9th sdn expert group seminar - session3

Confiden'al

Netvisor - “The” Network Hypervisor

Pluribus Networks NetvisorOS Open Fabrics, Analytics, and Virtualizations

Robert Drost, Ph.D. Founder and COO

Pluribus Networks – What Do We Do?

A Network (Hypervisor) OS: Netvisor !Designed to build the easiest to use networks

Leaf and Spine Switches

Turn-‐key HW+SW ! SW on ODM switches!

Is The Life of Netops GeIng Any Easier?

!  complex�� to�� manage…⋯too�� many�� protocols,�� too�� many�� boxes��

!  Complex�� to�� troubleshoot…⋯box-by-box��

!  Expensive�� to�� monitor�� and�� secure…⋯no�� visibility�� into�� application�� flows�� and�� behavior�� of�� end�� points��

Network Monitoring and Security Challenges

�� !  N-S�� perimeter:�� protected�� by�� security�� tools�� and�� packet�� brokers��

!  E-W�� fabric:�� Expensive�� infrastructure�� to�� tap�� …⋯leads�� to�� E-W�� fabric�� blind�� spots��

!  E-W�� fabric:�� lack�� of�� global�� visibility�� of�� end�� points�� connected�� to�� the�� fabric��

!  E-W:�� lack�� of�� any�� visibility�� of�� application�� flows��

Internet�� router DDOS

Firewall IPS

WAF�� (port�� 80/443) Packet�� brokers��

Malware/Email/DNS…⋯

Open,�� interoperable�� networking��

Agility�� w/o�� exploding�� cost�� for�� physical�� &�� virtual�� network�� End-to-end�� visibility�� to�� enhance�� security,�� application�� performance,�� troubleshooting..��

The Promise Of Netvisor

Netvisor Architecture Layers At-‐a-‐Glance

Integrated Analytics For Security and Monitoring Plug&Play Fabric Orchestration

Network Virtualization Orchestration

Netvisor® - L2/L3/MLAG/VXLAN

Open Networking hardware

CLI, Python Ansible Puppet/Chef

OpenStack RESTful

API

Common orchestration, tools and automation

C, Java

Open,�� interoperable�� Networking��

Simplify�� automation�� (physical�� &�� virtual)�� Simplify�� end-to-end�� visibility�� (ports,�� VMs,�� app�� flows)��

Netvisor�� plug&play�� Fabric�� orchestration��

Netvisor Control Plane Fabric

Single�� point�� of�� mgmt��

Single�� fabric�� CLI/API��

Open,�� interoperable�� Network�� L2/L3��

Controller�� cluster�� over�� TCP/IP�� Distributed��

Controller��

Integrated�� In�� the�� Switch��

Netvisor Server-‐Style Distributed Architecture

“A computer cluster consists of a set of loosely or 'ghtly connected computers that work together so that, in many respects, they can be viewed as a single system”

Servers�� relied�� on�� scalable�� and�� highly�� available�� cluster�� technologies…⋯��

Single�� point�� of�� mgmt��

!

!!

��

��

…⋯then�� someone�� invented�� centralized�� controllers��

��

Netvisor�� leverages�� scalable�� and�� highly�� available��

server�� cluster�� technologies��

Netvisor Server-‐Style Control Plane Architecture

vSwitch

ovsdb openflow

controller��

Orchestration��

…⋯then�� the�� “controller”�� folks�� Invented�� new�� southbound�� i/f��

Server�� relied�� on�� PCIe�� southbound�� control�� i/f…⋯��

PCIe Secure�� High-perf PCIe

PCIe�� is�� in�� every�� switch!�� Netvisor�� just�� uses�� it�� exactly�� like�� a�� server�� OS!��

