![Page 1: Roman Hochuli - nexellent ag / Mathias Seiler - MiroNet AG](https://reader036.vdocuments.us/reader036/viewer/2022071300/60890a92d8a1af25c9587521/html5/thumbnails/1.jpg)
Roman Hochuli - nexellent ag / Mathias Seiler - MiroNet AG
Page 2 (diagram): Core / Distribution / Access layers, traffic flowing North-South
Page 3 (diagram): Core / Distribution / Access layers, traffic flowing North-South; Upstream #1, Upstream #2, Peering #1 and Cust attached through the Internet (“Series of Tubes”)
Page 4 (diagram): Internet → Web Server → Application Server → Database Server, traffic flowing East-West
Page 5 (diagram): Internet → Web Servers → Application Servers → DB Server / DB Server, traffic flowing East-West
Page 6 (diagram): Virtualized Workloads: Internet → Web Servers → Application Servers → DB Server / DB Server, traffic flowing East-West
Page 7 (diagram): Virtualized Workloads: Internet → Web Server → SSL Session Broker → Virtualized Desktops → File Server, traffic flowing East-West
Page 8
- Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system.
- Software executed on these virtual machines is separated from the underlying hardware resources.
Source: http://en.wikipedia.org/wiki/Virtualization
Page 9
- Show of hands:
  - Xen
  - KVM
  - VMware
  - Hyper-V ???
  - OpenStack ?
  - other ?
Page 10 (diagram): labels: Bottleneck, STP Overhead
Page 11 (diagram): Leaf / Spine
Page 12
- What if 1k/4k VLANs are not enough for you? (hint: they aren’t ;)
- Your customers want to use overlapping IP addresses internally?
- How much time does it take to provision a VLAN through all devices?
- How many devices do you have to touch to provision one single VLAN?
- How do you manage your VLANs? Excel…?
- How to interconnect redundant sites without L2 links (topic: DCI)?
Page 13
- Abstraction
- Flexibility
- Automation
Page 14
- Large-scale network segmentation (L2)
- Multi-tenancy
- Mobility/Portability (DC to DC, SP to SP)
Page 15
- Layer-2 overlay networking
- New protocols being introduced
- Basic operation:
  - encapsulate L2 traffic with a new header at the virtual network edge
  - send the traffic over the existing network
  - decapsulate the L2 traffic at the other virtual network edge
- The virtual network edge may be a hypervisor / appliance / physical device
Page 16
- VXLAN
  - Virtual Extensible Local Area Network
  - originally developed by VMware and Cisco
  - now IETF draft-mahalingam-dutt-dcops-vxlan-04
  - 24-bit “Virtual Network Segments”
  - relies upon multicast to carry broadcast, unknown unicast and multicast traffic originated within a tenant (multicast routing, anyone?)
  - some vendors develop add-ons to alleviate the reliance upon multicast
  - encapsulated traffic is UDP (same src port/dst port for all packets → LAGs, anyone???)
Page 17
- NVGRE
  - Network Virtualization using Generic Routing Encapsulation
  - originally developed by Microsoft (yuck!)
  - now IETF draft-sridharan-virtualization-nvgre-02
  - 24-bit “Virtual Subnets”
  - encapsulated traffic is GRE with slightly mangled headers to reflect the VSID and the L2 payload
  - the protocol specification does not specify how tunnel endpoints find each other (WTF?!?)
  - the only existing implementation (Hyper-V) pre-populates host-to-tunnel-endpoint mappings via PowerShell scripts
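The two encapsulations on pages 16 and 17 differ only in the outer header they wrap around the tenant's Ethernet frame. The following Python is an added example written for this page, not code from the slides or from any VXLAN/NVGRE implementation: it packs and parses the VXLAN header (UDP, 24-bit VNI) and the NVGRE header (GRE, 24-bit VSID plus 8-bit FlowID), derives the outer UDP source port from a hash of the inner frame (the mitigation the VXLAN draft recommends for exactly the LAG-hashing concern raised on page 16), and shows how the 24-bit segment ID lets two tenants reuse identical inner addresses (page 12). The MAC addresses, VNIs and payloads are constructed sample values; the function names are this example's own. Outer Ethernet/IP headers are left out.

```python
"""Added example (not from the slides): minimal VXLAN and NVGRE encapsulation.

Packs the overlay headers around a tenant Ethernet frame, parses them back,
and shows why the 24-bit segment ID lets two tenants reuse the same inner
addresses. Outer Ethernet/IP headers are left out. All MACs, IDs and frames
below are constructed sample values.
"""
from __future__ import annotations

import struct
import zlib

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08     # "I" bit: the VNI field is valid
NVGRE_PROTO_TEB = 0x6558        # GRE protocol type: Transparent Ethernet Bridging
NVGRE_FLAG_KEY = 0x2000         # GRE "K" bit: 32-bit key (VSID + FlowID) present
MAX_SEGMENT_ID = (1 << 24) - 1  # 24-bit VNI/VSID, versus 12-bit VLAN IDs


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Inner (tenant) Ethernet frame without FCS."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port derived from a hash of the inner Ethernet header,
    the entropy the VXLAN draft recommends so that LAG/ECMP hashing can spread
    flows between the same two tunnel endpoints. Kept in the ephemeral range."""
    return 49152 + (zlib.crc32(inner_frame[:14]) % 16384)


def vxlan_encap(vni: int, inner_frame: bytes) -> tuple[int, int, bytes]:
    """Return (udp_src_port, udp_dst_port, udp_payload).
    VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_SEGMENT_ID:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)
    return entropy_source_port(inner_frame), VXLAN_UDP_PORT, header + inner_frame


def vxlan_decap(udp_payload: bytes) -> tuple[int, bytes]:
    """Parse the VXLAN header; a receiver must drop frames whose I bit is clear."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags_res, vni_res = struct.unpack("!II", udp_payload[:8])
    if not (flags_res >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_res >> 8, udp_payload[8:]


def nvgre_encap(vsid: int, flow_id: int, inner_frame: bytes) -> bytes:
    """GRE header for NVGRE (carried as IP protocol 47): K bit set, protocol
    type 0x6558, key = VSID(24) | FlowID(8). GRE has no ports, so the FlowID
    byte is the only per-flow entropy available to ECMP/LAG hashing."""
    if not 0 <= vsid <= MAX_SEGMENT_ID or not 0 <= flow_id <= 0xFF:
        raise ValueError("VSID must fit in 24 bits, FlowID in 8 bits")
    key = (vsid << 8) | flow_id
    return struct.pack("!HHI", NVGRE_FLAG_KEY, NVGRE_PROTO_TEB, key) + inner_frame


def nvgre_decap(gre_packet: bytes) -> tuple[int, int, bytes]:
    """Return (vsid, flow_id, inner_frame); reject GRE packets that are not NVGRE."""
    if len(gre_packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, key = struct.unpack("!HHI", gre_packet[:8])
    if not flags & NVGRE_FLAG_KEY or proto != NVGRE_PROTO_TEB:
        raise ValueError("not an NVGRE packet")
    return key >> 8, key & 0xFF, gre_packet[8:]


def overlapping_tenants_demo() -> list[tuple[int, bytes]]:
    """Two tenants send byte-identical inner frames (same MACs, same IP payload);
    after decapsulation only the VNI tells the egress which tenant network the
    frame belongs to."""
    inner = ethernet_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                           0x0800, b"identical-inner-ip-packet")
    wire = [vxlan_encap(vni, inner)[2] for vni in (100, 200)]
    return [vxlan_decap(p) for p in wire]


if __name__ == "__main__":
    frame = ethernet_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee", 0x0800, b"payload")
    sport, dport, udp = vxlan_encap(5000, frame)
    print(f"VXLAN udp {sport}->{dport} header={udp[:8].hex()} vni={vxlan_decap(udp)[0]}")
    gre = nvgre_encap(5000, 7, frame)
    print(f"NVGRE header={gre[:8].hex()} vsid,flowid={nvgre_decap(gre)[:2]}")
```

Neither header carries any integrity protection or origin check: whoever can inject UDP/4789 or GRE packets towards a tunnel endpoint can choose the VNI/VSID, which is why the decapsulating edge should only accept tunnel traffic from known endpoint addresses and the underlay should not be reachable from tenant or Internet-facing networks (the "Security?" question on page 20).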
Page 18
- STT
  - Stateless Transport Tunneling Protocol
  - originally developed by Nicira
    - the company behind Open vSwitch (OVS)
    - since mid-2012 a VMware company
  - now IETF draft-davie-stt-03
  - 64-bit “Context ID”
  - encapsulated traffic is TCP
  - can leverage the NIC's TSO functionality
Page 19
- You gotta love standards bodies: they even produce new standard problems: "Problem Statement: Overlays for Network Virtualization" (draft-ietf-nvo3-overlay-problem-statement-03)
- Anyone noticed these were all submitted to the IETF? Why not an RFC or maybe even IEEE?
- The IETF started a whole Network Virtualization Overlays WG → NVO3
Page 20
- MPLS over IP instead?
  - What would we win? What about hardware support?
- Security?
  - Encryption, integrity?
  - Protection from customers? Even legal issues?
- MPLS over GRE over IPsec? :)
- Portability / collaboration between SPs?
- Other creative ideas?
Page 21
- Virtual Firewalls
  - VMware vCNS, Cisco ASA 1000v, …
- Virtual Load Balancers
  - VMware vCNS, Citrix NetScaler, F5 BIG-IP, …
- Virtual Routers
  - Brocade/Vyatta VRouter, Cisco CSR 1000v, …
- Virtual Switches
  - VMware DVS, Cisco Nexus 1000V, IBM DVS 5000V, OVS, …
Page 22
- Compute and fabric edge are merging
- The first hop is probably virtual
- The network edge is blurring and runs partly on x86 servers
- Where’s the DC edge?
Page 23
- Why?
  - DR / DA
  - “Hot” migrations
- How?
  - Encapsulate frames into IP (sounds familiar?) :)
  - Wait …
  - Why not “stretch” VXLANs? Problem solved … right?
Page 24
- Common problems of “stretched VLANs”
  - Broadcasts
  - Per-VLAN flood rate-limiting (noisy neighbor)
  - Unknown unicast blocking at the WAN/DC edge
  - In general: much smaller bandwidth on the DCI than in the DC
  - Traffic trombones (ingress + egress)
Page 25
- OTV solves most of those problems
- VXLAN does not
- OTV encapsulates MAC in UDP too
- Uses IS-IS for reachability information exchange
- Multicast is turned into multicast IP traffic
  - Multicast backbone needed!
  - Or IP multicast over GRE :)
- Fun fact: OTV is actually EoMPLSoGRE in vendor C’s current implementation :)
Page 26
- Still, stretching VLANs across data centers might not be the best idea in all cases
  - Do the math! (Distributed storage)
  - Danger: partitioned cluster → probably 1/2 of the services restarting
  - Disaster: split brain :(
Page 27
- VPLS
- BGP MPLS-based MAC VPN
- LISP: this time not trying to solve the global routing table size problem
  - Works together with L2 virtualization (VXLAN, OTV)
  - Single IP mobility across subnets (even foreign subnets)
  - Could even do L2 in LISP (any implementations?)
Page 28
- Locator/ID Separation Protocol
- Mapping system (like DNS) for routing (simplified :) )
- Without LISP: when a host moves, it acquires a new IP address and thus a new identity
- With LISP: when a host moves, it preserves its IP address (identity), but its locator changes
Page 29 (diagram, “Cold” Migration, Without DCI): labels LISP B / LISP A, DC Basel / DC Zürich, AS65000 / AS65001, 10.10.10.0/24 / 10.20.20.0/24, host 10.10.10.5 before / after, 192.168.20.1 / 172.16.1.1
Page 30 (diagram, “Hot” Migration, With DCI): labels LISP B / LISP A, DC Basel / DC Zürich, AS65000 / AS65001, 10.10.10.0/24 / 10.20.20.0/24, host 10.10.10.5 before / after, 192.168.20.1 / 172.16.1.1
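Pages 28 to 30 describe the LISP mapping system and the two migration cases only in prose and diagrams. The following Python is an added example for this page, not code from the slides or from any LISP implementation: a toy map-server with longest-prefix EID lookup, an ingress tunnel router that wraps packets between locators, and the cold (renumbering, no LISP) versus hot (same EID, new locator) migration of host 10.10.10.5. The prefixes, host address and locator addresses are the values on the diagrams; which site each locator belongs to, the third-site locator 203.0.113.1, and the method names (`map_register`, `map_request`, `itr_encapsulate`) are this example's own assumptions.

```python
"""Added example (not from the slides): a toy LISP-style mapping system.

Models what the two migration diagrams show: without LISP a host that moves
to the other data center has to take an address from that site's prefix and
so changes identity; with LISP the map-server learns a new locator for the
same EID and only the outer header of encapsulated traffic changes. Prefixes,
host and locators are the slide values; which locator belongs to which site
is assumed, and the API names are this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address

BASEL_PREFIX, BASEL_RLOC = "10.10.10.0/24", "192.168.20.1"   # AS65000 (assumed pairing)
ZURICH_PREFIX, ZURICH_RLOC = "10.20.20.0/24", "172.16.1.1"   # AS65001 (assumed pairing)
HOST = "10.10.10.5"


@dataclass
class MapServer:
    """EID-prefix -> locators. A real Map-Register also carries TTL, priority,
    weight and an HMAC over the message; only the mapping itself is modelled."""
    mappings: dict[IPv4Network, list[IPv4Address]] = field(default_factory=dict)

    def map_register(self, eid_prefix: str, rlocs: list[str]) -> None:
        self.mappings[IPv4Network(eid_prefix)] = [IPv4Address(r) for r in rlocs]

    def map_request(self, eid: str) -> list[IPv4Address]:
        """Longest-prefix match: a host /32 registered after a move wins over its site /24."""
        addr = IPv4Address(eid)
        covering = [p for p in self.mappings if addr in p]
        if not covering:
            return []  # negative map-reply: not a LISP EID, forward natively
        return self.mappings[max(covering, key=lambda p: p.prefixlen)]


def itr_encapsulate(ms: MapServer, src_rloc: str, src_eid: str, dst_eid: str) -> dict[str, str] | None:
    """Ingress tunnel router: resolve the destination EID and wrap the packet in
    an outer IP header between locators. None means no mapping (send natively)."""
    rlocs = ms.map_request(dst_eid)
    if not rlocs:
        return None
    return {"outer_src": src_rloc, "outer_dst": str(rlocs[0]),
            "inner_src": src_eid, "inner_dst": dst_eid}


def renumber_without_lisp(host: str, old_prefix: str, new_prefix: str) -> str:
    """Cold migration without LISP: keep the host part, take the new site's
    prefix. The host's IP address, and with it its identity, changes."""
    offset = int(IPv4Address(host)) - int(IPv4Network(old_prefix).network_address)
    return str(IPv4Network(new_prefix).network_address + offset)


def hot_migration_with_lisp() -> tuple[dict[str, str], dict[str, str], list[str]]:
    """Hot migration with LISP: same EID, new locator. Returns the ITR's
    encapsulation before and after the move, plus the locator that a
    neighbour of the moved host still resolves to."""
    ms = MapServer()
    ms.map_register(BASEL_PREFIX, [BASEL_RLOC])
    ms.map_register(ZURICH_PREFIX, [ZURICH_RLOC])
    remote_itr = "203.0.113.1"   # a third site's locator (constructed, TEST-NET-3)
    before = itr_encapsulate(ms, remote_itr, "10.30.30.9", HOST)
    # The host moves to Zürich: the xTR there registers a /32 with its own locator.
    ms.map_register(f"{HOST}/32", [ZURICH_RLOC])
    after = itr_encapsulate(ms, remote_itr, "10.30.30.9", HOST)
    neighbour = [str(r) for r in ms.map_request("10.10.10.6")]
    return before, after, neighbour


if __name__ == "__main__":
    print("cold, no LISP:", HOST, "->", renumber_without_lisp(HOST, BASEL_PREFIX, ZURICH_PREFIX))
    before, after, neighbour = hot_migration_with_lisp()
    print("hot, LISP: outer_dst", before["outer_dst"], "->", after["outer_dst"],
          "inner_dst stays", after["inner_dst"], "; 10.10.10.6 still at", neighbour)
```

The more-specific registration is the whole mechanism, which also makes the mapping system the trust anchor: any party that can register a /32 for an EID redirects all of that host's traffic. Real deployments therefore authenticate Map-Registers (the LISP control plane carries an HMAC keyed per xTR) and restrict each xTR to the EID prefixes it is authorised to register.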
Page 31
- Possible future scenarios
  - IPv4 address trading beyond /24 (oh-oh) :)
  - Automatic distribution between different SPs
  - IPv6 deployment on cloud SPs without IPv6 support :)
  - Public “anycasted” LISP service (cooperation between SPs, announcing each other’s selected prefixes over BGP)
  - Automated failover / site recovery “as-a-service”
Page 32
- Basic inner workings of a network device
(diagram): Management plane, Control plane, Data plane; Configuration, Forwarding Instructions, Statistics
Page 33
- Separation of control / data plane
(diagram): Management plane and Control plane (Configuration, Forwarding Instructions) above several Data planes, connected via OpenFlow
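Pages 32 and 33 show the planes of a network device only as boxes. The following Python is an added example for this page, not code from the slides or from any OpenFlow controller or switch: it models the split as a data plane that owns just a priority-ordered match/action table (with per-entry statistics) and a separate MAC-learning controller that only ever sees table-miss packets and answers by installing flow entries. Ports, MAC addresses, the `punt_budget` parameter and all class and method names are this example's own constructions; the OpenFlow wire protocol itself is not modelled.

```python
"""Added example (not from the slides): toy control/data-plane split in the
OpenFlow style. The data plane is only a priority-ordered match/action table;
the controller is a separate object that sees just the table-miss packets
(packet-in) and installs entries (flow-mod). Ports, MACs, packets and the
punt budget are constructed samples; the OpenFlow wire protocol is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    dst_mac: str


@dataclass
class FlowEntry:
    priority: int
    match: dict[str, object]   # field -> value; an absent field is a wildcard
    actions: list[str]         # e.g. ["output:2"], ["flood"], ["drop"]
    packets: int = 0           # per-flow counter: the "Statistics" box on page 32

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class DataPlane:
    """Switch: forwards from its table and punts only misses to the controller."""

    def __init__(self, controller: "Controller", punt_budget: int) -> None:
        self.table: list[FlowEntry] = []
        self.controller = controller
        self.punted = 0
        self.punt_budget = punt_budget   # cap on packet-ins sent to the controller

    def flow_mod(self, entry: FlowEntry) -> None:
        """Control-plane instruction: add an entry, highest priority first."""
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def forward(self, pkt: Packet) -> list[str]:
        for entry in self.table:
            if entry.matches(pkt):
                entry.packets += 1
                return entry.actions
        if self.punted >= self.punt_budget:
            return ["drop"]              # keep a miss flood from saturating the controller
        self.punted += 1
        return self.controller.packet_in(self, pkt)


class Controller:
    """MAC-learning control plane living outside the switch."""

    def __init__(self) -> None:
        self.mac_to_port: dict[str, int] = {}

    def packet_in(self, switch: DataPlane, pkt: Packet) -> list[str]:
        self.mac_to_port[pkt.src_mac] = pkt.in_port
        out = self.mac_to_port.get(pkt.dst_mac)
        if out is None:
            return ["flood"]             # unknown destination: no flow installed
        actions = [f"output:{out}"]
        switch.flow_mod(FlowEntry(100, {"dst_mac": pkt.dst_mac}, actions))
        return actions


def run_scenario() -> tuple[list[list[str]], int, int]:
    """Hosts A (port 1) and B (port 2) exchange four packets. Returns
    (actions per packet, packets punted to the controller, table size)."""
    switch = DataPlane(Controller(), punt_budget=10)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    traffic = [Packet(1, a, b), Packet(2, b, a), Packet(1, a, b), Packet(2, b, a)]
    actions = [switch.forward(p) for p in traffic]
    return actions, switch.punted, len(switch.table)


def run_flood_scenario() -> tuple[int, list[str]]:
    """Ten packets from never-before-seen sources: once the budget is spent the
    data plane drops misses itself instead of punting each one upstream."""
    switch = DataPlane(Controller(), punt_budget=3)
    last: list[str] = []
    for i in range(10):
        last = switch.forward(Packet(1, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff"))
    return switch.punted, last


if __name__ == "__main__":
    print(run_scenario())        # ([['flood'], ['output:1'], ['output:2'], ['output:1']], 3, 2)
    print(run_flood_scenario())  # (3, ['drop'])
```

Once the control plane sits on a separate x86 box, the table-miss path becomes the data plane's dependency on it: every unmatched packet costs controller CPU and a round trip, which is why production switches rate-limit packet-ins and why the controller channel itself needs to be authenticated and isolated from tenant traffic.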
Page 34
- Server virtualization started it (SV)
  - CPU
  - RAM
  - Storage (to a certain extent)
- Network starts to follow (SDN)
  - Network virtualization
  - OpenFlow
- Storage next in line (SDS)
  - even today storage is mostly software
  - COTS vs. purpose-built hardware
Page 35 (diagram): SDDC: SV, SDN, SDS
Page 36
- Now that we have the whole world virtualized, what’s next?
- Automation!
→ DevOps movement
Page 37
- This story is not yet finished
- The datacenter stays a hot topic for the upcoming years
- The speed of development is incredible
- Somewhere all those poor lonely clouds have to find a home, right? ;)