Ch 27: Virtualization Flashcards

1
Q
  1. What is a virtual machine?
  2. A software emulation of a virtual server with an operating system
  3. A software emulation of a physical server with an operating system
  4. A software emulation of a physical server without an operating system
  5. A software emulation of a virtual server with or without an operating system
A

2.

A virtual machine is a software emulation of a virtual server with an operating system.

2
Q

What is a container?

  1. A lightweight virtual machine
  2. A software emulation of a physical server without an operating system
  3. An application with its dependencies packaged inside a tarball
  4. An isolated environment where containerized applications run.
A

4.

A container is an isolated environment where containerized applications run. It contains the application, along with the dependencies that the application needs to run. It is created by a container engine running a container image.

3
Q

Which of the following are container engines? (Choose all that apply.)

  1. Rkt
  2. Docker
  3. vSphere hypervisor
  4. LXD
A

1, 2, and 4.

Rkt, Docker, and LXD are container engines. The vSphere hypervisor is a hypervisor that enables the creation of VMs.

4
Q

What is a virtual switch (vSwitch)?

  1. A software version of a physical multilayer switch
  2. A software version of a physical Layer 2 switch
  3. A software version of a physical switch with advanced routing capabilities
  4. A cluster of switches forming a virtual switching system (VSS)
A

2.

A virtual switch (vSwitch) is a software-based Layer 2 switch that operates like a physical Ethernet switch and enables VMs to communicate with each other within a virtualized server and with external physical networks through the physical network interface cards (pNICs).

5
Q

T/F: Only a single vSwitch is supported within a virtualized server.

A

False.

Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host, and they cannot share the same pNIC.

6
Q

T/F: Containers do not need vSwitches to communicate with each other or with the outside world.

A

False.

Containers, just like VMs, rely on vSwitches (also known as virtual bridges) for communication within a node (server) or the outside world.

7
Q

Which of the following is the virtual or software version of a network function and typically runs on a hypervisor as a VM?

a. VNF
b. NFV
c. NFVI
d. NFVIS

A

1.

A virtual network function (VNF) is the virtual or software version of a physical network function (NF) such as a firewall, and it typically runs on a hypervisor as a VM.

For reference:

  • NFV: Network Function Virtualization
  • NFVI: Network Function Virtualization Infrastructure
  • NFVIS: Network Function Virtualization Infrastructure Software
8
Q

Which of the following is an architectural framework created by ETSI that defines standards to decouple network functions from proprietary hardware-based appliances and have them run in software on standard x86 servers?

a. VNF
b. NFV
c. NFVI
d. NFVIS

A

2.

Network functions virtualization (NFV) is an architectural framework created by the European Telecommunications Standards Institute (ETSI) that defines standards to decouple network functions from proprietary hardware-based appliances and have them run in software on standard x86 servers. It also defines how to manage and orchestrate the network functions.

9
Q

Connecting VNFs together to provide an NFV service or solution is known as ______.

  1. daisy chaining
  2. bridging
  3. switching
  4. service chaining
  5. linking
A

4.

Service chaining refers to chaining VNFs together to provide an NFV service or solution.

10
Q

Which of the following is the I/O technology that uses VFs and PFs?

  1. OVS
  2. OVS-DPDK
  3. SR-IOV
  4. PCI passthrough
A

c.

In SR-IOV, the emulated PCIe devices are called virtual functions (VFs), and the physical PCIe devices are called physical functions (PFs).

For reference:

OVS: Open vSwitch, sometimes abbreviated as OVS, is an open-source implementation of a distributed virtual multilayer switch. The main purpose of Open vSwitch is to provide a switching stack for hardware virtualization environments, while supporting multiple protocols and standards used in computer networks.

OVS-DPDK: DPDK, which stands for Data Plane Development Kit, is a set of libraries that improves data plane performance.

SR-IOV: Single Root I/O Virtualization (SR-IOV) allows multiple VMs running a variety of guest operating systems to share a single PCIe network adapter within a host server. SR-IOV allows a VM to move data directly to and from the network adapter, bypassing the hypervisor for increased network throughput and lower server CPU burden. Recent x86 server processors include chipset enhancements, such as Intel VT-x technology, that facilitate direct memory transfers and other operations required by SR-IOV.

The SR-IOV specification defines two device types:

Physical Function (PF)—Essentially a static vNIC, a PF is a full PCIe device that includes SR-IOV capabilities. PFs are discovered, managed, and configured as normal PCIe devices. A single PF can provide management and configuration for a set of virtual functions (VFs).

