350-401 Virtualization

Virtualization Detailed Explanation

Virtualization allows one physical device to behave like many logical devices, which saves cost, improves flexibility, and makes networks easier to scale and manage. We'll start step-by-step from the basics.

1. Device Virtualization

1.1 VRF (Virtual Routing and Forwarding)

What is VRF?

• VRF allows multiple routing tables to exist on a single physical router.

• Each VRF is like a separate “virtual router” running inside the real router.

• Devices in different VRFs can’t talk to each other unless explicitly configured.

Why use VRF?

• Multi-tenant environments: ISPs can serve different customers using the same hardware.

• Security: Keeps different departments (e.g., HR and Finance) logically separated.

• MPLS networks rely heavily on VRF for customer traffic separation.

Visual Analogy:

Imagine a hotel with multiple guests. Each guest has their own room (VRF), and can only see their own space. They share the same building (router), but have no access to each other’s rooms.

Basic Configuration Example (Cisco IOS):

ip vrf CUSTOMER_A
 rd 100:1
!
interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER_A
 ip address 192.168.1.1 255.255.255.0
!
ip route vrf CUSTOMER_A 10.0.0.0 255.255.255.0 192.168.1.2

• ip vrf CUSTOMER_A creates a new VRF.

• The interface is assigned to the VRF.

• A route is added within the VRF.

Common Use Cases:

• MPLS VPNs for different customers.

• Internal department segmentation in large enterprises.

• Testing labs: simulate multiple networks using one router.

Important Note for Beginners:

VRF does not encrypt data or physically isolate traffic — it’s a logical separation, not a security mechanism like IPsec VPN.

1.2 Cisco CSR1000v

What is it?

• CSR1000v = Cloud Services Router 1000v

• It’s a fully virtual router — runs on software only (no physical chassis).

• Works on:

  • VMware ESXi

  • Microsoft Hyper-V

  • Amazon AWS

  • Microsoft Azure

Key Features Supported:

• Dynamic routing: OSPF, EIGRP, BGP

• VPN: IPsec

• NAT, QoS, ACLs

• Cloud integration: supports REST APIs and SD-WAN

Why use CSR1000v?

• Great for testing, cloud deployments, or lightweight branch routers.

• Avoids physical hardware costs.

• Integrates well into cloud-native environments.

Real-World Scenario:

An enterprise builds a new branch office in AWS. Instead of shipping a physical router, they spin up a CSR1000v instance in the AWS cloud and connect it to headquarters via VPN.

Summary for Device Virtualization

Concept	Purpose	Key Features
VRF	Logical routing isolation	Multiple routing tables per device
CSR1000v	Virtual router	Cloud-ready, supports enterprise features

2. Network Function Virtualization (NFV)

NFV is one of the most important developments in modern networking. It replaces dedicated hardware appliances (like firewalls or load balancers) with virtual machines running on general-purpose servers.

2.1 NFV Concepts

What is NFV?

• NFV stands for Network Function Virtualization.

• It transforms traditional, physical network functions (routers, firewalls, IDS/IPS, etc.) into software-based functions that run on standard servers.

Instead of buying a separate physical box for each function, you can run many network services on one server.

Key Components of NFV:

1. VNF (Virtual Network Function)

• This is the actual network service running as a virtual machine (VM).

• Examples:

  • A virtual firewall

  • A virtual router (CSR1000v)

  • A virtual WAN accelerator

• Each VNF can be independently deployed, updated, and scaled.

2. NFVi (NFV Infrastructure)

• The physical resources that support VNFs:

  • CPU

  • Memory

  • Storage

  • Networking

• Typically uses virtualization platforms like VMware ESXi, KVM, or OpenStack.

3. MANO (Management and Orchestration)

• This is the control system for managing all the virtualized services.

• Responsible for:

  • Provisioning VNFs

  • Monitoring performance

  • Scaling up/down resources

• Common MANO platforms:

  • Open Source MANO (OSM)

  • Cisco NSO (Network Services Orchestrator)

Visual Analogy:

Think of NFV like a hotel:

• Each VNF is a guest (firewall, router, etc.).

• NFVi is the building and utilities (electricity, plumbing, etc.).

• MANO is the front desk and management team — they assign rooms, handle requests, and monitor everything.

2.2 Benefits of NFV

1. Lower CAPEX/OPEX

• No need to buy and maintain multiple physical appliances.

• Use standard x86 servers.

• Fewer devices = less power, less cooling, lower costs.

2. Flexibility and Scalability

• You can deploy new services in minutes.

