The Virtual Enterprise


A virtual enterprise network must provide each group with the same services that a traditional dedicated enterprise network would. From an end user's perspective, the experience should be that of being connected to a dedicated network that provides connectivity to all the resources the user requires. From the network administrator's perspective, the experience should be that virtual work environments for the different groups of users can be created and modified easily, so that the network adapts to changing business requirements with far less effort. The latter derives from the ability to create security zones that are governed by centrally enforced policies. Because policies are enforced centrally, adding users or services to a VN, or removing them from it, does not require any policy reconfiguration, and a new policy affecting an entire group can be deployed in one place, at the VN perimeter. To virtualize an enterprise network, the basic functional blocks of the modular enterprise must be enhanced to provide the following functionality:

  • Dynamically authenticate and authorize users into groups

  • Isolate connectivity to guarantee privacy between groups

  • Create well-defined and controllable ingress/egress points at the perimeter of each VN

  • Enforce independent security policies for each group at the perimeter

  • Centralize the enforcement of the perimeter security policies for the different VNs by

    - Allowing secure collaboration mechanisms among groups

    - Allowing secure sharing of common resources

  • Provide basic networking services for the different groups, either shared or dedicated

  • Provide independent routing domains and address spaces to each group

You could use many different technologies to solve the listed challenges. The technologies available and how these can be used to meet the above requirements are the topic of the remaining chapters in the book.

From an architectural perspective, the previous requirements can be addressed by segmenting the network pervasively into VNs and centralizing the application of network policies at the perimeter of each VN. These are, of course, the policies for ingress and egress to the VN or security zone. The formation of a trusted security zone relies on traffic-isolation mechanisms rather than a distributed policy. Because traffic internal to a zone is trusted, policies are required only at the perimeter to control the access to external resources that could in many cases be shared. Figure 3-2 illustrates this concept.

Figure 3-2. Virtual Networks with Centralized Policies at the Perimeter


Regardless of where a user is connected, the user's traffic should always use the same VN and, should it need to exit the VN, be directed through a central site of policy enforcement (the VN perimeter). This makes users mobile and ensures that regardless of their location they are always subject to the same policies. To ensure that users are always connected to the right VN, dynamic authentication and authorization mechanisms are required. These identify devices, users, or even applications so that they can be authorized onto the correct virtual segment and thus inherit the segment's policies. The converse also holds: because traffic inside a VN is trusted, an endpoint admitted to the wrong VN inherits that VN's reach and policies, so the edge authorization decision is the control on which the isolation ultimately depends.

The virtualization architecture described so far can be organized into functional areas. These functional areas provide a framework for the virtualization of networks:

  • Transport virtualization

  • Edge authorization

  • Central services access (VN perimeter)

As you will see throughout the book, this modular framework gives the network architect a wide choice of technologies for each functional area. A key element in achieving this degree of flexibility is the definition of clear communication interfaces between the different areas.

VLANs provide an example of a communication interface between functional areas. The edge authorization module assigns a user to a VLAN, and the transport module maps that VLAN to a VN. At the destination, the transport module maps the VN back to a VLAN. If the destination is outside the VN perimeter, the transport module hands off a VLAN to the central services access module, which maps the VLAN to the necessary virtual services. As you progress through the book, you will learn that the interface between modules could just as well be a label or a policy.

Note

There are, of course, pros and cons to using different types of communication interfaces. These are analyzed as the different technologies are discussed in detail, so read on.


Figure 3-3 shows the functional areas of the virtualized enterprise. As shown, you can use a variety of technologies for each different area.

Figure 3-3. Virtualized Enterprise Network Functional Areas


A useful way to read Figure 3-3 and understand the role of the different functional areas is to follow it from the top down. Starting at the top, the endpoints connected to the network are authenticated and, as a result of the authentication, are authorized onto a specific VLAN (edge authorization). Each VLAN keeps its traffic separate from other VLANs and is mapped to a virtual routing and forwarding instance (VRF).

Note

VRFs are logical routing and forwarding tables with associated interfaces and routing processes, which can be thought of as a virtual routing instance. The section "Control-Plane-Based Segmentation" and Chapter 4 examine the concept of a VRF in more detail.


Each VRF is connected to the other VRFs in its VN and keeps its traffic separate from VRFs that belong to other VNs (transport virtualization). When traffic is destined to a resource outside the VN (for example, the data center), it is routed to the VN perimeter, where virtual services, such as firewalls and load balancers, are applied to each group (central services access/VN perimeter). Traffic destined to a subnet over the WAN is kept separate from traffic in other VNs through the virtualization of the WAN transport (transport virtualization).
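The following configuration is an added worked example, not from the book, that puts the three functional areas (edge authorization, transport virtualization, central services access) on one Catalyst-style Cisco IOS switch using the classic pre-15.x `ip vrf` syntax. It also serves as the concrete form of the VLAN-as-interface chain described earlier: RADIUS assigns the VLAN, the VLAN terminates in a VRF, and the VRF's only exit is a per-VN link toward the perimeter. The VRF names RED and BLUE, the VLAN numbers, the addresses, and the RADIUS key are invented for illustration, and the firewall at the far end of each transit VLAN is assumed to run one context or zone per VN:

```cisco
! ---- Edge authorization: 802.1X on the access port; the VLAN is returned by RADIUS ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user access port; no static VLAN, it is assigned after authentication
 switchport mode access
 dot1x port-control auto
!
! RADIUS Access-Accept for a member of group RED (RFC 3580 attributes):
!   Tunnel-Type (64)              = VLAN (13)
!   Tunnel-Medium-Type (65)       = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81)  = "10"        <- VLAN 10
! A BLUE user receives the same attributes with Tunnel-Private-Group-ID = "20"
!
! ---- Transport virtualization: one VRF per VN; each user VLAN terminates in its VRF ----
ip vrf RED
 rd 65000:10
ip vrf BLUE
 rd 65000:20
!
vlan 10
 name RED-USERS
vlan 20
 name BLUE-USERS
!
interface Vlan10
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
!
! Same subnet as RED: legal, because BLUE is an independent routing domain and address space
interface Vlan20
 ip vrf forwarding BLUE
 ip address 10.1.1.1 255.255.255.0
!
! ---- Central services access: the only way out of each VRF is its own transit VLAN
!      to the perimeter firewall, which applies the per-VN policy ----
vlan 110
 name RED-TO-FIREWALL
vlan 120
 name BLUE-TO-FIREWALL
!
interface Vlan110
 ip vrf forwarding RED
 ip address 172.16.10.1 255.255.255.252
!
interface Vlan120
 ip vrf forwarding BLUE
 ip address 172.16.20.1 255.255.255.252
!
interface GigabitEthernet1/0/24
 description trunk to perimeter firewall, one transit VLAN per VN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,120
!
! Per-VRF default route: everything not inside the VN goes to the firewall's leg for that VN
ip route vrf RED  0.0.0.0 0.0.0.0 172.16.10.2
ip route vrf BLUE 0.0.0.0 0.0.0.0 172.16.20.2
```

A RED user who plugs into a different port, or a different switch with the same configuration, still receives VLAN 10 from RADIUS, so the traffic still lands in VRF RED and still leaves only through VLAN 110 toward the firewall; `show ip route vrf RED` and `show ip route vrf BLUE` show two unrelated tables, each with its own connected 10.1.1.0/24 and its own default route, and `show dot1x interface GigabitEthernet1/0/1` confirms which VLAN the port was authorized into. Newer IOS images replace `dot1x port-control auto` with `authentication port-control auto` plus `dot1x pae authenticator`; the RADIUS attributes are unchanged. If the per-VRF default route is omitted there is no path out of the VRF at all, which is the fail-closed behavior the perimeter model wants, but it also means any shared service has to be reached either through the firewall or through an explicit route import between VRFs, never by accident.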




Network Virtualization
ISBN: 1587052482
Year: 2006
Pages: 128