| < draft-ietf-nvo3-use-case-02.txt | draft-ietf-nvo3-use-case-03.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 13 ¶ | skipping to change at page 1, line 13 ¶ | |||
| Internet Draft Huawei | Internet Draft Huawei | |||
| Category: Informational M. Toy | Category: Informational M. Toy | |||
| Comcast | Comcast | |||
| A. Isaac | A. Isaac | |||
| Bloomberg | Bloomberg | |||
| V. Manral | V. Manral | |||
| Hewlett-Packard | Hewlett-Packard | |||
| L. Dunbar | L. Dunbar | |||
| Huawei | Huawei | |||
| Expires: January 2014 July 11, 2013 | Expires: July 2014 January 8, 2014 | |||
| Use Cases for DC Network Virtualization Overlays | Use Cases for DC Network Virtualization Overlays | |||
| draft-ietf-nvo3-use-case-02 | draft-ietf-nvo3-use-case-03 | |||
| Abstract | Abstract | |||
| This document describes the DC Network Virtualization (NVO3) use | This document describes DC Network Virtualization (NVO3) use cases | |||
| cases that may be potentially deployed in various data centers and | that may be potentially deployed in various data centers and apply | |||
| apply to different applications. | to different applications. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with | This Internet-Draft is submitted to IETF in full conformance with | |||
| the provisions of BCP 78 and BCP 79. | the provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| months and may be updated, replaced, or obsoleted by other documents | months and may be updated, replaced, or obsoleted by other documents | |||
| at any time. It is inappropriate to use Internet-Drafts as reference | at any time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January, 2014. | This Internet-Draft will expire on July, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with | carefully, as they describe your rights and restrictions with | |||
| respect to this document. Code Components extracted from this | respect to this document. Code Components extracted from this | |||
| document must include Simplified BSD License text as described in | document must include Simplified BSD License text as described in | |||
| Section 4.e of the Trust Legal Provisions and are provided without | Section 4.e of the Trust Legal Provisions and are provided without | |||
| warranty as described in the Simplified BSD License. | warranty as described in the Simplified BSD License. | |||
| Conventions used in this document | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||||
| document are to be interpreted as described in RFC-2119 [RFC2119]. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction...................................................3 | 1. Introduction...................................................3 | |||
| 1.1. Contributors..............................................4 | 1.1. Contributors..............................................4 | |||
| 1.2. Terminology...............................................4 | 1.2. Terminology...............................................4 | |||
| 2. Basic Virtual Networks in a Data Center........................4 | 2. Basic Virtual Networks in a Data Center........................5 | |||
| 3. Interconnecting DC Virtual Network and External Networks.......6 | 3. Interconnecting DC Virtual Network and External Networks.......6 | |||
| 3.1. DC Virtual Network Access via Internet....................6 | 3.1. DC Virtual Network Access via Internet....................6 | |||
| 3.2. DC VN and Enterprise Sites interconnected via SP WAN......7 | 3.2. DC VN and Enterprise Sites interconnected via SP WAN......7 | |||
| 4. DC Applications Using NVO3.....................................8 | 4. DC Applications Using NVO3.....................................9 | |||
| 4.1. Supporting Multi Technologies and Applications in a DC....9 | 4.1. Supporting Multi Technologies and Applications in a DC....9 | |||
| 4.2. Tenant Network with Multi-Subnets or across multi DCs.....9 | 4.2. Tenant Network with Multi-Subnets or across multi DCs.....9 | |||
| 4.3. Virtual Data Center (vDC)................................11 | 4.3. Virtualized Data Center (vDC)............................11 | |||
| 5. OAM Considerations............................................12 | 5. OAM Considerations............................................13 | |||
| 6. Summary.......................................................13 | 6. Summary.......................................................13 | |||
| 7. Security Considerations.......................................14 | 7. Security Considerations.......................................14 | |||
| 8. IANA Considerations...........................................14 | 8. IANA Considerations...........................................14 | |||