Secure�� High-perf

One�� CLI/API�� to�� orchestrate�� the�� fabric�� from�� any�� switch…⋯��

Scalable�� (distributed)��

Highly-available�� (peer-to-peer)��

Transaction�� based�� (easy�� to�� automate)��

Secure�� control�� plane�� (PCIe�� like�� a�� server!)��

One�� CLI/GUI�� to�� orchestrate�� the�� fabric�� from�� any�� switch…⋯��

Netops��

Fabric API For Netops and Devops

Netvisor API

…⋯or�� from�� any�� Linux�� server!!��

devops��

1,000s�� concurrent�� API�� calls�� For�� visibility�� &�� mgmt!��

Restful,�� C,�� java,�� cli,�� python

CLI (network-‐admin@Leaf2) > vrouter-‐routes-‐show network 101.101.19.0 vrouter-‐name network type interface next-‐hop distance metric -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ leaf2 101.101.19.0/24 bgp eth0.21 99.99.3.1 200 1 leaf3 101.101.19.0/24 bgp eth0.19 99.99.5.1 200 1 leaf4 101.101.19.0/24 bgp eth0.17 99.99.7.1 200 1 leaf5 101.101.19.0/24 bgp eth0.15 99.99.15.1 200 1 leaf6 101.101.19.0/24 bgp eth0.5 99.99.16.1 200 1 leaf1 101.101.19.0/24 connected eth0.2220 CLI (network-‐admin@Leaf2) > vrouter-‐routes-‐show network 108.108.108.108 vrouter-‐name network type interface next-‐hop distance metric -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ leaf2 108.108.108.108/32 connected lo0 leaf1 108.108.108.108/32 bgp eth0.38 99.99.17.1 200 1 leaf3 108.108.108.108/32 bgp eth0.36 99.99.19.1 200 1 leaf4 108.108.108.108/32 bgp eth0.40 99.99.21.1 200 1 leaf5 108.108.108.108/32 bgp eth0.22 99.99.117.1 200 1 leaf6 108.108.108.108/32 bgp eth0.8 99.99.119.1 200 1 CLI (network-‐admin@BGP-‐Leaf2) >

ONE “FABRIC CLI” -‐ example

troubleshoot�� if�� routes�� are�� learned�� across�� all�� routers�� in�� the�� fabric��

ssh�� into�� one�� switch!��

ONE “FABRIC CLI” -‐ example admin@Leaf3:~# cli -‐-‐quiet vlan-‐show switch id scope name active stats ports untagged-‐ports active-‐edge-‐ports -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐ -‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ Leaf3 1 local default-‐1 yes yes 1-‐6,9-‐104,254 1-‐6,9-‐104,254 29,101 Leaf3 4091 local vlan-‐4091 yes yes 8,89-‐104,254 8 8,101 Leaf3 4092 local vlan-‐4092 yes yes 7,89-‐104,254 7 7,101 admin@Leaf3:~# ./vlancreate.sh 500 510 Vlan 500 created Vlan 501 created Vlan 502 created Vlan 503 created Vlan 504 created Vlan 505 created Vlan 506 created Vlan 507 created Vlan 508 created Vlan 509 created Vlan 510 created switch id scope name active stats ports untagged-‐ports active-‐edge-‐ports -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ Leaf3 1 local default-‐1 yes yes 1-‐6,9-‐104,254 1-‐6,9-‐104,254 29,101 Leaf3 500 fabric vlan-‐500 yes yes 89-‐104,254 none none Leaf3 501 fabric vlan-‐501 yes yes 89-‐104,254 none none Leaf3 502 fabric vlan-‐502 yes yes 89-‐104,254 none none Leaf3 503 fabric vlan-‐503 yes yes 89-‐104,254 none none Leaf3 504 fabric vlan-‐504 yes yes 89-‐104,254 none none Leaf3 505 fabric vlan-‐505 yes yes 89-‐104,254 none none Leaf3 506 fabric vlan-‐506 yes yes 89-‐104,254 none none Leaf3 507 fabric vlan-‐507 yes yes 89-‐104,254 none none Leaf3 508 fabric vlan-‐508 yes yes 89-‐104,254 none none Leaf3 509 fabric vlan-‐509 yes yes 89-‐104,254 none none Leaf3 510 fabric vlan-‐510 yes yes 89-‐104,254 none none Leaf3 4091 local vlan-‐4091 yes yes 8,89-‐104,254 8 8,101 Leaf3 4092 local vlan-‐4092 yes yes 7,89-‐104,254 7 7,101 admin@Leaf3:~#

Create�� vlans�� in�� seconds�� across�� the�� fabric��

ssh�� into�� one�� switch!��

Fabric�� operations�� are�� atomic�� transactions��

!

