• Share
  • Email
  • Embed
  • Like
  • Private Content

Software Defined Networking: Why We Like It and How We Are Building On It



Software Defined Networking (SDN) is a compelling development for the public sector. It helps to simplify operations by automating and centralizing network management tasks. It makes the network more ...

Software Defined Networking (SDN) is a compelling development for the public sector. It helps to simplify operations by automating and centralizing network management tasks. It makes the network more responsive to dynamic business and institutional needs by coupling applications with network control. Finally, Software Defined Networking gives IT teams more agility, because they can quickly customize network behavior for emergent business needs.



Total Views
Views on SlideShare
Embed Views



1 Embed 7

https://twitter.com 7



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Software Defined Networking: Why We Like It and How We Are Building On It Software Defined Networking: Why We Like It and How We Are Building On It Document Transcript

    • 1 © 2013 Cisco and/or its affiliates. All rights reserved.White PaperSoftware-Defined Networking: Why We Like Itand How We Are Building On ItWhat You Will LearnAccording to the Open Networking Foundation (ONF), software-defined networking (SDN) is a network architecture thatdecouples the control and data planes, moving the controlplane (network intelligence and policy making) to an applicationcalled a controller. Cisco advocates a broader view of SDN thatincorporates multiple models for network programmability, inaddition to the controller/agent model defined by the ONF forOpenFlow.This white paper presents the Cisco perspective on SDN:• Programming network behavior is a valuable capability forpublic sector organizations, especially as they prepare forbig data, surging video traffic, Bring-Your-Own-Device(BYOD) environments, and cloud computing.• Academia and the scientific research community havesuccessfully applied network programmability to facilitatedata sharing across institutions, and to deploy new types ofdistributed computing applications. In several instances, theOpenFlow protocol has replaced more traditional ways ofsupporting these deployments.• Several Cisco®products have OpenFlow-capable imagesavailable, and there is a well-defined roadmap to expandOpenFlow support.• To broaden the possibilities for network programming, andto address a wider range of use cases, a more expansiveview of network programmability is needed. Cisco hasdeveloped the Cisco Open Network Environment (ONE)architecture as a multifaceted approach to networkprogrammability delivered across three pillars:• A rich set of application programming interfaces (APIs)exposed directly on switches and routers to augmentexisting OpenFlow specifications• A production-ready OpenFlow controller and OpenFlowagents• A suite of products to deliver virtual overlays, virtualservices, and resource orchestration capabilities in thedata centerOpenFlow: Where It Is Strong and Where It Is LimitedCisco is positive about OpenFlow. Cisco has developed afull-featured, production-ready OpenFlow Controller called theCisco Extensible Network Controller. Several Cisco switcheshave OpenFlow agents available, and our roadmap calls for fullysupported agents on the majority of Cisco routing and switchingproducts.OpenFlow is designed to support policy-based flowmanagement within a network. OpenFlow is particularly wellsuited to use cases satisfied by pushing predefined policies toimplement network segmentation. In addition to simple flow-matching and forwarding capabilities, later releases of theOpenFlow specification have introduced ways to implementsimple quality of service (QoS) and flow metering.In spite of these capabilities, there are several areas of networkprogrammability that are outside the current scope of OpenFlow:• Facilities for element device management and monitoring:Operating system image management, hardwaremanagement, zero-touch deployment, event triggering,element location information, and more• Capability to directly influence forwarding behavior of anetwork element: Routing Information Base/ ForwardingInformation Base (RIB/FIB) manipulation, route status, routingprotocol advertisements, add/delete routes, and broad-spanning tree support• Data packet payload manipulation: On-box encryptionand VPN, customized encryption algorithms, deep packetinspection, application awareness requiring payloadinspection, ability to inject packets into a network stream• Service deployment: OpenFlow has no ability to instantiatea service directly on a network element. Service examplesinclude firewall, Wide Area Application Services (WAAS),intrusion protection system (IPS) software, SDN Enabledbroadband network gate (BNG), video monitoring, etc.• Distributed control plane and APIs: OpenFlow’s reliance ona centralized control plane limits application run time options
    • 2 © 2013 Cisco and/or its affiliates. All rights reserved.A Broader Vision for Network ProgrammabilityThe Cisco vision for SDN is to provide true networkprogrammability, enabling developers to write applicationsthat extract real-time intelligence from the network, and applyanalytics and intelligence to determine the appropriate policy.Policy is then pushed to the network elements via OpenFlow,onePK, or other means (Figure 1).This closed-loop model provides a tight coupling of the network-to-business applications, giving the applications the ability tocoordinate network resources. This enables a scenario in whichthe network devices themselves provide analytics to detecttraffic changes that indicate a surge in a specific application’straffic. The orchestration application can then automaticallymodify policy to reconfigure the network to simultaneouslyoptimize both user experience and application performance.Figure 1 