Its Time To Virtualize the Network

Transforming data center networks to meet the needs of the cloud.

The Network for Clouds

Hosting providers have gained tremendous efficiency and flexibility as a direct result of the compute and storage virtualization technologies developed over the past decade. However, server and storage virtualization is only the tip of the iceberg.
Virtualized Compute & Storage
Physical Server Consolidation Simple Automation Network Agility Dynamic Security Programmable Network Massive Scale Reduced Cost Reduced Complexity

Clouds are dynamic by design and require flexibility, scalability and programmability that todays data center networks do not provide. The physical network is an inflexible, complex and costly barrier to realizing the full agility now available to cloud service providers and large enterprise data centers. Networking has not kept pace with the dynamic requirements of cloud data centers and instead is bogged down in a 20-year-old operational model originally designed for manual provisioning on a device-by-device basis. Networks are overly complicated, fragile systems constructed from hundreds of individual devices tied together by complex and often vendor specific interfaces with no central programmatic control. Networks lack the fundamental operational characteristics to achieve efficiency and flexibility required by todays cloud data centers.

Virtualized Network

The Root of the Problem

Network services are bound to physical network hardware and topology. This binding has resulted in limited scalability, increased complexity and inflated cost for customers. In the absence of a viable solution, many data centers have developed custom CLI scripts to automate hardware configuration. Only a stop gap, this approach has not fixed the problem and in most cases requires expensive hardware upgrades and even more tightly binds services to a vendor specific hardware.

Fix the Problem

Virtualize the network. Like you virtualized compute. Decouple network control from network hardware and enable programmatic creation of agile logical networks that meet the needs of clouds for the first time. Nicira delivers the first ever network hypervisor and enables the network for clouds.

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 2

A Network Hypervisor
A network hypervisor must:
Completely decouple network services from underlying hardware. Faithfully reproduce physical network model in logical space. Operate on any existing IP network infrastructure. Integrate with any server virtualization solution. Allow logical networks to be programmatically provisioned and managed through central API. Bind network services to workloads, allowing dynamic placement and mobility of any workload, anywhere. Enable physical network capacity to scale independent of logical network con guration. Expose logical ports on physical access switches through integration with hardware partners.

A network hypervisor decouples network services from the underlying physical network hardware. Its software that operates at the edge of any existing IP network and faithfully reproduces the entire networking environment in logical space. A network hypervisor transforms a physical network into a generalized pool of network capacity, like a server hypervisor transforms physical servers into a pool of compute capacity.

Decoupling logical networks from the physical hardware allows you to scale the pool of network capacity without affecting the logical networks operating above it. Now delivering simple IP connectivity, the physical networks complexity is greatly reduced and any requirement for specialized hardware features is eliminated. Hardware independent capacity can be added as required without affecting the logical networks utilizing the physical infrastructure.

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 3

Beyond VLANs
Are you creating and managing complex L2 networks that require reconfiguration of hardware to extend VLANs to another part of the data center? Are VLAN limits one of your concerns? Would you like to be able to extend L2 connectivity into your customers data center? Do you want both physical and virtual workloads to be on the same L2 network? If you answered yes to any of these questions, you need to virtualize your network. A Nicira virtualized network supports 100s of thousands of dynamically provisioned, fully isolated logical networks, completely decoupled from the underlying network hardware. Logical networks are able to connect into existing physical VLANs, but VLANs are not required by the architecture. Each logical network is equivalent to a hardware-based Layer 2 switch, with all of the enterprise network services you expect. (See diagram to the right) The difference, of course, is that logical network ports are programmatically provisioned, attached to workloads and placed or moved on demand, anywhere in the data center.
Packet Forwarding

Logical Ports
Port Isolation (PVLAN) Port Security (Tie Port to MAC to IP) Port Visibility (NetFlow, RSPAN, SNMP) Port Performance Guarantees (QoS, Caps, Min/max w/ priority) Port Level Access Policy (ACLs, Firewall Rules) Port Level Accounting (RX/TX Packets/Bytes) Integrate with Layer 4-7 services (SLBs, IPSs, FWs)

Physical Ports

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 4

Nothing Changes... and Everything Changes.

