A Virtualization Technologies Primer: Theory--Part IV

VPLS configuration has two components. The first, which we have already referred to, defines the mesh of pseudowires that together act as a virtual switch. The second maps the VLAN trunk port to a VSI using the xconnect command. This appears at the end of Example 6.

Virtual Firewall Contexts
Device virtualization is not limited to switches and routers. As a final example, consider a firewall device. For essentially economic reasons, you might want to share a single firewall between multiple different customers or network segments. Each logical firewall needs to have a complete set of policies, dedicated interfaces for incoming and outgoing traffic and users authorized to manage the firewall.

Many vendors provide this capability today and undoubtedly have their own, well-chosen name for it, but on Cisco firewalls the term context is used to refer to a virtual firewall. Unlike VRFs, VFIs, or VLANs, a context is an emulation of a device (so an example of the VR concept discussed earlier in this chapter).

Firewall contexts are a little unusual in the way they assign a packet to a context. All the partitions we have seen up to now have static assignment of interfaces (you can assign IP packets to a VRF dynamically. We cover that later). A firewall module looks at an incoming packet's destination IP address or Ethernet VLAN tag to decide which context a packet belongs to. All the firewall needs is for one of the two fields to be unique. So either each context has a unique IP address space on its interfaces or the address space is shared, but each context is in a different VLAN.

Figure 4 shows a simple setup with an Ethernet switch connected to a firewall context using two VLANs. The switch binds the VLANs to VRF BLUE (at the top) and VRF RED. The firewall has two different contexts. The blue one receives all frames on VLAN 101 and the red one gets VLAN 102. In this way, packets from the outside (on the right side of the figure) that belong to VLAN 101 go through a different set of firewall rules than those that belong to VLAN 102.

Next: Network Device Virtualization Summary and Data-Path Virtualization

About the Authors
Kumar Reddy is a Manager of Technical Marketing Engineering at Cisco Systems. Kumar has more than 15 years of industry experience. He has held a variety of technical roles at Cisco, including working with service provider customers as a systems engineer, as a technical specialist for both digital subscriber line (DSL) and Ethernet products and technology and, most recently, designing end-to-end systems for small and medium-size businesses.

Before joining Cisco Kumar taught unsuspecting engineering students in Paris and worked as a programmer in Tokyo. Kumar has a degree in Computer Engineering from Trinity College, Dublin, Ireland.

Victor Moreno is a Technical Marketing Engineer at Cisco Systems and a Cisco Certified Internetworking Expert (CCIE). He has more than 10 years of industry experience and is a recognized expert in the field of virtual enterprise networks and has been involved with enterprise network virtualization since 2001. Victor has a degree in electrical engineering from the Simon Bolivar University in Caracas, Venezuela and a Master degree from the University of York, England, and specializations from Stanford University.

To contact any of the authors, please email: reviews@ciscopress.com and use Network Virtualization/post question as the subject line.

Title: Network Virtualization.ISBN: 1-58705-248-2 Authors: Victor Moreno, Kumar Reddy. Chapter 4: A Virtualization Technologies Primer: Theory.Published by Cisco Press.

Reproduced from the book Network Virtualization. Copyright [2006], Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.

*Visit Cisco Press for a detailed description and to learn how to purchase this title.

Page 1 | 2