Category Archives: Network

OpenFlow and software defined networks are here. Now what?

I just listened to a talk from Berkeley professor Scott Shenker yesterday on youtube http://www.youtube.com/watch?v=WVs7Pc99S7w that gave an excellent breakdown of SDN and he spoke of the need of the Network Operating System before SDN’s can become a reality.

When I think about it, I’m rather amazed that we haven’t created an abstraction for the network. His talk speaks about how relatively easily we’ve done this at layer 2 but how difficult it is to do at higher layers due to the non-modular design of the network stack. Applications shouldn’t be making calls to the network address but rather to the network service.

Interesting stuff. OpenFlow is a step in the right direction to creating the “BIOS” that we need. I’m especially happy that Google is at the bleeding edge of this in a production network.

Gigaom

Earlier this month I spent a few days at the Open Networking Summit in Santa Clara, Calif. and walked away certain I watched history being made in the networking industry. The emergence of the OpenFlow standard and software defined networking have been on my radar for a while, but at this event, the future coalesced.

The secret is out on SDN.

I’ve been following SDN and OpenFlow almost since its earliest days. I’ve been lucky enough to know Martin Casado since before Nicira knew what it was going to build and Guido Appenzeller of Big Switch of SDN since his days at Voltage Security. I attended the first Open Networking Summit back in October, but was floored by the scale of the April event. Attendance was up over 3x, and people from all corners of the ecosystem were there. Clearly the secret is out and it’s evident that the networking…

View original post 709 more words

VMware isn’t going to let network virtualization pass it by

I haven’t gotten excited about anything network related in a long time. Most of the changes in the last few years have been evolutionary. The idea of a programmable network is revolutionary. I think Cisco and Juniper have protection for market share on the high end but I see this as getting “good enough” sooner than latter and challenging the big guys on the low end.
I’m more excited about this from a cloud provider’s prospective. This will give providers the ability to create the same multitenant administration constructs for customer networks on commodity hardware similar to server virtualization.

Gigaom

VMware(s vmw) teamed up with Stanford and Berkeley on Tuesday to create an industry consortium around software defined networks, called the Open Networking Research Center. The company, famous for hypervisors that virtualize servers isn’t about to watch while companies attempt to build the same disruption in networking. The consortium counts CableLabs, Cisco(s csco), Ericsson, Google(s goog), Hewlett-Packard(s hpq), Huawei, Intel(s intc), Juniper(s jnpr), NEC, NTT Docomo, Texas Instruments(s txn) and VMware as its founding sponsors.

Much as server virtualization abstracts the hardware for the software that runs on it, allowing people to put different virtual machines on top of one server, virtualizing the network abstracts the cables and ports from the demands of the applications. But that’s not enough. To really achieve the flexibility that webscale and cloud companies demand, the network must be both virtualized and programmable.

The current enabler for this shift in networking is OpenFlow, a…

View original post 482 more words

Configuring VMware Workstation 8 Networking for Nested VM’s

I’ve posted more than a couple of articles on running vSphere inside of VMware Workstation.  One thing we haven’t done a deep dive is how to setup networking in the environment to do things such as vMotion, DRS and Storage.  Also, the ability to access nested VM’s from your production network.

Visit Virtualized Geek on YouTube

In this post, I’ll show how to create the sample lab in VMware Workstation 8.

Just as in a production environment we have 4 isolated networks in this configuration.

Management: This network will be used for VMkernel traffic dedicated to the management of ESXi.

iSCSI: This network is used for SAN traffic.  This can be iSCS, NFS or NAS

vMotion: Traffic is dedicated to vMotion/DRS traffic.

Production: This network is for our Virtual Machines.

To support the hardware configuration in ESXi we need to add 3 additional NIC’s to our virtual ESXi host.  Each NIC needs to be in a dedicated vmnet as shown below.

I normally assign a NAT’d IP address to my management interface.  This isn’t required but since my vCenter is normally on a NAT’d interface my Management network ends up on the same interface. Once we’ve added the NIC’s we need to configure the virtual network to support our “Production” switch.  This is done by using the Virtual Network Editor that comes with VMware Workstation 8.  The vmnet we are utilizing for the “Production” network should be in Bridge mode.  This will allow access to the nested VM’s via your physical network.

