Network Virtualization



  1. Network Virtualization. Claudia Hildebrandt, Systems Engineer/GSE, Sun Microsystems
  2. Agenda
     • The need for network virtualization
     • The network stack
     • VLANs and VLAN tagging
     • Link Aggregation
     • IP Multipathing
     • Network virtualization
       > Solaris Containers: Solaris Zones and virtual machines
       > VNICs with Solaris Zones and xVM
       > Logical Domains
     Property of Sun Microsystems
  3. The need for network virtualization
     • Service consolidation
       > Some services have minimum performance requirements, or a higher priority than others
     • Host consolidation
       > Users expect a minimal performance level per virtual host
     • Network infrastructure
       > Network functions need high throughput, scalability and separation
  4. Agenda: The Network Stack
  5. The Network Stack
  6. OpenSolaris: a new implementation
     • Assigning link names
     • The new implementation makes network administration more flexible in two ways:
       > Link and interface configurations are preserved even if the underlying hardware is removed. The same configurations can then be reapplied to any replacement NIC, provided the two NICs are of the same type.
       > Separating the network configuration from the network hardware configuration also allows customized link names at the data-link layer.
     • You can now use flexible names for data links. The device instance name is still derived from the underlying hardware and cannot be changed, but the data-link name is no longer bound to it.
  7. Example: Nic(k)names
       Hardware (NIC)   Device instance   Link's assigned name   IP interface
       ce               ce0               subitops0              subitops0
       qfe              qfe3              subitops1              subitops1
     • As the table indicates, the link of the ce0 device instance is assigned the name subitops0, while the link of the qfe3 instance is assigned the name subitops1. Such names let you readily identify links and their function on the system. In this example, the links have been designated to serve IT Operations.
  8. Other types of link configurations
  9. Link names and the dladm command
     • Subcommands of the dladm command have been created or modified to work with link names. For more detailed information about the dladm subcommands, refer to the dladm(1M) man page.
     • Existing dladm subcommands were also changed so that the following operations work with link names:
       > Creating link aggregations
       > Administering autopush link properties
  10. Agenda: Virtual Local Area Network
  11. Virtual Local Area Network (VLAN)
     • A virtual local area network (VLAN) is a subdivision of a local area network (LAN) at the data link layer of the TCP/IP protocol stack: hosts in different VLANs do not share a broadcast domain even when they are attached to the same switch.
     • You can create VLANs for local area networks that use switch technology.
     • By assigning groups of users to VLANs, you can improve network administration and security for the entire local network. The separation is enforced by the switches' port and trunk configuration: a host attached to a trunk port can still emit frames tagged for any VLAN the trunk carries, so treat VLAN membership as segmentation, not as an access control on its own.
     • You can also assign interfaces on the same system to different VLANs.
  12. VLAN Topology
  13. VLAN Tags
  14. Configuring a VLAN
       # dladm show-link
       LINK        CLASS  MTU   STATE  OVER
       subitops0   phys   1500  up     --
       ce1         phys   1500  up     --
       # dladm create-vlan -l subitops0 -v 7 sales
       # dladm show-vlan
       LINK   VID  OVER       FLAGS
       sales  7    subitops0  ----
       # dladm show-link
       LINK        CLASS  MTU   STATE  OVER
       subitops0   phys   1500  up     --
       ce1         phys   1500  up     --
       sales       vlan   1500  up     subitops0
       # ifconfig sales plumb up
       # echo > /etc/hostname.sales
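What `dladm create-vlan -v 7 sales` actually puts on the wire is a 4-byte IEEE 802.1Q tag between the source MAC and the EtherType. The following is an added example (not from the original slides and not Solaris code) that builds and parses tagged frames and models how the MAC layer steers a received frame to the VLAN link whose VID matches. The `demux` function, the link names `subitops0`/`sales` and the sample MAC addresses are constructed for illustration; the assumption that a frame tagged with a VID for which no VLAN link exists is dropped is the example's, not something the slides state.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, payload, ethertype=0x0800, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame (no FCS).

    vid=None gives an untagged frame.  Otherwise a 4-byte 802.1Q tag
    (TPID 0x8100 followed by the 16-bit TCI) is inserted between the source
    MAC and the EtherType.  TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:          # 0 = priority-only tag, 4095 = reserved
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the frame's fields; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": 0, "dei": 0,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 0x1, "ethertype": inner, "payload": frame[18:]}


def demux(frame, vlan_links, phys_link="subitops0"):
    """Pick the data link that receives a frame arriving on phys_link.

    vlan_links maps VID -> VLAN link name, e.g. {7: "sales"} after
    'dladm create-vlan -l subitops0 -v 7 sales'.  Untagged frames belong to
    the physical link, tagged frames to the matching VLAN link, and a tag
    with no matching VLAN link is dropped (None).  Assumed model, not the
    Solaris implementation.
    """
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return phys_link
    return vlan_links.get(vid)


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")     # constructed sample addresses
    src = bytes.fromhex("00aabbccddee")
    frame = build_frame(dst, src, b"\x45" + b"\x00" * 19, vid=7, pcp=5)
    print(frame[12:18].hex())              # the tag and EtherType: 8100a0070800
    print(demux(frame, {7: "sales"}))      # sales
```

Reading the tag bytes back is the quickest way to confirm what a capture on the physical link shows: `81 00` is the TPID, `a0 07` is PCP 5 with VID 7, and `08 00` is the IPv4 EtherType that follows the tag.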
  15. Agenda: Link Aggregation
  16. Link Aggregation
     • The Solaris OS supports organizing network interfaces into link aggregations.
     • A link aggregation consists of several interfaces on a system that are configured together as a single logical unit.
     • Link aggregation, also referred to as trunking, is defined in the IEEE 802.3ad Link Aggregation Standard.
       > IEEE 802.3ad provides a method to combine the capacity of multiple full-duplex Ethernet links into a single logical link. The link aggregation group is then treated as though it were a single link.
  17. Features
     • Increased bandwidth
     • Automatic failover/failback
     • Load balancing
     • Support for redundancy
     • Improved administration
     • Less drain on the network address pool
  18. Link Aggregation: example 1
     • For systems that run an application with distributed heavy traffic, you can dedicate an aggregation to that application's traffic.
     • For sites with limited IP address space that nevertheless require large amounts of bandwidth, you need only one IP address for a large aggregation of interfaces.
     • For sites that need to hide the existence of internal interfaces, the IP address of the aggregation hides its interfaces from external applications.
  19. Link Aggregation: example 2
     • Link aggregation with a switch
     • The switch must be aggregation capable
     • Redundant systems
     • High availability
  20. Back-to-back Link Aggregation
     • The back-to-back link aggregation topology involves two separate systems that are cabled directly to each other.
     • The systems run parallel aggregations.
     • Used for mirrored database servers
     • And in datacenters
  21. Agenda: IP Multipathing
  22. IP Multipathing (IPMP)
     • Why you should use IPMP
     • With IPMP, one or more IP interfaces can be configured into an IPMP group
     • An interface or a switch can fail
       > High availability
       > Network connectivity stays available
     • Network performance
       > Load spreading (outbound)
  23. Comparison: IPMP and Link Aggregation
     Network technology type: IPMP = Layer 3 (network layer); Link Aggregation = Layer 2 (data link layer)
     Configuration tool: IPMP = ifconfig; Link Aggregation = dladm
     Link-based failure detection: IPMP = supported; Link Aggregation = supported
     Probe-based failure detection: IPMP = ICMP-based, targeting any defined system in the same IP subnet as the test addresses, across multiple levels of intervening layer 2 switches; Link Aggregation = based on the Link Aggregation Control Protocol (LACP), targeting the immediate peer host or switch
     Use of standby interfaces: IPMP = supported; Link Aggregation = not supported
     Span multiple switches: IPMP = supported; Link Aggregation = generally not supported (some vendors provide proprietary, non-interoperable solutions to span multiple switches)
     Hardware support: IPMP = not required; Link Aggregation = required (for example, a link aggregation on a system running the Solaris OS requires that the corresponding ports on the switch also be aggregated)
     Link layer requirements: IPMP = broadcast capable; Link Aggregation = Ethernet specific
     Driver framework requirements: IPMP = none; Link Aggregation = must use the GLDv3 framework
     Load spreading support: IPMP = present, controlled by the kernel (inbound load spreading is indirectly affected by source address selection); Link Aggregation = finer-grained administrator control over load spreading of outbound traffic through the dladm command; inbound load spreading supported
  24. IPMP Example
  25. Interface failure in IPMP
  26. Agenda: Network Virtualization Terms and Definitions
  27. Network virtualization
     • Network virtualization is the process of combining hardware network resources and software network resources into a single administrative unit. The goal of network virtualization is to provide systems and users with efficient, controlled and secure sharing of the networking resources.
     • The end product of network virtualization is the virtual network. Virtual networks fall into two broad types, external and internal.
       > External virtual networks consist of several local networks that are administered by software as a single entity. The building blocks of classic external virtual networks are switch hardware and VLAN software technology. Examples of external virtual networks include large corporate networks and data centers.
       > An internal virtual network consists of one system using virtual machines or zones that are configured over at least one pseudo-network interface. These containers can communicate with each other as though on the same local network, providing a virtual network on a single host.
     • The building blocks of the virtual network are virtual network interface cards, or virtual NICs (VNICs), and virtual switches.
     • Solaris network virtualization provides the internal virtual network solution.
  28. Network virtualization with containers
     • Virtual machines and zones
       > A virtual machine is a container with its own kernel and IP protocol stack
       > A zone is a container that provides an isolated environment for running applications
     • Non-global zones and exclusive-IP zones
     • OpenSolaris VNICs (Project Crossbow)
     • LDoms virtual machines
     • Sun xVM virtual machines
     (Diagram: containers 1 to 5 on a Sun CoolThreads server; container 3 is an xVM virtual machine (SXE xvm), containers 4 and 5 are LDom 1 and LDom 2.)
  29. Agenda: Network Virtualization: VNICs (Crossbow)
  30. VNICs
     • OpenSolaris 2008.11 (Project Crossbow)
     • A VNIC is a virtual network device with the same data-link interface as a physical interface. You configure VNICs on top of a physical interface. For the current list of physical interfaces that support VNICs, refer to the Network Virtualization and Resource Control FAQ.
     • You can configure up to 900 VNICs on a single physical interface. Once configured, VNICs behave like physical NICs, and the system's resource management treats them as if they were physical NICs.
     • Each VNIC is implicitly connected to a virtual switch that corresponds to the physical interface.
     • The virtual switch provides the same connectivity between VNICs on a virtual network that switch hardware provides for the systems connected to a switch's ports.
  31. Internal virtual network
  32. Crossbow Network Virtualization
     • Carve a 1 Gb/s or 10 Gb/s hardware NIC up into multiple virtual NICs
     • Crossbow NIC virtualization is provided by the MAC layer and the VNIC pseudo driver
     • MAC layer: core virtualization, resource partitioning and virtual switching, leveraging hardware classification
     • VNIC driver: exposes virtual NICs that appear to the system as regular NICs
  33. Crossbow Virtual NICs example
  34. Crossbow VNICs
     • Implemented as a pseudo Nemo/GLDv3 MAC driver
     • Managed through dladm(1M)
     • Exposes virtual network devices that can be used like any regular NIC
     • VNICs can be assigned to zones or virtual machines (e.g. xVM)
     • VNICs are based on the virtualized MAC layer; each VNIC corresponds to a MAC client
     • VNIC pass-through for the data path and most of the control path, for better performance
  35. Crossbow virtual switching
     • The MAC layer provides packet switching semantics equivalent to an Ethernet switch
     • A virtual switch is created implicitly as soon as two or more MAC clients exist on a NIC
     • Provides a local data path at the MAC layer between MAC clients (e.g. VNICs, a plumbed NIC) defined on the same NIC; traffic between them never leaves the host
     • Provides connectivity between MAC clients and the external network
     • Distributes broadcast and multicast packets to local MAC clients and to external hosts
  36. Fully virtual networks
     • Virtual switches on top of physical NICs
       > Constrained by the availability of physical NICs
     • VNICs can be created on top of etherstubs instead of regular NICs
       > An etherstub is a special NIC with no underlying hardware
       > As with physical NICs, VNICs created on top of the same etherstub are connected through a virtual switch
       > Because an etherstub has no uplink, VNICs on it can only reach each other: a fully virtual network that is unreachable from the physical wire
       > Unlimited number of etherstubs
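The forwarding rules of the virtual switch (slide 35) and the difference between a switch over a physical NIC and one over an etherstub (slide 36) can be made concrete with a small model. The following is an added example, not Crossbow code and not from the original slides: the `VirtualSwitch` class, the client and link names (`vnic0`..`vnic3`, `e1000g0`, `etherstub0`) and the locally administered MAC addresses are constructed for illustration. It implements the three rules the slides state: local unicast is delivered only to the matching MAC client, unknown unicast goes to the wire if there is one, and broadcast/multicast goes to every other local client plus the wire.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Bit 0 of the first octet set means broadcast or multicast."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class VirtualSwitch:
    """MAC-layer virtual switch implicitly created for one NIC or etherstub.

    uplink is the physical NIC name, or None for an etherstub: there is no
    hardware behind it, so nothing can leave the host through it.
    """
    name: str
    uplink: Optional[str] = None
    clients: Dict[str, str] = field(default_factory=dict)   # client -> MAC

    def add_client(self, client: str, mac: str) -> None:
        """Attach a MAC client (a VNIC or a plumbed NIC) to this switch."""
        mac = mac.lower()
        if mac in self.clients.values():
            raise ValueError(f"{mac} is already in use on {self.name}")
        self.clients[client] = mac

    def forward(self, src_client: str, dst_mac: str) -> List[str]:
        """Return the sorted list of receivers of one frame.

        Local receivers are client names; 'external:<nic>' stands for the
        frame leaving the host through the physical NIC.
        """
        if src_client not in self.clients:
            raise KeyError(f"{src_client} is not a client of {self.name}")
        dst_mac = dst_mac.lower()
        if is_group_address(dst_mac):
            # broadcast/multicast: every other local client, plus the wire
            out = [c for c in self.clients if c != src_client]
            if self.uplink:
                out.append(f"external:{self.uplink}")
            return sorted(out)
        for client, mac in self.clients.items():
            if mac == dst_mac and client != src_client:
                return [client]          # local unicast never reaches the wire
        # unknown unicast: only the physical network can hold that station
        return [f"external:{self.uplink}"] if self.uplink else []


def build_demo():
    """Constructed topology: one switch over a NIC, one over an etherstub."""
    nic = VirtualSwitch("e1000g0-switch", uplink="e1000g0")
    nic.add_client("vnic0", "02:08:20:00:00:01")      # e.g. zone web
    nic.add_client("vnic1", "02:08:20:00:00:02")      # e.g. zone app
    stub = VirtualSwitch("etherstub0-switch")          # fully virtual network
    stub.add_client("vnic2", "02:08:20:00:00:03")
    stub.add_client("vnic3", "02:08:20:00:00:04")
    return nic, stub


if __name__ == "__main__":
    nic, stub = build_demo()
    print(nic.forward("vnic0", "02:08:20:00:00:02"))   # ['vnic1']
    print(nic.forward("vnic0", BROADCAST))             # ['external:e1000g0', 'vnic1']
    print(stub.forward("vnic2", "02:08:20:00:00:01"))  # [] : stays inside the host
```

Two consequences worth noticing when placing zones: every VNIC on the same switch receives the others' broadcast traffic (ARP included), and a frame from an etherstub VNIC addressed to a station on the physical network is simply dropped, which is exactly the isolation a fully virtual network is meant to give.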
  37. Example etherstub
  38. Crossbow virtual switching example
  39. High Availability on Virtual Networks
     • Solaris provides high availability through IP Multipathing (IPMP) and Link Aggregation
     • Link Aggregation (IEEE 802.3ad):
       > Aggregates multiple Ethernet ports at layer 2
       > VNICs can be created on top of aggregations
       > HA is provided transparently to domains and zones
     • IPMP
       > Groups layer 3 IP interfaces
       > IPMP groups can be created on top of VNICs by the domains and zones themselves
  40. Virtual Network Machines
     • A Virtual Network Machine (VNM) is a zone or virtual machine associated with a set of network functions (routing, firewalling, load balancing, etc.)
     • A single general-purpose machine can run multiple VNMs
     • Dedicated bandwidth, kernel and hardware resources per VNM
     • Enables the consolidation of network devices
     • Framework open to third-party ISVs
  41. Virtual Network Machines
  42. Resource Controls
     • Allow the assignment of bandwidth limits and priorities to MAC clients (e.g. VNICs) and to flows (e.g. protocols, services or connections)
     • The MAC layer enforces bandwidth by polling the hardware, or by tail dropping when shared resources are used
     • Limits and priorities are specified
       > by system administrators through dladm(1M) and flowadm(1M)
       > by applications using setsockopt()
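To see what a per-flow bandwidth limit with tail dropping does to an offered load, here is an added example (not from the original slides and not the MAC layer's implementation) that classifies a constructed packet trace into flowadm-style flows and enforces each flow's maximum bandwidth with a token bucket, dropping rather than queueing what does not fit. The `Flow`/`Packet` types, the 100 ms burst allowance, the flow names and the trace itself are assumptions of the example; only the maximum-bandwidth limit is modelled, not priorities.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts_us: int        # arrival time in microseconds
    dst_port: int
    size: int         # bytes on the wire


@dataclass
class Flow:
    """A flowadm-style flow: a classifier plus an optional bandwidth cap."""
    name: str
    dst_port: Optional[int]      # None matches everything (catch-all flow)
    maxbw_bps: Optional[int]     # bits per second; None = unlimited
    burst_us: int = 100_000      # assumed: credit accumulates for at most 100 ms


class TokenBucket:
    """Rate limiter in bytes; integer arithmetic keeps the result exact."""

    def __init__(self, maxbw_bps: int, burst_us: int, start_us: int):
        self.rate = maxbw_bps // 8                   # bytes per second
        self.cap = self.rate * burst_us // 1_000_000  # bucket size in bytes
        self.tokens = self.cap                        # start with a full bucket
        self.last = start_us

    def admit(self, ts_us: int, size: int) -> bool:
        # refill in proportion to elapsed time, never beyond the burst size
        self.tokens = min(self.cap, self.tokens + self.rate * (ts_us - self.last) // 1_000_000)
        self.last = ts_us
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                                  # tail drop, nothing is queued


def classify(pkt: Packet, flows: List[Flow]) -> Flow:
    """First matching flow wins, like an ordered flow table."""
    for f in flows:
        if f.dst_port is None or f.dst_port == pkt.dst_port:
            return f
    raise LookupError("no matching flow")


def enforce(packets: List[Packet], flows: List[Flow]) -> Dict[str, Tuple[int, int]]:
    """Run the trace; return {flow name: (accepted, dropped)} packet counts."""
    buckets: Dict[str, TokenBucket] = {}
    stats = {f.name: [0, 0] for f in flows}
    for pkt in sorted(packets, key=lambda p: p.ts_us):
        f = classify(pkt, flows)
        if f.maxbw_bps is None:
            ok = True
        else:
            bucket = buckets.get(f.name)
            if bucket is None:
                bucket = buckets[f.name] = TokenBucket(f.maxbw_bps, f.burst_us, pkt.ts_us)
            ok = bucket.admit(pkt.ts_us, pkt.size)
        stats[f.name][0 if ok else 1] += 1
    return {name: (acc, drop) for name, (acc, drop) in stats.items()}


def demo_trace() -> List[Packet]:
    """Constructed trace: 1500-byte packets to port 80 every 1 ms (12 Mbit/s
    offered) interleaved with a trickle of small packets to port 22."""
    pkts = [Packet(i * 1_000, 80, 1500) for i in range(100)]
    pkts += [Packet(i * 10_000 + 500, 22, 200) for i in range(10)]
    return pkts


# equivalent in spirit to: flowadm add-flow -l vnic0 -a transport=tcp,local_port=80
#                          -p maxbw=1M http-flow
FLOWS = [Flow("http-flow", 80, 1_000_000), Flow("default", None, None)]

if __name__ == "__main__":
    print(enforce(demo_trace(), FLOWS))   # {'http-flow': (16, 84), 'default': (10, 0)}
```

With a 1 Mbit/s cap the web flow keeps its initial 100 ms burst (nine full-size packets) and then settles at one packet every 12 ms, which is exactly 125 000 bytes per second; the unlimited catch-all flow is untouched, which is the point of putting a limit on one flow rather than on the whole link.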
  43. Agenda: Network Virtualization: Solaris Zones and IP Instances
  44. IP Instances
     • Allow a zone to have its own exclusive IP instance (separate routing, ARP, IPsec, IP Filter, etc.)
     • Make it possible to keep a management network separate from the data network
     • VLANs can be attached to different zones with no IP leakage between them
     • Per-zone network configuration (routing tables, transport tunables, IPsec configuration, etc.)
     • IP Filter between zones
  45. Non-global zones and exclusive IP
     • A zone can either share the IP instance with the global zone, which is the default, or have its own exclusive instance of IP.
     • Shared-IP
       > One or more zones share one NIC. Each shared-IP zone that requires network connectivity has one or more unique IP addresses. Both IPv4 and IPv6 addresses are supported.
     • Exclusive-IP
       > Inside an exclusive-IP zone, configure addresses as you do for the global zone. DHCP and IPv6 stateless address autoconfiguration can be used to configure addresses.
     • See zonecfg(1M)
  46. Example: shared IP
       example# zonecfg -z myzone3
       my-zone3: No such zone configured
       Use 'create' to begin configuring a new zone.
       zonecfg:myzone3> create
       zonecfg:myzone3> set zonepath=/export/home/my-zone3
       zonecfg:myzone3> set autoboot=true
       zonecfg:myzone3> add fs
       <...>
       zonecfg:myzone3> add net
       zonecfg:myzone3:net> set address=
       zonecfg:myzone3:net> set physical=eri0
       zonecfg:myzone3:net> end
       zonecfg:myzone3> add net
       zonecfg:myzone3:net> set address=
       zonecfg:myzone3:net> set physical=eri0
       zonecfg:myzone3:net> end
       zonecfg:myzone3> add net
       zonecfg:myzone3:net> set address=
       zonecfg:myzone3:net> set physical=eri0
       zonecfg:myzone3:net> end
       zonecfg:myzone3> exit
  47. Example 3: creating an exclusive-IP zone
     The following example creates a zone that is granted exclusive access to bge1 and bge33000 (the legacy VLAN-naming form for VLAN 33 on bge0) and that is isolated at the IP layer from the other zones configured on the system. The IP addresses and routing are configured inside the new zone using sysidtool(1M).
       example# zonecfg -z excl
       excl: No such zone configured
       Use 'create' to begin configuring a new zone
       zonecfg:excl> create
       zonecfg:excl> set zonepath=/export/zones/excl
       zonecfg:excl> set ip-type=exclusive
       zonecfg:excl> add net
       zonecfg:excl:net> set physical=bge1
       zonecfg:excl:net> end
       zonecfg:excl> add net
       zonecfg:excl:net> set physical=bge33000
       zonecfg:excl:net> end
       zonecfg:excl> exit
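The isolation promised by an exclusive-IP zone depends on the data links it is granted being used by no other zone. The following is an added example (not from the original slides and not Solaris code) that parses zonecfg-style configurations for several zones and flags the configurations that would undermine the separation the two examples above set up: a link handed to an exclusive-IP zone that another zone also uses, a shared-IP net resource without an address, and an address set on an exclusive-IP zone's net resource, which is configured inside the zone instead. The input format is constructed: the `export` command streams of several zones concatenated, each introduced by a `zonecfg -z <name>` line; the zone names and links in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample: the web zone shares eri0 with the global zone, the excl
# zone mirrors slide 47, and a second exclusive-IP zone mistakenly reuses bge1.
SAMPLE = """
zonecfg -z web
create -b
set zonepath=/export/zones/web
add net
set address=192.0.2.10/24
set physical=eri0
end
zonecfg -z excl
create -b
set zonepath=/export/zones/excl
set ip-type=exclusive
add net
set physical=bge1
end
add net
set physical=bge33000
end
zonecfg -z db
create -b
set zonepath=/export/zones/db
set ip-type=exclusive
add net
set physical=bge1
end
"""


def parse_zonecfg_export(text: str) -> Dict[str, dict]:
    """Return {zone: {"ip-type": ..., "net": [{"physical": ..., "address": ...}]}}.

    Only the properties this check needs are kept; everything else is ignored.
    ip-type defaults to 'shared', as zonecfg does.
    """
    zones: Dict[str, dict] = {}
    cur = None
    res = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"zonecfg -z (\S+)$", line)
        if m:
            cur = zones.setdefault(m.group(1), {"ip-type": "shared", "net": []})
            res = None
            continue
        if cur is None:
            raise ValueError(f"property before any zone header: {line}")
        if line == "add net":
            res = {"physical": None, "address": None}
            cur["net"].append(res)
        elif line == "end":
            res = None
        elif line.startswith("set "):
            key, _, val = line[4:].partition("=")
            if res is not None:
                if key in res:
                    res[key] = val
            elif key == "ip-type":
                cur["ip-type"] = val
    return zones


def check_isolation(zones: Dict[str, dict]) -> List[str]:
    """Findings that would break the separation the configuration implies."""
    findings: List[str] = []
    users: Dict[str, List[str]] = {}            # link -> zones using it
    for zone, cfg in zones.items():
        exclusive = cfg["ip-type"] == "exclusive"
        for n in cfg["net"]:
            if not n["physical"]:
                findings.append(f"{zone}: net resource without a physical link")
                continue
            users.setdefault(n["physical"], []).append(zone)
            if exclusive and n["address"]:
                findings.append(f"{zone}: address set on exclusive-IP link {n['physical']} (configure it inside the zone)")
            if not exclusive and not n["address"]:
                findings.append(f"{zone}: shared-IP net resource {n['physical']} has no address")
    for link, zs in users.items():
        if len(zs) > 1 and any(zones[z]["ip-type"] == "exclusive" for z in zs):
            findings.append(f"{link}: used by {', '.join(sorted(zs))}; an exclusive-IP zone needs the link to itself")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_isolation(parse_zonecfg_export(SAMPLE)):
        print(finding)          # bge1: used by db, excl; an exclusive-IP zone needs the link to itself
```

Run against the real `zonecfg -z <zone> export` output of every zone on a host (with the header lines added), this is a cheap way to confirm that the links behind "no IP leakage between zones" really are dedicated before trusting the zone boundary.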
  48. Solaris Zones (diagram). The global zone (v1280-room3-rack12-2, root /) hosts three non-global zones: a web zone (root /zone/web) with a web service project (Apache 1.3.22), a proxy project and a system project (inetd, sshd); an app_server zone (root /zone/app) with a jes project (j2se), an app users project (sh, bash, prstat) and a system project (inetd, sshd); and a database zone (root /zone/mysql) with a mysql project (mysqld), a dba users project (sh, bash, prstat) and a system project (login, BSM). The global zone runs environment and application system services (patrol), audit services (auditd), security services, a crypto project (ssl), zone management (zonecfg, zoneadm, zlogin, with one zoneadmd per zone), core services (inetd, rpcbind, sshd, ...), remote admin/monitoring (SNMP, SunMC, WBEM) and platform administration (syseventd, devfsadm, ifconfig, ...). Each zone gets a zcons virtual console and a /usr from the global zone, and the logical interfaces hme0:1, hme0:2, ce0:1, ce0:2 and ce1:1 over the physical devices hme0, ce0 and ce1, which sit alongside the storage complex and the platform console.
  49. Agenda: Network Virtualization: VNICs and xVM Server
  50. Crossbow and xVM x64 Server
  51. Crossbow and LDoms
  52. Agenda: Network Virtualization: VNICs and LDoms
  53. Virtual Machine for SPARC
     • Thin software layer between the OS and the platform hardware
     • Hypervisor plus the sun4v interface
     • Virtualizes the machine hardware and isolates the OS from the register level
     • Delivered with the platform, not with the OS
     • Not itself an OS
  54. Logical Domains (LDoms)
     • Virtualized I/O
     • Service domain
       > Owns a physical device
       > Exports a device service to other domains
       > A platform can have several service domains
     • Device services are accessed through virtual devices
       > A virtual device emulates the real device
       > I/O is forwarded to the service domain
       > The service domain interacts with the physical device
     • Current virtual devices and device services: disk, network, console
  55. Virtualized I/O: virtual network (diagram). A service domain owns the physical NICs e1000g0 to e1000g3, attached under /pci@780 and /pci@7c0, through their device drivers and exports a virtual switch (vsw); logical domains 1 and 2 run their applications over vnet virtual devices connected to that switch. The domains run at the privileged level, the hypervisor at the hyperprivileged level directly above the hardware.
  56. Virtual network switch
     • Layer 2 switch
       > Handles unicast and broadcast packets
     • Enables domains to connect directly for domain-to-domain traffic
     • For VLANs: simply create an additional virtual switch
     • Connects to a NEMO-compliant device driver for the external network connection
     • Provides a NEMO-compliant driver interface
       > Use the service domain's kernel for layer 3: routing, packet filtering, NAT, firewalling
  57. Virtual LANs
  58. Redundancy (Multipath I/O)
  59. Thank You! Claudia Hildebrandt
  60. Network virtualization: sources
     - Text and images were mostly copied from the System Administration Guide: Network Interfaces and Network Virtualization
     - Some images and slides are from Nicolas Droux's presentation "Crossbow Network Virtualization and Resource Partitioning"
     - Images regarding LDoms and vnet are from the presentation Martin Mueller gave at the Partner University 2007; others are from the presentation "LDoms: Logical Domains Technical Overview" by Alexandre Chartre, Solaris RPE
  61. Helpful Links: Crossbow, LDoms