Virtual Function (VF)—Similar to a dynamic vNIC, a VF is a full or lightweight virtual PCIe device that provides at least the necessary resources for data movements. A VF is not managed directly but is derived from and managed through a PF. One or more VFs can be assigned to a VM.

11
Q

Which platform plays the role of the orchestrator in Cisco’s Enterprise NFV solution?

  1. APIC-EM
  2. Cisco DNA Center
  3. Cisco Enterprise Service Automation (ESA)
  4. APIC Controller
A

2.

Cisco DNA Center provides the VNF management and NFV orchestration capabilities. It allows for easy automation of the deployment of virtualized network services, consisting of multiple VNFs. APIC-EM and ESA are no longer part of the Enterprise NFV solution.

12
Q

T/F: NFVIS is based on a standard version of Linux packaged with additional functions for virtualization, VNF lifecycle management, monitoring, device programmability, and hardware acceleration.

A

True.

NFVIS is based on standard Linux packaged with additional functions for virtualization, VNF lifecycle management, monitoring, device programmability, and hardware acceleration.

13
Q

What is NFV?

A

Server virtualization is the process of using software to create multiple independent virtual servers (virtual machines) or multiple independent containerized operating systems (containers) on a physical x86 server.

Network functions virtualization (NFV) is the process of virtualizing specific network functions, such as a firewall function, into a virtual machine (VM) so that they can be run in common x86 hardware instead of a dedicated appliance. This chapter describes server virtualization and NFV and the benefits they bring to an enterprise network.

14
Q

What is a hypervisor? What are some examples of these?

A

The virtualization software that creates VMs and performs the hardware abstraction that allows multiple VMs to run concurrently is known as a hypervisor.

VMware vSphere, Microsoft Hyper-V, Citrix XenServer, and Red Hat Kernel-based Virtual Machine (KVM) are the most popular hypervisors in the server virtualization market. Figure 27-1 provides a side-by-side comparison of a bare-metal server and a server running virtualization software.

15
Q

What is a container?

A

A container is an isolated environment where containerized applications run. It contains the application, along with the dependencies that the application needs to run. Even though they have these and many other similarities to VMs, containers are not the same as VMs, and they should not be referred to as “lightweight VMs.”

Containers share the underlying resources of the host operating system and do not include a guest OS, as VMs do; containers are therefore lightweight (small in size). The application, along with the specific dependencies (binary files and libraries) that it needs to run, are included within the container.

Containers originate from container images. A container image is a file created by a container engine that includes the application code along with its dependencies. Container images become containers when they are run by the container engine. Because a container image contains everything the application code within it needs to run, it is extremely portable (easy to move/migrate). Container images eliminate some typical problems, such as applications working on one machine but not another and applications failing to run because the necessary libraries are not part of the operating system and need to be downloaded to make it run.

Figure 27-4 shows a side-by-side comparison of VMs and containers. Notice that each VM requires an OS and that containers all share the same OS while remaining isolated from each other.

16
Q

What is the difference between a container and a VM?

A

A container does not try to virtualize a physical server as a VM does; instead, the abstraction is the application or the components that make up the application.

Here is one more example to help clarify the difference between VMs and containers: When a VM starts, the OS needs to load first, and once it’s operational, the application in the VM can then start and run. This whole process usually takes minutes. When a container starts, it leverages the kernel of the host OS, which is already running, and it typically takes a few seconds to start.

17
Q

What are some of the most popular container engines?

A

There are many container engines available to create, run, and manage containers. The most popular container engine is the Docker engine. Here’s a list of some of the other container engine options available:

  1. rkt (pronounced “rocket”)
  2. Open Container Initiative
  3. LXD (pronounced “lexdi”), from Canonical Ltd.
  4. Linux-VServer
  5. Windows Containers
18
Q

What is a vSwitch? What layer does it operate at?

A

A virtual switch (vSwitch) is a software-based Layer 2 switch that operates like a physical Ethernet switch.

A vSwitch enables VMs to communicate with each other within a virtualized server and with external physical networks through the physical network interface cards (pNICs).

Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host, and the vSwitches cannot share the same pNIC.

19
Q

T/F: Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host, and the vSwitches cannot share the same pNIC.

A

True.

Each vSwitch requires a pNIC and is logically isolated from the other vSwitches on a single host.

20
Q

What are some of the most popular vSwitches?

A

The most popular vSwitches include the following:

  1. Cisco Nexus 1000VE Series Virtual Switch
  2. Cisco Application Virtual Switch (AVS)
  3. Open vSwitch (OVS)
  4. IBM DVS 5000v
  5. vSphere Switch
21
Q

See the attached diagram.

Can the traffic from VM1 reach the internet via VM0, which has the connection to the outside world?

