TFI2014 Session I - State of SDN - Scott Sneddon
•Download as PPTX, PDF•
0 likes•351 views
TFI2014 Session I - State of SDN - Scott Sneddon
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to TFI2014 Session I - State of SDN - Scott Sneddon
Similar to TFI2014 Session I - State of SDN - Scott Sneddon (20)
More from Colorado Internet Society (CO ISOC)
More from Colorado Internet Society (CO ISOC) (8)
Recently uploaded
Recently uploaded (20)
TFI2014 Session I - State of SDN - Scott Sneddon
- 1. A Policy Driven Approach to Software Defined Networking Scott Sneddon Principal Solutions Architect, APAC Business Development Lead Nuage Networks Copyright 2013 Alcatel-Lucent. @ssneddon All rights reserved.
- 2. SDN in 2014 OpenFlow Controllers Network Virtualization White Box Switching Open Source Projects Network as a Service Plenty of Innovation and Disruption…
- 3. Why SDN? Reduce Cost Asset Utilization Self Service Automation Make the network more “Cloud” like We’re making great progress
- 4. The “Consumption shift” Cloud is changing the way technology is being consumed From “order and wait” To “instant gratification” Single user Multiple personas On-demand personalized catalogue Consumer expectations are shifting
- 5. Compute is Virtualized Available in Minutes Network is Partially Virtualized Configuration takes Days/Weeks New Tenant / Application Request Network Configuration Compute Management Auto-instantiation Compute Request completed in Minutes Help Desk Change Control VLAN Address IP Address LAN (VLAN) Configuration WAN (IP) Configuration Firewall Configuration Project Coordinator Security / QA Team Network Change completed in days/Weeks 00:01 Datacenter Network Service velocity is hindered by manual network process
- 6. Network is “more” virtualized Some things available in minutes – Some not so much Many network elements are manually configured Manual per-tenant network configurations New Tenant / Application Request Network Configuration Compute Management 00:01 00:01 Auto-instantiation Compute Request completed in Minutes SDN Controller Some Network Change completed In Minutes Software Defined Datacenter Network Service velocity accelerated, but…
- 7. Committees still build “networks” Audits/reviews In a NaaS environment (OpenStack Neutron, AWS, etc) this is delegated to the tenant Is this what your DevOps team should be doing? IP Address WAN (IP) Configuration DevOps Team Network Configuration Software Defined Network Configuration VLAN Address Firewall Configuration Network Configuration created in days/Weeks We’ve only addressed part of the automation problem
- 8. OpenStack Neutron Networks Current Neutron Networking provides building blocks to create logical topologies Networks, Ports, Subnets ,Routers, Security Groups neutron net-create web neutron subnet-create web 10.0.0.0/24 neutron router-create router1 neutron router-add-interface router1 web … Not abstracted into a consumable model web app db VM VM VM VM VM VM Puts the burden of topology design on the DevOps team
- 9. VM VM VM VM VM VM DevOps has an understanding of the specific application needs Segmentation, Port numbers, Connectivity goals Should not be burdened with the implementation details Routes, Subnets, VLANs The DevOps team needs an Abstracted view A DevOps View web app VM VM VM db
- 10. A Network Admin View Network Administrators need to… Define connectivity models Paths QoS Access Control Deploy service elements Firewall Load Balancer IPS Audit compliance Audit usage chain 1 chain 2 chain 3 Firewall Parental Ctl IPS Policy Selector Firewall Parental Ctl IPS Internet chain 4
- 11. Policy approach to networking Policy Templates Users Application Types Business Rules Policy Evaluation Firewall Firewall W W Firewall BL BL W W Firewall Firewall W W BL BL Firewall Firewall W W BL BL BL BL Application Networks Design once, re-use multiple times
- 12. What is a network Policy? OpenStack Group Based Policy Abstractions for Neutron https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction • An Application-centric approach to networking • Moving away from traditional network constructs • ports, subnets, routers, etc • Aiming for a highly abstracted interface for application developers to • express desired connectivity of application components • and express high-level policies governing that connectivity • Without imposing constraints on the underlying implementation
- 13. Policy Abstractions for Neutron VM VM OpenStack Group Based Policy Abstractions for Neutron https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction Outside EPG Web EPG App EPG DB EPG VM VM VM VM VM VM Web Contract App Contract App Contract Public Network Private Networks • Endpoint (EP) – an IP addressable entity • Endpoint Group (EPG) – a grouping of Endpoints • Policy Rule – individual rule that defines communication criteria • Contract – a collection of Policy Rules that are applied to traffic between EPG’s
