
Network Virtualization: The New Building Blocks of Network Design
lippis.com

Abstract

Business and IT leaders have been demanding an IT infrastructure which is more dynamic and responsive to the quick pace of business while being less costly. By dynamic they mean the ability to deliver new applications at the speed required to be responsive to market dynamics while creating competitive differentiation. For many, IT expenditures as a percentage of revenue are to be managed down. To address these industry requirements, IT suppliers have offered virtualization technology and services. Network virtualization represents a new IT paradigm, which challenges existing assumptions and IT deployment models. In this paper we explore network virtualization as a strategy to make corporations more agile and IT expenditure more efficient. Network virtualization is presented as a new approach to network design and IT service delivery. Its four main building blocks are presented along with guiding deployment principles.

Table of Contents
A New IT Management Model Emerges
Network Virtualization Defined
Virtualized Dual Backbone
Network Service Virtualization
Virtualized Networks
The VN Architecture
Retail Goes Virtual
Virtual Service Orchestration
A New Approach To IT Service Delivery
Network Virtualization Concerns
Guiding Principles: Putting the Building Blocks To Work For Your Organization
Principle One: Re-Think IT Service Delivery
Principle Two: Think Dynamic Auto-Provisioning
Principle Three: Question New Appliance Deployments
Principle Four: Look to Pool Network Device Management
Principle Five: Consolidate Multiple Networks Into a Common Network Separated by Logical Isolation
Principle Six: Utilize All Network Resources
Principle Seven: Think Network Virtualization

A New IT Management Model Emerges

All IT leaders balance expense reduction with business growth initiatives as part of their annual plans. New business growth initiatives usually bring with them funded IT programs designed to seize opportunities. Expense reduction is a business reality independent of the financial condition of the concern, albeit expense reduction projects are ramped up during financially challenging times. This give and take of growth and expense reduction was born out of the fact that IT has been procured as a fixed asset, meaning that most IT leaders were forced to design IT resources for peak traffic/consumption utilization. This design requirement led IT to over-design their infrastructures, which remain idle during off-peak periods. Over the past five years business and IT leaders have explored a new model for IT service delivery, one which is more agile or flexible and strives to scale resources up and down based upon demand. In short, business and IT leaders have been seeking an IT infrastructure that is more responsive to business initiatives and that removes inefficiencies. This would change the current management mantra from balancing expense reduction with business growth initiatives to provisioning services when needed. The technology to deliver this new dynamic IT infrastructure is called virtualization.

Related Podcast: The First American Corporation and Network Virtualization

Data center design has been the focus of most virtualization projects, as data centers consume the bulk of IT budget spend and exhibit wide utilization swings. Virtualization delivers two main benefits: making a single IT asset available to many, or managing/pooling many IT assets as a single resource. For example, a rack of blade servers can be managed as a single server. An application can be virtualized so that its image is available as a logical entity on many servers, increasing its availability. Storage area networks are virtualized in an attempt to allocate storage more efficiently, making storage available to many servers.

Certain aspects of networking have been virtualized for nearly ten years, such as Virtual Local Area Networks (VLANs), which divide broadcast domains to service many applications, thus increasing performance. Virtualization is being extended well beyond the data center to the entire enterprise now that virtualization projects have proven their value. In particular, a new generation of network virtualization technologies is available which is becoming the new building blocks of network design. Local Area Network (LAN)-based physical networking will remain constant, that being the typical three-tier network structure of edge, distribution and core. The wide area network's (WAN's) physical structure

will also remain constant, where a router interfaces to a WAN service such as frame relay, MPLS, broadband connection, private line, etc. What is becoming virtualized are network services such as network security, management, routing, switching, broadcast domains, application intelligence, et al. With many network virtualization technologies available, deployment scenarios are as varied as business needs. For example, network virtualization delivers unique network attributes to each application, to the point where each application behaves as though it has a dedicated network servicing its needs, thus increasing application performance. Another important attribute of network virtualization is auto-provisioning, the automatic configuration of network devices based upon application demand. Consider a set of telepresence sessions being initiated. Network virtualization will detect the application initiation and configure VLANs, quality of service and other network attributes to support the application, scaling network assets both up and down without operator intervention. The benefits of network virtualization are many, ranging from revenue generation and expense reduction to increased customer satisfaction, to name a few. For those who have deployed network virtualization the returns have been large and the experiences mostly positive. This has prompted many business and IT leaders to demand that virtualization be included in annual IT plans.

Network Virtualization Defined

This white paper provides a framework for how to think about network virtualization and its associated value to your organization. Network virtualization delivers increased application performance by dynamically maximizing network asset utilization while reducing operational requirements.

There are many aspects of network virtualization, such as virtualized dual backbones, virtualized networks, network service virtualization, virtual service orchestration, network I/O virtualization, network-hosted storage virtualization, etc. All of these network virtualization technologies can be thought of as building blocks, as network virtualization represents a new way to design corporate networks and allocate resources within them. These building blocks can be deployed one at a time or layered to add value based upon business need. In fact each building block satisfies specific business needs, as discussed below. Network virtualization bridges the gap between the network as a hardware-based connectivity service and the network as a business platform delivering a wide range of IT services and corporate value. The following section details four building blocks and highlights the business value delivered to business and IT management.

Virtualized Dual Backbone

One of the first building blocks is the virtualized dual backbone. This is a new concept, which will be deployed rapidly over the next business cycle. The virtualized dual backbone increases performance and reduces administration. A dual backbone is a completely redundant backbone network design. Building and campus networks utilize a dual backbone design to ensure that paths between end-points, data centers, plus wide area and internet connections are always available. The dual backbone design is a near totally redundant backbone based upon redundancy at the edge, distribution and core tiers of a network. See Figure 1. At the network edge, both wireless LANs and dual wired LAN connections provide alternative paths between end-points and network access. There are redundant edge, distribution and core LAN switches along with their interconnections, which eliminate a single point of failure. The dual backbone network is common in large corporations and provides high network availability operation.

While dual backbones provide high reliability, the design can be improved upon. For example, there are multiple devices and control protocols to manage and troubleshoot, such as spanning tree and VRRP (Virtual Router Redundancy Protocol). To recover from a distribution switch or link failure, failover convergence times can be long, measured in seconds, which can interrupt application flow and performance. Further, redundant links between switches which use spanning tree protocol are used only in standby mode, which underutilizes these expensive resources. Further, the fact that dual backbones provide redundant switches is both a high availability feature and an operational chore requiring network operations to manage each switch separately.

Virtualizing switches and links can optimize the dual backbone network. New switch virtualization modules allow switches to be pooled and managed as one virtual system, simplifying network operations. In short, multiple switches are managed as one. Further, inter-switch links utilizing multichassis EtherChannel eliminate spanning tree and/or VRRP, reducing convergence time to below 200 ms while preserving network state information. These two virtualization aspects eliminate application disruption in the event of a switch failure, thus increasing performance. In addition to increased network reliability and simplified network operations, a virtualized dual backbone fully utilizes network capacity by activating all available bandwidth plus enabling link aggregation for server NIC (Network

Interface Card) teaming across redundant data center switches. Figure 2 illustrates the virtualized dual backbone network. The value of the virtualized dual backbone to business and IT leaders is threefold. First, network operations are simplified during configuration and ongoing management, as network devices are managed as a pooled entity and the number of control protocols is reduced. Second, overall network and application uptime is improved by the fact that virtualized switches are connected so that, in the event one device fails, there will be nearly no downtime. Third, network capacity is increased as all inter-switch and server links are utilized and maximized. The best industry example of the virtualized dual backbone is Cisco's Virtual Switching System 1440 module for its Catalyst 6500 series switches. Expect others to deliver similar functionality over the next business cycle.

Related Podcast: Cisco Redefines Modular Switching; Launches Virtual Switching

Network Service Virtualization

Another building block is network service virtualization. While all of the building blocks can be deployed in isolation, network service virtualization is an excellent strategy to consolidate multiple appliances into one, simplifying network operations and reducing acquisition cost. Network Service Virtualization (NSV) virtualizes a network service, for example a firewall module or IPS software instance, by dividing the software image so that it may be accessed independently by different applications, all from a common hardware base. NSV negates the need to acquire separate devices every time the network service is required, by running the software instances on the same physical hardware. Some NSV implementations, such as Cisco's Application Control Engine Module, can support nearly 250 separate instances of a network service software image. NSV is the natural evolution of network service delivery and packaging.

Network security provides an excellent example of this trend. To protect networks and systems from attack, or to minimize the effects of attacks, adaptive threat defense technology is evolving in two complementary directions: vertical integration and virtualization. Network security products were first brought to market as single-purpose appliances. These appliances are now bundled as a set of security functions within one appliance. For example, firewalls were offered on special-purpose hardware, as were IPS (Intrusion Protection System), VPN (Virtual Private Network), NBAD (Network-Based Anomaly Detection) and other security products. The vertical movement toward adaptive threat defense is increasingly integrating firewalls, IPS systems, VPNs (both IPSec and SSL), etc. into one appliance. This integration allows for greater software collaboration between security elements, lowers cost of acquisition and streamlines operations. For example, alarms stemming from the IPS function inspecting VPN flows could cause the firewall software to take action and change its rules to block that VPN flow. In addition to network security software collaboration, virtualizing network security software extends its reach and an IT organization's defenses.

The value of NSV to business and IT leaders is threefold. First, management interfaces are more flexible, as network operations has the option to manage many network service instances as one, or each instance may have its own separate management interface. The latter is useful as network operations processes, procedures and management interface familiarity remain the same even though the network service has been virtualized. Second, acquisition cost is reduced as network service delivery moves from a physical device to a software image, extending its reach without the need to deploy specialized hardware for every instance in which the network service is required. Third, as alluded to in one and two above, a network service can be extended more easily and effectively as a virtualized entity, thus increasing application performance.

Virtualized Networks

The Virtualized Networks (VN) building block partitions a network into multiple isolated logical networks with unique attributes such as routing, switching, independent policies, quality of service, bandwidth, security, etc. VN is a one-to-many class of virtualization, dividing a common network into many different logical partitions. These logical network partitions are as varied as the businesses they support. For example, users may be segmented into corporate employees, contractors/consultants and/or guests. These classes of users are associated further into logical partitions, which may be segmented into departments, partners, suppliers, a newly merged corporate entity, a department segregated from an organization due to regulatory compliance requirements, or even based upon specific applications. VN builds upon network switching and routing features and delivers attributes not previously attainable with the same hardware devices. In short, VN provides secure logical isolation for users, applications and/or departments on an end-to-end basis throughout a corporate network. VN's logical isolation of networks allows business and IT leaders to protect assets, consolidate infrastructure, and adhere to regulatory requirements.

The VN Architecture

The VN architecture is made up of three major components. The first VN component is controlling network access and segmenting classes of users. Users are authenticated and authorized, either being allowed or denied into a logical partition. Users are segmented into employees, contractors/consultants and/or guests with respective access to IT assets. In short, this component identifies users who are authorized to access the network, then places them into the appropriate logical partition. The second architectural component is isolating paths within the network, which preserves network isolation across the entire enterprise from edge to campus to WAN and back again. This component maintains traffic partitioned over a routed infrastructure as well as transporting traffic over and between isolated partitions. The function of mapping isolated paths to virtual LANs and to virtual services is also performed in component two. The third and last component is called virtual services, which provides access to shared or dedicated network services such as DHCP, DNS, IP telephony call management, etc., plus applying policy per partition and isolating application environments, if required.

There are multiple business applications for VN, which cross the economy. By consolidating multiple WAN networks into one VN, retail concerns are able not only to significantly reduce their WAN charges but in fact to turn them into profit centers. In addition to this change of fortune, retailers are able to experiment with new services and add those most promising quickly, measured in days versus many months.
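The three VN components just described can be modeled end to end. The Python program below is an added example, not code from the paper or from any vendor named in it; the users, passwords, partition names, the CLASS_TO_PARTITION policy and the audit check are assumptions constructed for the illustration. It shows that an authenticated guest cannot reach a corporate host or a corporate-only service, that a shared service stays reachable from every partition, and it adds a defender's audit that flags a host mapped into two partition tables, which is the kind of misconfiguration that would silently defeat path isolation.

```python
"""
Constructed model of the three VN architecture components: access control
(component 1), path isolation (component 2) and virtual services (component 3).
A vendor-neutral illustration, not the configuration of any product.
"""
from dataclasses import dataclass, field

# Assumed credential store for the example: username -> (password, user class).
# A real deployment would consult an AAA or identity backend instead.
USERS = {
    "alice": ("alice-pw", "employee"),
    "erin":  ("erin-pw",  "employee"),
    "bob":   ("bob-pw",   "contractor"),
    "carol": ("carol-pw", "guest"),
}

# Component 1 policy (assumed): which user class lands in which logical partition.
CLASS_TO_PARTITION = {"employee": "corp", "contractor": "partner", "guest": "guest"}


@dataclass
class VirtualNetwork:
    # Component 2: one forwarding table per partition (host -> edge port).
    tables: dict = field(default_factory=dict)
    # Component 3: service name -> set of partitions allowed to reach it.
    service_policy: dict = field(default_factory=dict)
    # Partition each authenticated host was placed in.
    host_partition: dict = field(default_factory=dict)

    def authenticate(self, user, password, host):
        """Component 1: authenticate and authorize; return the partition or None."""
        record = USERS.get(user)
        if record is None or record[0] != password:
            return None  # denied: the host never receives a forwarding entry
        partition = CLASS_TO_PARTITION[record[1]]
        self.tables.setdefault(partition, {})[host] = f"edge-port-{host}"
        self.host_partition[host] = partition
        return partition

    def forward(self, src_host, dst):
        """Components 2 and 3: deliver only inside the source partition or to a permitted service."""
        partition = self.host_partition.get(src_host)
        if partition is None:
            return "drop: unauthenticated source"
        if dst in self.service_policy:
            if partition in self.service_policy[dst]:
                return f"deliver: {dst} via shared-services partition"
            return f"drop: {dst} not permitted from {partition}"
        table = self.tables[partition]
        if dst in table:
            return f"deliver: {table[dst]}"
        # A host in another partition and a non-existent host look the same:
        # a partition cannot even enumerate hosts outside itself.
        return f"drop: {dst} unreachable from {partition}"

    def audit_isolation(self):
        """Defender's check: a host present in two partition tables is a leak."""
        seen = {}
        leaks = []
        for partition, table in self.tables.items():
            for host in table:
                if host in seen and seen[host] != partition:
                    leaks.append((host, seen[host], partition))
                seen[host] = partition
        return leaks


def run_demo():
    """Walk the three components with constructed users and services."""
    vn = VirtualNetwork(service_policy={
        "dns": {"corp", "partner", "guest"},  # shared service, reachable by all partitions
        "call-manager": {"corp"},             # dedicated to the corporate partition
    })
    r = {}
    r["alice"] = vn.authenticate("alice", "alice-pw", "pc-alice")
    r["erin"] = vn.authenticate("erin", "erin-pw", "pc-erin")
    r["bob"] = vn.authenticate("bob", "bob-pw", "pc-bob")
    r["carol"] = vn.authenticate("carol", "carol-pw", "pc-carol")
    r["dave"] = vn.authenticate("dave", "wrong-pw", "pc-dave")  # unknown user: denied
    r["corp_to_corp"] = vn.forward("pc-alice", "pc-erin")
    r["guest_to_corp"] = vn.forward("pc-carol", "pc-alice")
    r["corp_to_dns"] = vn.forward("pc-alice", "dns")
    r["guest_to_callmgr"] = vn.forward("pc-carol", "call-manager")
    r["unauth"] = vn.forward("pc-dave", "dns")
    r["leaks_before"] = vn.audit_isolation()
    # Simulate a misconfiguration that maps a corporate host into the guest table.
    vn.tables["guest"]["pc-alice"] = "edge-port-pc-alice"
    r["leaks_after_misconfig"] = vn.audit_isolation()
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The forward function answers "unreachable" for both a host in another partition and a host that does not exist, so a partition learns nothing about the rest of the network from its own failed lookups; the audit is the control operations staff would run after every change, since the paper's concern about linked virtual entities is exactly that one edit can widen a partition.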
Retail Goes Virtual

A large retail concern has deployed a VN with great success. This company operates membership warehouses that offer a selection of nationally branded and private-label products in a range of merchandise categories in self-service warehouse facilities. The company operates approximately 500 locations across North America. This firm was looking to improve its customers' store experience by offering new in-store services through partners. Before VN, the barrier to entry for adding new services was too high, requiring separate WAN connections or raising security concerns about partners connecting into their network. According to their IT department, with the logical partitioning provided by VN they were able to lower the barrier to entry for new in-store services to the point where testing, selecting and deploying new services was easy. With a VN the concern was able to experiment with a host of businesses to measure which ones added value to customers and to its revenue. During this experimentation stage the company found five to six new in-store services and used them to justify an overall VN roll-out to its stores. The VN investment allowed it to create an incubator to experiment with new services and business models and then rapidly deploy those which held promise. In-store network-based services were isolated into separate partitions, alleviating security and cross-application performance concerns. Without VN some in-store services would simply not have been possible to deploy. For example, their photo business processes as many as 10,000 prints per day in select stores. The bandwidth load on a private frame relay or ATM network between the store, its headquarters and the partner site would be too large and impossible to justify economically. An internet-based VN proved economically viable and secure, allowing them to isolate paths and scale bandwidth up and down based upon demand. In addition to photo processing, the concern added a mobile phone service, a travel agency, an in-store kiosk, computer returns, customer returns, a concierge service and many more; in California there is California's Cigarette and Tobacco Products Tax program, which requires a dedicated network, and in Canada the Canadian Pharmacy License requires a separate network to process prescriptions. The firm's VN economics are by any measure outstanding.

The company spent $8 million to deploy its VN and realized $50 million in revenue from sales of its photo processing service alone. Note that the $8 million spend was depreciated over a number of years while revenues are annual, which accounts for an impressive return on investment. As for the other services, the travel and mobile phone services generate some $2.3 million and $200 thousand annually, respectively. The kiosk generates between $20 and $24 million annually. The California cigarette tax and Canadian health services are cost avoidance, saving the firm some $1.7 million per year. The total annual revenue generated by the $8 million VN capital expenditure is

approximately $75 million, and the return on investment was 1.3 months. In addition to the economic benefits gained by VN, the firm has increased membership returns and memberships due to the increase in services available at its stores. The company can evaluate new applications such as video, music and software services as it has the VN infrastructure to experiment and rapidly deploy. Nearly all retail concerns can find benefit with VN.

Retail banking is embracing VN too, as it consolidates many networks into one logically partitioned VN, reducing operational expenses. In addition, retail banking is required through regulation to separate new services from existing ones. Before VN a retail bank would have to deploy two networks, one that ran production applications and one that ran test services. With VN one network can now support both test and production branch applications, reducing total cost of ownership and providing a competitive advantage through rapid new service delivery. Higher education has embraced VN too as a means to segment a common network infrastructure into logical partitions for each department, school and user group (students, faculty, administrators, guests, etc.).

Rather than dedicate departure and arrival gates to airlines, airports are choosing to deploy virtual gates, which increase the efficiency of their prime resource and increase profitability. For example, the Munich airport has deployed a VN and turned its departure gates into virtual gates. Munich's virtual gates are equipped with a large flat panel screen overhead and a VN connection at the gate desk. Once an airline representative plugs into the VN, their airline logo, flight number, destination city, boarding and departure time are displayed for that gate. After the flight has departed, another airline representative will plug into the VN and all of their flight information is then displayed on the gate screen as well as throughout the airport on flight monitoring displays. In this case the user authentication process triggers a series of events which change the gate information for the appropriate airline, increasing gate utilization.

The value of VN to business and IT leaders is at least fourfold. First, VN enables new profitable business models, as the retail concern and Munich Airport examples highlight. There is enough evidence to justify that business and IT executives conduct a due diligence exercise to explore how VN can benefit their operations. Second, security is increased through path isolation and user segmentation. Third, total cost of ownership is reduced through network consolidation, especially in wide area networking environments. Fourth, by isolating specific applications and users, VN is a regulatory compliance enabler.

Virtual Service Orchestration

As services become virtual, with the goal of businesses being to scale IT capacity both up and down to meet demand, orchestration of resource provisioning becomes central to this goal. The above three building blocks address network infrastructure virtualization, which improves network behavior and cost for existing applications. Virtual Service Orchestration (VSO) redefines IT service delivery by virtualizing the relationship between computing, storage and networking. VSO provides an abstraction between the physical infrastructure and the applications running on that infrastructure. VSO will ultimately allow much greater flexibility in the choice, management, and provisioning of resources to better support changing business applications. One of the requirements for end-to-end service orchestration is the creation of virtual service elements. Each service element is an abstraction of the physical element that holds the entire relevant configuration for a particular application service. The benefit of this approach is that physical resources can be pooled and used on an as-needed basis. Physical infrastructure need no longer be over-provisioned to meet peak demand or 1:1 high availability requirements. The same physical resources can be used across all application services, thereby reducing capital expenditures. For example, when a physical server fails, VSO is able to detect it, pick another server from a spare server pool and replace the failed server. The storage and network configurations required to bring in the new server are done automatically. Since some VSO implementations, such as Cisco's VFrame Data Center, follow a remote boot model, the OS image of the original server is applied to the new server; in this way, to the outside world, the new server appears exactly identical to the failed server.

A New Approach to IT Service Delivery

So how will IT service delivery design and operations change with VSO? Most applications start off with a set of business requirements or a business architecture, which drives the application architecture. The application architecture is translated into a physical

architecture or blueprint, meaning computing, storage, networking, etc. In the traditional method of deploying an application, a set of architects develops a design and partitions that blueprint into multiple entities: network administrator tasks, server administrator tasks, core administrator tasks, etc. Each group deploys its piece and builds the architecture. At the end of deployment there is an infrastructure that is running the application. What VSO does is take that infrastructure and programmatically represent it as an abstracted view of what the application means. Then VSO takes the application architecture and instantiates it on a physical network. Typically an architect will start with an application architecture, which drives a physical and logical infrastructure such as firewalls, network devices, load balancing, operating system, database, number of computers and amount of storage required, etc. Now enter VSO. VSO discovers the physical and virtualized devices that represent a data center as part of the application architecture. With discovery and templating features, VSO can analyze the application architecture and calculate the number of servers and the capacity required to achieve the desired performance characteristics.

Consider a web service. Most architects will transition through a design abstraction process to define a web service. VSO contains various templates for application delivery. A template is basically a logical design based upon an existing application infrastructure. For this web service, assume that the data center has a firewall, switch, load balancer, set of servers and some storage, all connected to each other. A service template is the logical definition that has a set of properties associated with it but no direct linkage to the physical infrastructure. To link to the physical architecture, VSO needs to discover what is available and its associated capacity. VSO does discovery on multiple fronts. Its leverage is the presence it has on the network for discovery. VSO discovers servers connected to the network and storage connected to Fibre Channel, as well as IP addressing. Part of the discovery process is building an inventory of the different devices available and their capabilities, both physical and virtual. A pool of available resources is built during the discovery process. Once the pool of resources is understood, VSO can start on the deployment task. VSO performs a mapping of the requirements set for the design in the template to the capabilities that were discovered. VSO then selects appropriate resources from the appropriate pool and configures them. In the end, VSO is dividing up the different data center resources available in the initial provisioning of an application. So for the web service design above, VSO has a web service template from which an architect can create any number of instances of that web service. For each instance the architect creates, VSO takes the set of discovered resources available, maps it to the physical and logical network and configures the resources so the new web services application is available.

What if servers are moved or storage is added or reduced? VSO discovery is scheduled by operations. If new storage is added, it will be discovered during the next discovery run and added to the pool of resources to be divided accordingly. The same process is true for servers or other assets. If application performance becomes an issue, one of the typical ways to address this is to add more compute capacity. VSO has an understanding of the relationships among different devices as part of the application design abstraction and discovery. For example, if operations needs to add a server, VSO knows what software image needs to be associated with the server, to what VLANs the server needs to connect, whether the service needs to be load balanced, etc. For the web services application VSO would know how to apply load balancing and IP addressing, and what firewall rules/additions need to be made so that client traffic can reach the new server. A set of automated, coordinated actions needs to be orchestrated in support of server addition, which can occur thanks to VSO's virtualized infrastructure. Architects now have insight into the data center's physical and logical resources plus associated capacity.
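The discovery, template, mapping, failover and rediscovery steps described above, as an added example that is neither the paper's nor VFrame's code: a small Python orchestrator in which scheduled discovery fills resource pools, a web service template is instantiated by mapping its requirements onto discovered capacity, a failed server is replaced from the spare pool with the same boot image, load balancer membership and firewall rule, and a later discovery run makes new assets available to the next instance. Server names, capacities, VLAN numbers and the firewall rule syntax are constructed assumptions.

```python
"""Constructed model of the VSO workflow described above (an illustration, not VFrame's
API): discovery fills resource pools, a template states what one instance needs,
instantiation maps those needs onto discovered capacity and wires VLAN, image, load
balancer and firewall settings, and failover swaps in a spare server."""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    cpus: int
    in_use: bool = False   # a failed server stays in_use so it is never selected again


@dataclass
class ServiceTemplate:
    name: str
    servers: int        # servers per instance
    min_cpus: int       # capacity each server must offer
    storage_gb: int     # storage per instance
    image: str          # image applied by remote boot
    load_balanced: bool
    client_port: int    # port clients must be able to reach


@dataclass
class Instance:
    name: str
    template: ServiceTemplate
    vlan: int
    servers: list = field(default_factory=list)
    boot_images: dict = field(default_factory=dict)
    lb_members: list = field(default_factory=list)
    firewall_rules: list = field(default_factory=list)


class Orchestrator:
    def __init__(self):
        self.servers = {}      # name -> Server, filled by discovery
        self.storage_gb = 0    # discovered free storage
        self.free_vlans = []
        self.instances = {}

    def discover(self, servers, storage_gb, vlans):
        """Scheduled discovery run: merge newly found assets into the pools."""
        for s in servers:
            self.servers.setdefault(s.name, s)   # re-discovering a known server is harmless
        self.storage_gb += storage_gb
        self.free_vlans.extend(v for v in vlans if v not in self.free_vlans)

    def _spares(self, min_cpus):
        return [s for s in self.servers.values() if not s.in_use and s.cpus >= min_cpus]

    def _wire(self, inst, server):
        """Coordinated actions for adding one server: image, LB pool membership, firewall rule."""
        server.in_use = True
        inst.servers.append(server.name)
        inst.boot_images[server.name] = inst.template.image
        if inst.template.load_balanced:
            inst.lb_members.append(server.name)
        inst.firewall_rules.append(f"permit tcp any -> {server.name}:{inst.template.client_port}")

    def instantiate(self, tmpl, name):
        """Map template requirements onto discovered capacity; reject before changing anything if short."""
        spares = self._spares(tmpl.min_cpus)
        if len(spares) < tmpl.servers or self.storage_gb < tmpl.storage_gb or not self.free_vlans:
            raise RuntimeError(f"{name}: template requirements exceed discovered capacity")
        inst = Instance(name=name, template=tmpl, vlan=self.free_vlans.pop(0))
        for server in spares[:tmpl.servers]:
            self._wire(inst, server)
        self.storage_gb -= tmpl.storage_gb
        self.instances[name] = inst
        return inst

    def failover(self, inst_name, failed_name):
        """Replace a failed server with a spare carrying the same image and network settings."""
        inst = self.instances[inst_name]
        spares = self._spares(inst.template.min_cpus)
        if not spares:
            raise RuntimeError(f"{inst_name}: no spare server available for failover")
        inst.servers.remove(failed_name)
        inst.boot_images.pop(failed_name, None)
        inst.lb_members = [m for m in inst.lb_members if m != failed_name]
        inst.firewall_rules = [r for r in inst.firewall_rules if f"-> {failed_name}:" not in r]
        self._wire(inst, spares[0])
        return inst


def run_demo():
    """Constructed walkthrough: discover, instantiate, fail over, rediscover, instantiate again."""
    vso = Orchestrator()
    vso.discover([Server("srv1", 4), Server("srv2", 4), Server("srv3", 2), Server("srv4", 4)],
                 storage_gb=500, vlans=[100, 101])
    web = ServiceTemplate("web", servers=2, min_cpus=4, storage_gb=200,
                          image="web-img-1.0", load_balanced=True, client_port=443)
    r = {}
    web1 = vso.instantiate(web, "web-1")
    r["web1_servers_initial"] = list(web1.servers)
    vso.failover("web-1", "srv1")            # srv3 is too small, so srv4 takes over
    r["web1_servers_after_failover"] = list(web1.servers)
    r["web1_boot_image_srv4"] = web1.boot_images["srv4"]
    r["web1_firewall_rules"] = list(web1.firewall_rules)
    vso.discover([Server("srv5", 8), Server("srv6", 8)], storage_gb=300, vlans=[102])
    web2 = vso.instantiate(web, "web-2")     # the next discovery run made these usable
    r["web2_servers"], r["web2_vlan"] = list(web2.servers), web2.vlan
    r["storage_gb_remaining"] = vso.storage_gb
    return r
```

The capacity check in instantiate runs before any pool is modified, so a request that arrives before the next scheduled discovery has added the assets it needs is rejected cleanly rather than leaving a half-built instance; failover replaces the firewall rule and load balancer membership together with the server, which is the set of coordinated actions the text says must be orchestrated when a server is added.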
Not only are architects able to perform streamlined initial provisioning, but they are also able to automate the run-time behavior of the application's needs. Life in the data center becomes more automated with VSO thanks to its ability to virtualize IT assets. VSO implementations are appliance-based and sit in the data center providing control and management services. VSO is a management feeder and control point designed to improve service orchestration. The best example of a VSO product and ecosystem is Cisco Systems' VFrame Data Center.

There are multiple value points of VSO for business and IT leaders. For example, VSO provides template-driven provisioning, optimizes storage operations, automates server failover, enables a Service-Oriented Architecture (SOA)-based application development environment, normalizes network connectivity between front- and back-end networking, and more. VSO tightly links application deployment and management to networks in ways they never were before. VSO is the glue that binds networks, computing and storage together to support dynamic business needs by virtualizing the orchestration of IT service delivery and management. In short, VSO enables IT resources to scale up and down based upon consumption need.

Network Virtualization Concerns

Some of the above building blocks are relatively new concepts, which create concern for business and IT executive management. The concerns usually focus on network virtualization management. For example, when multiple building blocks are deployed, an enterprise may create a large virtual domain which may be difficult to manage. Having the tools to manage change is important as virtual entities are linked, meaning that one change in the network will impact other entities, potentially triggering a series of changes. Troubleshooting is another concern. As network services are virtualized, troubleshooting tools need to provide both physical and logical views, and tools to help operational staff quickly identify the root source of troubles and fix them.
In short visibility into a virtualized network is required. To mitigate this concern, both vendor selection and pace of deployment are effective. In vendor selection, a full review of network management tools and views will contribute to product selection. The pace of deployment is also an effect strategy with pilots, then measured deployments to both test functionality and train staff on management tools, building trust with the network virtualization vendors products and support.

Another concern expressed by IT executives is that the centralization of software images which virtualization enables becomes a single point of failure. This centralization is realized by the consolidation of software on fewer hardware devices to service many applications. To mitigate this concern IT executives have reviewed their high availability and disaster recovery strategies to remove single points of failure. In short, many executives are analyzing resources to determine the correct balance of consolidation with redundancy and backup to deploy for their business.

Complexity, especially in the VSO building block, concerns some executives. VSO is a complex building block that touches on all parts of IT infrastructure. For many executives there will be a measured deployment schedule to build trust before pervasive roll-out.

All of the above concerns are both valid and to be expected when a new technology becomes available. Some of the same concerns and associated mitigation strategies were utilized when VLANs were first introduced into the market, some ten years ago. The concern was that broadcast domains would look like spaghetti, by creating virtual links across the enterprise. But deployment pace and management tools calmed these concerns to the point where VLANs are an important and systemic building block of corporate networks. Network virtualization building blocks will traverse the same path.

Guiding Principles: Putting the Building Blocks to Work for Your Organization

There is a new design paradigm in corporate networking that exploits the benefits of virtualization. Network virtualization puts powerful tools in the hands of business and IT leaders to create a dynamic and agile IT infrastructure that responds and scales to business needs. The network virtualization deployment cycle will be deliberate and staged over time, regulated by business requirements. The IT industry is at the beginning of a long virtualization cycle with many IT suppliers adding network virtualization building blocks over time. The four building blocks mentioned above can be independently deployed based upon business need and operational staff ability. Network architecture is the bridge between business strategy and evolution. The best way to think about the new design rules for network virtualization is through the use of guiding principles. The following seven design principles are offered which will transform your network into a network business platform:

Principle One: Re-Think IT Service Delivery

During application development meetings and initiatives, review the service delivery process and explore how VSO and the other building blocks may be applied to the task at hand. IT executives should strive to move away from the laborious process of traditional service delivery, which over-designs IT infrastructure for peak traffic, toward a dynamic IT infrastructure: one which is responsive to business needs in near real time and which can bring up applications in days versus months, thanks to network virtualization.

Principle Two: Think Dynamic Auto-Provisioning

Network virtualization delivers auto-provisioning of services via templated solutions and rules, which accelerate application delivery and management. The key here is to think about how all the parts of an application (compute, storage, networking, security, load balancing, etc.) can be dynamically provisioned via rules and allocated based upon demand, versus the status quo of tweaking, configuring, and optimizing infrastructure.

Principle Three: Question New Appliance Deployments

During times of network service requirement needs, consider virtualized network services first before the deployment of another physical appliance. This will reduce dependence on appliances over time and their associated high total cost of ownership, while allowing IT to implement NSV on an as-needed, event basis.

Principle Four: Look to Pool Network Device Management

IT leaders should consider opportunities where pooled network devices can be configured, monitored and troubleshot as one. This will reduce operational cost and workload as well as increase network availability. Principle four strives to reduce the number of physical devices to be managed by virtualizing their image for network operations.

Principle Five: Consolidate Multiple Networks Into a Common Network Separated by Logical Isolation

For scenarios where multiple wide area networks exist, principle five and VN in particular offer an attractive alternative. That alternative is the consolidation of multiple networks and their associated cost into a common network, which logically isolates the collapsed networks. It is not uncommon that in retail scenarios revenue generation is created while network cost is reduced and service cost avoided. Principle five recommends logical isolation versus the deployment of a new network.

Principle Six: Utilize All Network Resources

Before upgrading inter-switch links and overall network and backplane capacity, consider the deployment of the virtual dual backbone to capture unused and static network capacity, while in the process providing a more flexible and reliable network.

Principle Seven: Think Network Virtualization

As many corporations are in the process of a network refresh, now is the time to consider the various network virtualization building blocks. The value of network virtualization will be realized on many fronts, including financial payback accounting, but more importantly from an overall corporate value perspective, by enabling an organization to be more responsive to business pressures and opportunities. For every IT project which includes a network component, network virtualization should be included in the agenda for consideration. Benefits are always subjective and highly dependent upon pre-existing network and IT conditions.

Very few IT organizations architect their networks. Rather, they choose vendors, equipment, software and services for each requirement or project with which they are confronted. The result is similar to house construction. Often consumers can choose a builder's package and save a few dollars, or do it right and hire an architect to customize a solution for their needs. The architected solutions can cost more and at times take slightly longer, but the pay-back is big. You can always tell an architected home. The rooms are pleasing to the eye, the space is planned out and works well, rooms flow into each other and the home sits perfectly on its land. The builder's package often comes with odd-sized rooms, a poor flow, disproportionate windows and doors and the feeling that something is just not right. Often additional work is done and paid for to fix these anomalies, or the buyer lives with dissatisfaction. In IT an architected solution is business driven and provides an excellent experience for employees, customers, partners and suppliers.
The interfaces work well, performance is within human delay tolerances, shifting between applications is painless and work just flows. The IT systems are not frustrating and fatiguing to work with, but support business process as effortlessly as possible. The time to use the above guiding principles is every time a new project is being evaluated. The IT team should review every major design decision by applying each of the guiding principles and discussing them, one by one, to ensure that the network design supports the principles. Don't move forward until there is agreement that the architecture supports the principle. Over time the network will take on more and more network virtualization attributes, evolving beyond application support to being an integrated component of application delivery, creating a dynamic IT infrastructure and a competitive business in the process. As mentioned above, all IT leaders balance expense reduction with business growth initiatives as part of their annual plans. Network virtualization offers the promise to decrease the slope of IT expenditures, which would be favorable when compared to increasing revenue. Network virtualization is a new organizing principle for business and IT leaders that will have a material effect on corporate operations.

About Nick Lippis

Nicholas J. Lippis III is a world-renowned authority on advanced IP networks, communications and their benefits to business objectives. He is the publisher of the Lippis Report, a resource for network and IT business decision leaders to which over 40,000 business and IT executive leaders subscribe. Its Lippis Report podcasts have been downloaded over 30,000 times; iTunes reports that listeners also download the Wall Street Journal's Money Matters, Business Week's Climbing the Ladder, The Economist and The Harvard Business Review's IdeaCast. Mr. Lippis is currently working with clients to transform their converged networks into a business platform. He has advised numerous Global 2000 firms on network architecture, design, implementation, vendor selection and budgeting, with clients including Barclays Bank, Microsoft, Kaiser Permanente, Sprint, Worldcom, Cigitel, Cisco Systems, Nortel Networks, Lucent Technologies, 3Com, Avaya, Eastman Kodak Company, Federal Deposit Insurance Corporation (FDIC), Hughes Aerospace, Liberty Mutual, Schering-Plough, Camp Dresser McKee and many others. He works exclusively with CIOs and their direct reports. Mr. Lippis possesses a unique perspective of market forces and trends occurring within the computer networking industry derived from his experience with both supply and demand side clients.
CHALLENGE

The ability to provide flexible connectivity options while keeping closed user groups (groups of users and resources isolated from non-group members) is vital in today's campus networks. Network virtualization, giving multiple groups access to the same physical network while keeping them logically separate to a degree that they have no visibility into other groups, is a requirement that has challenged network managers for many years.

In the 1990s, campus LANs were characterized by broad deployments of Layer 2 switches. Campus LAN design has evolved significantly since the introduction of Ethernet switching. Many technological improvements and a wealth of expertise, combined with evolving customer requirements, have shaped today's network design philosophy. With the growth of campus LANs has come the need to partition the network more effectively, by users, location, or function. All different groups need to retain their privacy while sharing the same physical network. For end users on the network, the experience should be that of using totally separate physical networks that can be securely interconnected. Initially, virtual LANs (VLANs) and the Spanning Tree Protocol offered a mechanism to divide the LAN into virtual networks to address the need for separate workgroups within a common network. This solution was effective and secure, but it did not scale well, nor was it easy to manage as these campus LANs grew to encompass a large number of switches and global locations.

Compelling Factors

Many factors promote the requirement to create closed user groups. The following are just a few examples:

Varying levels of access privileges within an enterprise: Almost every enterprise needs solutions for granting different levels of access to customers, vendors, and partners as well as employees on the campus LAN. A visiting vendor, for instance, needs only to connect to the Internet while on campus, and the organization needs to help ensure that the vendor cannot gain access to corporate resources.

Regulatory compliance: Some businesses are required by laws or rules to separate segments of a larger organization. For example, in a financial company, banking needs to remain separate from trading. Office buildings commonly require the separation of different departments, such as human resources and customer service in a corporate setting, or a police department and a fire department in a municipal office building.

Network simplification for very large enterprises: In the case of very large campus networks such as airports, hospitals, or universities, the need for security between different groups or departments has in the past required the building and management of separate physical networks, an undertaking that is costly and difficult to manage.

Network consolidation: In mergers and acquisitions, there is often a need to integrate the acquired company's network expeditiously.
Outsourcing: As outsourcing and offshoring proliferate, subcontractors must demonstrate absolute isolation of information between clients. This is especially critical when a contractor services competing companies.

Enterprises providing network services: Often retail chains support kiosks for other companies or on-location Internet access for patrons; similarly, airports serving multiple airlines and retailers can provide isolated and common services with a single network.

Table 1. Application Examples of Network Virtualization in Individual Verticals

Vertical: Examples of Cases for Network Virtualization

Manufacturing: Production plants (robots, automation of production environment, and so on), administration, sales, video surveillance.

Finance: Trading floors, administration, mergers.

Government: Shared buildings and facilities supporting different departments. In some countries the law mandates separate networks between such departments.

Healthcare: General trend toward hotel service with medical treatment. Separation among medical staff, magnetic resonance imaging (MRI) and other technical equipment, Internet access for patients, media services such as radio and television for patients.

Commercial Real Estate (Multibusiness Campus): Some resources are shared among groups. Multiple companies on the same campus where different buildings belong to different groups, but all rely on the same core and Internet access. Building automation is administered by the owner and spans across all buildings.

Retail: Kiosks, public wireless LAN (PWLAN) in branches, RF identification, WLAN devices (for example, older WLAN barcode readers that do not support any WLAN security).

Education: Separation among students, professors, administrators, and external research groups. Alternatively, individual departments that spread across multiple buildings might require access to their respective server areas. Some resources (Internet, e-mail, and news, for example) might be shared or accessed through a services zone. Building automation, too, must be separated.

Campus VLANs

In years past, when Layer 2 switches defined the campus network environment, network virtualization was achieved with the use of VLANs. A separate VLAN could be configured for every closed user group on the network. These VLANs would then be configured to span the entire campus, an approach commonly referred to as campuswide VLANs. However, although this method was reasonably simple to implement, it introduced a number of complications, including:

Limited network scalability resulting from the use of the Spanning Tree Protocol across a large number of switches
Impaired client and network performance resulting from increases in broadcast and multicast traffic
Complexity of troubleshooting
Risk of problem propagation

Among these problems, the Spanning Tree Protocol represented the greatest limitation, from a Layer 2 topology point of view. The risk of a Layer 2 loop, or broadcast storm, grew in parallel with the number of bridges in a Layer 2 domain. Furthermore, the network diameter could become a gating factor in midsize to large topologies. As the number of interfaces in a VLAN increased, the frequency of broadcasts also increased. These broadcasts resulted in higher CPU load for client and network devices, as well as reduced performance for applications. The Spanning Tree Protocol goal of providing a loop-free topology inherently prevented networks from having multiple active paths between any two local destinations and therefore limited the available network bandwidth. At the network edge, this characteristic did not present a major problem, but the core of the network could become a bottleneck. Troubleshooting large Layer 2 topologies required a significant amount of technical expertise and could be time-intensive. When a Layer 2 loop occurred, it not only resulted in the loss of client connectivity, but also could affect remote network administration.
Layer 3 Campus

In recent years, with the advent of multilayer switches capable of performing routing tasks, scalability and availability gained importance as design criteria. Today's campus LAN combines the services of Layer 2 switched and routed platforms to achieve the best possible modularity, scalability, and high availability. The use of Layer 3 switching in the core and distribution layers can eliminate the scalability, performance, and troubleshooting drawbacks associated with the VLAN-based approach to network virtualization. Layer 3-based campus networks built over the past several years have proven to be scalable, robust, and high performing. However, a characteristic behavior of a Layer 3 switch, routing between all networks in the forwarding table, runs counter to the need for partitioning and closed user groups. Although access control lists (ACLs) and policy-based routing are possible approaches to traffic partitioning, the anticipated number of closed user groups and distribution zones is an important factor to consider in network planning. With increasing numbers of closed user groups come increases in administrative and operational tasks and the associated operational costs. One error in an ACL configuration for a single location could result in a dangerous security compromise, exposing the entire network to any number of threats. Network addressing structures should be carefully considered when using ACLs or policy-based routing. Optimized group IP address ranges simplify the configuration process; however, this can present a drawback because end-system addressing often needs to be changed. Making this change affects not only the network group within an organization, but also the client/server administrators for individual closed user groups. One point to note is that with VLAN-based separation, address space cannot be reused.
Campus design recommendations have lacked an elegant way of isolating traffic in the network to provide a secure and independent environment for closed user groups within the campus.

THE SOLUTION: NETWORK VIRTUALIZATION

A scalable solution is needed for keeping groups of users totally separate and centralizing services and security policies while preserving the high-availability, security, and scalability benefits of the campus design. To deliver this solution, the network design needs to effectively solve the following challenges:

Access control: Help ensure that legitimate users and devices are recognized, classified, and authorized entry to their assigned portions of the network.

Path isolation: Help ensure that the substantiated user or device is mapped to the correct secure set of available resources, effectively the right VPN.

Services edge: Help ensure that the right services are accessible to the legitimate set or sets of users and devices, with centralized policy enforcement.

The answer is network virtualization, which can be achieved in several ways. Virtualization technologies enable a single physical device or resource to act like it is multiple physical versions of itself and be shared across the network. Network virtualization is a crucial element of the Cisco SONA framework. Cisco SONA uses virtualization technologies to increase use of networked assets such as servers and storage-area networks (SANs). For example, one physical firewall can be configured to perform as multiple virtual firewalls, helping enterprises optimize resources and security investments. Other virtualization strategies include centralized policy management, load balancing, and dynamic allocation. The use of virtualization enhances agility and improves network efficiency, reducing both capital and operational expenses.

Access Control: Authentication and Access-Layer Security

Security at the access layer is vital for protecting the campus LAN from external threats, whether inadvertent or malicious, whether presented by a user or harbored by an infected device. With the delivery of wireless and mobile access to the campus LAN, user authentication and other security measures take on increased importance. Cisco network virtualization solutions are complemented by several technologies that help ensure threats are mitigated before they can enter the campus. One such technology is IEEE 802.1X, which is the standard for port authentication. The initial purpose of the 802.1X standard was related to authentication only. Enhancements such as VLAN assignment through RADIUS today greatly tie in with associating a user with a closed user group. Effectively, it enables an association between user IDs and their closed user groups. When a user from Group A authenticates at the network edge, 802.1X helps ensure that that port or user is connected to the Group A VLAN/VPN. Another complementary technology is Cisco NAC. Although it is supported on all Cisco campus switch platforms and can provide benefits to the entire network, NAC is optimally deployed at the access layer. NAC's job is to mitigate threats at the edge and remove harmful traffic before it reaches other clients and servers in the network. After a user authenticates and passes through the 802.1X checkpoint, NAC comes into play to help ensure that users do not expose the campus network to any viruses, worms, or other threats. NAC checks to see if the PC attempting access is up to date in terms of operating system and virus protection. If a user trying to gain access has missed the latest software update or is suspect for other reasons, then, after that user has authenticated with a user ID and password, the user is connected to a separate VLAN. This VLAN is connected to a closed user group for any PC not in compliance with corporate software standards. Effectively, the user is placed in quarantine, where the only network resource available is a server containing the necessary software downloads. Before the availability of the network virtualization solution, all noncompliant PCs would either need to be placed into a campuswide VLAN or policy-based routing would need to be configured on each Layer 3 hop. Although enterprises aim to eliminate Layer 2 VLANs through the core of their network, this campuswide VLAN would hinder them from getting there. Configuring policy-based routing on a per Layer 3 hop basis, however, would represent a significant configuration overhead. Network virtualization allows this solution to scale without relying on campuswide VLANs. As shown in Figure 1, the users associated with the green group are fully up to date and can access resources on the campus LAN. However, the user in the red group is not up to date, and NAC sends that user to a "quarantine" VLAN until the PC has been updated with the proper software.

Complete Network Virtualization Solution
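The access-control step described above, reduced to the decision one switch port makes, as an added example in Python (not Cisco's code): the 802.1X result, the VLAN carried in the RADIUS Access-Accept (the RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment) and the NAC posture check together select the VLAN. The VLAN numbers, the posture baseline and the sample posture reports are constructed assumptions, and the decision fails closed when no group mapping is present.

```python
"""Access-layer decision for one campus switch port: 802.1X result, the VLAN
carried in the RADIUS Access-Accept, and the NAC posture check together pick
the VLAN.  Added example, not Cisco code; RADIUS attribute numbers and values
follow RFC 2868/RFC 3580, every other value is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 2868 tunnel attributes as used by RFC 3580 for dynamic VLAN assignment.
TUNNEL_TYPE = 64                # value 13 means VLAN
TUNNEL_MEDIUM_TYPE = 65         # value 6 means IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81    # the VLAN ID carried as a string

# Constructed policy values for this example.
QUARANTINE_VLAN = 999           # remediation-only VLAN for non-compliant PCs
REQUIRED_OS_BUILD = 1042        # minimum OS patch build accepted by NAC
REQUIRED_AV_SIGNATURE = "2009-03-01"  # oldest acceptable AV signature date


@dataclass
class PortDecision:
    vlan: Optional[int]         # None: port stays unauthorized, no VLAN at all
    reason: str


def vlan_from_radius(attrs: Dict[int, object]) -> Optional[int]:
    """Return the VLAN ID in an Access-Accept, or None when the three tunnel
    attributes are missing or do not describe a VLAN assignment."""
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not isinstance(group, str) or not group:
        return None
    # RFC 2868 allows a leading tag octet (0x00-0x1F) before the value.
    if ord(group[0]) < 0x20:
        group = group[1:]
    return int(group) if group.isdigit() else None


def posture_compliant(report: Dict[str, object]) -> bool:
    """NAC check: OS build and AV signature date must meet the baseline."""
    return (int(report.get("os_build", 0)) >= REQUIRED_OS_BUILD
            and str(report.get("av_signature", "")) >= REQUIRED_AV_SIGNATURE)


def decide_port(auth_ok: bool, attrs: Dict[int, object],
                report: Dict[str, object]) -> PortDecision:
    """Order matters: identity first, then the group VLAN, then posture."""
    if not auth_ok:
        return PortDecision(None, "802.1X failed: port remains unauthorized")
    vlan = vlan_from_radius(attrs)
    if vlan is None:
        # Fail closed: an authenticated user without a group mapping gets
        # nothing rather than a default that might be another group's VLAN.
        return PortDecision(None, "no VLAN assignment in Access-Accept")
    if not posture_compliant(report):
        return PortDecision(QUARANTINE_VLAN, "posture failed: quarantine VLAN")
    return PortDecision(vlan, f"compliant: closed user group VLAN {vlan}")


# Constructed sample inputs: a green-group Access-Accept (tagged value) and two PCs.
GREEN_ACCEPT = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "\x0010"}
UP_TO_DATE_PC = {"os_build": 1042, "av_signature": "2009-03-05"}
STALE_PC = {"os_build": 1036, "av_signature": "2009-01-15"}

if __name__ == "__main__":
    for name, pc in (("green, up to date", UP_TO_DATE_PC), ("green, stale", STALE_PC)):
        print(name, decide_port(True, GREEN_ACCEPT, pc))
```

The quarantine VLAN is deliberately a separate closed user group rather than a default: a PC that fails posture keeps its identity but only ever reaches the remediation zone, which is exactly the separation the campuswide-VLAN and per-hop policy-based-routing alternatives struggle to scale.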

CONCLUSION

In today's evolved networking environments, typical campus network designs use a mix of switching (Layer 2) technologies at the network edge (access) and routing (Layer 3) technologies at the network core (distribution and core layers). Thus, network virtualization can be achieved at the network access layer (Layer 2) by means of VLANs and at the network core (Layer 3) by using GRE tunnels, VRF-lite, and MPLS-based Layer 3 VPNs to partition the routed domain and thus achieve scalable end-to-end virtualization. With Cisco network virtualization solutions for the campus (Figure 7), enterprises can deploy multiple closed user groups on a single physical infrastructure, while maintaining high standards of security, scalability, manageability, and availability throughout the campus LAN. In light of their virtualized nature and their enablement of centralized services, these solutions form a crucial element of the Cisco SONA framework. A wide range of Cisco Catalyst switches enables enterprises that adopt this framework to use more of their network assets with greater efficiency, allowing them to realize cost savings even as requirements for devices, systems, services, and applications grow.

Figure 7. Complete Network Virtualization Solution
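To show why the conclusion prefers VRF-based path isolation over the ACL approach discussed under "Layer 3 Campus", here is an added Python example (not Cisco's code) that models both: one forwarding table per closed user group, where the GREEN and RED groups even reuse 10.1.0.0/24, beside a single routed table whose separation depends on an ingress ACL, where one wrong mask lets a green host reach a red subnet. Every prefix, VRF name and interface name is a constructed assumption.

```python
"""Path isolation two ways: one forwarding table per closed user group
(VRF-lite style) versus a single routed table guarded by ACLs.  Added example,
not Cisco code; all prefixes, VRF names and interface names are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Prefix = ipaddress.IPv4Network


class Vrf:
    """One isolated routing table. A lookup never consults another VRF, so
    two groups may even reuse the same address space without colliding."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Tuple[Prefix, str]] = []

    def add(self, prefix: str, egress: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), egress))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means no route, so the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[Prefix, str]] = None
        for net, egress in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress)
        return best[1] if best else None


def vrf_forward(vrfs: Dict[str, Vrf], ingress_vrf: str, dst: str) -> Optional[str]:
    """The ingress interface's VRF is the only table ever consulted."""
    return vrfs[ingress_vrf].lookup(dst)


def acl_forward(global_table: Vrf, acl: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Single routed domain: the group's ingress ACL decides first (implicit
    deny at the end), and only a permitted packet reaches the global table."""
    addr = ipaddress.ip_address(dst)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return global_table.lookup(dst) if action == "permit" else None
    return None  # implicit deny


def build_vrfs() -> Dict[str, Vrf]:
    green, red = Vrf("GREEN"), Vrf("RED")
    green.add("10.1.0.0/24", "Vlan10")          # green group's own subnet
    red.add("10.1.0.0/24", "Vlan20")            # red reuses the same space
    for v in (green, red):
        v.add("10.250.0.0/24", "ServicesEdge")  # shared services zone
    return {"GREEN": green, "RED": red}


def build_global() -> Vrf:
    g = Vrf("global")
    g.add("10.1.0.0/24", "Vlan10")              # green (no address reuse possible)
    g.add("10.1.5.0/24", "Vlan20")              # red
    g.add("10.250.0.0/24", "ServicesEdge")
    return g


# Intended green ingress ACL, and the same ACL with a single mask typo (/16).
GREEN_ACL_CORRECT = [("permit", "10.1.0.0/24"), ("permit", "10.250.0.0/24")]
GREEN_ACL_TYPO = [("permit", "10.1.0.0/16"), ("permit", "10.250.0.0/24")]


if __name__ == "__main__":
    vrfs = build_vrfs()
    print("VRF GREEN -> 10.1.0.9:", vrf_forward(vrfs, "GREEN", "10.1.0.9"))
    print("VRF RED   -> 10.1.0.9:", vrf_forward(vrfs, "RED", "10.1.0.9"))
    print("VRF GREEN -> red host 10.1.5.7:", vrf_forward(vrfs, "GREEN", "10.1.5.7"))
    g = build_global()
    print("ACL ok    -> 10.1.5.7:", acl_forward(g, GREEN_ACL_CORRECT, "10.1.5.7"))
    print("ACL typo  -> 10.1.5.7:", acl_forward(g, GREEN_ACL_TYPO, "10.1.5.7"))
```

With the per-group tables, a green packet for a red address has no route at all, so there is no filter to get wrong; with the single table, isolation is only as good as every ACL line on every ingress, which is the operational exposure the text warns about.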

Figure 2. Scalable Network Design

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_implementation_whi te_paper0900aecd804a17c9.html
The advantage

Leverage IBM's leadership in virtualization networking

IBM Networking Strategy, Optimization and Integration Services provide the networking expertise to help you assess, and proactively plan for, the network that will meet the needs of your consolidation or virtualization initiatives. With over 30 years' experience architecting, designing and integrating servers, storage, networks and management solutions in the data center, IBM can help you build your network to better meet the high-availability, high-performance and security requirements for your virtualized environments.
The benefits

Maximize the value of your virtualization solutions

IBM virtualization networking solutions can help you:


Get the most from your virtualized infrastructure
Reduce the risk associated with complex data center upgrades
Improve resource availability, performance and security
Prepare for infrastructure growth and network scalability
Improve network flexibility to better support a dynamic infrastructure

http://blogs.oracle.com/hotnets/entry/virtualization_and_networking
Virtualization

Since virtualization is one of the hottest areas of growth today, it would be good to blog about virtualization and networking. This is one of the beauties of blogging: just writing about some topic in a public forum motivates one to do more research and become more thorough and proficient with the subject.

So why is virtualization so hot? It is primarily because, as servers grow more and more powerful, virtualization allows consolidation of multiple hosts on one physical system. The benefits of consolidation are many, chiefly power and administrative cost savings. These end hosts can run very different operating systems. The challenge is to run each independently of the others, so that the performance of one host is independent of the performance of the others, while they all share the resources of the same physical system.

So what is the challenge that virtualization brings to networking? Simply put, sharing I/O is challenging. Why? Consider other components such as CPU and memory. Since modern servers have multiple CPUs, we can simply assign the desired number of CPUs to each host and not allow hosts to touch each other. If a single CPU needed to be shared, that too could be done with a scheduling algorithm that follows a Time Division Multiplexing (TDM)-like approach. How about memory? Since memory is always managed as virtual memory, all we need to do is work with the paging algorithm: partition the memory and be careful about paging. This is not always simple because of memory locality issues on a Non-Uniform Memory Access (NUMA) system. But more on that later.

Now let us consider I/O. It is hard to partition peripheral devices across multiple hosts. Consider a Network Interface Card (NIC). Suppose two hosts do network I/O using this NIC simultaneously. Who resolves this conflict? Who coordinates the device instructions so that DMA mappings do not overlap with each other? How is network bandwidth fairly distributed between the two hosts? These are challenging problems.

In comes the role of the hypervisor. The hypervisor is a thin layer of software which interfaces between the virtual hosts and the physical machine. Simply put, in a virtualized environment, it is the hypervisor which plays the role of managing all the resources, such as CPU, memory, and I/O, and coordinating all the instructions sent by the virtual hosts.

So now let us talk about virtualization and networking. Here are the prominent ways in which network I/O works over virtualized environments today. The hypervisor plays different roles depending on the solution chosen by the vendor.
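The fair-bandwidth question the post raises for a shared NIC, worked as an added example that is not from the post: a deficit round robin (DRR) scheduler over one transmit queue per virtual host, next to the naive per-packet round robin that a hypervisor might start with. Hosts A and B, their queues and frame sizes are constructed; the point is that DRR shares bytes, so a guest sending large frames cannot crowd out one sending small ones.

```python
"""Sharing one NIC's transmit path between virtual hosts: per-packet round
robin versus deficit round robin (DRR), which shares bytes rather than packet
slots.  Added example, not from the blog; hosts, queues and packet sizes are
constructed."""
from collections import deque
from typing import Deque, Dict, List, Tuple

Packet = Tuple[str, int]  # (host, size in bytes)


class DrrScheduler:
    """Deficit round robin over one backlogged queue per virtual host."""

    def __init__(self, quantum: int) -> None:
        self.quantum = quantum          # bytes of credit granted per round
        self.queues: Dict[str, Deque[int]] = {}
        self.deficit: Dict[str, int] = {}

    def enqueue(self, host: str, size: int) -> None:
        self.queues.setdefault(host, deque()).append(size)
        self.deficit.setdefault(host, 0)

    def drain(self) -> List[Packet]:
        """Return the transmission order until every queue is empty."""
        order: List[Packet] = []
        active = [h for h, q in self.queues.items() if q]
        while active:
            still_active = []
            for host in active:
                q = self.queues[host]
                self.deficit[host] += self.quantum
                # Send while the head packet fits in the accumulated credit.
                while q and q[0] <= self.deficit[host]:
                    size = q.popleft()
                    self.deficit[host] -= size
                    order.append((host, size))
                if q:
                    still_active.append(host)
                else:
                    self.deficit[host] = 0  # an idle host banks no credit
            active = still_active
        return order


def packet_round_robin(queues: Dict[str, List[int]]) -> List[Packet]:
    """Naive alternative: one packet per host per turn, regardless of size."""
    pending = {h: deque(sizes) for h, sizes in queues.items()}
    order: List[Packet] = []
    while any(pending.values()):
        for host, q in pending.items():
            if q:
                order.append((host, q.popleft()))
    return order


def bytes_by_host(order: List[Packet], first_n: int) -> Dict[str, int]:
    """Bytes each host got onto the wire within the first N transmissions."""
    totals: Dict[str, int] = {}
    for host, size in order[:first_n]:
        totals[host] = totals.get(host, 0) + size
    return totals


# Constructed workload: host A sends 1500-byte frames, host B 500-byte frames,
# both backlogged with the same total of 6000 bytes.
WORKLOAD = {"A": [1500] * 4, "B": [500] * 12}


def drr_order(quantum: int = 1500) -> List[Packet]:
    sched = DrrScheduler(quantum)
    for host, sizes in WORKLOAD.items():
        for size in sizes:
            sched.enqueue(host, size)
    return sched.drain()


if __name__ == "__main__":
    print("packet RR, first 4:", bytes_by_host(packet_round_robin(WORKLOAD), 4))
    print("DRR,       first 4:", bytes_by_host(drr_order(), 4))
```

Resetting the deficit when a queue empties is what stops an idle guest from banking credit and later bursting; in a real hypervisor the same accounting applies per receive and transmit ring, with DMA mapping coordination handled separately from bandwidth fairness.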

NETWORKING: In the world of computers, networking is the practice of linking two or more computing devices together for the purpose of sharing data. Networks are built with a mix of computer hardware and computer software.

Network virtualization

Network virtualization is a method of combining the available resources in a network by splitting up the available bandwidth into channels, each of which is independent from the others, and each of which can be assigned (or reassigned) to a particular server or device in real time. The idea is that virtualization disguises the true complexity of the network by separating it into manageable parts, much like your partitioned hard drive makes it easier to manage your files.

http://www.olafm.de/2009/itc.pdf

Virtualized network infrastructure using OpenFlow
