Cisco and other network vendors are taking network virtualization beyond VLANs, into the data center, and strategizing about what the network becomes in a virtualized enterprise.
Amid the excitement of virtualizing server, storage and desktop resources, the network hasn't received much attention. As these virtual resources take their places in the New Data Center, however, the network will emerge from behind the scenes to command center stage and play a pivotal role in tomorrow's virtualized environments.
This isn't to say the concept of network virtualization is new - virtual LANs (VLAN), VPNs and MPLS, enabling multiple virtual connections to share bandwidth resources on one network pipe, are longtime favorites. The rush to virtualize multiple infrastructure and application resources, however, is changing the rules for network virtualization, and IT managers are gearing up for the network's second act.
"Virtualization is the most disruptive technology to hit networking in 10 years. It's the first computing architecture that has a high network dependency, which means the network architecture going forward has to be in lock step with server, storage and desktop," says Robert Whiteley, an analyst at Forrester Research. "The network historically has been plumbing that everything rode on top of. Now it is becoming the new backplane," he says.
Jeremy Gill, CIO of Michael Baker Corp., a civil engineering firm in the Pittsburgh area, agrees. "When we think of virtualization in a large environment, the more we can push down to the network layer, the better we will be from a total-cost-of-administration standpoint," he says. "VMware took a great first step with x86 server virtualization, but now it's time to embed this knowledge at the network layer."
For the network to serve a virtual environment best, however, some cardinal rules of networking must change, industry watchers say. For one, the flexibility and portability of virtual-server resources demand that the traditional, three-tiered network architecture - edge, distribution and core switches - collapse into a flat landscape across which virtual machines can be allocated and reallocated.
"Server virtualization has very much blurred the line of where the network stops and the server begins," says Andreas Antonopoulos, an analyst with Nemertes Research.
Take VLANs in a virtual-server environment, for instance. Administrators might use a Layer 2 VLAN to allow virtual machines to travel freely between two data centers while remaining on the same subnet. Because Layer 2 routing is local and Layer 3 is used to go from one subnet to another, this type of design "goes against everything taught in traditional networking," Antonopoulos says. "It violates the sacred cows of networking and makes no sense using the old rules."
Adopting server- and storage-virtualization technologies forced The First American Corp. in Santa Ana, Calif., to rethink its network architecture, says Jake Seitz, enterprise architect at the company, which provides business information to consumers and businesses.
In the physical world, for example, First American relied on many VLANs to segment traffic. In the virtual world, fewer VLANs are required on a switch - and that makes planning more of a challenge. "Being able to consolidate many services virtually on the same hardware reduces the need to create as many VLANs, but now their importance increases because there are fewer of them," he says.
"In the past, you could have disparate networks, and one being down didn't affect everyone. In a virtualized environment, if you make a change, it's a global change and everyone is touched," Seitz explains. "The gamut of all these applications that make up the business now go riding on a common pipe; and when you start piling everything on there, the importance of that pipe becomes very apparent - especially when you have a problem," he says.
In addition, IT has made sure the network doesn't become a bottleneck by segregating the VMware VMotion management data from the network traffic, Seitz says. "We don't want VMotion traffic to influence how our customer-facing and revenue-generating applications behave," he says.
Making sure nothing goes amiss as First American rearchitects its networks also has meant IT process change, Seitz says. New change-management boards with representatives from each IT discipline - servers, storage, networks and so forth - work to make sure nothing gets lost and no errors get introduced "while we collapse the network," he says.
That's a smart move, says Forrester's Whiteley, who points out that the network has yet to come up in talks around server virtualization at most companies because deployment hasn't reached critical mass. "A small amount of virtualization in servers, storage and desktops doesn't stress the network, but as enterprise companies scale out, they will hit a tipping point at which they will become highly dependent on the network and bottlenecks will ensue," he says.
Network security in the form of firewalls and DMZs also is undergoing changes because of virtualization. In some cases, people are placing inward- and outward-facing machines on the same pool of resources and collapsing multiple DMZs into a single zone, changing the traditional role of the perimeter.
And although enterprises are adopting virtual network services, such as load-balancing, virtual security-related services aren't as popular. The network security changes are ahead of most network managers' comfort levels, says Ian Rousom, who works in Infrastructure Design Engineering for Lockheed Martin Enterprise Business Services in Denver.
"Most reputable network vendors offer some kind of virtual-firewall capabilities that they are integrating directly into switching platforms," Rousom says. "Opposition to network-security virtualization usually involves a mindset that virtualization somehow decreases the effectiveness of security to an unacceptable level. Most organizations must carefully determine the actual level of risk of virtualizing network security, then weigh those risks against the cost advantages of needing fewer physical devices," he says.
Virtual moves by network vendors
A virtualized enterprise's success relies on the network gaining more intelligence about the virtual components it will be routing. That means network-gear vendors at the very least need to make their equipment virtualization-aware: In other words, the switch must be able to spot virtual resources and comprehend their actions.
Ideally, physical-network gear would have visibility into the virtual resources and could allocate those resources based on knowledge of the physical and virtual realms. The gear would have predefined server-, storage- and network-resource policies for a given service, and could allocate those resources as virtual and physical conditions change. The network gear would have to be able to communicate with computing resources and vice versa.
Network vendors don't understand the computing world very well, however, so they will have to work with the virtual-server companies to make sure that when a virtual event happens the network understands what to do with the traffic, says Zeus Kerravala, an analyst at The Yankee Group. "For the network to be the governing component, it needs to understand the application process as well," he says, noting that Cisco has a good handle on this.
Cisco has worked closely with VMware, in which it holds a stake, to exploit VMware APIs and enable Cisco gear to tackle virtual environments. With its VFrame Data Center, Cisco offers a policy-orchestration and -management engine for highly virtualized environments. Plus, the Nexus 5000 data center switch supports virtual machine capabilities, which allow the dynamic provisioning of application and infrastructure services from shared pools of compute, storage and network resources.
Other vendors have been working on network virtualization, too - though their approaches aren't as advanced as Cisco's. Nortel, for example, is developing the Virtual Services Switch 5000, expected later this year, for virtualizing firewall, application-switching and SSL-acceleration services. The VSS 5000 switch will be able to consolidate these virtual functions into a single device, then orchestrate and provision services to different departments or workgroups based on predefined policies, the company says.
3Com has taken the partnership route, pairing with LineSider Technologies to include virtualization capabilities in its MSR Series multiservice routers. The goal is to let users virtualize networks and improve management of infrastructure services, 3Com says.
F5 Networks has gained a file-virtualization offering through its acquisition of Acopia Networks, as application acceleration vendors across the board have been developing and partnering to consolidate network services from many appliances into one. Riverbed Technology, for example, has teamed with IP address-management vendor Infoblox on an appliance that will combine a virtual instance of Infoblox's core network-services software with the Riverbed operating system. The goal is to couple local branch services with core network services such as DNS and RADIUS.
While such products might boast some virtual capabilities - which is good - virtual-machine-aware gear is the future, network managers say. Only by outfitting networks with virtual-machine-aware gear will they be able to smooth the transition from traditional networks to those of the virtual realm.
Such companies as VMware also will be expected to work more closely with network-gear vendors to make hypervisor technology network-aware. Enabling native integration between virtualization technologies and network equipment will give network managers the visibility into the virtualization layer they need to monitor traffic, manage resources and prevent performance degradations.
"VMware and the like will be working hard to be the network-aware virtual vendors," Baker's Gill says. "And Cisco will want to become the leading-edge virtual network vendor. It will be an interesting time."