
Chapter 5 Network Virtualization Updated

Virtualization allows a single physical machine's hardware to run multiple virtual machines. Network function virtualization decouples network functions from proprietary hardware and allows them to run as virtual machines on standard servers. This improves flexibility, reduces costs, and improves resource utilization. A key enabler is the network functions virtualization infrastructure which manages the lifecycle and distribution of virtualized network functions.

Uploaded by alemneh mihretie

Advanced Computer Network

ITec5101 1
Chapter 5 - Network Virtualization

Virtualization
Network Function Virtualization
Network Virtualization
Virtual Private Network

Motivation
• Traditionally, applications have run directly on an operating system on a personal computer or on a server.
• Each PC or server would run only one OS at a time.
• To support multiple OSs, application vendors needed to create, manage and support multiple hardware and OS infrastructures, a costly and resource-intensive process.
• An effective strategy for dealing with this problem is known as hardware virtualization.
• Virtualization is not a new technology:
  • In the 1970s, IBM mainframe systems offered the first capabilities that allowed programs to use only a portion of the system's resources.
  • In the 2000s, it moved into mainstream computing and became commercially available on x86 servers.

Virtualization
• Virtualization is using a single physical machine's hardware to run multiple virtual machines within it; or:
• it enables a single PC or server to simultaneously run multiple operating systems or multiple sessions of a single OS.
• It turns physical resources into logical or virtual resources.
• It provides an abstraction layer between the software and the physical hardware.
• It allows users, applications and management software operating above the abstraction layer to manage and use resources without needing to be aware of the physical details of the underlying resources.
Figure: Virtual Machine Concept

Cont.
• Server virtualization has become a central element in dealing with big data applications and in implementing data centers and cloud computing infrastructures.
• Key points
  • Uses the system's hardware
  • Allocates CPU/RAM/storage to VMs
  • Cannot exceed the CPU/RAM/storage that is available on the physical hardware
• Benefits
  • Better use of hardware resources
  • Power saving/reduced footprint
  • Backup and recovery (VMs can be saved as files)
  • Flexibility and availability (VMs can be moved: live migration via vMotion)
  • Fault tolerance (shadowed VM) and load balancing
  • Researching OSs and other software

Cont.
Virtual Machine Monitor
• A virtual machine (VM) is a software construct that mimics the characteristics of a physical server.
• It is configured with some number of processors, RAM, storage resources and connectivity through network ports.
• A virtual machine monitor (VMM) is also known as a hypervisor.
• It is software that sits between the hardware and the VMs, acting as a resource broker.
• It allows multiple VMs to safely coexist on a single physical server host and share that host's resources.
• The number of guests that can exist on a single host is measured as a consolidation ratio, e.g. 6:1; initial commercial offerings provide ratios between 4:1 and 12:1.

Cont.
Types of hypervisors
• Type 1 hypervisor
  • Loaded as a thin software layer directly onto a physical server (bare-metal server)
  • Examples:
    • VMware vSphere/ESXi
    • Microsoft Hyper-V
    • Citrix XenServer
• Type 2 hypervisor
  • Installed on a host OS
  • Examples:
    • VMware Workstation/Fusion
    • Oracle VirtualBox
    • Parallels (Mac)
Figures: Type 1 hypervisor; Type 2 hypervisor

Cont.
• Type 1 vs Type 2 hypervisor
  • A Type 1 hypervisor can directly control hardware resources, but with Type 2 the host OS handles all the hardware interactions.
  • Type 1 hypervisors perform better than Type 2 (due to the extra layer in Type 2).
  • A Type 1 hypervisor is more secure than Type 2, because with a Type 2 hypervisor a malicious guest could potentially affect more than itself.
  • A Type 1 hypervisor implementation does not require the cost of a host OS, but Type 2 hypervisors do.
  • Type 2 hypervisors allow the host to run other processes alongside the hypervisor process (no extra cost for a dedicated server).

Container Virtualization
• Containers are OS-level virtualization.
• OS-level virtualization refers to an operating system paradigm in which the kernel allows the existence of multiple isolated user-space instances.
• Applications run on top of the host OS kernel. This eliminates the resources needed to run a separate OS for each application and can greatly reduce overhead.
• Containers are much smaller and lighter weight (a container holds an app with its dependencies) compared to a VM (which holds the app and a guest OS).
• Example: Docker
• Benefits
  • Portability: develop in a contained host environment, deploy on any host that is running a container host
  • Isolation: apps running in one container are isolated from others

Network Function Virtualization (NFV)
• NFV decouples network functions, such as Network Address Translation (NAT), firewall, intrusion detection, Domain Name Service (DNS), and caching, from proprietary hardware appliances so that they can run in software on VMs.
• NFV means moving from monolithic, vertically integrated, proprietary boxes to networking functions as VMs using standard Commercial Off-The-Shelf (COTS) solutions.
• VM technology can be applied to network-based devices such as:
  • Network function devices: switches, routers, network access points, customer premises equipment (CPE), and deep packet inspectors (for deep packet inspection).
  • Network-related compute devices: firewalls, intrusion detection systems, and network management systems.
  • Network-attached storage: file and database servers attached to the network.

Cont.
• In a traditional network
  • all devices are deployed on proprietary/closed platforms;
  • all network elements are enclosed boxes and hardware cannot be shared;
  • each device requires additional hardware for increased capacity, but this hardware is idle when the system is running below capacity.
• In NFV
  • network elements are independent applications that are flexibly deployed on a unified platform comprising standard servers, storage devices, and switches;
  • software and hardware are decoupled, and capacity for each application is increased or decreased by adding or reducing virtual resources.
• The Network Functions Virtualization Industry Standards Group (ISG NFV), created as part of the European Telecommunications Standards Institute (ETSI) in 2012, has the lead and indeed almost the sole role in creating NFV standards.

Cont.
Figure: Vision for Network Functions Virtualization

Cont.
NFV Principles
• Three key NFV principles are involved in creating practical network services:
  • Service chaining: VNFs are modular and each VNF provides limited functionality on its own. For a given traffic flow within a given application, the service provider steers the flow through multiple VNFs to achieve the desired network functionality. This is known as service chaining.
  • Management and orchestration (MANO): involves deploying and managing the lifecycle of VNF instances. Examples include VNF instance creation, VNF service chaining, monitoring, relocation, shutdown, and billing. It also manages the NFV infrastructure elements.
  • Distributed architecture: a VNF may be made up of one or more VNF components (VNFCs), each of which implements a subset of the VNF's functionality. Each VNFC may be deployed in one or multiple instances. These instances may be deployed on separate, distributed hosts to provide scalability and redundancy.

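The service-chaining and MANO principles above, as an added Python example that is not part of the lecture slides: each VNF (NAT, firewall, IDS) is a plain function, a ServiceChain steers a packet through them in order, and an Orchestrator stand-in classifies flows onto chains. All addresses, ports, names and the IDS signature string are constructed for illustration.

```python
# Added example (not from the lecture slides): a toy service chain in which each
# VNF is a Python function and an orchestrator stand-in steers flows through a
# chain. All names, addresses, ports and the signature string are constructed.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# A VNF takes a packet and returns the (possibly rewritten) packet, or None if dropped.
VNF = Callable[[Packet], Optional[Packet]]


def make_nat(private_prefix: str, public_ip: str) -> VNF:
    """Source NAT: rewrite sources inside the private prefix to the public address."""
    def nat(pkt: Packet) -> Optional[Packet]:
        return replace(pkt, src=public_ip) if pkt.src.startswith(private_prefix) else pkt
    return nat


def make_firewall(allowed_ports: Set[int]) -> VNF:
    """Stateless firewall: drop anything not destined to an allowed port."""
    def firewall(pkt: Packet) -> Optional[Packet]:
        return pkt if pkt.dport in allowed_ports else None
    return firewall


def make_ids(signatures: List[bytes], alerts: List[str]) -> VNF:
    """Passive IDS: record an alert on a signature match, never drop."""
    def ids(pkt: Packet) -> Optional[Packet]:
        for sig in signatures:
            if sig in pkt.payload:
                alerts.append(f"{pkt.src}->{pkt.dst}:{pkt.dport} matched {sig!r}")
        return pkt
    return ids


class ServiceChain:
    """Steers a packet through VNFs in order; a drop anywhere ends the chain."""
    def __init__(self, vnfs: List[VNF]):
        self.vnfs = vnfs

    def process(self, pkt: Packet) -> Optional[Packet]:
        for vnf in self.vnfs:
            pkt = vnf(pkt)
            if pkt is None:
                return None
        return pkt


class Orchestrator:
    """MANO-like stand-in: deploys chains and classifies flows onto them."""
    def __init__(self) -> None:
        self.chains: Dict[str, ServiceChain] = {}

    def deploy(self, name: str, vnfs: List[VNF]) -> None:
        self.chains[name] = ServiceChain(vnfs)

    def classify(self, pkt: Packet) -> str:
        return "web" if pkt.dport in (80, 443) else "other"

    def handle(self, pkt: Packet) -> Optional[Packet]:
        return self.chains[self.classify(pkt)].process(pkt)


def demo():
    """Build two chains and push constructed packets through them."""
    alerts: List[str] = []
    orch = Orchestrator()
    # IDS is placed before NAT so alerts name the real (private) source host.
    orch.deploy("web", [make_firewall({80, 443}),
                        make_ids([b"TEST-SIG"], alerts),
                        make_nat("10.", "198.51.100.1")])
    orch.deploy("other", [make_firewall({22})])
    results = {
        "web_ok": orch.handle(Packet("10.0.0.5", "203.0.113.9", 443, b"GET / HTTP/1.1")),
        "web_sig": orch.handle(Packet("10.0.0.6", "203.0.113.9", 80, b"xx TEST-SIG xx")),
        "telnet": orch.handle(Packet("10.0.0.7", "203.0.113.9", 23)),
    }
    return results, alerts


if __name__ == "__main__":
    res, al = demo()
    for name, pkt in res.items():
        print(name, "dropped" if pkt is None else f"forwarded from {pkt.src}")
    print("alerts:", al)
```

The order of VNFs in a chain is a design decision with security consequences: here the IDS sits before the NAT so that its alert records the private source host rather than the shared public address, which is what an incident responder needs.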
Cont.
High Level NFV Framework
• Defined by ISG NFV; supports the implementation of network functions as software-only VNFs.
• It consists of three domains of operation:
  • Virtualized network functions: the collection of VNFs, implemented in software, that run over the NFVI.
  • NFV infrastructure (NFVI): performs the virtualization function over compute, storage and network resources.
  • NFV management and orchestration: focuses on all virtualization-specific management tasks necessary in the NFV framework.
Figure: High Level NFV Framework

Cont.
NFV Benefits
• NFV has the following benefits if it is implemented efficiently and effectively:
  • Reduced CapEx (capital expenditure) on purchasing network equipment, via migration to software on standard servers
  • Efficiencies in space, power, cooling, network management and control (OpEx)
  • Faster time to deployment
  • Ease of interoperability because of standardized and open interfaces
  • Flexibility: elastic scale-up and scale-down of capacity
  • Use of a single platform for different applications, users and tenants, which in turn allows network operators to share resources across services and across different customer bases
  • A wide variety of ecosystems, encouraging openness; this encourages more innovation to bring new services and new revenue streams quickly at much lower risk

Cont.
NFV Requirements
• To deliver these benefits, NFV must be designed and implemented to meet a number of requirements and technical challenges, including the following:
  • Portability/interoperability: capability to load and execute VNFs provided by different vendors on a variety of standardized hardware platforms
  • Performance trade-off: since NFV is based on industry-standard hardware, avoiding proprietary hardware such as acceleration engines may cause performance degradation, so the degradation must be kept as small as possible
  • Migration and coexistence with respect to legacy equipment: virtual appliances must use the existing northbound interfaces to interwork with physical appliances
  • Management and orchestration: consistency is required

Cont.
  • Automation: make NFV scalable by automating all functions
  • Security and resilience: VNFs should not have an impact on the security, resilience and availability of the network
  • Network stability: ensure the stability of the network is not impacted when managing and orchestrating a large number of virtual appliances between different hardware vendors and hypervisors
  • Simplicity: ensure that virtualized network platforms are simpler to operate than those that exist today
  • Integration: allow network operators to "mix and match" servers, hypervisors, and virtual appliances from different vendors without incurring significant integration cost, avoiding lock-in
• NFV suppliers
  • Ericsson, Nokia, Huawei, Cisco, HPE, Dell-EMC, VMware, Red Hat etc. supply anything from full to specific NFV solutions such as NFVI, NFVs, MANO and integration services.

Network Virtualization
Virtual LANs
• A VLAN is a broadcast domain consisting of a group of end stations, perhaps on multiple physical LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN.
• Why use VLANs
  • Improved network performance: reduces broadcast and multicast traffic
  • Formation of virtual groups: easy to place members of a workgroup together and allow them to access common services and resources regardless of their physical location
  • Simplified administration: simplifies tasks related to re-cabling, addressing and reconfiguration of network devices for new or mobile users
  • Reduced cost: lets us create broadcast domains without the need for expensive routers
  • Security: sensitive data is broadcast only within the respective VLAN; VLANs can also be used to control broadcast domains, set up firewalls, restrict access and notify network managers

Cont.
• Defining membership in VLANs
  • Membership by port group: membership in a VLAN is defined based on the ports that belong to the VLAN.
    • Advantage: easy to configure
    • Disadvantage: does not allow user mobility (reconfiguration needed)
  • Membership by MAC address: membership in a VLAN is based on the MAC address of the workstation.
    • Advantage: allows user mobility (no reconfiguration needed; the workstation retains its membership)
    • Disadvantage: VLAN membership must be assigned initially (difficult to implement in networks with thousands of users)
  • Membership based on protocol information: VLAN membership can be assigned based on IP address, transport protocol information, or even higher-layer protocol information.
    • Advantage: flexible approach
    • Disadvantage: requires switches to examine portions of the MAC frame above the MAC layer, which may have a performance impact

Cont.
• Communicating VLAN membership
  • The common approach by which a switch learns the VLAN membership of traffic arriving from other switches is frame tagging.
  • The IEEE 802 committee has developed a standard for frame tagging, IEEE 802.1Q.
  • Each VLAN has a VLAN ID (VID) with a value in the range 1 to 4094.
• VLAN configuration
  Switch(config)#vlan vlan_number
  Switch(config-vlan)#name vlan_name
  Switch(config-vlan)#exit
  Switch#show vlan

Cont.
• By default, all ports are initially members of VLAN 1.
• Use the following commands to assign an individual port to a VLAN:
  Switch(config)#interface fa#/#
  Switch(config-if)#switchport access vlan vlan_no
  Switch(config-if)#exit
• Use the following commands to assign multiple ports to a VLAN:
  Switch(config)#interface range fa#/start# - end#
  Switch(config-if-range)#switchport access vlan vlan_no
  Switch(config-if-range)#exit

Cont.
VLAN Links
• Access links
  • This type of link is part of only one VLAN (the native VLAN of the port).
  • Any device attached to an access link is unaware of VLANs.
  • Switches remove any VLAN information from the frame before it is sent to an access-link device.
• Trunk links
  • carry the traffic of multiple VLANs;
  • a trunk link is a 100 Mbps or 1000 Mbps point-to-point link between two switches, or between a switch and a router.
• Dynamic links
  • trunking mode is set to dynamically negotiate access or trunk mode.

Cont.
• To configure inter-VLAN routing, use the following steps:
1. Configure a trunk port on the switch.
  Switch(config)#interface fa0/2
  Switch(config-if)#switchport mode trunk
2. On the router, configure a FastEthernet interface with no IP address or subnet mask.
  Router(config)#interface fa0/1
  Router(config-if)#no ip address
  Router(config-if)#no shutdown
3. On the router, configure one subinterface with an IP address and subnet mask for each VLAN. Each subinterface has 802.1Q encapsulation.
  Router(config)#interface fa0/1.10
  Router(config-subif)#encapsulation dot1q 10
  Router(config-subif)#ip address <address> <subnetmask>

Cont.
4. Use the following commands to verify the inter-VLAN routing configuration and functionality.
  Switch#show interfaces trunk
  Router#show ip interface
  Router#show ip interface brief
  Router#show ip route

Cont.
Nested VLAN / Stacked VLAN
• The original 802.1Q specification allows a single VLAN header to be inserted into an Ethernet frame (supporting a total of 4096 VLAN IDs).
• More recent versions of the standard, which incorporated IEEE 802.1ad into the base 802.1Q standard as an amendment in 2011, allow multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. This is known as VLAN stacking or Q-in-Q.
• With stacked VLANs, service providers can use a unique VLAN (called a service-provider VLAN ID, or SP-VLAN ID) to support customers who have multiple VLANs. Customer VLAN IDs (CE-VLAN IDs) are preserved, and traffic from different customers is segregated within the service-provider infrastructure even when they appear to be on the same VLAN.
• Stacked VLANs expand the VLAN space by using a VLAN-in-VLAN hierarchy.

Cont.
• The expanded VLAN space allows a service provider to provide certain services, such as Internet access on specific VLANs for specific customers, while providing other types of services to other customers on other VLANs.
• Example: Stacked VLAN Processing on Cisco ASR 1000 Series Aggregation Services Routers in a Service-Provider Network. (Refer to https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/lanswitch/configuration/guide/qinq_xe.html )

Cont.
Figures: Frame formats; position of stacked VLAN tags; OpenFlow VLAN support
• Drawbacks of traditional 802.1Q VLANs
  • Requires that switches have complete knowledge of the VLAN mapping (manually configured or acquired automatically)
  • Multiple switches and routers have to be configured whenever VMs are relocated
  • Group membership is defined by the network administrator according to the type of network they wish to deploy
• OpenFlow allows for much more flexible management and control of VLANs

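The 802.1Q frame tagging, the access-link versus trunk-link behaviour, and the Q-in-Q tag stack described on the VLAN slides above, as one added Python example that is not part of the lecture slides. It builds and parses the 4-byte tag (TPID plus TCI with a 12-bit VID), strips tags for an access link, tags for a trunk link (native VLAN untagged), and pushes/pops a 0x88A8 S-TAG at a provider edge so that two customers who both use C-VID 10 stay segregated in the provider core. The MAC addresses and payloads are constructed.

```python
# Added example (not from the lecture slides): 802.1Q / 802.1ad tag handling.
# MAC addresses, payloads and VLAN numbers below are constructed for illustration.
import struct
from typing import List, Tuple

TPID_C = 0x8100   # 802.1Q customer tag (C-TAG)
TPID_S = 0x88A8   # 802.1ad service tag (S-TAG), the outer tag in Q-in-Q


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_C) -> bytes:
    """4-byte VLAN tag: TPID followed by TCI (PCP:3 bits, DEI:1 bit, VID:12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094 (0 and 4095 are reserved)")
    return struct.pack("!HH", tpid, (pcp & 7) << 13 | (dei & 1) << 12 | vid)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Ethernet frame: dst, src, zero or more tags (outermost first), ethertype, payload."""
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, List[Tuple[int, int]], int, bytes]:
    """Return (dst, src, tag stack as (tpid, vid) outermost first, ethertype, payload)."""
    off, tags = 12, []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_C, TPID_S):
            break                      # not a tag: this is the real ethertype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return frame[:6], frame[6:12], tags, tpid, frame[off + 2:]


def access_egress(frame: bytes) -> bytes:
    """Access link: the attached device is VLAN-unaware, so every tag is stripped."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


def trunk_egress(frame: bytes, vid: int, native_vid: int = 1) -> bytes:
    """Trunk link: tag an untagged frame with its VLAN; the native VLAN stays untagged."""
    if vid == native_vid:
        return frame
    return frame[:12] + build_tag(vid) + frame[12:]


def push_sp_tag(frame: bytes, sp_vid: int) -> bytes:
    """Provider edge ingress (Q-in-Q): push an S-TAG in front of the customer's C-TAG."""
    return frame[:12] + build_tag(sp_vid, tpid=TPID_S) + frame[12:]


def pop_sp_tag(frame: bytes) -> bytes:
    """Provider edge egress: remove the outer S-TAG, restoring the customer frame."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_S:
        raise ValueError("outermost tag is not an S-TAG")
    return frame[:12] + frame[16:]


def demo() -> dict:
    bcast = b"\xff" * 6
    host_a, host_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    # Two different customers both happen to use C-VID 10 on their own LANs.
    cust_a = build_frame(bcast, host_a, 0x0800, b"A-data", tags=(build_tag(10),))
    cust_b = build_frame(bcast, host_b, 0x0800, b"B-data", tags=(build_tag(10),))
    core_a, core_b = push_sp_tag(cust_a, 100), push_sp_tag(cust_b, 200)
    untagged_a = access_egress(cust_a)
    return {
        "cust_a_tags": parse_frame(cust_a)[2],
        "core_a_tags": parse_frame(core_a)[2],        # SP-VID 100 outside, C-VID 10 inside
        "core_b_tags": parse_frame(core_b)[2],        # SP-VID 200 keeps B apart from A
        "restored": pop_sp_tag(core_a) == cust_a,
        "access_untagged": parse_frame(untagged_a)[2],
        "trunk_tagged": parse_frame(trunk_egress(untagged_a, 20))[2],
        "native_untagged": parse_frame(trunk_egress(untagged_a, 1))[2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parser stops at the first ethertype that is not 0x8100 or 0x88A8, which is exactly the "complete knowledge of the VLAN mapping" a switch needs: a device that does not recognise 0x88A8 would misread the S-TAG as the payload ethertype, which is why mixed-vendor Q-in-Q deployments must agree on the TPID.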
Cont.
Virtual Private Network (VPN)
• A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
• VPNs are widely used by enterprises to create WANs that span large geographic areas, to provide site-to-site connections to branch offices, and to allow mobile users to dial up their company LANs.
• It provides encryption and authentication facilities.
• Benefits of VPN
  • Cheaper connection
  • Available anywhere the Internet is available
  • Heavily encrypted and secured
  • Many-to-many connections

Cont.
• The two most common technologies for creating VPNs are:
  • IP Security (IPsec)
  • MPLS
• IPsec VPN
  • IPsec is used to construct a secure VPN. All distributed applications, including remote logon, client/server, email, file transfer, web access and so on, can be secured.
  • It supports
    • Authentication: ensures that unauthorized users do not penetrate the VPN
    • Encryption: ensures that eavesdroppers on the Internet cannot read messages sent over the VPN
  • It can work in two modes:
    • Transport mode: the message payload is protected.
    • Tunnel mode: the payload together with the routing and header information is protected. It makes use of the combined authentication/encryption function of IPsec called Encapsulating Security Payload (ESP) and a key exchange function.

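The transport-versus-tunnel-mode distinction above, as an added Python example that is not from the lecture slides: a simplified model of ESP processing that shows which bytes an on-path observer can still read in each mode, verifies the integrity check value (ICV) before decrypting, and detects a modified packet. The IP header is a toy 12-byte structure, the cipher is an HMAC-SHA256 keystream standing in for AES, and the addresses and keys are constructed; it is not an interoperable IPsec implementation.

```python
# Added example (not from the lecture slides): a simplified model of ESP in
# transport vs tunnel mode. The IP "header" is a toy 12-byte structure, the
# cipher is an HMAC-SHA256 keystream standing in for AES, and the ICV is a
# truncated HMAC-SHA256; the packet shape (SPI, sequence number, encrypted
# payload, trailing next-header byte, ICV) follows ESP but this is not an
# interoperable IPsec implementation. All addresses and keys are constructed.
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50          # IP protocol number for ESP
IPIP_PROTO = 4          # next header for an encapsulated IP packet (tunnel mode)
HDR_LEN, ESP_HDR_LEN, ICV_LEN = 12, 8, 12


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Toy IP header: 4-byte src, 4-byte dst, 1-byte protocol, 3 bytes padding."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!Bxxx", proto)


def parse_ip_header(hdr: bytes):
    return socket.inet_ntoa(hdr[:4]), socket.inet_ntoa(hdr[4:8]), hdr[8]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_protect(packet, enc_key, auth_key, spi, seq, mode, outer=None):
    """Return the on-the-wire form of packet (toy header + payload) after ESP.
    mode is "transport" or "tunnel"; outer = (gateway_src, gateway_dst) for tunnel."""
    inner_hdr, payload = packet[:HDR_LEN], packet[HDR_LEN:]
    esp_hdr = struct.pack("!II", spi, seq)
    if mode == "transport":
        # Only the payload is protected; the original IP header stays in the clear.
        plaintext = payload + bytes([inner_hdr[8]])
        clear_hdr = inner_hdr[:8] + struct.pack("!Bxxx", ESP_PROTO)
    elif mode == "tunnel":
        # The whole original packet, header included, is hidden behind a new
        # outer header that names only the two gateways.
        plaintext = packet + bytes([IPIP_PROTO])
        clear_hdr = ip_header(outer[0], outer[1], ESP_PROTO)
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ciphertext = _xor(plaintext, _keystream(enc_key, esp_hdr, len(plaintext)))
    # The ICV covers the ESP header and ciphertext, not the outer IP header.
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return clear_hdr + esp_hdr + ciphertext + icv


def esp_unprotect(wire, enc_key, auth_key, mode):
    """Verify the ICV first, then decrypt and rebuild the original packet."""
    clear_hdr = wire[:HDR_LEN]
    esp_hdr = wire[HDR_LEN:HDR_LEN + ESP_HDR_LEN]
    ciphertext, icv = wire[HDR_LEN + ESP_HDR_LEN:-ICV_LEN], wire[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    plaintext = _xor(ciphertext, _keystream(enc_key, esp_hdr, len(ciphertext)))
    body, next_hdr = plaintext[:-1], plaintext[-1]
    if mode == "transport":
        return clear_hdr[:8] + struct.pack("!Bxxx", next_hdr) + body
    return body   # tunnel mode: body is the complete inner packet


def visible_addresses(wire: bytes):
    """What an on-path observer can read from the cleartext header."""
    src, dst, _ = parse_ip_header(wire[:HDR_LEN])
    return src, dst


def tamper_detected(wire, enc_key, auth_key, mode) -> bool:
    """Flip one ciphertext byte and report whether the ICV check catches it."""
    i = HDR_LEN + ESP_HDR_LEN
    forged = wire[:i] + bytes([wire[i] ^ 0x01]) + wire[i + 1:]
    try:
        esp_unprotect(forged, enc_key, auth_key, mode)
        return False
    except ValueError:
        return True
```

In transport mode the observer still learns the real endpoints (useful for traffic analysis, which is why site-to-site VPNs use tunnel mode); in tunnel mode only the gateway addresses are visible. Checking the ICV before decrypting, as esp_unprotect does, is the ordering real ESP implementations follow so that a forged packet is rejected without ever being decrypted.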
Cont.
• IPsec VPN tunnel configuration
  • Configure the basic and some advanced configuration (on all CE routers)
    • Configure an IP address for each active interface
    • Configure a default route on the customer edge routers
      ip route 0.0.0.0 0.0.0.0 <nexthop IP address>
    • Create an ACL to permit access to the resources of the remote LAN via the VPN
      access-list 100 permit ip <src-add> <wildcardmask> <dst-add> <wildcardmask>
    • Enable the security license on the customer edge router:
      license boot module <Model-c2900> technology-package securityk9
  • Phase 1
    • ISAKMP policy:
      crypto isakmp policy <1-10000>
      encryption aes 256
      authentication pre-share
      group 5 (DH key exchange)

Cont.
    • Configure the ISAKMP pre-shared key and identity
      crypto isakmp key secretkey address <Global-Address-Remote-CE-Router>
  • Phase 2
    • IPsec transform set (R1 and R2 are the CE routers)
      crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
    • Set up the IPsec crypto map [10: the ISAKMP policy created in Phase 1]
      crypto map IPSEC-MAP 10 ipsec-isakmp
      set peer <Global-Address-Remote-Router>
      set pfs group5
      set security-association lifetime seconds 86400
      set transform-set R1-R2
      match address 100 [access list]
    • Apply the crypto map
      interface GigabitEthernet0/0
      crypto map IPSEC-MAP
  • Verification commands
    ✓ show crypto isakmp policy
    ✓ show crypto ipsec transform-set
    ✓ show crypto ipsec sa
    ✓ show crypto map
    ✓ debug crypto isakmp
    ✓ debug crypto ipsec
  • Video walkthrough: https://www.youtube.com/watch?v=Z7LwU6H5IGE

Cont.
Network Virtualization (NV)
• Network virtualization is defined differently in a number of academic and industry publications. Based on ITU-T Y.3011 (Framework of Network Virtualization for Future Networks, January 2012):
  • Network virtualization: a technology that enables the creation of logically isolated virtual networks over shared physical networks so that heterogeneous collections of multiple virtual networks can simultaneously coexist over the shared physical networks. It includes the aggregation of multiple resources in a provider appearing as a single resource.
• It is a far broader concept than VPNs, which only provide traffic isolation, or VLANs, which provide a basic form of topology management.
• NV implies full administrative control for customizing virtual networks, both in terms of the physical resources used and the functionalities provided by the virtual networks.

Cont.
• The virtual network presents an abstracted network view whose virtual resources provide users with services similar to those provided by physical networks.
• Because the virtual resources are software defined, the manager or administrator of a virtual network potentially has a great deal of flexibility in altering topologies, moving resources, and changing the properties and service of various resources.
• In addition, virtual network users can include not only users of services or applications but also service providers. For example, a cloud service provider can quickly add new services or expanded coverage by leasing virtual networks as needed.
See the example in your text book at page 489.

Cont.
• The architecture depicts NV as consisting of four levels:
  • Physical resources: shared among virtual resources
  • Virtual resources: created from physical resources and managed by a virtual resource manager
  • Virtual network: consists of virtual resources and provides a set of services to users
  • Services
Figure: A conceptual architecture of Network Virtualization (Y.3011)

Cont.
• Benefits of Network Virtualization
  • Flexibility: NV enables the network to be quickly moved, provisioned, and scaled to meet the ever-changing needs of virtualized compute and storage infrastructures
  • Operational cost savings: virtualization of the infrastructure simplifies the operational processes and equipment used to manage the network
  • Agility: modifications to the network's topology or how traffic is handled can be tried in different ways, without needing to modify the existing physical networks
  • Scalability: a virtual network can be rapidly scaled to respond to shifting demands by adding or removing physical resources from the pool of available resources
  • Capital cost savings: a virtualized deployment can reduce the number of devices needed, providing capital as well as operational cost savings

Cont.
  • Rapid service provisioning/time to market:
    • Virtualization allows enterprise resources to be quickly shifted as demand by different users or applications changes.
    • From a user perspective, resources can be acquired and released to minimize utilization demand on the system.
    • New services require minimal training and can be deployed with minimal disruption to the network infrastructure.
  • Equipment consolidation: NV enables the more efficient use of network resources, thus allowing for consolidating equipment purchases to fewer, more off-the-shelf products.

Further Reading
• Virtual Tenant Network