!

Netvisor Fabric-Cluster For Simplified Mgmt!

!" !

L2!

L3!HA block!

Distributed peer-to-peer HA cluster. No single point of failure. Node hot-plug.!

Classic database !3-phase commit for

config changes!

One logical switch to manage!

–!

Every Node shares the same view of the Fabric:

MAC, IP, connections and app flows!

A distributed architecture based on a collection of compute clustering techniques to present !

an open, standard-based Ethernet fabric as !one logical switch. !

Fabric-wide ARP Suppression!

Customer Example: US Manufacturing Company Fabric VirtualizaWon For Private Cloud

Pluribus Architectural Value: !  Leaf-‐Spine Fabric simplificaWon !  Virtual network with HW vRouters !  Analy'cs w/ forensic recording !  Enable inser'on of new services w/o

HW sprawl (e.g. For'net FW)

Requirements: !  Consolida'on of legacy mul'-‐layer

design to leaf-‐spine !  Segmenta'on/mul'-‐tenancy w/o

dedicated HW (routers, services) !  E-‐W flow visibility, compliance,

audi'ng

Netvisor�� plug&play�� Real-time�� Analytics:�� Inline�� Forensic�� (Time�� Machine)�� Packet�� Broker�� and�� Packet�� Capture��

any�� end-point,�� any�� port,�� any�� flow,�� any�� time��

Netvisor Global Fabric Visibility

from�� any�� switch!��

The Technology Behind it: A Smarter TAP!

PCIe��

NO�� BLIND�� SPOTS:�� every�� connection,�� every�� VM,�� every�� port�� NO�� EXTERNAL�� TAPS��

Dynamic�� threat�� response��

Time�� machine��

Netvisor�� Flow�� Visibility�� At-a-Glance��

admin@F64LSpine1:~# cli client-‐server-‐stats-‐show | egrep 'syn|HDFS|MR|Cassandra’ switch vlan vxlan client-‐ip server-‐ip server-‐port syn est fin obytes ibytes total-‐bytes avg-‐dur avg-‐lat last-‐seen-‐ago Leaf2 103 0 103.103.103.10 103.103.103.20 HDFS-‐Namenode-‐WebUI 0 0 198 442G 198 442G 10.01s 157us 1m39s Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐Namenode-‐WebUI 0 0 198 445G 198 445G 10.01s 354us 1m39s Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐DataNode-‐Metadata 0 0 198 465G 198 465G 10.01s 229us 28s Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐Metadata-‐operations-‐8020 0 0 198 469G 198 469G 10.01s 207us 1m8s Leaf2 103 0 103.103.103.20 103.103.103.10 Cassandra-‐Client-‐Thrift 0 0 197 473G 197 473G 10.01s 277us 10m38s Leaf2 103 0 103.103.103.20 103.103.103.10 MR-‐History-‐WebUI 0 0 197 474G 197 474G 10.01s 199us 14m39s Leaf2 103 0 103.103.103.20 103.103.103.10 Cassandra-‐JMX-‐Monitoring 0 0 197 475G 197 475G 10.01s 253us 10m58s Leaf2 103 0 103.103.103.20 103.103.103.10 Cassandra-‐OpsCenter-‐Agent 0 0 197 476G 197 476G 10.01s 256us 10m18s Leaf2 103 0 103.103.103.20 103.103.103.10 MR-‐JobTracker 0 1 197 477G 197 477G 10.01s 258us 8s Leaf2 103 0 103.103.103.10 103.103.103.20 Cassandra-‐OpsCenter-‐Agent 0 0 197 477G 197 477G 10.01s 892us 10m18s Leaf2 103 0 103.103.103.20 103.103.103.10 MR-‐Tasktracket-‐WebUI 0 0 197 478G 197 478G 10.01s 222us 14m49s Leaf2 103 0 103.103.103.10 103.103.103.20 HDFS-‐Secondary-‐NameNode 0 0 198 480G 198 480G 10.01s 898us 19s Leaf2 103 0 103.103.103.20 103.103.103.10 Cassandra-‐InterNode-‐Cluster 0 0 197 482G 197 482G 10.01s 195us 11m18s

