDA 1. How to achieve L2/L3 network virtualization 2. Customer Deployment Scenarios Inter-Data Center L2 VLAN stretch connectivity Multi-Tiered Enterprise Application design L3VPN Network Segmentation for applications, business partners, regulatory compliance 5 Copyright 2009 Juniper Networks, Inc.

6 DRIVER FOR NETWORK VIRTUALIZATION Establish traffic segmentation and improve privacy Increase network resiliency Improve network scalability and performance Improve security Rapidly deploy new services and applications Improve end user application performance Adhere to regulatory compliance 6 Copyright 2009 Juniper Networks, Inc.

7 NETWORK VIRTUALIZATION COMPONENTS Device Partitioning 1 : N Network Communication N : M Logical Systems VLAN VLAN VLAN MPLS Virtualization with MPLS VLAN VRF IRB Virtual Routers Virtual Bridging Logical Systems JCS1200 L3 VPN (MPLS, GRE, IPsec) L2 VPN (VPLS, Pseudo-wires, 802.1q) Circuit to Packet (TDM, Serial, etc. to IP) Device Aggregation N : 1 Virtual Chassis Virtual Chassis Multi-Chassis LAG TX Matrix JCS Copyright 2009 Juniper Networks, Inc.

8 VIRTUALIZATION ATTRIBUTES Adapt easily to changing business needs Scalable Rapidly increase throughput and ports Allow separation of Applications and Architecture Flexible Transparent High-Performance MX Series Cloud Hardware and software resiliency i.e. NSR and ISSU Resilient Secure Traffic Segmentation Application Security 8 Copyright 2009 Juniper Networks, Inc.

9 NETWORK VIRTUALIZATION TECHNOLOGIES Service Virtualization L2VPN L3VPN VPLS L2 Point-to-Point Privacy L3 Multipoint-to Multipoint MPLS Traffic Engineering Scalability L2 Point-to-Multipoint Resiliency Improves layering of services using secure virtual connectivity System Virtualization (Many-to-One) Resiliency Simplifies Configuration Virtual Chassis Service Scalability Physical Port Scalability Improves resiliency, scalability and manageability Device Virtualization (One-to-Many) Virtual Router Scalable Routing Separation VRF lite Routing Separation Logical Systems Routing and Management Separation Bridge Group Simplifies Configuration Virtual Switch Scalable Switching Separation Improves device utilization and manageability Link Virtualization VLAN LAG GRE MPLS LSP Traffic Segmentation Priority Scale Bandwidth Resiliency Tunnel non-ip traffic Traffic Segmentation Priority Improves Link utilization, scalability and resiliency 9 Copyright 2009 Juniper Networks, Inc.

10 THE MPLS NETWORK VIRTUALIZATION SOLUTION Shared physical network No compromises MPLS enables one physical network to be configured and operate as many separate virtual networks L2 or L3 VPN services RELIA Easily BLE add new applications or networks SECU RE Simply manage bandwidth needs New acquisitions and various applications can be added to the network via MPLS VPNs Each subsidiary or application is allowed to operate as though each has a private network over a cost effective shared infrastructure MPLS allows for optimal utilization of network bandwidth Allocation per service/application while maintaining latency requirements for critical applications The Result: Diverse needs of business units are satisfied with virtualized networks that cost less and effectively scale to support the largest enterprises 10 Copyright 2009 Juniper Networks, Inc.

11 DATA CENTER SERVICES EDGE WITH MPLS MX & M Series MX Series Powerful, reliable routers for the edge L2/L3 Boundary Low latency and scalable multicast Network Virtualization Boundary MX in Core & WAN FW #3 IPS #3 NAT #3 FW #2 IPS #2 FW #1 SRX5800 EX8216 VRF#3 VRF #2 VRF#3 VRF #2 VRF #1 VRF #1 VLANs (mapped into VRFs) Enterprise Services Edge: Cloud/Application Segments - L3 VPN VLAN extensions VPLS TDM replacements over IP WAN Regulatory compliance MPLS, VPLS extend VLANs enabling mobility EX Copyright 2009 Juniper Networks, Inc.

