Network Virtualisation – an overview

11th September 2019

First three articles on Network Virtualisation:  here  here and here.

There are critical concepts which undergird network virtualization, and in particular market-leading products or platforms such as VMware NSX (network virtualization), including a multi-hypervisor, multi-cloud management network virtualization platform and approach.  All of which are becoming more important in the general market, as the entire IT Stack becomes virtualised.

Some of the key functionalities of a virtualized network, including overlays and packet flow are described below.

Overlays

Network virtualization makes use of overlay technologies, which sit above the physical network hardware and work with the server hypervisor layer. Logical switching is achieved via the use of overlays, as shown below.

Logical Switching – VM to VM

Figure: Logical switching via the use of overlays

Network overlays make it possible to run networks entirely in software, abstracted from the supporting physical network infrastructure. They basically create tunnels within the data center network.

Packet flow from sender to receiver

Virtual networks use the underlying physical network as a simple packet‐forwarding backplane.  When VMs communicate with each other, the packet is encapsulated with the IP address information of the destination hypervisor.  The physical network delivers the frame to the destination hypervisor, which can remove the outer header, and then the local vSwitch instance delivers the frame to the virtual machine.

In this way, the communication uses the underlying physical network as a simple IP backplane one that requires no STP, no VLANs, no ACLs, and no firewall rules. This approach dramatically simplifies configuration management and eliminates physical network changes from the network provisioning process.

Overlay technologies

There are various overlay technologies. One industry‐standard technology is called Virtual Extensible Local Area Network, or VXLAN. VXLAN provides a framework for overlaying virtualized layer 2 networks over layer 3 networks. NVGRE, is another type of overlay. NVGRE stands for network virtualization using generic routing encapsulation.  NVGRE is similar to VXLAN in its goals, but it uses different approaches to create the overlay. NVGRE has had limited adoption in comparison to the momentum of VXLAN.

In a VMware environment, network virtualization is based on VXLAN. This widely adopted standard was developed jointly by VMware and major networking vendors.

VXLAN

With its broad industry support, VXLAN has become the de facto standard overlay (or encapsulation) protocol. VXLAN is key to building logical networks that provide layer 2 adjacency between workloads, without the issue and scalability concerns found with traditional layer 2 technologies. 

VXLAN is an overlay technology encapsulating the original Ethernet frames generated by workloads (virtual or physical) connected to the same logical layer 2 segment, usually named a logical switch (LS).  VXLAN is a layer 2 over layer 3 (L2oL3) encapsulation technology. The original Ethernet frame generated by a workload is encapsulated with external VXLAN, UDP, IP, and Ethernet headers to ensure that it can be transported across the network infrastructure interconnecting the VXLAN endpoints (virtual machines).

Scaling beyond the 4,096 VLAN limitation on traditional switches has been solved by leveraging a 24‐bit identifier, named VXLAN Network Identifier (VNI), which is associated with each layer 2 segment created in the logical space. This value is carried inside the VXLAN header and is normally associated with an IP subnet, similar to what traditionally happens with VLANs. Intra‐IP subnet communication hap- pens between devices connected to the same virtual network (logical switch).

Hashing of the layer 2, layer 3, and layer 4 headers present in the original Ethernet frame is performed to derive the source port value for the external UDP header. This is important to ensure load balancing of VXLAN traffic across equal cost paths potentially available inside the transport network infrastructure.

The source and destination IP addresses used in the external IP header uniquely identify the hosts originating and terminating the VXLAN encapsulation of frames. This hypervisor‐based logical functionality is usually referred to as a VXLAN Tunnel EndPoint (VTEP).

Encapsulating the original Ethernet frame into a UDP packet increases the size of the IP packet. Increase the overall maximum transmission unit (MTU) size to a minimum of 1,600 bytes for all the interfaces in the physical infrastructure that will carry the frame.  The MTU for the virtual switch uplinks of the VTEPs performing VXLAN encapsulation is automatically increased when preparing the VTEP for VXLAN.

The below describes (at a high level) the steps required to establish layer 2 communications between VMs leveraging VXLAN overlay functionality:

  • VM1 originates a frame destined to the VM2 part of the same layer 2 logical segment (IP subnet).
  • The source VTEP identifies the destination VTEP where VM2 is connected and encapsulates the frame before sending it to the transport network.
  • The transport network is required only to enable IP communication between the source and destination VTEPs.
  • The destination VTEP receives the VLXLAN frame, de‐ encapsulates it, and identifies the layer 2 segment to which it belongs.

The frame is delivered to VM2.

IP plane

Figure: Establishing layer 2 communication between VMs with VXLAN

The Benefit

Network virtualization helps enterprises achieve major advances in speed, agility, and security, by automating and simplifying many of the processes that go into running a data center network.