Cisco Vision for Network Programmability: Expose Network Value byHarvesting Network Intelligence to Dynamically Direct Policy2 © 2013 Cisco and/or its affiliates. All rights reserved.Flexible Deployment ModelsOpenFlow requires a controller deployed on a server. The controlleruses the OpenFlow protocol to communicate over the networkwith agents on switches and routers. Applications use APIs on theOpenFlow controller to implement network policy. Cisco believes itis advantageous to support multiple application deployment modelsin addition to the OpenFlow controller/application approach.Centralized control planes offer the advantages of easy operationsand management. A centralized model also introduces scalabilityconcerns and limits options for application deployment. Directaccess to decentralized device APIs opens a broad range ofapplication possibilities that are not available in an OpenFlowcentralized model. A hybrid approach, combining direct API accesson a device to augment API access via a controller, may well bethe optimal balance between centralized and decentralized controlplanes.The ability to instantiate a service anywhere in the network basedon dynamic demands has significant value. Flexible applicationdeployment models are critical to delivering that capability. TheCisco approach supports multiple application deployment options:• Applications running within software containers on routers andswitches• Applications executing directly on x86 hardware deployed onrouters and switches• Applications running on standalone or virtualized serversFlexible deployment models provide several advantages:• Applications can be deployed on any network node in any locationthat needs services without requiring reachability between thenode and a central controller.• Distributed application deployment facilitates scalability andminimizes control-plane latency. The scalability of centralizedcontrollers is as yet untested in large-scale productionenvironments. Without appropriate controller scalability, large-scale events could overwhelm centralized controllers by theworkload generated when processing large volumes of messageswhile simultaneously sending updated policies to hundreds ofdevices. Clustered controllers are entering the market at the timeof this writing, which could mitigate these effects.• Network devices can more swiftly adjust service policies inresponse to fluctuating flow demands when distributed devicecontrol planes are closely coupled with applications. OpenFlowscales best in a proactive control model where flows arestatically defined and policies pushed to network elements.Controller scalability becomes a concern when there is a needto dynamically modify policy in reaction to dynamic networkconditions, such as device hardware errors or other eventsimpacting link or service availability.OrchestrationIntelligenceProgrammabilityPolicy AnalyticsNetworkExpose Network ValueHarvestNetworkIntelligenceProgramfor OptimizedExperienceWhat Does This Mean for the Public Sector?The public sector has led the way in the adoption of SDNtechnologies, including OpenFlow. The scientific researchcommunity has growing expertise in using OpenFlow andother network programmability methods to solve the problemspresented by moving, securing, and analyzing large data sets.SDN Use CasesThe public sector also has unique challenges involving dataencryption and secure network transport. These use cases areparticularly suited to SDN solutions. Here are some examples:
    • 3 © 2013 Cisco and/or its affiliates. All rights reserved.• Selectively protect sensitive information by dynamicallyencrypting flows using custom algorithms running on anetwork device. This capability has value for many federalIT organizations, and it is a critical capability in multitenantcloud architectures. As state government IT data centerscentralize, they have a common need to encrypt particularapplication traffic from specific tenants. Cisco onePK hasthe ability to implement very granular policies, limitingencryption to only those flows requiring it, in addition todynamically instantiating encryption services on relevantnetwork nodes.• In higher education residence halls, an application deployedon a router checks a database to determine a student’ssubscribed Internet service tier. The application thenmodifies the packet QoS markings accordingly to reflectthe appropriate traffic class for that user. This can beaccomplished on a single router deployed at a remotecampus or a dorm hall edge without the need for a campus-wide OpenFlow deployment.• An application deployed on a router connects to thereservation database for Cisco TelePresence®System.Seeing that a multipoint Cisco TelePresence sessionis scheduled for specific time, the application instructsthe network to reserve the needed bandwidth for theappropriate time period. Cisco TelePresence does not haveunique ports specific to the Cisco TelePresence application.Cisco onePK would use packet payload inspection toidentify relevant flows. When the session concludes, thereserved bandwidth is released. Cisco onePK extends thetraffic steering use cases described earlier by allowing flowidentification based on payload analysis to augment tuplematching.• Improving network economics by extending routingprotocols to consider business parameters (such as dollarcost) in addition to technical parameters (such as speed)when selecting a network path.Cisco Direction: Building on OpenFlow with Cisco onePKTo expand the possibilities of network programmability, Ciscohas developed the Cisco ONE architecture (Figure 2). CiscoONE builds on OpenFlow, adding new capabilities to addresschallenges of WANs and data centers, as well as campusnetworks.• Improving network performance and right-sizing expensiveservice appliances by dynamically sensing trusted flows atthe network edge to direct them around stateful servicessuch as firewalls, IPS sensors, or network addresstranslation (NAT) devices. This is a valuable capability whenmultiple research institutions share data.