12 NETWORK VIRTUALIZATION TRANSLATION Service ID (MPLS Label) Application / Service Network Communication Network Characteristics Network Technology L Storage Network L2 Stretch RSVP-TE VPLS L VMotion POD1 L2 Stretch Low Latency VPLS L VMotion POD2 L2 Stretch Low Latency VPLS L L L Primary Application Production Primary Application Pre-Production Primary Application Compliance L3 Unicast IP L3 Unicast IP L3 Unicast IP L Business Partner Access L3 Unicast IP Policy map to Services (SRX) Policy map to Services (SRX) Policy map to Services (SRX) Policy map to Services (SRX) L3VPN L3VPN L3VPN L3VPN Hub and Spoke M Multicast Application L3 Multicast BW constrained P2MP Simple example of how customers might track application/services to VPLS, L3VPN or Multicast VPN from within a Data Center management system. 12 Copyright 2009 Juniper Networks, Inc.

13 NETWORK VIRTUALIZATION ADVANTAGES Enables new services/applications onto the network in a matter of minutes Configuration changes add segmented applications without disrupting production services Supports network segmentation and privacy Regional-, departmental-, and project-oriented groups have control over their network assets and configurations for M&A, and Divestitures Privacy Scalable MPLS Architecture Enhance User Experience Enhances end-user application experience Traffic Engineering enables a fine-tuning of the network to deliver appropriate levels of services Improve network resiliency With features like Fast Re-Route Enabling sub-50 msec reroute to maintain real-time traffic during a node or link failure Boost network scalability and performance Scales for future growth Fast and Secure New Service Creation Improve Network Resiliency Seamless Network Connectivity 13 Copyright 2009 Juniper Networks, Inc.

14 AGENDA 1. How to achieve L2/L3 network virtualization 2. Customer Deployment Scenarios Inter-Data Center L2 VLAN stretch connectivity Multi-Tiered Enterprise Application design L3VPN Network Segmentation for applications, business partners, regulatory compliance 14 Copyright 2009 Juniper Networks, Inc.

15 NETWORK VIRTUALIZATION DEPLOYMENT EXAMPLES WITH MPLS Inter-DC L2 Stretch Multi-Tier Applications VPLS over MPLS Core MX Series MPLS SRX Series MX Series MX Series SRX Series VLAN EX 4200 Network Virtualization Layer VM1 VM2 DB1 DB1 VM1 VM2 Data Center 1 Data Center 2 AA DMZ Exnet Web Apps DB NOC NAS A MPLS Services Edge Architecture Regulatory Compliance Transmission Distribution Power Generation Stations Internet Juniper Router SCADA/Control System VPN Network Utility Provider Administrative VPN Network Converged MPLS-based Network Consumer Smart Meter Juniper Router 15 Copyright 2009 Juniper Networks, Inc.

16 INTER-DATA CENTER L2 STRETCH CONNECTIVITY 16 Copyright 2009 Juniper Networks, Inc.

17 SERVER LIVE MIGRATION AND MIRRORING SERVICES VPLS over MPLS Core L2 stretch between Data Centers VMotion services DB/Storage mirroring VLAN to VPLS mapping at Service Edge boundary MX Series MX Series MPLS Service Edge Boundary MX Series VLAN MX Series EX Series EX Series VM1 VM2 DB1 DB1 VM1 VM2 Data Center 1 Data Center 2 DB1 VLAN VM1 VLAN DB1 VPLS VM1 VPLS 17 Copyright 2009 Juniper Networks, Inc.

18 MIXED PRIVATE/PUBLIC TRANSPORT WITH PRIVATE MPLS CONFIGURATIONS Core WAN Plane A Private WAN (Leased Circuits) Suitable for Large Data Center Inter/Intra-data center transport over an MPLS super core With comprehensive MPLS L2/L3 VPN and VPLS feature-set Core WAN Plane B VPLS Service or L2VPN Data Center Core/Aggregation Layer MX Series with 16 Port 10GE Line Card Data Center 1 Data Center 2 18 Copyright 2009 Juniper Networks, Inc.

19 ENTERPRISE DEPLOYMENT APPLICATIONS Small Data Center Corp Core LAN/WAN WAN Edge MX80s WAN Edge MX80s Small Campus WAN Edge M or MX Series INTERNET/Private IP/MPLS WAN WAN Edge MX80s MPLS Virtualization in the Data Center Access Layer MX80s Optimized for Ethernet Connectivity: For Corporate, Small Campus and Small Data Center WAN Ethernet Edge Top of Rack Router in Large DCs bringing the power of MPLS Virtualization & L3 to the Access Layer 19 Copyright 2009 Juniper Networks, Inc.

