Network World

Chapter 4: A Virtualization Technologies Primer: Theory

Cisco Press
By Victor Moreno, Kumar Reddy, Network World, 12/17/2007

This chapter covers the technology used to build virtualized networks (VNs). As discussed previously, virtualization is not just about IPsec tunnels in the WAN—it covers a wide range of technology options on routers and switches. There are virtual partitions on routers and switches and protocol extensions that combine to maintain the end-to-end coherency of VNs across a shared infrastructure. We consider virtualization in three main sections:

  • Devices—How is traffic separation maintained internally to a device? What are the primitives used for Layer 2, Layer 3, or Layer 4 traffic?

  • Data path—How is traffic separation enforced across a network path? What tools are available to maintain the separation across a network?

  • Control plane—Because data-path virtualization essentially builds an overlay topology, what changes are needed for routing protocols to function correctly?

This chapter does not cover architectures, topologies, or designs. The purpose of this chapter is to make sure you understand the technology before using it. (The world would be a better place if this principle were universally applied).

The general format for each section of this chapter is to start with a discussion of the protocol technology, highlighting any important details, with some limited configuration examples.


Network Device Virtualization

One of the characteristics of a VN is that it provides what are essentially private communication paths between members of a group over a shared infrastructure. This creates two requirements for the network infrastructure:

  • Traffic from one group is never mixed with another—For sending and receiving traffic over shared links, tunnels (many borrowed from existing virtual private network [VPN] solutions) can guarantee data separation. Network devices need to enforce group separation in their internal memory (for example, during routing table lookups, access lists processing, or NetFlow statistics gathering).

  • Each VN has a separate address space—This requirement is derived from the fact that VNs offer the same characteristics as a physical network. Address space and forwarding within it are two of the most basic aspects of any network.


Note - In this section, we start with a narrow definition of device virtualization as creating a separate address space within a network device. However, you can think of this as a special case of a more general definition of a virtualized device, which is the ability for an administrator to allocate device resources to different uses. The first device resource we consider is address space, but as we proceed through both the chapter and book, we include different layers of device policy control mechanisms, such as quality of service (QoS) and security rules. Therefore, the final picture of a virtualized device will be much closer to the general definition.


The first problem to solve is how to virtualize the forwarding plane in a way that meets the requirements for address and traffic flow separation. Depending on the type of device, the virtual separation can go by the following names:

  • Virtual LAN (VLAN)

  • Virtual routing and forwarding (VRF)

  • Virtual forwarding instance (VFI)

  • Virtual firewall context


Layer 2: VLANs

VLANs are a good example of a piece of the virtualization puzzle that has been around for quite some time. A VLAN is a logical grouping of ports on a switch that form a single broadcast domain. Ports in a VLAN can communicate only with other ports in the same VLAN. How a given switch does this is implementation dependent, but a common solution is for the switch to tag each frame with a VLAN number as it arrives on a port. When a frame is sent to other ports, the output hardware copies the packet only if it is configured with the VLAN number carried in the frame.

On an Ethernet switch, there is typically a single MAC table, which maps ports to MAC addresses. To support VLANs (and simple Layer 2 virtualization), the MAC table has a field for the VLAN number on which the station was discovered, as demonstrated in Example 4-1.

Example 4-1  Switch MAC Table

Switch# show mac-address-table
...
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0010.0de0.e289      Dynamic         1 FastEthernet0/1
0010.7b00.1540      Dynamic         2 FastEthernet0/5
0010.7b00.1545      Dynamic         2 FastEthernet0/5
0060.5cf4.0076      Dynamic         1 FastEthernet0/1
0060.5cf4.0077      Dynamic         1 FastEthernet0/1
0060.5cf4.1315      Dynamic         1 FastEthernet0/1
0060.70cb.f301      Dynamic         1 FastEthernet0/1
00e0.1e42.9978      Dynamic         1 FastEthernet0/1
00e0.1e9f.3900      Dynamic         1 FastEthernet0/1

Note - The output in Example 4-1 was taken from http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a0080417db7.html#wp1021274.


The summary effect of the VLANs is to partition the switch into logical Layer 2 domains. Each domain has its own address space and packets from one domain are kept separate from those of another.
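The tagging and per-VLAN MAC table described above can be modelled in a few lines. The following is an added example, not code from the chapter: it parses the dynamic rows of Example 4-1 into a table keyed on (VLAN, MAC) and forwards frames the way the text describes. It assumes access ports only, a constructed port-to-VLAN map, and constructed port names (FastEthernet0/2, FastEthernet0/6) and source MACs that do not appear in the chapter.

```python
# Added example, not from the chapter: a minimal model of a VLAN-aware switch.
# The MAC table is keyed on (VLAN, MAC), as the columns of Example 4-1 show, so a
# station known in VLAN 1 is "unknown" to a frame in VLAN 2 and never receives it.
from dataclasses import dataclass, field

# Constructed sample: four dynamic rows copied from Example 4-1.
MAC_TABLE_TEXT = """\
0010.0de0.e289      Dynamic         1 FastEthernet0/1
0010.7b00.1540      Dynamic         2 FastEthernet0/5
0010.7b00.1545      Dynamic         2 FastEthernet0/5
0060.5cf4.0076      Dynamic         1 FastEthernet0/1
"""

def parse_mac_table(text):
    """Parse 'show mac-address-table' rows into {(vlan, mac): port}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "Dynamic":
            continue                      # skip headers, separators, blanks
        mac, _kind, vlan, port = parts
        table[(int(vlan), mac.lower())] = port
    return table

@dataclass
class VlanSwitch:
    port_vlan: dict                       # port -> VLAN (assumed: access ports only)
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port, src_mac, dst_mac):
        """Tag the frame with its ingress VLAN, learn the source, pick egress ports."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port      # learned within this VLAN only
        out = self.mac_table.get((vlan, dst_mac))      # lookup key includes the VLAN
        if out is not None:
            return [] if out == in_port else [out]     # filter, or unicast
        # Unknown destination in this VLAN: flood to same-VLAN ports, never others.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)

def demo():
    """A station known in VLAN 1 is reachable from VLAN 1 but not from VLAN 2."""
    sw = VlanSwitch({"FastEthernet0/1": 1, "FastEthernet0/2": 1,
                     "FastEthernet0/5": 2, "FastEthernet0/6": 2},
                    parse_mac_table(MAC_TABLE_TEXT))
    same_vlan = sw.forward("FastEthernet0/2", "0000.0000.aaaa", "0010.0de0.e289")
    cross_vlan = sw.forward("FastEthernet0/6", "0000.0000.bbbb", "0010.0de0.e289")
    return same_vlan, cross_vlan
```

The second frame in demo() is flooded only to FastEthernet0/5, the other VLAN 2 port, even though its destination MAC is present in the table; the separation holds only because the VLAN is part of the lookup key.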