Nothing Changes
Gone are the days of costly hardware upgrades being necessary to realize new network capabilities. If your hardware provides IP connectivity, you have what you need. Existing physical network Whether your existing network is built on 15-year-old network hardware or the latest integrated system of brand name super switches; if it forwards IP traffic, its good enough. Existing server virtualization solution Deployed without disruption, Nicira software operates seamlessly with your compute and storage virtualization solution. Existing Cloud Management System Nicira programmatically integrates with your Cloud Management System (CMS), to automate the creation of isolated logical networks for each tenant. Existing management tools Logical networks deliver the visibility you are used to in physical networks (SNMP, NetFlow, SFlow). Logical network traffic looks the same to your management tools. Existing IP addresses. No need to change your IP addresses or force your customers to change theirs.

Everything Changes
Virtualize your network, and your cloud ascends into a new era of network computing where hardware limitations and physical boundaries vanish. Multi-tenant and fully-isolated Your cloud data center network has become a dynamic, highly scalable, multi-tenant environment in which 100s of thousands of logical Layer 2 networks are fully isolated from each other. Dynamically place any workload anywhere You can now programmatically place any workload, anywhere. Both physical and virtual workloads can be dynamically joined on the same logical networks that span physical IP subnets, across and between data centers and even into customer data centers. Accurate, pay-as-you-go accounting Fine grain port level visibility accurately measures usage on a, per-port-per-serviceper-hour basis, allowing you to tightly align costs with revenue and accurately bill on a usage basis. Dynamic security for clouds Security is configured centrally and enforced at the edge, completely changing the security equation and removing the traditional choke point network security model. IPv6 over existing IPv4 Infrastructure Nicira allows IPv6 end hosts to communicate seamlessly over logical networks on an existing IPv4 physical infrastructure.

No Rip-and-Replace
Nicira creates an intelligent network edge managed by a distributed central control system that transforms your existing physical network into an IP backplane and enables the programmatic creation of thousands of agile logical networks to connect workloads anywhere in your cloud. With this capability, everything changes...
Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 5

Virtualize the Network. Grow Your Cloud Business.

Place any workload, anywhere
Service providers are painfully reminded of the barrier the network is to their cloud operations each time a tenant grows beyond the compute capacity built into their physical pod. While flexible compute capacity exists in the data center, it is physically isolated and requires costly and complex manual reconfiguration of network hardware to extend the network and meet the customer needs. Nicira enables dynamic placement of any workload, anywhere. With Nicira, if you have compute capacity, the network is always there, its that simple. Nicira integrates with your Cloud Management System (CMS), to automate the creation of isolated logical networks for each tenant. A logical network appears as a L2 switch to tenants. However, each logical port will support L2-L7 services, so you can tier services offerings, beginning with highly scalable L2 connectivity and dynamically adding additional services as required by a tenant. Logical ports are programmatically created and attached to either physical or virtual workloads, anywhere in the data center, on demand. Logical networks span physical IP subnets, allowing the physical network to be engineered and segmented independent from tenant isolation. Leveraging the agility delivered by virtualizing the network, cloud service providers are able to easily migrate managed physical server customers to their cloud and significantly reduce the cost and complexity associated with placing, moving and joining workloads.

Migrate enterprise to your cloud

Many companies are eager to take advantage of the benefits of cloud computing, but they need a solution that allows them to migrate applications seamlessly into the cloud, without disrupting current operations. Nicira enables logical networks to span throughout a data center, between data centers and even onto a customer premise. Logical networks are fully isolated from each other, supporting overlapping MAC and IP addresses. Workloads on the same server hypervisor can be assigned to different tenants and remain fully isolated. Service providers are able to painlessly onboard new enterprise customers, allowing the enterprise to maintain existing IP configurations. Enterprises can host workloads both on premises and in the cloud data center, all on the same L2 broadcast domain.

