* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download meetings.apnic.net
Asynchronous Transfer Mode wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer network wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Airborne Networking wikipedia , lookup
Computer security wikipedia , lookup
Nonblocking minimal spanning switch wikipedia , lookup
Wireless security wikipedia , lookup
Network tap wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Service-oriented architecture implementation framework wikipedia , lookup
NETWORKING SOLUTIONS FOR A SERVER VIRTUALIZATION ENVIRONMENT APRICOT 2011 Russell Cooper [email protected] WHAT YOU WILL GET FROM THIS SESSION 1. Talk: about challenges Server Virtualization technologies brings for the data center networks. 2. Demonstrate: standards based approach, where available, to improve the experience and economics in a virtualized environment. 2 AGENDA 1. Market Drivers 2. Limitations of legacy network 3. Solutions Simplification Infrastructure Enhanced services 4. Summary 3 THE EVOLUTION OF SERVER VIRTUALIZATION PHASE 1 PAST PHASE 2 FUTURE Server Consolidation Business Agility Guiding Principle: Improve utilization of physical resources Guiding Principle: : Improve utilization of a pool of resources Driver: Power and space Improvements in server utilization Savings Driver: Adapt quickly to new demands Heightened compliance & security Better disaster management Cloud Based Computing Models Network had no role 4 Network has a huge role LEGACY NETWORKS RESTRICT AGILITY COMPLEX: Too Many Devices to Manage Additional virtual switches LACK OF ADDITIONAL SERVICES: INFRASTRUCTURE: POOR PERFORMANCE Multiple layers Across North-South path MOBILITY: North-south path Scale & scope of L2 adjacencies Across sites PROPRIETARY: Pre-standard protocols SECURITY: Silo’ed , unavailable across domains IntraVM traffic NIC 5 NIC VM1 VM2 VM3 VM1 VM2 VM3 SERVER 1 SERVER 2 MANAGEABILITY: Orchestration between the physical and virtual network NETWORK SIMPLIFICATION FOR SUPPORTING SERVER VIRTUALIZATION COMPLEX: Too Many Devices toSIMPLIFICATION Manage Additional virtual switches LACK OF ADDITIONAL ENHANCED SERVICES SERVICES: NEEDED INFRASTRUCTURE INFRASTRUCTURE: THAT IS: POOR PERFORMANCE HIGH Multiple layers PERFORMANCE Across North-South path MOBILITY: North-south path Scale & scope of L2 MOBILITY adjacencies Across sites PROPRIETARY: OPEN, Pre-standard STANDARDS protocols Interoperability BASED Lock-in SECURITY: Silo’ed , unavailable across domains IntraSECURITY VM traffic 6 NIC NIC VM1 VM2 VM3 VM1 VM2 VM3 SERVER 1 SERVER 2 MANAGEABILITY: Orchestration MANAGEABILITY between the physical and virtual network NETWORK DEVICE CLUSTERING SIMPLIFICATION Fewer devices to manage: 44 -> 4 BEFORE 7 AFTER TECHNOLOGY APPROACHES Control Plane Unification Facts Simplify operations Behaves as a single node both at L2 & L3 layers so it inherits all benefits found in L2 Table Synch approach Multiple Devices – One Control Plane 8 L2 Table Synch Facts Distributed link aggregation (LAG) plus some L2/L3 protocols enhancements to minimize interchassis link load Multiple Devices – Enhanced Protocols OPEN STANDARDS BASED SIMPLIFICATION INFRASTRUCTURE THAT IS: ENHANCED SERVICES NEEDED HIGH PERFORMANCE MOBILITY OPEN, STANDARDS BASED SECURITY MANAGEABILITY 9 COMMUNICATION BETWEEN THE VIRTUAL MACHINES NIC VM1 VM2 NIC VM3 1. In the hypervisor vendor’s switch(e.g. VM Ware vSwitch) 10 VM1 VM2 2. In the NIC NIC VM3 VM1 VM2 VM3 3. In the existing external physical switch (VEPA) COMPARING