NETWORK VIRTUALIZATION. Fabio Bellini Systems Engineer

Slide 1: NETWORK VIRTUALIZATION
Fabio Bellini, Systems Engineer, fbellini@juniper.net

Slide 2: VIRTUALIZATION TECHNOLOGIES
- Server Virtualization: segmentation of physical servers into multiple OS instances. VMware, XenSource, Microsoft Hyper-V, Oracle OVM, IBM Power-V, Red Hat KVM
- Desktop Virtualization: complete management of offline user desktops with remote access and local use modes. VMware View, Microsoft TermServ NG (Kidaro), Citrix Presentation Server, RingCube vDesk, MokaFive
- Application Virtualization: autonomous execution of applications sharing common libraries, for easier maintenance and lower risk. Microsoft SoftGrid, VMware ThinApp, Altiris, XenApp, AnandTech
- Storage Virtualization: abstraction of physical storage from logical storage; enables quick data replication and lowers the risk of data loss. NetApp, EMC, Stor
- I/O Virtualization: consolidation of I/O interface types into fewer high-capacity interfaces. Xsigo, Brocade, NextIO
- Network Virtualization
Copyright 2009 Juniper Networks, Inc. www.juniper.net

Slide 3: NETWORK VIRTUALIZATION
1. Network Virtualization Across the Data Center
2. Strategy and Solution for Server Virtualization
3. Securing the Virtual Data Center

Slide 4: NETWORK VIRTUALIZATION (section title)

Slide 5: AGENDA
1. How to achieve L2/L3 network virtualization
2. Customer deployment scenarios:
   - Inter-Data Center L2 VLAN stretch connectivity
   - Multi-tiered enterprise application design
   - L3VPN network segmentation for applications, business partners and regulatory compliance

Slide 6: DRIVERS FOR NETWORK VIRTUALIZATION
- Establish traffic segmentation and improve privacy
- Increase network resiliency
- Improve network scalability and performance
- Improve security
- Rapidly deploy new services and applications
- Improve end-user application performance
- Adhere to regulatory compliance

Slide 7: NETWORK VIRTUALIZATION COMPONENTS (diagram)
- Device Partitioning (1:N): Logical Systems, Virtual Routers, Virtual Bridging, VLAN, VRF, IRB, JCS1200
- Network Communication (N:M), virtualization with MPLS: L3 VPN (MPLS, GRE, IPsec); L2 VPN (VPLS, pseudo-wires, 802.1q); circuit to packet (TDM, serial, etc. to IP)
- Device Aggregation (N:1): Virtual Chassis, Multi-Chassis LAG, TX Matrix, JCS 1200

Slide 8: VIRTUALIZATION ATTRIBUTES
- Scalable: rapidly increase throughput and ports
- Flexible: adapt easily to changing business needs; allow separation of applications and architecture
- Transparent
- High-Performance: MX Series, cloud
- Resilient: hardware and software resiliency, i.e. NSR and ISSU
- Secure: traffic segmentation, application security

Slide 9: NETWORK VIRTUALIZATION TECHNOLOGIES
- Service Virtualization (improves layering of services using secure virtual connectivity):
   - L2VPN: L2 point-to-point, privacy
   - L3VPN: L3 multipoint-to-multipoint, scalability
   - VPLS: L2 point-to-multipoint, resiliency
   - MPLS Traffic Engineering
- System Virtualization, many-to-one (improves resiliency, scalability and manageability):
   - Virtual Chassis: resiliency, simplifies configuration, service scalability, physical port scalability
- Device Virtualization, one-to-many (improves device utilization and manageability):
   - Virtual Router: scalable routing separation
   - VRF lite: routing separation
   - Logical Systems: routing and management separation
   - Bridge Group: simplifies configuration
   - Virtual Switch: scalable switching separation
- Link Virtualization (improves link utilization, scalability and resiliency):
   - VLAN: traffic segmentation, priority
   - LAG: scale bandwidth, resiliency
   - GRE: tunnel non-IP traffic
   - MPLS LSP: traffic segmentation, priority

Slide 10: THE MPLS NETWORK VIRTUALIZATION SOLUTION
- Shared physical network, no compromises (reliable, secure): MPLS enables one physical network to be configured and operated as many separate virtual networks, as L2 or L3 VPN services
- Easily add new applications or networks: new acquisitions and various applications can be added to the network via MPLS VPNs; each subsidiary or application operates as though it has a private network over a cost-effective shared infrastructure
- Simply manage bandwidth needs: MPLS allows optimal utilization of network bandwidth, with allocation per service/application while maintaining latency requirements for critical applications
- The result: diverse needs of business units are satisfied with virtualized networks that cost less and effectively scale to support the largest enterprises

Slide 11: DATA CENTER SERVICES EDGE WITH MPLS (diagram)
- MX & M Series: powerful, reliable routers for the edge; L2/L3 boundary; low latency and scalable multicast; network virtualization boundary; MX in core & WAN
- Diagram elements: SRX5800 (FW #1, FW #2 with IPS #2, FW #3 with IPS #3 and NAT #3), EX8216 with VRF #1, VRF #2 and VRF #3, VLANs mapped into VRFs, EX4200 at the access layer
- Enterprise Services Edge: cloud/application segments (L3 VPN), VLAN extensions (VPLS), TDM replacements over IP WAN, regulatory compliance
- MPLS and VPLS extend VLANs, enabling mobility

Slide 12: NETWORK VIRTUALIZATION TRANSLATION

Service ID (MPLS Label) | Application / Service              | Network Communication | Network Characteristics        | Network Technology
L2-0001                 | Storage Network                    | L2 Stretch            | RSVP-TE                        | VPLS
L2-0101                 | VMotion POD1                       | L2 Stretch            | Low Latency                    | VPLS
L2-0102                 | VMotion POD2                       | L2 Stretch            | Low Latency                    | VPLS
L3-0001                 | Primary Application Production     | L3 Unicast IP         | Policy map to Services (SRX)   | L3VPN
L3-0002                 | Primary Application Pre-Production | L3 Unicast IP         | Policy map to Services (SRX)   | L3VPN
L3-0003                 | Primary Application Compliance     | L3 Unicast IP         | Policy map to Services (SRX)   | L3VPN
L3-1001                 | Business Partner Access            | L3 Unicast IP         | Policy map to Services (SRX)   | L3VPN Hub and Spoke
M3-0001                 | Multicast Application              | L3 Multicast          | BW constrained                 | P2MP

Simple example of how customers might track applications/services to VPLS, L3VPN or Multicast VPN from within a data center management system.
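The table above maps services to L3VPNs and to an L3VPN hub-and-spoke for partner access. The following is an added example, not code from the deck or from Juniper, that models how a provider-edge router keeps those services apart: one routing table per VRF, with routes leaking between VRFs only through route-target import/export. All VRF names, route targets, prefixes and next hops are constructed; the MP-BGP exchange and per-prefix labels of a real PE are not modelled.

```python
"""Added example, not from the Juniper deck: a toy provider-edge (PE) router
that keeps one routing table per VRF and leaks routes between VRFs only via
route-target (RT) import/export, as an MPLS L3VPN does.

Everything here (VRF names, route targets, prefixes, next hops) is constructed
for illustration; real PEs carry these routes as VPNv4 NLRI over MP-BGP with a
label per prefix, which this model leaves out."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vrf:
    name: str
    export_rt: set                                    # RTs stamped on routes this VRF advertises
    import_rt: set                                    # RTs whose routes this VRF installs
    local_routes: dict = field(default_factory=dict)  # prefix string -> next hop of the customer site
    table: dict = field(default_factory=dict)         # ip_network -> (next hop, origin VRF)


class ProviderEdge:
    def __init__(self):
        self.vrfs = {}

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def rebuild_tables(self):
        """Simulate the VPNv4 route exchange: every local route is advertised with its
        VRF's export RTs, and each VRF installs its own routes plus any advertised
        route carrying at least one RT it imports."""
        advertised = [(v.name, ip_network(p), nh, v.export_rt)
                      for v in self.vrfs.values() for p, nh in v.local_routes.items()]
        for v in self.vrfs.values():
            v.table = {}
            for origin, prefix, nh, rts in advertised:
                if origin == v.name or rts & v.import_rt:
                    v.table[prefix] = (nh, origin)

    def lookup(self, vrf_name, dst):
        """Longest-prefix match inside one VRF only; returns (next hop, origin VRF) or None."""
        addr = ip_address(dst)
        best = None
        for prefix, entry in self.vrfs[vrf_name].table.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, entry)
        return None if best is None else best[1]


def build_demo():
    """Two isolated VRFs with overlapping addressing, plus a hub-and-spoke set in
    which spokes learn only the hub's routes, so spoke-to-spoke traffic is forced
    through the hub (where the slide places the SRX policy)."""
    pe = ProviderEdge()
    pe.add_vrf(Vrf("PROD", {"65000:1"}, {"65000:1"}, {"10.1.0.0/24": "PROD-CE"}))
    pe.add_vrf(Vrf("PREPROD", {"65000:2"}, {"65000:2"},
                   {"10.1.0.0/24": "PREPROD-CE", "10.2.0.0/24": "PREPROD-CE"}))
    # Hub exports a default route tagged with the hub RT and imports the spoke RT.
    pe.add_vrf(Vrf("HUB", {"65000:1001"}, {"65000:1002"},
                   {"0.0.0.0/0": "HUB-SRX", "192.168.100.0/24": "HUB-SRX"}))
    # Spokes export the spoke RT and import only the hub RT: they never see each other directly.
    pe.add_vrf(Vrf("SPOKE-A", {"65000:1002"}, {"65000:1001"}, {"172.16.1.0/24": "SPOKE-A-CE"}))
    pe.add_vrf(Vrf("SPOKE-B", {"65000:1002"}, {"65000:1001"}, {"172.16.2.0/24": "SPOKE-B-CE"}))
    pe.rebuild_tables()
    return pe


if __name__ == "__main__":
    pe = build_demo()
    for vrf, dst in [("PROD", "10.1.0.5"), ("PREPROD", "10.1.0.5"), ("PROD", "10.2.0.9"),
                     ("SPOKE-A", "172.16.2.1"), ("HUB", "172.16.2.1")]:
        print(f"{vrf:8s} -> {dst:12s} : {pe.lookup(vrf, dst)}")
```

The same destination address resolves to different sites in PROD and PREPROD, a prefix that only PREPROD exports is unreachable from PROD, and a spoke reaches the other spoke only through the hub's default route, which is how the "policy map to services (SRX)" column is enforced topologically rather than by trusting the endpoints.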

Slide 13: NETWORK VIRTUALIZATION ADVANTAGES
- Fast and secure new service creation: enables new services/applications onto the network in a matter of minutes; configuration changes add segmented applications without disrupting production services
- Privacy: supports network segmentation and privacy; regional-, departmental- and project-oriented groups have control over their network assets and configurations, for M&A and divestitures
- Scalable MPLS architecture, enhanced user experience: enhances the end-user application experience; Traffic Engineering enables fine-tuning of the network to deliver appropriate levels of service
- Improved network resiliency: with features like Fast Reroute, enabling sub-50 msec reroute to maintain real-time traffic during a node or link failure
- Seamless network connectivity: boosts network scalability and performance; scales for future growth

Slide 14: AGENDA
1. How to achieve L2/L3 network virtualization
2. Customer deployment scenarios:
   - Inter-Data Center L2 VLAN stretch connectivity
   - Multi-tiered enterprise application design
   - L3VPN network segmentation for applications, business partners and regulatory compliance

Slide 15: NETWORK VIRTUALIZATION DEPLOYMENT EXAMPLES WITH MPLS (diagram)
- Inter-DC L2 stretch: VPLS over the MPLS core; MX Series at the service edge, EX 4200 at the VLAN access layer; VM1, VM2 and DB1 present in both Data Center 1 and Data Center 2
- Multi-tier applications: MX Series and SRX Series forming a network virtualization layer with segments AA, DMZ, Exnet, Web, Apps, DB, NOC and NAS (an MPLS services edge architecture)
- Regulatory compliance: a converged MPLS-based network for a utility provider, with a SCADA/control system VPN network and a utility provider administrative VPN network spanning transmission, distribution, power generation stations, consumer smart meters and the Internet, with a Juniper router at each edge

Slide 16: INTER-DATA CENTER L2 STRETCH CONNECTIVITY (section title)

Slide 17: SERVER LIVE MIGRATION AND MIRRORING SERVICES
- VPLS over the MPLS core
- L2 stretch between data centers: VMotion services, DB/storage mirroring
- VLAN to VPLS mapping at the service edge boundary
- Diagram: MX Series at the MPLS service edge boundary of each data center, EX Series at the access layer; the DB1 VLAN is mapped to the DB1 VPLS and the VM1 VLAN to the VM1 VPLS between Data Center 1 and Data Center 2

Slide 18: MIXED PRIVATE/PUBLIC TRANSPORT WITH PRIVATE MPLS CONFIGURATIONS
- Core WAN Plane A: private WAN (leased circuits); suitable for large data center inter/intra-data center transport over an MPLS super core, with the comprehensive MPLS L2/L3 VPN and VPLS feature set
- Core WAN Plane B: VPLS service or L2VPN
- Data center core/aggregation layer: MX Series with the 16-port 10GE line card, in Data Center 1 and Data Center 2

Slide 19: ENTERPRISE DEPLOYMENT APPLICATIONS (diagram)
- Corp core LAN/WAN, small campus and small data center, each with WAN edge MX80s; WAN edge M or MX Series; Internet/private IP/MPLS WAN; MX80s providing MPLS virtualization in the data center access layer
- MX80s optimized for Ethernet connectivity: for corporate, small campus and small data center WAN Ethernet edge
- Top-of-rack router in large DCs, bringing the power of MPLS virtualization and L3 to the access layer

Slide 23: COMPLETE INTRA- AND INTER-DATA CENTER VIRTUALIZATION SCENARIO (section title)

Slide 24: DATA CENTER MPLS / VPLS (diagram)
- Internet, WAN and inter-DC connectivity over an RSVP-TE MPLS core or super core; optional Internet access
- SRX5800 and MX Series (LDP [RSVP]) at the MPLS service edge: VPLS or L3VPN, the L2/L3 boundary
- POD 1: VLAN access, L2 aggregation VLANs, SRX5800, 10GE LAG, VLAN/VPLS; domains Dom 1, Dom 2, Dom 3 ... Dom N, each with 2 TORs

Slide 25: SCALING DATA CENTER MPLS / VPLS (diagram)
- Same layout as slide 24, scaled out: Internet, WAN and inter-DC over the RSVP-TE MPLS core or super core; SRX5800 and MX Series (LDP [RSVP]) at the MPLS service edge with VPLS or L3VPN (L2/L3 boundary)
- POD 1 through POD N, each with VLAN access, L2 aggregation VLANs, SRX5800, 10GE LAG and VLAN/VPLS, and domains Dom 1 ... Dom N of 2 TORs each

Slide 26: DATA CENTER MPLS / VPLS WITH VIRTUAL CHASSIS ON MX (diagram)
- Same layout as slide 25, with the MX Series service edge running as a Virtual Chassis: Internet, WAN and inter-DC over the RSVP-TE MPLS core or super core; SRX5800 and MX Series (LDP [RSVP]) providing VPLS or L3VPN at the L2/L3 boundary
- POD 1 through POD N, each with VLAN access, L2 aggregation VLANs, SRX5800, 10GE LAG and VLAN/VPLS, and domains Dom 1 ... Dom N of 2 TORs each

Slide 27: SUMMARY
Network virtualization in the data center with MPLS:
- Fast and secure new service creation: enables new services/applications onto the network in a matter of minutes
- Privacy: supports network segmentation and privacy
- Scalable MPLS architecture, enhanced user experience: enhances the end-user application experience
- Improved network resiliency
- Seamless network connectivity: boosts network scalability and performance

Slide 28: STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION (section title)

Slide 29: MARKET DRIVERS
- Virtualization server licenses grew 53% in '08 over the prior year (IDC Server Virtualization Tracker, December 08)
- Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 (Gartner Dataquest Insight, January 09)
- 43% of enterprises with 500+ employees and 26% of SMBs (100-499 employees) are using server virtualization (Yankee, July 09)
- Installed base grows 10x: VM penetration of installed workloads from YE 2008 (5.8M) to YE 2012 (58M)

Slide 30: JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION
- Server virtualization before and after
- Impact on networking
- Network for the virtualized DC
- Feature-rich virtual switching: VEPA

Slide 31: SERVER VIRTUALIZATION - BEFORE (diagram)
A physical server running one O/S and application, with two NICs connected to two network switches; the NIC is the network endpoint.

Slide 32: SERVER VIRTUALIZATION - AFTER (diagram)
The same server now runs a hypervisor with a VEB; VM 1, VM 2 and VM 3 (each with its own O/S and Application 1, 2, 3) attach to virtual ports, and the NICs still connect to the two network switches. The virtual port is now the network virtual endpoint.

Slide 33: JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION (agenda, as on slide 30)

Slide 35: SERVER VIRTUALIZATION: NEW ACCESS LAYER (diagram)
- Old access layer (network operator) vs. new access layer (server admin): each virtualized server carries its own vswitch with control plane and data plane; one server in the row is not virtualized
- New challenges: too many switching elements; additional switching tiers; different management tools for physical and virtual; change from traditional roles and responsibilities; VM network state and policy migration; unpredictable performance with software implementations

Slide 36: SERVER VIRTUALIZATION - IMPACT ON NETWORKING (columns: Network, Management, Features)
- Large number of end points
- VM live migration, flexible VM placement
- VM clusters: mobility, fault tolerance, HA
- Additional switching tiers and switching elements
- Change from traditional roles and responsibilities
- Fragmented networks; lack of network and security policies
- Different management tools
- Feature inconsistency between physical and virtual
- Unpredictable performance with software vswitches
- Lack of standards-based solutions; vendor lock-in

Slide 37: JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION (agenda, as on slide 30)

Slide 38: NETWORK FOR THE VIRTUALIZED DATA CENTER
- Network: support scale; enable ubiquitous resource pools (any-to-any connectivity, low latency, high speed); provide a flat L2 network with a Spanning Tree Protocol (STP) free design; simplify network design by collapsing tiers and reducing the number of switching elements
- Switching platforms: EX Virtual Chassis, Stratus
- Inter-DC L2 domain span: MX VPLS and MAC VPNs
- Security in the DC: SRX and Altor Virtual Firewall

Slide 39: JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION (agenda, as on slide 30)

Slide 40: VIRTUAL ETHERNET PORT AGGREGATOR (VEPA) (section title)

Slide 41: FEATURE-RICH VIRTUAL SWITCHING FEATURES
- Standards-based and interoperable solutions
- Built to fully realize ubiquitous resource pools and flexible VM placement
- VM state and policy migration
- VEPA (Virtual Ethernet Port Aggregator) gains access to external switch features:
   - Packet processing (TCAMs, ACLs, etc.)
   - Security features such as DHCP guard, ARP monitoring, source port filtering, dynamic ARP protection/inspection, etc.
   - Enhanced monitoring capabilities: statistics (NetFlow, sFlow, RMON, port mirroring, etc.)

Slide 42: FEATURE-RICH VIRTUAL SWITCHING - VEPA (diagram)
- VEB / vswitch (currently deployed): VM1, VM2 and VM3 attach to the vswitch; vswitch access, then pswitch access. Multiple implementations; no clean, standard handoffs for signaling VM mobility
- VEPA (evolving open standard, IEEE 802.1Qbg): VM1, VM2 and VM3 attach to the VEPA, which hands off directly to pswitch access
   - Simple: bypasses virtual switches and additional tiers in the network; co-existence possible
   - Open: any server, hypervisor and switch
   - Scalable span of VM mobility
   - Business agility: automated policy provisioning and migration
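Slides 41 and 42 argue that a VEPA bypasses the vswitch so that the physical switch's ACLs, monitoring and security features apply to VM-to-VM traffic. The simulation below is an added example, not code from the deck or from Juniper, that shows the forwarding difference and why the adjacent bridge must be allowed to send a frame back out the port it arrived on ("reflective relay", the hairpin mode of 802.1Qbg). The MAC addresses, the two-entry ACL, the port name and the `reflective_relay` flag are constructed for illustration.

```python
"""Added example, not from the Juniper deck: a simulation of the forwarding
difference between a virtual embedded bridge (VEB, the classic vswitch) and a
VEPA that pushes every VM frame to the adjacent physical bridge.

Constructed for illustration: the MAC addresses, the two-entry ACL, and the
reflective_relay flag standing in for the 802.1Qbg hairpin mode a bridge port
must enable to send a frame back out the port it arrived on."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class AdjacentBridge:
    """The physical switch. Only frames that reach it can be counted, mirrored or ACL-filtered."""

    def __init__(self, deny_pairs, reflective_relay):
        self.ports = {}                 # port name -> attached host
        self.mac_table = {}             # MAC -> port (learned or signalled)
        self.deny = set(deny_pairs)     # constructed ACL: (src MAC, dst MAC) pairs to drop
        self.reflective_relay = reflective_relay
        self.inspected = []             # every frame the bridge actually saw

    def attach(self, port, host, macs):
        self.ports[port] = host
        for mac in macs:                # stands in for VDP association or source learning
            self.mac_table[mac] = port

    def receive(self, frame, in_port):
        self.inspected.append((in_port, frame.src, frame.dst))
        if (frame.src, frame.dst) in self.deny:
            return "dropped-by-acl"
        out_port = self.mac_table.get(frame.dst)
        if out_port is None:
            return "flooded"            # unknown unicast; flooding itself is not modelled
        if out_port == in_port and not self.reflective_relay:
            return "discarded-no-hairpin"   # 802.1D: never send a frame back out its ingress port
        self.ports[out_port].receive_from_uplink(frame)
        return "hairpinned" if out_port == in_port else "forwarded"


class Host:
    """One hypervisor host whose VM-facing edge is either a VEB or a VEPA."""

    def __init__(self, name, mode, bridge, port, vms):
        self.name, self.mode, self.bridge, self.port = name, mode, bridge, port
        self.vms = dict(vms)            # MAC -> VM name
        self.delivered = []             # (VM name, frame) pairs handed to a local VM
        bridge.attach(port, self, self.vms)

    def send(self, frame):
        if self.mode == "VEB" and frame.dst in self.vms:
            # Local switching: the physical bridge never sees this frame.
            self.delivered.append((self.vms[frame.dst], frame))
            return "local"
        # VEPA (or a VEB with a remote destination): hand the frame to the adjacent bridge.
        return self.bridge.receive(frame, self.port)

    def receive_from_uplink(self, frame):
        if frame.dst in self.vms:
            self.delivered.append((self.vms[frame.dst], frame))


def run_demo(mode, reflective_relay):
    """Send VM1->VM2 (denied by the bridge ACL) and VM2->VM1 (allowed) on one host."""
    vm1, vm2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    bridge = AdjacentBridge(deny_pairs=[(vm1, vm2)], reflective_relay=reflective_relay)
    host = Host("esx-1", mode, bridge, "ge-0/0/1", {vm1: "VM1", vm2: "VM2"})
    r1 = host.send(Frame(vm1, vm2))
    r2 = host.send(Frame(vm2, vm1))
    got = {vm for vm, _ in host.delivered}
    return {"vm1_to_vm2": r1, "vm2_to_vm1": r2,
            "inspected": len(bridge.inspected),
            "vm2_got_frame": "VM2" in got, "vm1_got_frame": "VM1" in got}


if __name__ == "__main__":
    for mode, rr in [("VEB", False), ("VEPA", False), ("VEPA", True)]:
        print(mode, "reflective_relay=" + str(rr), run_demo(mode, rr))
```

Under VEB the denied frame is delivered anyway and the bridge inspects nothing; under VEPA without hairpin mode even permitted VM-to-VM traffic is discarded by standard bridge rules; only VEPA with reflective relay gives the result the slides describe, where the bridge's ACL is enforced and the allowed frame is reflected back to the host.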

Slide 43: BASIC VEPA OPERATION - UNICAST TRAFFIC (diagram only)

Slide 44: BASIC VEPA OPERATION - MULTICAST TRAFFIC (diagram only)

Slide 45: CURRENT STATUS OF VEPA
- The IEEE Atlanta plenary meeting in November 2009 approved two new PARs:
   1. 802.1Qbg, Virtual Bridged Local Area Networks Amendment: Edge Virtual Bridging (http://www.ieee802.org/1/files/public/docs2009/new-bg-thalerpar-1109.pdf); includes simple VEPA, multi-channel VEPA and AMPP
   2. 802.1Qbh, Virtual Bridged Local Area Network Amendment: Bridge Port Extension (http://www.ieee802.org/1/files/public/docs2009/new-bh-thalerpar-1109-v2.pdf); covers the original Cisco proposal of VN_Tag or port extender
- Juniper will support 802.1Qbg
- 802.1Qbh: Cisco is currently the proposer and sole supporter!
- Control plane signaling in 802.1Qbg is called VDP
- Juniper is working very closely with industry-leading server, NIC and network equipment vendors to develop a VDP standard by 2H 2010.

Slide 46: JUNIPER'S SOLUTIONS LANDSCAPE (decision tree)
- Decision points: Switching within the server (VEB)? (yes/no); Standards based? (yes/no); Industry-wide support? (yes/no)
- Options shown:
   - VMware vSwitch / vDS, integrating virtual appliances (e.g. the Altor firewall)
   - Junos Space application to manage vDS: Junos Space Virtual Control (shipping)
   - Replace VMware's vSwitch: Nexus 1000v
   - VNTag, Nexus (1K + 5K) port extender: IEEE 802.1Qbh
   - VEPA: IEEE 802.1Qbg (2H 2011)

Slide 47: SECURING THE VIRTUAL DATA CENTER (section title)

Slide 48: SECURING THE VIRTUAL DATA CENTER
1. Market drivers
2. Security implications of virtual servers
3. Introducing the Altor Virtual Firewall (VF): what is Juniper's strategy?

Slide 49: MARKET DRIVERS (same content as slide 29)

Slide 50: SECURITY IMPLICATIONS OF VIRTUAL SERVERS (diagram)
- Physical network: the firewall/IPS inspects all traffic between servers
- Virtual network: VM1, VM2 and VM3 on one ESX host share the hypervisor; physical security is blind to traffic between virtual machines

Slide 51: APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN segmentation: each VM in a separate VLAN; inter-VM communications must route through the firewall. Drawback: possibly complex VLAN networking
2. Agent-based: each VM has a software firewall (FW agents). Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based firewall (FW as a kernel module in the ESX host hypervisor): VMs can securely share VLANs; inter-VM traffic is always protected; high performance from implementing the firewall in the kernel; micro-segmenting capabilities

Slide 52: INTRODUCING THE ALTOR VIRTUAL FIREWALL (diagram: Altor VF as a stateful firewall in the ESX host hypervisor kernel, in front of VM1, VM2 and VM3)
- Purpose-built virtual firewall
- Secure live migration (VMotion)
- Security for each VM by VM ID
- Fully stateful firewall
- VMware VMsafe certified
- Tight integration with virtual platform management, e.g. VMware vCenter
- Fault-tolerant architecture
- Integrates with NSM, STRM, the Juniper switch and the Juniper SRX
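Slides 51 and 52 contrast VLAN and agent approaches with a kernel-resident stateful firewall that keys policy on VM ID and keeps working across live migration. The code below is an added example, not code from the deck, from Juniper or from Altor, that simulates that model on two hosts: VMs share one VLAN, policy is expressed between VM identities rather than addresses, return traffic is admitted by flow state only, and a VM's flow state is carried to the destination host when it migrates. The VM IDs, the IP-to-VM inventory (what a platform-manager integration would supply), the three-tier rule set and the syslog-like event lines are all constructed.

```python
"""Added example, not from the Juniper deck or Altor's code: a simulated
hypervisor-resident stateful firewall whose policy is keyed by VM identity
rather than by IP address or VLAN, with flow state that moves with a VM when
it is live-migrated to another host.

Constructed for illustration: the VM IDs, the IP-to-VM inventory (what an
integration with the platform manager would supply), the three-tier rule set
and the syslog-like event lines."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True only for the first packet of a new TCP connection


class HostFirewall:
    """Kernel-module style filter on one hypervisor host; the VMs may share a VLAN."""

    def __init__(self, host, inventory, rules):
        self.host = host
        self.inventory = inventory   # shared IP -> VM ID map from platform management
        self.rules = rules           # shared central policy: (src VM, dst VM, proto, dport, action)
        self.flows = {}              # (src_ip, sport, dst_ip, dport, proto) -> (src VM, dst VM)
        self.events = []             # syslog-style lines a SIEM could collect

    def _policy_allows(self, src_vm, dst_vm, proto, dport):
        for r_src, r_dst, r_proto, r_port, action in self.rules:   # first match wins
            if (r_src in (src_vm, "*") and r_dst in (dst_vm, "*")
                    and r_proto == proto and r_port in (dport, "*")):
                return action == "allow"
        return False                                                 # default deny

    def filter(self, pkt):
        key = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return "allow"                       # packet belongs to an established flow
        if not pkt.syn:
            self._log("drop", pkt, "no-matching-flow")
            return "drop"
        src_vm = self.inventory.get(pkt.src_ip, "unknown")
        dst_vm = self.inventory.get(pkt.dst_ip, "unknown")
        if self._policy_allows(src_vm, dst_vm, pkt.proto, pkt.dport):
            self.flows[key] = (src_vm, dst_vm)
            self._log("allow", pkt, f"{src_vm}->{dst_vm}")
            return "allow"
        self._log("drop", pkt, f"{src_vm}->{dst_vm}")
        return "drop"

    def _log(self, action, pkt, reason):
        self.events.append(f"host={self.host} action={action} "
                           f"src={pkt.src_ip}:{pkt.sport} dst={pkt.dst_ip}:{pkt.dport} "
                           f"proto={pkt.proto} reason={reason}")


def migrate(vm_id, src_fw, dst_fw):
    """Move a VM's flow state along with the VM; returns the number of flows transferred."""
    moved = {k: v for k, v in src_fw.flows.items() if vm_id in v}
    for k in moved:
        del src_fw.flows[k]
    dst_fw.flows.update(moved)
    return len(moved)


def build_demo():
    """Three VMs on one shared VLAN; only web->app:8080 and app->db:3306 are permitted."""
    inventory = {"10.0.0.10": "vm-web", "10.0.0.20": "vm-app", "10.0.0.30": "vm-db"}
    rules = [("vm-web", "vm-app", "tcp", 8080, "allow"),
             ("vm-app", "vm-db", "tcp", 3306, "allow")]
    return HostFirewall("esx-a", inventory, rules), HostFirewall("esx-b", inventory, rules)


if __name__ == "__main__":
    esx_a, esx_b = build_demo()
    print(esx_a.filter(Packet("10.0.0.10", "10.0.0.30", 50000, 3306, syn=True)))  # web->db: drop
    print(esx_a.filter(Packet("10.0.0.20", "10.0.0.30", 40000, 3306, syn=True)))  # app->db: allow
    print(esx_a.filter(Packet("10.0.0.30", "10.0.0.20", 3306, 40000)))            # reply: allow by state
    migrate("vm-app", esx_a, esx_b)
    print(esx_b.filter(Packet("10.0.0.20", "10.0.0.30", 40000, 3306)))            # after migration: allow
    print(*esx_a.events, sep="\n")
```

Without the state transfer the mid-session packet arriving on the second host has no matching flow and is dropped, which is the failure mode "secure live migration" on slide 52 refers to; the event lines are the kind of per-VM firewall log that slide 54 feeds to STRM.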

Slide 53: ALTOR KERNEL IMPLEMENTATION (diagram)
- Altor built a custom kernel enforcement module in the ESX hypervisor
- Packets are forwarded to Altor directly from the virtual OS
- Diagram elements: an Altor VM (policy, logging, management) alongside VM1, VM2 and VM3; the Altor VMsafe kernel module in the ESX kernel (VMware DVFilter) sits in the packet/data path between the VMs and the VMware vswitch; Altor 3.0 engine; Altor VS / VF; SRX with IPS

Slide 54: INTEGRATION WITH JUNIPER DATA CENTER SECURITY (diagram)
- Altor integration point, central policy management: Altor Center pushes policies to the Altor VM / Altor Virtual Firewall on VMware vSphere, protecting VM1, VM2 and VM3
- Altor integration point, firewall event syslogs and NetFlow for inter-VM traffic: sent to STRM
- Altor integration point, traffic mirroring to IPS: via the Juniper switch to the Juniper SRX with IPS
- NSM

Slide 55: CUSTOMER USE CASE: VIRTUAL DESKTOPS (VDI)
- Challenge: desktops can carry a lot of dirty apps; malware can easily propagate in a virtual environment from VM to VM and from VM host to host; access control and worm suppression are imperative for a VDI deployment
- Solution: Altor VF blocks worm outbreaks in the virtual environment; Juniper IPS + Altor VF can detect and block malware in physical and virtual environments

Slide 56: CUSTOMER USE CASE: COMPLIANCE
- Challenge: comply with PCI, SOX, FISMA, ISO27001 etc. mandates to enforce access control and separation of duties; comply with requirements for reporting and alerting on access activity; show the effectiveness of security controls for audits
- Solution, purpose-built firewalling: Altor's stateful VF sees all inter-VM traffic, enforces policy on VMs, and produces detailed reports on traffic, traffic flows and applied security
- Solution, virtual IPS: Altor VF integrates with STRM and NSM to send firewall events and NetFlow data and to mirror traffic to the Juniper IPS

Slide 57: CUSTOMER USE CASE: VIRTUAL DMZ
- Challenge: DMZ resources span many applications and services; all DMZ resources share an Internet-facing network, so security is critical; partner and customer extranets must be appropriately segmented and protected
- Solution: Altor can segment each VM or group of VMs with unique firewall policies; security zones are maintained with NO VLAN changes