| 9. Acknowledgements..............................................14 | 9. Acknowledgements..............................................14 | |||
| 10. References...................................................14 | 10. References...................................................14 | |||
| 10.1. Normative References....................................14 | 10.1. Normative References....................................14 | |||
| 10.2. Informative References..................................15 | 10.2. Informative References..................................15 | |||
| Authors' Addresses...............................................15 | Authors' Addresses...............................................15 | |||
| 1. Introduction | 1. Introduction | |||
| Server Virtualization has changed IT industry in terms of efficiency, | Server Virtualization has changed IT industry in terms of efficiency, | |||
| cost, and the speed in providing a new applications and/or services. | cost, and the speed in providing a new applications and/or services. | |||
| However the problems in today's data center networks hinder the | However, today's data center networks have limited support for cloud | |||
| support of cloud applications and multi tenant networks [NVO3PRBM]. | applications and multi tenant networks.[NVO3PRBM] The goal of DC | |||
| The goal of DC Network Virtualization Overlays, i.e. NVO3, is to | Network Virtualization Overlays, i.e. NVO3, is to decouple the | |||
| decouple the communication among tenant systems from DC physical | communication among tenant systems from DC physical networks and to | |||
| networks and to allow one physical network infrastructure to provide: | allow one physical network infrastructure to provide: 1) multi- | |||
| 1) traffic isolation among tenant virtual networks over the same | tenant virtual networks and traffic isolation among the virtual | |||
| physical network; 2) independent address space in each virtual | networks over the same physical network; 2) independent address | |||
| network and address isolation from the infrastructure's; 3) Flexible | spaces in individual virtual networks such as MAC, IP, TCP/UDP etc; | |||
| VM placement and move from one server to another without VM address | 3) Flexible VM placement including the ability to move from one | |||
| and configuration change. These characteristics will help address | server to another without requiring VM address and configuration | |||
| the issues in today's cloud applications [NVO3PRBM]. | change and the ability doing a hot move in which no disruption to | |||
| the live application on the VM. These characteristics will help | ||||
| address the issues in today's cloud applications [NVO3PRBM]. | ||||
| Although NVO3 enables a true network virtualization environment, the | Although NVO3 enables a true network virtualization environment, the | |||
| NVO3 solution has to address the communication between a virtual | NVO3 solution has to address the communication between a virtual | |||
| network and a physical network. This is because 1) many DCs that | network and a physical network. This is because 1) many DCs that | |||
| need to provide network virtualization are currently running over | need to provide network virtualization are currently running over | |||
| physical networks, the migration will be in steps; 2) a lot of DC | physical networks, the migration will be in steps; 2) a lot of DC | |||
| applications are served to Internet users which run directly on | applications are served to Internet users which run directly on | |||
| physical networks; 3) some applications are CPU bound like Big Data | physical networks; 3) some applications are CPU bound like Big Data | |||
| analytics and may not need the virtualization capability. | analytics and may not need the virtualization capability. | |||
| skipping to change at page 3, line 50 ¶ | skipping to change at page 4, line 8 ¶ | |||
| o DC virtual network access from external. A DC provider offers a | o DC virtual network access from external. A DC provider offers a | |||
| secure DC service to an enterprise customer and/or Internet users. | secure DC service to an enterprise customer and/or Internet users. | |||
| An enterprise customer may use a traditional VPN provided by a | An enterprise customer may use a traditional VPN provided by a | |||
| carrier or an IPsec tunnel over Internet connecting to a virtual | carrier or an IPsec tunnel over Internet connecting to a virtual | |||
| network within a provider DC site. This mainly constitutes DC | network within a provider DC site. This mainly constitutes DC | |||
| North-South traffic. | North-South traffic. | |||
