plnog 13: sławomir słowiński: the real potential of network virtualization

Copyright 2013 Alcatel-Lucent. All rights reserved.CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW

PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTIONNuage Networks

Sławomir Słowiń[email protected]+48 783 948 102

Prawdziwy potencjał wirtualizacji sieci

@slowinskis

mailto:[email protected]

• Czym jest Nuage Networks

• Omówienie komponentów rozwiązania

• Pokaz demo

Agenda

Alcatel-Lucent venture

Headquartered in Mountain View, CA – Silicon Valley

Staffed by IP Routing and Virtual Compute experts

Nuage Networks

Software Defined Networking

VPN

VPN

VPN

VPN Internet

Network Virtualization

Massive IPScale

Policy BasedEndpoint Attachment

Best in class, proven technologies and software development

A Powerful Ecosystem

Datacenter Network

Compute is Virtualized

Available in Minutes

Network is Partially Virtualized

Configuration takes Days/Weeks

Static addressing = chained resources

NetworkConfiguration

Compute Management

New Tenant / Application Request

Auto-instantiation

Compute Request completed in

Minutes

Help DeskChange Control

IP Address

VLAN Address

FirewallConfiguration

LAN (VLAN)Configuration

WAN (IP)Configuration

Security / QATeam

ProjectCoordinator

Network Changecompleted in days/Weeks

Service velocity is hindered by manual network process

00:01

Nuage Networks policy templates and role-based workflow

Compute Management

Tenant / Application RequestNetworking

Security/ Compliance

Service velocity is not hindered by manual network process

Auto-instantiation

Compute Request completed in Minutes

00:01

IP address

WAN interconnect

Policy / Security Zones

L2 /L3 Service AD

Service chaining

Templates

Nuage Networks VSP

Policy Instantiation• IP address 10.x.y.z• VLAN configuration• WAN configuration• Security / FW settings• QoS parameters• …

Network ChangeCompleted automatically

00:01

Nuage Networks Virtualized Services Platform

Cloud Service Management Plane

VirtualizedServicesDirectory

Datacenter Control Plane

VirtualizedServicesController

Virtualized Services Directory (VSD)• Network Policy Engine – abstracts complexity• Service templates and analytics

Nuage NetworksVirtualized Services Platform (VSP)

Virtual Routing & Switching (VRS)• Distributed switch / router – L2-4 rules• Integration of bare metal assets

Virtualized Services Controller (VSC)• SDN Controller, programs the network• Rich routing feature set

Edge Router

MP-BGP

MP-BGP

DatacenterData Plane

VirtualRouting & Switching

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Brooklyn Datacenter - Zone 1

IP Fabric

Hardware GW for

Bare Metal

From ALU SR7750 to Nuage VSP

Server 1

Server n

NUAGE VIRTUAL SERVICE NODE (vPE)

Server 2 Ope

nflow

Mixing proven SROS & cloud technologiesProven 7750 SROS technology

VRS

VRS

VRS

VirtualizedServicesController (VSC)

Line card

Line card

7750 (SROS) or any Switch, Router, PE

Line card

Control Plane Card

Prop

rieta

ry P

roto

col

Virtualized Services Directory (VSD)

IP Traffic

XMPP

Virtualized Services Directory(VSD)

• VIRTUAL MACHINE BASED• SERVICE DEFINITION• POLICY ESTABLISHMENT• SERVICE TEMPLATING• ANALYTICS ENGINE &

REPORTING

NETWORKS

SECURITY

QoS

STATISTICS

ZONE POLICIES:WEB ACCESSBACKEND LOGICETC.

CRM APP :- VM“80MBPS – REAL TIME”