Increase Service Velocity

A simple formula for success acquire new customers and add services for existing customers. Adding virtualized compute services is now standard operating procedure for cloud services providers. Dynamic provisioning of elastic compute and storage capacity defines cloud as we know it today. On demand provisioning of port level network services such as security access control and quality of service (QoS) guarantees, have been out of reach for services providers because of the manual operations required to provision, monitor and account for such services in a dynamic environment. Nicira enables a dynamically tiered network service model. Ranging from commodity level network connectivity to enterprise class network services, all provisioned on the same physical infrastructure. Nicira enables network services to be programmatically provisioned and accounted for on a per-port-per-hour basis. This allows networks services to be dynamically provisioned on demand, and charged for on a pay-as-you-go basis. Service providers are able to increase their network service velocity, while eliminating the operational costs which, when bound to physical hardware, put such dynamic provisioning services out of reach.

The right operational model for cloud

In order to cost effectively offer dynamic services in the cloud, service providers must be able to automate and optimize. Nicira enables hands off service delivery. Applications are able to programmatically interface with the CMS to provision and de-provision logical networks, logical ports, network services and policies along with VMs, on demand. Then, when the CMS needs to migrate VMs to optimize resources, the network services, policies and counters move with the VM, anywhere in the data center, with no human interaction.

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 6

Agile, Secure, Scalable & Programmable

Dynamic Security for Clouds
In physical networks, security is often built using a choke point model. Network security policy is enforced as traffic traverses the network and passes through inline devices such as routers or firewalls with rules or access control lists, which are manually configured to allow or deny access. The choke point model simply does not work for clouds. Clouds are dynamic by design; VMs come up, go down, move and the network is expected to change continuously. Nicira completely transforms the network security equation. In a virtualized network, security policies are programmatically generated and centrally managed, then pushed to and enforced at the edge of the network. Malicious traffic is dropped at the edge before it even leaves the logical port. An added benefit of this model is that security policies are always up-to-date even when VMs move, new hypervisors are added or physical network devices are updated or replaced. There is a complete separation of trust; physical, logical and management networks are completely isolated from each other. There is no intermediate interpretation of any part of any packet as logical network traffic traverses the physical network; the system is impervious to spoofing or compromised VMs and there are no control protocols, such as dynamic trunking or discovery, which could be exploited. Nicira does not change the existing threat model and does not introduce new vulnerabilities. A virtualized network does not solve all security challenges, but the architecture enables a model that meets the dynamic security needs of clouds.

IPv6 on your Existing v4 Infrastructure

The timeframe for complete IPv4 address exhaustion is now widely expected to be in early 2012. A serious concern for cloud service providers who are expecting significant growth, but have not upgraded their network infrastructure to support IPv6. Nicira offers an attractive solution. Simply as a product of the of the virtualized network architecture, Nicira allows IPv6 end hosts to communicate seamlessly over logical networks on an existing IPv4 physical infrastructure. Additionally, leveraging the isolated nature of the logical networks, the virtualized data center can support both IPv4 logical networks and IPv6 logical networks on the same IPv4 infrastructure.

Programmatic Interface for Automation

At the core of the Nicira system is a RESTful Web Services API. All logical network configurations are accessible through this API. This includes creating and managing logical networks, managing logical network policies, associating VMs with logical networks, managing the integration of physical network with logical networks and monitoring and accounting for logical network counters. Using the web services API, service providers can easily integrate the provisioning of logical network services into their CMS. Application developers can use the APIs to enable cloud applications to programmatically adjust port level network service, performance guarantees for example.

Scaling your Existing Hardware

Nicira enables service providers to obtain greater scale from their existing network hardware. All network hardware has limitations. Two key limitations for cloud service providers are VLAN limits and MAC table limits. In a virtualized network, 100s of thousands of isolated logical networks are created and operate independent from the underlying hardware and therefore are not effected by VLAN limits. Additionally, the architecture of a virtualized network exposes only the MAC addresses of physical network interface cards to physical switches. The MAC addresses of the VMs are transparent to physical switches, enabling far greater scale.