VEPA AND VEB Network services in hardware Physical switch NIC NIC Hypervisor/software switch Network services in software VM1 11 VM2 VM3 VM1 VM2 VM3 Virtual Ethernet Port Aggregator (VEPA) Virtual Ethernet Bridge (VEB) North – South optimized Full functioned hardware switch East – West optimized Limited function software switch COMPARISON OF OPTIONS Switching done in Feature Richness Customer’s Time to adopt solution Customers’ Cost to adopt 2 3 vSwitch NIC VEPA Software Hardware Hardware Low High Unknown Low - simple software upgrade Unknown Free - software upgrade Very Low Low – comes inbuilt with hypervisor Low – comes with hypervisor Compatibility with any existing network Yes Unknown Yes Latency for switching Very Low Very Low Low NA Unknown Yes Server admin Unknown Network Admin Industry support (standards based) Virtual switching managed by 12 1 VEPA Virtual Ethernet Port Aggregator Uses external physical network for intra- NIC VM1 VM2 VM3 server VM to VM communication It’s an evolving open standard IEEE 802.1Qbg / 802.1Qbh Supported by almost all the major IT vendors For more information http://www.ieee802.org/1/files/public/docs2 009/new-bg-thaler-par-1109.pdf http://www.ieee802.org/1/pages/802.1bg.ht ml VEPA brings the evolved Ethernet functionality to virtual networking 13 TOP 3 BENEFITS OF VEPA 14 Elegant Features & Scale VEPA is a non-disruptive and cost-effective Switching where it belongs – on the switches Open Server and hypervisor agnostic, maximum flexibility. HIGH PERFORMANCE SIMPLIFICATION INFRASTRUCTURE THAT IS: ENHANCED SERVICES NEEDED HIGH PERFORMANCE MOBILITY OPEN, STANDARDS BASED SECURITY MANAGEABILITY 15 LATENCY WITH LEGACY NETWORK Every hop adds additional latency Increases load on uplinks Requires VLANs to span multiple access switches to support VM migration A 16 B VIRTUALIZATION WITH CHASSIS CLUSTERING 10x latency improvement by eliminating trip to upper layers Single-point lookup model Works with any Hypervisor Clustered Access Switches A 17 B MOBILITY SIMPLIFICATION INFRASTRUCTURE THAT IS: ENHANCED SERVICES NEEDED HIGH PERFORMANCE MOBILITY OPEN, STANDARDS BASED SECURITY MANAGEABILITY 18 NETWORK REQUIREMENTS FOR VM MOBILITY IP network with 622 Mbps is required. The maximum latency between the two servers < 5 milliseconds (ms). Access to the IP subnet & data storage location Access from vCenter Server and vSphere Client. Same IP subnet & broadcast domain Layer 2 adjacency VLAN stretch 19 VM MIGRATION SCENARIOS Scenario #1 Scenario #2 Scenario #3 Within Same Data Center Data Centers in the same City - two different locations Data Centers in different Cities VPLS Clustered Access Switches Clustered Access Switches Data Center Data Center Clustered Access Switches Data Center Data Center Remember the vMotion Requirements! Bandwidth/Latency/IP Subnet/VLAN Rack A Rack A Layer 2 domain across racks 20 Layer 2 domain across fiber connected data centers Layer 2 domain across virtual private LAN RACK TO RACK RACK 1 RACK 2 Top-of-Rack / End-ofRow Clustered Switches NIC NIC Managed as a single device Automatic VLAN update propagation. Sub 10us latency VM1 21 VM2 VM3 VM4 VM5 POD TO POD Core Clustered Chassis Extends L2 domain across multiple Rows/Pods in a DC NIC NIC NIC NIC NIC NIC Clustered Access Switches Extends L2 adjacency to over 10,000 1GbE servers Eliminates STP VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 POD 1 22 POD N Core managed as a single device ACROSS DC/CLOUDS Routers With VPLS VPLS Over MPLS Cloud Routers with VPLS Core Switches