| o DC applications or services that may use NVO3. Three scenarios | o DC applications or services that may use NVO3. Three scenarios | |||
| are described: 1) use NVO3 and other network technologies to | are described: 1) use NVO3 and other network technologies to | |||
| build a tenant network; 2) construct several virtual networks as | build a tenant network; 2) construct several virtual networks as | |||
| a tenant network; 3) apply NVO3 to a virtual DC (vDC) service. | a tenant network; 3) apply NVO3 to a virtualized DC (vDC). | |||
| The document uses the architecture reference model defined in | The document uses the architecture reference model defined in | |||
| [NVO3FRWK] to describe the use cases. | [NVO3FRWK] to describe the use cases. | |||
| 1.1. Contributors | 1.1. Contributors | |||
| Vinay Bannai | Vinay Bannai | |||
| PayPal | PayPal | |||
| 2211 N. First St, | 2211 N. First St, | |||
| San Jose, CA 95131 | San Jose, CA 95131 | |||
| skipping to change at page 4, line 47 ¶ | skipping to change at page 5, line 8 ¶ | |||
| NAT: Network Address Translation | NAT: Network Address Translation | |||
| VIRB: Virtual Integrated Routing/Bridging | VIRB: Virtual Integrated Routing/Bridging | |||
| Note that a virtual network in this document is an overlay virtual | Note that a virtual network in this document is an overlay virtual | |||
| network instance. | network instance. | |||
| 2. Basic Virtual Networks in a Data Center | 2. Basic Virtual Networks in a Data Center | |||
| A virtual network may exist within a DC. The network enables a | A virtual network may exist within a DC. The network enables a | |||
| communication among Tenant Systems (TSs) that are in a Closed User | communication among Tenant Systems (TS). A TS may be a physical | |||
| Group (CUG). A TS may be a physical server/device or a virtual | server/device or a virtual machine (VM) on a server. A network | |||
| machine (VM) on a server. The network virtual edge (NVE) may co- | virtual edge (NVE) may be co-located with a TS, i.e. on a same end- | |||
| exist with Tenant Systems, i.e. on a same end-device, or exist on a | device, or reside on a different device, e.g. a top of rack switch | |||
| different device, e.g. a top of rack switch (ToR). A virtual network | (ToR). A virtual network has a unique virtual network identifier | |||
| has a unique virtual network identifier (may be local or global | (may be local or global unique) for an NVE to properly differentiate | |||
| unique) for an NVE to properly differentiate it from other virtual | it from other virtual networks. | |||
| networks. | ||||
| The TSs attached to the same NVE may belong to the same or different | Tenant Systems attached to the same NVE may belong to the same or | |||
| virtual network. The multiple CUGs can be constructed in a way so | different virtual network. The multiple virtual networks can be | |||
| that the policies are enforced when the TSs in one CUG communicate | constructed in a way so that the policies are enforced when the TSs | |||
| with the TSs in other CUGs. An NVE provides the reachbility for | in one virtual network communicate with the TSs in other virtual | |||
| Tenant Systems in a CUG, and may also have the policies and provide | networks. An NVE provides tenant traffic forwarding/encapsulation | |||
| the reachbility for Tenant Systems in different CUGs (See section | and obtains tenant systems reachability information from Network | |||
| 4.2). Furthermore in a DC operators may construct many tenant | Virtualization Authority (NVA)[NVO3ARCH]. Furthermore in a DC | |||
| networks that have no communication in between at all. In this case, | operators may construct many tenant networks that have no | |||
| each tenant network may use its own address space. One tenant | communication in between at all. In this case, each tenant network | |||
| may use its own address spaces such as MAC and IP. One tenant | ||||
| network may have one or more virtual networks. | network may have one or more virtual networks. | |||
| A Tenant System may also be configured with multiple addresses and | A Tenant System may also be configured with one or multiple | |||
| participate in multiple virtual networks, i.e. use different address | addresses and participate in multiple virtual networks, i.e. use the | |||
| in different virtual networks. For examples, a TS may be a NAT GW; | same or different address in different virtual networks. For | |||
| or a firewall for multiple CUGs. | examples, a TS may be a NAT GW or a firewall and connect to more | |||
| than one virtual network. | ||||
| Network Virtualization Overlay in this context means that a virtual | Network Virtualization Overlay in this context means that a virtual | |||
