Transcript
Embracing SDN in Next Generation Networks: Introduction and Use Cases
Moving SDN Beyond the Hype
Craig Hill, Distinguished Systems Engineer, U.S. Federal, CCIE #1628, [email protected]
Eric Voit, Principal Engineer, Core Software Group (CSG), [email protected]
Cisco Public
Day at the Movies, February 25, 2015
• Introduction: Evolution, Why and What is SDN, Control Plane Architecture Models
• SDN Controller and OpenDaylight Deep Dive
• SDN in the WAN: Overview and Use Cases
• What is YANG? Overview and Direction
• Network Function Virtualization (NFV) Overview and Use Case
• Data Center Fabric Overlay Solutions: Intro to ACI
• Summary
“A way to optimize link utilization in my network: enhanced, application driven routing”
“An open solution for customized flow forwarding in and between Data Centers”
“A platform for developing new control planes”
“An open solution for VM mobility in the Data-Center”
“A way to reduce the CAPEX of my network and leverage commodity switches”
“A solution to automated network configuration and control”
“A means to get assured quality of experience for my cloud service offerings”
“A solution to build a very large scale layer-2 network”
“A solution to build virtual topologies with optimum multicast forwarding behavior”
“A means to scale my fixed/mobile gateways and optimize their placement”
“A way to optimize broadcast TV delivery by optimizing cache placement and cache selection”
“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
“Develop solutions at software speeds: I don’t want to work with my network vendor or go through lengthy standardization.”
“A way to configure my entire network as a whole rather than individual devices”
“A means to do traffic engineering without MPLS”
“A way to build my own security/encryption solution”
“A solution to get a global view of the network – topology and state”
“A way to scale my firewalls and load balancers”
Key Drivers: Device/Network Virtualization, Automation, Open Programmability, Simplified Operations, Central Orchestration
Cisco and Customer NDA Only © 2013 Cisco Systems, Inc. All rights reserved.
in·flec·tion point (noun)
1. MATHEMATICS: a point of a curve at which a change in the direction of curvature occurs
2. BUSINESS: a time of significant change in a situation; a turning point
#1: August 3, 2006
#2 – STANFORD “CLEAN SLATE PROJECT” OPENFLOW
• Original Motivation: driven out of Stanford’s Clean Slate Project and the research community’s desire to be able to experiment with new control paradigms
• Base Assumption: providing reasonable abstractions for control requires the control system topology to be decoupled from the physical network topology (as in the top-down approach)
• OpenFlow was designed to facilitate separation of control and data planes in a standardized way
• Current spec is both a device model and a protocol
  OpenFlow Device Model: an abstraction of a network element (switch/router); currently (versions <= 1.3) focused on Forwarding Plane Abstraction
  OpenFlow Protocol: a communications protocol that provides access to the forwarding plane of an OpenFlow Device
What is SDN? (per Wikipedia definition)
Software defined networking (SDN) is an approach to building computer networks that separates and abstracts elements of these systems.
In other words… in the SDN paradigm, not all processing happens inside the same device.
Why SDN? What is the focus and target for SDN?
INFRASTRUCTURE AND OPERATIONS IS EVOLVING
Managed → Automated, “IT-less”
Configurable (CLI) → Orchestrated (Programmatic API)
Apps Independent of Network → Tight App Linkage to Network
Private vs Public Cloud → Hybrid Cloud
Proprietary → Open & Interoperable
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Cost per Object must
Agility must
Operations must Adapt
Virtualization = explosion in Objects; 50%+ of outages from mis-config; speed to activation too slow
Peering of Controller & Network Element Intelligence
Mechanization of logic in CCIE brains
Evolving choices in abstraction: CLI, API, GUI, Easy Button
…to “Automate” and “Simplify” the centralized provisioning and administration of the network…
…and for the network to have greater awareness of “Application” needs
CUSTOMER TARGET AREAS AND USES TO LEVERAGE SDN
Research/Academia
§ Experimental OpenFlow/SDN components for production networks
Ø Network “Slicing”, experimentation with network programming
Massively Scalable Data Center
§ Customize with Programmatic APIs to provide deep insight into network traffic
Ø Network flow management, rapid provisioning and rich set of services
Cloud (Ent/SP/H)
§ Automated provisioning and programmable overlay
Ø Scalable “Multitenancy” XaaS, automated and rapid provisioning, multi functions, elastic up/down services, scale
Service Providers
§ Broad service offering, policy-based control, analytics, optimized to monetize service delivery
Ø NFV, agile service delivery (XaaS), network wide service orchestration, cross domain
Enterprise
§ Virtualization of workloads, hybrid cloud, specific functions, security and user focused
Ø Private Cloud automation, WAN optimizing, TE, simpler mgmt and provisioning for QoS, policies…
Not a single “one size fits all”: diverse functionality and outcomes are required across segments.
“…In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications…”
OpenDaylight: open source project formed by industry leaders and others under the Linux Foundation. “…OpenDaylight's mission is to facilitate a community-led, industry-supported open source framework, including code and architecture, to accelerate and advance a common, robust Software-Defined Networking platform…”
OpenStack: open source software for building public and private clouds; includes Compute (Nova), Networking (Neutron) and Storage (Swift) services.
“NfV - Network function Virtualisation is an ETSI ISG (Industry Specification Group). NfV is the transition of network infrastructure services to run on virtualised compute platforms – typically x86”
Traditional Control Plane Architecture (Distributed)
• Control plane is tightly coupled to the network device
• Minimal application programmability of network devices (CLI, SNMP, NETCONF)
• EX: Cisco router, Catalyst or Nexus switches
(Figure: Application; APIs; Distributed Control Plane; Centralized Control Plane; Data Plane)
SDN Control Plane Architecture (Centralized)
• Control plane is centralized
• Control plane abstracted from the forwarding HW
• Communications channel exists between control plane and forwarding HW (OpenFlow agent on device)
• EX: OpenFlow Model (controller, agent on HW)
(Figure: Application; APIs; Distributed Control Plane; Centralized Control Plane; control channel; Data Plane)
CENTRALIZED CONTROL PLANE CONCEPTS
Implementation Perspective: Evolve Control-Plane and Network Programmability
SDN Control Plane Architecture (Centralized):
• Applications layered on top, reached through the “North Bound” control and API
• Controller: an operating system controlling the entire network
• Communication channel to the network element: the “South Bound” control and API
• Packet Forwarding Hardware controlled through the Southbound API
(Figure: programmability stack)
Application Frameworks, Management Systems, Controllers, …: OnePK C/Java, Python, NETCONF, REST, OpenFlow, ACI Fabric, OpenStack, Puppet
Protocols: RESTful; Management (Puppet); Orchestration (Neutron); Network Services (BGP, PCEP, …, OpFlex); Control/Forwarding (OpenFlow, onePK)
Device: Plug-Ins API (OnePK) and Data Models (YANG, XML/JSON); Operating Systems – IOS / NX-OS / IOS-XR
THERE ARE MANY OPTIONS FOR PROGRAMMABILITY
• PCEP • BGP-LS • OpenFlow • NETCONF • YANG • I2RS • BGP-FlowSpec • REST • onePK
• Puppet • Chef • Ansible • SNMP • NetFlow • CLI • Syslog • Others…
(Slide colour key: yellow – directly to device; blue – either direct to device or controller (NB))
What is OpenFlow? (per Wikipedia definition)
OpenFlow is a Layer 2 communications protocol that gives access to the forwarding plane of a network switch or router over the network.
4 Components to OpenFlow:
1. OpenFlow Controller
2. Controller + NB API
3. OpenFlow Device agent
4. OpenFlow Protocol
Basic Flow Table and 12-Tuple example (OpenFlow v1.0)
Flow table entry: HEADER FIELDS | COUNTERS | ACTIONS
Header fields, the “famous” OpenFlow 12-tuple:
1. Ingress Port
2. Source MAC
3. Dest MAC
4. Ether Type
5. VLAN ID
6. VLAN Priority
7. IP SRC
8. IP DEST
9. IP Protocol
10. IP TOS
11. TCP/UDP SRC
12. TCP/UDP DEST
Required Actions Supported by an “OpenFlow 1.0” Switch
(Figure: OpenFlow Controller above a Switch containing the Flow Table, CPU and Switch Forwarding Engine; the numbered actions below are marked on the figure)
1. Forward out all ports except input port
2. Redirect to OpenFlow Controller
3. Forward to local Forwarding Stack (CPU)
4. Perform action in flow table
5. Forward to input port
6. Forward to destination port
7. Drop Packet
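The 12-tuple match and the required actions above, as an added example that is not part of the original deck: a small Python model of an OpenFlow 1.0 flow table with priority-ordered entries, wildcardable header fields (IP fields may carry a prefix mask), per-entry counters, and the OUTPUT virtual ports ALL, CONTROLLER, LOCAL, IN_PORT and TABLE; an entry with no actions drops, and a table miss goes to the controller. The field names, sample entries and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# The OpenFlow 1.0 12-tuple in the order the slide numbers it (1..12). Field names are
# constructed for this example: ingress port, MACs, EtherType, VLAN id/priority,
# IP src/dst/protocol/TOS, L4 src/dst port. A field absent from a match is wildcarded.
TUPLE_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
                "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")


@dataclass
class FlowEntry:
    """One flow-table row: header fields, counters, actions."""
    match: dict                                    # field -> value (nw_src/nw_dst may be CIDR)
    actions: list = field(default_factory=list)    # ordered ("OUTPUT", port) pairs; empty = drop
    priority: int = 0
    packets: int = 0                               # counters, updated on every hit
    bytes: int = 0

    def matches(self, pkt):
        """True if every non-wildcarded field of this entry matches the packet's headers."""
        for fld, want in self.match.items():
            if fld not in TUPLE_FIELDS:
                raise ValueError(f"{fld} is not one of the 12 OpenFlow 1.0 header fields")
            have = pkt.get(fld)
            if have is None:
                return False                       # e.g. an ARP frame carries no IP fields
            if fld in ("nw_src", "nw_dst"):
                # OpenFlow 1.0 lets the IP fields carry a prefix mask, e.g. "10.1.0.0/16".
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


class OpenFlowSwitch:
    """A single-table OpenFlow 1.0 switch: lookup, counters and the required forwarding actions."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = []

    def add_flow(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)   # highest priority wins on overlap

    def lookup(self, pkt):
        return next((e for e in self.table if e.matches(pkt)), None)

    def process(self, pkt, length):
        """Apply the matching entry's actions; return the destinations the packet is sent to."""
        entry = self.lookup(pkt)
        if entry is None:
            return [("CONTROLLER", None)]          # table miss: packet-in to the controller
        entry.packets += 1
        entry.bytes += length
        out = []
        for action, port in entry.actions:
            if action != "OUTPUT":
                raise ValueError("only the required OUTPUT action is modelled here")
            if port == "ALL":                      # action 1: every port except the input port
                out += [("PORT", p) for p in self.ports if p != pkt["in_port"]]
            elif port == "IN_PORT":                # action 5: back out the port it arrived on
                out.append(("PORT", pkt["in_port"]))
            elif port in ("CONTROLLER", "LOCAL", "TABLE"):   # actions 2-4: virtual ports
                out.append((port, None))
            else:                                  # action 6: a specific destination port
                out.append(("PORT", port))
        return out                                 # empty when no actions: action 7, drop


def build_demo_switch():
    """Constructed sample table: drop inbound SSH to 10.1/16, forward the rest of 10.1/16, flood ARP."""
    sw = OpenFlowSwitch(ports=[1, 2, 3, 4])
    sw.add_flow(FlowEntry({"dl_type": 0x0800, "nw_dst": "10.1.0.0/16", "nw_proto": 6, "tp_dst": 22},
                          actions=[], priority=200))
    sw.add_flow(FlowEntry({"dl_type": 0x0800, "nw_dst": "10.1.0.0/16"},
                          actions=[("OUTPUT", 3)], priority=100))
    sw.add_flow(FlowEntry({"dl_type": 0x0806}, actions=[("OUTPUT", "ALL")], priority=50))
    return sw


# Constructed sample packets (header dicts, not real frames).
SSH_PKT = {"in_port": 1, "dl_type": 0x0800, "nw_src": "192.0.2.5", "nw_dst": "10.1.2.3",
           "nw_proto": 6, "nw_tos": 0, "tp_src": 40000, "tp_dst": 22}
HTTP_PKT = dict(SSH_PKT, tp_dst=80)
ARP_PKT = {"in_port": 2, "dl_type": 0x0806}
IPV6_PKT = {"in_port": 1, "dl_type": 0x86DD}

if __name__ == "__main__":
    sw = build_demo_switch()
    for name, pkt in (("ssh", SSH_PKT), ("http", HTTP_PKT), ("arp", ARP_PKT), ("ipv6", IPV6_PKT)):
        print(name, sw.process(pkt, 1500))
```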
HYBRID CONTROL PLANE MODELS (Source: ONF Hybrid WG)
Centralize When Needed, Default Distributed Control Plane for All Else
(Figure: Applications; Network Middleware; Network Devices with On-Box Control Plane; Application, APIs, Distributed Control Plane, Centralized Control Plane, Data Plane)
• Offers the best of both models
• Utilizes existing distributed and central control plane
• Central controller for optimized behavior and performance
• Leverage current routing innovations and services (IP/MPLS, TE, L2 VPN, convergence, OAM…) with benefits of central programmable orchestration
KEY TARGET AREAS AND COMPONENTS FOR A SDN
Mask Complexity, Virtualizing Network Functions, Central Orchestration, Open APIs
• Open Innovation, Open Source, Open APIs to offer programmability and granular control from applications beyond CLI
• Centralized Programmability, Automation, and orchestration of network-wide functions: automate and orchestrate behavior to many devices… WAN BW, NFV, service chains, and XaaS
• Virtualization (NFV) capabilities of physical network elements: leverage service-chaining of Phy/Virt – routers, FW, LB, all elements
• Ability to orchestrate, provision, insert L4-L7 in real-time
• Leverage the abstraction of SDN to solve real problems, not add more technology to the network
Hybrid Model - Collaborative Control Plane Architecture
• Utilizes existing control/data plane model + abstracted control plane and APIs to leverage application programmability
• Offers the best of current routing (IP/MPLS, convergence, OAM) with benefits of programmable APIs, while leveraging network analytics
EXPOSE NETWORK INTELLIGENCE – BIDIRECTIONALLY
(Figure: Program for Optimized Experience, top down: Applications → Workflow and Intent → Services Orchestration → Network Intelligence, Guidance → Policy (Application + Network + Security) → Programmability → Network. Harvest Network Intelligence and Security, bottom up: Network → Statistics, States, Objects and Events → Analytics)
Cisco SDN Strategy
“Buy Solution” Customer Set: more interested in integrated solution sets → APIC | APIC-EM | WAE
“Make/Build” Customer Set: open source and component technologies → OpenDaylight open tool sets
SDN CONTROLLER APPLICATIONS TARGETING CUSTOMER BUSINESS PROBLEMS
Customer Business Oriented Applications, by domain:
Data Center: ACI (N9K, UCS, FW, LB, IPS)
• Focus is on private DC and cloud deployments
• Lead DC solution, integration with UCS, eco-system
Enterprise Network: APIC EM; ISR/ASR1K Router, Catalyst Switch
• Focus is on specific Ent campus and Branch applications on Cisco HW
• SSH into platform
SP WAN: WAE on ODL; ASR9K, CRS, NCS6k/4k/2k
• Focus is on self-deployed IP/MPLS WAN
• ODL, open standard protocols
NFV: Collector, Deployer, vCPE, vFW, vIPS; VNF VM, Orchestration (vCPE, vPE, vFW, vIPS)
• Focus is providing NFV orchestration (vMS)
• Targeting SP-like agencies
• Streamlined use cases
• Target all areas of customer network domains
• Data Center, Enterprise (WAN, Campus), SP and/or large Enterprise WAN, SP Cloud offerings
• Programmability, applications, open APIs, orchestration, virtualization, and automation
(Figure, repeated on the following slides: Customer Business Oriented Applications across Data Center (ACI: N9K, UCS, FW, LB, IPS), Ent Network (APIC EM; ISR/ASR1K Router, Catalyst Switch), SP WAN (ODL Controller; ASR9K, CRS, NCS6k/4k/2k) and NFV (Collector, Deployer, vCPE, vFW, vIPS; VNF VM: vCPE, vPE, vFW, vIPS))
APIC-EM (Enterprise Module): QoS | ACLs | Topology | Inventory | ZTD
APIC-EM: QOS CLASSIFICATION APPLICATION (EXAMPLE)
Open Daylight
Project OpenDaylight: “Daylight is an open source project formed by industry leaders and others under the Linux Foundation with the mutual goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common vendor supported framework.”
OpenDaylight by the Numbers (statistics per 24-Feb-2015): https://www.openhub.net/p/opendaylight and https://spectrometer.opendaylight.org
OpenDaylight Architecture: Model Driven Controller Architecture
• Controller naturally exposes all APIs: Device and Network APIs
• Northbound API = SUM (Device APIs) + Controller-Services APIs
• APIs (Device, Network, Services) are automatically generated based on the Device and Network Service Models
• Device models are loaded into the Controller
(Figure: User → APIs (Network Policy, Inventory, Topology, Routing, Device-ACL, Device-QoS, …) → Controller models (Network Policy Model, Inventory Model, Topology Model, Network Routing Model, Device-ACL Model, Device-QoS Model, …) → Device models (Device Inventory Model, Device Topology Model, Routing Model, Device-ACL Model, Device-QoS Model, …))
OpenDaylight Architecture: Model Driven SAL
(Figure, top to bottom: Applications; Northbound APIs (Generated & Handcrafted); Network Service Plugin, Platform Service Plugin, Transformer/Adapter, Internal Plugin; Java & REST SAL APIs (Generated); Abstraction Layer holding the models (Network, NE, System, Topology, Nodes, Links, Table, Flow, Flows, Config, Stats, Paths, Tunnels, …); Java SAL APIs (Generated); SB Protocols (OF-Config/OVSDB, OF x.y, PCEP, BGP-LS); Network Elements)
CISCO OPEN SDN CONTROLLER AKA “CISCO DAYLIGHT” (CDL 1.0)
OPEN SDN CONTROLLER
• OpenDaylight Helium MD-SAL services
• High availability: clustering, data replication and persistence, distributed datastore
• Serviceability enhancements (logs, metrics, monitoring & management)
• OVA distribution & 1-click service addition
• Karaf container support
• Developer tools & sample apps
• OpenFlow, NETCONF/YANG, BGP-LS, PCEP, OVSDB, etc.
(Figure: REST APIs; Base Network Service Functions; 3rd Party Network Service Functions; Model Driven Service Abstraction Layer; OpenFlow and other industry standard interfaces)
(Figure: VMs in a Cloud; data access rate to/from the Cloud)
© 2014 Cisco - Cisco INTERNAL only – All Rights Reserved
The Simplest Use Cases Conceivable
(Figure: Data Center 1 … Data Center n, each hosting VMs, with a Policer at the edge)
• Dynamically adjust policers as traffic moves about the cloud
• Forward to DDoS Appliance if Bandwidth Threshold hit
Use cases described in draft-voit-netmod-peer-mount-requirements
Controller based Fast Feedback Loop
(Figure: Data Center 1 … Data Center n)
• Synchronization between SDN controller and routers/switches enables data plane counters to be used in domain wide services
• Effectively a Cloud Counter: many thresholds, custom actions
Data Center / Cloud
(Figure: DC1 and DC2 attached via PE 1, PE 2 and PE 3 to a WAN of P routers; a Traffic Spike and a VM Move are shown; legend: In Profile Traffic, Out of Profile Traffic, Policed Traffic, Policer)
• Bandwidth threshold recognition
• Continuous rebalancing of policers
• Synchronized Counter Delivery (YANG)
• Policer values modified across Domain
(Figure: 10 MB/s Max Cloud Usage. Global Rule: Police ∑ traffic to 10 MB/s, with a domain-wide calculation of each PE's policer. Subnet 56.0.0.0/8 lives in DC1 and DC2; offered downstream traffic includes a Traffic Spike and a VM Move. Each PE (PE 1, PE 2, PE 3) reports ingress interface stats for 56.0.0.0/8 on Interface E0, and the policy on each PE (“Police 56.0.0.0/8 to N MB/s” on Interface E0) is continually updated from the statistics from the PEs so the per-PE values track the offered load while the sum stays at 10 MB/s.)
A9K: 30 second updates (hardware limit)
CSR: 2 second updates (also A1K/ISR)
Device policers dynamically updated against Cloud SLA of 100 Mb/s
Network based Threshold Trigger
(Figure: Data Center / Cloud, DC Edge and WAN; Normal Traffic Pattern versus Sustained out of Profile Traffic)
• Identification of suspect traffic spike
• Apply Action across Domain
“Bridge In” Scrubber when Threshold Trigger hit
(Figure: Data Center / Cloud, DC Edge and WAN; sustained out of profile traffic; VM bound traffic through existing DDoS solutions; scrubbed flows)
Policy can be automatically removed several ways:
• Strict timeout (if DDoS is still underway, filters will reinstall)
• Sum of ingress router flows falls below threshold
• DDoS scrubber notifies end of attack (or there is no attack)
Loose Coupling with 3rd party scrubbing solutions
(Figure: Data Center / Cloud, DC Edge and WAN)
(a) Instruct edge to discard DDoS sources
(b) Instruct edge to cut through safe sources
(c) Extract scrubber when DDoS effectively mitigated (very efficient usage of DDoS Apps and CPU)
(d) Retire ACLs when attack is over
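The fast feedback loop, domain-wide policer rebalancing and threshold-triggered scrubber bridge-in described above, as an added example that is not part of the original deck: Python controller-side logic that splits a domain-wide rate rule across the PEs in proportion to their synchronized ingress counters, bridges in a scrubber after a sustained out-of-profile interval, and retires it on any of the three removal conditions the slides list. The PE names, rates, the 5% per-PE floor and the interval counts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class EdgeStats:
    """One synchronized counter report: ingress rate for the protected subnet seen at a PE."""
    pe: str
    ingress_mbps: float


class CloudPolicerController:
    """Controller-side logic for a domain-wide policer plus a threshold-triggered scrubber.

    sla_mbps            : the global rule, e.g. police the sum of traffic to the subnet to 100 Mb/s
    ddos_threshold_mbps : sustained aggregate ingress above this is treated as a suspect spike
    sustain_intervals   : consecutive over-threshold reports required before acting
    timeout_intervals   : strict timeout after which the scrubber policy is removed; it reinstalls
                          on the next report if the aggregate is still over threshold
    floor_share         : fraction of the SLA every PE keeps even with no current traffic (assumed)
    """

    def __init__(self, sla_mbps, ddos_threshold_mbps, sustain_intervals=3,
                 timeout_intervals=5, floor_share=0.05):
        self.sla = sla_mbps
        self.threshold = ddos_threshold_mbps
        self.sustain = sustain_intervals
        self.timeout = timeout_intervals
        self.floor_share = floor_share
        self.over_count = 0            # consecutive reports with the aggregate over threshold
        self.scrubber_active = False
        self.scrubber_age = 0          # reports since the scrubber was bridged in

    @staticmethod
    def aggregate(stats):
        return sum(s.ingress_mbps for s in stats)

    def rebalance(self, stats):
        """Return {pe: policer_mbps}: the SLA split across PEs in proportion to offered load.

        Each PE keeps a floor so a VM that moves to a quiet site is not policed to zero before
        the next report; the remainder follows the traffic, and the domain-wide sum stays at the SLA.
        """
        floor = self.sla * self.floor_share
        remainder = self.sla - floor * len(stats)
        total = self.aggregate(stats)
        policers = {}
        for s in stats:
            share = s.ingress_mbps / total if total > 0 else 1.0 / len(stats)
            policers[s.pe] = round(floor + remainder * share, 2)
        return policers

    def evaluate(self, stats, scrubber_reports_clean=False):
        """Process one synchronized counter report; return the domain-wide actions to apply."""
        actions = []
        over = self.aggregate(stats) > self.threshold
        self.over_count = self.over_count + 1 if over else 0

        if self.scrubber_active:
            self.scrubber_age += 1
            if scrubber_reports_clean:              # scrubber notifies end of attack (or no attack)
                self._retire(actions, "scrubber reports clean")
                self.over_count = 0                 # trust the scrubber; do not re-arm at once
            elif not over:                          # sum of ingress flows fell below threshold
                self._retire(actions, "aggregate below threshold")
            elif self.scrubber_age >= self.timeout: # strict timeout; reinstalls if still over
                self._retire(actions, "timeout")
        elif self.over_count >= self.sustain:
            self.scrubber_active = True
            self.scrubber_age = 0
            actions.append(("BRIDGE_IN_SCRUBBER", "sustained out-of-profile traffic"))
        actions.append(("SET_POLICERS", self.rebalance(stats)))
        return actions

    def _retire(self, actions, reason):
        self.scrubber_active = False
        self.scrubber_age = 0
        actions.append(("RETIRE_SCRUBBER_ACLS", reason))


def run_constructed_scenario():
    """Constructed report sequence: normal load, a spike sustained at 200 Mb/s, then recovery."""
    ctl = CloudPolicerController(sla_mbps=100, ddos_threshold_mbps=150)
    normal = [EdgeStats("PE1", 60), EdgeStats("PE2", 20), EdgeStats("PE3", 0)]
    spike = [EdgeStats("PE1", 180), EdgeStats("PE2", 20), EdgeStats("PE3", 0)]
    reports = [normal, spike, spike, spike, spike, normal]
    return [ctl.evaluate(r) for r in reports]


if __name__ == "__main__":
    for i, acts in enumerate(run_constructed_scenario(), 1):
        print(i, acts)
```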
PLANNED APPLICATIONS (PRELIMINARY VIEW)
WAN Automation Engine: optimizes WAN bandwidth utilization via design and planning
BGP-LS Topology Viewer: provides BGP-LS network topology visualization
Cable Operator Apps: Video Quality of Experience optimization; maintenance & operations automation
Path Manager: enables PCEP based programming of tunnels across the network
OpenFlow Manager: OpenFlow topology visualization; advanced flow management; flow based troubleshooting; Cisco supported extensions
NETCONF ACL Editor: provides ACL view/edit capability to NETCONF enabled devices
HyperGlance: visualizes, monitors and manages the entire SDN network in a single view
SDN IN THE WAN
(Quote from Vijay Gill – GM, Global Network Services, Microsoft: https://twitter.com/vgill/status/227539039979446272)
SDN in the WAN Delivers Critical Solutions: Maximizing BW, Link Utilization, and Optimizing Engineering Cycles
• WAN is a critical conduit between customers, content, NFV and business applications: user access to NFV resources; DC-to-DC
• Must support legacy infrastructure
• WAN bandwidth is costly and limited… maximize %util
• Capacity planning is challenging!!!
• Must re-think how the WAN Engineering Cycles evolve as the needs are On-Demand versus Days or Weeks
Targeted at maximizing WAN optimization, orchestration, and automation for customers who own their own WAN elements (Federal)
(Figure: Federal Owned WAN connecting Data Center #1, Data Center #2 and Business users)
Multi-Vendor, Multi-Environment; Flexible Infrastructure; New Classes of Applications; Open & Interoperable Solutions; Standards & Open Source; Modular & Reusable Components
TIGHTENING THE ENGINEERING CYCLE: Years/Months → Weeks/Days → Minutes/Seconds
Must increase service velocity (provisioning), increase link utilization, limit time to deploy
SDN WAN ORCHESTRATION PLATFORM
• Application platform for placing traffic demands and paths across an IP/MPLS WAN
• North-Bound API: Java/REST
• South-Bound (bi-directional): BGP-LS (update link-state TO controller), stateful PCEP (programs network elements FROM controller), NETCONF/YANG
• Intelligent collector, planner, and optimizer engine; can leverage “what if” exercises for load placement
• Multi-vendor enabled & extensible
• Leverages OpenDaylight Infrastructure with “WAN Orchestration” applications (uses REST to controller)
(Figure: Client Apps and MATE Apps → APIs → SDN WAN Application Engine (Cross Domain Orchestration, Databases, Programming, Collector) → PCEP, configlet, BGP-LS → WAN IP/MPLS, MultiLayer, Segment Routing)
1 - Can I place this requested BW load on my network?
2 - If I do, which link(s) is outside my network capacity threshold?
… In Real-Time!!!
WAN ORCHESTRATION FRAMEWORK EXAMPLE: BANDWIDTH CALENDARING
1. Network conditions reported to collector consistently
2. WAN Orch pulls latest Plan File every 20 min from existing MATE Collector
3. Customer App requests DC #1 – DC #2 bandwidth at Future Date/Time (in app)
4. Demand admission response:
5. Customer App confirms booking
6. Two hours prior to activation, placement APP applies config in Traffic Mgr (app)
7. Traffic Mgr programs the LSP on devices
8. LSP setup for traffic
(Figure: Customer App and WAN App exchange steps 3 to 6 over the NB API; the Collector is fed by BGP-LS (steps 1 and 2); Program via PCEP (step 7); WAN of R1, R2, R3 with a congested link between Data Center #1 and Data Center #2 (step 8))
WAN AUTOMATION ENGINE (WAE) CUSTOMER USE CASES AND DEPLOYMENTS
USE CASE: DEMAND ADMISSION & PLACEMENT
Problem: Demand placement requirement must take into account LOCATION as well as network impact (link over-subscription)
Solution: Application places demand on the suggested path/location and the network remains healthy, leveraging under-subscribed links
Simple REST API Hides Complexity; Utilizes Infrastructure Intelligence
(Figure: BW Demand App → RESTful APIs → WAN Application (Collection, Programming) → WAN of R1, R2, R3 connecting a Cloud Consumer Customer Site to Content Sites)
Use Case: Bandwidth Scheduling (Calendaring)
Problem: Provider’s customer has an “on demand” need for nightly DC backup or to move workloads
Solution: After determining a best path, the Platform programs an LSP via PCEP.
Simple REST API Enables Faster Solution without Complexity
(Figure: BW Calendar App → RESTful APIs → WAN Application (Collection, Programming) → PCEP → WAN of R1, R2, R3 between Data Center #1 and Data Center #2, with R2 congested)
Use Case: TE Load Balancing
Problem: A customer needs to efficiently use expensive BW links (EX: high cost links, perhaps transoceanic) and must optimize usage.
Solution: The most expensive network resources are fully optimized by calculating and assigning best load share metrics using PCEP (extensions).
REST API Enables Solution; Hides Complexity
(Figure: TE Tunnel Builder App → RESTful APIs → WAN Application (Collection, Programming) → PCEP → R1 in AS Foo across the WAN)
INTEGRATING OPENFLOW CLASSIFICATION WITH WAN SDN
Controlling Path BW Per Flow with WAN SDN and OpenFlow
Leveraging OF for packet-match traffic steering into TE tunnels set up by WAE
(Figure: a WAN Application and a Campus/DC Application sit on an Open Source Controller, which speaks BGP-LS and PCEP to the WAN and OpenFlow 1.3 / REST API to the DC; at Data Center #1 an Open Standard SDN Switch in front of the DC Edge Router steers Flow 1 into TE 1 (50 Mb) and Flow 2 into TE 2 (75 Mb) across PE1, PE2, PE3 and P1 to P4 toward Data Center #2 and Data Center #3, avoiding the congested links)
Controlling Path BW Per Flow with WAN SDN and OpenFlow
Leveraging the OF “set FCID” action for packet-match traffic steering into TE tunnels set up by WAE
(Figure: same topology; the controller signals FCID 1 = Tunnel 1 and FCID 2 = Tunnel 2 to the DC Edge Router at Data Center #1)
OpenFlow flow table on the Open Standard SDN Switch:
HEADER FIELDS | COUNTERS | ACTIONS
Flow 1 | … | Set FCID 1 → FCID Group 1 = Tunnel 1
Flow 2 | … | Set FCID 2 → FCID Group 2 = Tunnel 2
Egress Forwarding Match
YANG AND PUBLISH/SUBSCRIBE
(Figure: a YANG Model above distributed data management mechanisms (Hierarchical, Object Oriented, Flat file, Relational, Distributed, others…) holding Network Element objects such as Interfaces, Rule 1, Peers, Router A, Router B, Topology and Link A-B)
Networks and network elements are constructed upon a variety of distributed data management mechanisms.
It is possible to represent network objects via a hierarchical namespace, fully decoupled from the underlying database technologies. YANG is the modeling language being used by both the IETF and OpenDaylight for this.
RFC 6022: YANG Module for NETCONF Monitoring
RFC 6991: Common YANG Data Types
RFC 6087: Guidelines for Authors and Reviewers of YANG …
RFC 6095: Extending YANG with Language Abstractions
RFC 6110: Mapping YANG to Document Schema Definition…
RFC 6241: Network Configuration Protocol (NETCONF)
RFC 6243: With-defaults Capability for NETCONF
RFC 6470: Network Configuration Protocol (NETCONF) …
RFC 6536: NETCONF Access Control Model…
RFC 6643: Translation of MIB Modules to YANG Modules
RFC 7223: A YANG Data Model for Interface Management
RFC 7224: IANA Interface Type YANG Module
RFC 7277: A YANG Data Model for IP Management
RFC 7317: A YANG Data Model for System Management
RFC 7407: A YANG Data Model for SNMP Configuration
Publish/Subscribe: Requirements for Subscription to YANG Datastores (draft-i2rs-pub-sub-requirements); Subscribing to datastore push updates (draft-netmod-clemm-datastore-push)
Dozens of Models currently under development
Taking YANG beyond being a programmatic replacement for SNMP/CLI: anything different? No. NO! Yeah.
(Figure: Traditional Device: the Application fetches from the YANG Datastore. Subscribed Device: the YANG Datastore pushes new stuff to the Application.)
Applications have access to up-to-date network objects without Polling or Redundant Fetching
• Application performance benefits
• Processing reductions
What we have today: On Demand, ask for Object every time (the Application fetches object 1 from the Network Element’s Datastore)
What YANG Publish/Subscribe enables:
• Periodic: Push Object every ‘X’ seconds (the Publisher on the Network Element sends the Subscriber a regular stream of the subscribed object)
• On Change: Push on Object change (the Publisher sends a notification whenever the subscribed object changes)
(Figure: many Subscribers (a Controller, Applications, an NMS, a Peer Network Element) receive pushes from the Publisher on a Network Element whose Datastore holds the subscribed Node objects)
Transport: point-to-point & point-to-multipoint options, e.g., NETCONF, ZeroMQ, HTTP
Filtering Events versus Maintaining Filtered Remote State
• Stateless Filter: push if Orange or Yellow; the Application knows something happened
• Stateful Filter: push if Orange or Yellow state change; the Application can maintain a subset of the datastore
Intermittent Reporting
Send Update if… | Filter Type / Complexity
Object A exists | n/a
if Object A currently has property or | Simple query
if Object A currently has property and different property | Complex query
if Object A currently has property and Object B has property | Multi-object query
if Object A currently has property then run process | Distributed Analytics

Filtering Events (Stateless)
Send Update if… | Filter Type / Complexity
Object A property just changed | n/a
Object A has been created/deleted | simple
Object A has been created with property, or if Object A property just changed to | simple
if Object A property just changed to and has different property | complex
if Object A property just changed and Object B has property | multi-object
if Object A property just changed, run process | distributed analytics

Maintaining Filtered Remote State (Stateful)
Send Update if… | Filter Type / Complexity
if Object A property just changed/deleted away from | simple
if Object A property just changed from to | complex
if Object A property just changed from and Object B has property | multi-object
if Object A property just changed/deleted away from, run process | distributed analytics
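The periodic and on-change push modes and the stateless versus stateful filter distinction from the slides above, as an added example that is not part of the original deck: a Python sketch of a network-element publisher over a YANG-like datastore, where a stateless filter reports every event while the condition holds and a stateful filter reports only transitions, so the subscriber can mirror a subset of the datastore. The interface objects, subscription names and predicates are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


class Datastore:
    """A flat YANG-like datastore: object name -> dict of properties; emits change events."""

    def __init__(self):
        self.objects = {}
        self.listeners = []              # callables(name, old_props, new_props)

    def set(self, name, **props):
        old = dict(self.objects.get(name, {}))
        new = {**old, **props}
        if name in self.objects and new == old:
            return                       # a no-op write is not a change and produces no event
        self.objects[name] = new
        for fn in self.listeners:
            fn(name, old, new)


@dataclass
class Subscription:
    subscriber: str
    objects: list                            # subscribed object names
    mode: str                                # "periodic" or "on-change"
    period: int = 1                          # ticks between pushes in periodic mode
    predicate: Optional[Callable] = None     # filter over the whole datastore (may read Object B)
    stateful: bool = False                   # False: push whenever the filter holds (filtering events)
                                             # True: push only when the filter result changes
    last_result: Optional[bool] = None       # remembered result for a stateful filter


class Publisher:
    """Network-element side: evaluates subscriptions on change events and on the clock."""

    def __init__(self, datastore):
        self.ds = datastore
        self.ds.listeners.append(self._on_change)
        self.subs = []
        self.tick = 0
        self.pushes = []                 # (subscriber, trigger, snapshot of subscribed objects)

    def subscribe(self, sub):
        if sub.stateful and sub.predicate:
            sub.last_result = sub.predicate(self.ds.objects)   # prime the remembered state
        self.subs.append(sub)

    def _maybe_push(self, sub, trigger):
        result = sub.predicate(self.ds.objects) if sub.predicate else True
        if sub.stateful:
            if result == sub.last_result:
                return                   # nothing changed from the subscriber's point of view
            sub.last_result = result
        elif not result:
            return
        snapshot = {n: dict(self.ds.objects[n]) for n in sub.objects if n in self.ds.objects}
        self.pushes.append((sub.subscriber, trigger, snapshot))

    def _on_change(self, name, old, new):
        for sub in self.subs:
            if sub.mode == "on-change" and name in sub.objects:
                self._maybe_push(sub, f"change:{name}")

    def clock_tick(self):
        self.tick += 1
        for sub in self.subs:
            if sub.mode == "periodic" and self.tick % sub.period == 0:
                self._maybe_push(sub, f"periodic:{self.tick}")


def run_constructed_scenario():
    """Constructed interface object and three subscriptions; returns (pushes per subscriber, pushes)."""
    ds = Datastore()
    ds.set("eth0", oper="up", errors=0)
    pub = Publisher(ds)
    # Periodic, unfiltered: a regular stream of eth0 every 2 ticks.
    pub.subscribe(Subscription("nms", ["eth0"], "periodic", period=2))
    # On-change, stateless: "push if Object A currently has property errors > 0";
    # fires on every change event while the condition holds.
    pub.subscribe(Subscription("app-events", ["eth0"], "on-change",
                               predicate=lambda o: o.get("eth0", {}).get("errors", 0) > 0))
    # On-change, stateful: "push if Object A property just changed to/away from oper == down";
    # the subscriber maintains a remote copy of the up/down state.
    pub.subscribe(Subscription("app-state", ["eth0"], "on-change", stateful=True,
                               predicate=lambda o: o.get("eth0", {}).get("oper") == "down"))

    ds.set("eth0", errors=1)             # stateless fires; stateful: still up, silent
    ds.set("eth0", errors=2)             # stateless fires again
    ds.set("eth0", oper="down")          # both fire: errors still > 0, and up -> down transition
    ds.set("eth0", oper="down")          # no-op write: no event at all
    pub.clock_tick(); pub.clock_tick()   # periodic stream delivers once, at tick 2
    ds.set("eth0", oper="up")            # stateless fires (errors 2); stateful fires on down -> up
    return Counter(p[0] for p in pub.pushes), pub.pushes
```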
NETWORK FUNCTION VIRTUALIZATION & CLOUD VPNS
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
• Target all areas of customer functions and networks
• Data Center (Enterprise & SP), Enterprise (WAN, Campus), SP and/or large Enterprise WAN, SP Cloud offerings
• Programmability and open APIs, orchestration, virtualization, rapid provisioning and automation
(Figure: Customer Business Oriented Applications by domain, as above, with WAE for the SP WAN)
NFV - Network Functions Virtualization
NFV extends the “VIRTUAL” to L4-7 Services: creating virtual versions of services that traditionally ran on standalone appliances…
Some NFV examples: Network Address Translation (NAT); Firewall; Intrusion Detection (IDS/IPS); Domain Name Service (DNS); WAN Acceleration; Load Balancing; Deep Packet Inspection (DPI); Content Delivery (CDN); Broadband Remote Access (BRAS); Provider Edge (PE Router)
CISCO DYNAMIC SERVICES COMPOSER INTRODUCTION
Dynamic Services Composer …
• an open, standards-based, modular architecture and platform for services orchestration
• manages the physical & virtual network, as well as the compute & storage infrastructure, to deliver carrier-class services
• which range from VPC to NFV services
DYNAMIC SERVICES COMPOSER – OVERALL ARCHITECTURE (Open Standards Based)
(Figure: RT-OSS or upper layer Orchestrator and Service Catalog → REST API → Network Service Orchestrator (Virtual Topology System, Service Routing, DCI Routing, VNF Manager, Service Provisioning, Address Mgmt., Service Lifecycle management; System Management, High Availability, Service Assurance Framework) → Openstack / Jcloud API to the VM Orchestrator and RESTCONF/YANG to the EPN SP WAN; MPBGP toward CE1, CE2 and the End-User; SW Overlay (MPLSoGRE, L2TPv3, VXLAN) from the DC gateway to VTFs on the Servers, each holding per-tenant VRFs (VRF1, VRF2) for the Tenant 1 and Tenant 2 VNFs and VMs)
DYNAMIC SERVICES COMPOSER (DSC) MULTI-TENANTED SERVICE INSTANTIATION & SERVICE CHAINING
(Figure: Managed Services (Internet/VPN (Managed CPE), Security (Managed FW), WAAS, NAT) orchestrated by the Dynamic Services Composer (System Management and High Availability; Service Orchestrator; DSC Services Controller; DSC Network Controller) into multi-tenanted service chains in the SP Managed Service POD in the SP Datacenter: Customer 1 wants FW, NAT → vCPE, vFW, NAT; Customer 2 wants vCPE, vFW, vWAAS → vCPE, vFW, vWAAS; External WAN, access to Cloud (IaaS, Storage, …))
Customer service is instantiated as a virtual service in the managed service POD. Multiple services are combined into a service chain.
SERVICES IN A CHAIN
• Network services can be daisy chained
• No restriction on the number of services in a chain
• Services can be dynamically inserted in the chain
(Diagram: a Virtual Topology containing VM Foo Web and VM Foo DB, with NAT and FW services in the chain, reaching the SP WAN (L3VPN, L2VPN, Internet) over DCI.)
88
SERVICES IN A CHAIN (continued)
(Diagram: the same chain realized on the fabric. Server 1, Server 2, Server 3 and Server 4 each host a vPE-F forwarder with an L2/L3 VRF FIB; VM Foo Web, VM Foo DB, VM Foo NAT, VM Foo FW, VM Bar, VM WALMART and VM1 GE-WEB attach to it at L2/L3. The vPE-F instances are interconnected by MPLS-over-GRE (or) VXLAN tunnels, and the Virtual Topology reaches the SP WAN (L3VPN, L2VPN, Internet) over DCI.)
89
One-Stop-Shop Tenant Portal: Search by Product or Category
90
APPLICATION CENTRIC INFRASTRUCTURE (ACI)
91
• Target all areas of customer functions and networks
• Data Center (Enterprise & SP), Enterprise (WAN, Campus), SP and/or large Enterprise WAN, SP Cloud offerings
• Programmability and open APIs, orchestration, virtualization, rapid provisioning and automation
(Diagram: customer business-oriented applications consume APIs across four domains. Data Center: ACI (N9K, UCS, FW, LB, IPS). Enterprise Network: APIC EM with ISR/ASR1K routers and Catalyst switches. SP WAN: WAE (Collector, Deployer) with ASR9K, CRS, NCS6k/4k/2k. NFV: VNF VMs (vCPE, vPE, vFW, vIPS).)
92
ACI is Cisco’s attempt to solve the most significant and important problems facing data center managers: how to more closely link the provisioning of data center networks with the applications running over those networks (i.e. “how do the apps talk to each other”). … the goal is to reduce human error, shorten application deployment times, and minimize the confusion that can occur when application managers and network managers speak very different vocabularies.
JOEL SNYDER, NETWORK WORLD
93
WHAT ARE THE KEY COMPONENTS OF ACI? APPLICATION-CENTRIC INFRASTRUCTURE
• Hardware – Fabric (Nexus 9000 Series)
• Controller – APIC (Application Policy Infrastructure Controller)
• Ecosystem (industry leading, open) – open standards, open source
94
APPLICATION CENTRIC INFRASTRUCTURE
MULTI-FUNCTIONAL, HYPERVISOR AGNOSTIC, VIRTUAL/PHY
• Encapsulation agnostic
• Controller (APIC) driven with open APIs, broad ecosystem
• Simplified L4–L7 insertion, open vendor support
− Third-party integration (Layer 4–7 services, storage, compute, WAN, etc.)
− Image management (spine and leaf)
− Fabric inventory
• Embedded “white list” security
• Open APIs “north” of APIC
• Data plane “de-coupled” from the APIC controller
(Diagram: a 40G fabric managed by a tertiary APIC cluster with an integrated line-rate host directory. Attached domains: Physical Networking (Nexus 7K, Nexus 2K, Integrated WAN Edge), Hypervisors and Virtual Networking, Compute (virtual/physical), L4–L7 Services, Storage, Multi-DC WAN and Cloud.)
95
Define Intent: How do apps talk to each other?
ACI Goal: Automate the instrumentation of intent
96
APPLICATION CENTRIC INFRASTRUCTURE
SERVICE GRAPH FOR THE APPLICATION
(Diagram: the application tiers Web, App and DB, plus the Outside Network.)
97
(Diagram: an Application Profile containing the web, app and db component tiers, each an end point group of VMs, plus The Outside.)
Application Profile – a set of network requirements specifying how application components communicate with each other; describes application infrastructure dependencies; application-level metadata; application-centric network policy.
Policy (Contracts) – Access Control, QoS, Firewall, L4–L7 Services.
The Outside – rules of how the application communicates to the external private or public networks.
End Point Group (or VMware Port Group) – a collection of end-points connecting to the network… VMs, physical compute, …
98
APPLICATION CENTRIC INFRASTRUCTURE
SERVICE GRAPH ABSTRACTION FROM THE NETWORK
(Diagram: Outside (Tenant VRF), Web, App and DB tiers connected through policies rendered by the APIC: a QoS Policy on each hop, an LB Service Policy, an FW Service Policy and an Access Policy.)
Decouple Application from Infrastructure
99
(Diagram: an APIC cluster of three controllers managing a fabric whose Border Leaf runs a standard routing protocol toward the Intranet, the External IP/MPLS WAN and the Extranet WAN. Inside the fabric: Web, App and DB tiers with FW and LB services.)
100
• Elastic service insertion architecture for physical and virtual services
• Automation of service bring-up / tear-down through programmable interface
• Service enforcement guaranteed, regardless of endpoint location
• APIC as central point of network control with policy coordination
• Supports existing operational model when integrated with existing services
• Helps enable administrative separation between application tier policy and service definition
(Diagram: the Application Admin defines App Tier A (Web servers) and App Tier B (App servers) and applies the chain “Security 5” between them. The Service Admin defines the Service Graph “Security 5” as begin, Stage 1, …, Stage N, end, with Service Profiles for the providers (ASA, Netscaler VPX). The fabric applies policy redirection to steer traffic through the chain.)
101
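The slides describe the ACI policy model in words: end points are grouped into End Point Groups, a contract between two EPGs states which traffic may pass and which L4–L7 service graph it must traverse, and anything without a contract is dropped (the “white list” default). The following is an added example, not APIC code or a Cisco API: a small Python policy engine that evaluates that model for the web/app/db/outside tiers from the slides. All addresses, ports, contract names and service names are constructed sample data, and the intra-EPG default permit is a stated simplification.

```python
"""Whitelist evaluation of an ACI-style policy model (added example; not APIC code).

End points belong to End Point Groups (EPGs). Traffic between two EPGs is permitted
only where a contract from the consumer EPG to the provider EPG carries a matching
filter; the contract may also name a service graph, the ordered L4-L7 services the
fabric inserts in the path. Everything else is denied. EPG names follow the slides
(web, app, db, outside); addresses, ports and names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    proto: str                # "tcp", "udp" or "icmp"
    dport: int | None = None  # destination port; None matches any port


@dataclass(frozen=True)
class Contract:
    name: str
    filters: tuple            # Filter objects that permit traffic
    service_graph: tuple = () # L4-L7 services in insertion order, e.g. ("fw", "lb")


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str
    service_graph: tuple = ()


class Fabric:
    """Minimal policy engine: endpoint -> EPG, (consumer EPG, provider EPG) -> contract."""

    def __init__(self, epg_of_endpoint, contracts, relations):
        self.epg_of_endpoint = epg_of_endpoint        # {"10.1.1.10": "web", ...}
        self.contracts = {c.name: c for c in contracts}
        self.relations = relations                    # {("web", "app"): "web-to-app", ...}

    def decide(self, src_ep, dst_ep, proto, dport):
        """Return the whitelist decision for one flow, with the service graph to apply."""
        src_epg = self.epg_of_endpoint.get(src_ep)
        dst_epg = self.epg_of_endpoint.get(dst_ep)
        if src_epg is None or dst_epg is None:
            return Decision(False, "endpoint not classified into any EPG")
        if src_epg == dst_epg:
            # Simplification: members of one EPG may talk to each other freely.
            return Decision(True, f"intra-EPG traffic within {src_epg}")
        name = self.relations.get((src_epg, dst_epg))
        if name is None:
            # No contract in this direction: the whitelist default is deny.
            return Decision(False, f"no contract from {src_epg} to {dst_epg}")
        contract = self.contracts[name]
        for f in contract.filters:
            if f.proto == proto and (f.dport is None or f.dport == dport):
                return Decision(True, f"contract {name}, filter {f.proto}/{f.dport}",
                                contract.service_graph)
        return Decision(False, f"contract {name} has no filter for {proto}/{dport}")


def sample_fabric():
    """Three-tier application profile from the slides, with constructed addresses."""
    contracts = [
        Contract("outside-to-web", (Filter("tcp", 443),), service_graph=("fw", "lb")),
        Contract("web-to-app", (Filter("tcp", 8080),), service_graph=("fw",)),
        Contract("app-to-db", (Filter("tcp", 5432),)),
    ]
    relations = {
        ("outside", "web"): "outside-to-web",
        ("web", "app"): "web-to-app",
        ("app", "db"): "app-to-db",
    }
    epg_of_endpoint = {
        "198.51.100.7": "outside",   # external client reached via the border leaf
        "10.1.1.10": "web", "10.1.1.11": "web",
        "10.1.2.10": "app",
        "10.1.3.10": "db",
    }
    return Fabric(epg_of_endpoint, contracts, relations)


if __name__ == "__main__":
    fabric = sample_fabric()
    flows = [
        ("198.51.100.7", "10.1.1.10", "tcp", 443),   # client -> web: permitted via fw, lb
        ("10.1.1.10", "10.1.2.10", "tcp", 8080),     # web -> app: permitted via fw
        ("198.51.100.7", "10.1.3.10", "tcp", 5432),  # client -> db: no contract, denied
        ("10.1.3.10", "10.1.2.10", "tcp", 8080),     # db -> app: reverse direction, denied
        ("10.1.1.10", "10.1.2.10", "tcp", 22),       # web -> app ssh: no filter, denied
    ]
    for flow in flows:
        d = fabric.decide(*flow)
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: "
              f"{'PERMIT' if d.permitted else 'DENY'} ({d.reason}) graph={d.service_graph}")
```

Running the block prints one decision per sample flow. The two points worth noticing are that a contract is directional (db has no path back to app) and that a permitted flow carries its service graph with it, which is how the fabric knows which L4–L7 chain to redirect the traffic through.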
FULL APPLICATION VISIBILITY
A SINGLE VIEW OF YOUR APPLICATION IN A DISTRIBUTED ENVIRONMENT
• Health score: 96%
• Latency: 5 microsecond(s)
• Drop count: 25 packets dropped
• Visibility: 7 VMs, 3 physical
(Diagram: the application with an Application Delivery Controller and a Firewall in its path.)
102
OVERLAY TAXONOMY
• Overlay Control Plane
• Service = Virtual Network Instance (VNI)
• Identifier = VN Identifier (VNID)
• NVE = Network Virtualization Edge
• VTEP = VXLAN Tunnel End-Point
(Diagram: hosts (end-points) attach to edge devices (NVE / VTEPs); the encapsulation carries their traffic across the underlay network, which runs its own underlay control plane.)
103
VXLAN IS AN OVERLAY ENCAPSULATION
• Data plane learning: flood and learn over a multidestination distribution tree joined by all edge devices
• Protocol learning: advertise hosts in a protocol amongst edge devices
(Diagram: the overlay control plane sits above the VXLAN encapsulation.)
104
VXLAN PACKET STRUCTURE
Ethernet in IP with a shim for scalable segmentation: 50 (54) bytes of overhead, the larger figure when the outer frame carries the optional VLAN tag.
Outer MAC Header – 14 bytes (4 bytes optional)
  Dest. MAC Address (48 bits) – next-hop MAC address
  Src. MAC Address (48 bits) – src VTEP MAC address
  VLAN Type 0x8100 (16 bits)
  VLAN ID Tag (16 bits)
  Ether Type 0x0800 (16 bits)
Outer IP Header – 20 bytes
  IP Header Misc. Data (72 bits)
  Protocol 0x11 (UDP) (8 bits)
  Header Checksum (16 bits)
  Source IP (32 bits)
  Dest. IP (32 bits) – src and dst addresses of the VTEPs
Outer UDP Header – 8 bytes
  Source Port (16 bits) – hash of the inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing in the network
  VXLAN Port UDP 4789 (16 bits)
  UDP Length (16 bits)
  Checksum 0x0000 (16 bits)
VXLAN Header – 8 bytes
  VXLAN Flags RRRRIRRR (8 bits)
  Reserved (24 bits)
  VNI (24 bits) – allows for 16M possible segments
  Reserved (8 bits)
Original Layer 2 Frame
  Ethernet Payload
  FCS
Large scale segmentation. Tunnel entropy.
105
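To make the header layout on the slide concrete, here is an added example (not from the slides or from any Cisco code) in Python: it builds a VXLAN-encapsulated frame with the outer MAC, IPv4, UDP and VXLAN headers described above, then parses one back, checking the EtherType, IP protocol, header checksum, UDP destination port 4789, the length fields and the I flag before trusting the VNI. The VTEP addresses, the inner tenant frame and the choice of CRC32 as the entropy hash for the source port are constructed assumptions; the sizes and field values come from the slide.

```python
"""Build and parse a VXLAN-encapsulated Ethernet frame (added example, not slide material).

Layout per the slide: outer MAC (14 B) + outer IPv4 (20 B) + outer UDP (8 B) +
VXLAN (8 B) = 50 bytes of overhead in front of the original Layer 2 frame.
VTEP addresses, the inner frame and the entropy hash are constructed for this example.
"""
import struct
import zlib

VXLAN_UDP_PORT = 4789   # "VXLAN Port UDP 4789" on the slide
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 0x11
VXLAN_FLAG_I = 0x08     # flags byte is RRRRIRRR: only the I bit is defined
VXLAN_OVERHEAD = 50     # without the optional 802.1Q tag on the outer frame


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip_checksum(header):
    """One's-complement checksum over a 20-byte IPv4 header; 0 for a valid header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def entropy_source_port(inner_frame):
    """UDP source port derived from a hash of the inner L2/L3/L4 headers, giving
    ECMP entropy as the slide describes. CRC32 is this example's choice of hash."""
    return 49152 + (zlib.crc32(inner_frame[:54]) % 16384)   # ephemeral port range


def build_vxlan_frame(vni, inner_frame, src_vtep_mac, dst_vtep_mac, src_vtep_ip, dst_vtep_ip):
    """Encapsulate inner_frame for the given VNI; returns the outer frame (no FCS)."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # VNI in the upper 24 bits
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    src = bytes(map(int, src_vtep_ip.split(".")))
    dst = bytes(map(int, dst_vtep_ip.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", mac(dst_vtep_mac), mac(src_vtep_mac), ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner_frame


def parse_vxlan_frame(frame):
    """Validate the outer headers and return VNI, VTEP addresses and the inner frame.
    Raises ValueError for anything that is not well-formed VXLAN."""
    if len(frame) < VXLAN_OVERHEAD + 14:          # at least an inner Ethernet header
        raise ValueError("frame too short for VXLAN encapsulation")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer EtherType is not IPv4 (0x0800)")
    ip = frame[14:34]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src_ip, dst_ip = \
        struct.unpack("!BBHHHBBH4s4s", ip)
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if ip_checksum(ip) != 0:
        raise ValueError("outer IP header checksum mismatch")
    if proto != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP (0x11)")
    src_port, dst_port, udp_len, _udp_csum = struct.unpack("!HHHH", frame[34:42])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN (4789)")
    if udp_len != len(frame) - 34 or total_len != len(frame) - 14:
        raise ValueError("outer length fields do not match the frame length")
    flags, vni_reserved = struct.unpack("!B3xI", frame[42:50])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI field is not valid")
    return {
        "vni": vni_reserved >> 8,                 # low 8 bits are reserved
        "src_vtep": ".".join(map(str, src_ip)),
        "dst_vtep": ".".join(map(str, dst_ip)),
        "src_port": src_port,
        "overhead": VXLAN_OVERHEAD,
        "inner_frame": frame[50:],
    }


def is_valid_vxlan(frame):
    """True when parse_vxlan_frame accepts the frame, False otherwise."""
    try:
        parse_vxlan_frame(frame)
        return True
    except ValueError:
        return False


def sample_inner_frame():
    """Constructed inner frame: two tenant hosts exchanging an IPv4/TCP SYN."""
    eth = struct.pack("!6s6sH", mac("00:50:56:00:00:02"), mac("00:50:56:00:00:01"), ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    inner = sample_inner_frame()
    frame = build_vxlan_frame(0x123456, inner, "00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.1", "192.0.2.2")
    info = parse_vxlan_frame(frame)
    print(f"VNI {info['vni']:#08x} from VTEP {info['src_vtep']} to {info['dst_vtep']}, "
          f"{info['overhead']} bytes of overhead around a {len(info['inner_frame'])}-byte inner frame")
```

The parser deliberately checks the length fields against the captured frame and refuses a frame whose I flag is clear: the VNI is what separates tenants, so a decapsulating device should only act on it once the outer headers are internally consistent.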
VXLAN EVOLUTION: BGP EVPN CONTROL PLANE
https://tools.ietf.org/html/draft-ietf-l2vpn-evpn-11
(Diagram: a VXLAN overlay of VTEPs, each a BGP peer of the BGP route reflectors.)
• Uses Multi-Protocol BGP with the EVPN address family for dynamic tunnel discovery and host reachability
• Supported across the product line: all Nexus and ASR
106
HTTPS://DEVELOPER.CISCO.COM
107
“… In order to implement an SDN solution, it will be imperative for enterprises to firstly make themselves familiar with the technology and its components, create cross functional IT teams that include applications, security, systems and network to (1) get an understanding of what they wish to achieve and, (2) investigate best-of-breed vendor solutions that can deliver innovative and reliable SDN solutions which leverage existing investments without the need to overhaul longstanding technologies…”
Ben Rossi – InformationAge.com, January 16, 2015
108
Trivia Question
What are the names of the two IETF protocols used on the OpenDaylight Controller, supporting the WAN Application Engine (WAE) app, to PULL link-state information and PUSH MPLS-TE configuration and attributes?
© 2014 Cisco - Cisco INTERNAL only – All Rights Reserved
109
THANK YOU 110