Uploaded by

kumaranmca1521

NETWORK FUNCTION VIRTUALIZATION UNIT 5
SYLLABUS

• Building SDN Framework
• Network Functions Virtualization
• Introduction – Virtualization and Data Plane I/O
• Service Locations and Chaining
• Applications – Use Cases of SDNs: Data Centers, Overlays, Big Data and Network Function Virtualization
BUILDING SDN FRAMEWORK

• Software-Defined Networking (SDN) is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with the underlying hardware infrastructure and direct traffic on a network.
• OpenDaylight (ODL) is a standard [1] platform for open SDN that can serve a network of any scope and size and deliver network services across a range of hardware. Many networks are designed only to meet the needs and requirements of a particular point in time. Software-defined networking improves on the current network by readily accepting changes as user requirements evolve; OpenDaylight supports this by providing a universal platform that can be set up in several ways to deal with network challenges.
• The network is portrayed through a model-driven method by which the OpenDaylight controller performs functions and achieves outcomes. To solve complex problems, OpenDaylight contributes data structures to a common messaging framework and data store, and allows elegant services to be designed and combined together.
• The open source controller and the idea of SDN are used to implement a four-tier architecture of SDN and control platform. The application interface, message acceptance and other services are obtained and managed by establishing the connection with SDN.

• SDN: Embracing change. The very heart of networking is about change. Your current network infrastructure is a platform on which the entire IT portfolio depends for communication and services. Although the network is made of many physical elements, such as routers, switches, and firewalls, it is for all practical purposes a single system. A change in any part of the network can cause a failure of the whole. This wholesale interdependence has led to a fear of change among network operators that prevents new services, new features, and even good operational practices. SDN is a network architecture that changes how we design, manage, and operate the entire network so that changes to the network become practical and reliable.

• Planes of operation. The internal architecture of a network device has three planes of operation. The management plane handles external user interaction and administrative tasks like authentication, logging, and configuration via a Web interface or CLI. The control plane administers the internal device operations, providing the instructions used by the silicon engines to direct the packets. The control plane runs the routing and switching protocols and feeds operational data back to the management plane. The data plane is the engine room that moves packets through the device, using the forwarding table supplied by the control plane to determine the output port.

• Planes of operation, continued. In networking today, the control plane on each device communicates with the control planes on all other devices in the network using protocols like OSPF or Spanning Tree. As a result, networking is a system of distributed computing in which all of the system elements must be coherent for the network to function as a whole. Although network protocols are well proven, networking remains less than perfect because 1) distributed computing systems are limited by "eventual consistency" (for networks, that means an outage during reconvergence), and 2) we’re constrained by poor features like destination-based routing (when source/destination routing would be better).
NETWORK FUNCTIONS VIRTUALIZATION

• Network functions virtualization (NFV) is the replacement of network appliance hardware with virtual machines. The virtual machines use a hypervisor to run networking software and processes such as routing and load balancing.
• NFV allows for the separation of communication services from dedicated hardware, such as routers and firewalls. This separation means network operations can provide new services dynamically and without installing new hardware. Deploying network components with network functions virtualization takes hours instead of the months required with traditional networking. Also, the virtualized services can run on less expensive, generic servers instead of proprietary hardware.
NETWORK FUNCTIONS VIRTUALIZATION

• Additional reasons to use network functions virtualization include:
• Pay-as-you-go: Pay-as-you-go NFV models can reduce costs because businesses pay only for what they need.
• Fewer appliances: Because NFV runs on virtual machines instead of physical machines, fewer appliances are necessary and operational costs are lower.
• Scalability: Scaling the network architecture with virtual machines is faster and easier, and it does not require purchasing additional hardware.
NETWORK FUNCTIONS VIRTUALIZATION

• How does network functions virtualization work?
• Essentially, network functions virtualization replaces the functionality provided by individual hardware networking components. This means that virtual machines run software that accomplishes the same networking functions as the traditional hardware. Load balancing, routing and firewall security are all performed by software instead of hardware components. A hypervisor or software-defined networking controller allows network engineers to program all of the different segments of the virtual network, and even automate the provisioning of the network. IT managers can configure various aspects of the network functionality through one pane of glass, in minutes.
NETWORK FUNCTIONS VIRTUALIZATION

• Benefits of network functions virtualization
• Many service providers feel that the benefits of network functions virtualization outweigh the risks. With traditional hardware-based networks, network managers have to purchase dedicated hardware devices and manually configure and connect them to build a network. This is time-consuming and requires specialized networking expertise.
• NFV allows virtual network functions to run on a standard generic server, controlled by a hypervisor, which is far less expensive than purchasing proprietary hardware devices. Network configuration and management is much simpler with a virtualized network. Best of all, network functionality can be changed or added on demand because the network runs on virtual machines that are easily provisioned and managed.
NETWORK FUNCTIONS VIRTUALIZATION

• Risks of network functions virtualization
• NFV makes a network more responsive and flexible, and easily scalable. It can accelerate time to market and significantly reduce equipment costs. However, there are security risks, and network functions virtualization security concerns have proven to be a hurdle for wide adoption among telecommunications providers. Here are some of the risks of implementing network functions virtualization that service providers need to consider:
NETWORK FUNCTIONS VIRTUALIZATION

• Physical security controls are not effective: Virtualizing network components increases their vulnerability to new kinds of attacks compared to physical equipment that is locked in a data center.
• Malware is difficult to isolate and contain: It is easier for malware to travel among virtual components that are all running off of one virtual machine than between hardware components that can be isolated or physically separated.
• Network traffic is less transparent: Traditional traffic monitoring tools have a hard time spotting potentially malicious anomalies within network traffic that is traveling east-west between virtual machines, so NFV requires more fine-grained security solutions.
• Complex layers require multiple forms of security: Network functions virtualization environments are inherently complex, with multiple layers that are hard to secure with blanket security policies.
NETWORK FUNCTIONS VIRTUALIZATION

• NFV vs. SDN
• While NFV separates networking services from dedicated hardware appliances, software-defined networking, or SDN, separates the network control functions such as routing, policy definition and applications from network forwarding functions. With SDN, a virtual network control plane decides where to send traffic, enabling entire networks to be programmed through one pane of glass. SDN allows network control functions to be automated, which makes it possible for the network to respond quickly to dynamic workloads. A software-defined network can sit on top of either a virtual network or a physical network, but a virtual network does not require SDN to operate. Both SDN and NFV rely on virtualization technology to function.
INTRODUCTION – VIRTUALIZATION AND DATA PLANE I/O
• With the introduction of NFV, more networking vendors are starting to implement their traditional devices as VNFs. While the majority of them are looking into virtual machines (VMs), some are also looking at a container-based approach, depending on design choice. An OpenStack-based solution should be rich and flexible for two primary reasons:
• Application readiness - Network vendors are currently in the process of transforming their devices into VNFs, so different VNFs in the market have different maturity levels; common barriers to this readiness include enabling RESTful interfaces in their APIs, evolving their data models to become stateless, and providing automated management operations. OpenStack should provide a common platform for all.
• Broad use-cases - NFV includes a broad range of applications that serve different use-cases. For example, Virtual Customer Premise Equipment (vCPE) aims at providing a number of network functions such as routing, firewall, VPN, and NAT at customer premises. Virtual Evolved Packet Core (vEPC) is a cloud architecture that provides a cost-effective platform for the core components of a Long-Term Evolution (LTE) network, allowing dynamic provisioning of gateways and mobile endpoints to sustain the increased volumes of data traffic from smartphones and other devices.
• NFV Data Plane Options:
• Some of the common datapath options are as follows:
• Single Root I/O Virtualization (SR-IOV) - is a standard that makes a single PCI hardware device appear as multiple virtual PCI devices. It works by introducing Physical Functions (PFs), which are the full-featured PCIe functions representing the physical hardware ports, and Virtual Functions (VFs), which are lightweight functions that can be assigned to the virtual machines. The virtual machines see the VF as a regular NIC that communicates directly with the hardware. NICs support multiple VFs.
• Open vSwitch (OVS) - is an open source software switch that is designed to be used as a virtual switch within a virtualized server environment. OVS supports the capabilities of a regular L2-L3 switch and also offers support for SDN protocols such as OpenFlow to create user-defined overlay networks (for example, VXLAN). OVS uses Linux kernel networking to switch packets between virtual machines and across hosts using the physical NIC.
• Data Plane Development Kit (DPDK) - consists of a set of libraries and poll mode drivers (PMDs) for fast packet processing. It is designed to run mostly in user space, enabling applications to perform their own packet processing directly from/to the NIC. DPDK reduces latency and allows more packets to be processed. DPDK Poll Mode Drivers (PMDs) run in a busy loop, constantly scanning the NIC ports on the host and the vNIC ports in the guest for the arrival of packets.
SERVICE LOCATIONS AND CHAINING

• A ‘service chain’ is a set of network services which are performed in a specific order, and ‘service chaining’ refers to steering the traffic through such a “chain”. It’s like a recipe where actions are performed in a preordained order. Services can be performed in parallel or in serial, depending on the situation. The chain can be implemented by cabling individual devices together or, increasingly, by using software provisioning to control the flow of data through the selected services. Monitoring tools that are linked together in this way are sometimes referred to as a daisy-chain. The use of service chains is linked to the automation of functions that have been either embedded in single-purpose hardware devices, dictated by physical topologies, or performed manually, practices which are increasingly perceived as too costly and inflexible in our fast-moving digital economy.
SERVICE LOCATIONS AND CHAINING - TRADITIONAL / STATIC SERVICE CHAIN IMPLEMENTED BY OPERATOR (figure slide: “Example service function chain implemented by network operators today”)

• In the example scenario illustrated in the previous slide (“Example service function chain implemented by network operators today”), Subscriber 1 wishes to access video content on their mobile device. The user would simply need the video optimization service, as well as basic firewalling. However, the user’s traffic will have to traverse the entire chain. Adding to this, services must often be applied in a specific order, which implies the need for complex routing techniques and VLANs to ensure that this is performed correctly. This example highlights the sub-optimal use of network and compute resources, as the entire service chain has to be traversed, regardless of whether this is required or not.
• Service chaining is one of several approaches that make it possible to centrally manage and direct the operation of IT resources, to increase efficiency and time-to-market, as well as decrease costs.
• Use Case - Real-Time Network Monitoring
• With real-time monitoring, you need to keep traffic moving quickly and your security tools working efficiently. Chaining tools together allows you to pass only the suspicious traffic to additional tools for deeper inspection or to a honeypot to be quarantined. Packets without anomalies are moved along quickly, to maintain the best possible response time. A common example is the use of a Security Information and Event Management (SIEM) solution to filter out suspicious traffic for further analysis by other tools in the daisy-chain. Traffic without exception is quickly sent back through the network to support the fastest possible response time.
• Use case - Out-of-Band Monitoring
• Out-of-band monitoring tools can be chained for similar reasons. An example would be to take the result of application classification provided by a Keysight network packet broker and send the application-specific information on to the best tool for analyzing a given packet type. Metadata can also be added to the packets to let tools farther in the chain know more about the origin or destination of the traffic.
• Use case - Value Added Traffic Management
• Service chaining is also common when administrators must enable multiple resources or processes to be used. Examples include enforcing policies, performing QoS monitoring, and gathering real-time analytics for traffic flow adjustments, all of which help to ensure quality of service.
• Use case - Service Management
• The concept of service chaining plays a strong role in helping carriers provide services to end users with speed and accuracy or helping providers deliver a service with an excellent experience. One example is the chain of special-purpose platforms that video packets must pass through before delivery to the end customer, beginning with video optimization, then transparent caching, then (optional) parental controls, and finally a Wireless Access Point (WAP) gateway. These services are linked or chained together so that tasks necessary for all of these services do not have to be performed multiple times. Details about each user—such as their device, location, or whether they are subject to parental control—are also used to dynamically steer traffic through the necessary services.
SERVICE LOCATIONS AND CHAINING - DYNAMIC SERVICE CHAIN USING SDN & NFV (figure slide)

• Based on the previous slide’s diagram: when traffic arrives at the network gateways, it is now labelled by a dedicated classification device with the use of deep packet inspection (DPI). The traffic is then intelligently forwarded to the required services, based on the service identifier. The identifier itself can be derived from a field in the traffic such as a network service header (NSH), virtual local area network (VLAN) tag, or Source MAC Address (SMAC), or it can be directly programmed in the switch flow-tables. This allows network and compute resources to be used more efficiently, as traffic only flows through the required services. The provider is thereby relieved from continuously having to over-provision the network.
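The static chain from the earlier figure and the dynamic, NSH-steered chain described here, worked through as an added example (not code from the slides or from any vendor). The service names, the Service Path Identifier (SPI) values in SFP_TABLE and the classifier rules are constructed for illustration; the NSH Service Path Header layout (24-bit SPI, 8-bit Service Index) follows RFC 8300.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "today" chain: every subscriber's packets cross all five services.
STATIC_CHAIN = ["dpi", "firewall", "nat", "video_optimizer", "parental_control"]

# Service Function Path table: SPI -> ordered list of services (constructed).
SFP_TABLE = {
    10: ["firewall", "video_optimizer"],
    11: ["firewall", "video_optimizer", "parental_control"],
    20: ["firewall", "nat"],
}


@dataclass
class Flow:
    subscriber: str
    app: str                 # DPI verdict at the gateway, e.g. "video" or "web"
    parental_control: bool   # subscriber profile detail used for steering


def classify(flow: Flow) -> int:
    """Gateway classifier: DPI result plus subscriber profile selects an SPI."""
    if flow.app == "video":
        return 11 if flow.parental_control else 10
    return 20


def nsh_service_path_header(spi: int, si: int) -> bytes:
    """NSH Service Path Header: SPI in the top 24 bits, Service Index in the low 8."""
    if not 0 <= spi < (1 << 24) or not 0 <= si < 256:
        raise ValueError("SPI must fit in 24 bits and SI in 8 bits")
    return struct.pack("!I", (spi << 8) | si)


def parse_nsh_service_path_header(hdr: bytes) -> Tuple[int, int]:
    word, = struct.unpack("!I", hdr[:4])
    return word >> 8, word & 0xFF


def next_service(spi: int, si: int) -> Optional[str]:
    """Service Function Forwarder lookup: (SPI, SI) names the next hop.
    SI starts at the path length and each service decrements it by one;
    SI == 0 means the chain is complete and the packet leaves the chain."""
    path = SFP_TABLE[spi]
    index = len(path) - si
    if si == 0 or index < 0 or index >= len(path):
        return None
    return path[index]


def steer(flow: Flow) -> List[str]:
    """Dynamic chain: return the services the flow actually visits."""
    spi = classify(flow)
    hdr = nsh_service_path_header(spi, len(SFP_TABLE[spi]))
    visited = []
    while True:
        spi, si = parse_nsh_service_path_header(hdr)
        service = next_service(spi, si)
        if service is None:
            break
        visited.append(service)
        hdr = nsh_service_path_header(spi, si - 1)  # the service decrements SI
    return visited


def static_chain(flow: Flow) -> List[str]:
    """Operator-cabled chain: the flow is ignored, everything is traversed."""
    return list(STATIC_CHAIN)


if __name__ == "__main__":
    video = Flow("subscriber-1", "video", parental_control=False)
    print("static :", static_chain(video))
    print("dynamic:", steer(video))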
• Advantages of Service Chaining
• Enable Network Function Virtualization (NFV): Once upon a time, specialized network appliances ruled the data center and in many places they still do. When you consider their purpose, however, you can identify multiple functions taking place inside each appliance. For instance, a firewall might perform network address translation, deep packet inspection, and access control. The hardware appliance was designed to perform these functions at wire speed. But in recent years, many of the functions once performed by expensive hardware appliances are being redesigned as software functions that can be run on any generic and low-cost CPUs. This process is called network function virtualization and the goal is to achieve the same results as the appliance, but at greater efficiency and less cost.
• Reduce Redundant Inspections: Without the ability to chain together certain functions, a particular packet may need to pass through a particular service more than once to meet the qualifications for other types of inspection tools. For instance, in the case of security monitoring, SSL traffic can pass through a powerful decryption tool and the exposed content can be sent through a series of additional inspection tools. This avoids the need to send the traffic through decryption for each tool, which would increase latency and multiply the cycles being consumed on the decryption tool. A more efficient and more cost-effective result is achieved by sending decrypted traffic through multiple tools before passing it through to the trusted network.
• Apply Consistent Policies: Pre-set service chains help ensure that actions are taken in a specific sequence, and nothing is overlooked. This reduces errors and increases the chance that abnormalities will be identified in time to prevent damage to an organization’s data or other resources.
• Increase Flexibility: The ability to define service chains dynamically, based on the user, device, location, service level, or other characteristic is a powerful capability in the fast-moving digital economy. Well-defined rules and policies can help decrease the time to deliver a service and increase the quality of the user experience.
• Service chaining is a useful concept that can help you organize operational tasks into more manageable groups. As programmability becomes the norm in network management, organizations will find more ways to use service chaining to increase network visibility, improve security monitoring, and increase the speed and quality of applications.
APPLICATIONS – USE CASES OF SDNS

• SDN use cases range from data center fabrics and programmable network taps to WAN optimization and policy enforcement. The webinar focuses on SDN use cases that have been deployed in production or pilot networks and covers these categories:
• Data center fabrics
• Forwarding optimizations and exception routing
• WAN optimizations
• Centralized traffic engineering
• Programmable network taps and tap aggregation networks
• Network monitoring
• Network services insertion
• Scale-out network services
• DDoS detection and mitigation tools
• Edge policy enforcement
DATA CENTER NETWORKING

• Data center networking is the integration of a constellation of networking resources — switching, routing, load balancing, analytics, etc. — to facilitate the storage and processing of applications and data.
• Modern data center networking architectures leverage full-stack networking and security virtualization platforms that support a rich set of data services connecting everything from VMs, containers, and bare metal applications while enabling centralized management and granular security controls.
• This model of data center networking represents a significant shift from the standard networking model in data centers not long ago. From on-premises physical servers, to virtualized infrastructure, to an integrated edge-to-cloud model of networking and security that is present wherever apps and data live, data center networking has evolved greatly in a short time.
DATA CENTER NETWORKING

• Why data center networking?
• The most advanced data center networking platforms connect and protect everything in an organization’s environment, adjusting dynamically to the evolving needs of users and applications. They deliver critical services for apps and data, including automation, consistent operations, and granular security via micro-segmentation.
• Let’s look at some of the requirements for a modern data center networking platform:

• Automation. Achieving speed and agility in modern data centers depends greatly on
automated provisioning of networking services for applications. Far faster and more
reliable than a human administrator, modern networking platforms not only find the most
efficient way to program a network, balance workloads, and automate time-consuming
tasks, they also respond dynamically to changes in usage.
• Consistent policies. With modern data center networking responsible for integrating
resources from edge to cloud, consistent application of policies is essential.
• Single pane of glass. Typically connecting resources located both on-premises, in the cloud,
and at the edge, modern data center networking platforms offer centralized management
from a single console.

• Granular security. Today’s data center networking platforms often feature integrated
security controls that can include micro-segmentation and IDS/IPS.
• Global visibility. Most data center networking platforms can display a visual
representation of the network and its interconnections, which makes troubleshooting
network issues much easier.
• How does data center networking work?
• A modern data center networking platform runs all network services required to support traditional enterprise applications entirely in software, enabling the automation of what were previously manual and error-prone provisioning tasks. It also makes possible capacity planning, security policy planning, and network troubleshooting. When applications are decommissioned, the networking platform handles de-provisioning policies associated with that application, which prevents the sprawl of stale policies that would otherwise degrade manageability, security, connectivity, and compliance.
OVERLAYS

• An overlay network is a virtual or logical network that is created on top of an existing physical network. The internet, which connects many nodes via circuit switching, is an example of an overlay network.
• An overlay network is any virtual layer on top of physical network infrastructure. This may be as simple as a virtual local area network (VLAN) but typically refers to more complex virtual layers from software-defined networking (SDN) or a software-defined wide area network (SD-WAN).

• The overlay creates a new layer where traffic can be programmatically directed through
new virtual network routes or paths instead of requiring physical links. Overlays enable
administrators to define and manage traffic flows, irrespective of the underlying physical
infrastructure.
• SDN is a quickly growing network strategy where the network operating system
separates the data plane (packet handling) from the control plane (the network topology
and routing rules). SDN acts as an overlay, running on the distributed switches,
determining how packets are handled, instead of a centralized router handling those
tasks.
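An added example (not from the slides or from Open vSwitch) of the VXLAN overlay mentioned under OVS: it builds and strips the 8-byte VXLAN header from RFC 7348, shows a receiving VTEP delivering only to a port in the same VNI, and shows why the NFV risk slide calls east-west traffic "less transparent": a monitor on the underlay sees hypervisor-to-hypervisor UDP, and only after decapsulation sees the tenant flow. The MAC addresses, VNI 5001 and port names are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
ETH_HDR_LEN = 14


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Inner Ethernet frame as a VM would emit it (constructed test data)."""
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header: flags(8) reserved(24) VNI(24) reserved(8).
    The sending VTEP carries the result as the payload of a UDP/4789 datagram."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)
    return header + inner_frame


def vxlan_decap(payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); reject payloads that are not valid VXLAN."""
    if len(payload) < 8 + ETH_HDR_LEN:
        raise ValueError("payload too short for a VXLAN header plus inner frame")
    flags, _r1, _r2, word = struct.unpack("!BBHI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return word >> 8, payload[8:]


def inner_flow_view(payload: bytes) -> Dict[str, object]:
    """What a monitor sees only after decapsulation: the tenant-level flow."""
    vni, frame = vxlan_decap(payload)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"vni": vni, "dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype}


def vtep_deliver(payload: bytes, local_ports: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Receiving VTEP: forward the inner frame to the local port whose MAC *and*
    VNI match. The same MAC in a different VNI is a different segment, so a
    frame for VNI 5001 never reaches a port attached to VNI 5002."""
    vni, frame = vxlan_decap(payload)
    return local_ports.get((mac_str(frame[:6]), vni))


# Constructed sample: VM A sends an IPv4 frame to VM B inside tenant VNI 5001.
VM_A_MAC = "02:00:00:00:00:0a"
VM_B_MAC = "02:00:00:00:00:0b"
SAMPLE_FRAME = build_ethernet(VM_B_MAC, VM_A_MAC, 0x0800, b"\x45" + b"\x00" * 19)
SAMPLE_PACKET = vxlan_encap(5001, SAMPLE_FRAME)
LOCAL_PORTS = {(VM_B_MAC, 5001): "vnet3", (VM_B_MAC, 5002): "vnet7"}

if __name__ == "__main__":
    # Underlay tap: only VTEP addresses and UDP/4789 are visible, the VMs are not.
    print("underlay view: 10.0.0.1 -> 10.0.0.2 udp/%d" % VXLAN_UDP_PORT)
    print("overlay view: ", inner_flow_view(SAMPLE_PACKET))
    print("delivered to: ", vtep_deliver(SAMPLE_PACKET, LOCAL_PORTS))
```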
BIG DATA

• Big data refers to data that is so large, fast or complex that it’s difficult or impossible to
process using traditional methods. The act of accessing and storing large amounts of
information for analytics has been around for a long time. But the concept of big data
gained momentum in the early 2000s when industry analyst Doug Laney articulated the
now-mainstream definition of big data as the three V’s:

• Volume. Organizations collect data from a variety of sources, including transactions, smart
(IoT) devices, industrial equipment, videos, images, audio, social media and more. In the
past, storing all that data would have been too costly – but cheaper storage using data
lakes, Hadoop and the cloud have eased the burden.
• Velocity. With the growth in the Internet of Things, data streams into businesses at an
unprecedented speed and must be handled in a timely manner. RFID tags, sensors and
smart meters are driving the need to deal with these torrents of data in near-real time.
• Variety. Data comes in all types of formats – from structured, numeric data in traditional
databases to unstructured text documents, emails, videos, audios, stock ticker data and
financial transactions.
