Virtualisation in the network

Are your applications grinding to a halt thanks to all of that VoIP traffic?

Are your applications grinding to a halt thanks to all of that VoIP traffic? Does your patch cabinet look like something from a bad Italian restaurant? If the answer is yes, you need to virtualise your network. But what does that involve, and how can you do it properly?

When applied to networks, virtualisation does the same thing as it does on servers, separating a logical resource from a physical one. The most common type of network virtualisation technique - the virtual local area network (Vlan) - creates a number of different logical networks that share a physical connection, but which cannot see each other. Operating at Layer 2 in the Open Systems Interconnection (OSI) stack, these networks typically need a Layer 3 resource - a router - to communicate traffic between them.

Why might you virtualise your network? Security is one obvious answer, says Malcolm Price, technical director of network training and consulting firm LanBase Technologies. "It makes it much harder for a would-be hacker to exploit traffic streams and sniff frames across the switch, because they would need to sniff specific local area network (Lan) ports and not just target any switch port," he says.

With router access control lists and firewalls at Layer 3, it is also possible to protect and control traffic passing between various Vlans, adds Adil Tahiri, technology strategy director in the office of the CTO at Atos Origin.

Virtualised networks can be complemented by device and user authentication to ensure that someone joining to the network gets put onto the appropriate Vlan. When used in a network access control (NAC) environment, where devices are subject to a health check before being allowed onto the system, this might result in a machine being put onto a quarantine Vlan with restricted access to corporate resources.

Another benefit is performance. Vlans were originally introduced in part to stop broadcast storms on large networks, says Pierre Emmanuel-Ettori, technical marketing engineer at Cisco. Nodes wanting to speak with each other use a broadcast packet that all other nodes on the network hear. In large networks the broadcasts could easily bring down the system. "You might, for example, break out a 2000-node network into five Vlans with 400 hosts each. So that minimises the broadcast domain and minimises the performance impact," he explains.

Network virtualisation can also involve device partitioning to turn a single device into multiple logical ones, each serving a separate network. Virtual routing and forwarding (VRF) makes it possible for a single device to hold multiple routing tables at the same time, each supporting the same IP addresses, so that devices do not conflict on the network.

Such techniques can be used to simplify things by creating virtual layers of the network to overcome physical problems. Ettori gives an example of a company merger (something that we will be seeing a lot of as the fallout from the financial crisis continues). Two companies trying to merge their networks may find that they are using the same address space. You could go to the trouble and expense of reconfiguring a company's whole network, but there is an easier way.

"By placing the company in their own virtual network, you would join them together and use a type of address translation," he says. "Virtualisation has then stopped you having to do a huge re-addressing project, and saved you quite a bit of effort."

VRF can also be used to overcome some limitations in conventional Vlan environments. For example, Vlans are designed to be used locally, rather than across wide area network links, but there may be scenarios in which you need Layer 2 adjacency for geographically dispersed environments that want to be on the same Vlan. Two datacentres that need a low-latency connection, for example, or perhaps all the IP phones across more than one office. VRF can be used to send traffic between geographically distributed nodes without having to get into Layer 3 routing.

While you are mulling the benefits of isolating network paths, you may also consider network service virtualisation, which is closer to the kind of server virtualisation that non-network managers may be used to. Traditionally, network-based services such as firewalls, Domain Name System (DNS) servers and intrusion prevention systems were all housed in their own dedicated hardware. More frequently, these services are being virtualised in the same box, reducing the physical footprint and power consumption required to operate them.

All of these techniques will help to squeeze more performance, efficiency and security out of your network, but only with the necessary planning. "You must understand the design of the Vlan to achieve certain ends so that you can direct traffic flow through the network in a particular pattern. You want to ensure that high-risk things such as workstations on the network are on a separate logical virtual network from things such as back-end servers. In that way, you can reduce the security footprint," says James Price, vice-president at storage area networking specialist DataCore Software.

It is also worth considering quality of service requirements for low-latency traffic such as voice and video. Putting all of your IP phones on the same Vlan (using something such as VRF to bridge multiple locations) would help to guarantee performance and stop them from polluting traffic in the rest of the infrastructure.

With virtualisation taking the server world by storm, it seems only natural that it should continue to make headway in the networking world. And with device partitioning, service virtualisation and multi-site Vlan capabilities bringing network virtualisation into the modern age, there are broad opportunities for infrastructure enhancement.

Read more on Networking hardware