• Automated provisioning of network bandwidth toaccommodate scheduled data transfers. SDN is usedto interface data management applications with thenetwork to set up and tear down required transport pathsto support large data set migrations. Distributed, high-throughput compute applications like HTCondor benefitby having a programmatic way to provision network pathsfor job distribution and workload management. Theseare frequently occurring use cases among scientificresearchers.• Isolation of network slices to segment the network byproactively pushing policy via a centralized controller tocordon off research traffic.• Many large institutions, university systems, and stategovernments are adopting converged data centerarchitectures to optimize application availability whilereducing costs. SDN enables organizations to simplify thetransition from multiple data centers to a single, multitenantarchitecture through the use of programmatic control ofvirtualized Layer 2 topologies and service orchestration.Use Cases Based on OpenFlow with Cisco onePK APIs• Direct access to device APIs to implement zero-touchinitial configuration as well as to automate configurationchanges. The Cisco onePK has the ability to use protocolssuch as Puppet to instruct a newly deployed device to pullits configuration from the appropriate server. Programmaticdelivery of network device configurations is desirable tominimize human error and to ease large-scale changes.Current methods are cumbersome and difficult to maintainacross products and releases. Cisco onePK introducesa common set of APIs across operating systems andproduct sets to allow a single application to manage aheterogeneous installed base.• Minimize the risk of new cyber-security threats that emergefrom the need to support BYOD. A student-owned tabletintroduces a known piece of malware onto the network. Anetwork device could use a Cisco onePK application withpacket payload inspection abilities to detect the malwareand automatically mitigate the threat by quarantining thedevice or updating routing advertisements to black hole theoffending traffic.
    • Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and anyother company. (0313R)Figure 2 Cisco ONE ArchitectureProgrammaticAPIsAgents andControllersNetworkVirtualizationInfrastructureSimplified Operations Enhanced AgilityOpen Network EnvironmentCisco believes that the problem domains of the WAN, campus,and data center differ enough that no single technology willbe an optimum fit for all realms. In addition, different customersegments have very different problems to address.Cisco ONE reflects that belief and lays out an approach tonetwork programmability incorporating a variety of technologies.Public sector organizations can use any or all of its components:• The rich programmatic interface of Cisco onePK. The CiscoonePK APIs give Cisco and third-party controllers directprogrammatic access to Cisco IOS®Software. They supporthundreds of programmatic actions, including device discov-ery, device management, and policy and routing control. Inaddition, Cisco onePK Data Path APIs allow programmaticaccess to extract, modify, and reinsert packets in an activeflow. The roadmap for Cisco onePK includes support forCisco IOS, IOS-XE, IOS-XR, and NX-OS operating systemsacross nearly all Cisco Catalyst®and Cisco Nexus®SeriesSwitches.• OpenFlow support on the Cisco production-ready control-lers: Unlike other OpenFlow controllers, the Cisco controllerprovides role-based access control, troubleshooting sup-port, topology-independent forwarding, the ability to injectsynthesized traffic, and trace routing. The controller hasbeen in field trials since the beginning of 2012.• Virtual overlays: Cisco virtual overlay technologies providemultitenant support and service orchestration using theVirtual Extensible LAN (VXLAN), and vPath features of CiscoNexus 1000V Series Switches. Virtual overlays use familiarSDN models of centralized control, but transport is ac-complished by encapsulating frames over a fixed, Layer 3topology.Conclusion and RecommendationsSDN is a compelling development for the public sector. It helpsto simplify operations by automating and centralizing networkmanagement tasks. It makes the network more responsiveto dynamic business and institutional needs by couplingapplications with network control. Finally, SDN gives IT teamsmore agility, because they can quickly customize networkbehavior for emergent business needs. The increasing velocityof application development will continue to drive IT organizationsto deploy technologies that allow them to scale and respond torapidly changing demands.We recommend that public sector organizations:• Develop a strategy to adopt network programmability withthe goal of reducing operational expense while providinga high-quality user experience when many traffic typescompete for bandwidth.• Take a phased approach to validate value and retire riskprior to large-scale deployment. Cisco is introducing SDNsupport across most of its switching and routing portfolio.This means you can conduct small-scale, proof-of-conceptpilots without investing in new hardware. In many cases, youcan deploy validated applications in production on existinghardware, with only a code upgrade.• If you use OpenFlow, consider the Cisco ONE Controller.This controller has many unique capabilities thatare necessary for production deployment, includingtroubleshooting features, role-based access control, andtopology-independent forwarding.For More InformationTo learn more about the Cisco Open Network Environment(ONE), visit: www.cisco.com/go/one.To learn more about Cisco onePK, visit: www.cisco.com/en/US/prod/iosswrel/onepk.html.To learn more about Cisco Nexus 1000V Series Switches, visit:www.cisco.com/go/nexus1000v.