Over the past several years, there's been an explosion of new networking concepts and terminology resulting from trends in data center technologies and virtualization. Terms like software-defined networking (SDN), network virtualization, and network functions virtualization (NFV) are used frequently in technical talks, vendor marketing material, and blogs.
Many networking professionals have a tenuous grasp on just what those terms mean and how they relate to one another. In this post, I will provide a basic working definition for each.
Software-defined networking
SDN is probably the most heavily used (and overused) term of the three. It generally means separating a data network's control functions from its packet forwarding functions. Why separate these functions? There are three main reasons, each being pushed by different solution sets in the networking industry right now.
First, the separation of hardware and software can allow vendors that specialize in each component to focus on bringing successful products to market in an independent, interoperable way. This, in turn, allows end users to select a combination of hardware and software that best suits their needs. This aspect of SDN is often called the "white-box" movement, harkening back to early white box personal computers, which were themselves decoupled from the operating systems that ran on them and sold largely as a collection of commodity components at a lower price than a fully integrated solution, such as an IBM PC or a Macintosh.
Not all SDN use cases necessitate (or even support) purchasing hardware and software developed independently, but the trend is growing. The result is value being driven into the networking software while the hardware vendors focus on reducing the cost of the commodity physical components.
Second, the decoupling of networking hardware and software allows for centralization of the control portion (called the control plane) while keeping the actual packet forwarding function (the forwarding plane) distributed across many physical network switches. This provides a means to configure, monitor, troubleshoot, and automate a large network built of many discrete hardware components as a single network "fabric."
The centralized control plane can then enable new or different forwarding behaviors and broader, more precise control of traffic flow. Many products that encompass data center fabrics and flow control methods such as OpenFlow leverage this facet of SDN.
Finally, the term SDN often goes hand in hand with the idea of network programmability: using homegrown or commercial tools that interact closely with the software-based control plane to affect its configuration and behavior. By providing application programming interfaces (APIs) into the centralized SDN control function and the information that supports the forwarding function, network management applications, provisioning tools, and homegrown scripts gain a single point of interaction with the network, which can greatly improve their effectiveness.
Network virtualization
Network virtualization refers to the virtualization of network resources or pathways to achieve application or tenant isolation. This isolation is often desirable for a variety of reasons, including scalability, fault isolation, security, and network abstraction. Isolation is sometimes accomplished with technologies that create virtual instances of a physical device, such as load balancers or firewall appliances that support being split into multiple virtual devices for different purposes.
Routers and Layer 3 switches can be virtualized using technologies such as virtual routing and forwarding instances (VRFs) to virtualize and isolate IP routing tables and routing functions. Ethernet switches support VLANs to provide Layer 2 path isolation and virtually carve up the broadcast domain of a single physical switch into multiple logical ones.
These techniques are often used in combination to provide a completely separate network environment for an application, business unit, or data center tenant. Path isolation and network virtualization can also be achieved using newer techniques like overlay network technologies such as VXLAN and NVGRE. This method provides tenant separation, containerization, and isolation as well as scalability. Another means for path isolation is flow manipulation using SDN technologies like OpenFlow.
There are various benefits and drawbacks to each of these network virtualization techniques, and there are situations in which they complement or conflict with one another. Detailed exploration of these pros and cons is beyond the scope of this article.
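To make the VRF idea above concrete, here is an added example (not code from the original post) that models a router whose routing table is partitioned per VRF: two tenants reuse the same 10.0.0.0/24 prefix without conflict, and a lookup in one VRF never sees the other's routes. The tenant names, prefixes and next hops are constructed sample values.

```python
import ipaddress
from collections import defaultdict


class VrfRouter:
    """Toy model of a Layer 3 device with per-VRF routing tables.

    Each VRF is an independent table, so overlapping prefixes in different
    VRFs do not collide, and a packet is only ever matched against the
    routes of the VRF its ingress interface belongs to.
    """

    def __init__(self):
        # vrf name -> {IPv4Network/IPv6Network: next hop string}
        self._tables = defaultdict(dict)

    def add_route(self, vrf, prefix, next_hop):
        self._tables[vrf][ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, vrf, dst):
        """Longest-prefix match restricted to one VRF.

        Returns the next hop, or None when the VRF has no covering route
        (the packet would be dropped rather than leak into another VRF).
        """
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self._tables.get(vrf, {}).items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


def build_sample_router():
    """Constructed sample: tenants 'red' and 'blue' both use 10.0.0.0/24."""
    r = VrfRouter()
    r.add_route("red", "10.0.0.0/24", "192.0.2.1")
    r.add_route("red", "10.0.0.128/25", "192.0.2.2")   # more specific route
    r.add_route("blue", "10.0.0.0/24", "198.51.100.1")
    return r


if __name__ == "__main__":
    r = build_sample_router()
    print("red  10.0.0.5   ->", r.lookup("red", "10.0.0.5"))      # 192.0.2.1
    print("red  10.0.0.200 ->", r.lookup("red", "10.0.0.200"))    # 192.0.2.2
    print("blue 10.0.0.5   ->", r.lookup("blue", "10.0.0.5"))     # 198.51.100.1
    print("green 10.0.0.5  ->", r.lookup("green", "10.0.0.5"))    # None
```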
Network functions virtualization
NFV describes the concept of taking a function that traditionally runs on a dedicated network appliance -- usually a large appliance in the center of the network, shared by many tenants or applications -- and running that function as a virtual machine on the virtual server infrastructure (or sometimes on dedicated virtualization resources).
The drawbacks of the traditional approach of monster firewalls or load balancers sitting in the middle of the network are numerous: They represent a large, shared fault domain and are typically very expensive because they must be sized for peak capacity (and thus are usually chronically underutilized). They also make it difficult to provide customers or users with configuration and monitoring access, or to perform maintenance without impacting multiple applications or tenants.
Major advances in the power of x86 microprocessors and in compute virtualization technology have driven the success of NFV. With virtual server hosts built on such powerful compute nodes, specialized hardware is increasingly unnecessary for many functions. Once virtualized, those functions can be placed closer to where they are needed, containerized with an application or tenant, and replicated easily when building new, duplicate, or backup environments.
Fault domains shrink to the specific container in which the function exists, and maintenance activities become easier, because multiple application owners no longer need to agree on a common maintenance window for a software upgrade or other change. NFV is usually applied to upper-layer networking devices such as firewalls, load balancers, NATs, and VPN appliances.
Virtualized network functions may rely on path isolation and containerization to ensure they are used by the intended application, such as ensuring a firewall is the default gateway for a containerized, isolated application. NFV may also rely on SDN flow programming techniques to force traffic through one or more virtualized network functions -- a process called service chaining.
NFV, SDN, and network virtualization are related when considering ways to design and implement a modern, scalable, secure, and highly available data center environment for multiple applications or tenants. Each topic has enough depth to warrant many volumes of material, but the goal of this post was to define the basics of each term and the basic ways in which they are interdependent in modern data center implementations.
Learn more about SDN, NFV, and network virtualization at Interop New York. "Software Defined Networking and Network Virtualization" is a full-day workshop with networking guru Ivan Pepelnjak of ipSpace.net and Eric Hanselman, chief analyst at 451 Research, and SDN track chair. Sessions include a panel discussion led by Hanselman, "Application Control of Networks: Nirvana or Insanity?" Another session will examine the trend of combining big data, SDN, and NFV for wireless operators, "Unlocking the Network Operational Environment of the Future." Register now for Interop Sept. 28-Oct. 3 in New York City.