Delivering Value with
Network Virtualization
SOLUTION GUIDE
Introduction
Virtualization is a central theme in IT development and new technology implementation because it has the power to maximize IT investment. The ability to leverage the performance of critical IT infrastructure and support converged networks is proving to be an extremely high-value proposition for businesses in all industries.
The convergence of services on the network requires higher availability for mission-critical applications. Those providing advanced services to customers are well aware of the need to balance maximizing operational efficiency with meeting Service Level Agreements (SLAs).
Virtualization provides the means to meet these increasing demands, with the unique ability to also provide businesses with cost benefits such as:
- Streamlining operational efficiency
- Greater flexibility to adapt to changing business needs
- Maximizing benefits from IT investment
- Simplifying management of IT systems
- Reducing energy consumption
- Improving network uptime
- Simplifying the integration of new hardware
- Simplifying the upgrading of software applications
- Automating the movement of data storage locations
- Optimizing disaster recovery provisioning
Virtualization, an innovative solution for multiplying the effectiveness and value of network infrastructure, has captured the imagination and endeavour of the networking industry.
While early advances in IT virtualization relate mainly to server and workstation technology, there are some important virtualization developments occurring in the underlying Ethernet infrastructure:
Virtualized Dual Backbone
Replacing the traditional LAN redundancy solution (a redundant pair of separate switches) with a resiliency solution based on a pair of switches operating as a single virtual switch.
Network Service Virtualization
Enabling network services, particularly security services, to be delivered in a distributed fashion across the network, without the requirement to deploy multiple specialized appliances for each service.
Virtualized Networks
Enabling multiple networks to share the same Ethernet infrastructure, but remain quite isolated from each other. This is particularly powerful when delivered in an identity-based fashion.
Allied Telesis has been delivering innovation in these areas of virtualization for some time.
Virtualized Dual Backbone
This development meets the current industry trend of moving to ‘Green IT’, and is important for virtualization as it helps eliminate the need for expensive, energy-consuming equipment to stand effectively idle just to provide failover redundancy. In the virtualized network, failed hardware is simply removed from the available pool, while processing is seamlessly distributed across other units.
The extension of this theme from server/workstation hardware into LAN switching is embodied in the concept of the Virtualized Dual Backbone. Traditionally, high availability in LANs has been achieved by provisioning redundant switches and redundant links. This has resulted in expensive equipment sitting effectively unused for most of the time. Moreover, it has increased the complexity of network management: more devices to manage, and control protocols (VRRP and Spanning Tree) to manage and troubleshoot.
The Virtualized Dual Backbone removes this idle redundancy, and provides a high availability solution based on pairs of switches operating together as a single virtual switch, and sets of links operating together as single aggregated virtual links, as seen in figure 1.
Figure 1: Virtualized Dual Backbone
Network Service Virtualization
Server virtualization enables applications to be decoupled from specific server hardware units or even specific physical locations in the network. The applications can be served in whatever distribution best fits the performance characteristics of the network.
The extension of the application virtualization concept from servers to switches is referred to as Network Service Virtualization. The switches don’t serve desktop applications, but they do provide underlying network services. The virtualization of these services, so that they are not tied to single appliances, but distributed across the switching infrastructure, increases service availability and can reduce management overhead.
The most important service provided by Allied Telesis switches is security policy enforcement. The AlliedWare Plus operating system provides a unique combination of functionality for complete LAN policy enforcement:
- RADIUS: Embedded RADIUS server enables the distribution of authentication facilities, ensuring very high availability of this service.
- Tri-authentication: 802.1X, MAC-based and Web-based authentication can all be used together on every port, ensuring that every device connected to the network edge can be authenticated, and forced to participate in the LAN security policy, as shown in figure 2.
Figure 2: Tri-authentication
- NAC integration: the switches can operate as the Enforcement Point within all the leading Network Access Control solutions currently in the market, as seen in figure 3.
Figure 3: NAC Integration
By distributing this comprehensive security capability across network switches and divorcing them from centralized appliances, a network manager can implement a highly automated, reliable and foolproof LAN security system.
Allied Telesis switches also allow the virtualized distribution of other network services like DHCP address allocation, RADIUS authentication, boot image serving and network time synchronization.
By distributing these services across the network switches themselves, load is removed from application servers, and high availability of these fundamental network services is ensured.
Furthermore, the software and hardware architecture of the Allied Telesis switches provides a future-proof solution, where other services (including hardware-accelerated services) can be easily integrated, increasing the distribution of the workload across the network.
Virtualized Networks
The ability to virtualize LANs has been inherent in Ethernet switching for some time, in the form of VLANs.
Virtualized Networks are achieved by extending this concept of network separation and virtualization further. By enforcing complete end-to-end data separation, Virtualized Networks truly enable multiple networks to share the same physical infrastructure. This separation can be extended across the WAN as well as the LAN, and provides different characteristics for different networks.
For example, this has been used to:
- provide separated logical networks to businesses sharing the same physical network, within multi-business environments like shopping malls, airports and multi-tenanted office buildings.
- enable retail chains to provide shared data access for franchises.
- give departments within a University campus the freedom to control and design their own LANs while still being able to share inter-building backbones.
- ease the process of network integration between merged companies.
The Allied Telesis product range provides the necessary components to build Virtualized Networks.
User identification
In a truly Virtualized Network, the association of an end-device to a particular shared network is based not on the location of the connecting port, but on the identity of the connected user. This enables users to roam across the network and access their particular virtualized network wherever they connect. For example, in an airport, where different airlines use gates at different times, an identity-based network allocation enables every airline to access their own network from any gate. Similarly, in a University campus, academic staff can access their own departmental network from any lecture theatre or even from within other departments.
So, user identification is a key component of full network virtualization.
Allied Telesis tri-authentication ensures that any end-user device can be identified and authenticated, irrespective of whether it supports 802.1X.
Path isolation
Once a device has been allocated to a particular network, it is essential that its data remain confined within the paths allocated to that network. The Allied Telesis product range implements reliable and scalable path isolation mechanisms at both Layer 2 and Layer 3.
The technology employed for creating isolated Layer 2 paths over Layer 2 networks is VLAN stacking (Q-in-Q double tagging), which enables multiple entire VLAN structures to share the same physical Ethernet infrastructure, as seen in figure 4.
A variety of technologies have been implemented by Allied Telesis for overlaying virtual paths across Layer 3 networks: L2TP, GRE, Policy Routing and transparent LAN bridging over L2TP. This provides a range of options for overlaying Layer 2 or Layer 3 networks across Layer 3 networks (including the Internet, of course). These can be combined with IPsec to ensure full data security.
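To make the Layer 2 path-isolation mechanism concrete, here is an added example (not code from Allied Telesis or from this guide) that encodes and decodes Q-in-Q double-tagged frames and models a provider backbone whose forwarding state is keyed on the outer service VLAN (S-VID). The TPID values 0x88A8 (802.1ad S-tag) and 0x8100 (802.1Q C-tag) are the standard ones; the MAC addresses, S-VIDs, port numbers and the `ProviderCore` class are constructed for the demonstration. The point it shows is that two tenants can reuse the same customer VLAN IDs and even the same MAC addresses without their frames ever sharing a forwarding entry.

```python
import struct

TPID_SERVICE = 0x88A8   # IEEE 802.1ad S-tag: outer tag, owned by the provider
TPID_CUSTOMER = 0x8100  # IEEE 802.1Q C-tag: inner tag, owned by the tenant
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(tpid, vid, pcp=0):
    """Encode one 4-byte VLAN tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(dst, src, c_vid, payload, pcp=0):
    """Frame as it leaves the tenant's own switch: a single 802.1Q C-tag."""
    return (dst + src + vlan_tag(TPID_CUSTOMER, c_vid, pcp)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def push_service_tag(frame, s_vid, pcp=0):
    """Customer-edge ingress: push the provider S-tag in front of whatever the tenant sent."""
    return frame[:12] + vlan_tag(TPID_SERVICE, s_vid, pcp) + frame[12:]


def pop_service_tag(frame):
    """Customer-edge egress: strip the S-tag and hand the tenant back its original frame."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_SERVICE:
        raise ValueError("no S-tag present")
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Decode the tag stack. s_vid / c_vid are None when the tag is absent."""
    dst, src = frame[:6], frame[6:12]
    off, s_vid, c_vid = 12, None, None
    tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid == TPID_SERVICE:
        s_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid == TPID_CUSTOMER:
        c_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        tpid = struct.unpack_from("!H", frame, off)[0]
    return {"dst": dst, "src": src, "s_vid": s_vid, "c_vid": c_vid,
            "ethertype": tpid, "payload": frame[off + 2:]}


class ProviderCore:
    """Constructed model of a learning bridge in the shared backbone.

    MAC learning and lookup are keyed on (S-VID, MAC) only; the C-tag is opaque
    payload, so a tenant's VLAN numbering never leaks into the provider's state.
    """

    def __init__(self):
        self.table = {}  # (s_vid, mac) -> ingress port

    def forward(self, frame, in_port):
        hdr = parse_frame(frame)
        if hdr["s_vid"] is None:
            raise ValueError("untagged frame on a provider network port")
        self.table[(hdr["s_vid"], hdr["src"])] = in_port
        # None means "flood", but only within this S-VID's broadcast domain.
        return self.table.get((hdr["s_vid"], hdr["dst"]))


def isolation_demo():
    """Two tenants reuse C-VID 10 and the same MACs; S-VIDs 100 and 200 keep them apart."""
    core = ProviderCore()
    mac_a = bytes.fromhex("020000000001")  # constructed, locally administered addresses
    mac_b = bytes.fromhex("020000000002")
    # Tenant A on port 1, tenant B on port 2, both sending from mac_a to mac_b.
    core.forward(push_service_tag(customer_frame(mac_b, mac_a, 10, b"tenant-A"), 100), in_port=1)
    core.forward(push_service_tag(customer_frame(mac_b, mac_a, 10, b"tenant-B"), 200), in_port=2)
    # Replies to mac_a arrive from elsewhere in the ring; each S-VID resolves to its own port.
    port_a = core.forward(push_service_tag(customer_frame(mac_a, mac_b, 10, b"reply"), 100), in_port=3)
    port_b = core.forward(push_service_tag(customer_frame(mac_a, mac_b, 10, b"reply"), 200), in_port=4)
    return port_a, port_b


if __name__ == "__main__":
    print(isolation_demo())  # (1, 2)
```

The check a practitioner would add to this model is the one `ProviderCore.forward` already makes: a frame reaching a network-facing port without an S-tag is rejected rather than learned, since an untagged frame has no tenant and must not be allowed to pick one up by accident.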
Quality of Service (QoS)
When multiple virtual networks share the same links, it is necessary to ensure that each separate network experiences the QoS that it expects. Bandwidth usage must be controlled, so that no single network can starve the others of bandwidth. Latency and jitter must also be managed for those virtual networks that are supporting real-time applications, like Voice over IP (VoIP) and streaming video.
Allied Telesis x900 Series switches have an extremely feature-rich QoS offering that can manage the characteristics of over 1000 separate data streams simultaneously, making them ideal for the provisioning of Virtualized Networks.
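The bandwidth-control requirement above, that no single virtual network can starve the others of a shared link, is what a weighted scheduler enforces. The following is an added example, not code from Allied Telesis or a description of how the x900 Series implements QoS: a deficit round-robin scheduler with one queue per virtual network, a per-network tail-drop limit, and a byte budget standing in for the link's capacity over one scheduling interval. The network names, quanta, frame sizes and the `DeficitRoundRobin` class are all constructed for the demonstration.

```python
from collections import deque


class DeficitRoundRobin:
    """Constructed per-virtual-network scheduler.

    Each network is credited `quantum` bytes per round and may send frames while
    its deficit covers them. A network that floods its queue cannot spend more
    than its own credit, and when its queue overflows only its own frames drop.
    """

    def __init__(self, quanta, mtu=1500, queue_limit=50):
        # Standard DRR requirement: quantum >= MTU, so every round makes progress.
        for net, q in quanta.items():
            if q < mtu:
                raise ValueError(f"quantum for {net} must be >= MTU ({mtu})")
        self.quanta = dict(quanta)
        self.queues = {net: deque() for net in quanta}
        self.deficit = {net: 0 for net in quanta}
        self.queue_limit = queue_limit

    def enqueue(self, net, size):
        """Queue one frame; returns False (tail drop) when that network's queue is full."""
        q = self.queues[net]
        if len(q) >= self.queue_limit:
            return False
        q.append(size)
        return True

    def schedule(self, budget_bytes):
        """Drain queues in weighted rounds until the budget or all queues are exhausted.

        Returns bytes transmitted per network.
        """
        sent = {net: 0 for net in self.queues}
        remaining = budget_bytes
        while remaining > 0:
            progress = False
            for net, q in self.queues.items():
                if not q:
                    self.deficit[net] = 0  # idle networks do not bank credit
                    continue
                self.deficit[net] += self.quanta[net]
                while q and q[0] <= self.deficit[net] and q[0] <= remaining:
                    size = q.popleft()
                    self.deficit[net] -= size
                    sent[net] += size
                    remaining -= size
                    progress = True
            if not progress:
                break  # nothing fits in what is left of the budget
        return sent


def starvation_demo():
    """One network floods; the others still receive their full offered load."""
    drr = DeficitRoundRobin({"voice": 1500, "video": 3000, "data": 1500}, queue_limit=50)
    for _ in range(10):
        drr.enqueue("voice", 200)    # 2000 bytes of small VoIP frames
    for _ in range(10):
        drr.enqueue("video", 1000)   # 10000 bytes of video
    dropped = sum(0 if drr.enqueue("data", 1500) else 1 for _ in range(60))  # flood
    sent = drr.schedule(budget_bytes=20000)
    return sent, dropped


if __name__ == "__main__":
    print(starvation_demo())  # ({'voice': 2000, 'video': 10000, 'data': 7500}, 10)
```

Voice and video are served completely, the flooding data network is held to its weighted share of the 20000-byte interval, and the 10 frames it could not queue are dropped from its own queue only. Latency and jitter control for real-time networks would layer a strict-priority queue ahead of this weighted stage, which the example deliberately does not model.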
Figure 4: Secure virtual networks over a single physical infrastructure
Allied Telesis Switches & IT Virtualization
Integration of Allied Telesis switches with server and workstation virtualization
The Allied Telesis Enterprise LAN offering is highly compatible with successful IT virtualization, as the Allied Telesis hardware and feature set offering has been developed to deliver similar outcomes.
Waste reduction, cost optimization, and maximization of network performance and uptime have been key drivers of Allied Telesis technology development for some time, and are among the defining characteristics of the xSeries switches and the AlliedWare Plus operating system.
The flexible and expandable nature of the product line, with its low investment entry point and ability to add building blocks almost seamlessly, fits very well with the aims of IT virtualization.
The delivery of a full enterprise switching feature-set on a series of products with increasing performance and physical-resiliency capabilities enables an enterprise to target its investments at levels that are appropriate to the needs of different parts of its organization.
To fully understand the extent to which the Allied Telesis enterprise switch offering is compatible with IT virtualization, we need to look at some of the specific capabilities of the IT virtualization solutions currently available in the market.
Appropriate provisioning of hardware capacity
Server virtualization enables the network to maximize the utilization of the processing capability across all available servers. This avoids the need to over-invest in individual high-powered servers which must, alone, meet the peak requirements of particular applications, but spend much of their time underutilized. Instead, that peak load can be spread across existing lower-powered units. As processing requirements increase, the capacity can be increased in a cost-effective manner by gradually adding more units. Similarly, it is possible to have a regular program whereby sets of older units are retired (or redeployed to other tasks) and replaced by a smaller number of more modern units.
This ability to provision processing capacity in a gradual and managed fashion is greatly preferable to increasing capacity in large expensive chunks, made more expensive by the need to over-provision in order to cover (unquantifiable) future growth.
Similarly, Allied Telesis has taken the approach of delivering LAN switching capacity in a manner that allows for gradual increments. With a very affordable entry cost for standalone Gigabit switches, further Gigabit, 10 Gigabit, 40 Gigabit and 100 Gigabit switching capacity can be gradually added by integrating new units into virtual chassis stacks. As older models are retired from core switching roles, they can continue to be used in access or edge roles. At no point do you need to make a big investment into a single large chassis-type switching unit that has no migration path when its useful life in the core is over.
Moreover, building core switching capacity from discrete units provides flexibility as business needs change. Individual units of switching capacity can be moved to where they are needed, rather than having to remain concentrated in a monolithic core.
Seamless addition/replacement of hardware components
Virtualization has had a remarkable effect on the ease with which physical servers can be added, removed, or replaced in the network. The ability to shift load off a particular server prior to its removal, coupled with the automatic assimilation of newly added servers, has moved the industry towards the concept of a plug-and-play data-centre. Hardware can be rearranged with zero downtime, and very little management overhead.
Similarly, the Allied Telesis product line delivers hitless hardware rearrangement:
- Service modules can be hot-swapped in and out, allowing you to add extra connectivity or backbone bandwidth with zero downtime. Connectivity and bandwidth can also be rearranged within the network with zero downtime.
- Individual switches can be swapped in and out of a virtual chassis stack with zero downtime. Just as server processing capacity can be increased in a gradual, managed fashion, so too can core switching capacity; and without the need to schedule network downtime.
- Redundant power supplies can be hot-swapped, avoiding downtime due to power supply failures.
Reliable management of network resources
The advantages of virtualization are most fully realized when the management system is able to achieve finely tuned dynamic load balancing across different machines. This requires that the management system can closely monitor the operation of every machine, and that machines can quickly and accurately transfer processing to each other. These activities cannot be reliable unless the communications that control them are reliable.
Reliable transport of communication sessions across an Ethernet network is achieved by priority queuing within the switches. However, the increasing convergence of real-time services on the LAN creates competition for those high priority queues. VoIP, video, process control, remote desktop sessions, and Layer 2 and 3 control protocols are all sensitive to loss and delay. Adding virtualization control traffic to this mix further complicates the QoS requirements. Ensuring reliable transport of all this loss- and delay-sensitive data, in even the busiest circumstances, requires a sophisticated QoS implementation. Allied Telesis advanced Enterprise switches have an unparalleled QoS capability. The fine-grained data classification, flexible marking, accurate shaping, and rich queuing and scheduling functionality enable the creation of QoS policies capable of meeting the most demanding requirements.
Simple, reliable disaster recovery provisioning
An emerging benefit of IT virtualization is its ability to simplify the managing of a remote site for disaster recovery.
Once tools had been developed that enable fine-grained control of virtual machines and data storage within a live site, it was a small step to add a system replication capability. So, virtual IT management systems can automate the maintenance of replicated data storage and machine images at a remote site.
A component of the effectiveness of the disaster recovery system is the provisioning of alternative data paths between the live site and the remote disaster recovery sites. The Allied Telesis solution for resilient data communication between physically separated sites is Ethernet Protection Switching Ring (EPSR), as seen in figure 5. EPSR provides carrier-grade resiliency over a ring topology. Using a simple and highly reliable loop protection protocol, it can restore communication within as little as 50ms after a link or node failure. Furthermore, it can operate over aggregated links, to provide even stronger link and path resiliency.
Using EPSR over one or more 10 Gigabit links is a cost-effective means to enable extremely reliable and rapid communications between a live site and a disaster recovery site.
Figure 5: Resilient data communication between separated sites
Conclusion
The Allied Telesis product range delivers unique capabilities and solutions in the virtualization of Ethernet infrastructure. The flexible, scalable, reliable product set integrates naturally with the aims and needs of IT virtualization. The characteristic benefits of virtualized networks are enhanced by complementary features and solutions from Allied Telesis.