This document discusses the evolution of network virtualization. It begins with an overview of using VLANs for network virtualization, which provides L2 isolation but has limitations around scalability and management. OpenFlow is presented as an early approach that uses a centralized controller but has performance impacts. The document then introduces network overlays using software-defined networking as a more advanced approach, allowing network services to be decoupled from physical network hardware for improved scalability, agility and fault tolerance. It provides an overview of using the Midokura network virtualization platform with OpenStack Neutron for network automation and management.

1. Evolu&on
of
Network
Virtualiza&on
Cloud
KC
MeetUp
August
2014

2. Agenda
▪ Network
Virtualiza&on
Requirements
▪ OpenFlow
vs.
Overlay
▪ Brief
Overview
of
OpenStack
and
Neutron
Networking
(OVS)
▪ Use
Cases
for
Network
Virtualiza&on
&
Midokura
Solu&on
1

3. 2
Network Virtualization
Requirements#

4. What is Network Virtualization (NV)?
3
Taking logical (virtual) networks
and services, and decoupling
them from the underlying network
hardware.
Well suited for highly virtualized
environments.
Any Application
Virtual Networks
Any Cloud Management Platform
MidoNet
Virtualiza&on
PlaOorm
Distributed
Firewall
Logical
L2
Existing Network Hardware
service
Distributed
Load
Balancer
ser
Distributed
VPN
Service
Logical
L3
KVM, ESXi, Xen LXC

5. Requirements for NV
4
Requirements
4
Tenant/Project A
Network A1
VM1 VM3
Network A2
VM5
Tenant/Project B
Network B1
VM2 VM4
uplink
Provider Virtual
Router (L3)
Tenant A
Virtual Router
Tenant B
Virtual Router
VM6
Virtual L2
Switch B1
Virtual L2
Switch A1
Virtual L2
Switch A2
TenantB office
Tenant B
VPN Router
Office
Network

6. Requirements for NV
5
Requirements
5
Tenant/Project A
Network A1
VM1 VM3
Network A2
VM5
Tenant/Project B
Network B1
VM2 VM4
uplink
Provider Virtual
Router (L3)
Tenant A
Virtual Router
Tenant B
Virtual Router
VM6
Virtual L2
Switch B1
Virtual L2
Switch A1
Virtual L2
Switch A2
TenantB office
Tenant B
VPN Router
Office
Network
Isolated tenant
networks
(virtual data center)

7. Requirements for NV
6
Requirements
6
Tenant/Project A
Network A1
VM1 VM3
Network A2
VM5
L3 Isolation
(similar to VPC and VRF)
Tenant/Project B
Network B1
VM2 VM4
uplink
Provider Virtual
Router (L3)
Tenant A
Virtual Router
Tenant B
Virtual Router
VM6
Virtual L2
Switch B1
Virtual L2
Switch A1
Virtual L2
Switch A2
TenantB office
Tenant B
VPN Router
Office
Network

8. Requirements for NV
Redundant, optimized, and
fault tolerant paths to to/
from external networks
(e.g. via eBGP)
7
Requirements
7
Tenant/Project A
Network A1
VM1 VM3
Network A2
VM5
Tenant/Project B
Network B1
VM2 VM4
uplink
Provider Virtual
Router (L3)
Tenant A
Virtual Router
Tenant B
Virtual Router
VM6
Virtual L2
Switch B1
Virtual L2
Switch A1
Virtual L2
Switch A2
TenantB office
Tenant B
VPN Router
Office
Network
Fault-tolerant devices and links

9. Requirements for NV
8
8
Tenant/Project A
Network A1
VM1 VM3
Network A2
VM5
Tenant/Project B
Network B1
VM2 VM4
uplink
Provider Virtual
Router (L3)
Tenant A
Virtual Router
Tenant B
Virtual Router
VM6
Virtual L2
Switch B1
Virtual L2
Switch A1
Virtual L2
Switch A2
TenantB office
Tenant B
VPN Router
Office
Network
Fault-tolerant devices and links
Fault tolerant
devices and links

10. Requirements for NV
9
Device-agnostic networking services:
• Load Balancing
• Firewalls
• Stateful NAT
• VPN
Networks and services must be fault
tolerant and scalable