Applica'on Names Total Bytes in 198 Flows

On Avg how long the TCP Connec'ons lasted

Avg-‐Latency For 198 flows

When the flow was ac've

Last Seen TCP Packet(FLAG)

Indicates for 1 TCP flow TCP Syn <> SYN/ACK complete and session ongoing

ApplicaWon Flow AnalyWcs

CLI (network-‐admin@ursa-‐perf) > client-‐server-‐stats-‐show start-‐time 2015-‐06-‐01T16:29:00 end-‐time 2015-‐06-‐01T17:59:00 switch time vlan vxlan client-‐ip server-‐ip server-‐port syn est fin obytes ibytes total-‐bytes avg-‐dur avg-‐lat last-‐seen-‐ago -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐ -‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐ -‐-‐-‐ -‐-‐-‐ -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ ursa-‐perf 06-‐01,16:29:54 1 0 1.1.4.1 1.1.4.2 http 0 0 1 2.96G 1 2.96G 10.01s 81.3us 18h40m33s ursa-‐perf 06-‐01,16:30:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 1 2.96G 1 2.96G 10.00s 80.8us 18h39m18s ursa-‐perf 06-‐01,16:32:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 10 11.0G 10 11.0G 10.02s 77.3us 18h37m27s ursa-‐perf 06-‐01,16:34:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 10 11.0G 10 11.0G 10.02s 61.6us 18h35m3s ursa-‐perf 06-‐01,16:35:54 1 0 1.1.4.1 1.1.4.2 ssh 0 0 10 11.0G 10 11.0G 10.02s 63.3us 18h34m35s ursa-‐perf 06-‐01,16:36:54 1 0 1.1.4.1 1.1.4.2 50010 0 10 0 18h33m46s ursa-‐perf 06-‐01,16:38:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 20 32.7G 20 32.7G 1.10m 50.8us 18h31m22s ursa-‐perf 06-‐01,16:40:54 1 0 1.1.4.1 1.1.4.2 50010 0 90 10 23.5G 10 23.5G 2.00m 6.64us 18h29m7s ursa-‐perf 06-‐01,16:42:54 1 0 1.1.4.1 1.1.4.2 nfs 0 0 100 131G 100 131G 2.00m 45.2us 18h27m7s ursa-‐perf 06-‐01,16:45:54 1 0 1.1.4.1 1.1.4.2 50010 0 1 0 18h24m20s ursa-‐perf 06-‐01,16:47:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 1 3.99G 1 3.99G 2.00m 77.0us 18h22m20s ursa-‐perf 06-‐01,16:48:54 1 0 1.1.4.10 1.1.4.2 5001 1 0 0 18h21m33s ursa-‐perf 06-‐01,16:48:54 1 0 1.1.4.10 1.1.4.2 50010 0 1 0 18h21m10s ursa-‐perf 06-‐01,16:49:54 1 0 1.1.4.1 1.1.4.2 50010 0 1 0 18h21m ursa-‐perf 06-‐01,16:49:54 1 0 1.1.4.10 1.1.4.2 50010 0 4 1 2.96G 1 2.96G 10.00s 15.0us 18h20m18s ursa-‐perf 06-‐01,16:50:54 1 0 1.1.4.10 1.1.4.2 50010 0 0 5 10.8G 5 10.8G 30.01s 138us 18h19m27s ursa-‐perf 06-‐01,16:51:54 1 0 1.1.4.1 1.1.4.2 50010 0 0 1 1.64G 1 1.64G 2.00m 38.4us 18h19m ursa-‐perf 06-‐01,16:51:54 1 0 1.1.4.10 1.1.4.2 50010 0 0 5 13.7G 5 13.7G 30.01s 59.4us 18h18m57s