• Services can be moved, resized, or duplicated easily.

3. Faster Provisioning

• You don’t need to wait for hardware delivery.

• Deploy a new firewall or VPN server in software instantly.

Real-World Use Case:

A service provider wants to offer firewalls to customers. Instead of sending hardware to each customer site, they create VNFs in the cloud and give customers secure access — with lower cost and easier management.

Summary of Network Function Virtualization (NFV)

Component	Role	Example
VNF	The actual network function	Virtual firewall, router
NFVi	Physical infrastructure	CPU, RAM, storage
MANO	Orchestration layer	Cisco NSO, OSM

3. Server Virtualization Concepts

Server virtualization is the foundation of all modern IT and networking infrastructure. It allows one physical server to run multiple virtual machines (VMs), each acting like a separate computer.

3.1 Hypervisors

A hypervisor is the software layer that allows virtualization. It sits between the hardware and the virtual machines.

There are two types of hypervisors:

Type 1 – Bare-metal Hypervisor

• Installs directly on physical hardware.

• Used in data centers and production environments.

• Very efficient and stable.

• Examples:

  • VMware ESXi

  • Microsoft Hyper-V (on Server Core)

  • KVM (Linux-based)

Think of it as the foundation of a building — you build VMs directly on top of it.

Type 2 – Hosted Hypervisor

• Installs on top of a host operating system (like Windows or macOS).

• Used for labs, testing, or small-scale setups.

• Less efficient than Type 1, but easier to set up.

• Examples:

  • VMware Workstation

  • Oracle VirtualBox

  • Parallels Desktop (for Mac)

Like putting a tent inside your house — it works, but it’s limited by the house.

3.2 Virtual Machines (VMs)

What is a VM?

A VM is a software-based emulation of a computer. Each VM has its own:

• Operating system (Windows, Linux, etc.)

• CPU (virtual)

• Memory

• Storage

• Network adapter

You can have multiple VMs on a single server.

Benefits of VMs:

• Isolation: Each VM runs separately — crashing one doesn't affect others.

• Flexibility: Easily copy, move, backup, or clone.

• Efficiency: Use hardware resources more fully.

Real-world scenario:

• One physical server runs:

  • A web server VM

  • A file server VM

  • A Cisco CSR1000v router VM

This saves cost and simplifies deployment.

3.3 Virtual Switches

A virtual switch is a software switch that connects VMs to each other and to the outside world. It's built into the hypervisor.

Types of Virtual Switches:

Standard vSwitch (Virtual Switch)

• Basic Layer 2 switch

• Supports:

  • VLANs

  • Port groups

  • Uplink ports

Distributed vSwitch (DvSwitch – VMware)

• Centralized control across multiple ESXi hosts

• Better for large environments

Key Features of Virtual Switches:

VLAN Tagging

• Allows multiple VLANs over a single virtual interface

• Trunking is done just like on a physical switch

Port Groups

• Logical groupings of ports

• Used to apply policies (e.g., VLAN assignment, security settings)

Trunking Support

• Enables a VM or vNIC to carry traffic from multiple VLANs

• Important for devices like virtual firewalls or routers

Summary Table

Concept	Description	Use Case
Type 1 Hypervisor	Runs on hardware directly	Data center (ESXi, Hyper-V)
Type 2 Hypervisor	Runs on host OS	Testing/labs (VirtualBox)
VM	Virtual computer	Runs apps, services, routers
Virtual Switch	Software switch for VMs	VM-to-VM, VM-to-network traffic

4. Layer 2 Virtualization

Layer 2 virtualization allows you to create isolated broadcast domains within a physical switch or network — essential for security, scalability, and organization.

4.1 VLAN (Virtual Local Area Network)

What is a VLAN?

A VLAN is a logical grouping of devices on the same Layer 2 network, even if they are not physically connected to the same switch.

Each VLAN is a separate broadcast domain — just like a separate switch.

Why use VLANs?

• To separate different departments (e.g., HR, Finance, IT)

• To improve security

• To reduce broadcast traffic

• To enable better traffic management and policies

Basic VLAN Configuration (Cisco IOS):

vlan 10
 name HR
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10

Real-World Example:

• VLAN 10: HR

• VLAN 20: Finance

• VLAN 30: Engineering
  Even though these users connect to the same switch, they can’t see each other’s broadcasts — they are logically separated.

4.2 VLAN Trunking

What is trunking?

A trunk link allows a switch port to carry traffic from multiple VLANs.

