Agile OpenStack Networking with Cisco Solutions


A session in the DevNet Zone at Cisco Live, Berlin. One of the key areas of Cisco's contribution to OpenStack has been the evolution and development of the OpenStack Networking service, Neutron. Using Neutron's Modular Layer 2 (ML2) plug-in and advanced services framework, Cisco has integrated its products and solutions with the networking service to simplify the deployment of highly scalable, manageable and performant networks. This session covers the Neutron reference implementation as well as the various OpenStack Neutron plugins/drivers for Cisco hardware and software products, including the Nexus 1k/3k/5k/6k/7k/9k, UCS FI, CSR 1kv, ASR1K, CPNR and Application Policy Infrastructure Controller (APIC). The audience will also learn about the Group Based Policy API in OpenStack, which is based on the ACI policy model. We further discuss different OpenStack networking architectures and deployments, and look at Cisco's community code contributions that enable and support IPv6 and NFV related features in Neutron.


  1. Agile OpenStack Networking with Cisco solutions – Rohit Agarwalla, Technical Leader, DEVNET-1107, roagarwa@cisco.com, @rohitagarwalla
  2. Agenda
     • Introduction to OpenStack
     • Cisco and OpenStack
     • OpenStack Networking – Neutron
     • Neutron Network Architectures
     • Cisco Integrations into Neutron
     • IPv6 and NFV in OpenStack
     • Summary/Q&A
  3. Introduction to OpenStack
  4. OpenStack Overview: open source cloud computing platform for private and public clouds. Design tenets – scale & elasticity; share nothing & distribute everything.
  5. OpenStack Projects: Compute (Nova), Dashboard (Horizon), Database (Trove), Network (Neutron), Image (Glance), Orchestration (Heat), Object Storage (Swift), Identity (Keystone), Data Processing (Sahara), Block Storage (Cinder), Telemetry (Ceilometer), Deployment (TripleO), Bare Metal (Ironic), DNS (Designate), Application Catalog (Murano), Containers (Magnum), Key Management (Barbican), Policy (Congress), File System (Manila), Messaging (Zaqar), …
  6. OpenStack Progress (timeline 2010–2016; started with the Compute and Storage services)
     • Austin – Oct 2010
     • Bexar – Feb 2011
     • Cactus – April 2011
     • Diablo – Sept 2011
     • Essex – April 2012
     • Folsom – Sept 2012
     • Grizzly – April 2013
     • Havana – Oct 2013
     • Icehouse – April 2014
     • Juno – Oct 2014
     • Kilo – May 2015
     • Liberty – Oct 2015 (12th OpenStack release)
     • Mitaka – April 2016
     • Newton – Oct 2016
     Figures shown on the slide: 130 contributors, 30 new features (early release); 1933 contributors, 760 new features, 8300 bugs fixed, 164 companies (12th release); 24,000 people, 495 companies.
  7. Cisco and OpenStack
  8. Cisco and OpenStack (four areas: Community Participation, Engineering, Partners/Customers, Cloud Services)
     • Cisco Validated Designs, UCSO
     • Work closely and jointly with customers to design and build OpenStack environments
     • OpenStack based Global Intercloud hosted across Cisco and partner data centers
     • Metapod (formerly MetaCloud)
     • Neutron/Cinder/Ironic plugins/drivers for Cisco infrastructure – Nexus, APIC, CSR1K, ASR1K, UCS
     • Cisco applications on OpenStack
     • Code contributions across several services – Network, Compute, Dashboard, Storage, Containers
     • Incubating new OpenStack related projects – GBP, PlaceWise, AVOS, VMTP
  9. OpenStack primary project code contributions by Cisco, Kilo + Liberty releases. Projects: Gnocchi, Kolla, Magnum, Neutron, Horizon, Devstack, Metering, Barbican, Heat. Contributions listed on the slide:
     • Transport Layer Security; sub-ordinate certificate feature
     • Multiple IPv6 prefixes, IPv6 PD; IPv6 router support; VLAN trunking; UCSM and Nexus drivers; ASR1000 driver; CSR1Kv VPN driver
     • Archive policy per metric level
     • New resources for Neutron PCI passthrough and Nova flavor; Heat template improvements; Neutron IPv6 and L3 plugin support
     • Kafka publisher; alarm severity; network services notification plugin; resource metadata caching
     • Curvature panel; Ceph panel
     • Containers – Ceilometer, Mongo, Neutron; container sets – database-control, messaging-control, service-control, compute-control, compute-operation-nova
     • Kubernetes plugin; Python API for k8s CLI; Container Networking Model
  10. OpenStack Networking – Neutron
  11. OpenStack Network Architecture (diagram: compute node(s) running compute and network agents; controller node(s) running database, message queue server, API services, scheduler, ...; network node(s) running network service agents and the router; API, external, data and management networks, with the external network reaching the Internet). Network purposes and reachability:
     • Management Network – used for internal communication between OpenStack components; reachable only within the data center
     • External Network – used to provide VMs with Internet access; reachable by anyone from the Internet
     • API Network – exposes all OpenStack APIs, including the OpenStack Networking API, to tenants; reachable by tenants
     • Data Network – used for VM data communication within the cloud deployment; reachable within the tenant address space
  12. Neutron Overview (diagram: logical model of Tenant A – a router joining subnet Red and subnet Blue, with VM1 and VM2; physical implementation – VM1 and VM2 on compute nodes behind vswitches on the data network, the router as a namespace on the network node(s) with a vswitch facing the external network and the Internet, controller node(s), and the management and API networks)
  13. OpenStack Neutron Architecture
     • Core + Extension REST APIs
     • Message queue for communicating with Neutron agents
     • Core and Service plugins
     • Different vendor core plugins
     • Different network technology support
     • ML2 plugin with Type and Mechanism drivers
     • Service plugins with backend drivers
     Diagram labels: Neutron Server exposes the Core API (Network, Port, Subnet) and the Resource and Attribute Extension API (ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, ...); Neutron core plugins – ML2 with Type Drivers (VLAN, GRE, VXLAN) and Mechanism Drivers (CiscoNexus, OVS, OpenDayLight, APIC, more vendor drivers), plus other vendor plugins; Neutron service plugins – LoadBalancer (HAProxy), Firewall (IPTables), VPN (StrongSwan), L3 Services (Namespace); agents reached over the Message Queue – DHCP Agent (dnsmasq), L3 Agent (IPTables on Network Node), L2 Agent (vSwitch).
  14. Neutron Architectures
  15. Layer 2 network tenant topologies (diagram: three variants, each with compute nodes running vswitches for VM1–VM4 over a data network and a fabric leaf / top of rack switch – host and network based VLAN; host based overlays; network based overlays; segments shown as VLAN or overlay)
  16. Layer 2 network tenant topologies – Design Considerations
     • Number of tenant network segments
     • VLAN based tenant networks: host; host and network
     • VXLAN based tenant networks: host; VXLAN offload – network
     • Multicast vs. controller
  17. Layer 3 tenant network topologies (diagram: three variants – a Linux host, i.e. a namespace on the network node(s); service VMs on the compute nodes; and a fabric or service node – each with compute nodes, vswitches, the data network and fabric / top of rack switches)
  18. Layer 3 network tenant topologies – Design Considerations
     • Number of tenant routers
     • External connectivity for tenant networks
     • Floating IPs
     • L3 traffic pattern: E-W and N-S routing
  19. Cisco integrations into Neutron
  20. Neutron Layer 2 Default Implementation (diagram: network REST API requests reach the Neutron Server and its ML2 core plugin; the Open vSwitch/Linux Bridge mechanism drivers send RPC messages to the agents on the network and compute nodes, which program the vswitch the VMs attach to)
     • Implements Neutron core resources
     • Open vSwitch and Linux Bridge mechanism drivers
     • Agents on network and compute nodes
     • Host based VLAN or overlay (VXLAN, GRE) type drivers
  21. Neutron Reference – East-West L2 (Switched) Traffic (diagram: three Nova hosts with VM1–VM6 and vswitches on the data network; controller host(s); Neutron host(s) with the router and DHCP ports; API, external and management networks; packet path animation for a packet traveling from VM1 → VM3)
  22. Neutron Cisco Nexus Driver (diagram: create/update port requests from the Nova compute nodes reach the Neutron Server / ML2 core plugin; the Cisco Nexus driver configures the Nexus ToR over netconf via ncclient)
     • Features: works with multiple Nexus platforms; VLAN configuration; VXLAN configuration – Nexus_VXLAN type driver, multicast, VLAN to VNI association
     • Benefits: no need to trunk all tenant VLANs on the compute node interfaces of the ToR; dynamic provisioning/deprovisioning on the ToR; network based overlays
  23. Neutron Cisco Nexus1000v Driver (KVM) (diagram: Neutron Server / ML2 core plugin with the Cisco N1Kv driver talking to the N1Kv VSM over its REST API; N1Kv VEM on the compute nodes; a Network Profile maps to a Network Segment Pool and a Policy Profile maps to a Port Profile)
     • Features: associate network profiles to Neutron networks; associate policy profiles to Neutron ports; supports VLAN and VXLAN (unicast and multicast) network segmentation; Horizon integration
     • Benefits: logical grouping of network segments; security, monitoring, quality of service (QoS); enhanced visibility and manageability of virtual machine traffic
  24. Neutron Cisco UCSM Driver (KVM) (diagram: Nova create/update port requests reach the Neutron Server / ML2 core plugin; the Cisco UCSM driver configures the UCS Fabric Interconnect through the UCSM SDK)
     • Features: Nova and Neutron enhancements to support SR-IOV; supports VLAN configuration of SR-IOV ports (using port profiles) and vNIC ports (using service profiles); enables configuration of VLAN profiles and automatic association with network ports
     • Benefits: SR-IOV and non-SR-IOV based UCS Fabric Interconnect configurations; configures multiple UCSMs
  25. Neutron DHCP Implementation (diagram: network REST API requests reach the Neutron Server / Neutron DHCP service, which sends RPC messages to the DHCP agent on the network node running dnsmasq)
     • Namespace and dnsmasq for every network
     • dnsmasq reloads with every port add/delete
  26. Neutron Reference – DHCP Traffic (diagram: three Nova hosts with VM1–VM6 and vswitches on the data network; controller host(s); Neutron host(s) with the router and DHCP ports; API, external and management networks; DHCP request/response animation for a packet traveling from VM1 → DHCP port)
  27. Neutron DHCP Implementation with Cisco Prime Network Registrar (CPNR) (diagram: network REST API requests reach the Neutron Server / Neutron DHCP service, which configures CPNR over its REST API and sends RPC messages to the DHCP agent on the network node; the agent runs a DHCP relay that forwards DHCP traffic from the compute nodes to CPNR)
     • DHCP configuration includes the CPNR API end point configuration
     • Mapping: Network to Virtual Private Network (VPN); Subnet to Scope
     • Requests and responses handled using UDP ports
     • Benefits: the relay is stateless and can be run Active-Active; highly available CPNR server for all tenants
  28. Neutron Routing Implementation (diagram: routing REST API requests reach the Neutron Server / L3 service plugin; the agent scheduler picks an L3 agent on a network node; L3 traffic from the VMs on the compute nodes goes through the network node)
     • L3 agent on the network nodes: default gateway, namespace and IPTables
     • A namespace maps to a Neutron logical router; IPTables handle address translation
     • Neutron router HA capabilities using VRRP
  29. Neutron Reference – East-West L3 (Routed) Traffic (diagram: three Nova hosts with VM1–VM6 and vswitches on the data network; controller host(s); Neutron host(s) with the virtual router; API, external and management networks; packet path animation for a packet traveling from VM1 → VM4 routed through the virtual router)
  30. Neutron Reference – North-South L3 Traffic (NAT) (diagram: three Nova hosts with VM1–VM6 and vswitches on the data network; controller host(s); Neutron host(s) with the virtual router; API, external and management networks; packet path animation for a packet traveling from VM1 → Internet, with NAT at the virtual router)
  31. Issues in Neutron Reference L3 and ASR1K Solutions
     • NAT for external connectivity – Issue: scale limitation in Linux iptables software NAT. Solution: ASR1K can scale up to 4 million dynamic NAT entries and 16K static NAT entries.
     • Tenant routing – Issue: scale limitations in Linux namespace based software tenant networking. Solution: ASR1K uses Virtual Routing and Forwarding (VRF) instances for tenant routers; ASR1K can scale up to 4k VRFs (8k in an upcoming release).
     • Tenant networks – Issue: scale limitations in Linux software based interfaces. Solution: the ASR1K plugin maps tenant networks to sub-interfaces on the ASR1K; ASR1K supports up to 64k sub-interfaces.
     • Data throughput – Issue: performance limitations with software packet forwarding and NAT on generic compute hardware. Solution: ASR1K can perform packet forwarding and NAT at rates up to 230 Gbps.
  32. Neutron Cisco ASR1000 for Neutron L3 Service (diagram: Neutron Server / L3 service plugin with the ASR1K routing device driver; the Cisco Config Agent configures the Nexus and the ASR1K over netconf)
     • Mapping of the Neutron reference L3 implementation: Linux namespaces – ASR1K VRF; internal router ports – ASR1K VLAN or port channel sub-interfaces; external gateway ports – ASR1K VLAN or port channel sub-interfaces; Linux IPTables – ASR1K NAT
     • Benefits: routing using physical infrastructure; support for HSRP and port channel; Neutron multi-region support
  33. OpenStack Neutron + Nexus + ASR: Physical Topology Example (diagram: layer-3 network core; ASR 1000 routers; OpenStack controller running the Neutron Server with the Cisco Config Agent; Nova compute nodes attached to a Nexus layer-2 fabric carrying tenant VLANs and external traffic; management network used for NETCONF provisioning)
  34. ML2 Nexus and ASR1K – East-West L3 (Routed) Traffic (diagram: three Nova hosts with VM1–VM6 and vswitches behind Nexus TORs on an L3 routed data network; controller node(s) with the ML2 Nexus driver; Neutron host(s); ASR1K with the L3 plugin holding a VRF with default GW and NAT to global routing; API, external and management networks; packet animation included – VM1 → VM4 via the virtual router)
  35. ML2 Nexus and ASR1K – North-South L3 Traffic (NAT) (diagram: three Nova hosts with VM1–VM6 and vswitches behind Nexus TORs on an L3 routed data network; controller node(s) with the ML2 Nexus driver; Neutron host(s); ASR1K with the L3 plugin holding a VRF with default GW and NAT to global routing; API, external and management networks; packet animation included – VM1 → Internet via the virtual router)
  36. Neutron Cisco CSR1000v for Neutron L3 Service (diagram: Neutron Server / L3 service plugin with the Cisco CSR1Kv device driver, device manager and scheduler; the Cisco Config Agent configures the CSR1Kv VM, which runs on a Nova compute node, over REST API/netconf)
     • Mapping of the Neutron reference L3 implementation: Linux namespaces – CSR1Kv VRF; router ports (qr) on the bridge – CSR1Kv VLAN sub-interfaces; gateway ports (qg) on the bridge – CSR1Kv VLAN sub-interfaces; Linux IPTables – CSR1Kv NAT
     • Benefits: virtual form factor; integrates with N1Kv and OVS; a device that can offer more services
  37. Neutron Cisco Application Policy Infrastructure Controller (APIC) Driver (diagram: Neutron Server / ML2 core plugin with the Cisco L2 APIC driver, and the Cisco L3 APIC driver in the Neutron L3 plugin; APIC programs the ACI spine/leaf switches over REST API, which provide distributed L2/L3 functionality to the VMs on the compute nodes; a Neutron Network maps to an EPG and a Router to a Contract)
     • Neutron API: Network, Router, Subnet, Security Group
     • L2/L3 enforced in the fabric; security groups enforced on the hypervisor
  38. Group-Based Policy Model
     • Policy Group: set of endpoints with the same properties, often a tier of an application
     • Policy RuleSet: set of classifiers / actions describing how policy groups communicate
     • Policy Classifier: traffic filter including protocol, port and direction
     • Policy Action: behavior to take as a result of a match; supported actions include “allow” and “redirect”
     • Service Chains: set of ordered network services between groups
     • L2 Policy: specifies the boundaries of a switching domain; broadcast is an optional parameter
     • L3 Policy: an isolated address space containing L2 policies / subnets
     Diagram: a Policy Rule Set made of Policy Rules (each a Classifier and an Action, optionally with a Service Chain of nodes) is provided by one Policy Group and consumed by another; each Policy Group holds Policy Targets and sits in an L2 Policy, both within an L3 Policy.
  39. Group Based Policy and Neutron (diagram: the GBP Neutron driver maps Policy Group and Ruleset onto Neutron Network and Router through the Neutron plugins/drivers and the vswitch on the compute nodes; alternatively the APIC GBP driver programs APIC and the ACI spine/leaf switches over REST API, providing distributed L2/L3 functionality)
     • Create classifier / rule: gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in; gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
     • Create policy ruleset: gbp ruleset-create web-ruleset --policy-rules web-policy-rule
     • Create group: gbp group-create web
     • Group association: gbp group-update web --provided-rulesets web-ruleset
     • Launch web server VM using an endpoint in the EPG: gbp member-create --group web web-1
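The objects those gbp commands create form a default-deny policy graph: a flow into the web group is allowed only through a rule set that web provides and the sending group consumes, and only if a classifier in it matches. The following added example (not GBP's own code) models that evaluation in Python; the `client` and `stranger` groups and the consumer side of `web-ruleset` are assumptions, since the slide shows only the provider side.

```python
"""Toy model of the Group-Based Policy objects built by the gbp commands on
this slide: classifier -> rule -> rule set -> group. Added example, not GBP
code; the consumer groups below are assumed (the slide shows only the
provider side, --provided-rulesets)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyClassifier:
    name: str
    protocol: str                           # "tcp", "udp", "icmp"
    port_range: Optional[Tuple[int, int]]   # None means any port
    direction: str                          # "in", "out" or "bi", relative to the provider

    def matches(self, protocol: str, port: int, direction: str) -> bool:
        if self.protocol != protocol:
            return False
        if self.port_range and not (self.port_range[0] <= port <= self.port_range[1]):
            return False
        return self.direction in ("bi", direction)


@dataclass(frozen=True)
class PolicyRule:
    name: str
    classifier: PolicyClassifier
    actions: Tuple[str, ...]                # "allow" or "redirect" (into a service chain)


@dataclass
class PolicyRuleSet:
    name: str
    rules: List[PolicyRule] = field(default_factory=list)


@dataclass
class PolicyGroup:
    name: str
    provided: List[PolicyRuleSet] = field(default_factory=list)
    consumed: List[PolicyRuleSet] = field(default_factory=list)
    members: List[str] = field(default_factory=list)   # policy targets, e.g. "web-1"


def evaluate(consumer: PolicyGroup, provider: PolicyGroup,
             protocol: str, port: int) -> str:
    """Action for a flow from a consumer member into a provider member.
    GBP is default-deny: only rule sets the provider provides AND the consumer
    consumes are evaluated, and only a matching classifier yields an action."""
    consumed = {rs.name for rs in consumer.consumed}
    for ruleset in provider.provided:
        if ruleset.name not in consumed:
            continue
        for rule in ruleset.rules:
            if rule.classifier.matches(protocol, port, "in"):
                return rule.actions[0]
    return "deny"


def build_slide_example():
    """Objects matching the slide's gbp commands, plus two assumed groups."""
    web_traffic = PolicyClassifier("web-traffic", "tcp", (80, 80), "in")
    web_rule = PolicyRule("web-policy-rule", web_traffic, ("allow",))
    web_ruleset = PolicyRuleSet("web-ruleset", [web_rule])
    web = PolicyGroup("web", provided=[web_ruleset], members=["web-1"])
    client = PolicyGroup("client", consumed=[web_ruleset], members=["client-1"])  # assumed
    stranger = PolicyGroup("stranger", members=["other-1"])                        # assumed
    return web, client, stranger


if __name__ == "__main__":
    web, client, stranger = build_slide_example()
    print(evaluate(client, web, "tcp", 80))      # allow
    print(evaluate(client, web, "tcp", 443))     # deny
    print(evaluate(stranger, web, "tcp", 80))    # deny
```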
  40. Summary of OpenStack integration with Cisco Networking Solutions presented
     Purpose | Using | Cisco Product | Kilo Code Availability | Liberty Code Availability | Status
     Network Layer 2 | Virtual Switch | Nexus 1000v | StackForge Networking-Cisco Kilo | OpenStack Cisco Networking Liberty | Preview
     Network Layer 2 | SR-IOV, non-SR-IOV | UCS Fabric Interconnect | StackForge Networking-Cisco Kilo | OpenStack Cisco Networking Liberty | Preview
     Network Layer 2 | Physical Switch | Nexus | StackForge Networking-Cisco Kilo | OpenStack Cisco Networking Liberty | Preview
     DHCP | IPAM | Prime Network Registrar | Not upstream | – | Preview
     Network Layer 3 | Virtual Router | Cloud Services Router 1000v | StackForge Networking-Cisco Kilo | OpenStack Cisco Networking Liberty | Preview
     Network Layer 3 | Physical Router | ASR 1000 | Not upstream | OpenStack Cisco Networking Liberty | Preview
     Network Services | Virtual Firewall and VPN | Cloud Services Router 1000v | Firewall – OpenStack Neutron Firewall Kilo; VPN – OpenStack Neutron VPN Kilo | Firewall – OpenStack Neutron Firewall Liberty; VPN – OpenStack Neutron VPN Liberty | Preview
     Network Layer 2, Layer 3, Services | Controller | Application Policy Infrastructure Controller | APIC L2 – StackForge Networking-Cisco Kilo; APIC L3 – StackForge Networking-Cisco Kilo | APIC L2 – OpenStack Cisco Networking Liberty; APIC L3 – OpenStack Cisco Networking Liberty | Released
     Declarative Policy Model | Group Based Policy Framework | Group Based Policy | OpenStack Group Based Policy Kilo | OpenStack Group Based Policy Liberty | Released
  41. IPv6 and NFV in OpenStack
  42. Neutron IPv6 for tenant data network
     • IPv6 addressing using two attributes: ipv6_ra_mode – determines who sends RA; ipv6_address_mode – determines how instances obtain the IPv6 address, default gateway, and/or optional information
     • Support for different IPv6 addressing schemes: SLAAC, DHCPv6-stateless, DHCPv6-stateful
     • Dual stack support
     • IPv6 routing
  43. Neutron Addressing Schemes (N/S = not specified)
     SLAAC (RA address configuration flags: Auto 1, Managed 0, Other 0)
     • ipv6_ra_mode SLAAC, ipv6_address_mode N/S: address using Neutron router
     • ipv6_ra_mode N/S, ipv6_address_mode SLAAC: address using external router
     • ipv6_ra_mode SLAAC, ipv6_address_mode SLAAC: address using Neutron router
     DHCPv6-stateless (RA address configuration flags: Auto 1, Managed 0, Other 1)
     • ipv6_ra_mode DHCPv6-stateless, ipv6_address_mode N/S: address using Neutron router and optional information using external service
     • ipv6_ra_mode N/S, ipv6_address_mode DHCPv6-stateless: address using external router and optional information using Neutron DHCP implementation
     • ipv6_ra_mode DHCPv6-stateless, ipv6_address_mode DHCPv6-stateless: address and optional information using Neutron router and DHCP implementation respectively
     DHCPv6-stateful (RA address configuration flags: Auto 0, Managed 1, Other 1)
     • ipv6_ra_mode DHCPv6-stateful, ipv6_address_mode N/S: address and optional information using external service
     • ipv6_ra_mode N/S, ipv6_address_mode DHCPv6-stateful: address and optional information using Neutron DHCP implementation
     • ipv6_ra_mode DHCPv6-stateful, ipv6_address_mode DHCPv6-stateful: address and optional information using Neutron DHCP implementation
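The three tables follow two rules: a set ipv6_ra_mode means Neutron's router sends the RAs (otherwise an external router does), and a set ipv6_address_mode means Neutron's DHCP implementation serves DHCPv6 (otherwise an external service does); the scheme decides which of the two supplies the address and which the optional information, and fixes the A/M/O flags. The added example below (not Neutron code) derives every row from those rules, and also applies Neutron's check that a subnet with both attributes set to different values is rejected.

```python
"""Resolve Neutron's ipv6_ra_mode / ipv6_address_mode pair into who sends
Router Advertisements, where the instance gets its address and its optional
information (DNS etc.), and the RA A/M/O flags, as in the slide's tables.
Added example, not Neutron code. None stands for N/S (not specified)."""
from typing import Dict, Optional

SCHEMES = ("slaac", "dhcpv6-stateless", "dhcpv6-stateful")

# RA address configuration flags per scheme: Autonomous, Managed, Other-config.
RA_FLAGS = {
    "slaac":            {"auto": 1, "managed": 0, "other": 0},
    "dhcpv6-stateless": {"auto": 1, "managed": 0, "other": 1},
    "dhcpv6-stateful":  {"auto": 0, "managed": 1, "other": 1},
}


def resolve_ipv6_subnet(ra_mode: Optional[str],
                        address_mode: Optional[str]) -> Dict[str, object]:
    """Derive the slide's 'Result' column from the two subnet attributes."""
    if ra_mode is None and address_mode is None:
        raise ValueError("neither attribute set: no IPv6 autoconfiguration")
    # Neutron rejects a subnet where both attributes are set but disagree.
    if ra_mode and address_mode and ra_mode != address_mode:
        raise ValueError("ipv6_ra_mode and ipv6_address_mode must match")
    scheme = ra_mode or address_mode
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")

    # ipv6_ra_mode set -> the Neutron router sends RAs; unset -> an external router does.
    ra_sender = "neutron router" if ra_mode else "external router"
    # ipv6_address_mode set -> Neutron's DHCP (dnsmasq) answers DHCPv6; unset -> external service.
    dhcp = "neutron dhcp" if address_mode else "external service"

    if scheme == "dhcpv6-stateful":
        address_source, other_source = dhcp, dhcp          # everything via DHCPv6
    elif scheme == "dhcpv6-stateless":
        address_source, other_source = ra_sender, dhcp     # address from RA, options via DHCPv6
    else:
        address_source, other_source = ra_sender, None     # pure SLAAC: no DHCPv6 at all

    return {"ra_sender": ra_sender, "address_source": address_source,
            "other_info_source": other_source, "ra_flags": RA_FLAGS[scheme]}


if __name__ == "__main__":
    for ra, addr in (("slaac", None), (None, "dhcpv6-stateless"), ("dhcpv6-stateful", None)):
        print(ra, addr, resolve_ipv6_subnet(ra, addr))
```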
  44. Network Function Virtualization (diagram for Tenant A with addresses 10.1.0.4, 10.1.0.5, 10.1.0.1, 10.1.1.1 and 10.1.1.4: left – admin provisioned service, VM1 and VM2 on the compute nodes reach the other subnet through a namespace on the network node(s); right – tenant provisioned service, VM1 and VM2 reach a Service VM at 10.1.1.4 running on a compute node, all over the data network and vswitches)
  45. Neutron and NFV
     • Issue: anti-spoofing rules ensure traffic originates and terminates as expected; this doesn't work for NFV VNF use cases
     • Solution: added the Port Security extension – adds a new “Port Security enabled” attribute to the Network and Port resources; only the tenant owner can set this attribute on the resources; Security Group and Allowed Address Pair are not allowed to be set on a resource with port security disabled
     • Issue: VXLAN for tenant isolation and VLAN for app traffic isolation within the tenant; no means to identify VLAN transparent networks
     • Solution: added a Network resource extension – adds a new “Vlan Transparent” attribute to the Network resource; only the tenant owner can set this attribute on the resource; no firewalling on VLAN tagged packets
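The constraints the slide lists for the Port Security extension (the attribute is owner-only, and a port with port security disabled may carry neither security groups nor allowed address pairs) and the same ownership rule for the network's “Vlan Transparent” attribute can be expressed as a small request validator. The following is an added example, not Neutron's own validation code; the network, port and tenant ids are constructed sample data, and the rule that a port without the attribute inherits the network's value (default True) is Neutron's documented behaviour.

```python
"""Validate Neutron port/network requests against the Port Security and VLAN
transparency rules on this slide. Added example, not Neutron's validation
code; NETWORK / VNF_PORT_* and the tenant ids are constructed sample data."""
from typing import Dict, List


def effective_port_security(port: Dict, network: Dict) -> bool:
    """A port that does not set port_security_enabled inherits the network's
    value, which itself defaults to True (Neutron's behaviour)."""
    if "port_security_enabled" in port:
        return bool(port["port_security_enabled"])
    return bool(network.get("port_security_enabled", True))


def validate_port_request(port: Dict, network: Dict, caller_tenant: str) -> List[str]:
    """Return the reasons the request must be rejected (empty list = accept)."""
    errors = []
    if "port_security_enabled" in port and caller_tenant != port["tenant_id"]:
        errors.append("only the tenant that owns the port may set port_security_enabled")
    if not effective_port_security(port, network):
        # With anti-spoofing off for a VNF, the hypervisor-side filters make no sense.
        if port.get("security_groups"):
            errors.append("security groups cannot be set when port security is disabled")
        if port.get("allowed_address_pairs"):
            errors.append("allowed address pairs cannot be set when port security is disabled")
    return errors


def validate_network_request(network: Dict, caller_tenant: str) -> List[str]:
    """Owner-only rule for the network-level attributes from the slide:
    port_security_enabled (the network default) and vlan_transparent."""
    errors = []
    for attr in ("port_security_enabled", "vlan_transparent"):
        if attr in network and caller_tenant != network["tenant_id"]:
            errors.append(f"only the tenant that owns the network may set {attr}")
    return errors


# Constructed sample data: a VNF port that needs anti-spoofing turned off.
NETWORK = {"id": "net-1", "tenant_id": "tenant-a", "vlan_transparent": True}
VNF_PORT_OK = {"id": "port-1", "tenant_id": "tenant-a", "port_security_enabled": False,
               "security_groups": [], "allowed_address_pairs": []}
VNF_PORT_BAD = {"id": "port-2", "tenant_id": "tenant-a", "port_security_enabled": False,
                "security_groups": ["default"],
                "allowed_address_pairs": [{"ip_address": "10.1.1.0/24"}]}

if __name__ == "__main__":
    print(validate_port_request(VNF_PORT_OK, NETWORK, "tenant-a"))    # []
    print(validate_port_request(VNF_PORT_BAD, NETWORK, "tenant-a"))   # two errors
    print(validate_port_request(VNF_PORT_OK, NETWORK, "tenant-b"))    # ownership error
    print(validate_network_request(NETWORK, "tenant-b"))              # ownership error
```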
  46. Summary
  47. Summary
     • OpenStack is rapidly becoming the de-facto standard for data center orchestration
     • Cisco's broad-based OpenStack strategy spans products, partners and services
     • Cisco is a leading contributor to projects such as Neutron and others in the OpenStack community
     • A wide range of Cisco solutions is available for integration with OpenStack Networking
     • Still lots to do…
     • More information: www.cisco.com/go/openstack and https://developer.cisco.com/openstack/
  48. Partner OpenStack Distributions on Cisco Infrastructure – collateral and release dates:
     • Deploying RedHat Enterprise Linux OpenStack Platform 3.0 on Flexpod with Cisco UCS, Cisco Nexus and NetApp Storage – Nov 2013
     • Suse Cloud Integration with Cisco UCS and Cisco Nexus Platforms – March 2014
     • Accelerate Cloud Initiatives with Cisco UCS and Ubuntu OpenStack – May 2014
     • Ubuntu OpenStack Architecture on Cisco UCS Platform – June 2014
     • RedHat Enterprise Linux OpenStack Platform 4.0 on Cisco UCS and Cisco Nexus – July 2014
     • Hadoop as a Service (HaaS) with Cisco UCS Common Platform Architecture (CPA v2) for Big Data and OpenStack – August 2014
     • RedHat OpenStack Architecture on Cisco UCS Platform – Sept 2014
     • InterCloud Data Center ACI 1.0 Implementation Guide – Feb 2015
     • FlexPod Datacenter with Red Hat Enterprise Linux OpenStack Platform – Sept 2015
  49. Thank you