A

Yes, provided the NGFW permits it.

Since network traffic cannot flow from one vSwitch to another, network traffic from VM1 destined to the external network, or VM0, needs to flow through the virtual next-generation firewall (NGFWv).

Figure 27-5 illustrates a virtualized server with three vSwitches connected to the virtual network interface cards (vNICs) of the VMs as well as the pNICs. vSwitch1 and vSwitch3 are linked to pNIC 1 and pNIC 3, respectively, to access the physical network, whereas vSwitch2 is not linked to any pNICs.

22
Q

T/F: Like VMs, containers rely on vSwitches (also known as virtual bridges) for communication within a node (server) or the outside world.

A

True.

Like VMs, containers rely on vSwitches (also known as virtual bridges) for communication within a node (server) or the outside world.

Docker, for example, by default creates a virtual bridge called Docker0, and it is assigned the default subnet block 172.17.0.1/16. This default subnet can be customized, and user-defined custom bridges can also be used.

Figure 27-6 illustrates how every container created by Docker is assigned a virtual Ethernet interface (veth) on Docker0. The veth interface appears to the container as eth0.

The eth0 interface is assigned an IP address from the bridge’s subnet block. As more containers are created by Docker within the node, they are each assigned an eth0 interface and an IP address from the same private address space. All containers can then communicate with each other only if they are within the same node.

Containers in other nodes are not reachable by default, and this can be managed using routing at the OS level or by using an overlay network.

23
Q

What is NF and NFV?

A

Network functions virtualization (NFV) is an architectural framework created by the European Telecommunications Standards Institute (ETSI) that defines standards to decouple network functions from proprietary hardware-based appliances and have them run in software on standard x86 servers.

It also defines how to manage and orchestrate the network functions. Network function (NF) refers to the function performed by a physical appliance, such as a firewall or a router function.

24
Q

What is NFVI?

A

NFV infrastructure (NFVI) is all the hardware and software components that comprise the platform environment in which virtual network functions (VNFs) are deployed.

25
Q

What is a VNF?

A

A virtual network function (VNF), as its name implies, is the virtual or software version of an NF, and it typically runs on a hypervisor as a VM.

VNFs are commonly used for Layer 4 through Layer 7 functions, such as those provided by load balancers (LBs) and application delivery controllers (ADCs), firewalls, intrusion detection systems (IDSs), and WAN optimization appliances. However, they are not limited to Layer 4 through Layer 7 functions; they can also perform lower-level Layer 2 and Layer 3 functions, such as those provided by routers and switches.

Some examples of Cisco VNFs include the following:

  • Cisco Cloud Services Router 1000V (CSR 1000V)
  • Cisco Cloud Services Platform 2100 (CSP 2100)
  • Cisco Integrated Services Virtual Router (ISRv)
  • Cisco NextGen Firewall Virtual Appliance (NGFWv)
  • Cisco Adaptive Security Virtual Appliance (ASAv)
26
Q

What is service-chaining?

A

Service chaining refers to chaining VNFs together to provide an NFV service or solution, as illustrated in Figure 27-8.

27
Q

What is an EM?

A

Element managers (EMs), also known as element management systems (EMSs), are responsible for the functional management of VNFs; in other words, they perform fault, configuration, accounting, performance, and security (FCAPS) functions for VNFs. A single EM can manage one or multiple VNFs, and an EM can also be a VNF.

28
Q

What is N-S and E-W traffic?

A

In NFV solutions, the data traffic has two different patterns: north–south and east–west.

North–south traffic comes into the hosting server through a physical NIC (pNIC) and is sent to a VNF; then it is sent from the VNF back out to the physical wire through the pNIC.

East–west traffic comes into the hosting server through a pNIC and is sent to a VNF. From there, it could be sent to another VNF (service chained) and possibly service chained to more VNFs and then sent back out to the physical wire through a pNIC.

There can also be combinations of the two, where a VNF uses a north–south traffic pattern for user data and an east–west traffic pattern to send traffic to a VNF that is just collecting statistics or that is just being used for logs or storage.

These patterns and the purpose of the VNFs are important to understand when deciding which technology to use to switch traffic between VNFs as well as to the outside world. Picking the right technologies will ensure that the VNFs achieve optimal throughput and performance.

29
Q

Multiple I/O technologies have been developed to solve a very specific problem with performance. The most prevalent of these technologies are the following:

  1. OVS Data Plane Development Kit (OVS-DPDK)
  2. PCI passthrough
  3. Single-root I/O virtualization (SR-IOV)

What do all of these solutions address?

A

They all address how to avoid continual interruptions of the CPU, which are very inefficient and lead to degradation in performance.

