Tuesday, February 17, 2009

Campus Architecture – Network Virtualization

Virtualization is the buzzword of the moment because of its great and immediate impact on operational costs: it reduces the equipment footprint, real estate requirements, energy consumption, and administrative burden of systems. It is definitely a straightforward concept to grasp. What is not so simple to understand is how to extrapolate that concept to a network infrastructure, unified communications services, and other IT elements that are not just servers.

For example, LAN virtualization solutions address three important aspects of network virtualization: LAN virtualization, path isolation, and services edge.

First, LAN virtualization lets access control recognize and classify legitimate users and devices, and authorize them to enter assigned portions of the network. It provides secure, customized access for individuals and groups to protect the enterprise LAN from external threats. Complementary features include port authentication using standards such as IEEE 802.1X, for strong connections between authorized users and VPNs, and Network Admission Control (NAC), which minimizes security risk by removing viruses, worms, and other harmful traffic before it reaches the distribution or core layers.

Second, path isolation maps validated users or devices to the correct secure set of available resources (a virtual private network, or VPN). These solutions use a mix of Layer 2 and Layer 3 technologies to best address LAN virtualization for typical LAN designs. There are three different path isolation solutions: (1) Generic Routing Encapsulation (GRE) tunnels create closed user groups on the enterprise LAN, for example to allow guest access to the Internet while preventing access to internal resources. (2) Virtual Routing and Forwarding Lite (VRF-lite), also called Multi-VRF Customer Edge, is a lightweight version of MPLS that allows network managers to use a single routing device to support multiple virtual routers. (3) MPLS VPNs also partition a campus network into closed user groups. Previously, MPLS was not widely deployed in enterprise networks because LAN switches did not support it, but that support is now available.

Third, the services edge provides access to services for a legitimate set or sets of users and devices by using centralized policy enforcement. The objective of centralizing policy enforcement is to minimize capital and operational expenses, share service modules across all partitions of the network, and accelerate the deployment of policies and services across the whole network.
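As an added illustration (not part of the original post, and not a vendor configuration), the following Python model ties the three pillars above together: an authentication outcome places a port in a partition, a VRF-lite style device keeps one routing table per partition so that a lookup from the guest VLAN never reaches internal prefixes, and a single services-edge policy point is shared by all partitions. Every VRF name, VLAN, address, group and policy value is constructed for the example.

```python
"""Model of access control, VRF-lite path isolation and a shared services edge.
Added illustration with constructed names and addresses; not a real device."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# --- 1. Access control: authentication outcome -> access VLAN (constructed) ---
# A hypothetical 802.1X/NAC result decides which partition a port joins.
GROUP_VLAN = {"employee": "Vlan20", "contractor": "Vlan20"}
GUEST_VLAN = "Vlan10"  # unauthenticated or unknown identities land here


def assign_vlan(authenticated: bool, group: Optional[str]) -> str:
    """Place the port in the partition the user is entitled to; default to guest."""
    if authenticated and group in GROUP_VLAN:
        return GROUP_VLAN[group]
    return GUEST_VLAN


# --- 2. Path isolation: one device, several independent routing tables -------
@dataclass
class Vrf:
    name: str
    routes: list = field(default_factory=list)  # (IPv4Network, next_hop)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match confined to this VRF's own table."""
        addr = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if addr in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class VrfLiteDevice:
    """A single router holding several virtual routers (VRF-lite)."""

    def __init__(self) -> None:
        self.vrfs: dict = {}
        self.iface_vrf: dict = {}  # interface name -> VRF name

    def define_vrf(self, name: str) -> Vrf:
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind_interface(self, iface: str, vrf_name: str) -> None:
        self.iface_vrf[iface] = vrf_name

    def forward(self, ingress_iface: str, dst: str) -> Optional[str]:
        """A packet is looked up only in the VRF of the interface it arrived on."""
        return self.vrfs[self.iface_vrf[ingress_iface]].lookup(dst)


# --- 3. Services edge: one central policy point shared by all partitions -----
INTERNAL = [ipaddress.ip_network(p)
            for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EDGE_POLICY = {"GUEST": "internet-only", "EMPLOYEE": "full"}  # constructed


def services_edge_permits(vrf_name: str, dst: str) -> bool:
    """Apply the partition's policy at the shared edge; unknown partitions are denied."""
    addr = ipaddress.ip_address(dst)
    policy = EDGE_POLICY.get(vrf_name)
    if policy == "full":
        return True
    if policy == "internet-only":
        return not any(addr in net for net in INTERNAL)
    return False


def build_demo_device() -> VrfLiteDevice:
    """Two partitions on one device; the guest table black-holes internal space."""
    dev = VrfLiteDevice()
    guest = dev.define_vrf("GUEST")
    guest.add_route("10.10.0.0/24", "Vlan10")     # connected guest subnet
    guest.add_route("10.0.0.0/8", "Null0")        # internal space is dropped
    guest.add_route("0.0.0.0/0", "192.0.2.1")     # Internet edge only
    emp = dev.define_vrf("EMPLOYEE")
    emp.add_route("10.20.0.0/24", "Vlan20")       # connected employee subnet
    emp.add_route("10.0.0.0/8", "10.20.0.254")    # internal core
    emp.add_route("0.0.0.0/0", "192.0.2.1")
    dev.bind_interface("Vlan10", "GUEST")
    dev.bind_interface("Vlan20", "EMPLOYEE")
    return dev


if __name__ == "__main__":
    dev = build_demo_device()
    for who, ok, grp in (("guest", False, None), ("staff", True, "employee")):
        port = assign_vlan(ok, grp)
        for dst in ("10.1.1.5", "198.51.100.7"):
            vrf = dev.iface_vrf[port]
            print(who, port, dst, "->", dev.forward(port, dst),
                  "edge permits:", services_edge_permits(vrf, dst))
```

The same destination, 10.1.1.5, resolves to a next hop in the EMPLOYEE table and to Null0 in the GUEST table, which is the forwarding-level meaning of "closed user groups": the two partitions share hardware but not routing state. The services-edge check is a second, independent layer, so a routing mistake in one VRF does not by itself grant guests access to internal services.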
