Sophisticated networking devices have enough resources to support multiple logical instances of the networking device. Thus, a networking device may be logically partitioned to into multiple sets of resources so that each set of resources can be operated independently with its own operating system and/or applications. Issues may arise when segmented networks are used with logically partitioned networking devices.
Many enterprises wish to run multiple network segments within the same campus, wide area network (WAN), or data center environment. A network segment may be associated with a virtual local area network (VLAN). A VLAN may include a group of servers and/or hosts with a common set of requirements that communicate via broadcasting on the data link layer. The data link layer maps to the second level (L2) of an open systems interconnect (OSI) networking model. A network segment may be represented by a label or tag. In one example, the label may be a VLAN identifier (VLAN ID). While a VLAN ID is described, one skilled in the art will appreciate that more generally a segment identifier may be employed. The use of VLAN technology to create numerous L2 parallel network-wide segments may be cumbersome, unreliable, and prone to configuration errors. Thus, the scope of L2 network segmentation may be constrained to the campus environment to avoid establishing large L2/VLAN broadcast domains (e.g., network segment) over a wide area network (WAN) like the Internet. Constraining L2 network segmentation may prevent proliferation of parallel networks over large public networks that cannot be configured to accept the VLAN segmentation. Proliferation may be a problem because a large number of networking devices in the WAN would have to be configured to accept the segmentation of the network. In some instances, creation of parallel networks may not be allowed on public networks, while creation of parallel networks may be allowed on smaller campus networks.
Typically, enterprises used level three (L3) routing to process packets crossing into a WAN and to limit the size of the L2 domains in a campus network. These typical embodiments also use L3 segmentation processes including virtual route forwarding (VRF) and virtual routing (VR) to preserve the network segment information when transmitting data across the WAN. These processes may be performed without creating a parallel network on a WAN. Enterprises distribute internet protocol (IP) services, for example, voice over Internet protocol (VoIP) end-points, security controls, and quarantine segments, throughout the campus or data center environment. As a result, VLAN technology has become increasingly complicated.
The use of L2 access control lists between the VLAN segments may have complicated management and security. Thus, enterprises turned to L3 Internet Protocol (IP) aware routing and security technologies to manage the IP applications and assets associated with network segments. As a result, distribution of L3 routing segmentation processes has gone deeper into campus networks and/or local data centers. Typical L3 segmentation employs parallel L2 VLAN segments, dedicated interfaces for VLAN segments, and per segment routing processes and routing tables.
Virtual Networks (vNETs) may solve issues related to scalability and inter-segment traffic flows by allowing support for segmentation at the L2 level where previous embodiments required segmentation to be performed at the L3 level. A virtual private network (VPN) may be an example of a vNET that satisfies the issues related to scalability and inter-segment traffic flows. vNETs may include the coupling of Ethernet VLAN segments and virtual route forwarding (VRF) tables to facilitate dividing network segments through L2 switching entities (L2SE) and L3 routing entities (L3RE). This may allow segmentation at the L2 switching level and also allow L3 routing. For example, L2 switching may occur within a campus network and L3 routing may occur when crossing into a WAN including the Internet. This may prevent a need for configuring WAN networking devices with information associated with the parallel networks segments.
However, issues may occur with network segmentation schemes (e.g., vNETs and VPNs) that are used with network devices that are logically partitioned. Logically partitioned network devices may include different subsets of a networking device hardware and/or resource that may be virtualized as separate networking devices and/or separate computing devices. In effect, a computing device may be partitioned into multiple logical devices housing separate applications and/or operating systems. Network devices that are logically partitioned may employ VRF tables and/or routing tables for each logical partition to route information associated with network segments. Thus, it may be difficult to use logically partitioned network devices with vNET networking environments. One skilled in the art will appreciate that multiple virtual route forwarding tables and multiple VLANs may exist within a single virtual network device. Although there may be multiple virtual route forwarding tables and multiple VLANs in a virtual network device, and although there may be multiple virtual network devices in a single physical network device, the virtual route forwarding tables and the VLANS in a virtual network device are independent of other virtual route forwarding tables and VLANS in other virtual network devices, even if the virtual network devices are located in the same physical device.