| network is implemented in overlay, i.e. traffic from an NVE to | network is implemented with an overlay technology, i.e. traffic from | |||
| another is sent via a tunnel.[NVO3FMWK] This architecture decouples | an NVE to another is sent via a tunnel between a pair of | |||
| tenant system address scheme and configuration from the | NVEs.[NVO3FRWK] This architecture decouples tenant system address | |||
| infrastructure's, which brings a great flexibility for VM placement | scheme and configuration from the infrastructure's, which brings a | |||
| and mobility. This also makes the transit nodes in the | great flexibility for VM placement and mobility. This also makes the | |||
| infrastructure not aware of the existence of the virtual networks. | transit nodes in the infrastructure not aware of the existence of | |||
| One tunnel may carry the traffic belonging to different virtual | the virtual networks. One tunnel may carry the traffic belonging to | |||
| networks; a virtual network identifier is used for traffic | different virtual networks; a virtual network identifier is used for | |||
| demultiplexing. | traffic demultiplexing. | |||
| A virtual network may be an L2 or L3 domain. The TSs attached to an | A virtual network may be an L2 or L3 domain. The TSs attached to an | |||
| NVE may belong to different virtual networks that may be in L2 or | NVE may belong to different virtual networks that may be in L2 or | |||
| L3. A virtual network may carry unicast traffic and/or | L3. A virtual network may carry unicast traffic and/or | |||
| broadcast/multicast/unknown traffic from/to tenant systems. There | broadcast/multicast/unknown traffic from/to tenant systems. There | |||
| are several ways to transport BUM traffic.[NVO3MCAST] | are several ways to transport BUM traffic.[NVO3MCAST] | |||
| It is worth to mention two distinct cases here. The first is that | It is worth to mention two distinct cases here. The first is that | |||
| TSs and NVE are co-located on a same end device, which means that | TSs and NVE are co-located on a same end device, which means that | |||
| the NVE can be made aware of the TS state at any time via internal | the NVE can be made aware of the TS state at any time via internal | |||
| API. The second is that TSs and NVE are remotely connected, i.e. | API. The second is that TSs and NVE are remotely connected, i.e. | |||
| connected via a switched network or point-to-point link. In this | connected via a switched network or point-to-point link. In this | |||
| case, a protocol is necessary for NVE to know TS state. | case, a protocol is necessary for NVE to know TS state. | |||
| One virtual network may connect many TSes that attach to many | One virtual network may connect many TSs that attach to many | |||
| different NVEs. TS dynamic placement and mobility results in | different NVEs. TS dynamic placement and mobility results in | |||
| frequent changes in the TS and NVE bindings. The TS reachbility | frequent changes in the TS and NVE bindings. The TS reachbility | |||
| update mechanism need be fast enough to not cause any service | update mechanism need be fast enough to not cause any service | |||
| interruption. The capability of supporting many TSs in a virtual | interruption. The capability of supporting many TSs in a virtual | |||
| network and many more virtual networks in a DC is critical for NVO3 | network and many more virtual networks in a DC is critical for NVO3 | |||
| solution. | solution. | |||
| If a virtual network spans across multiple DC sites, one design is | If a virtual network spans across multiple DC sites, one design is | |||
| to allow the network seamlessly to span across the sites without DC | to allow the network seamlessly to span across the sites without DC | |||
| gateway routers' termination. In this case, the tunnel between a | gateway routers' termination. In this case, the tunnel between a | |||
| skipping to change at page 7, line 42 ¶ | skipping to change at page 8, line 6 ¶ | |||
| An enterprise company may lease the VM and storage resources hosted | An enterprise company may lease the VM and storage resources hosted | |||
| in the 3rd party DC to run its applications. For example, the rd company may run its web applications at 3 party sites but run | in the 3rd party DC to run its applications. For example, the rd company may run its web applications at 3 party sites but run | |||
| backend applications in own DCs. The Web applications and backend rd applications need to communicate privately. The 3 party DC may | backend applications in own DCs. The Web applications and backend rd applications need to communicate privately. The 3 party DC may | |||