Applica'on Port Total Output Bytes per flow

How long the TCP Connec'on lasted

Avg-‐Latency When the flow was ac've

Last Seen TCP Packet(FLAG)

Client-‐Server AnalyWcs w/ Time Machine

admin@F64LSpine1:~# cli client-‐server-‐stats-‐show | egrep 'syn|HDFS|MR|Cassandra|Nutanix’ switch vlan vxlan client-‐ip server-‐ip server-‐port syn est fin obytes ibytes total-‐bytes avg-‐dur avg-‐lat last-‐seen-‐ago

Leaf2 103 0 103.103.103.10 103.103.103.20 HDFS-‐Namenode-‐WebUI 0 0 197 441G 197 441G 10.01s 158us 1m58s Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐Namenode-‐WebUI 0 0 197 444G 197 444G 10.01s 351us 1m58s

Leaf2 103 0 103.103.103.20 103.103.103.10 Nutanix-‐Stats Aggregator-‐Monitor 0 0 196 463G 196 463G 10.01s 258us 8m56s Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐DataNode-‐Metadata 0 0 197 464G 197 464G 10.01s 230us 48s

Leaf2 103 0 103.103.103.20 103.103.103.10 Nutanix-‐Transfer-‐Manager 0 0 196 465G 196 465G 10.01s 240us 9m37s

Leaf2 103 0 103.103.103.20 103.103.103.10 Nutanix-‐Chronos-‐Node 0 0 196 466G 196 466G 10.01s 248us 9m47s <snip>….

Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐Secondary-‐NameNode 0 0 197 487G 197 487G 10.01s 247us 38s

Leaf2 103 0 103.103.103.20 103.103.103.10 HDFS-‐DataNode-‐WebUI 0 0 197 487G 197 487G 10.01s 255us 1m18s

0 200 400 600 800 1000

avg-‐latency

avg-‐lat

cli client-‐server-‐stats-‐show no-‐show-‐headers parsable-‐delim , | egrep 'syn|HDFS|MR|Cassandra|Nutanix' >> bigdata1.csv

Excel ReporWng using CSV format export

Tracing CongesWon Along The Path Of A Flow

./flowtrace_new.py -‐n aquila02 -‐c 10.9.18.249 -‐s 10.9.9.73 ==================================vport info=============================== The packet enters fabric through pn-‐dev01 port 15 The packet leaves pn-‐dev01 through port 63 and enters aquila02 through port 10 The packet leaves aquila02 through port 129(36,40) and enters spine02 through ports 4,5 The packet leaves fabric through spine02 port 17

pn-‐dev01

aquila02

spine02

15

63

Visibility into conges'on sta's'cs on each port along the path of the applica'on flows