Trunking is required when:

• Connecting switch to switch

• Connecting switch to router (Router-on-a-Stick)

• Connecting to virtual switches in virtualization platforms

Trunking Protocol:

• IEEE 802.1Q is the standard trunking method.

• It adds a 4-byte VLAN tag in the Ethernet frame.

Basic Trunk Configuration:

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

This interface will carry traffic for VLANs 10, 20, and 30.

What happens to untagged traffic?

By default, it is assigned to the native VLAN, which is typically VLAN 1 (but can be changed).

4.3 Private VLANs (PVLANs)

What are Private VLANs?

In large shared networks (like data centers), even within the same VLAN, you may want to restrict communication between hosts.

Private VLANs provide micro-segmentation within a VLAN.

Types of PVLANs:

Type	Can Talk To	Use Case
Promiscuous	Everyone	Default gateway or firewall
Isolated	Only promiscuous	Most secure — perfect for DMZ
Community	Same community + promiscuous	Devices that need limited group access

Example Use Case:

• Data center hosting many customer VMs on the same VLAN.

• You don’t want VMs from one customer to talk to another.

• Use isolated PVLANs to enforce that.

Real-World Summary:

Feature	Function	Why It Matters
VLAN	Logical segmentation	Reduces broadcasts, separates groups
Trunking	Carries multiple VLANs over one link	Needed for switch-to-switch or router links
Private VLAN	Micro-segmentation within VLAN	Ideal for data centers and security zones

5. Overlay Technologies

Overlay technologies allow you to build virtual networks on top of physical infrastructure. These are especially important in data centers, SD-WAN, and cloud environments where you need flexibility, scalability, and isolation across shared infrastructures.

5.1 GRE (Generic Routing Encapsulation)

What is GRE?

GRE is a tunneling protocol that allows you to encapsulate Layer 3 packets inside other Layer 3 packets.
It enables you to send data from one router to another through an IP network, even if that network doesn’t support your traffic type.

Key Features:

• Encapsulates almost any Layer 3 protocol (IPv4, IPv6, IPX, etc.)

• Doesn’t provide encryption by itself — often combined with IPsec for security

• Often used in:

  • Site-to-site VPNs

  • DMVPN (Dynamic Multipoint VPN)

  • Routing over non-routing-capable networks

Basic GRE Configuration Example (Cisco IOS):

interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1

Real-World Use Case:

You need to connect two routers over the internet, and you want to route OSPF between them. Use a GRE tunnel to allow OSPF traffic through.

5.2 VXLAN (Virtual Extensible LAN)

What is VXLAN?

VXLAN is a modern Layer 2 overlay that lets you stretch VLANs across Layer 3 networks — perfect for data centers, cloud, and multi-site networks.

How It Works:

• Encapsulates Ethernet frames in UDP packets

• Uses a 24-bit VNI (VXLAN Network Identifier) — supports 16 million segments (much more than the 4096 VLAN limit)

• Requires a VTEP (VXLAN Tunnel Endpoint) at each edge device

Benefits of VXLAN:

• Extends Layer 2 over Layer 3 — L2 adjacency without physical proximity

• Enables multi-tenant isolation (each VNI = tenant)

• Supports mobility of virtual machines

Where it’s used:

• Cisco SDA (Software-Defined Access)

• Cisco ACI (Application Centric Infrastructure)

• Data center fabrics

Analogy:

Think of VXLAN as giving each tenant in a skyscraper their own exclusive internal elevator shaft, even though the building’s exterior infrastructure is shared.

5.3 LISP (Locator/ID Separation Protocol)

What is LISP?

LISP is a routing architecture that separates a device’s identity (who you are) from its location (where you are).

Key Concepts:

• EID (Endpoint Identifier) = IP address of the device

• RLOC (Routing Locator) = IP address of the device’s location (e.g., the router it's behind)

• Map Servers help match EIDs to RLOCs

Benefits of LISP:

• Allows host mobility: a device can move between networks but keep its IP address

• Enables traffic engineering and multihoming

• Used in Cisco SDA to support dynamic user movement across sites

Real-world Use Case:

In Cisco SDA, users can move between offices (or buildings), and LISP ensures their policies and IP reachability follow them — no reconfiguration needed.

Summary Table

Overlay	Purpose	Key Benefit	Used In
GRE	Encapsulate Layer 3 over Layer 3	Protocol tunneling	DMVPN, OSPF over Internet
VXLAN	Extend Layer 2 over Layer 3	Millions of segments	SDA, ACI, Data centers
LISP	Separate identity/location	Mobility, policy persistence	SDA, WAN edge

6. Software Defined Networking (SDN) Principles

Software Defined Networking (SDN) is a new approach to networking where control is centralized and automated through software — instead of being manually configured on each device.