Every packet received needs to go through the same process, which requires the CPU to be continuously interrupted. The number of interrupts increases when using high-speed NICs (for example, 40 Gbps) and the packet size is small because more packets need to be processed per second. Interrupts add a lot of overhead because any activity the CPU is doing must be stopped, the state must be saved, the interrupt must be processed, and the original process must be restored so that it can resume what it was doing before the interrupt.

To avoid all the overhead and increase packet throughput, multiple I/O technologies have been developed. The most prevalent of these technologies are the following:

  1. OVS Data Plane Development Kit (OVS-DPDK)
  2. PCI passthrough
  3. Single-root I/O virtualization (SR-IOV)

30
Q

What is OVS-DPDK?

A

OVS Data Plane Development Kit (OVS-DPDK):

To overcome the performance impact on throughput due to interrupts, OVS was enhanced with the Data Plane Development Kit (DPDK) libraries. OVS with DPDK operates entirely in user space. The DPDK Poll Mode Driver (PMD) in OVS polls for data that comes into the pNIC and processes it, bypassing the network stack and the need to send an interrupt to the CPU when a packet is received—in other words, bypassing the kernel entirely.

To be able to do this, DPDK PMD requires one or more CPU cores dedicated to polling and handling the incoming data. Once the packet is in OVS, it’s already in user space, and it can then be switched directly to the appropriate VNF, resulting in huge performance benefits.

Figure 27-11 illustrates an x86 host with a standard OVS compared to an x86 host with an OVS with DPDK.

31
Q

What is PCI passthrough?

A

PCI passthrough allows VNFs to have direct access to physical PCI devices, which appear and behave as if they were physically attached to the VNF. This technology can be used to map a pNIC to a single VNF, and from the VNF’s perspective, it appears as if it is directly connected to the pNIC.

PCI passthrough offers many performance advantages:

  • Exclusive one-to-one mapping
  • Bypassed hypervisor
  • Direct access to I/O resources
  • Reduced CPU utilization
  • Reduced system latency
  • Increased I/O throughput
32
Q

What is the downside to PCI passthrough?

A

The downside to PCI passthrough is that the entire pNIC is dedicated to a single VNF and cannot be used by other VNFs. Therefore, the number of VNFs that can use this technology is limited by the number of pNICs available in the system.

Figure 27-12 illustrates an x86 host with a standard OVS and an x86 host with PCI passthrough.

33
Q

What is SR-IOV?

A

SR-IOV, Single-Root I/O Virtualization, is an enhancement to PCI passthrough that allows multiple VNFs to share the same pNIC.

SR-IOV emulates multiple PCIe devices on a single PCIe device (such as a pNIC). In SR-IOV, the emulated PCIe devices are called virtual functions (VFs), and the physical PCIe devices are called physical functions (PFs). The VNFs have direct access to the VFs, using PCI passthrough technology.

An SR-IOV-enabled pNIC supports two different modes for switching traffic between VNFs:

  1. Virtual Ethernet Bridge (VEB): Traffic between VNFs attached to the same pNIC is hardware switched directly by the pNIC.
  2. Virtual Ethernet Port Aggregator (VEPA): Traffic between VNFs attached to the same pNIC is switched by an external switch.

Figure 27-13 illustrates an x86 host with a standard OVS compared to an x86 host with SR-IOV.

34
Q

What Cisco solution replaces physical firewalls, routers, WLC, load balancers, and so on with virtual devices running in a single x86 platform?

A

The Cisco ENFV solution, Cisco Enterprise Network Functions Virtualization, is a Cisco solution based on the ETSI NFV architectural framework. It reduces the operational complexity of enterprise branch environments by running the required networking functions as virtual networking functions (VNFs) on standard x86-based hosts. In other words, it replaces physical firewalls, routers, WLC, load balancers, and so on with virtual devices running in a single x86 platform.

The Cisco ENFV solution provides the following benefits:

  • Reduces the number of physical devices to be managed at the branch, resulting in efficiencies in space, power, maintenance, and cooling
  • Reduces the need for truck rolls and technician site visits to perform hardware installations or upgrades
  • Offers operational simplicity that allows it to roll out new services, critical updates, VNFs, and branch locations in minutes
  • Centralizes management through Cisco DNA Center, which greatly simplifies designing, provisioning, updating, managing, and troubleshooting network services and VNFs
  • Enhances network operations flexibility by taking full advantage of virtualization techniques such as virtual machine moves, snapshots, and upgrades
  • Supports Cisco SD-WAN cEdge and vEdge virtual router onboarding
  • Supports third-party VNFs