This configuration will furhter enhance your value from VMware workstation 8.  If you have enough memory this makes for a great foundation for a VDI lab to test using physical workstations.

Update 7/20/12: I’ve added a tutorial video to my YouTube channel on how to setup this entire environment.

 

Hold both a CCIE and VCP

A while back I brought the VMWare vSphere training videos from TrainSignal.  I was surprised to see the instructor had both his CCIE and VCP.

These two certifications are probably the most highly sought certifications in the IT industry.  I remember the horror stories of people trying to write the CCIE and their many failed attempts.  I even had delusions grandeur considering going for the certification myself.  I soon discovered I didn’t have the love for networking needed to commit to the certification.  It may no longer be the guaranteed meal ticket it once was but it’s still a highly sought certification.

Over the past few years, I’ve noticed a huge uptick in the number of job postings looking for a VCP.  The VCP is a difficult certification to achieve. The candidate has to take an official VMWare course which could be a minimum of a $2500 investment.   As a result many self-taught people (such as me) are filtered out from being able to sit for the exam.

I did a quick search on Theladders.com for the keywords “CCIE” and “VCP”.  I found it interesting and not at all surprising that the hiring companies for both certifications were primarily IT service providers, or telco’s in the case of the CCIE.  However, the CCIE still carries a bit of weight in the enterprise.  I saw several job posts for fortune 500/non-IT companies such as GMC and financial institutions looking for candidates with the CCIE.  It still may be a couple of years before the same can be said of the VMware certifications

I don’t know how practical it is to hold both certifications.  I believe virtualization has grown into its own category/discipline within the IT industry.  VMware even offers a CCIE like certification in the VCDX.  There are obviously some synergies between the disciplines and advantages to being certified in both.  I’ve studied and obtained Cisco certifications in the past and it takes a great deal of regular hands on experience to maintain the CCNA and CCNP let alone the CCIE and VCP.

I’m of the opinion that a combination of VCP, CCNA/CCNP and a storage certification would be more valuable and maintainable for an infrastructure engineer/architect than the combination of the CCIE and VCP.  It’s my experience that from a practical knowledge perspective an infrastructure architect doesn’t need to be an expert in all three areas (Virtualization, Disk, and Network) but rather an expert in one area and strong in the other two.  It will be a rare and undesirable situation where one person would be called upon to be the SME for all three disciplines.

This topic has made me look at my bookshelf and think about dusting off my CCNP study guides.  I’m glad that the taught has passed.

Virtual Host Security

Security is a never ending battle for us folks in the business of IT Infrastructure.  There are always new threats that we need to consider from every layer of the network.  Now that virtualization is becoming a huge part of the infrastructure, it’s a good idea to extend our security policy to include virtualization challenges.

I wanted to take a look at some of the common challenges to consider within VMware.  Specifically the VI3 platform as I’m running into this platform %90 of the places I go versus vSphere which has a completely new model and API available for securing your virtual environment.  I will take a separate look at Hyper-V, XenServer and vSphere at a later date.  Since VI3 is so prevalent it’s the audience that I believe I could touch the most.  It’s important to note that these principles could apply to the other platforms as well.

So, what are the security challenges with hypervisors?  Out of the box the kernel and consol are pretty secure.  There aren’t a lot of services that could be exploited running by default.  There’s a firewall enabled by default.  And communication is over SSH and SSL.  These are all things we should expect but here are three areas of concern.

Guest OS

One of the first area’s to look at would be the guest OS and services.  The vulnerabilities of the guest OS could easily become the not so obvious vulnerabilities of the hypervisor.  I’m not going to pick on any one operating system as things issues are common amongst all OS’s that provide services.  One thing to really consider is DoS attacks against the VMware host through a subject able guest OS or service.

An attacker could direct a DoS at a service running on one guest OS which could affect the performance of the physical hardware.  This in turn could affect other guest operating systems.  This is why it’s important to have system monitoring in place for your hardware and applications.   This is where tools like vMotion could really pay for themselves as you can isolate servers that are experiencing high utilization or suspicious activity.