6.1 Control Plane Decoupling

What does this mean?

Traditionally, each network device (like a router or switch) makes its own forwarding decisions using a local control plane (e.g., running OSPF or STP).

With SDN:

• The control plane is moved to a centralized controller.

• The devices (called data plane devices) become simpler — they just forward traffic based on instructions from the controller.

Benefits:

• Centralized management

• Faster, more consistent policy deployment

• Easier network-wide changes and automation

Analogy:
Traditional networking = Each bus driver decides their own route.
SDN = One central traffic control tower tells all the buses where to go.

6.2 Southbound APIs

These are the interfaces used between the SDN controller and the network devices (like switches and routers). They allow the controller to tell devices what to do.

Common Southbound APIs:

API	Description
OpenFlow	The original SDN protocol. Used to program flow tables on switches.
NETCONF	XML-based protocol used to install, modify, and delete configurations.
RESTCONF	RESTful interface built on HTTP and YANG models. Easier and lighter than NETCONF.

Example:

The controller uses NETCONF to push a new configuration to a switch — no need to SSH into the switch manually.

6.3 Northbound APIs

Northbound APIs are used to communicate between the controller and external applications (such as monitoring systems, automation platforms, or security engines).

Purpose:

• Allows apps to read network state or request changes from the controller.

• Enables integration with custom dashboards, AI tools, or cloud orchestration systems.

Examples:

• A script that checks bandwidth utilization across all links

• A tool that automatically adjusts network paths when a server is under load

Why this matters:
Northbound APIs abstract the network — you don’t need to know each device’s command line; you interact with the controller.

6.4 SDN Examples

1. Cisco ACI (Application Centric Infrastructure)

• Data center-focused SDN solution.

• Policies are based on applications, not IPs or VLANs.

• Uses a central controller called the APIC.

2. Cisco SD-WAN (Viptela and Meraki)

• WAN-focused SDN.

• Centralized policy management across hundreds or thousands of sites.

• Uses vManage (GUI), vSmart (control plane), and vEdge (data plane).

3. OpenDaylight / ONOS

• Open-source SDN controllers.

• Used in research or open-platform environments.

• Highly customizable via APIs.

Summary Table

SDN Layer	Description	Example Technologies
Control Plane (Centralized)	Makes routing/switching decisions	Cisco APIC, vSmart
Data Plane (Device level)	Forwards packets	Cisco switches, routers
Southbound APIs	Controller → Devices	OpenFlow, NETCONF, RESTCONF
Northbound APIs	Controller → Apps	REST APIs for automation
SDN Solutions	End-to-end platforms	ACI, SD-WAN, Meraki, OpenDaylight

7. Virtual Routing and Switching Labs

These tools let you build fully virtualized network labs using real Cisco images or simulated devices. You can test routing, switching, security, and automation — without needing physical hardware.

7.1 EVE-NG (Emulated Virtual Environment – Next Generation)

What is EVE-NG?

EVE-NG is a powerful, browser-based network emulator that allows you to build complex labs using real Cisco IOS images, as well as devices from other vendors like Juniper, Palo Alto, and Fortinet.

Key Features:

• Fully web-based interface

• Supports multi-vendor topologies

• Can run Cisco IOSv, IOS-XRv, CSR1000v, and even full firewalls

• Excellent for CCNP/CCIE lab practice

• Allows integration with Wireshark, Docker containers, and Linux VMs

Why Use EVE-NG?

• Realistic, high-performance labs

• Perfect for testing routing protocols, VRF, SD-WAN, automation

• Can be installed on:

  • VMware ESXi

  • VMware Workstation

  • Google Cloud / AWS

  • Bare-metal

Example Use Case:

You want to build a 6-router OSPF and BGP lab to test redistribution and loop prevention. EVE-NG allows you to do this with full IOS routers, without buying real hardware.

7.2 GNS3 (Graphical Network Simulator 3)

What is GNS3?

GNS3 is a graphical tool that allows you to create network topologies and run real network device images using virtual machines.

