Applied to servers or storage, virtualisation lets users host dozens or hundreds of server operating system instances, or divide and control the amounts of storage on different disks, both from a few large machines. The technology provides lower operational costs and less complexity, proponents say.
Network vendors say virtualisation also can apply to enterprise core and edge routing. For segmenting an enterprise into various subnetworks -- with different rules and controls -- users can tap into virtual routing features in switches instead of buying and plugging in new chassis or boxes to do this separation.
The concept of virtual networking is nothing new, as virtual LAN technology for years has been a tried and tested way to set up secure, separate LAN segments on a single Ethernet switch or across multiple switches.
Many vendors now are touting the virtualised routing features inside their core chassis switches as a similar tool for segmenting parts of an enterprise at Layer 3 and providing more security and control over internal and external network traffic.
Segregation via VRF
In MPLS carrier networks, Virtual Routing and Forwarding (VRF) is used to segregate customer traffic into separately routed segments, sometimes operating on the same box.
For corporate use, VRF-lite (a smaller-scale implementation that does not require MPLS) carves a single router into multiple virtual boxes, vendors say. Extreme, for instance, includes virtual router configuration as a feature in its modular ExtremeWare XOS switch operating system.
Juniper supports the technology on its ISG line of security router/firewalls, as well as other routing platforms. Cisco includes support for VRF and VRF-lite in the IOS version of its Catalyst 6500 switch.
Foundry Networks' NetIron switches support Multi-VRF, which lets users create virtual routing domains in a box. These domains, similar to Layer 2 VLANs, segregate traffic flows. Users can install firewalls outside the box or use internal access-control lists to regulate what traffic is shared among virtual router segments.
"If you have four or five network segments, you can create four or five different routing tables for each of these" using technologies such as VRF, says Hasan Siraj, a product manager for Cisco's Catalyst 6500 switch family.
"These routing tables will be maintained throughout the network, and you can even have overlapping IP addresses between these two networks, and they would not know about it."
VRF and VRF-lite are activated and configured through commands in Cisco IOS, which is required to run virtualised, routed segments on a Catalyst 6500, according to Marie Hattar, marketing director for Cisco's router and switch products.
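As an added illustration (not from the article or from Cisco), the following VRF-lite configuration fragment in classic IOS syntax shows two routing tables on one box with the same 10.1.1.0/24 prefix assigned in each; the VRF names, interface numbers, route distinguishers and next-hop addresses are assumed for the example.

```cisco
! Two independent routing tables on a single router (VRF-lite, no MPLS).
ip vrf FINANCE
 rd 65000:10
!
ip vrf GUEST
 rd 65000:20
!
! Each interface is bound to one VRF before its address is set;
! the same prefix can exist in both tables because lookups are per VRF.
interface GigabitEthernet1/1
 description Finance segment
 ip vrf forwarding FINANCE
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description Guest segment (overlapping prefix, separate table)
 ip vrf forwarding GUEST
 ip address 10.1.1.1 255.255.255.0
!
! Default routes are scoped to a VRF; without explicit route leaking
! or an external firewall path, FINANCE and GUEST cannot reach each other.
ip route vrf FINANCE 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf GUEST 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification: each table shows only its own routes.
! show ip route vrf FINANCE
! show ip route vrf GUEST
! ping vrf GUEST 10.1.1.10
```

The `show ip route vrf` check is how an operator confirms that a segment's routes are not visible from the other table, which is the isolation property the article's Cisco quote describes.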
"What we're looking for, in terms of a future implementation, is how we can evolve the IP-based technology to make it easier to do virtualisation," Hattar says.
She says Cisco is working on new technologies that will help make virtual routing configurations easier to set up. She didn't say whether this technology will take the form of a GUI for configuring protocols such as VRF or Generic Route Encapsulation, or some other method.
"This will leverage components of VRF," Hattar says. "We're attempting to give enterprise customers a way to set up virtualised services without having to use an MPLS-based implementation, which is more complicated."
Amica Insurance uses virtual routing features on its Extreme BlackDiamond 10K in concert with a Juniper ISG router/firewall, which is segmented into virtual routers.
This set-up collapses a complex edge infrastructure of Web, VPN and extranet traffic into two physical boxes, according to Ron Rivet, director of IT for the company.
In Amica's network the BlackDiamond 10K is split into six virtual routers, each with its own routing tables, IP address, and access controls and rules. One virtual router handles all incoming and outgoing Internet traffic, with multiple DS-3 connections.
This router connects to the Juniper firewall, which also is divided into multiple virtual routers. The ISG filters the packets and determines if traffic goes to one of several DMZs -- which front extranet applications or public Web sites -- or to VPN segments that host applications running on the company's internal network.
The ISG sends the segmented traffic to a second virtual router, which routes traffic to a virtual router segment in the ISG -- where firewall rules are applied a second time. From there, the traffic is sent to one of the virtual routers in the BlackDiamond 10K, which handles traffic for the various network segments.
"We don't have to have as many routers to configure because we're handling all of this essentially with two boxes," Rivet says. "And because one of the boxes is a firewall, you keep passing through firewall rules... so between the two boxes we really feel we're protecting ourselves, because all traffic is getting checked twice. You can't get anywhere you're not supposed to go."
Rivet says putting in individual boxes from different vendors to handle traffic at each step of Amica's network security set-up would be costly -- he estimates US$50,000 to $100,000 more in hardware -- and harder to manage.
"We don't have to have multiple pieces of equipment from lots of different companies to configure," which eliminates "all that back-and-forth, whose-problem-is-it-really kind of thing" among vendors, Rivet says.
Most enterprises, however, probably won't tap into the kinds of virtual routing features used by Amica or offered by Cisco, Foundry and the others, industry observers say.
"These types of network virtualisation features are really for telcos and high-end enterprises that have multiple customers or departments to serve and need this type of virtualisation to scale," says Zeus Kerravala, an analyst with Yankee Group.
"The concept of virtualisation is still mostly popular in the server and computing area," where many individual Windows, Unix or Linux servers are turned into virtual machines and run from a single, larger mainframe or multiprocessor box.
Others say adding an additional router and segmenting the network on physical boxes is an easier and more secure method for carving out network segments in a large enterprise.