11. Requirements for NV
10
Single pane of glass to manage it all.

12. Bonus Requirements for NV
11
Integration with cloud or
virtualization management
systems.
Optimize network by exploiting
management configuration.
Single virtual hop for networking
services
Fully distributed control plane
(ARP, DHCP, ICMP)

13. Checklist for Network Virtualization
12
q Multi-tenancy
q Scalable, fault-tolerant devices
(or device-agnostic network
services).
q L2 isolation
q L3 routing isolation
• VPC
• Like VRF (virtual routing
and fwd-ing)
q Scalable gateways
q Scalable control plane
• ARP, DHCP, ICMP
q Floating/Elastic Ips
q Stateful NAT
• Port masquerading
• DNAT
q ACLs
q Stateful (L4) Firewalls
• Security Groups
q Load Balancing with health checks
q Single Pane of Glass (API, CLI, GUI)
q Integration with management platforms
• OpenStack, CloudStack
• vSphere, RHEV, System Center
q Decoupled from Physical Network

14. Evolution of Network Virtualization
13
INNOVATION
IN
NETWORKING
AGILITY
VLAN
APPROACH
Manual End-to-End
VLAN configured
on physical switches
• Static
• Manual
• Complex
• Tenant state
maintained in
physical network
13

15. Using VLANs for NV
14
q Multi-tenancy
q Scalable, fault-tolerant devices
(or device-agnostic network
services).
ü L2 isolation
q L3 routing isolation
• VPC
• Like VRF (virtual routing
and fwd-ing)
q Scalable gateways
q Scalable control plane
• ARP, DHCP, ICMP
q Floating/Elastic IPs
q Stateful NAT
• Port masquerading
• DNAT
q ACLs
q Stateful (L4) Firewalls
• Security Groups
q Load Balancing with health checks
q Single Pane of Glass (API, CLI, GUI)
q Integration with management platforms
• OpenStack, CloudStack
• vSphere, RHEV, System Center
q Decoupled from Physical Network

16. Evolution of Network Virtualization
15
INNOVATION
IN
NETWORKING
AGILITY
OPENFLOW
REACTIVE
APPOACH
Reactive End-to-End
Requires programming
of flows
• Limited scalability
• Hard to manage
• Impact to
performance
• Still requires tenant
state in physical
network
VLAN
APPROACH
Manual End-to-End
VLAN configured
on physical switches
• Static
• Manual
• Complex
• Tenant state
maintained in
physical network
15

17. What is OpenFlow?
16
A communication protocol that gives access to the forwarding
plane of a network switch over the network.

18. What is OpenFlow?
17
A centralized remote controller
decides the path of packets
through the switches

19. Using OpenFlow for NV
18
ü Multi-tenancy
q Scalable, fault-tolerant devices
(or device-agnostic network
services).
ü L2 isolation
△ L3 routing isolation
• VPC
• Like VRF (virtual routing
and fwd-ing)
q Scalable gateways
q Scalable control plane
• ARP, DHCP, ICMP
q Floating/Elastic IPs
q Stateful NAT
• Port masquerading
• DNAT
q ACLs
q Stateful (L4) Firewalls
• Security Groups
q Load Balancing with health checks
△ Single Pane of Glass (API, CLI, GUI)
△ Integration with management platforms
• OpenStack, CloudStack
• vSphere, RHEV, System Center
q Decoupled from Physical Network

20. Evolution of Network Virtualization
19
PROACTIVE
INNOVATION
IN
NETWORKING
AGILITY
SOFTWARE OVERLAY
Virtual Network
Overlays
Decoupling hardware
and software
• Cloud-ready agility
• Unlimited scalability
• Open, standards-based
• No impact to physical
network
OPENFLOW
REACTIVE
APPOACH
Reactive End-to-End
Requires programming
of flows
• Limited scalability
• Hard to manage
• Impact to
performance
• Still requires tenant
state in physical
network
VLAN
APPROACH
Manual End-to-End
VLAN configured
on physical switches
• Static
• Manual
• Complex
• Tenant state
maintained in
physical network
19

21. 20
How do overlays achieve
real network
virtualization?

