network virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · a network virtualization...
TRANSCRIPT
![Page 1: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/1.jpg)
Network Virtualization
Ben Pfaff
Nicira Networks, Inc.
![Page 2: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/2.jpg)
Preview
●Data Centers●Problems: Isolation, Connectivity●Solution: Network Virtualization●Network Tunnels●A Network Virtualization Architecture●Open vSwitch Design●Questions?
![Page 3: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/3.jpg)
Data CentersFront of a rack Rear of a rack
“Top of Rack” switch
A data center has many racks.
A rack has 20-40 servers.
The servers in a rack connect to a 48-port “top of rack” (ToR) switch.
Data centers buy the cheapest ToR switches they can find. They are pretty dumb devices.
Data centers do not rewire their networks without a really good reason.
![Page 4: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/4.jpg)
Data Center Network Designbefore VMs
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
One rack of machines
Aggregation Switch
other ToRs
Core Switch
other agg switches
![Page 5: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/5.jpg)
Data Center Network Designwith VMs
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
One rack of machines
Aggregation Switch
other ToRs
Core Switch
other agg switches
VM VM VMup to 128 VMs each VM VM VM VM VM VM
virtual switch(= vswitch)
![Page 6: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/6.jpg)
Problem: Isolation
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
One rack of machines
Aggregation Switch
other ToRs
Core Switch
other agg switches
VM VM VMup to 128 VMs each VM VM VM VM VM VM
virtual switch(= vswitch)
All VMs can talk to each other by default.
You don't want someone in engineering screwing up the finance network. You don't want a break-in to your production website to allow stealing human resources data.
Some switches have security features but:●You bought the cheap ones instead.●There are hundreds of switches to set up.
![Page 7: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/7.jpg)
Problem: Connectivity
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
One rack of machines
Aggregation Switch
other ToRs
Core Switch
other agg switches
VM VM VMup to 128 VMs each VM VM VM VM VM VM
virtual switch(= vswitch)
The VMs in a data center can name each other by their MAC addresses (L2 addresses). This only works within a data center.
To access machines or VMs in another data center, IP addresses (L3 addresses) must be used. And those IP addresses have to be globally routable.
The InternetL3
L2
![Page 8: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/8.jpg)
Non-Solution: VLANs
A VLAN partitions a physical Ethernet network into isolated virtual Ethernet networks:
Ethernet IP TCPVLAN
L2 L3 L4
The Internet is an L3 network. When a packet crosses the Internet, it loses all its L2 headers, including the VLAN tag. You lose all the isolation when your traffic crosses the Internet.
Other problems: limited number, static allocation.
![Page 9: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/9.jpg)
Solution: Network Virtualization
Virtual Resource
Virtualization Layer
Physical Resource
Virtualization Layering
Virtual Ethernet network
Tunnel
Physical Ethernet network
Network Virtualization
Ethernet IP TCP
Ethernet IP TCPEthernet IP GRE
Tunneling: Separating Virtual and Physical Network
Physical Headers Virtual Headers
![Page 10: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/10.jpg)
Path of a Packet (No Tunnel)
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
One rack of machines
Aggregation Switch
other ToRs
Core Switch
other agg switches
VM VM VMup to 128 VMs each VM VM VM VM VM VM
virtual switch(= vswitch)
A packet from one VM to another passes through a number of switches along the way.
Each switch only looks at the destination MAC address to decide where the packet should go.
![Page 11: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/11.jpg)
Path of a Packet (Via Tunnel)
Machine 1 Machine 40Machine 2 . . .
“Top of Rack” Switch
Aggregation Switch
Core Switch
VMVMVM VMVMVM VMVMVM VMVMVMVMVMVMVMVMVM
Core Switch
Aggregation Switch
“Top of Rack” Switch
. . .Machine 2 Machine 40Machine 1
The Internet rout
ing
swit c
hing
phys
i cal
virt
ual
Ethernet IP TCPEthernet IP GREPhysical Headers Virtual Headers
Data Center 1 Data Center 2
![Page 12: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/12.jpg)
Challenges
● Setting up the tunnels:● Initially.● After VM startup/shutdown● After VM migration
● Handling network failures● Monitoring, administration● Administration
Use a central controller to set up the tunnels.