| construct one or more virtual networks to connect all VMs and | construct one or more virtual networks to connect all VMs and | |||
| storage running the Enterprise Web applications. The company may buy | storage running the Enterprise Web applications. The company may buy | |||
| a p2p private tunnel such as VPWS from a SP to interconnect its site | a p2p private tunnel such as VPWS from a SP to interconnect its site | |||
| and the virtual network at the 3rd party site. A protocol is | and the virtual network at the 3rd party site. A protocol is | |||
| necessary for exchanging the reachability between two peering points | necessary for exchanging the reachability between two peering points | |||
| and the traffic are carried over the tunnel. If an enterprise has | and the traffic are carried over the tunnel. If an enterprise has | |||
| multiple sites, it may buy multiple p2p tunnels to form a mesh rd interconnection among the sites and the 3 party site. This requires | multiple sites, it may buy multiple p2p tunnels to form a mesh | |||
| each site peering with all other sites for route distribution. | interconnection among the sites and the third party site. This | |||
| requires each site peering with all other sites for route | ||||
| distribution. | ||||
| Another way to achieve multi-site interconnection is to use Service | Another way to achieve multi-site interconnection is to use Service | |||
| Provider (SP) VPN services, in which each site only peers with SP PE | Provider (SP) VPN services, in which each site only peers with SP PE | |||
| site. A DC Provider and VPN SP may build a DC virtual network (VN) | site. A DC Provider and VPN SP may build a DC virtual network (VN) | |||
| and VPN independently. The VPN interconnects several enterprise | and VPN independently. The VPN interconnects several enterprise | |||
| sites and the DC virtual network at DC site, i.e. VPN site. The DC | sites and the DC virtual network at DC site, i.e. VPN site. The DC | |||
| VN and SP VPN interconnect via a local link or a tunnel. The control | VN and SP VPN interconnect via a local link or a tunnel. The control | |||
| plan interconnection options are described in RFC4364 [RFC4364]. In | plan interconnection options are described in RFC4364 [RFC4364]. In | |||
| Option A with VRF-LITE [VRF-LITE], both DC GW and SP PE maintain a | Option A with VRF-LITE [VRF-LITE], both DC GW and SP PE maintain a | |||
| routing/forwarding table, and perform the table lookup in forwarding. | routing/forwarding table, and perform the table lookup in forwarding. | |||
| skipping to change at page 9, line 35 ¶ | skipping to change at page 9, line 42 ¶ | |||
| encapsulation/decapsulation and may also perform address mapping or | encapsulation/decapsulation and may also perform address mapping or | |||
| translation, and etc. | translation, and etc. | |||
| A data center may be also constructed with multi-tier zones. Each | A data center may be also constructed with multi-tier zones. Each | |||
| zone has different access permissions and run different applications. | zone has different access permissions and run different applications. | |||
| For example, the three-tier zone design has a front zone (Web tier) | For example, the three-tier zone design has a front zone (Web tier) | |||
| with Web applications, a mid zone (application tier) with service | with Web applications, a mid zone (application tier) with service | |||
| applications such as payment and booking, and a back zone (database | applications such as payment and booking, and a back zone (database | |||
| tier) with Data. External users are only able to communicate with | tier) with Data. External users are only able to communicate with | |||
| the Web application in the front zone. In this case, the | the Web application in the front zone. In this case, the | |||
| communication between the zones MUST pass through the security | communication between the zones must pass through the security | |||
| GW/firewall. One virtual network may be configured in each zone and | GW/firewall. One virtual network may be configured in each zone and | |||
| a GW is used to interconnect two virtual networks. If individual | a GW is used to interconnect two virtual networks. If individual | |||
| zones use the different implementations, the GW needs to support | zones use the different implementations, the GW needs to support | |||
| these implementations as well. | these implementations as well. | |||
| 4.2. Tenant Network with Multi-Subnets or across multi DCs | 4.2. Tenant Network with Multi-Subnets or across multi DCs | |||
| A tenant network may contain multiple subnets. The DC physical | A tenant network may contain multiple subnets. The DC physical | |||