22. 21
Encapsulation and Tunneling
Provides isolation

23. 22
Stateless core. Stateful edge.

24. 23
Network processing at the edge
Decoupled from the physical network

25. 24
Virtual network changes don’t affect
the physical network

26. 25
Single virtual hop network services
avoid “traffic trombones”

27. 26
Centralized state and control for
maximum agility

28. 27
Scalable, fault tolerant gateways to
external networks

29. Using Overlays for NV
28
ü Multi-tenancy
ü Scalable, fault-tolerant devices
(or device-agnostic network
services).
ü L2 isolation
ü L3 routing isolation
• VPC
• Like VRF (virtual routing
and fwd-ing)
ü Scalable Gateways
ü Scalable control plane
• ARP, DHCP, ICMP
ü Floating/Elastic IPs
ü Stateful NAT
• Port masquerading
• DNAT
ü ACLs
ü Stateful (L4) Firewalls
• Security Groups
ü Load Balancing with health checks
ü Single Pane of Glass (API, CLI, GUI)
ü Integration with management platforms
• OpenStack, CloudStack
• vSphere, RHEV, System Center
ü Decoupled from Physical Network

30. 29
Sounds great, but when
will it be a reality?

31. Network Virtualization Overlays Today
30

32. OpenStack
31

33. What
is
OpenStack?
32

34. 33
Before
Neutron:
Nova
Networking
#
Nova-Networking was the only option in OpenStack prior to Quantum/Neutron.
Still available today as an alternative to Neutron, but will likely be phased out.
#
Options Available within nova-networking initially:
• Only Flat
• Flat DHCP
#
Limitations
• No flexibility with topologies (no 3-tier)
• Tenants can’t create/manage L3 Routers
• Scaling limitations (L2 domain)#
• No 3rd party vendors supported
• Complex HA model#

35. 34
Nova-­‐network
slightly
evolves
Introduced VLAN DHCP mode
Improvements:
• L2 Isolation – each project gets a
VLAN assigned to it
#
Limitations
• Need to pre-configure VLANs on
physical network.
• Scaling Limitations - VLANs
• No L3
• No 3-tier topologies
• No 3rd party vendors

36. Introducing
Neutron
35
OpenStack Networking as a first
class Service
#
• Pluggable Architecture
• Standard API
• Many choices#
#
Plugins Available!
• MidoNet!
• OVS Plugin
• Linux Bridges
• Flat DHCP
• VLAN DHCP#
• ML2
#
#
• Supports Overlay Technology
• More Services (LBaaS, VPNaaS)
• Flexible network topologies#
#
#
#
• NSX
• Plumgrid#
• Nuage#
• Contrail
• Ryu#

37. 36
OVS Plugin Overview#

38. OVS Agent - receives tunnel/flow setup info from OVS Plugin, and programs Open
vSwitch to setup tunnels and send traffic through the tunnel#
#
DHCP Agent - Sets up dnsmasq in a namespace per network/subnet and enters mac/
ip into dhcp lease file
#
L3 Agent – OVS Plugin orchestrates to set up IPTables, Routing, NAT tables#
37
OVS
Open
Source
Plugin

39. 38
Challenges
with
OVS
Plugin
Neutron Network Node is a SPOF#
Need to use corosync, etc for active/standby failover.
#
Challenging at Scale
Since there’s a single network node, this becomes a bottleneck fairly quickly.
!
Inefficient Networking
IPTables, L3 Agent, multiple hops for single flow are causing unnecessary traffic
and added latency on your physical network
!

