Are your applications grinding to a halt thanks to all of that
VoIP traffic? Does your patch cabinet look like something from
a bad Italian restaurant? If the answer is yes, you need to
virtualise your network. But what does that involve, and how
can you do it properly?
When applied to networks, virtualisation does the same thing as
it does on servers, separating a logical resource from a physical
one. The most common type of network virtualisation technique - the
virtual local area network (Vlan) - creates a number of different
logical networks that share a physical connection, but which cannot
see each other. Operating at Layer 2 in the
Open Systems Interconnection (OSI) stack, these networks
typically need a
Layer 3 resource - a router - to communicate traffic between
them.
Why might you virtualise your network? Security is one obvious
answer, says Malcolm Price, technical director of network training
and consulting firm LanBase Technologies. "It makes it much harder
for a would-be hacker to exploit traffic streams and sniff frames
across the switch, because they would need to sniff specific local
area network (Lan) ports and not just target any switch port," he
says.
With router access control lists and firewalls at Layer 3, it is
also possible to protect and control traffic passing between
various Vlans, adds Adil Tahiri, technology strategy director in
the office of the CTO at Atos Origin.
Virtualised networks can be complemented by device and user
authentication to ensure that someone joining the network is
put onto the appropriate Vlan. When used in a network access
control (NAC) environment, where devices are subject to a health
check before being allowed onto the system, this might result in a
machine being put onto a quarantine Vlan with restricted access to
corporate resources.
Another benefit is performance. Vlans were originally introduced
in part to stop broadcast storms on large networks, says Pierre
Emmanuel-Ettori, technical marketing engineer at Cisco. Nodes
wanting to find each other send broadcast frames that every
other node in the same broadcast domain has to process. In large
networks the volume of broadcasts
could easily bring down the system. "You might, for example, break
out a 2000-node network into five Vlans with 400 hosts each. So
that minimises the broadcast domain and minimises the performance
impact," he explains.
Network virtualisation can also involve device partitioning,
turning a single device into multiple logical ones, each serving a
separate network. Virtual routing and forwarding (VRF) allows a
single device to hold multiple independent routing tables at the
same time, each of which can contain the same IP address ranges
without the devices on them conflicting.
Such techniques can be used to simplify things by creating
virtual layers of the network to overcome physical problems. Ettori
gives an example of a company merger (something that we will be
seeing a lot of as the fallout from the financial crisis
continues). Two companies trying to merge their networks may find
that they are using the same address space. You could go to the
trouble and expense of reconfiguring a company's whole network, but
there is an easier way.
"By placing each company in its own virtual network, you would
join them together and use a type of address translation," he says.
"Virtualisation has then stopped you having to do a huge
re-addressing project, and saved you quite a bit of effort."
VRF can also be used to overcome some limitations of
conventional Vlan environments. For example, Vlans are designed to
be used locally rather than across wide area network links, but
there may be scenarios in which geographically dispersed sites need
Layer 2 adjacency so that they can be on the same Vlan: two
datacentres that need a low-latency connection, for example, or
all the IP phones across more than one office.
VRF can be used to send traffic between geographically distributed
nodes without having to get into Layer 3 routing.
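As an added illustration (not configuration from the article or from any of the vendors quoted), the merger case above expressed as VRF-lite on a Cisco IOS Layer 3 switch: two Vlans carrying the identical 10.1.0.0/16 range coexist on one device because each sits in its own routing table. The VRF names, Vlan numbers, route distinguishers and addresses are assumed values.

```cisco
! One routing table per merged company (assumed names and RDs)
ip vrf CompanyA
 rd 65000:1
!
ip vrf CompanyB
 rd 65000:2
!
vlan 110
 name CompanyA-Users
vlan 120
 name CompanyB-Users
!
! Both Vlans keep their original 10.1.0.0/16 addressing.
! Without the VRF lines IOS would reject the overlapping subnet;
! inside separate VRFs the two tables never see each other.
interface Vlan110
 description Company A users, original address space
 ip vrf forwarding CompanyA
 ip address 10.1.0.1 255.255.0.0
!
interface Vlan120
 description Company B users, same address space, isolated by VRF
 ip vrf forwarding CompanyB
 ip address 10.1.0.1 255.255.0.0
!
! Check: each table should show its own connected 10.1.0.0/16 only
! show ip vrf
! show ip route vrf CompanyA
! show ip route vrf CompanyB
```

The address translation Ettori describes for joining the two sides is a separate step on top of this isolation and is not shown.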
While you are mulling the benefits of isolating network paths,
you may also consider network service virtualisation, which is
closer to the kind of server virtualisation that non-network
managers may be used to. Traditionally, network-based services such
as firewalls,
Domain Name System (DNS) servers and intrusion prevention
systems were each housed in their own dedicated hardware.
Increasingly, these services are being virtualised onto the same box,
reducing the physical footprint and power consumption required to
operate them.
All of these techniques will help to squeeze more performance,
efficiency and security out of your network, but only with the
necessary planning. "You must understand the design of the Vlan to
achieve certain ends so that you can direct traffic flow through
the network in a particular pattern. You want to ensure that
high-risk things such as workstations on the network are on a
separate logical virtual network from things such as back-end
servers. In that way, you can reduce the security footprint," says
James Price, vice-president at storage area networking specialist
DataCore Software.
It is also worth considering quality of service requirements for
low-latency traffic such as voice and video. Putting all of your IP
phones on the same Vlan (using something such as VRF to bridge
multiple locations) would help to guarantee performance and stop
them from polluting traffic in the rest of the infrastructure.
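As an added example, not taken from the article, here is a Cisco IOS configuration that applies the design advice above on a Catalyst-style Layer 3 switch: workstations, back-end servers, a NAC quarantine Vlan and IP phones each get their own Vlan, and router ACLs on the Layer 3 interfaces limit what can cross between them. Vlan numbers, addresses and the permitted services are assumed for illustration; the QoS policy for the voice Vlan is not shown.

```cisco
! One Vlan per trust level, plus a dedicated voice Vlan (assumed numbering)
vlan 10
 name Workstations
vlan 20
 name Servers
vlan 30
 name Quarantine
vlan 50
 name Voice
!
! A user-facing access port: the PC lands on Vlan 10, the attached
! IP phone is placed on Vlan 50 so voice never shares a broadcast
! domain with workstation traffic
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
!
! Workstations reach only the services they need on the server Vlan;
! everything else towards the servers is dropped and logged
ip access-list extended WORKSTATIONS-IN
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 53
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
 deny   ip  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 log
 permit ip  any any
!
! Quarantined machines reach only the remediation server (assumed host)
ip access-list extended QUARANTINE-IN
 permit tcp 10.30.0.0 0.0.255.255 host 10.20.0.20 eq 443
 deny   ip  any any log
!
interface Vlan10
 description Workstations (high risk)
 ip address 10.10.0.1 255.255.0.0
 ip access-group WORKSTATIONS-IN in
!
interface Vlan20
 description Back-end servers
 ip address 10.20.0.1 255.255.0.0
!
interface Vlan30
 description NAC quarantine
 ip address 10.30.0.1 255.255.0.0
 ip access-group QUARANTINE-IN in
!
interface Vlan50
 description IP phones
 ip address 10.50.0.1 255.255.0.0
```

The `log` keyword on the deny entries turns blocked workstation-to-server attempts into syslog records, which is where a monitoring team would look for traffic trying to cross the segmentation.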
With virtualisation taking the server world by storm, it seems
only natural that it should continue to make headway in the
networking world. And with device partitioning, service
virtualisation and multi-site Vlan capabilities bringing network
virtualisation into the modern age, there are broad opportunities
for infrastructure enhancement.