Fabric Virtualization

Multitenancy, Network Segmentation, Tenant vRouters

Open Fabric Virtualization – Unifying the Overlay and Underlay Networks

The Overlay Network concept was very convenient for those building VXLAN networks to connect two or more L2 networks over L3. However, the overlay model creates a number of challenges and problems, including a lack of visibility into network traffic. Fortunately, there is a solution from Pluribus Networks: Open Fabric Virtualization.


Features

  • Virtual Networks with VLAN/subnet re-use
  • Multiple Virtual Routers (HW accelerated)
  • Role-based Access Management (RBAC)
  • Virtual Network Services:
    • Domain Name Services (DNS)
    • PXE Server
    • Network Time Protocol (NTP) Server
    • Precision Time Protocol (PTP)
  • OpenStack ML2 Neutron Plugin

Network Segmentation

Network segmentation, the ability to take a single physical network and slice and dice it into individually manageable parts, is very important for modern networks, particularly in the data center. Netvisor provides this capability through VNETs (virtual networks).

Each VNET has its own set of network services, such as DNS and DHCP. VNETs are not limited to a single rack; they are a fabric-wide feature, and the network can be managed from any switch. Any VLAN can span any switch (or port) in the network, and every VNET has its own set of VLANs. Netvisor virtualizes the network and masks the underlying network complexity from the applications.

A typical implementation would be similar to the following diagram:

NetVisor VNET Network Segmentation

This segmentation can be easily achieved using the Netvisor architecture. The database servers can run on different machines connected to the switches in the fabric; they will all be part of the VNET “Database”.

VNET & Software-Defined Infrastructure


Virtual Network Goals

  • A VNET provides a physical-network-topology-independent abstraction for multi-tenancy
  • The fabric administrator creates VNETs and gives each tenant control over a dedicated set of switch ports across the fabric, termed vnet-private-ports
  • A VNET has full control over its vnet-private-ports, its own 4k VLANs and any IP address range, without conflict with other tenants
  • A tenant also has access to shared ports for shared services such as external routers
  • A VNET gets a topology-independent view of its physical ports and VPORTs
  • A tenant has access to an independent container-based vnet-manager to configure and manage its own resources and the application analytics related to its physical servers, VMs and applications

VNET Resources

  • A VNET gets the following resources under its control:
    • Assigned vnet-private-ports across the fabric that connect its bare-metal servers, virtualized servers (vswitch or SR-IOV based) and storage devices
    • VPORTs related to its VMs and containers (each bare-metal server also has a VPORT)
    • For VLAN-based VNETs, control over the assigned VLANs that it can manage
    • For VXLAN-based VNETs, control over the full 4k VLAN space, independent from other tenants
    • Any IP address range, independent from other tenants
    • Shared ports for accessing shared services such as routing
    • Ability to assign VXLAN VNIs to fabric tunnels and create tunnels between the switches (hardware VTEPs) and its servers using vnet-private-ports
  • A VNET has the ability to manage its own resources:
    • The VNET also gets a container-based VNET manager that runs a CLI to manage its private ports, VLANs, VXLAN VNIs and shared services
  • Application analytics:
    • The VNET also has access to its own application analytics (every TCP connection between its servers, VMs and storage), with the ability to filter and retrieve historical data directly from the CLI

Communication between VNETs – vRouters

Communication between VNETs can be routed over the fabric using vRouters. Netvisor offers hardware vRouters as well as software vRouters. In the following, we illustrate the creation of some vRouters.

Creating vRouters

Webinar On-Demand with explanation of our Segmentation approach applied to Security

Securing IT Through Macro-Segmentation

Solution Brief – Macro-Segmentation for Security


Blog: Securing Your Data, One Next-Generation Data Center at a Time


Includes 7 Security Architecture Principles
Author: Jonathan Cornell – Principal Architect