
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)


Presentation by Mohamad Ali Fahmi

  1. Cisco SDN/NFV Innovations. Mohamad Ali Fahmi (mofahmi@cisco.com). Released: March 21st, 2016.
  2. Agenda
     • Introduction
     • Architecture
     • Innovations
     • Summary
     (Slide footer: © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
  3. SDN is…
     • …a new approach* (* …not the first attempt!)
     • …transforming the networking industry, challenging the way we think about engineering, implementing and managing networks
     • …providing new methods to interact with equipment/services: controllers, APIs
     • …empowering external influencers to network design and operations
     • …generating a LOT of ‘buzz’ and attention
     • …providing a catalyst for traditional Route/Switch engineers to branch out
  4. SDN is not…
     • …an easy button… but it is intended to make things easier for all!
     • …a panacea or end-state
     • …well or narrowly defined
     • …meaning the death of network engineers
     • …a mandate for all network engineers to become C and Java programmers
     • …a new attempt at network evolution…
     (Cartoon caption: “I Wants SDN”)
  5. Emerging Technologies: Motivations and Strategy
     • SDN: open and programmable at all layers; simplify / reduce complexity
     • NFV: elastic resource capacity; reduce total costs across all services
     • Service Orchestration: customized delivery; automation / accelerate time to revenue
     • Business outcomes: Business Agility, Operational Simplicity, Profitability
  6. Cisco Strategy: Various models of programmability (diagram)
     • Model 1, Vendor Specific (e.g. onePK): applications use vendor-specific APIs to talk to the control plane and data plane, alongside CLI, SNMP, …
     • Model 2a, Classic SDN: applications talk to a controller, which programs the data plane via OpenFlow
     • Model 2b, Hybrid “SDN”: applications talk to a controller, which uses OpenFlow plus vendor-specific APIs (e.g. onePK) to a control plane and data plane that remain on the device
     • Model 3, Network Virtualization / Virtual Overlays: applications use vendor-specific APIs to a virtual control plane and virtual data plane, which run overlay protocols (e.g. VXLAN) over the physical control plane and data plane
  7. ETSI: NFV Reference Architecture (diagram)
     • OSS/BSS
     • NFV Management and Orchestration: Orchestrator, VNF Manager(s), Virtualised Infrastructure Manager(s); Service, VNF and Infrastructure Description
     • EMS 1, EMS 2, EMS 3 managing VNF 1, VNF 2, VNF 3
     • NFVI: Virtual Computing, Virtual Storage, Virtual Network; Virtualisation Layer; hardware resources (Computing Hardware, Storage Hardware, Network Hardware)
     • Reference points: Os-Ma, Se-Ma, Or-Vnfm, Or-Vi, Vi-Vnfm, Ve-Vnfm, Nf-Vi, Vn-Nf, Vl-Ha (execution reference points, main NFV reference points, other reference points)
  8. ETSI: NFV Architecture. The same diagram as slide 7, grouped into three areas: Infrastructure (NFVI), S/W Architecture (EMS and VNFs), and Management and Operations (OSS/BSS and NFV Management and Orchestration).
  9. Cisco NFV Architecture (diagram)
     • NFV-O and Resource Orchestration: NSO (Network Services Orchestrator, enabled by Tail-f), North Bound APIs
     • VNF Manager: Cisco ESC, Cisco CTCM, or 3rd party
     • Virtual Network Functions (Cisco and 3rd party): CSR, ASAv, vNAM, vIPS, vPC-DI, vIMS, Video Opt., 3rd party
     • Virtual Infrastructure Manager: Mercury, based on RHEL OSP 7 OpenStack (or 3rd party); Linux (RHEL 7.1), hypervisor (KVM), host packages, software-defined storage; SDN: APIC, VTS, OSC or 3rd party
     • NFVI scope / physical infrastructure: Compute (UCS), Storage (Ceph), Network
     • Unified management with assurance: UCSD, API, GUI, Assurance
  10. Cisco Innovations
     • vMS
     • vBranch
     • ACI
     • APIC-EM
     • Ultra Service Platform
     • ACE
  11. Managed Services Today: Network-based VPNs + physical appliances (diagram: PE routers around an IP/MPLS core, Data Centre)
     • Today: physical appliances in the DC; services in the branch, as appliances or integrated
     • Two major disruptors: cloud computing; overlay VPNs. Different impacts!
  12. Managed Services evolution, Option 1: Network-based VPNs + cloud computing (diagram: PE routers, IP/MPLS, Data Centre)
     • Simplification of the branch: basic routing, L2 switching
     • Primarily an SP play
     • Service moves to the DC: virtualized DCs spread across the infrastructure
     • Benefits: reduced equipment costs, reduced onsite effort, more flexibility
  13. VMS Release 2.0: Delivering Comprehensive Cloud VPN Services
     Cloud VPN Services
     • 3 service models for enterprise deployment flexibility: Cloud VPN Foundation; Cloud VPN Advanced; Cloud VPN Advanced w/Web Security
     • CSR1Kv: virtual router for site-to-site VPN with secure IP overlay, using FlexVPN/IKEv2 for IPsec tunnels
     • ASAv: vFW with NAT and policy (*)
     • ASAv: vFW with IPsec/SSL remote access (*)
     • WSAv for enhanced web security (*)
     Management and Orchestration
     • Enterprise admin service interface (portal) driven service instantiation
     • Zero-touch deployment of enterprise CPE (ISR G2)
     • Model-driven network services lifecycle management with Network Service Orchestrator (NSO) from Tail-f
     • VNF lifecycle management with Elastic Services Controller (ESC)
     • Virtual infrastructure management with OpenStack, featuring OVS and ODL/VPP as SDN controllers
     (Diagram labels: CPE Cust-A, Cust-B, Cust-C; Over-The-Top access; Flex-VPN links; Internet; VR; ASA; WSA; Foundation / Advanced / Advanced w/Web Security service tiers; NSO – NFV Orchestrator; ESC – VNF Manager; OpenStack – Virtual Infrastructure Manager; PnP; RFS; VirTo RFS API; managed orchestration link; direct Internet access via “split tunnel”; access model: Flex-VPN links, IPsec VPN service access, vRouter, Internet access / remote access)
  14. VMS 1.0.2 Services: Scope of Orchestration (Cisco Confidential – shared under NDA only)
     • CPE: ISR 800, 1900, 2900, 3900 Series
     • VPN / Managed WAN: vRouter (CSR1Kv), CloudVPN (IPsec), Internet
     • Managed Security: Branch Firewall (ASAv), Web Security (WSAv), Remote Access
  15. VMS 2.0 Services: Scope of Orchestration (Cisco Confidential – shared under NDA only)
     • CPE: ISR 800, 1900, 2900, 3900, 4000 Series
     • VPN / Managed WAN: vRouter (CSR1Kv), CloudVPN (IPsec), Internet
     • Managed Security: Branch Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv), Remote Access
  16. VMS 2.1 Services: Scope of Orchestration (Cisco Confidential – shared under NDA only)
     • As VMS 2.0, plus VMS – Cloud VPN “as a Service”
  17. VMS 2.2 Services: Scope of Orchestration (Cisco Confidential – shared under NDA only)
     • CPE: ISR 800, 1900, 2900, 3900, 4000 Series
     • Managed WAN: vRouter (CSR1Kv) with CloudVPN (IPsec); vPE (CSR1Kv) with MPLS VPN (MPLS)
     • Managed Security: Branch Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv), Remote Access, Internet
     • IWAN between branch and headquarters: Internet (IPsec) and MPLS VPN (MPLS) transports, DMVPN, IWAN (BR/MC)
  18. Delivering services to the branch: today’s approaches
     • Rack and Stack. Good: best in breed, customer choice, modular build-out. Drawbacks: environmental (space / power / wiring), onsite and complex installation, truck rolls.
     • Integrated Branch Solution. Benefits: fully integrated solution, no truck roll, simpler environmental. Drawbacks: reduced customer choice, upfront hardware investment, software inter-dependencies.
  19. What is vBranch
     Orchestration
     • Centrally orchestrated branch-level NFV solution
     • Central portal (user and operator portal)
     Infrastructure
     • NFV orchestrator: NCS
     • VNF EMS / NMS / Controller: customer choice
     • Elastic Services Controller at the branch: GUI plus local lifecycle management
     • x86 capability at the branch (an x86 entity over the IP network hosting CSR1kv, ASAv, vWAAS, 3rd party VNFs)
  20. Customer Experience in Brief
     1. Order / customize your services
     2. CPE ships (if needed)
     3. CPE is connected (if needed)
     4. Orchestration occurs automatically! Customer VPN service is up and running.
     (Diagram: customer site 10.12.162.x, Internet, Service Provider Cloud)
  21. Self-Service User and Operator Portals: Customizable. Service health-awareness and resource utilization are integrated with service orchestration into the operator and end-customer portals.
  22. Cisco Virtual Managed Services: Cloud VPN and Cloud MPLS Packages (diagram)
     • Customers: flexible CPE (Cisco ISR, Ethernet NID); self-service portal
     • Service Provider Cloud: Cisco® Virtual Managed Services Platform with service catalog, orchestration engine and open APIs; compute, storage and network
     • VNFs: vRouter, vFirewall, vWSA, vIPS
     • Cisco Evolved Programmable Network: Secure Broadband, Secure WAN (IPsec / MPLS)
  23. ACI Building Blocks
     • APIC: open RESTful APIs, centralized policy model, open source controller
     • ACI: policy model, built-in line-rate endpoint directory, integrated overlay, 40G non-blocking fabric, simple and secure
     • Nexus 9500 and 9300 (next-generation Nexus, traditional networks): 50% simpler code base; future proof, software upgradable to ACI; programmability and automation; network virtualization support; resiliency (in-service patching, upgrade, fast restart)
     • Innovations in software, hardware and system design: price, power efficiency, programmability, port density, performance; optimized NX-OS; scale out without compromise; common building blocks for access and core
  24. All forwarding in the fabric is managed through the application network profile
     • IP addresses are fully portable anywhere within the fabric
     • Security and forwarding are fully decoupled from any physical or virtual network attributes
     • Devices autonomously update the state of the network based on configured policy requirements
     • Application policy model: defines the application requirements (application network profile)
     • Policy instantiation: each device dynamically instantiates the required changes based on the policies
     (Diagram: APIC; Application Client → Web Tier → App Tier → DB Tier → Storage; VMs at 10.2.4.7, 10.9.3.37, 10.32.3.7)
  25. Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware (diagram: Cisco Application Policy Infrastructure Controller (APIC); Cisco® ACI Fabric, scale-out, penalty-free overlay; Outside (Tenant VRF) → QoS / Filter → Web → Filter / Service → App → Service / QoS / Filter → DB)
  26. Two types of languages, with a human translator in between
     • App language: application tier policy and dependencies; security requirements; service level agreement; application performance; compliance; geo dependencies
     • Infrastructure language: VLAN; IP address; subnets; firewalls; quality of service; load balancer; access lists
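An added example, not code from the slides or from Cisco, that models the idea of slides 24 to 26: the application network profile is written in the application language (tiers and contracts), each leaf derives only the infrastructure rules it needs from the endpoint directory, and an endpoint can move or change IP without editing the profile. All names, the leaf layout and the address 10.77.0.5 are constructed; the other addresses are the ones on slide 24.

```python
"""Toy ACI-style policy model: app-language profile, per-leaf instantiation,
endpoint directory. Constructed for illustration; not Cisco's implementation."""

# Application network profile in the application language:
# (consumer EPG, provider EPG, filter). Nothing here names an IP or VLAN.
PROFILE = {
    ("Client", "Web", "tcp/443"),
    ("Web", "App", "tcp/8080"),
    ("App", "DB", "tcp/5432"),
}

# Endpoint directory (the fabric's line-rate endpoint directory on slide 23):
# endpoint -> EPG membership, current IP, attached leaf. Constructed sample.
DIRECTORY = {
    "client1": {"epg": "Client", "ip": "10.2.4.7",  "leaf": "leaf1"},
    "web1":    {"epg": "Web",    "ip": "10.9.3.37", "leaf": "leaf1"},
    "app1":    {"epg": "App",    "ip": "10.32.3.7", "leaf": "leaf2"},
    "db1":     {"epg": "DB",     "ip": "10.32.3.8", "leaf": "leaf2"},
}


def epg_of(ip):
    """Resolve an address through the directory; an unknown IP is in no EPG
    and therefore matches no contract (default deny)."""
    for ep in DIRECTORY.values():
        if ep["ip"] == ip:
            return ep["epg"]
    return None


def permit(src_ip, dst_ip, flt):
    """Forwarding decision taken on EPG pair plus filter, never on the IP."""
    return (epg_of(src_ip), epg_of(dst_ip), flt) in PROFILE


def instantiate(leaf):
    """Infrastructure-language view for one leaf: only the contracts that
    involve an EPG with at least one endpoint attached to this leaf."""
    local = {ep["epg"] for ep in DIRECTORY.values() if ep["leaf"] == leaf}
    return {rule for rule in PROFILE if rule[0] in local or rule[1] in local}


def move(endpoint, leaf, ip):
    """An endpoint moves to another leaf and gets a new address. Only the
    directory changes; PROFILE is untouched and every leaf re-derives."""
    DIRECTORY[endpoint].update({"leaf": leaf, "ip": ip})
    return instantiate(leaf)
```

`instantiate()` is what each device computes for itself from the policy, which is the "policy instantiation" step on slide 24; after `move()` the old leaf drops rules it no longer needs and the new leaf picks them up.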
  27. APIC-EM: Common Policy Model from Branch to Data Center
     • Application network flow profile: SLA, security, QoS, load balancing
     • User and Things network profile: QoS, security, SLA, device, location, role
     • One policy across Data Center, WAN and Access (and cloud)
     • Cisco® advantage: brownfield and greenfield; end-to-end policy framework with focus on application and user enablement
  28. Ultra Service Platform: From Physical to Virtualized Mobile Networks (diagram)
     • Physical mobile network: a Services Core of Firewall, Policy, Packet Core, Voice and DPI appliances
     • Virtual mobile network: NFV infrastructure hosting virtual functions (VPC packet core, Voice, Security, vDPI, vPolicy), each with its EMS; MANO (NFVO, VNFM, VIM); Internet and Voice connectivity
  29. Agile Carrier Ethernet (ACE)
     • Service: controller. Minimal but “sufficient” distributed control plane on network nodes; centralized intelligence on the SDN service controller; SDN + BGP for service, programmable
     • Transport: Segment Routing with auto-discovery. Autonomic, self-deployed and self-protected, dynamic, ECMPs, flexible traffic engineering
     (Diagram: SDN controller reaches the nodes via Netconf/YANG)
  30. Agile Carrier Ethernet (ACE): three pillars
     • Autonomic Networking: virtual out-of-band channel, autonomic control plane, secure and zero-touch deployment, auto IP / IP unnumbered, reduced protocols
     • Segment Routing: application integration, TI-LFA, simplified TE
     • SDN Orchestration: NSO / Tail-f for service and static label provisioning; XRv for the central control plane; Open SDN Controller and WAE as add-ons for SR TE
  31. Autonomic Networking: Secure, Plug-n-Play (diagram: Registrar, dark Layer 2 cloud, nodes “Michael” and “Steve”, AAA, misconfiguration / routing misconfiguration)
     • Plug-n-Play: a new node uses its IPv6 link-local address to build adjacency with existing nodes; no initial configuration is required
     • Secure: the new node is authenticated using its ID, and then builds an encrypted tunnel with its adjacent nodes
     • Always-on VOOB: consistent reachability between controller and network devices over a virtual out-of-band management VRF; even with user misconfiguration, the VOOB remains up
  32. Transport Evolution with Segment Routing (SR)
     • Application-enabled forwarding: each engineered application flow is mapped on a path; a path is expressed as an ordered list of segments; the network maintains only segments
     • Simple: fewer protocols, less protocol interaction, less state; no requirement for RSVP or LDP
     • Scale: fewer label databases, fewer TE LSPs; leverages MPLS services and hardware
     • Forwarding based on labels with a simple IS-IS/OSPF extension
     • 50 ms FRR service-level guarantees
     • Leverages the multi-service properties of MPLS
     • Millions of application flows, each mapped on a list of segments; the network only maintains segments and holds no application state: the state is no longer in the network but in the packet
  33. ACE Transport: Unified MPLS with Segment Routing (Unified MPLS with SR ← simplified MPLS transport)
     • Isolated network domains with common IP/MPLS technology using segment routing
     • Autonomic: auto-discovery, plug-n-play
     • Intra-domain routing: shortest path, TI-FRR, anycast node SID for node redundancy
     • Inter-domain routing: SDN-controlled inter-domain end-to-end routing
     • Backward compatible with the existing unified MPLS network, LDP/RSVP-TE, RFC 3107
     (Diagram: Access – Aggregation – Core – Aggregation – Access – DC; Metro IGP domains, Core IGP domain, DC domain; nodes A and B, gateway pairs GW1 and GW2; Controller)
  34. ACE Transport Architecture: SDN-controlled end-to-end LSP (SR segment list)
     • Diagram: Metro1 (IGP/SR metro island: A, GW11 and GW12 sharing anycast SID 1001), Core IGP, Metro2 (IGP/SR metro island: GW21 and GW22 sharing anycast SID 1002, B); NSO; OSC/WAE; BGP-LS from the network to the controller
     • WAE calculates the path and provides the information to NSO
     • Low-latency path: SR-TE binding SID 16888 → [SID list for the SR-TE RED path]; SR label stack imposed at the ingress: [1001, 16888, B]
     • SR-TE with an SR binding SID provides enhanced inter-domain TE without requiring deep label-stack support on the access nodes
  35. ACE Service Architecture: Unified VPN Service Model
     Unified VPN simple service model
     • P2P L2VPN: static PW provisioned by NSO
     • MP L2VPN: static PW within the domain, EVPN between domains
     • L3VPN: centralized on the GW node using a PWHE virtual interface
     (Diagram: Access – Aggregation – Core – Aggregation – Access; A, B, GW1, GW2; PW, PWHE, EVPN, IP-VPN; NSO does the VPN service provisioning)
  36. Automate Service Provisioning through SDN (diagram: nodes A, B, C, M, N, O, Z, D, P; CE; Controller; SP’s OSS/BSS; automation through open APIs; VRFs and static PW labels on the end nodes)
     • The label stack between service nodes is provided through Segment Routing
     • The SDN controller pushes static service labels on the end nodes through e.g. Netconf/YANG; optionally, stitching may be used on the mid-nodes
     • Service nodes implement the forwarding service (L3/L2 based), distributed or centralized
     • Table on the slide: Node / Anycast GW: A 101, Z 101. Service / Label: PW-123 123, PW-234 234
  37. Optimize Infrastructure with SDN (diagram: WAE controller; path A→Z expressed as {66, 68, 65}; one link marked FULL; PCEP to the source node, BGP-LS from the network)
     • An SDN controller such as WAN Automation Engine monitors and re-optimizes the infrastructure according to Service Provider business rules (h, link cost, delay)
     • The SDN controller modifies network flows instantaneously by pushing the label stack to the source node only
     • PCEP provides programmatic interfaces to the source nodes, while BGP-LS provides network state to the controller
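An added example, not code from the slides or from Cisco, that walks through the segment-routing claims of slides 32, 34, 36 and 37 in one small simulator: the path rides in the packet as an ordered label stack, each node keeps only a segment table (its node SID, an anycast SID, a binding SID, a service label), a binding SID is expanded locally by the node that owns it, and the bottom label is the static service label. The topology, SID values and next hops are constructed; 1001, 1002 and 16888 are the values shown on slide 34.

```python
"""Toy segment-routing forwarder. Constructed topology: A -- GW11/GW12
(anycast 1001) -- C or D -- GW21 (anycast 1002) -- B. No per-flow state."""

# Node SIDs: A=16001, GW11=16011, GW12=16012, C=16005, D=16006, GW21=16021,
# B=16002. Binding SID 16888 lives only on GW11 and expands to the
# low-latency ("RED") path via C; the IGP shortest path from GW11 runs via D.
NODES = {
    "A":    {"own": {16001}, "nh": {1001: "GW11", 16011: "GW11", 16012: "GW12"}},
    "GW11": {"own": {16011, 1001}, "bsid": {16888: [16005, 16021]},
             "nh": {16005: "C", 16006: "D", 16021: "D", 1002: "D", 16002: "D"}},
    "GW12": {"own": {16012, 1001},
             "nh": {16005: "C", 16006: "D", 16021: "D", 1002: "D", 16002: "D"}},
    "C":    {"own": {16005}, "nh": {16021: "GW21", 1002: "GW21", 16002: "GW21"}},
    "D":    {"own": {16006}, "nh": {16021: "GW21", 1002: "GW21", 16002: "GW21"}},
    "GW21": {"own": {16021, 1002}, "nh": {16002: "B"}},
    # Egress: the bottom label 123 is the static PW service label (slide 36).
    "B":    {"own": {16002}, "service": {123: "PW-123 attachment circuit"}},
}


def forward(ingress, stack, max_hops=20):
    """Forward one packet hop by hop using only the per-node segment tables.

    Returns (nodes visited, service delivered at the egress). Raises
    ValueError when a node has no entry for the top label, which is what
    happens if a binding SID reaches a node that did not allocate it.
    """
    node, labels, hops = ingress, list(stack), [ingress]
    for _ in range(max_hops):
        if not labels:
            raise ValueError(f"{node}: empty label stack")
        info, top = NODES[node], labels[0]
        if top in info["own"]:
            labels.pop(0)                       # this segment is complete
            continue
        if top in info.get("bsid", {}):
            labels[0:1] = info["bsid"][top]     # expand the binding SID here
            continue
        if len(labels) == 1 and top in info.get("service", {}):
            return hops, info["service"][top]   # bottom label: service lookup
        nxt = info.get("nh", {}).get(top)
        if nxt is None:
            raise ValueError(f"{node}: no segment table entry for {top}")
        node = nxt                              # forward, storing nothing
        hops.append(node)
    raise ValueError("hop limit exceeded")


if __name__ == "__main__":
    # Same ingress, same tables; the packet alone decides the path.
    print(forward("A", [1001, 16002, 123]))          # shortest path, via D
    print(forward("A", [1001, 16888, 16002, 123]))   # SR-TE path, via C
```

The ingress at A pushes four labels for the TE path instead of the five the expanded path would need, which is the "no deep label stack on the access nodes" point of slide 34; sending 16888 toward GW12 fails because only GW11 allocated it.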
  38. From device-centric to network-as-platform
     • Now: Orchestration (NSO) with an SDN Controller (WAE); centralized service provisioning; works with existing network devices
     • Next, ACE: Orchestration (NSO) with an SDN Controller (XRv + ODL, WAE); on the device only what is minimal but sufficient: AN (Autonomic Networking), SR (Segment Routing), VPN services (eVPN + static PW)
     • Network as Platform: fully programmable; the device is a PnP component
     • Legend: NSO = Network Service Orchestrator; WAE = WAN Automation Engine; ODL = OpenDaylight
  39. Summary
     • SDN and NFV are evolving; Cisco is developing solutions based on open standards and market requirements
     • SDN and NFV cover all segments of the network
     • NFV is maturing, with many deployments in production
     • More development is needed in SDN solutions
     • IT engineers also need to evolve from hardware-centric to software-centric
     • Basic knowledge of IT (OS, network, hypervisor, etc.) is the foundation of SDN and NFV
     • Cisco provides a development portal for engineers: http://Devnet.cisco.com