The Best of Both Worlds

In the past, cloud services providers had to choose between offering a complete enterprise network service model or an operational model of virtualization. A Nicira virtualized network enables the best of both worlds Logical network security, QoS, visibility and elastic scale, automated provisioning, on-demand network services and pay-as-you-go pricing.

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 7

How it Works
Nicira creates an intelligent network edge on your existing network, managed by a distributed system that transforms your physical network into an IP backplane and enables the programmatic creation of thousands of agile logical networks to connect workloads in your cloud. An intelligent edge Open vSwitch (OVS) is the core component on the intelligent edge. OVS is switch software designed for remote control. OVS is deployed in three possible forms at the edge of a Nicira virtualized network. See diagram below. First, and most widely deployed is OVS in the server hypervisor. A completely software solution that works with your existing VMware, Xen, Xen Server, KVM or Hyper-V hypervisor. Second, the Extender OVS in a virtual or physical x86 appliance. This is primarily deployed to integrate with legacy physical networks, for example, to connect an entire VLAN into the cloud data center on the same logical network. Third, the pSwitch OVS embedded in access switch hardware, supplied by partners. This is used to directly connect physical servers or to take advantage of hardware acceleration. A controller cluster The Nicira controller is a highly available clustered controller running on x86 servers that manages all virtualized network components and connections. The controller cluster exposes the web services API and defines logical networks. Capable of controlling and managing 10s of thousands of OVS edge devices, the controller does not sit in the data path.

V1 Virtual Machines V2 V3

Open vSwitch in Server Hypervisor for VMware, Xen, Xen Server, KVM & Hyper-V

DB1 V1 V2 V3 S1 S2

Controller Cluster

Logical Network Port Isolation Port Level Security & Access Control Port Level Performance Guarantees (QoS) Port Level Visibility Port Level Accounting Logical View

Existing Physical Network

API
ligent Edge Intel

DB1 Physical Server

Customer Data Center

Internet

Open vSwitch in Access Switch Hardware Embedded in switch, delivered by partners

Logical Network Tra c

Open vSwitch in Virtual or Physical Applicance Extender to customer premise

S1

S2 Customer VLAN

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 8

Its Time To Virtualize the Nework

True network virtualization is the essential next step for capitalizing on the promise of cloud computing. The right network operational model for the future is to enable isolated and distinct networks to be created, deleted, expanded, contracted and migrated on demand leveraging the existing physical network as a generalized pool of network capacity, just as physical servers are used as a generalized pool of compute capacity for virtual workloads. Virtualized networks change the deployment model for physical network hardware, just as compute virtualization has changed the deployment model for servers. The new deployment model allows all physical devices to be racked and cabled once, and then programmatically provisioned and re-provisioned on demand. Virtualized networks remove vendor lock-in from the equation, allowing the physical IP fabric to be built using the best price-performance solution. Nicira brings the flexibility of virtualization to the network, combining the standard attributes of traditional physical networking with the operational requirements of the cloud.
About Nicira Nicira Networks is accelerating the transformation to cloud infrastructure by delivering software that virtualizes the network. Based on the innovative Network Virtualization Platform (NVP) architecture, Nicira solutions provide unprecedented network flexibility and control for service provider and enterprise data centers, leading to dramatically improved scalability, increased service velocity, simplified operations and reduced costs. The company was founded by networking research leaders from Stanford University and University of California at Berkeley, and is led by proven entrepreneurs in networking, virtualization and security. Nicira Networks, Inc. 3600 W. Bayshore Road, Suite 200 Palo Alto, CA 94303 U.S.A. +1.650.473.9777 Phone +1.650.739.0997 Fax info@nicira.com www.nicira.com

Copyright Nicira Networks, Inc. All Rights Reserved.

Its Time To Virtualize the Network | 9