- 14. To Achieve a Policy Driven Network In application development… We first define the application through source code We then compile the application into machine instructions Then we bind that application to a platform at run time Assigning compute registers and memory locations In a Policy driven network… We first define the application’s connectivity requirements and business rules Application Policy We then map this application to a network service Predefined network templates, network contracts Then we implement these network services when the application is deployed Automated, Dynamic
- 15. APPLICATION ATTRIBUTES SDN FRAMEWORK TOPOLOGY ATTRIBUTES Service Mapping Service Binding Application Request TECHNOLOGY ATTRIBUTES V M V M V M web V M V M V M app V M V M V M web web app db To Achieve a Policy Driven Network
- 16. Policy Driven Networking Delivered Nuage has provided policy abstractions for virtual and physical networks since our first release L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics Difficult to express using existing Neutron constructs… Which is why we’re contributing to Group Based Policy Cleanly express application policy in Neutron
- 17. Network Policy templates and role-based workflow Tenant / Application Request Compute Management Networking Security/ Compliance Auto-instantiation Policy / Security Zones 00:01 Service velocity is not hindered by manual network process 00:01 Compute Request completed in Minutes IP address WAN interconnect L2 /L3 Service AD Service chaining Templates Network Policy Engine (Nuage Networks VSP) Policy Instantiation • IP address 10.x.y.z • VLAN configuration • WAN configuration • Security / FW settings • QoS parameters • … Network Change Completed automatically
- 18. Conclusions • Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLAN’s, but … • Creates a distributed virtual configuration and management challenge • Provisioning and management of these endpoints can not be done with traditional methodology • Policy abstraction is a proven framework • Nuage Networks has been shipping Policy Driven SDN since May 2013
- 19. For more information… • Nuage Networks Virtualized Services Platform • http://www.nuagenetworks.net • OpenStack Neutron Group Based Policy Abstraction • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction • OpenDaylight Application Policy Plugin • https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
- 20. 20 8/29/2014 Network Policy NOW @nuagenetworks @ssneddon
Editor's Notes
- - Controllers, white box switches, switches, open flow. Yes, all of these things are SDN. But wasn’t the goal all along to simplify network operation? To make the network more “cloud” like?
- - Controllers, white box switches, switches, open flow. Yes, all of these things are SDN. But wasn’t the goal all along to simplify network operation? To make the network more “cloud” like?
- - The problem with Data Center network automation was the complexity of the architecture. If I wanted to configure connectivity for a set of applications I had to have awareness of every element involved in that connectivity, and usually had to configure something on each element. So the database required to support end to end automation could become very large, with many many dependencies. Add to that a heterogeneous environment, and I’ve just compounded the problem.
- - So we’re getting to a point where you can configure connectivity for a set of applications by only touching one “controller”.
- - But we’re not quite there yet. The steps to provision these solutions is largely manual. We went from provisioning switches, routers, firewalls to provisioning a controller based vSwitch environment plus vRouters and vFirewalls. We only addressed part of the problem. And worse, We may have just pushed this problem onto my app teams (refer to the AWS model)
- - The future for SDN is in the development of a Policy driven approach to consuming these new networking models.
- http://keepingitclassless.net/2013/10/opendaylight-and-those-pesky-southbound-apis/ Kyle Mestery has put forward a blueprint for OpenStack Neutron that really simplifies the existing network provisioning model. Instead of worrying about network-specific things like subnets, routers, and networks, the application developers specify things like application relationships, and general policies – which is all they care about. Neutron then works with an external entity like ODL that takes care of the network-specific stuff. I’ve written in the past about the benefit of abstraction like this. There’s a few examples of this today – think about port profiles in VMware vSphere, or virtual NIC templates in Cisco UCS – the details concerning the network connectivity aren’t important to those consuming these policies – they just want to be able to select them from a drop-down. That’s essentially what we’re getting, only with this, we’re abstracting the entire network and the services it provides.
- Endpoint Endpoint Groups – common Policy Contracts define connectivity rules between EPGs