40. 39
MidoNet Overview#

41. 40
MidoNet
Network
Virtualiza&on
PlaOorm
Logical
L2
Switching
-­‐
L2
isola&on
and
path
op&miza&on
with
distributed
virtual
switching
Interconnect
with
VLAN
enabled
network
via
L2
Gateway
Logical
L3
Rou&ng
–
L3
isola&on
and
rou&ng
between
virtual
networks
No
need
to
exit
the
so]ware
container
-­‐
no
hardware
required
Distributed
Firewall
–
Provides
ACLs,
high
performance
kernel
integrated
firewall
via
a
flexible
rule
chain
system
Logical
Layer
4
Load
Balancer
–
Provides
applica&on
load
balancing
in
so]ware
form
-­‐
no
need
for
hardware
based
firewalls
VxLAN/GRE
–
Provides
VxLAN
and
GRE
tunneling
Provides
L2
connec&vity
across
L3
transport.
This
is
useful
when
L2
fabric
doesn’t
reach
all
the
way
from
the
racks
hos&ng
the
VMs
to
the
physical
L2
segment
of
interest.
MidoNet/Neutron
API–
Alignment
with
OpenStack
Neutron’s
API
for
integra&on
into
compa&ble
cloud
management
so]ware
Any Application
OpenStack/Cloud Management System
MidoNet
Network
Virtualiza&on
PlaOorm
v
Distributed
Firewall
Layer
4
Load
Balancer
Logical
L2
Logical
L3
Any Network Hardware
VxLAN/GRE
Any Hypervisor
NAT
MidoNet
/
Neutron
API
NAT
–
Provides
Dynamic
NAT,
Port
masquerading

42. OpenStack
Integra&on
5
Easy
integra&on
with
OpenStack:
MidoNet
provides
a
plugin
for
Neutron.
MidoNet Plugin

43. Architecture
Overview

44. Use
Cases
Automated
Provisioning
Isolated
Sandboxes
Enhanced
Security
Enable
Compliance
Scale
out
L3
Gateway
Bridge
legacy
VLANs
Do it Faster Do it Bigger
Val u e
Agility
Provide rapid
provisioning of isolated
network infrastructure for
labs and devops.
Logical
Network
Provisioning
Control
Network admins can
better secure, control &
view network traffic.
Single
Pane
of
Glass
OpsTools
Do it Better
IaaS
Cloud
Build multi-tenant
clouds with visibility
into usage.
Tenant
Control
Automated
Self Service
Metering
Performance
Improve network
performance using edge
overlay & complementary
technologies.
Single
Hop
Virtual
Networking
VXLAN
Hardware
Gateway
Massive
performance
with
40Gb
Support
Scale
Add virtual network infra
& services simply &
resiliently without
hardware & bottlenecks.
Distributed
Logical
Networking
FW,
LB,
L2/3,
NAT
Limitless
“VLANs”
IPv6
Solution for
OpenStack
Networking
Use MN to overcome
limitations of Neutron for
OpenStack users.
Replaces OVS
Plugin

45. 44
So what’s next for
Network Virtualization?

46. 45
Get more out of the physical network.

47. 46
Network Virtualization
decouples the logical
network from the physical
network.

48. NVOs can’t ignore the physical network
47
Dynamic changes to logical
network are not dependent on the
physical network configuration.
Sharing state to and from the
physical network can be
supplementary.
- Monitoring
- Traffic Engineering

49. 48
Get more intelligence out of your network

50. NVOs provide a wealth of information
49
NVOs centralize information on
your network
We can start taking advantage of
this information
- Security
- Compliance
- Optimizing Networks

51. 50
Bridge physical and virtual networks
more efficiently

52. Midokura VTEP Solution
51
IP Fabric
MidoNet MidoNet
Virtual
Any
Cloud
Management
PlaHorm
MidoNet
Network
State
Database
VM VM VM VM VM VM
OVSDBc
Server
Storage
Services
Physical
VM VM
VTEP
TCP/IP
OVSDB
VxLAN Tunnel
Physical Connection
Key
OVSDBs

53. 52
Break through performance barriers
of software networking

54. Performance
40Gb
VxLAN
Offloading:
virtualized
environments
require
high
throughput
infrastructure
• Integra&on
with
Mellanox
provides
40
Gbps
satura&on
• VxLAN
offloading
improves
CPU
u&liza&on
levels
• Scale
with
performance
through
HW
interconnect
• Increase
throughput
with
offloading
where
no
offloading
would
otherwise
have
flat
results
• High
bandwidth
can
now
be
achieved
in
so]ware

55. 54
Q&A

56. 55
MidoNet
Advantages
#
Check
out
our
blog:
hjp://blog.midokura.com/
Follow
us
on
Twijer:
@midokura

57. Thank You
Cynthia Thomas
@_techcet_
56