20 COMPLETE INTRA- AND INTER-DATA CENTER VIRTUALIZATION SCENARIO 23 Copyright 2009 Juniper Networks, Inc.

21 DATA CENTER MPLS / VPLS VLAN/VPLS 10GE LAG Optional Internet Access Internet WAN Inter-DC RSVP / TE MPLS Core or SuperCore SRX5800 MX Series LDP [RSVP] MPLS Service Edge VPLS or L3VPN (L2/L3 Boundary) POD 1 VLAN Access L2 Agg VLANs SRX5800 Dom N Dom 3 Dom 2 Dom 1 2 TORs 2 TORs 2 TORs TOR 24 Copyright 2009 Juniper Networks, Inc.

22 SCALING DATA CENTER MPLS / VPLS VLAN/VPLS 10GE LAG Internet WAN Inter-DC RSVP / TE MPLS Core or SuperCore SRX5800 LDP MX Series LDP [RSVP] MPLS Service Edge VPLS or L3VPN (L2/L3 Boundary) POD N POD 1 SRX5800 L2 Agg VLANs VLAN Access L2 Agg VLANs SRX5800 Dom N Dom 3 Dom 2 Dom 1 Dom N Dom 3 Dom 2 Dom 1 2 TORs 2 TORs 2 TORs TOR 2 TORs 2 TORs 2 TORs TOR 25 Copyright 2009 Juniper Networks, Inc.

23 DATA CENTER MPLS / VPLS WITH VIRTUAL CHASSIS ON MX VLAN/VPLS 10GE LAG Internet WAN Inter-DC RSVP / TE MPLS Core or SuperCore SRX5800 LDP MX Series LDP [RSVP] MPLS Service Edge VPLS or L3VPN (L2/L3 Boundary) POD N POD 1 SRX5800 L2 Agg VLANs VLAN Access L2 Agg VLANs SRX5800 Dom N Dom 3 Dom 2 Dom 1 Dom N Dom 3 Dom 2 Dom 1 2 TORs 2 TORs 2 TORs TOR 2 TORs 2 TORs 2 TORs TOR 26 Copyright 2009 Juniper Networks, Inc.

24 SUMMARY Network Virtualization in the Data Center with MPLS Enables new services/applications onto the network in a matter of minutes Supports network segmentation and privacy Privacy Scalable MPLS Architecture Enhance User Experience Enhances end-user application experience Improve network resiliency Fast and Secure New Service Creation Improve Network Resiliency Boost network scalability and performance Seamless Network Connectivity 27 Copyright 2009 Juniper Networks, Inc.

25 STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION 28 Copyright 2009 Juniper Networks, Inc.

26 MARKET DRIVERS Virtualization Server Licenses grew 53% in '08 over prior year IDC Server Virtualization Tracker December 08 Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 Gartner Dataquest Insight January 09 43% of enterprises with 500+ employees and 26% of SMBs employees are using server virtualization Yankee July 09 Installed Base Grows 10x VM Penetration of Installed Workloads YE 2008 (5.8M) YE 2012 (58M) 29 Copyright 2009 Juniper Networks, Inc.

27 JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION Server Virtualization Before and After Impact on Networking Network for Virtualized DC Feature rich Virtual Switching VEPA 30 Copyright 2009 Juniper Networks, Inc.

28 SERVER VIRTUALIZATION BEFORE NIC NIC O/S Application Network Switch Network Switch NIC NIC Network endpoint O/S Application Server 31 Copyright 2009 Juniper Networks, Inc.

29 SERVER VIRTUALIZATION - AFTER NIC NIC O/S Application Network Switch Network Switch NIC NIC Network virtual endpoint VEB Hypervisor Virtual Port Virtual Port Virtual Port O/S O/S Application O/S Server Application 1 Application 2 Application 3 32 Copyright 2009 Juniper Networks, Inc. VM 1 VM 2 VM 3

30 JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION Server Virtualization Before and After Impact on Networking Network for Virtualized DC Feature rich Virtual Switching VEPA 33 Copyright 2009 Juniper Networks, Inc.

31 SERVER VIRTUALIZATION: NEW ACCESS LAYER Virtualized Virtualized Virtualized Virtualized Virtualized Virtualized Virtualized Not Virtualized virtualized vswitch vswitch vswitch vswitch vswitch vswitch vswitch vswitch New Access Layer (Server admin) Control Plane + Data Plane New challenges Too many switching elements Additional switching tiers Different management tools for physical and virtual Change from traditional roles and responsibilities VM network state and policy migration Unpredictable performance with software implementations Old access Layer (Network Operator) 35 Copyright 2009 Juniper Networks, Inc.