Network Isolation

It’s extremely important to fully plan out your virtual network and physical network layout and the access lists governing control between the two.  It’s been my experience that the team that manages the virtual switches and the team that manages the physical network are two separate teams.  I personally think that this is a mistake.

I have experience as both a Network Engineer and a Server Administrator and have a strong understanding of routing, switching and access control.  This is a critical skill when dealing with an extremely large virtual environment.  I find that when I wear both hats I have conflicting agendas.  The network engineer in me wants to think security first but the server administrator wants the course of least resistance.

This leads to shortcuts and poking holes in VLAN configurations by using static routes between Virtual Machines on different network segments.  These shortcuts are normally undocumented and come to bite us in the rear sometime in the future when we least expect it.  Worst case hopefully its internal audit doing a review of controls and not some bad guy taking advantage of our laziness.

Virtual Center Clients

This is an area that we may not give much thought to because the list of people allowed to access the console is limited.  But it’s this area that we need to pay a great deal of attention.  I’m very reluctant to give access to the Virtual Center Console to Jr. Level Administrators.  Even when configured correctly by restricting rights to virtual machines through Directory Services it’s important to realize how big of a security risk it is giving access to someone who doesn’t have the appropriate training in Virtualization or even security.

This is an area that can lead to a great deal of damage if an administrator is lacks about securing their desktop.  This is why it’s also importing to have the appropriate level of logging configured to re-enforce the security policy with accountability.

There are plenty of other area’s to look at like iSCSI security, Storage Network and device level challenges.  I’ve provided a few links at the end where you can get much more detail on securing you virtual environment.

Useful Links

I found these useful links that give more detail in securing your virtual environment.

VMware Harding VI3

http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf

VMware vSphere Hardening Guide

http://communities.vmware.com/docs/DOC-12306

Keith Townsend

Why No True Network Virtualization

So, I want to talk about network virtualization from another angle.  We know that with VMware you can create virtual switches and even outsource the process to the Cisco Nexus product line.  I think this should actually go farther out to include chassis virtualization. 

I worked for a pretty big hosting provider for a very short period of time and one of the issues we ran into was multi-tenancy.  For a smaller enterprise data center multi-tenancy isn’t too big of an issue that VRF and the like or even multiple chassis wouldn’t solve.  But for larger data centers this becomes an issue.  There are a couple of issues to address from physical space consideration to management and cable plant issues.

There are many instances where both internal and external customers would like the peace of mind that comes with virtualized hardware on the network side of the equation.  A good example would be a customized solution for a single customer or a set of customers in a shared cabling plant.

Today if you want to create this type of environment in the Cisco IOS world you’d do it via ACL’s, Route Reflectors and etc…  Why not just create a virtualized switch inside of the chassis?  A completely separate instance of the IOS to just simplify the whole configuration.  It would allow you to assign separate security settings for each instance.  I don’t know something like what Extreme has been doing for the past few years http://tinyurl.com/vojus.

I figured if Cisco can create a server with 512GB of RAM they could be able to virtualize their core offering – IOS.

I don’t think this is too farfetched of a request.  I like to play around with GNS3 located at www.gns3.net.  It’s a great little tool that is actually a hypervisor for Cisco IOS on Wintel platforms.  It’s not meant for production but technically there’s nothing stopping you from using it to do some really cool stuff in a lab.  You can map physical or virtual interfaces (think VMware workstation) to the logical Ethernet ports of the virtual routers.  You could in theory create a virtual DC of VMware servers on a single workstation running a virtual MPLS end node.  Connect that to another workstation running another virtual DC and MPLS node and have you a nice MPLS cloud running on one or both workstation.  If you have a beefy enough machine it could all run on one workstation.  If Cisco sends me one of those blade deals, I’d be more than happy to let you know how well it works.

My biggest complaint about the product is that you can’t virtualize Cisco switches.  You can do routers on a stick because you can still associate a physical NIC on your workstation to one connected to a Cisco Switch.  I’ve found it an invaluable tool for creating lab and test scenario’s.