White Paper

Network Services Virtualization

What Is Network Virtualization?
Business and IT leaders require a more responsive IT infrastructure that can help accelerate business initiatives and
remove inefficiencies. To meet this challenge, the IT infrastructure needs to be based on an IT model with a new
services delivery architecture that enables services as needed. It needs to evolve from a traditional campus
architecture that delivers basic connectivity to separate, siloed departments into an agile, resilient, and adaptive
architecture that delivers service orchestration. With these changes, the IT department becomes a business unit that
delivers services to improve the enterprise rather than simply a cost center. The technology that helps deliver this
new dynamic IT infrastructure is called Network Virtualization (Figure 1).

Figure 1. Network Virtualization

Business Challenges
In this new economy of globally distributed workforces and global competition, enterprises continue to use
collaborative technologies to help connect geographically dispersed user groups so that they act and feel like a
single, centralized entity. These collaborative technologies improve employee productivity while reducing operating
expenses by creating the notion of a borderless enterprise in which employees, customers, and partners all share
significant information and connect their business processes efficiently.

© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8

Adoption of collaborative technologies demands the network infrastructure to:
● Be agile: IT leaders are looking for ways to be more responsive to changing market dynamics, requiring them to accelerate deployment of new applications such as video conferencing equipment to help reduce travel costs.
● Connect a globally distributed workforce, with ubiquitous devices and omnipresent users: Users expect more control over when and how they work.
● Manage growth in user groups that need similar services: As the number of groups increases, keeping them separate and secure is a challenge that IT leaders must continue to address.
● Reduce operating expenses: IT needs to increase asset utilization and simplify services provisioning. To accomplish this, and with an increasing emphasis on service delivery, IT is looking at new service delivery options that can provide incremental services on the same infrastructure.
● Become energy efficient: IT needs to control the power and cooling requirements for the network infrastructure and service nodes.

Cisco Network Virtualization Architecture
The concept of virtualization is not new and has been employed since the days of mainframe computers. It has been widely deployed as part of data center network designs and is seeing increasing adoption in campus networks.

Network virtualization architecture has three main components (Figure 2):
● Network access control and segmentation of classes of users: Users are authenticated and either allowed or denied into a logical partition. Users are segmented into employees, contractors and consultants, and guests, each with the appropriate access to IT assets. This component identifies users who are authorized to access the network and then places them into the appropriate logical partition.
● Path isolation: Network isolation is preserved across the entire enterprise: from the edge to the campus to the WAN and back again. This component maintains traffic partitioned over a routed infrastructure and transports traffic over and between isolated partitions. The function of mapping isolated paths to VLANs and to virtual services is also performed in this component.
● Network services virtualization: This component provides access to shared or dedicated network services such as security, quality of service (QoS), and address management (Dynamic Host Configuration Protocol [DHCP] and Domain Name System [DNS]). It also applies policy per partition and isolates application environments, if required. Network services virtualization within the campus helps IT focus on providing a unique set of policies to different network segments without having to deploy dedicated service nodes.

The three components depend on one another: access control decides which partition a user belongs to, path isolation keeps that partition's traffic separate in transit, and services virtualization applies the partition's policy at the service node. A gap in any one of them (a user placed in the wrong partition, a path that leaks between partitions, or a shared service with no per-partition policy) undoes the isolation that the other two provide.

Figure 2. Cisco Network Virtualization Architecture

What Is Network Services Virtualization?
Network services virtualization is a critical building block in network virtualization. Although all the building blocks can be deployed in isolation, network services virtualization is an excellent strategy for consolidating multiple appliances into one, achieving better device utilization, simplifying network operations, and reducing overall acquisition cost. Network services virtualization virtualizes a network service node such as a firewall module, for example, by partitioning the available hardware resources among different virtual firewalls. The service virtualization provides independent instances of name space, configuration, inspection engines, and other resources within each instance. Some implementations, such as the Cisco Catalyst 6500 Series Firewall Services Module (FWSM), can support nearly 250 separate virtual firewall instances. Network services virtualization removes the need to acquire a separate device every time the network service is required: a software instance runs on the same physical hardware, extending the reach of the service without deploying specialized hardware for every instance that is required.

Network services virtualization provides numerous business and IT benefits:
● Efficient utilization: Acquisition cost is reduced as network services delivery is moved from a physical device to a virtual context. From an expense-management perspective, users see:
◦ Reduced total cost of ownership (TCO) and increased return on investment (ROI) through improved asset utilization, achieved by enabling additional capabilities within existing infrastructure
◦ A pay-as-you-grow licensing model for the virtualized service, giving the end user greater flexibility in deploying the right number of virtual instances; further, it is easy to scale to a greater number of instances if future needs increase

● Green: Reduced power consumption is achieved by consolidating multiple service instances into a single physical device without requiring deployment of dedicated hardware for each instance. Eliminating the need for additional physical devices effectively removes the need for the additional power supplies, cooling, and rack space that would otherwise have been required.
● Regulatory compliance: Compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Office of the Comptroller of the Currency (OCC) rules, and Sarbanes-Oxley requires customers to segment their network services on a group basis. This segmentation of network services helps ensure that the security, QoS, and traffic path manipulation of one group is different from that of the other groups within the enterprise.
● Manageability: Virtual service instances offer simplified provisioning. The management interface becomes more flexible: many network service instances can be managed as one, or each instance can have its own, separate management interface.

Network Services Virtualization: Before and After
Consider a typical enterprise before it implements virtualization. If it uses a single physical services node (for example, a firewall), applications must compete for resources, changes to one policy can affect the others, and device configuration is complex. Its choices are to share everything or nothing. Adding more physical service nodes creates an inefficient isolation of applications and results in device sprawl, underutilized resources, and complexity in upgrading. Enabling a particular service within the existing siloed infrastructure requires the addition of network infrastructure equipment and changes to network cabling.

With a virtualized architecture, such as that enabled by Cisco products, abstraction and partitioning allow one physical network service node to provide multiple virtual contexts, enabling isolated, secure applications with essentially guaranteed resources and role-based access. With the network services virtualization approach, a virtual service node instance can be created on the same physical infrastructure without the need for additional network cabling. This approach results in dramatic reductions in provisioning cycles, operating expenditures (OpEx), and power requirements.

Network Services Virtualization – Cisco Catalyst 6500
Virtualized network services available on the Cisco Catalyst 6500 Series platform include:
● Network security virtualization through multicontext virtual firewalls, also called security contexts: Each security context is an independent firewall with its own security policy, interfaces, and administrators. The overall system resources within a single physical firewall can be administered separately for each context. This system resource administration is required to make sure that no context inadvertently affects another context.
● Virtual Routing and Forwarding (VRF) network services: VRF-aware network services include:
◦ VRF-aware address management services: VRF-aware DHCP helps enable pervasive DHCP policies for groups of geographically dispersed users
◦ Optimized traffic redirection using VRF-aware Policy-Based Routing (PBR) and PBR set VRF
◦ VRF-aware syslog and VRF-aware Telnet, facilitating operational manageability

Network Security Virtualization: Firewalls
Network security using firewalls has evolved from a process that limits access to secure data and networks, beginning with simple access lists, to a technology that provides context-based stateful application inspection capabilities.

Today’s virtualization technologies enable an abstraction layer that decouples the security policies from the physical hardware to deliver greater network resource utilization and flexibility.

Evolution to Firewall Virtualization
Conventional Stand-alone Firewalls: Conventional firewalls allow users to apply security policies on the data passing between networks (that is, between the interfaces of a firewall). In the conventional firewall case, the firewall applies a single set of policies for traffic traveling between the inside and the outside interface (Figure 3).

Figure 3. Conventional Firewalls

Firewall Virtualization: Virtualization in its simplest form can be achieved by supporting IEEE 802.1Q VLAN tags on the same physical interface. IEEE 802.1Q support on firewalls allows customers to easily integrate into existing networks that have already been segmented using VLANs (IEEE 802.1Q VLANs). Virtualization techniques have evolved far beyond traditional VLAN integration. Virtualization at the next level involves partitioning a single physical firewall into multiple virtual firewalls, known as security contexts. Virtualization allows multiple virtual firewalls, with heterogeneous security policies, to run independently and simultaneously on the same physical firewall hardware module. Each virtual firewall is called a context because it is one partition, or instance, of a fully functional firewall. Each security context is an independent firewall, with its own security policy, interfaces, and administrators. Each virtual context has its own set of virtual interfaces to which the security policies can be applied. Even though all the configured contexts are emulated by a single firewall CPU, the traffic inspection and security policies of each context are independent of each other, as if handled by a dedicated physical firewall. Therefore, each context can be configured and managed by different administrators, or they can all be managed by one administrator who has access to each of the contexts. IT managers can also allocate the firewall’s shared resources, such as bandwidth, total connections, and memory, to each of the contexts based on customer needs and the needs of each group.

Targeted Firewall Virtualization Applications
Multiple security contexts are useful for both enterprise campus and data center deployments. IT departments managing internal campus networks can now partition a physical firewall into multiple contexts for each group of users (segmenting them either by role or by business unit) without investing in a dedicated physical firewall for each group. Each individual context can be configured based on the group’s security policies without affecting other contexts. The capability to run multiple security contexts on a single Cisco Catalyst 6500 Series FWSM helps customers limit the cost of additional hardware.

Cisco Catalyst 6500 Series FWSM Virtualization Architecture
The Cisco Catalyst 6500 Series Firewall Services Module allows the customer to configure up to 250 virtual firewalls in mixed mode. These contexts can be routed firewalls (Layer 3) or transparent firewalls (Layer 2, or stealth); mixed mode means both Layer 2 and Layer 3 firewalls coexisting on the same physical firewall. Multiple firewall contexts can be added to the module within the license limits. To share the system resources effectively across all contexts, the administrator can allocate system resources such as connections and connection rates (per second) as a percentage or an absolute number for each individual context. Because every context runs on the same CPU and draws from the same connection and memory tables, isolation of policy does not by itself mean isolation of capacity: a context that is under a connection flood, or simply busy, can exhaust the shared resources and degrade the other contexts unless such limits are set. Figures 4 and 5 show how the internal architecture of the Cisco Catalyst 6500 Series FWSM functions before and after virtualization.

Figure 4. Single Firewall Before Virtualization

Figure 5. Firewall Virtualization

Figure 6 shows how a single Cisco Catalyst 6500 Series FWSM can be organized into multiple security contexts, both routed and transparent, creating virtual firewalls (VFs).
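The following configuration is an added example, not configuration from the white paper or from Cisco, showing how the multicontext and resource-allocation features described above are expressed on a Catalyst 6500 supervisor and in the FWSM system execution space: one routed and one transparent context sharing a module, each placed in a resource class that caps it by percentage and by absolute rate. The slot number, VLAN IDs, context and class names, addresses, ports and limit values are all assumptions chosen for illustration.

```cisco
! ===== Catalyst 6500 supervisor (IOS) =====
! Assumed: FWSM in slot 4; VLANs 10, 20, 21, 30 and 31 exist on the switch.
! The supervisor hands a VLAN group to the module. The FWSM never sees a
! VLAN that is not in its group, which is the first isolation boundary.
firewall vlan-group 10 10,20,21,30,31
firewall module 4 vlan-group 10
!
! ===== FWSM system execution space =====
! Switch the module from single to multiple context mode (the module reloads).
mode multiple
!
! Resource classes. Each limit is a percentage of the module total or an
! absolute number; "rate" limits are per second. A context with no "member"
! line falls into the default class, which is unlimited for most resources,
! so an attacked or merely busy context could starve the others.
class gold
  limit-resource all 0
  limit-resource conns 40%
  limit-resource rate conns 5000
  limit-resource rate syslogs 1000
class bronze
  limit-resource all 0
  limit-resource conns 10%
  limit-resource hosts 2000
  limit-resource rate conns 500
!
! Admin context: a login here can change to the system space and reconfigure
! every other context, so its VLAN (10) is a management segment only.
context admin
  description Admin context on the management VLAN
  allocate-interface vlan10
  config-url disk:/admin.cfg
admin-context admin
!
context finance
  description Routed (Layer 3) firewall for the finance business unit
  allocate-interface vlan20
  allocate-interface vlan21
  config-url disk:/finance.cfg
  member gold
!
context guest
  description Transparent (Layer 2) firewall for guests, bridging vlan30 and vlan31
  allocate-interface vlan30
  allocate-interface vlan31
  config-url disk:/guest.cfg
  member bronze
!
! ===== inside context "finance" (reached with: changeto context finance) =====
interface vlan20
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
interface vlan21
  nameif inside
  security-level 100
  ip address 10.20.0.1 255.255.255.0
! The FWSM denies everything not explicitly permitted, in both directions;
! unlike an ASA it does not allow high-to-low traffic by default.
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq 443
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit tcp 10.20.0.0 255.255.255.0 any eq 443
access-group INSIDE_OUT in interface inside
!
! ===== inside context "guest" (reached with: changeto context guest) =====
firewall transparent
interface vlan30
  nameif outside
  security-level 0
interface vlan31
  nameif inside
  security-level 100
! Management address of the transparent context; both VLANs share one subnet.
ip address 10.30.0.2 255.255.255.0
access-list GUEST_OUT extended permit tcp 10.30.0.0 255.255.255.0 any eq 80
access-list GUEST_OUT extended permit tcp 10.30.0.0 255.255.255.0 any eq 443
access-group GUEST_OUT in interface inside
```

After loading this, `show resource allocation` and `show resource usage` from the system space show what each class reserves and what each context actually consumes. Add up the percentage limits across all classes before committing them: the module does not refuse an oversubscribed total, so oversubscription should be a deliberate decision rather than something discovered under load. The two contexts here have entirely separate policies, administrators and interface sets, which is the isolation the white paper describes; the resource classes are what stop one of them from consuming the other's share of the single physical module.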

Figure 6. Virtualized Firewall

Network Services Virtualization: VRF-Aware Services
The Cisco Catalyst 6500 and 4500 Series Switches enable VRF support for features that help provide network services. Main functions include:
● Ease of operational manageability within VRF instances: The Cisco Catalyst 6500 Series supports features that enable switch management within a VRF instance. Main features include:
◦ NetFlow on VRF interfaces: Allows NetFlow statistics collection on interfaces that are part of a VRF instance
◦ VRF-aware syslog: Allows the switch to send system logging (syslog) messages to a syslog server host connected through a VRF interface
◦ VRF-aware Telnet: Allows the management interface to be part of a VRF instance instead of the global interface list

◦ VRF-aware TACACS: Allows the authentication, authorization, and accounting (AAA) TACACS server to be part of the VRF instance, so that the switch can send AAA messages to an AAA server within a VRF instance
● Virtualized address management policies using VRF-aware DHCP: This feature helps enable pervasive DHCP policies for groups of geographically dispersed users.
● Optimized traffic redirection using PBR set VRF: This feature helps segment and redirect traffic from the global routing table to a VRF instance.

Conclusion
Cisco offers a proven, end-to-end network virtualization solution that spans the entire network infrastructure, from the backbone to every endpoint. The Cisco Catalyst 6500 platform is a key component of the Cisco Network Virtualization architecture, which allows customers to manage network services, making it easier and faster to enable new network services. The Cisco Catalyst 6500 has a broad range of hardware and software features that enable customers to deploy virtualization across all places in the network to help reduce the management complexity of services including Unified Communications, mobility, and security. Using the Cisco Network Virtualization architecture, organizations can reap the benefits of end-to-end virtualization and policy-driven service orchestration. This shared services architecture enables flexibility and agility while streamlining resources and reducing operational expenses.

For More Information
Go online to learn more about Cisco network virtualization solutions: www.cisco.com/go/networkvirtualization.
Network Services Virtualization design guides: http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html

Printed in USA C11-531522-00 04/09
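The VRF-aware services listed in the "Network Services Virtualization: VRF-Aware Services" section (NetFlow on VRF interfaces, VRF-aware syslog, management inside a VRF, VRF-aware TACACS, VRF-aware DHCP, and PBR set VRF), shown together on one Catalyst 6500 as an added example. This is not configuration from the white paper or from Cisco; the VRF names, route distinguishers, VLAN IDs, addresses, server addresses and the TACACS+ key are all assumptions chosen for illustration.

```cisco
! Catalyst 6500 (IOS). Assumed: three VRFs (MGMT, FINANCE, GUEST); the RDs,
! VLAN IDs, addresses and server addresses below are illustrative only.
ip vrf MGMT
 rd 65000:10
ip vrf FINANCE
 rd 65000:20
ip vrf GUEST
 rd 65000:30
!
! Path isolation: each SVI belongs to exactly one VRF, so FINANCE and GUEST
! never see each other's routes even though they share the same switch.
interface Vlan10
 description Management segment, MGMT VRF
 ip vrf forwarding MGMT
 ip address 10.10.0.1 255.255.255.0
interface Vlan21
 description Finance users, FINANCE VRF
 ip vrf forwarding FINANCE
 ip address 10.20.0.1 255.255.255.0
 ip flow ingress
interface Vlan31
 description Guest users, GUEST VRF
 ip vrf forwarding GUEST
 ip address 10.30.0.1 255.255.255.0
 ip flow ingress
!
! NetFlow on VRF interfaces: "ip flow ingress" above collects flows per VRF
! segment; the collector (assumed 10.10.0.7) is reached via the global table.
ip flow-export version 9
ip flow-export destination 10.10.0.7 2055
!
! VRF-aware syslog: messages leave through the MGMT VRF, not the global table.
logging trap informational
logging host 10.10.0.5 vrf MGMT
!
! VRF-aware TACACS+: the AAA server lives inside MGMT and is sourced from Vlan10.
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server-private 10.10.0.6 key ExampleSharedSecretChangeMe
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan10
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS local
aaa accounting exec default start-stop group MGMT-TACACS
!
! Management inside a VRF: the VTY lines are reached through Vlan10 in MGMT.
! Telnet sends credentials in cleartext; SSH behaves the same way on a VRF
! interface and is the safer choice, so only SSH is accepted here.
line vty 0 4
 transport input ssh
 login authentication default
!
! VRF-aware DHCP: one pool per VRF. Pools are scoped by VRF, so two groups
! could even reuse the same address space without colliding.
ip dhcp pool FINANCE-USERS
 vrf FINANCE
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 10.20.0.53
ip dhcp pool GUEST-USERS
 vrf GUEST
 network 10.30.0.0 255.255.255.0
 default-router 10.30.0.1
 dns-server 10.30.0.53
!
! PBR set VRF: traffic from a legacy global-table segment that matches the ACL
! is pushed into FINANCE. This is a deliberate hole through the isolation
! boundary, so the ACL is kept to one destination host and one port.
ip access-list extended TO-FINANCE-APPS
 permit tcp any host 10.20.0.10 eq 443
route-map REDIRECT-TO-FINANCE permit 10
 match ip address TO-FINANCE-APPS
 set vrf FINANCE
interface Vlan100
 description Legacy segment still in the global routing table
 ip address 10.100.0.1 255.255.255.0
 ip policy route-map REDIRECT-TO-FINANCE
```

Two practical points follow from this. PBR set VRF is one-directional: it moves matching packets into the VRF, but the replies still need a route from FINANCE back to the global-table segment, and whatever is matched by the ACL bypasses the isolation between the global table and the VRF, which is why the match is kept narrow and why NetFlow on the VRF interfaces is worth having, since it records what actually crossed. The management services (syslog, TACACS+, VTY access) all terminate inside MGMT, so a compromise of a user segment in FINANCE or GUEST does not by itself give reachability to the logging or AAA servers.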