VIRTUAL NETWORK AUTOMATION
As described in previous sections, physical network automation achieves Layer 3 connectivity between any two devices on the network. At this stage, the network administrator can start to construct virtual networks (VNs). To create a VN, they just need to perform two steps on the SDN controller.
First, specify resources including the physical device roles, IP address segment, and VN access location for the VN. This step is also called creating a fabric on an intent-driven network. The fabric virtualizes and pools all resources on the network and is presented in the form of VNs to carry services.
Second, create the VN based on service requirements, including specifying the VN name, available IP address segment, and access interfaces.
Throughout the entire process, the network administrator does not need to consider the specific network implementation. This significantly reduces the degree to which service requirements and network implementation are coupled, and improves network planning efficiency.
This two-step operational simplicity can be partially credited to the orchestration by the SDN controller. The following illustrates what happens to the SDN controller and network devices in the two steps performed by the network administrator.
Mapping between VNs and Resources
The SDN controller implements Framework as a Service (FaaS) to support the mapping from a physical network to a fabric by virtualizing a campus network, pooling network resources, and abstracting network services. When VNs are being created, FaaS resources are instantiated based on rules, as shown in Figure 6.9.
When a fabric is created, the SDN controller abstracts fabric resources into a virtual router pool, access port pool, subnet pool, and network egress pool. The following describes the functions of each pool:
• Virtual router pool: A virtual router uses a Virtual Private Network (VPN) to create an independent Layer 3 routing domain that provides the same functions as a physical router. Each VN occupies one VPN resource. [1]
FIGURE 6.9 Resource instantiation.
- • Subnet pool: Subnet pool contains IP address segments that can be assigned to VNs. A large network segment (for example, a class В network segment) assigned to a fabric is divided into subnets, with a subnet assigned to one VN.
- • Network egress pool: Network egress pool connects VNs to external resources such as the Internet and other VNs.
Automated VN Deployment
After physical network resources are pooled, the administrator can create VNs based on service requirements. In real-world situations, a VN is an independent service network that is typically created for an independent department. For example, if a company has a marketing department, a finance department, and an R&D department, a VN can be created for each of the three departments. Automated deployment of these VNs involves resource pool instantiation and VN creation by the administrator. When creating VNs, the administrator needs to specify virtual routers, an access port range, and subnets from the fabric resource pool. Based on the resource distribution modes, VNs can be created in three patterns, as shown in Figure 6.10. Table 6.2 compares the three VN creation modes.
An egress for network-side access needs to be specified for each VN. The intent-driven campus network solution supports three egress modes for different access scenarios, as shown in Figure 6.11. Table 6.3 describes the application scenarios of these egress modes.
Users in different VNs may need to communicate with each other. Figure 6.12 shows two solutions for inter-VN communication.
FIGURE 6.10 VN creation modes.
TABLE 6.2 Comparison of VN Creation Modes
|
Creation Mode |
Application Scenario |
Resource Distribution |
|
Vertical partition |
Users statically access VNs by using invariably authorized VLANs |
Resources of specified physical switches are exclusively used by a VN |
|
Horizontal partition |
Users dynamically access VNs by using flexibly authorized VLANs |
Resources of specified physical switches are shared by VNs |
|
Hybrid partition |
There are both users who access VNs statically and those who access VNs dynamically (applicable to network reconstruction and migration scenarios) |
Resources of specified physical switches are shared by the VNs created in horizontal partition mode When creating VNs in vertical partition mode, specify the physical switches to be used by the VNs |
FIGURE 6.11 VN egress modes.
TABLE 6.3 Application Scenarios of Different VN Egress Modes
|
VN Egress Mode |
Application Scenario |
|
Layer 3 shared egress |
Multiple VNs need to access the Internet or a DC Multiple VNs use the same security policy |
|
Exclusive egress |
Multiple VNs need to access the Internet or DC Each VN uses a customized security policy |
|
Layer 2 shared egress |
The border node does not function as a user gateway |
FIGURE 6.12 VN mutual access.
• Inter-VN communication through a border node: This mode is applicable when application-level policy control is not required. •
Inter-VN communication through an external gateway: This mode is applicable when application-level policy control is required.
- [1] Access port pool: Access port pool is a collection of ports that canbe used for accessing VNs. The ports can be wired ports or wirelessports. Wired ports refer to ports on all access switches, and wirelessports refer to SSIDs. User access automation enables multiple VNs touse the same physical port.