32 SERVER VIRTUALIZATION - IMPACT ON NETWORKING NETWORK MANAGEMENT FEATURES Large number of end points VM live migration, flexible VM placement VM clusters Mobility, Fault tolerance, HA Additional switching tiers, switching elements Change from traditional roles and responsibilities Fragmented networks lack of network and security policies Different management tools Feature inconsistency between physical and virtual Unpredictable performance with software Vswitches Lack of Standards based solutions; vendor lock-ins 36 Copyright 2009 Juniper Networks, Inc.

33 JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION Server Virtualization Before and After Impact on Networking Network for Virtualized DC Feature rich Virtual Switching VEPA 37 Copyright 2009 Juniper Networks, Inc.

34 NETWORK FOR VIRTUALIZED DATA CENTER NETWORK Support Scale Enable Ubiquitous Resource Pools Any to any connectivity Low latency, High speed Provide flat L2 network Spanning Tree Protocol (STP) free design Simplify network design Collapse tiers, reduce number of switching elements Switching platforms EX Virtual Chassis Stratus Inter-DC L2 Domain Span MX VPLS and MAC VPNs Security in the DC SRX and Altor Virtual Firewall 38 Copyright 2009 Juniper Networks, Inc.

35 JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION Server Virtualization Before and After Impact on Networking Network for Virtualized DC Feature rich Virtual Switching VEPA 39 Copyright 2009 Juniper Networks, Inc.

36 VIRTUAL ETHERNET PORT AGGREGATOR VEPA- 40 Copyright 2009 Juniper Networks, Inc.

37 FEATURE RICH VIRTUAL SWITCHING FEATURES Standards Based and Interoperable Solutions Built to fully realize the ubiquitous resource pools and flexible VM placement VM state and policy migration VEPA Virtual Ethernet Port Aggregator Gains access to external switch features Packet processing (TCAMs, ACLs, etc.) Security features such as: DHCP guard, ARP monitoring, source port filtering, dynamic ARP protection/inspection, etc. Enhances monitoring capabilities Statistics NetFlow, sflow, rmon, port mirroring, etc. 41 Copyright 2009 Juniper Networks, Inc.

38 FEATURE RICH VIRTUAL SWITCHING - VEPA VEB / vswitch VEPA VM1 VM2 VM3 VM1 VM2 VM3 Vswitch Access VEPA Access Pswitch Pswitch Access Currently deployed Multiple implementations No clean, standard handoffs for signaling VM mobility Evolving open standard IEEE 802.1Qbg Simple - Bypasses virtual switches and additional tiers in the network. Co-existence possible. Open any server, hypervisor and switch Scalable span of VM mobility Business agility automated policy provisioning & migration 42 Copyright 2009 Juniper Networks, Inc.

39 BASIC VEPA OPERATION UNICAST TRAFFIC- 43 Copyright 2009 Juniper Networks, Inc.

40 BASIC VEPA OPERATION MULTICAST TRAFFIC- 44 Copyright 2009 Juniper Networks, Inc.

41 CURRENT STATUS OF VEPA IEEE Atlanta plenary meeting in November 2009 approved two new PARs Qbg Virtual Bridged Local Area Networks Amendment: Edge Virtual Bridging ( - includes simple VEPA, multi-channel VEPA and AMPP Qbh Virtual Bridged Local Area Network Amendment: Bridge Port Extension ( - covers the original Cisco proposal of VN_Tag or port extender Juniper will support 802.1Qbg 802.1Qbh - Cisco is currently the proposer and sole supporter! Control plane signaling in 802.1Qbg is called VDP Juniper is working very closely with industry leading server, NIC and network equipment vendors to develop a VDP standard by 2H Copyright 2009 Juniper Networks, Inc.

42 JUNIPER S SOLUTIONS LANDSCAPE yes Switching within the server (VEB)? no VMware Vswitch Standards based? no yes vds Integrate virtual appliances e.g. Altor firewall no Industry Wide support? yes Junos Space application to manage vds Junos Space Virtual Control ( Shipping) Replace VMware's Vswitch Nexus 1000v VNTag Nexus (1K + 5K) Port Extender IEEE 802.1Qbh VEPA IEEE 802.1Qbg (2H 2011) 46 Copyright 2009 Juniper Networks, Inc.

43 SECURING THE VIRTUAL DATA CENTER 47 Copyright 2009 Juniper Networks, Inc.

44 SECURING THE VIRTUAL DATA CENTER 1 Market Drivers 2 Security Implications of Virtual Servers 3 Introducing Altor Virtual Firewall (VF) What Juniper s strategy? 48 Copyright 2009 Juniper Networks, Inc.