THRESHHOLD ALARM

UI

UI

REST API

MessageBus

Domain

Zones

Subnets

Policies

VPNPublic Internet



Virtual Routing &Switching

Hypervisor

VSD Service Abstractions

DOMAIN A logical distributed router that enables L2 & L3

communication

ZONE A set of network endpoints that must adhere to

the same security policies

SUBNET A layer 2 segment that allows communication

between VMs

POLICIES Security, QoS, Statistics,Service chainning

Routed Domain

Zones

Subnets

Policies

Managed VPN Network

Public Internet

SEPARATED PER ORGANIZATION/ENTERPRISE

VSD organizations - logical view

Firewall

Firewall

W

BLBL

W

Domain PROD

Prod Biz Logic Zone

Prod Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

Firewall

Firewall

W

BLBL

W

Domain TEST

Test Biz Logic Zone

Test Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

ENTERPRISE CUSTOMER A

Firewall

Firewall

W

BLBL

W

Domain PROD

Prod Biz Logic Zone

Prod Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

Firewall

Firewall

W

BLBL

W

Domain TEST

Test Biz Logic Zone

Test Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

ENTERPRISE CUSTOMER C

Firewall

Firewall

W

BLBL

W

Domain PROD

Prod Biz Logic Zone

Prod Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

Firewall

Firewall

W

BLBL

W

Domain TEST

Test Biz Logic Zone

Test Web Zone

Subnet 2

Subnet 1

Subnet 3

WAN/Internet

ENTERPRISE CUSTOMER B

• Service Provider Level– Service provider has full visibility of the

infrastructure state• Organization level

– Isolates different enterprises– Enterprise IT admins responsible for

enterprise policies• Group level

– Identifies groups of users with with similar requirements

– A user can belong to more than one groups

• User level– End user control of service creation

VSD User Hierarchy

UsersGroupsEnterpriseSP

Service Provider

Organization A

EngineeringUser4

User1

QAUser3

User2

OperationsUser1

User2

Organization BEngineering

User1

User3

OperationsUser1

User2

Service Provider

Enterprise A

Enterprise B

Engineering

Operations

QA

Operations

Engineering

User 2

User 1

User 3

User 2

User 1

User 2

User 1

User 3

User 1

User 2

Domain 2

App Container

Zones

Domain 1

App Container

Zones

ROLE BASED HIERARCHY FLEXIBLE ASSIGNMENT TO RESOURCES

Flexible Role-based Policy Design

ACL Designer

• Graphical selection of ACL entries to edit based on ACL endpoints

– Connect two endpoints to create rules between them

– Select an existing edge to edit the related ACL entries

– Order ACL entries in the priority list at the bottom

– Selected ACL entries are highlighted

• Supports additional ACL capabilities in 2.0

– ToEndpoint and FromEndpoint ACLs– vPort Tags– Port ranges– Redirect action

ACL Redirect action- service chaining

• Within a single routing domain, the network designer wants to force traffic to flow through other devices (e.g. Firewall, Load balancer)

• In addition to allow and drop actions, the Redirect action sends traffic to another VM, bypassing the routing table

• A vPort Container can be used used as redirect destination

• Lines A show standard routing• Lines B show ACL redirect

• VIRTUAL MACHINE BASED• SDN CONTROLLER• POWERED BY SERVICE

ROUTER OPERATING SYSTEM (SROS)

• PEERING & FEDERATION• AUTO-DISCOVERY• TENANT SLICING

Virtualized Services Controller(VSC)

SROS BASEDSMNP/CLIBGP/IGP

SERVICE MGRForwarding dBRIB/FIB

XMPP

Std. ProtocolControl pathto VRS

Message bus for:Event NotificationsPolicy Push

Security

Load Balancing

IP Traffic

XMPP




Hypervisor

Virtualized Services Controller (VSC)

Mechanics of VSC Requests policy from VSD at time of VM instantiation (XMPP)

Programs VRS with allowed forwarding entries and manipulation instructions (OpenFlow)

Runs MP-BGP (IP-VPN) with DC Router to advertise accessible VMs

Runs as federation for scalability reasons. Runs MP-BGP (EVPN) to exchange VXLAN ID/MAC/IP reachability information

Participates in IGP (ISIS/OSPF) with local DC fabric to ensure VMs can be reached

VSD

Hyper

Network Service Definintion

VSC

xmpp

VSC

VRS

VM VMVM

MP-BGP (EVPN)

OpenFlow

DCR

MP-BGP (IPVPN)

L2 or L3

(VLAN, VXLAN, GRE)

Virtual Routing and Switching(VRS)

VRS-H*

VRS-G

VRS-X

VRS-V

Citrix XEN Hypervisors

VMware vSphere Hypervisors

Microsoft Hyper-V Hypervisors

Gateway for Bare Metal Servers &Appliances

KVM Hypervisors

VRS-K

Support for Brand X Hypervisor

VRS-?

L2-L4 VIRTUAL SWITCH• OPEN V-SWITCH BASED • PROVIDES BOTH VXLAN

AND MPLSoGRE TUNNEL ENCAPSULATION OPTIONS

• PROGRAMMED THROUGH OPENFLOW FROM VSC, ENCAPSULATES VM FLOW INTO PREFERRED PROTOCOL (L2 OR L3)

• DETECTS VM INSTANTIATION AND TEARDOWN

IP Traffic

XMPP




Hypervisor


Hypervisor

*Hyper-V supported in an upcoming release

Virtualized Routing and Switching (VRS)

L3-Service – GUI + Data Model

L3 Domain(will be translated to VPRN

instance) Subnet(will be translated to R-VPLS

instance)

vPortHost/Bridge/Virtual Machine

= Attachment point

Actual Interface with IP/MAC

Virtual Network representation in VSC

SAP

VM

dVRS

dVPRN20013

R-VPLS 20015

R-VPLS 20016

VXLAN 2001 Tunnels

VRF Tunnels to DC PE GWs

UDP

GRE

UDP

VXLAN 2000 Tunnels

SAPSAPSAP

VM VM VM

Server 1

Server 2

Server n

Openflow

VRS

VRS

VRS VM

VM

VM

VM

dVRS

dVPRN X

dVRS

dVPRN X

VPLS 2000

VPLS 2001

VPLS 2000

VPLS 2001

VPRN X

R-VPLS/VXLAN 2000

W2

Subnet 10.1.0.0

10.1.0.1, M1

10.1.0.101

10.1.0.102

R-VPLS/VXLAN 2001

Subnet 10.2.0.0

10.2.0.101

10.1.0.102 B

10.1.0.2, M2

VSW1 VSWn

IF1 IF2

IF1 IF1IF2 IF2

dVRS Logical View across

VSCs

dVRS view in VSW Nuage VRS Agent

W1 B

dVPRN Default Gateway MAC & IP Assignment

Network Services Instantiation with Nuage NetworksNetwork policies defined in advanced (UI or API)







