
Assis Ngolo

Network Technologies Research Project

Network Virtualization Technologies

I have chosen this topic because not only is it very interesting to me, but I also see how it could improve the efficiency and usability of networks, large and small. The idea that network resources can be made granular enough that, instead of allocating very large amounts of resources or locking up limited hardware resources for specific tasks, they can be shared is very attractive, both for the IT personnel, who feel the strain directly, and for the end users, who see resources allocated more fairly and transparently.

Virtual Networks

It is no news that today, applications demand an enormous amount of resources from computer systems and the networks linking them, as data files and packets tend to increase in size while the applications become ever more time sensitive. Not all applications are so demanding, but they are so widely used that in a large network there can be tens of thousands of clients generating traffic. This creates a problem: networks are implemented with a single routing protocol, which is hardly ever effective for both high performance and scalability. Routing protocols today have to ensure reachability, scalability, traffic optimization, fast convergence, security and so on, so not all of these tasks will be implemented perfectly, and improvements in some usually come at the cost of decreased performance in other features. One solution would be for a network to run several protocols, each optimized for a specific type of application. An example would be voice communication, for which the network could run a different protocol or even a different network layer, with the data processing delegated to separate CPU resources. This could solve the convergence delay versus scalability compromise. On the issue of security versus reachability, two virtual networks could be used, with different access policies. Terminals could then connect to different virtual networks to perform different tasks or access different applications and services.

The network resources can then be managed from a central control plane, so that only the administrators see the different networks as well as the actual physical infrastructure, from which the users are abstracted.

Another benefit would be that administering several networks, each with a smaller number of applications, adds a modular factor to the IT process and makes it easier than managing one large complex

Network virtualization

Network virtualization is the process of configuring a network's physical and logical structure so that the logical structure is abstracted from the physical structure in a way that customers are unaware of. In essence, one network can be made to appear as many different networks, or vice versa. This allows resources to be either consolidated or segmented. Which option is chosen depends on how the network will be used. For example, if a company has several networks at various sites, but their respective users need to be on a common address space and share resources, these networks could be consolidated so that the geographical locations do not affect the users' experience. On the other hand, if a business needs to separate certain groups of users or customers, for example in a software development company where antivirus software is tested against malicious software, a lab would need to be implemented on a separate network from the rest of the company network. Although the same physical network might be used, the network could be separated logically, and even the addressing and routing rules could be different. There are many benefits to virtualizing networks, some of which have already been illustrated in this paragraph. Other benefits include reduced costs in setting up several networks and administering ...

There are several ways in which this can be achieved, one of which I will talk about in this paper.

Current state of vendor products for network virtualization technologies

Today, most enterprises go about virtualization in several different ways, one of which is the creation of campuswide VLANs.

Layer 2 Campuswide VLAN

This solution consists of creating a layer 2 domain, meaning that for every isolated group there is a VLAN spanning the entire physical network, hence the name campuswide VLANs.

There are a few drawbacks to this approach:

Spanning tree: this factor directly affects scalability, as the spanning tree algorithm gets very complex and quickly increases the risk of a layer 2 loop. For networks intended for smaller, closed groups, the network diameter is also large, and is a limiting factor for the spanning tree

Moreover, as the number of VLAN clients increases, so does the number of broadcasts, an effect that can be seen as an increase in CPU load on network and client devices, as well as a decrease in network performance. STP issues usually affect all groups in the network, as well as the business process of the

Layer 3 campuswide VLAN

Using layer 3 switching in the distribution layer solves the issues of the layer 2 solution mentioned above and results in a resilient, high performance network implementation. The only problem is that layer 3 switches tend to switch between all networks in a routing table, making it difficult to segment the various user groups. Access control mechanisms such as access control lists (ACLs), policy based routing (PBR) or overlay generic routing encapsulation (GRE) tunnels are good solutions to segment traffic from isolated groups, but they have drawbacks. For example, ACLs are stored in a single location, which could result in a leak and allow unauthorized groups or malware to access data from other groups. ACLs and PBR also have the issue that, although carefully choosing an addressing scheme greatly simplifies administration, changing end system addressing affects all network groups and the respective administrator within each group.

Layer 3 VPNs

There are two types of layer 3 VPNs, IP Security (IPSec) and Multiprotocol Label Switching (MPLS). IPSec focuses on point to point encryption, whereas MPLS focuses on logically separating networks sitting on a common physical infrastructure. MPLS has been used by service providers for around a decade, but enterprises only started embracing it around 2006, mainly because of the costs incurred and the fact that the technology was only available in carrier grade hardware. Since segmentation is implicitly built into MPLS, it offered a clear solution to Unique, the operator of Zurich airport. The airport harbors around 180 companies, offers work for about 20,000 individuals and transports about 18 million passengers per year. The need for a network that separates airport operations such as security scans and checks, baggage processing, internet kiosks, dedicated networks for airport service providers and the various constituents of an airport is obvious, and MPLS technology presents a solution. Closed groups are defined using different VPNs, which are transported independently over the core of the network using labels. This way, any VPN can be configured to be present in any location on the network without affecting the performance of the underlying physical network or its network design. Since the user groups are completely autonomous, flexibility of addressing is also implicitly supported: each VPN has its own virtual routing and forwarding (VRF) table, a separate routing table per VPN, allowing various routing protocols to run on a single physical network without overlapping one another, while addressing is independent and may even overlap between VPNs. If DNS, email and internet access are used, they would need to be provided on a per VRF basis.

In this setup, any Unique customer would be in a separate VPN, but would not need to be aware of that, or of the underlying structure. There would be any to any connectivity through the VRFs, and the speed requirements would range from a few Mbps to multiple Gigabit Ethernet ports.
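To make the VRF behaviour described above concrete (separate routing table per VPN, overlapping addressing allowed, shared services only reachable where their route is present in the VRF), here is an added toy model of per-VRF forwarding on a PE router. It is not code from the paper or from Cisco; the VRF names, prefixes, next hops and label numbers are constructed sample data.

```python
import ipaddress

# Added example (not from the paper or Cisco): a toy model of per-VRF
# forwarding on an MPLS PE router. VRF names, prefixes, next hops and
# label numbers are constructed sample data.

class Vrf:
    """One virtual routing and forwarding table: prefix -> next hop/label."""
    def __init__(self):
        self.routes = {}
    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop
    def lookup(self, dst):
        """Longest-prefix match confined to this VRF; None if unreachable."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

class PeRouter:
    """Each access interface is bound to one VRF; packets arriving on it are
    looked up only in that VRF, never in another VPN's table."""
    def __init__(self):
        self.vrfs = {}
        self.iface_vrf = {}
    def add_vrf(self, name):
        self.vrfs[name] = Vrf()
        return self.vrfs[name]
    def bind(self, iface, vrf_name):
        self.iface_vrf[iface] = vrf_name
    def forward(self, ingress_iface, dst):
        return self.vrfs[self.iface_vrf[ingress_iface]].lookup(dst)

def build_airport_pe():
    """Two closed groups with overlapping addressing plus one shared service."""
    pe = PeRouter()
    baggage = pe.add_vrf("BAGGAGE")
    kiosk = pe.add_vrf("KIOSK")
    # 10.1.0.0/24 exists in both VPNs; no conflict because the tables are separate.
    baggage.add_route("10.1.0.0/24", "label 201 via P1")
    kiosk.add_route("10.1.0.0/24", "label 305 via P2")
    # A shared DNS server is only reachable from a VRF that carries its route.
    baggage.add_route("192.0.2.53/32", "label 900 via P1")
    pe.bind("Vlan10", "BAGGAGE")
    pe.bind("Vlan20", "KIOSK")
    return pe
```

The same destination address is forwarded to a different label depending on the ingress VRF, and the kiosk VRF cannot reach the DNS server at all until its route is imported into that VRF.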

The Product

The product used by Unique to implement such a solution is the Cisco Catalyst 6500 Series Switch with Supervisor Engine 720, which would accommodate the following requirements:

o Network access across multiple distribution zones (such as operations of Unique itself, customs, baggage claim, travel agencies, etc.)
o Internet access for Internet kiosks that are scattered throughout airport terminals
o Building automation such as badge readers, parking meters, air conditioning, etc. spread all over the airport and connected to a central operations center
o Airline networks to gates, lounges, and check-in infrastructure
o Integration of SITA airport infrastructure and connectivity to the global SITA
o Video surveillance and x-ray scanners with multicast requirements
o Public WLAN (PWLAN) infrastructure covering all of the passenger area

The Cisco Catalyst 6500 Series Switch with Supervisor Engine 2 already offered MPLS VPN support with the additional use of Optical Services Modules (OSMs), but the Supervisor Engine 720 with integrated PFC3 introduced MPLS VPN support on LAN interfaces. Effectively, all LAN ports in the network could use hardware-based MPLS forwarding (PE or P router). Fabric enabled line cards could use optional DFC3s, which increased performance by supporting switching local to the line card, satisfying the highest levels of performance in the enterprise space.

Latest Developments

Although the solution mentioned above was implemented in 2006, the Cisco Catalyst 6500 switches are still in production and have had several improvements, such as IPv6 support. Another feature of these switches is the ability to add modules, such as wireless LAN and Firewall Services modules. Many of the changes also occur in the switch operating system, Cisco IOS.