36,40

4,5

17

10

Top Talkers App

Client Server Loca'on

Latency

Top Talkers

Server

Dura'on Device

Manufacturer

Built-‐in PCAP Capture Of Any Flow In The Fabric

admin@S68-‐Leaf1:~# snoop -‐v -‐d igb0 Using device igb0 (promiscuous mode) ETHER: -‐-‐-‐-‐-‐ Ether Header -‐-‐-‐-‐-‐ ETHER: ETHER: Packet 1 arrived at 18:25:15.03827 ETHER: Packet size = 66 bytes ETHER: Destination = 64:e:94:30:2:4b, ETHER: Source = 78:da:6e:65:1d:58, ETHER: Ethertype = 0800 (IP) ETHER: IP: -‐-‐-‐-‐-‐ IP Header -‐-‐-‐-‐-‐ IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. .... = 0 (precedence) <snip> IP: Header checksum = 2ba6 IP: Source address = 50.203.11.18, 50-‐203-‐11-‐18-‐static.hfc.comcastbusiness.net IP: Destination address = 192.168.1.53, EBC-‐Leaf-‐1 IP: No options IP: TCP: -‐-‐-‐-‐-‐ TCP Header -‐-‐-‐-‐-‐ TCP: TCP: Source port = 63469 TCP: Destination port = 22 TCP: Sequence number = 3984394763 TCP: Acknowledgement number = 3169545619 TCP: Data offset = 32 bytes TCP: Flags = 0x10 TCP: 0... .... = No ECN congestion window reduced TCP: .0.. .... = No ECN echo TCP: ..0. .... = No urgent pointer TCP: ...1 .... = Acknowledgement TCP: .... 0... = No push <Snip>

�� !  Multi-gig�� flow�� capture�� with�� vflow��

!  Integrated�� wireshark�� decoding��

Customer Example: US Insurance Company Large Scale BGP Fabric For Big Data ApplicaWon

Pluribus Architectural Value: !  Fabric management simplificaWon !  Monitoring and visibility of Hadoop

cluster performance

Requirements: !  BGP fabric with 144 racks !  Economics !  Interop w/ third party modular spine

switch with rapid failover

Integrated AnalyWcs Use Cases: Financial Company Fabric AnalyWcs For AudiWng, Compliance

Pluribus Architectural Value: !  Fabric management simplificaWon !  E-‐W flow analy'cs w/ forensic

recording and inline PCAP capture !  Granular flow control (vflow)

Requirements: !  Three Data Centers Chicago-‐New

York-‐London !  Leaf-‐Spine architecture !  Audi'ng, compliance, forensic flow

visibility

Netvisor�� plug&play�� Network�� Virtualization�� VNET�� Microsegmentation�� And�� multi-user�� control�� VxLan�� orchestration�� in�� the�� network�� (no�� tunnel�� tax)��

ONUG (Open Networking User Group) Overlay Working Group

VxLan Lab Test Setup and Results May 13-14, 2015

Test Configura'on

VXLAN Tunnel

L3 CORE

Automatic tunnel provisioning (Zero

Config)! On-demand, dynamic VXLAN Encap/Decap!

VLAN 100 VLAN 100

VLAN 300 VLAN 300

100K VMs •  95% line rate@10Gbps

•  0% packet drop •  Convergence: •  Cold: 25.54sec •  Warm: 7.35sec

F64 (Intel FM6000) E28 (Broadcom Trident 2)

VLAN 400

VLAN 500

VLAN 500

VLAN 400

VLAN 500

VLAN 500

Unified Overlay and Underlay w/ Switch VTEP Off-‐load

VXLAN over BGP fabric or VXLAN for L2 POD extension !  Netvisor SDN Fabric to orchestrate

and automate VXLAN tunnel offload on Leaf switches

!  Keep server networking simple and eliminate VXLAN encap/decap performance tax

!  ONE fabric with seamless overlay-‐underlay (VXLAN) visibility

!

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

L3#

L2#$#VLAG# L2#$#VLAG# L2#$#VLAG# L2#$#VLAG#

IP/ECMP'Fabric'

!

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

L3#


IP/ECMP'Fabric'VXLAN Tunnel

POD #1 POD #2 L3 CORE

!

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

L3#


IP/ECMP'Fabric'VXLAN Tunnel

100K VMs •  95% line rate@10Gbps

•  0% packet drop •  Convergence:

•  Cold: 25.54s •  Warm: 7.35s

L3 CORE route

route

route

route

route route

route

route

route

route

route

route

route route

route

POD

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

POD

POD

POD

TradiWonal Server Overlays

Centralized Controller

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

L3 CORE

POD

POD

POD

Netvisor Dynamic Switch Overlays

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

VM VM VM

①  Dynamic switch-‐based VXLAN encap/decap

②  Reduce # of tunnels (e.g. ~3K+!12) and remove servers encap/decap

Distributed Cluster w/ Overlay OrchestraOon

L3 CORE

POD

Netvisor OFV Architecture Unify Overlay & Underlay

!

