Network Function Virtualization

What NFV is, its benefits, and how to design it in Enterprise organizations


Most of the enterprise customers have connectivity to the cloud for IaaS, SaaS or PaaS services. The cloud offers enterprise customers many benefits. It is very common for an enterprise to adopt cloud-based services to:

  • Increase agility
  • Provide on-demand services for computing resources
  • Reduce CAPEX


Enterprise architects prefer having control of the services in their tenant space within the cloud infrastructure. The concept of network function virtualization (NFV) comes up here. NFV elements are prevalent in IaaS cloud services. NFV brings a simple concept of implementing network service elements such as routing, load balancers, VPN services, WAN optimization, and firewalls in software. This is possible due to the new capability of provisioning memory and server facility to the network service elements. The NFV elements can be automated enabling faster provisioning of service. These virtual services enable an enterprise to have these network functions in an on-premises data center, in the provider cloud, or at a branch location.


NFV offers new ways to design, orchestrate, and manage network services. NFV decouples network functions from underlying hardware so these functions can run as software images on commodity hardware as well as custom-built hardware. NFV is a framework that provides virtualization of network services such as routing, load balancing, firewall services, intrusion detection and prevention, and network address translation into building blocks. These services can be chained together to create network service chains tailored for different use cases.


The concept of NFV originated from service providers looking to increase the agility and flexibility of deploying new network services to support growing customer demands. NFV is complementary to SDN, and there is no dependency between SDN and NFV. NFV can be implemented using non-SDN mechanism leveraging techniques commonly deployed in many data centers. However, combining SDN with NFV simplifies deployment, operation and maintenance procedures.


Branch Virtualization with NFV

The NFV approach to branch virtualization opens up new technology avenues by providing a platform for customers to deploy virtualized network elements as required. Coupling this with an easy-to-use end-to-end orchestration and management framework, enterprises are able to significantly reduce costs and get better return on investment (ROI) by avoiding expensive truck rolls (technician dispatch costs) to enable services at their branches. These are the key aspects of branch virtualization:

  • Programmability—You can leverage open APIs to enable better automation of network services while improving visibility.
  • Agility—You gain flexibility in deploying services quickly in a timely manner. You can improve business efficiency in capital and operations by meeting the evolving business requirements, including traffic growth, diversity of traffic types, performance, reliability demands, and expectations.
  • Simplicity—You can reduce complexity from services and operations and endorse more nimble business models. You gain the ability to manage all branches with a single pane of glass.


Branch virtualization leverages a specialized platform customized to take care of NFV requirements and offload special functions, such as encryption and customized drivers, to provide increased performance for different NFV elements. You will see the terms NFV and VNF (Virtual Network Functions). It is good to understand the difference between the two terminologies. NFV is a complete virtual service paradigm, while VNF is a virtual network element or service that is part of the NFV framework. These are the foundation blocks for building this next-generation branch network:

  • Customized x86 hardware to host VNF elements
  • Optimized hypervisor platform to launch VNF elements
  • Solid foundation of orchestration engine
  • Flexible options for I/O


Design Considerations for Branch Virtualization with NFV

Now that you are familiar with the concept of network function virtualization and its benefits, what are some of the areas you should consider when planning for branch virtualization with NFV?

Hardware Hosting Platform:

The hardware platform can be any x86-based server, a server blade that runs inside your existing routing platform, or a customized x86-based platform that provides options for specialized interfaces for WAN and 4G/LTE access.  Additionally, data encryption has become table stake for providing data privacy and security.  To ensure high performance encryption capability, one may want to consider a hardware platform that includes crypto offload module or CPU chipsets that are include an enhanced crypto function such as the Advanced Encryption Standard New Instruction (AES-NI) library from Intel.