| network needs support the connectivity for many tenant networks. The | network needs support the connectivity for many tenant networks. The | |||
| inter-subnets policies may be placed at some designated gateway | inter-subnets policies may be placed at some designated gateway | |||
| skipping to change at page 10, line 32 ¶ | skipping to change at page 10, line 38 ¶ | |||
| Bridging (VIRB) is used between L2VNI and L3VNI on NVE5 and NVE6, | Bridging (VIRB) is used between L2VNI and L3VNI on NVE5 and NVE6, | |||
| respectively. The L2VNI is the MAC/NVE mapping table and the L3VNI | respectively. The L2VNI is the MAC/NVE mapping table and the L3VNI | |||
| is the IP prefix/NVE mapping table. A packet to the NVE5 from L2VNa | is the IP prefix/NVE mapping table. A packet to the NVE5 from L2VNa | |||
| will be decapsulated and converted into an IP packet and then | will be decapsulated and converted into an IP packet and then | |||
| encapsulated and sent to the site Z. The policies can be checked at | encapsulated and sent to the site Z. The policies can be checked at | |||
| VIRB. | VIRB. | |||
| Note that the L2VNa, L2VNz, and L3VNx in Figure 2 are overlay | Note that the L2VNa, L2VNz, and L3VNx in Figure 2 are overlay | |||
| virtual networks. | virtual networks. | |||
| NVE5/DCGW+------------+ +-----------+NVE6/DCGW | NVE5/DCGW+------------+ +-----------+ NVE6/DCGW | |||
| | +-----+ | '''''''''''''''' | +-----+ | | | +-----+ | '''''''''''''''' | +-----+ | | |||
| | |L3VNI+----+' L3VNx '+---+L3VNI| | | | |L3VNI+----+' L3VNx '+---+L3VNI| | | |||
| | +--+--+ | '''''''''''''''' | +--+--+ | | | +--+--+ | '''''''''''''''' | +--+--+ | | |||
| | |VIRB | | VIRB| | | | |VIRB | | VIRB| | | |||
| | +--+---+ | | +---+--+ | | | +--+---+ | | +---+--+ | | |||
| | |L2VNIs| | | |L2VNIs| | | | |L2VNIs| | | |L2VNIs| | | |||
| | +--+---+ | | +---+--+ | | | +--+---+ | | +---+--+ | | |||
| +----+-------+ +------+----+ | +----+-------+ +------+----+ | |||
| ''''|'''''''''' ''''''|''''''' | ''''|'''''''''' ''''''|''''''' | |||
| ' L2VNa ' ' L2VNz ' | ' L2VNa ' ' L2VNz ' | |||
| skipping to change at page 11, line 12 ¶ | skipping to change at page 11, line 17 ¶ | |||
| | ++---++ | | ++---++ | | ++---++ | | ++---++ | | | ++---++ | | ++---++ | | ++---++ | | ++---++ | | |||
| +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ | +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ | |||
| |...| |...| |...| |...| | |...| |...| |...| |...| | |||
| Tenant Systems Tenant Systems | Tenant Systems Tenant Systems | |||
| DC Site A DC Site Z | DC Site A DC Site Z | |||
| Figure 2 Tenant Virtual Network with Bridging/Routing | Figure 2 Tenant Virtual Network with Bridging/Routing | |||
| 4.3. Virtual Data Center (vDC) | 4.3. Virtualized Data Center (vDC) | |||
| Enterprise DC's today may deploy routers, switches, and network | Enterprise DC's today may deploy routers, switches, and network | |||
| appliance devices to construct its internal network, DMZ, and | appliance devices to construct its internal network, DMZ, and | |||
| external network access and have many servers and storage running | external network access and have many servers and storage running | |||
| various applications. A DC Provider may offer a virtual DC service | various applications. A DC Provider may construct a virtualized DC | |||
| to enterprise customers. A vDC provides the same capability as a | over its DC infrastructure and offer a virtual DC service to | |||
| enterprise customers. A vDC provides the same capability as a | ||||
| physical DC. A customer manages what and how applications to run in | physical DC. A customer manages what and how applications to run in | |||
| the vDC. Instead of using many hardware devices to do it, with the | the vDC. Instead of using many hardware devices to do it, with the | |||
| network virtualization overlay technology, DC operators may build | network virtualization overlay technology, DC operators may build | |||
| such vDCs on top of a common DC infrastructure for many such | such vDCs on top of a common DC infrastructure for many such | |||
| customers and run network service application per vDC. The network | customers and offer network service functions to a vDC. The network | |||
| service applications may include firewall, DNS, load balancer, | service functions may include firewall, DNS, load balancer, gateway, | |||
| gateway, etc. The network virtualization overlay further enables | etc. The network virtualization overlay further enables potential | |||
| potential for vDC mobility when a customer moves to different | for vDC mobility when a customer moves to different locations | |||
