
Lessons from 5 Years of Network Function Virtualization | Interop NY Presentation from Chris Swan

Network Function Virtualization (NFV) is a relatively new term in the industry. There have however been virtual appliances in production for over five years serving as routers, switches, firewalls, VPN concentrators and protocol redistributors. Customer case studies for the use of NFV include partner networks, the cloud as a common meeting place, cloud bursting, virtual private cloud, and extending traditional networks into the cloud. The overlap between Software Defined Networking (SDN) and Network Function Virtualization (NFV) will also be explored. How things change at scale - what happens when you try to manage hundreds of virtual networks. A glimpse into the future, and the virtual telco.


  1. Lessons from 5 Years of Network Function Virtualization. Chris Swan, CTO - CohesiveFT, @cpswan. copyright 2013. Tuesday, October 8, 13
  2. Agenda: Introducing Network Function Virtualization (NFV); The Networking Declaration of Independence; Business use cases: • Wave 1 - bursting and containment • Wave 2 - hubs and spokes • Wave 3 - winning back control; Technical use cases; Summary
  3. What is Network Function Virtualization?
  4. NFV is a networking Swiss Army knife. Diagram labels: Firewall; Dynamic & Scriptable SDN; Protocol Redistributor; IPsec/SSL VPN concentrator; Router; Switch; NFV. Hybrid virtual device able to extend to multiple sites. Application SDN (Software Defined Network) Appliances • Allow control, mobility & agility by separating network location and network identity • Control over end to end encryption, IP addressing and network topology
  5. A technical use case overview. Diagram labels: Customer Data Center; Customer Remote Office; NFV Overlay Network Subnet: 172.31.0.0/22; Cloud Server A, Cloud Server B, Cloud Server C, Cloud Server D, Cloud Server E, Cloud Server F with Overlay IP: 172.31.1.1, Overlay IP: 172.31.1.5, Overlay IP: 172.31.1.9, Overlay IP: 172.31.1.13, Overlay IP: 172.31.1.17, Overlay IP: 172.31.1.21; Active IPsec Tunnel; Active IPsec Tunnel; Failover IPsec Tunnel; 192.168.4.0/24 - 172.31.1.0/24; 192.168.3.0/24 - 172.31.1.0/24; Firewall / IPsec Cisco 5505; Firewall / IPsec Cisco 5585; Data Center Server LAN IP: 192.168.4.50; Data Center Server LAN IP: 192.168.4.100; User Workstation LAN IP: 192.168.3.100; User Workstation LAN IP: 192.168.3.50; Chicago, IL USA Remote Subnet: 192.168.3.0/24; London, UK Remote Subnet: 192.168.4.0/24; Public IP: 184.73.174.250 Overlay IP: 172.31.1.250; Public IP: 54.246.224.156 Overlay IP: 172.31.1.246; Public IP: 192.158.29.143 Overlay IP: 172.31.1.242; Peered; Peered; US East 1; EMEA; APAC; NFV; NFV
  6. Providers and Customers have different concerns. Diagram labels: Layer 0 through Layer 7; Hardware Ownership Layer; Virtualization Layer; Application Layer; Provider Control; User Control; Limits of access, control, & visibility. Service Provider SDN starts at the bottom of the network with the "device" and network flows. Application SDN (using NFV) begins at the top of the network with the enterprise application, its owner and their collective technical and organizational demands.
  7. Positioning - NFV and SDN
  8. Networking Declaration of Independence
  9. Nicira’s “declaration of independence” from metal, freed NFV from OpenFlow. http://nicira.com/sites/default/files/docs/Nicira%20-%20The%20Seven%20Properties%20of%20Virtualization.pdf
  10. These same properties free NFV from the “constraints” of OpenFlow (technology, timing and target). Nicira defined the 7 Properties of network virtualization as: 1. Independence from network hardware 2. Faithful reproduction of the physical network service model 3. Follow operational model of compute virtualization 4. Compatible with any hypervisor platform 5. Secure isolation between virtual networks, the physical network, and the control plane 6. Cloud performance and scale 7. Programmatic networking provisioning and control
  11. Independence from network hardware. With VM-based network devices you can use the cloud network as “bulk transport” and are indifferent to all else. Diagram labels: Customer Data Center; NFV; Standard IPsec Tunnel; Firewall / IPsec Device; Data Center Servers; Overlay IP: 172.31.11.xx; Public Cloud Region 1; IP: 192.168.1.xx LAN; Cloud Server; Cloud Server; Overlay Network
  12. Reproduction of physical network model. NFV devices “look” and “feel” like the same networking devices customers have used for ever, without boundaries. Diagram labels: Customer Data Center; Standard IPsec Tunnel; Data Center Servers; Virtual Network; Cloud Server; Public Cloud Region 1; Overlay Network; Data Center Servers; Cloud Server; NFV
  13. Follow operational model of compute virtualization. NFV functions can be dynamically brought on-line, up to the elastic limits of the total infrastructure available (!!). Diagram labels: NFV; NFV; NFV; NFV
  14. Compatible with any hypervisor platform. NFV does more than “follow” the model of compute virtualization, it exists via compute virtualization. Diagram labels: Public Clouds; Virtual Infrastructure; Private Clouds; Cloud
  15. Secure isolation. Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc. Diagram labels: Public Cloud Region 1, Public Cloud Region 2, Public Cloud Region 3 and Public Cloud Region 4, each with Cloud Server, Cloud Server and Overlay Network
  16. Secure isolation. Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc. Diagram labels: User Workstation; User Workstation; Data Center Server
  17. Cloud performance and scale. Where NFV really shines today, create a WAN in minutes, use cloud as points of presence for your business. Diagram labels: Customer Data Center; Customer Remote Office; NFV Overlay Network Subnet: 172.31.0.0/22; Cloud Server A, Cloud Server B, Cloud Server C, Cloud Server D, Cloud Server E, Cloud Server F with Overlay IP: 172.31.1.1, Overlay IP: 172.31.1.5, Overlay IP: 172.31.1.9, Overlay IP: 172.31.1.13, Overlay IP: 172.31.1.17, Overlay IP: 172.31.1.21; Active IPsec Tunnel; Active IPsec Tunnel; Failover IPsec Tunnel; 192.168.4.0/24 - 172.31.1.0/24; 192.168.3.0/24 - 172.31.1.0/24; Firewall / IPsec Cisco 5505; Firewall / IPsec Cisco 5585; Data Center Server LAN IP: 192.168.4.50; Data Center Server LAN IP: 192.168.4.100; User Workstation LAN IP: 192.168.3.100; User Workstation LAN IP: 192.168.3.50; Chicago, IL USA Remote Subnet: 192.168.3.0/24; London, UK Remote Subnet: 192.168.4.0/24; Public IP: 184.73.174.250 Overlay IP: 172.31.1.250; Public IP: 54.246.224.156 Overlay IP: 172.31.1.246; Public IP: 192.158.29.143 Overlay IP: 172.31.1.242; Peered; Peered; US East 1; EMEA; APAC; NFV; NFV
  18. Programmatic networking provisioning & control. Cloud Compute and Network APIs + NFV Device APIs allow previously unimaginable flexibility and power. http://maxoffsky.com/code-blog/building-restful-api-in-laravel-start-here/ Diagram labels: Public Clouds; Virtual Infrastructure; Private Clouds; Cl
  19. Business Use Cases
  20. Wave 1: Bursting and Containment
  21. Mutual fund securely extends HPC grid resource. Highlights: Automatically flex existing HPC solution up and down by bursting into public cloud. Image management tool configured and contextualized nodes in custom cloud environment. Used existing workload manager / grid engine software / vendor to extend their grid. Significantly reduced infrastructure costs, while increasing flexibility and responsiveness. The Goals: Large Mutual Fund (LMF) must reduce the time to results. They seek an on-demand, lower cost capacity expansion. Security & Compliance: • Guaranteed customer control of the network layer • Visibility, insight and control over the infrastructure • Swapped out physical infrastructure with IaaS on a pay as you go basis • Vendor neutral, more than one cloud • Natural look and feel of an existing grid extension • Encrypted data in motion, end-to-end. LMF needed more security and control than public cloud to “extend” their existing grid on the same IP network. Outcome: LMF seamlessly flexes their grid up and down with an overlay network for the EC2 grid compute nodes with NFV. Diagram (Fund bursts into public cloud to extend HPC) labels: Private Data Center; NFV; US-east-1; Active IPsec Tunnels; Firewall / IPsec; Data Center Node; Boston, USA; Node; US-west-1; Overlay Network; Peered; Node; Node; NFV
  22. Mobile provider creates secure dev/test environments. Highlights: Wanted speed for dev/test but couldn’t sacrifice security. Challenged to improve quality and amount of testing with multiple vendors. Telco had insufficient hardware resources and lacked initial install media. Guaranteed consistency with identical topologies in virtual network. The Challenge: Our customer needed a solution when traditional dev/test processes created a 3 month bottleneck in getting services to market. The customer wanted to use cloud for dev/test environments on-demand, and to migrate 10 year old Oracle, Stellent Tibco, and Websphere images to AWS and VMware environments. They needed to securely connect two developer offices and dev partners in a third office. The Outcome: Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise. Ensured consistent topologies within secure virtual networks. Diagram labels: AD Configuration with Dual NIDs; Developer Office; NFV; US-east-1; Active IPsec Tunnels; 192.168.4.0/24 - 172.31.1.0/24; Firewall / IPsec; USA; User Workstation; User Workstation; Partner Data Center; Firewall / IPsec; Data Center Servers; Private Cloud; Peered; Hybrid Network; Virtual Machine; Virtual Machine; NFV
  23. UK non-profit reduces CO2 with IBM SmartCloud. Highlights: Energy Savings Trust (EST) needs to analyse data while keeping costs to a minimum. Must gather, analyse, and compute big data sets and graphically display usage. Non-profit securely connects and automates in SmartCloud. "The services we provide […] make it possible to achieve energy efficiency targets faster and at less cost." - Will Rivers, Housing Data Manager, Energy Saving Trust. The Challenge: EST has over 20 years of energy data with 250M data points on 25M households, and wanted to both grow compute resource while saving costs. “IBM SmartCloud means that the services we can offer are no longer constrained by the limitations of our on-site hardware,” Simon Elam, Programme Manager, Energy Saving Trust. The Goals: • Encourage energy efficiency through real-time data and energy maps • Collect and analyze large sets of public utility and energy data • Create maps with geographic information system (GIS) • Grow without impacting performance. Outcome: CohesiveFT and Assimil8, both IBM Business Partners, helped migrate and connect EST’s IBM software running in IBM SmartCloud Enterprise. Diagram (Energy Savings Trust analyzes data in SmartCloud) labels: On-Site Hardware; NFV; Active IPsec Tunnel; UK; Firewall / IPsec; Data Center Servers; Virtual Machine; Cloud Server; Ehningen
  24. US Sports Association flexes up and down during large annual events. Highlights: Added capacity without the hardware, overhead and management costs. Wanted to scale and control capacity. Secure communication with partners, customers and media members with a cloud-based solution. Secure, encrypted data in motion and access to data center with NFV. The Situation: A US National Sports Association looked to public cloud to expand capacity for an annual live, international sporting event. Challenge: For a few days a year, the network and servers must react, scale quickly without any outages. Information could not be unsecured beyond the DMZ - data in plain text was not an option. Solution Featured: • Scalable with the capacity needed around global events • Encryption for all data in motion • Overlay network on top of public cloud infrastructure • Perpetual license to accommodate scaling needs. Diagram (Capacity expansion: meeting game day demand) labels: Main Offices; NFV; Active IPsec Tunnels; New York, NY USA; Data Center; Virtual Machine; Cloud Server; us-east-1; Media Partners; Firewall / IPsec; EMEA, & US & ANZ; Workstations
  25. SaaS vendor reaches customers without on-site data centers or physical networks. Highlights: Large independent logistics firm wanted to move to SaaS delivery model without burdening clients. Removed migration complexity without changing the business model or operations. Solved end client’s issues with on-site data centers and large software clients. Overlay network allows customer to deploy to any public cloud provider. The Situation: Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers. Challenges: • Limited multi-tenant environments for customers to pass industry-standards tests • Connectivity without the hurdles of traditional networks, data centers and enterprise rules • Managing apps across different public and private clouds • End customer security concerns. Outcome: The customer can offer a SaaS version of their BPMS where end customers can access it as if it were a subnet on their network. The solution guarantees data in motion encryption. The BPMS firm can now connect their clients’ software to cloud-based data centers without up-front, capital intense processes. Diagram (BPMS-as-a-SaaS without traditional complexity) labels: Home Data Center; NFV; Active IPsec Tunnels; Firewall / IPsec; Boston, MA USA; us-east-1; Customer Data Center 2; Peered; Federated Cloud Overlay Network; NFV; Virtual Machine; Virtual Machine; Customer Data Center 1; Cloud-based SaaS tool; Failover IPsec; Private Cloud; Data Center Servers; us-west-2; Berlin, DE; London, UK
  26. Wave 2: Hubs and spokes
  27. Connect customers in a shared, private environment. Highlights: Customer switched from on-premise to cloud-based data analysis SaaS for retail clients. Needed additional resources with secure, shared infrastructure. Offered multitenant cloud-based services to customers and partners. Created secure connections with both IPsec edge connectivity and SSL/TLS VPN. A retail data analysis firm wanted to expand cloud-hosted resources while securely linking customers to a new cloud-based service. Challenges: • Guaranteed encryption for all data in motion and at rest. • Overlay network to federate across any public cloud provider. • Secure connections with both IPsec edge connectivity and SSL/TLS VPN • Customer created a true Cloud WAN network with overlays and cloud providers. Customer now manages more than 100 cloud environments across a mix of dev, internal IT, and customer implementation categories in a seamless “single network” mix. Diagram (Cloud “Meet Me Room”) labels: Data Center; NFV; Active IPsec Tunnels; US; Firewall / IPsec; Data Center Servers; Virtual Machine; Customer Network; UK; Browser-based portal access; SaaS App; eu-west-1; Federated Multicloud Network; Cloud Server
  28. Firm extended offerings with global cloud points of presence. Highlights: Offered global redundancy at dramatically lower cost than traditional infrastructure. Needed secure connections to existing data centers and networks. Access critical infrastructure “in region” without delays or capital of physical resources. Global reach for products and global redundancy for security. A global end point threat prevention company wanted to have global reach for cloud-based threat protection and virus scanning system. Additionally, they wanted to ensure global redundancy using multiple cloud providers. Customer Required: • Working with multiple cloud providers and cloud regions • Connections across clouds and down to existing physical data centers and networks. Outcome: • Guaranteed encryption for all data in motion and at rest • Overlay network to federate across any public cloud provider • End customers can access critical resources without waiting for inter-continental lag times, at much lower costs. Diagram (Cloud WAN for global reach and redundancy) labels: Data Center; Active IPsec Tunnels; Frankfurt, Germany; Firewall / IPsec; Data Center Server; Customer 2; Tokyo, Japan; Workstations; APAC-1; CloudWAN; Peered; US East Coast; NFV; Peered; Office; London, UK; Data Center Server; NFV; NFV; Netherlands
  29. Cloud WAN connectivity without the expensive assets or contracts. Highlights: Global reach for products and global redundancy for security. Needed secure connections to existing data centers and networks. Access critical infrastructure “in region” without physical resources. Offered global redundancy at dramatically lower cost. A pharmaceutical information systems firm wanted to integrate US-based offices together and to integrate offices to their cloud infrastructure. Challenges: Offices had different hardware and software, networks and data needs. The firm did not want to invest in assets or long term contracts with vendors. Solution Featured: • Guaranteed encryption for all data in motion and at rest • Overlay network federates across public cloud providers • IPsec and data in motion encryption • Customer created a true Cloud WAN with overlays and cloud provider edges. Outcome: Each office connected to the cloud-based systems and also connected to each other using the cloud as network backbone. Diagram (Pharmaceutical system federates infrastructure) labels: Data Center; Active IPsec Tunnels; New York, USA; Firewall / IPsec; Data Center Server; Medical Office 2; San Francisco, USA; US-west-1; CloudWAN; Peered; NFV; Peered; Medical Office 1; Customer Hospital; Boston, USA; Data Center Server; NFV; US-east-1; Salt Lake City, USA; Private Cloud; SaaS portal; SaaS portal
  30. Connecting mobile banking customers to a common cloud-based infrastructure. Highlights: Online & mobile banking company needed connectivity solution to meet regulatory requirements. Financial customers could use a "security lattice" approach, encrypting all critical data in motion. Enabled customer to serve end customers from a common platform. Multitenancy model allowed customer to pass along cloud economies of scale. The Situation: Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers. Challenges: Multi-tenant infrastructure required secure connectivity with minimal complexity and manpower expense. Public cloud flexibility and savings plus additional security and connectivity. Solution featured: • Connections with standard IPsec equipment • A connection “edge” to customer deployments and cloud infrastructure • Encrypted data in motion. Outcome: Cloud-based banking platform brought customers online quickly at lower cost. Diagram (Multitenant cloud-based partner network) labels: Data Center Server; Home Network; NFV; Encrypted IPsec Tunnels; USA; Firewall / IPsec; Data Center Server; Virtual Machine; Customer Data Center 2; USA; Customer Data Center 1; UK; Data Center Server; Virtual Machine; Mobile Banking Platform; US-west-1
  31. Mobile provider improved quality in secure dev/test environments. Highlights: Wanted speed for dev/test but couldn’t sacrifice security. Challenged to improve quality and amount of testing with multiple vendors. Image management helped move existing images and templates into production-ready environments. Guaranteed consistency with identical topologies in virtual network. Problem: Customer needed solution when traditional testing and dev/test created a three month bottleneck while getting services to market. Solution: The customer used the cloud for dev/test environments on demand by migrating 10 year old Oracle, Stellent Tibco, Websphere images to AWS and VMware, and securely connected two developer offices and dev partners in a third office. Outcome: Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise. The customer moved existing images and templates into production-ready environments. Diagram (Leading global mobile telco service provider) labels: NFV; EMEA; Active IPsec Tunnel; Firewall / IPsec; Overlay Network; Peered; Private Cloud; Partner Data Center; London, UK; Dev/Test 2; Data Center Servers; Data Center Servers; Dev/Test 1; Boston, USA; Data Center Servers; Cloud Server; Virtual Machine; NFV; London, UK
  32. Scalable, pay as you go solution connects cloud-based apps to partner networks. Highlights: Connected telco partners with partners’ exact IP addresses. Concerns over keeping customer and partner traffic separate and secure. Needed to quickly scale up and down, with a price package to match. Overlay network segmented partners to take control of security, addressing, and connection. The Situation: A telco with mobile app needed to connect cloud-based app servers to APAC partners on the partners’ exact IP addresses. The solution required: • Overlay networks • Instance-based solution using pay-as-you-go virtual appliances • Customer-defined address pools • Guarantee encryption for all data in motion, including customer session tokens and payment information. Outcome: Customer was able to create POPs in multiple regions with attestable security. The network can be abstracted from the cloud vendors’ address schemes to create a scalable, pay as you go solution to match their business model. Diagram (Mobile app developer connects on overlay) labels: Data Center Server; Virtual Network; NFV; Dedicated IPsec Tunnels; Firewall / IPsec; London, UK; Partner LAN 1; Cloud-based SaaS tool; Data Center Servers; Virtual Machine; Ehningen; Partner LAN 2; NFV; Customer Site; Virtual Machine; Peered; Osaka, Japan; Hong Kong; Asia Pacific (Tokyo)
  33. Research groups connect to location-independent infrastructure. Highlights: US-based research groups have global observatories and collaborations. Platform would speed research, enhance collaboration. Location-independent data collection and analysis. NFV and image management helped the group create common, shared infrastructure. Challenge: Needed to create a new computing architecture based on virtualization to support collaborative efforts through multiple layers of research groups. The research groups had to have control over final output quality and virtual devices in complex sensor platform. Solution: New computing architecture needed to use virtualization, multiple separate research groups, and virtual devices in complex platform. Outcome: With NFV and image management, the customer created a common shared infrastructure that was location independent. Diagram (Scientific research groups connect, migrate to cloud) labels: Research Campus; Palo Alto, CA USA; Observatory 2; Marshall Islands, USA; NFV; Observatory 1; Honolulu, HI USA; Active IPsec Tunnels; Firewall / IPsec; Global Overlay Network; Workstations; Workstations; Virtual Machine; Virtual Machine; Node; US-west-1
  34. Wave 3: Winning back control
  35. Overlay between public & private cloud. • Not technically very different from bursting, but motivation is different • Get network (re)configured in minutes rather than waiting weeks for a change request to be implemented by the (outsourced) NOC • No need for new hypervisor or networking equipment. Diagram labels: Public IP: 194.42.93.145; Public IP: 194.42.93.146; Public IP: 194.42.93.147; Public IP: 194.42.93.148; Public IP: 194.42.93.149; Public IP: 194.42.93.150; Public IP: 194.42.93.151; Public IP: 194.42.93.152; Public IP: 194.42.93.153; Public IP: 194.42.93.154; Public IP: 5.23.25.66; Cloud Servers Peered Location 1; Cloud Servers Peered Location 2; Cloud Servers Peered Location 3; Cloud Servers Peered Location 4; Cloud Servers Peered Location 5; Peered; Public IP: 5.23.25.12; Region: Europe-1; NFV; Overlay Network 172.31.0.0/24; Peered (x6)
  36. The first “process” customizable cloud transport network device. NFV allows customers to embed features and functions provided by other vendors - or developed in house, safely and securely into cloud networks • Not just a scripting interpreter that allows control over known, existing features • Completely new functions, processes, computation delivered to the core of the customer cloud network (patent pending). NFV: Customer controlled, and co-created, for the best hybrid cloud experience. Diagram labels: Router; Reverse Proxy; Content Caching; Load Balancing; Intrusion Detection; More....; Switch; Firewall; IPsec/SSL VPN Concentrator; Protocol Redistributor; Dynamic & Scriptable SDN; Proxy
  37. NFV as a converged device gateway into cloud. Diagram labels: Encrypted Overlay network in VPC; NFV +; Web App 1; Web App 2; Web App 3; Single IP address. • Customer created a customized reverse proxy application (NGINX) inside the NFV appliance • NFV provides end-to-end encryption, private address control, firewalling, and port forwarding • NGINX configuration files are completely customer controlled • NGINX app sits at the transport layer inside the NFV appliance • Runs on the encrypted overlay network in VPC
  38. NFV Technical Capabilities
  39. Cloud Address Control. Problem: • Applications may be hard wired to specific IP addresses • Cloud providers cannot provide portability of internal IPs. NFV Solution: • Control static addressing • Local Area Network (LAN) address extension to the cloud • Servers and Topologies behave as though they are running locally • Application centric network is portable. Diagram labels: Customer Data Center; NFV; Standard IPsec Tunnel; Firewall / IPsec Device; Data Center Servers; Overlay IP: 172.31.11.xx; Public Cloud Region 1; IP: 192.168.1.xx LAN; Cloud Server; Cloud Server; Overlay Network
  40. Cloud Protocol Control: Multicast. Problem: • Enterprise software uses multicast protocols for service election and service discovery • Most public cloud providers block multicast. NFV Solution: • Send multicast traffic via NFV based overlay network before it is rejected by underlying network infrastructure. Diagram labels: Standard IPsec Tunnel; Public Cloud Region 1; Customer Data Center; Data Center Servers; LAN; Cloud Server; Cloud Server; Firewall / IPsec Device; Overlay Network; NFV
  41. Cloud Security Control: IPsec Tunneling. Problem: • Public Cloud is accessed via Internet • HTTPS is fine for web apps and services but isn't always appropriate for other use cases. NFV Solution: • Connect networks with industry standard IPsec • Use existing network edge security appliances (Cisco, Juniper, Netscreen, SonicWall etc.) • Use existing secure communication methods/practices - the same as currently used to connect offices, data centers or partners/customers. Diagram labels: Data Center; Standard IPsec Tunnel; Data Center Servers; Public Cloud Region 1; LAN; Cloud Server; Cloud Server; NFV; Firewall / IPsec Device; Overlay Network
  42. Cloud Security Control: Multiple IPsec. Problem: • Cloud providers limit the number of IPsec connections. NFV Solution: • NFV Manager enables multiple IPsec connections to a cloud-based overlay network segment • Serves as user-controlled, virtualized switch/router inside the provider cloud • Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections. Diagram labels: Standard IPsec Tunnel; Public Cloud Region 1; Cloud Server; Cloud Server; NFV; Overlay Network; Customer Site N; Multiple IPsec Devices; Customer Site 2; Customer Site 1
  43. Use Existing Monitoring Tools. Problem: • Cloud deployments cannot be connected to existing network operations center. NFV Solution: • Use your existing monitoring tools for cloud deployments • NFV allows the use of an existing NOC to monitor and manage devices in the data center and the cloud. Diagram labels: Customer Data Center; Standard IPsec Tunnel; Data Center Servers; Virtual Network; Cloud Server; Public Cloud Region 1; Overlay Network; Data Center Servers; Cloud Server; NFV; Firewall / IPsec Device
  44. Customer-Partner Networks in Public Cloud. Problem: • Securely connect customers, partners or branches to specific servers in shared infrastructure. NFV Solution: • Industry standard secure connectivity to isolated servers in public cloud • Data in motion in the public cloud is encrypted. Diagram labels: Partner Data Center; EMEA; Customer 2; USA; Customer 1; APAC; Active IPsec Tunnels; Firewall / IPsec; Customer - Partner Network; Physical Data Center; Private Cloud; Server; Node; Cloud Deployment; Public Cloud Region 1; NFV
  45. Summary
  46. Summary. NFV allows networks to be built out of the cloud. Users get control over their: • addressing • topology • security • protocols. When you give people a networking Swiss Army knife to run in the cloud they do all kinds of stuff that you might not have expected.
  47. Questions? CohesiveFT Americas, Chicago, IL USA, ContactMe@cohesiveft.com, 888.444.3962. CohesiveFT Europe, London, UK, ContactMe@cohesiveft.com, +44 208 144 0156
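
An added example, not part of the original slides or CohesiveFT's software: a Python audit of the addressing plan shown on the "technical use case overview" slide, of the kind the "Cloud Address Control" and "Secure isolation" slides imply a user-controlled overlay needs. Reading each "A - B" tunnel label as a (site LAN, cloud-side) selector pair, and the four consistency rules themselves, are assumptions made for illustration.

```python
import ipaddress as ip
from itertools import combinations

# Addresses transcribed from the slide; the dictionary layout is this example's own.
SLIDE_PLAN = {
    "overlay": "172.31.0.0/22",
    "overlay_hosts": [
        "172.31.1.1", "172.31.1.5", "172.31.1.9", "172.31.1.13",
        "172.31.1.17", "172.31.1.21",                     # Cloud Servers A-F
        "172.31.1.250", "172.31.1.246", "172.31.1.242",   # NFV appliances
    ],
    "sites": {"Chicago": "192.168.3.0/24", "London": "192.168.4.0/24"},
    # (site-side selector, cloud-side selector) per IPsec tunnel
    "tunnels": [("192.168.4.0/24", "172.31.1.0/24"),
                ("192.168.3.0/24", "172.31.1.0/24")],
}


def audit_plan(overlay, overlay_hosts, sites, tunnels):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    overlay_net = ip.ip_network(overlay)
    hosts = [ip.ip_address(h) for h in overlay_hosts]
    site_nets = {name: ip.ip_network(cidr) for name, cidr in sites.items()}

    # 1. Overlay addresses must be unique and inside the overlay subnet.
    for h in hosts:
        if h not in overlay_net:
            findings.append(f"host {h} is outside overlay {overlay_net}")
    for h in sorted(set(hosts)):
        if hosts.count(h) > 1:
            findings.append(f"overlay address {h} assigned more than once")

    # 2. Site LANs must not collide with the overlay or with each other,
    #    otherwise traffic for one network can be routed into another.
    for name, net in site_nets.items():
        if net.overlaps(overlay_net):
            findings.append(f"site {name} ({net}) overlaps overlay {overlay_net}")
    for (a, net_a), (b, net_b) in combinations(site_nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"sites {a} and {b} overlap ({net_a}, {net_b})")

    # 3. Tunnel selectors: the site side must be exactly a declared LAN (a wider
    #    selector exposes more than intended); the cloud side must stay in the overlay.
    covered = set()
    for remote, cloud in tunnels:
        r, c = ip.ip_network(remote), ip.ip_network(cloud)
        if r not in site_nets.values():
            findings.append(f"tunnel site selector {r} is not a declared site LAN")
        if not c.subnet_of(overlay_net):
            findings.append(f"tunnel cloud selector {c} is outside overlay {overlay_net}")
        covered.update(h for h in hosts if h in c)

    # 4. Every overlay host should be reachable through at least one tunnel selector.
    for h in hosts:
        if h in overlay_net and h not in covered:
            findings.append(f"host {h} is not covered by any tunnel selector")
    return findings


# Constructed counter-example (not from the slides): a stray host, a partner LAN
# that reuses overlay space, and an over-broad /16 site selector.
BAD_PLAN = {
    "overlay": "172.31.0.0/22",
    "overlay_hosts": ["172.31.1.1", "172.31.8.5"],
    "sites": {"Chicago": "192.168.3.0/24", "Partner": "172.31.2.0/24"},
    "tunnels": [("192.168.0.0/16", "172.31.1.0/24")],
}

if __name__ == "__main__":
    print("slide plan:", audit_plan(**SLIDE_PLAN) or "consistent")
    for finding in audit_plan(**BAD_PLAN):
        print("bad plan:", finding)
```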