45 MARKET DRIVERS Virtualization Server Licenses grew 53% in '08 over prior year IDC Server Virtualization Tracker December 08 Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 Gartner Dataquest Insight January 09 43% of enterprises with 500+ employees and 26% of SMBs employees are using server virtualization Yankee July 09 Installed Base Grows 10x VM Penetration of Installed Workloads YE 2008 (5.8M) YE 2012 (58M) 49 Copyright 2009 Juniper Networks, Inc.

46 SECURITY IMPLICATIONS OF VIRTUAL SERVERS PHYSICAL NETWORK VIRTUAL NETWORK VM1 VM2 VM3 ESX Host HYPERVISOR Firewall/IPS Inspects All Traffic Between Servers Physical Security is Blind to Traffic Between Virtual Machines 50 Copyright 2009 Juniper Networks, Inc.

47 APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS 1. VLAN Segmentation 2. Agent-based 3. Kernel-based Firewall Each VM in separate VLAN Inter-VM communications must route through the firewall Drawback: Possibly complex VLAN networking VM1 VM2 VM3 Each VM has a software firewall Drawback: Significant performance implications; Huge management overhead of maintaining software and signature on 1000s of VMs VM1 VM2 VM3 VMs can securely share VLANs Inter-VM traffic always protected High-performance from implementing firewall in the kernel Micro-segmenting capabilities VM1 VM2 VM3 ESX Host ESX Host FW as Kernel Module ESX Host HYPERVISOR HYPERVISOR HYPERVISOR FW Agents 51 Copyright 2009 Juniper Networks, Inc.

48 INTRODUCING THE ALTOR VIRTUAL FIREWALL VM1 VM2 VM3 ALTOR VF ESX Host Hypervisor Kernel Stateful Firewall Purpose-built virtual firewall Secure Live-Migration (VMotion) Security for each VM by VM ID Fully stateful firewall VMware VMsafe Certified Tight Integration with Virtual Platform Management, e.g. VMware vcenter Fault-Tolerant Architecture NSM Network STRM Juniper Switch Juniper SRX 52 Copyright 2009 Juniper Networks, Inc.

49 ALTOR KERNEL IMPLEMENTATION Altor built a custom kernel enforcement module in ESX Hypervisor Packets are forwarded to Altor directly from the Virtual OS ALTOR VM VM1 VM2 VM3 Policy Logging Management ALTOR VM Policy Logging Management VM1 VM2 VM3 Altor VMsafe Kernel Module Packet / Data ESX Kernel Altor 3.0 Engine Packet / Data SRX w/ips Altor VS VF VMware DVFilter ESX Host VMware vswitch 53 Copyright 2009 Juniper Networks, Inc.

50 INTEGRATION WITH JUNIPER DATA CENTER SECURITY VM1 VM2 VM3 ALTOR VM Altor Center Policies Altor Integration Point Central Policy Management Altor Virtual Firewall VMware vsphere Altor Integration Point Firewall Event Syslogs Netflow for Inter-VM Traffic Altor Integration Point Traffic Mirroring to IPS STRM NSM Network Juniper Switch Juniper SRX with IPS 54 Copyright 2009 Juniper Networks, Inc.

51 Solution Challenge CUSTOMER USE CASE: VIRTUAL DESKTOPS (VDI) Desktops can carry a lot of dirty apps Malware can easily propagate in a virtual environment from VM to VM and from VM host to host Access control and worm suppression is imperative for VDI deployment Altor VF blocks worm outbreaks in the virtual environment Juniper IPS + Altor VF can detect and block malware in physical and virtual environment 55 Copyright 2009 Juniper Networks, Inc.

52 Solution Challenge CUSTOMER USE CASE: COMPLIANCE Comply with PCI, SOX, FISMA, ISO27001 etc. mandates to enforce access control, separation of duties Comply with requirements for reporting and alerting on access activity Show the effectiveness of security controls for audits Purpose Built Firewalling Altor s stateful VF sees all inter-vm traffic, enforces policy on VMs, and produces detailed reports on traffic, traffic flows and applied security Virtual IPS - Altor VF integrates with STRM and NSM to send firewall events, Netflow data and mirror traffic to Juniper IPS 56 Copyright 2009 Juniper Networks, Inc.

53 Solution Challenge CUSTOMER USE CASE: VIRTUAL DMZ DMZ resources span many applications and services All DMZ resources share an Internet facing network so security is critical Partner and customer extranets must be appropriately segmented and protected Altor can segment each VM or group of VMs with unique firewall policies Security zones are maintained with NO VLAN changes 57 Copyright 2009 Juniper Networks, Inc.

54