| locations because vDC configuration is decouple from the | because vDC configuration is decouple from the infrastructure | |||
| infrastructure network. | network. | |||
| Figure 3 below illustrates one scenario. For the simple | Figure 3 below illustrates one scenario. For the simple | |||
| illustration, it only shows the L3 VN or L2 VN as virtual routers or | illustration, it only shows the L3 VN or L2 VN as virtual routers or | |||
| switches. In this case, DC operators create several L2 VNs (L2VNx, | switches. In this case, DC operators create several L2 VNs (L2VNx, | |||
| L2VNy, L2VNz) in Figure 3 to group the tenant systems together per | L2VNy, L2VNz) in Figure 3 to group the tenant systems together per | |||
| application basis, create one L3 VN, e.g. VNa for the internal | application basis, create one L3 VN, e.g. VNa for the internal | |||
| routing. A net device (may be a VM or server) runs firewall/gateway | routing. A net device (may be a VM or server) runs firewall/gateway | |||
| applications and connects to the L3VNa and Internet. A load balancer | applications and connects to the L3VNa and Internet. A load balancer | |||
| (LB) is used in L2 VNx. A VPWS p2p tunnel is also built between the | (LB) is used in L2 VNx. A VPWS p2p tunnel is also built between the | |||
| gateway and enterprise router. Enterprise customer runs | gateway and enterprise router. Enterprise customer runs | |||
| skipping to change at page 12, line 10 ¶ | skipping to change at page 12, line 16 ¶ | |||
| only and which by both intranet and extranet and configures the | only and which by both intranet and extranet and configures the | |||
| proper security policy and gateway function. Furthermore a customer | proper security policy and gateway function. Furthermore a customer | |||
| may want multi-zones in a vDC for the security and/or set different | may want multi-zones in a vDC for the security and/or set different | |||
| QoS levels for the different applications. | QoS levels for the different applications. | |||
| This use case requires the NVO3 solution to provide the DC operator | This use case requires the NVO3 solution to provide the DC operator | |||
| an easy way to create a VN and NVEs for any design and to quickly | an easy way to create a VN and NVEs for any design and to quickly | |||
| assign TSs to VNIs on a NVE they attach to, easily to set up virtual | assign TSs to VNIs on a NVE they attach to, easily to set up virtual | |||
| topology and place or configure policies on an NVE or VMs that run | topology and place or configure policies on an NVE or VMs that run | |||
| net services, and support VM mobility. Furthermore a DC operator | net services, and support VM mobility. Furthermore a DC operator | |||
| and/or customer should be able to view the tenant network topology | and/or customer should be able to view the vDC topology and access | |||
| and configure the tenant network functions. DC provider may further | individual virtual components in the vDC. Either DC provider or | |||
| let a tenant to manage the vDC itself. | tenant can provision virtual components in the vDC. It is desirable | |||
| to automate the provisioning process and have programmability. | ||||
| Internet ^ Internet | Internet ^ Internet | |||
| | | | | |||
| ^ +--+---+ | ^ +--+---+ | |||
| | | GW | | | | GW | | |||
| | +--+---+ | | +--+---+ | |||
| | | | | | | |||
| +-------+--------+ +--+---+ | +-------+--------+ +--+---+ | |||
| |FireWall/Gateway+--- VPN-----+router| | |Firewall/Gateway+--- VPN-----+router| | |||
| +-------+--------+ +-+--+-+ | +-------+--------+ +-+--+-+ | |||
| | | | | | | | | |||
| ...+.... |..| | ...+.... |..| | |||
| +-------: L3 VNa :---------+ LANs | +-------: L3 VNa :---------+ LANs | |||
| +-+-+ ........ | | +-+-+ ........ | | |||
| |LB | | | Enterprise Site | |LB | | | Enterprise Site | |||
| +-+-+ | | | +-+-+ | | | |||
| ...+... ...+... ...+... | ...+... ...+... ...+... | |||
| : L2VNx : : L2VNy : : L2VNx : | : L2VNx : : L2VNy : : L2VNx : | |||
| ....... ....... ....... | ....... ....... ....... | |||
| skipping to change at page 14, line 26 ¶ | skipping to change at page 14, line 34 ¶ | |||
| volume of traffic to overload DC underlying network. The NVO3 | volume of traffic to overload DC underlying network. The NVO3 | |||
| solution has to address these issues. | solution has to address these issues. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document does not request any action from IANA. | This document does not request any action from IANA. | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| Authors like to thank Sue Hares, Young Lee, David Black, Pedro | Authors like to thank Sue Hares, Young Lee, David Black, Pedro | |||