Core Switches Extends L2 domain across DC /clouds Allows VM Motion across locations. NIC NIC NIC NIC Access NIC NIC Switches NIC NIC NIC NIC Access NIC NIC Switches VPLS can be provisioned or orchestrated using vendor tools and scripts VLAN to VPLS mapping VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 VM6 23 VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 DB/Storage mirroring MANAGEABILITY SIMPLIFICATION INFRASTRUCTURE THAT IS: ENHANCED SERVICES NEEDED HIGH PERFORMANCE MOBILITY OPEN, STANDARDS BASED SECURITY MANAGEABILITY 24 DC MANAGEABILITY CHALLENGES WITH SERVER VIRTUALIZATION B Physical n/w Network Admin A Virtual n/w 2. No automation/ orchestration to sync-up the 2 networks. A P VM1 VM2 VM3 P VM1 VM2 1. Blurred roles between the server and network admin. Server Admin 3. VM Migration can fail. 4. Proprietary products & protocols 25 ONE STEP ORCHESTRATION A Physical n/w A Network Admin A Orchestration Tools A A Virtual n/w 2. Automated orchestration between physical and virtual networks A P VM1 VM2 VM3 1. Clear roles and responsibilities P VM1 VM2 Server Admin 3. Scalable solution – allows VMs to move freely 4. Open Architecture 26 SECURITY SIMPLIFICATION INFRASTRUCTURE THAT IS: ENHANCED SERVICES NEEDED HIGH PERFORMANCE MOBILITY OPEN, STANDARDS BASED SECURITY MANAGEABILITY 27 SECURITY IMPLICATIONS OF VIRTUAL SERVERS PHYSICAL NETWORK VIRTUAL NETWORK VM1 VM2 VM3 ESX Host HYPERVISOR Firewall/IPS Inspects All Traffic Between Servers 28 Physical Security is “Blind” to Traffic Between Virtual Machines APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS 1. VLAN Segmentation 2. Agent-based Each VM in separate VLAN Each VM has a software firewall VMs can securely share VLANs Inter-VM communications must route through the firewall Drawback: Significant performance implications; Huge management overhead of maintaining software and signature on 1000s of VMs Inter-VM traffic always protected Drawback: Possibly complex VLAN networking VM1 VM2 VM3 High-performance from implementing firewall in the kernel Micro-segmenting capabilities VM1 VM2 VM3 VM1 HYPERVISOR FW Agents VM2 FW as Kernel Module HYPERVISOR VM3 ESX Host ESX Host ESX Host HYPERVISOR 29 3. Kernel-based Firewall INTRODUCING THE IDEA OF A STATEFUL KERNEL FIREWALL Hypervisor Kernel Stateful Firewall VM1 VM2 Purpose-built virtual firewall VM3 Secure Live-Migration (VMotion) ESX Host KERNEL VF Security for each VM by VM ID Fully stateful firewall Tight Integration with Virtual Platform Management, e.g. VMware vCenter Fault-Tolerant Architecture Security Policy Management Network Access Switch 30 Data Center Firewall Security Information And Event Management FOLLOW-ME POLICIES VM1 VM2 VM3 VM2 P o l i c y Access Switch 31 Data Centre Firewall KERNEL VF ESX Host ESX Host KERNEL VF VM3 When a VM migrates, the network policies of the VM are migrated to the new server port. Traffic between VMs still gets re-directed to the same appliance in the Services cluster P o l i c y No migration of services state is required Access Switch SUMMARY OF SOLUTIONS FOR SERVER VIRTUALIZATION SIMPLIFCATION: Fewer Devices to Manage Few Devices INFRASTRUCTURE: ADDITIONAL SERVICES Routers HIGH PERFORMANCE Few layers Clustered Switches MOBILITY: VPLS Clustered Switch domains Core Switch Clusters Data Center Firewalls OPEN: VEPA Standards Based Access Switch Clusters NIC NIC SECURITY: Kernel Stateful Firewalls Integration with DC FWs for follow me policies MANAGEABILITY: VEPA Orchestration Tools 32 VM1 VM2 VM3 VM1 VM2 VM3 SERVER 1 SERVER 2