SDN in CloudStack

Post on 31-Oct-2014

DESCRIPTION

Presentation by Hugo Trippaers from Schuberg Philis, in which he talks about Software Defined Networking and its application in cloud computing. Hugo implemented the integration of the Nicira private gateway in Apache CloudStack. He also covers Midonet from Midokura, the BigSwitch virtual wit and the native SDN controller in CloudStack, which uses GRE tunnels. SDN allows virtual networks to be configured and managed dynamically, which allows for easy provisioning of tenants' networks in the cloud.

TRANSCRIPT

SDN in CloudStack

About me

Hugo Trippaers
Email: htrippaers@schubergphilis.com
Twitter: @Spark404
Freenode: Spark404

I’ve been working in IT for over two decades, mainly at ISP and hosting companies.
Mission Critical Engineer at Schuberg Philis for almost 6 years.
- Responsible for the 100% availability of our customers' application landscapes
- Currently part of the internal development team

PMC member for Apache Cloudstack

CloudStack networking - the five minute version

CloudStack networking
- Basic, isolation using security groups (L3)
- Advanced, isolation using network isolation (L2)

SDN was introduced to create isolated networks in Advanced zones

By now it can do much more... (Routing, Firewall, NAT)

Isolation with VLAN

CloudStack takes care of the configuration of hypervisor switches.

Who takes care of the networking gear?

He does...

Isolation with Software Defined Networking

Who takes care of the networking gear?

CloudStack takes care of the configuration of hypervisor switches and L2 networking.

Software defined networking - core concepts

Decouples the control plane (what data is going where) from the data plane (how to get data there)

Makes network management easier by abstracting low-level functionality into virtual services.
- Independent of hardware and/or vendor

Provides a Northbound API
- Allows administrators to use automated tooling to provision services

Scale?

Software Defined Networking - advanced

Where can we go if we have a software-based network infrastructure?
- Distributed routing?
- Integrated security framework?
- Application controlled networking?

Endless possibilities, it’s all software anyway

SDN in CloudStack

Where is it?

Implemented in the core of CloudStack.

“Movable parts” configured per plugin.

Controlled by existing offering model.

SDN implementations

                  Isolation  DHCP    Firewall  NAT     Security Groups  VPC
GRE isolation     Pre ACS    -       -         -       -                -

SDN implementations - GRE isolation

Uses the existing implementation of OpenVSwitch in XenServer and XCP

Uses the OpenVSwitch GRE tunnels to “link” OpenVSwitch bridges between hypervisors

Entirely controlled by CloudStack

Pros
- Doesn’t require external components

Cons
- Bandwidth is limited due to lack of offloading
- Large deployments require a lot of tunnels
- Limited set of hypervisors supported (XenServer)

SDN implementations

                  Isolation  DHCP    Firewall  NAT     Security Groups  VPC
GRE isolation     Pre ACS    -       -         -       -                -
Nicira NVP        >= 4.0     -       -         -       -                -

SDN implementations - Nicira NVP

A commercial SDN solution developed by Nicira. Uses both OpenVSwitch and OpenFlow to build overlay tunnels on an existing network.

Pros
- STT tunnel protocol is optimized for high bandwidth
- Includes a gateway to link existing L3 or L2 networks to the virtual switch

Cons
- Requires custom OpenVSwitch on hypervisors.

SDN Implementations

                  Isolation  DHCP    Firewall  NAT     Security Groups  VPC
GRE isolation     Pre ACS    -       -         -       -                -
Nicira NVP        >= 4.0     -       >= 4.1    >= 4.1  -                >= 4.1
Big Switch VNS    >= 4.1     -       -         -       -                -

SDN implementations - Nicira NVP (>= ACS 4.1)

Nicira NVP plugin is updated to support L3 functionality. With this functionality the existing VRouter can be replaced with an SDN based construct.

Several changes have been made to the VPC setup to support SDN based networks in VPCs.

SDN implementations - BigSwitch VNS

The Big Switch Networks plugin is a CloudStack SDN plugin using the BigSwitch VNS platform. While BigSwitch VNS is a commercial solution, it is completely based on open standards like OpenFlow.

Pros
- Uses open standards

Cons
- Requires hypervisors and switches to support OpenFlow

SDN Implementations

                  Isolation  DHCP    Firewall  NAT     Security Groups  VPC
GRE isolation     Pre ACS    -       -         -       -                -
Nicira NVP        >= 4.0     -       >= 4.1    >= 4.1  -                >= 4.1
Big Switch VNS    >= 4.1     -       -         -       -                -
Midokura Midonet  master     master  master    master  -                -
Stratosphere SSP  review     -       -         -       -                -

SDN implementations - Midokura Midonet

Midokura Midonet is implemented as a CloudStack plugin. It offers a complete set of advanced features like DHCP, L3 Routing and various NAT options.

Pros
- Complete solution for building standard networks including L3 functions.

Cons
- Can only be used with the KVM hypervisor.

SDN implementations - Stratosphere

Stratosphere SSP is an SDN controller that controls or brokers physical and/or virtual network devices. Stratosphere SSP will build a VXLAN-backed overlay network. The plugin makes use of the L2 connectivity service provided by SSP.

Not much information available yet.

SDN implementations - next steps?

Support for VPC
- Including private gateways

Common configuration and setup

Security Groups

SDN in CloudStack - how does it work

Preparing an SDN solution for use requires some configuration work up front

Preparation - Configure physical network

The physical network defines the type of L2 isolation used.

Preparation - Setup Providers

The provider is the place to configure the SDN controller

Not used by the GRE tunnels, that is configured using configuration parameters.

Preparation - Setup network offerings

Connectivity is key

Services define where and how SDN is used in the offering

SDN in CloudStack - how does it work

Preparing an SDN solution for use requires some configuration work up front

Using the SDN solution is as straightforward as any networking in CloudStack

Usage - Creating a new network

The role of Network Gurus
- each guru supports a specific type of network
- selected based on a number of criteria, of which isolation type is only one

Selected guru is stored in the database for this particular network.

Usage - Creating a new network

The role of Network Elements
- triggered whenever a new NIC is attached to a network
- configure devices like firewalls, routers, etc.

Elements are selected based on the network offering used to create the network.

Usage - My first VM

Multiple actions happen at the same time
- network elements
- hypervisor resources

The NIC is the linking pin between a VM and the SDN implementation

The hypervisor sets flags to allow the VIF to be found

The network element tells the SDN solution what to look for

Not a generic way of doing things, depends on the SDN in use.

Usage - Ready

That's all there is to it

http://apache.cloudstack.org

http://www.nicira.com
http://www.bigswitch.com
http://www.midokura.com
http://www.iij.ad.jp/en/

Email: htrippaers@schubergphilis.com
Twitter: @Spark404
IRC Freenode: Spark404