Key Features:

• Visual drag-and-drop interface

• Runs real Cisco IOS via:

  • Dynamips

  • QEMU

  • VirtualBox/VMware

• Supports complex topologies with:

  • Cisco routers and switches

  • Linux servers

  • Firewalls (ASA, Palo Alto)

Pros and Cons:

• User-friendly for beginners

• Works on Windows, macOS, Linux

• Can get heavy on CPU/memory for large labs

• Not fully web-based like EVE-NG

Example Use Case:

Perfect for creating multi-router routing labs, practicing NAT, DHCP, ACLs, and simulating internet connectivity.

7.3 Cisco Packet Tracer

What is Packet Tracer?

Packet Tracer is a network simulation tool created by Cisco for beginners and CCNA students.

Key Features:

• Completely simulated devices (not real IOS)

• Lightweight, runs on basic hardware

• Graphical interface to design topologies

• Includes basic L2 and L3 device support

• Allows simple programming with Python or IoT modules

Pros and Cons:

• Great for absolute beginners

• Supports basic routing, switching, and wireless labs

• Limited features (no BGP, no real command-line syntax)

• Not ideal for CCNP/CCIE level labs

Example Use Case:

Building a lab with:

• 3 VLANs

• A trunk link

• A router-on-a-stick configuration

• Testing inter-VLAN routing

Summary Comparison Table

Tool	Platform	Uses Real IOS?	Best For
EVE-NG	Browser (Linux backend)	Yes	Advanced labs, CCNP/CCIE prep
GNS3	Desktop App (Windows/macOS/Linux)	Yes	Medium to advanced labs
Packet Tracer	Desktop App (Cisco Academy)	Simulated IOS	Beginners, CCNA students

Virtualization (Additional Content)

1. VRF Lite vs MPLS VRF

VRF (Virtual Routing and Forwarding):

A technology that allows multiple routing tables to coexist on the same router, logically separating traffic without physical separation.

Comparison Table:

Feature	VRF Lite	MPLS VRF (VPN)
MPLS Required	No	Yes
Common Use Case	Enterprise segmentation	Service provider VPNs
Routing Isolation	Yes	Yes
Control Plane	Local static/dynamic routing	MPLS label-based routing
Deployment Example	Separate dev/test/prod in one network	MPLS VPN customers on a provider edge

Summary:

• VRF Lite is ideal for intra-company segmentation without MPLS.

• MPLS VRF is used in carrier-grade environments for customer isolation.

2. GRE with IPsec Integration

Key Points:

• GRE (Generic Routing Encapsulation) is a tunneling protocol used to carry different Layer 3 protocols over an IP network.

• GRE does not provide encryption or confidentiality.

Recommendation:

In production, GRE is often encapsulated inside IPsec to combine the tunneling capability of GRE with the encryption and authentication of IPsec.

Example Use Case:

• Site-to-site VPN with dynamic routing over GRE, secured via IPsec.

3. Overlay vs Underlay Networks

Understanding the difference between these two layers is crucial in virtualization and SDN topics.

Type	Description	Examples
Underlay	The physical network used to transport data between endpoints. It provides IP connectivity.	OSPF, BGP, Ethernet, MPLS
Overlay	A logical network built on top of the underlay. It abstracts routing/forwarding using encapsulation.	GRE, VXLAN, SD-WAN tunnels

Summary:

• Overlay networks ride on top of underlay networks, often using encapsulation technologies.

• This separation allows flexible segmentation, policy enforcement, and multi-tenancy without changes to the physical topology.

4. SDN Controller Examples and Clarification

SDN Controllers:

An SDN controller is a central software component that manages the control plane of a network by using southbound APIs to push configurations and policies.

Examples:

Controller	Description
Cisco DNA Center	Offers policy-based automation, telemetry, and northbound REST APIs. It’s not a traditional SDN controller, but it exhibits SDN-like behavior.
Cisco APIC	Application Policy Infrastructure Controller — used in Cisco ACI (data center SDN)
OpenDaylight	Open-source SDN controller supporting multiple southbound protocols
Cisco vSmart	Used in SD-WAN for policy and control distribution

Clarification:

DNA Center supports policy abstraction, intent-based networking, and southbound interface control, hence can be considered partially SDN-compliant.

5. vSwitch Control Plane: Distributed vs Standard

Types of vSwitches in Virtualized Environments:

Type	Management	Description
Standard vSwitch (vSS)	Managed per host	Configured locally on each ESXi host
Distributed vSwitch (vDS / DvSwitch)	Managed centrally via vCenter	Provides consistent policy across multiple hosts

Key Clarification:

“Distributed switches require centralized platforms like vCenter for deployment and control.”

This is important because candidates may assume the DvSwitch is a standalone component, when in reality it depends entirely on VMware vCenter.