Hardware OptionsProsCons
Generic x86-based Server
  • Low cost
  • Readily available
  • Can leverage crypto library from CPU vendors like Intel AES-NI
  • Ideal for proof of concept
  • Wider vendor selections
  • Average server lifespan is 3-5 years
  • Require external device for specialized WAN connections and/or 4G/LTE access
Server Blade in existing routers/switches
  • Server Blade in existing routers/switches
  • Simple integration into existing infrastructure
  • Supports integrated special WAN and 4G/LTE access
  • Longer lifespan and support  for the hardware (7-10 years average)
  • Supports embedded crypto offload module
  • Ideal for brownfield deployments
  • Additional cost for the server blade
  • Limited vendor selection
Customized x86-based Server
  • Customized x86-based Server
  • Optimized for NFV environment
  • Can have optional support for specialized WAN and 4G/LTE access
  • Supports optional crypto offload module
  • Ideal for greenfield deployments
  • Longer lifespan and support  for the hardware
  • Higher initial CAPEX
  • Limited vendor selection


Hypervisor Platform for VNF elements:

A hypervisor is similar to an operating system in some ways, and it is different in others. A hypervisor is a software that provides operating system services to virtual machines running on it.  There are two types of hypervisors.  A type 1 hypervisor runs over bare-metal x86 hardware architecture, as an operating system does, but it also enables other operating systems to run on it. A type 2 hypervisor runs on an OS as a hosted environment. Type 1 hypervisors have direct access to hardware and hence provide better performance than type 2 hypervisors which run on an OS.


The common types of hypervisors in the market today are:

  • VMWare ESXi
  • KVM
  • Microsoft Hyper-V
  • Xen


To successfully host network function virtualizations and meet the throughput and latency requirements of the hosted VNFs, there are considerations you have to factor in for hypervisor selection.

  • Data plane latency variation for VNFs
  • High performance network I/O for all packet sizes
  • Control plane timing variations and correctness for real-time VNFs
  • Inter-VM communication


To that end, Single Root I/O Virtualization (SR-IOV) is a mean to minimize latency for networking of virtual machines that are latency sensitive or require more CPU resources.  To make use of SR-IOV, the hardware (PCIe devices), hypervisor platform, and VNF all have to support the capability.


Additionally, Data Plane Development Kit (DPDK) is a set of libraries and drivers that is used to improve packets processing performance while optimizing CPU cycle usage for network I/O intensive VNFs.  The DPDK increases the network I/O throughput of the VNFs that support it.


Hypervisor OptionsType of HypervisorOpen SourceSR-IOV SupportDPDK SupportPara-virtualization Capable
ESXiType 1No


ESXi 5.1 or later


ESXi 5.5 or later

KVMType 1Yes



Hyper-VType 1No


Windows Server 2012 or later

XenType 1YesYesYesYes



NFV enables on-demand service and centralized orchestration for integrating the new service into the existing ones—in essence creating a service chain. For example, a customer who desires firewall functionality can use a portal to choose among a list of VNFs (ASAv, vWAAS, and so on), which will then be deployed dynamically on the platform. Enterprises gain the ability to choose “best of breed” VNFs to implement a particular service. By using NFV, you can spawn virtual devices to scale to new feature requirements.  For example, the branch router has a security gateway (firewall and Sourcefire) that provides functionalities such as firewall services, Advanced Malware Protection (AMP), Application Visibility and Control (AVC), and URL filtering. Instead of using firewall functionality in the router, you have an option of using an NFV element that provides additional security functionality.


About the Author

pic Stephen Lynn.png


pic Stephen Lynn book.jpg

Stephen Lynn is CCDE #20130056 and triple CCIE #5507 (Routing and Switching/WAN/Security). He is an architect at Cisco working with US federal government customers. He specializes in large-scale enterprise designs for campus, WAN, and data center. Most of the contents are covered in more detail in the Cisco Press book he recently published Virtual Routing with Cisco Cloud Services Router (CSR 1000V).




Here are a few additional ways for us to engage and keep the conversation going: