This document discusses user defined networks and how SDN can be used to provide network services. It describes how an SDN controller can configure virtual network functions to provide services like firewalls, intrusion detection, caching, and more. Services can be easily added and configured through a portal to create customized, on-demand networks for users.

1. USER DEFINED NETWORK
Jacek Wosz JNCIE #877

2. •Wykorzystanie SDN u operatora telekomunikacyjnego
•Wymagania do świadczenia usług w chmurze z wykorzystaniem SDN
•User DefinedNetwork jako kolejny krok?
•User SelfCarePortal
•Architektura blokowa
•Co właściwie dzieje się w sieci
Agenda

3. •Zwiększenie marżowości świadczonych usług
•Możliwość świadczenia zaawansowanych serwisów dla klientów biznesowych (ManagedSecurity)
•Możliwość oferowania coraz to nowych usług w bardzo krótkim czasie
•Możliwość łatwej skalowalności usług
•Wyróżnik względem konkurencji
Współczesne potrzeby operatorów telekomunikacyjnych

4. SDNController
Configuration
Analytics
Control
Server(Compute)
VM
VM
VM
Server(Compute)
VM
VM
VM
IP fabric(underlay network)
Juniper Qfabric/QFX/EX or 3rd party underlay switches
Juniper MXor 3rd party gateway routers
Tenant VMs(NVF ie. FireflyPerimeter)
ContrailController
REST
XMPP
Orchestrator
XMPP
BGP + Netconf
Contrail vRouter(L2 & L3) on KVM, Xenand ESXi/HyperV
2014
CloudSystems Components

5. •Network Address Translation (Firefly)
•StatefulFirewall (Firefly)
•Unified Threat Management (Firefly)
•Intrusion Detection / Prevention (Firefly)
•vCPE(Firefly)
•Caching (JunosContent Encore)
•SSL VPN Gateway (vSA)
•DDoS(JDDS)
•Web Intrusion Deception (JunosWebAppSecure)
NAT
IntrusionDeception
Caching
DDoS
vCPE
SSLGW
Video
Conf.
…
DPI
Analytics
WAN Opt.
CDN
Virtual SBC
Juniper Services
3rdParty Services
FWIDP
•Anything !!
User DefinedNetworks
Centralized Cloud
Data Centers
GW Router
MOBILE
Physical Network
BUSINESS
CUSTOMER
VMs / NFV
VMs / NFV
NFV
NFV
Edge Clouds
MX 3D
Portal

6. Scripts
SyslogServer
Web Portal
REST/JSON API
Block Architecture –creating a Service Instance
OpenStackControler
ContrailController
JunosSpace/ Security Director
CreatingService Instance

7. Scripts
SyslogServer
Web Portal
REST/JSON API
OpenStackControler
ContrailController
JunosSpace/ Security Director
AddingFireflyto Space
Bind predefinedpolicy
(WF/Appsec/AV)
Block Architecture-adding Firefly Perimeter to Security Director

8. Scripts
SyslogServer
Web Portal
REST/JSON API
OpenStackControler
ContrailController
JunosSpace/ Security Director
Requestinfo to drawstatistics
Block Architecture –LoggingSystem

9. GW Router
MOBILE
Physical Network
BUSINESS
VMs / NFV
VMs / NFV
NFV
NFV
Edge Clouds
MX 3D
eBGP
Centralized Cloud
Data Centers

10. Centralized Cloud
Data Centers
GW Router
MOBILE
Physical Network
BUSINESS
VMs / NFV
VMs / NFV
NFV
NFV
Edge Clouds
MX 3D
eBGP
Reports

11. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
CONTRAIL ELEMENTS

12. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
BGP (XMPP)
BGP

13. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
1.CREATE VN NET#1 , ROUTE TARGET ASN:10000
VRF #1 RT ASN:10000
2.CREATE VM#1 in NET#1
3. VM #1 HOST ROUTE RT ASN:10000
4. ADVERTISE VM#1 HOST ROUTE with RT ASN:10000,
NH > COMPUTE NODE
5. DYNAMIC GRE
6. INSTALL VM#1 HOST ROUTE in VRF#1
ROUTE ADVERTISE BETWEEN MPLS NETWORK AND CONTRAIL

14. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAIL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
1.CREATE vSRXSERVICE INSTANCE
IFL #1 WAN NETWORK
IFL #2 LAN NETWORK
IFL #3 MGMT NETWORK
VRF WAN RT ASN:66600666
2. VM vSRXHOST ROUTE RT ASN:66600666
3. ADVERTISE vSRXHOST ROUTES
6. INSTALL vSRXHOST ROUTES in VRFs
VRF CUSTOMER #1 RT ASN:10001
VRF CARRIER MGMT RT ASN:950001
2. VM vSRXHOST
ROUTE RT ASN:10001
2. VM vSRXHOST
ROUTE RT ASN:950001
CREATING vSRX SERVICE INSTANCE

15. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
VRF WAN RT ASN:66600666
WAN. 0/0 -> WAN GW (CONTRAIL)
VRF CUSTOMER #1 RT ASN:10001
VRF CARRIER MGMT RT ASN:950001
LAN BGP SESSION TERMINATED on MX
CONNECTING vSRX SERVICE INSTANCE TO INFRASTRUCTURE
MGMT 10.10.100/24 -> MGMT GW (CONTRAIL)
ADVERTISE -> CUSTOMER ROUTE FROM VRF
ADVERTISE -> 0/0 to MX VRF (BY CONTRAIL NOTvSRX)

16. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
VRF WAN RT ASN:66600666
VRF CUSTOMER #1 RT ASN:10001
VRF CARRIER MGMT RT ASN:950001
PRECONFIGURING vSRXSERVICE INSTANCE TO NEW ROLE
DISOVER NEW vSRX
Security Director
PRECONFIGURE PROFILE ROLE(NGFW/WEB-FILTERING ETC)

17. MX GATEWAY
CONTRAIL vROUTER
xe-2/0/0.96
10.10.96.253
CONTRAL/OPENSTACK
CONTROLER
CONTRAL/OPENSTACK
COMPUTE NODE
VRF WAN RT ASN:66600666
VRF CARRIER MGMT RT ASN:950001 VRF CUSTOMER #1 RT ASN:10001
FLOW FROM CUSTOMER IN VRF
FIREWALL/APPLICATION VISIBILITY/WEB FILTERING/AV

18. Q & A