| Marques, Mike McBride, David McDysan, Randy Bush, and Uma Chunduri | Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, and | |||
| for the review, comments, and suggestions. | Eric Gray for the review, comments, and suggestions. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, March 1997 | ||||
| [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private | [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private | |||
| Networks (VPNs)", RFC 4364, February 2006. | Networks (VPNs)", RFC 4364, February 2006. | |||
| [IEEE 802.1ag] "Virtual Bridged Local Area Networks - Amendment 5: | [IEEE 802.1ag] "Virtual Bridged Local Area Networks - Amendment 5: | |||
| Connectivity Fault Management", December 2007. | Connectivity Fault Management", December 2007. | |||
| [ITU-T G.8013/Y.1731] OAM Functions and Mechanisms for Ethernet | [ITU-T G.8013/Y.1731] OAM Functions and Mechanisms for Ethernet | |||
| based Networks, 2011. | based Networks, 2011. | |||
| [ITU-T Y.1564] "Ethernet service activation test methodology", 2011. | [ITU-T Y.1564] "Ethernet service activation test methodology", 2011. | |||
| skipping to change at page 15, line 15 ¶ | skipping to change at page 15, line 19 ¶ | |||
| [RFC4301] Kent, S., "Security Architecture for the Internet | [RFC4301] Kent, S., "Security Architecture for the Internet | |||
| Protocol", rfc4301, December 2005 | Protocol", rfc4301, December 2005 | |||
| [RFC5880] Katz, D. and Ward, D., "Bidirectional Forwarding Detection | [RFC5880] Katz, D. and Ward, D., "Bidirectional Forwarding Detection | |||
| (BFD)", rfc5880, June 2010. | (BFD)", rfc5880, June 2010. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [NVGRE] Sridharan, M., "NVGRE: Network Virtualization using Generic | [NVGRE] Sridharan, M., "NVGRE: Network Virtualization using Generic | |||
| Routing Encapsulation", draft-sridharan-virtualization- | Routing Encapsulation", draft-sridharan-virtualization- | |||
| nvgre-02, work in progress. | nvgre-03, work in progress. | |||
| [NVO3ARCH] Black, D., et al, "An Architecture for Overlay Networks | ||||
| (NVO3)", draft-ietf-nvo3-arch-00, work in progress. | ||||
| [NVO3PRBM] Narten, T., et al "Problem Statement: Overlays for | [NVO3PRBM] Narten, T., et al "Problem Statement: Overlays for | |||
| Network Virtualization", draft-ietf-nvo3-overlay-problem- | Network Virtualization", draft-ietf-nvo3-overlay-problem- | |||
| statement-03, work in progress. | statement-04, work in progress. | |||
| [NVO3FRWK] Lasserre, M., Motin, T., and et al, "Framework for DC | [NVO3FRWK] Lasserre, M., Motin, T., and et al, "Framework for DC | |||
| Network Virtualization", draft-ietf-nvo3-framework-03, | Network Virtualization", draft-ietf-nvo3-framework-04, | |||
| work in progress. | work in progress. | |||
| [NVO3MCAST] Ghanwani, A., "Multicast Issues in Networks Using NVO3", | [NVO3MCAST] Ghanwani, A., "Multicast Issues in Networks Using NVO3", | |||
| draft-ghanwani-nvo3-mcast-issues-00, work in progress. | draft-ghanwani-nvo3-mcast-issues-00, work in progress. | |||
| [VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com | [VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com | |||
| [VXLAN] Mahalingam,M., Dutt, D., etc "VXLAN: A Framework for | [VXLAN] Mahalingam,M., Dutt, D., etc "VXLAN: A Framework for | |||
| Overlaying Virtualized Layer 2 Networks over Layer 3 | Overlaying Virtualized Layer 2 Networks over Layer 3 | |||
| Networks", draft-mahalingam-dutt-dcops-vxlan-03.txt, work | Networks", draft-mahalingam-dutt-dcops-vxlan-06.txt, work | |||
| in progress. | in progress. | |||
| Authors' Addresses | Authors' Addresses | |||
| Lucy Yong | Lucy Yong | |||
| Huawei Technologies, | ||||
| 5340 Legacy Dr. | ||||
| Plano, TX 75025 | ||||
| Phone: +1-469-277-5837 | Phone: +1-918-808-1918 | |||
| Email: lucy.yong@huawei.com | Email: lucy.yong@huawei.com | |||
| Mehmet Toy | Mehmet Toy | |||
| Comcast | Comcast | |||
| 1800 Bishops Gate Blvd., | 1800 Bishops Gate Blvd., | |||
| Mount Laurel, NJ 08054 | Mount Laurel, NJ 08054 | |||
| Phone : +1-856-792-2801 | Phone : +1-856-792-2801 | |||
| E-mail : mehmet_toy@cable.comcast.com | E-mail : mehmet_toy@cable.comcast.com | |||
| Aldrin Isaac | Aldrin Isaac | |||
| Bloomberg | Bloomberg | |||
| E-mail: aldrin.isaac@gmail.com | E-mail: aldrin.isaac@gmail.com | |||
| Vishwas Manral | Vishwas Manral | |||
| Hewlett-Packard Corp. | Hewlett-Packard Corp. | |||
| 3000 Hanover Street, Building 20C | 3000 Hanover Street, Building 20C | |||
| Palo Alto, CA 95014 | Palo Alto, CA 95014 | |||
| Phone: 650-857-5501 | Phone: 650-857-5501 | |||
| End of changes. 32 change blocks. | ||||
| 89 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||