  • Reduce network provisioning time from weeks to minutes.
  • Achieve greater operational efficiency by automating manual processes.
  • Place and move workloads independently of physical topology.
  • Improve network security within the data center.

An example:  VMWare NSX

The NSX approach to network virtualization allows you to treat your physical network as a pool of transport capacity that can be consumed and repurposed on demand. Virtual networks are created, provisioned, and managed in software, using your physical network as a simple packet‐forwarding backplane.

Virtualized network services are distributed to each virtual machine independently of the underlying network hardware or topology. This means workloads can be added or moved on the fly and all the network and security services attached to  the virtual machine move with it, anywhere in the data center. Your existing applications operate unmodified. They see no difference between a virtual network and a physical network connection.

NSX is not an all‐or‐nothing approach. You don’t have to virtualize your entire network. You have the flexibility to virtualize portions of your network by simply adding hyper- visor nodes to the NSX platform. Gateways, available as software from VMware or top‐of‐rack switch hardware from VMware partners, give you the ability to seamlessly interconnect virtual and physical networks.

These can be used, for example, to support network access by workloads connected to virtual networks or to directly connect legacy VLANs and bare‐metal workloads to virtual networks.

Simplified networking

After NSX is deployed, little interaction with the physical network is required. You no longer need to deal with the physical network configuration of VLANs, ACLs, spanning trees, com- plex sets of firewall rules, and convoluted hair-pinning traffic patterns — because these are no longer necessary when the network is virtualized.

As you deploy NSX virtual networks, you can increasingly streamline your physical network configuration and design. Vendor lock‐in becomes a thing of the past because the physical network only needs to deliver reliable high‐speed packet‐forwarding. This means you can mix and match hardware from different product lines and vendors.

Extreme flexibility and extensibility

NSX is extremely flexible, highly extensible, and widely sup- ported. A powerful traffic‐steering capability allows any combination of network and security services to be chained together in any order. It’s all defined by the application policies you set for each workload.

This high degree of flexibility applies not only to native NSX services but also to a wide variety of compatible third‐party solutions — including virtual and physical instances of next‐ generation firewalls, application delivery controllers, and intrusion prevention systems.

Virtualised Networking

  • Logical switching: NSX allows you to reproduce the complete layer 2 and layer 3 switching functionality in a virtual environment, decoupled from the underlying hardware.
  • NSX gateway: This layer 2 gateway enables seamless connection to physical workloads and legacy VLANs.
  • Logical routing: Routing between logical switches pro- vides dynamic routing within different virtual networks.
  • Logical, distributed firewalling: NSX allows you to create a distributed firewall, integrated into the hypervisor and wrapping security around each workload.
  • Logical load balancer: NSX provides a full‐featured load balancer with SSL termination.
  • Logical VPN: NSX supports site‐to‐site and remote access VPNs in software.
  • NSX API: This RESTful API enables integration into any cloud management platform.

Essential isolation, segmentation, and advanced security services

NSX brings security inside the data center with automated fine‐grained policies tied to the virtual machines. Network security policies are enforced by firewalling controls integrated into the hypervisors that are already distributed throughout the data center. These security policies move when VMs move and adapt dynamically to changes in your data center.

Virtual networks can operate in their own address spaces or have overlapping or duplicate address spaces — all without interfering with each other. Virtual networks are inherently isolated from all other virtual networks, and the under-lying physical network, by default. Each virtual  network  is like an island in a data center sea. This approach allows you to securely isolate networks from each other. You end up with an inherently better security model for the data center. Malicious software that slips through your firewall is no longer free to jump from server to server.

Of course, none of this means you have to give up your favorite network security solutions. NSX is a platform for bringing the industry’s leading networking and security solutions into the software‐defined data center. Thanks to tight integration with the NSX platform, third‐party products and solutions can be deployed as needed and can adapt dynamically to changing conditions in your data center.

NSX network virtualization capabilities enable the three key functions of micro‐segmentation:

  • Isolation: No communication across unrelated networks
  • Segmentation: Controlled communication within a network
  • Security with advanced services: Made possible by tight integration with third‐party security solutions

Performance and scale

NSX delivers proven performance and scale. Because net- working functions are embedded in the hypervisor, NSX features a scale‐out architecture that enables seamless scaling of additional capacity while also delivering solid availability and reliability.

In the NSX environment:

  • The processing required for the execution of distributed network services is only incremental to what the vSwitch is already doing for connected workloads.
  • The vSwitch is a module that is integrated with the hypervisor kernel, along with all the NSX network and security services.
  • Virtual network transport capacity scales linearly (along- side VM capacity) with the introduction of each new hypervisor/host, adding 20 Gbps of switching and routing capacity and 19.6 Gbps of firewalling capacity.

==END