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm

unications


Domain

Zones

Subnets

Policies

VPNInternet

① Openstack receives request for compute assets

Request for compute assets by Cloud Manager







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

1

Cloud Manager to H

ypervisor comm

unications


Domain

Subnets

VPNInternet

ZonesPolicies

Network Services Instantiation with Nuage Networks

① Openstack receives request for compute assets② VM instantiated on hypervisors

Virtual Machine allocation by Compute Manager







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

2

2

Cloud Manager to H

ypervisor comm

unications


Domain

Subnets

VPNInternet

ZonesPolicies


① Openstack receives request for compute assets② VM instantiated on hypervisors③ Event triggers Nuage VRS which informs VSC of VM placement

a. VSC queries VSD on policyb. VSD issues VSC with network service templatec. VSC deploys policy to applicable VRS’s

Policy decision and network deployment







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

3c

3c

3

3b

3a

Cloud Manager to H

ypervisor comm

unications


Domain

Subnets

VPNInternet

ZonesPolicies


① Openstack receives request for compute assets② VM instantiated on hypervisors③ Event triggers Nuage VRS which informs VSC of VM placement

a. VSC queries VSD on policyb. VSD issues VSC with network service templatec. VSC deploys policy to applicable VRS’s

④ Network services are created based on policy from VSD

Network connectivity instantiated







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

NetworkServices

4

Cloud Manager to H

ypervisor comm

unications


Domain

Subnets

VPNInternet

ZonesPolicies


Domain

Subnets

VPNInternet

ZonesPolicies

Multi-zone (Intra-Datacenter)






HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm

unications HYPERVISOR

HYPERVISOR

HYPERVISOR

Network Services

Brooklyn Datacenter - Zone 1 Brooklyn Datacenter - Zone 2


Inter Datacenter with multiple Cloud Managers






HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm


HYPERVISOR

HYPERVISOR

Network Services

HYPERVISOR

HYPERVISOR

HYPERVISOR

Manhattan Datacenter - Zone 2Brooklyn Datacenter - Zone 1 Brooklyn Datacenter - Zone 2

Domain

Subnets

VPNInternet

ZonesPolicies


Inter Datacenter with multiple Cloud Managers







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm


HYPERVISOR

HYPERVISOR


HYPERVISOR

HYPERVISOR

HYPERVISOR

Network Services


Manhattan Datacenter - Zone 2

Federation of Controllers

Domain

Subnets

VPNInternet

ZonesPolicies


Federated Inter Datacenter Services (multiple CMS)







HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm


HYPERVISOR

HYPERVISOR


HYPERVISOR

HYPERVISOR

HYPERVISOR

Network Services


Federation of Controllers

EdgeRouter

MPLS(MP-BGP)

Service Provider Control Plane

Service Provider Data Plane

BusinessVPN Service

PrivateDatacenter

MP-BGPMP-BGP

Domain

Subnets

VPNInternet

ZonesPolicies


Seamless Enterprise - Datacenter connectivity






HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Cloud Manager to H

ypervisor comm


HYPERVISOR

HYPERVISOR

Brooklyn Datacenter - Zone 1 Brooklyn Datacenter - Zone 2

Domain

Subnets

VPNInternet

ZonesPolicies

CloudBand

HYPERVISOR

HYPERVISOR

HYPERVISOR



Network Services

EdgeRouter

MPLS(MP-BGP)

WAN Control Plane

WAN Data Plane

BusinessVPN Service

PrivateDatacenter

MP-BGP

CPE

VPN

CPE

VPN

CPE

VPN


SD VPN

Nuage Networks Covers Full Range of Options

High-Performance Gateways

Software Gateways

Third party/“White Boxes”

Nuage VRS-G

Recommended for small DCs Limited number of bare metal servers

Hardware VTEPs

OVSDB, VXLANOpen Ecosystem

L2 only, introducing L3 services Capability tradeoffs across various

options

Nuage Networks7850 VSG

Virtualized Services Gateway

Carrier grade OS, consistent feature set Recommended for large DCs Large number of bare metal assets

30.09.201433

NUAGE VSP DEMO

30.09.201434

www.nuagenetworks.net

@nuagenetworksSławomir Słowiń[email protected]+48 783 948 102

mailto:[email protected]

plnog 13: sławomir słowiński: the real potential of network virtualization

Documents

test biz logic zonesubnet

prod biz logic zonesubnet

bl blsubnet

bl bldomaintestsubnet

minutes network

datacenter network compute

manual network process00

set of network endpoints