!" !

L3!

VXLAN !Tunnel endpoint!

VXLAN! Eliminate host perf. penalty!(as high as 65% drop) by off-loading tunneling to switch ASIC @ line rate!

0!1!2!3!4!5!6!7!8!9!

10!

64Bytes! 512Bytes! 1450Bytes!

Gb

ps!

OVS to OVS performance!

Baseline!Switch Overlays!Server Overlays!

Fabric-based Overlay tunnel orchestration and segmentation " one fabric for physical and virtual!

Uncompromised physical/virtual visibility!

Netvisor Fabric MulW-‐tenancy And SegmentaWon

!  Rapid provisioning of secure virtual networks (aka VNETs) with management, control and data plane isola'on

!  Provision in minutes per tenant virtual routers with management, control, data plane isola'on

!  Per tenant virtual services: vSLB, vFW, vCLI, DNS, DHCP, Pixie, NTP…

!  Per tenant visibility of flows, services, VMs…

VLAN%10(12% VLAN%20(22% VLAN%30(32%

App 1 App 100

Customer Example: US Financial Company Fabric VirtualizaWon For Cloud App. Delivery

PN Arch. Value: !  Consolidate 100 vRouters under

netops control on 2 devices !  VNET for app developers control !  Analy'cs to monitor applicaWon

performance

Requirements: !  Per tenant/app virtual routers for BGP

peering with AWS vRouters !  Visibility and ease of troubleshoo'ng

cloud connec'on !  Allow each tenant to manage and

monitor its own router/virtual network

App 2

Netvisor�� has�� Mature�� Enterprise�� HA�� Adds�� value�� to�� rest�� of�� your�� IaaS�� and�� PaaS��

High-‐Availability

!  Peer-‐to-‐peer highly available cluster technology for the fabric !  Distributed, no central controller, single point of failure !  Most fabric opera'ons as atomic transac'ons, either they

succeed or fail across the en're fabric cluster

!  Networking: !  Mul'-‐chassis LAG with sub < 200 ms failover !  Ac've-‐Ac've VRRP with sub < 200 ms failover (no VRRP

'mer dependency) !  BFD for BGP for sub-‐second failover !  ISSU across the en're fabric of switches (rolling upgrade)

!  Netvisor drivers support ML2 based neutron plugin qualified for Juno/Icehouse. The plugin repo is publicly available at hkps://github.com/PluribusNetworks/pluribus_neutron/tree/master/neutron-‐plugin-‐pluribus

!  The ML2 plugin supports: !  Na've neutron APIs for logical networks/subnets/port management !  L3 agent APIs for logical router management !  NAT capability on the switches !  Loadbalancer API support

!  In addi'on the ML2 plugin supports Netvisor specific advanced extensions: !  HW based rouWng !  High availability (VRRP) for logical routers !  NFS backed store for glance to deliver sta'c image content !  Host analyWcs /visibility into tenant traffic !  Flow programming (vflow) across the fabric (vflow) !  Full PCAP vflow packet capture !  Per-‐tenant QOS/SLA !  Tracking VM lifecycle using virtual ports concept on Netvisor

Netvisor OpenStack Highlights

Summary – Pluribus Netvisor Differentiation

Fabric-wide !Multi-box!

management!

Simple to Manage! Simple to Monitor!

Fabric-wide!Application and VM Visibility/Analytics!w/ Time Machine!

Fabric-wide!Programmability,!

NFV, Flow !Programmability!

Simple to Program!And Secure!

Simple to Virtualize!

Fabric-wide! Unified Overlay/

Underlay +!Penalty-free VXLAN

Tunnel Orchestration!!

Netvisor Server-Style Distributed Cluster ! ONE “Touch Point” For The Entire Fabric!

Thank�� you��

www.pluribusnetworks.com��

9th sdn expert group seminar - session3

Technology

condenal netvisor

virtualizations robert