![Page 13: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/13.jpg)
A Network VirtualizationDistributed System
Machine 1 Machine 2 Machine 3 Machine 4
controller
OVS OVS OVS OVS
control protocols
VM VM VM VM VM VM VM VM VM VM VM VM
Data Center 1 Data Center 2
“Top of Rack” Switch
Aggregation Switch
Core Switch
wires
The Internet
“Top of Rack” Switch
Aggregation Switch
Core Switch
![Page 14: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/14.jpg)
Controller Duties
● Monitor:● Physical network● VM locations, states
● Control:● Tunnel setup● All packets on virtual and physical network● Virtual/physical mapping
● Tells OVS running everywhere else what to do
![Page 15: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/15.jpg)
Open vSwitch
● Ethernet switch implemented in software● Can be remotely controlled● Tunnels (GRE and others)● Integrates with VMMs, e.g. XenServer, KVM● Free and open source
openvswitch.org
![Page 16: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/16.jpg)
Open vSwitch: OVSDB protocol
● Slow-moving state:● VM placement (via VMM integration)● Tunnel setup
● Buzzwords:● Lightweight● Transactional● Not SQL● Persistent
![Page 17: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/17.jpg)
Open vSwitch: OpenFlow protocol
Ethernet switch
Flow table = ordered list of “if-then” rules:
“If this packet comes from VM A and going to VM B, then send it out via tunnel 42.”
(No rule: send to controller.)
![Page 18: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/18.jpg)
OpenFlow in the Data Center(One Possibility)
Machine 1 Machine 2 Machine 3 Machine 4
controller
OVS OVS OVS OVS
control protocols
VM VM VM VM VM VM VM VM VM VM VM VM
Data Center 1 Data Center 2
“Top of Rack” Switch
Aggregation Switch
Core Switch
wires
The Internet
“Top of Rack” Switch
Aggregation Switch
Core Switch
1. VM sends packet.2. Open vSwitch checks flow table – no match. Sends packet to controller.3. Controller tells OVS to set up a tunnel to the destination and send the packet on that tunnel.4. OVS sends packet on the new tunnel.5. Normal switching and routing carry the packet to its destination in the usual way.
The same process repeats on the other end to send the reply back.
This is done at most on a per-”flow” basis, and other optimizations keep it from happening too frequently.
2
1
3
4
5
![Page 19: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/19.jpg)
Open vSwitch: Design Overview
NIC NIC
Hostoperating system
VM 1 VM 2 VM 3
VNIC VNIC VNICVNIC VNIC
Virtual machines
Hypervisor physical machine
Controller
ovs-vswitchd
AdminstrativeCLI/GUI
...other network elements...
![Page 20: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/20.jpg)
Open vSwitch: Design Details
OVS kernelmodule
ovs-vswitchd
NIC NIC
Hypervisor
Hostoperating system
user kernel
VM 1 VM 2 VM 3
VNIC VNIC VNICVNIC VNIC
Virtual machines
Hypervisor physical machine
Controller
Cache hierarchy:<1us: Kernel module<1ms: ovs-vswitchd<10ms: controller
![Page 21: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/21.jpg)
OpenFlow: Another Use
1 2 3
4 5 6
7 8 9
Redundant Wiring Between Switches:
![Page 22: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/22.jpg)
OpenFlow: Another Use
1 2 3
4 5 6
7 8 9
Effective topology with normal L2 switching:
![Page 23: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/23.jpg)
OpenFlow: Another Use
1 2 3
4 5 6
7 8 9
controller
L2 routing managed by controller:
(Requires all switches to support OpenFlow)
![Page 24: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/24.jpg)
Conclusion
● Companies spread VMs across data centers.● Ordinary networking exposes differences
between VMs in the same data center and those in different data centers.
● Tunnels can hide the differences.● A controller and OpenFlow switches at the edge
of the network can set up and maintain the tunnels.
![Page 25: Network Virtualization - pspp.benpfaff.orgblp/network-virt-lecture.pdf · A Network Virtualization Distributed System Machine 1 Machine 2 Machine 3 Machine 4 controller OVS OVS OVS](https://reader034.vdocuments.mx/reader034/viewer/2022042916/5f564c34c642d77b553e6757/html5/thumbnails/25.jpg)
Questions?