BRANCHING OUT WITH SDN: GOING BEYOND DATACENTERS
Alastair Johnson, March 2015 – MPLS-SDN World Congress, Paris
Copyright 2015 Alcatel-Lucent. All rights reserved.
Slide 2: NETWORKING CONSUMPTION MUST EVOLVE END-TO-END

[Figure: Branch offices – Enterprise WAN (WAN Service) – DC Infrastructure (Private Cloud, Public Clouds)]

Evolved Datacenter Infrastructure:
- Automated
- Instantaneous modifications
- Simplified policy-driven management
- Freedom of choice
- Open
- Unconstrained options

Status Quo at the Remote Location:
- Manual provisioning
- Costly moves, adds and changes
- Complex management
- Limited choice
- Proprietary hardware, vertically integrated
- Constrained access options
- Limited hardware
- Limited automation
Slide 3: TECHNOLOGY RECAP: VXLAN

- VXLAN encapsulates Ethernet in IP (IPv4 or IPv6)
- UDP-based; the source port is a hash of the inner MACs or IPs to provide load-balancing entropy
- The 8-byte VXLAN header carries a 24-bit VXLAN Network Identifier (VNI) and flags
- Total encapsulation overhead is ~50 bytes
- VXLAN is routable: the underlay may be any IP network with its existing resiliency and load-balancing mechanisms (ECMP, IGPs/BGP, IP FRR)
- VXLAN tunnel endpoints can be on network equipment or on computing infrastructure, delivering a VPN straight to a compute resource

[Figure: IP Network underlay (IP FRR, ECMP, IGP) between tunnel endpoints]
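Added example, not from the slides: building and validating the 8-byte VXLAN header described above, deriving an entropy source port from the inner MAC pair, and totalling the ~50-byte overhead. The hash used for the source port is a constructed illustration, not any vendor's VTEP algorithm.

```python
import hashlib
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid


def vxlan_header(vni: int, flags: int = VXLAN_FLAG_VNI_VALID) -> bytes:
    """Build the 8-byte VXLAN header: flags (1), reserved (3), VNI (3), reserved (1)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the top 24 bits of the last 32-bit word; the low byte is reserved.
    return struct.pack("!B3sI", flags, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI; a header without the I flag must be dropped per RFC 7348."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack("!B3sI", hdr[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; drop the frame")
    return vni_word >> 8


def entropy_source_port(src_mac: bytes, dst_mac: bytes) -> int:
    """Pick a UDP source port from a hash of the inner MAC pair so underlay ECMP
    spreads tunnel flows (constructed hash for illustration; real VTEPs differ)."""
    digest = hashlib.sha256(src_mac + dst_mac).digest()
    return 49152 + int.from_bytes(digest[:2], "big") % 16384  # dynamic range 49152-65535


def encapsulation_overhead(ipv6: bool = False) -> int:
    """Outer Ethernet (14) + IP (20 or 40) + UDP (8) + VXLAN (8): 50 bytes for IPv4."""
    return 14 + (40 if ipv6 else 20) + 8 + 8
```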
Slide 4: TECHNOLOGY RECAP: EVPN

Control plane: EVPN MP-BGP (RFC7432). Data plane options:
- Multiprotocol Label Switching (MPLS), RFC7432: EVPN over MPLS for VLL, VPLS and E-Tree services; all-active multihoming for VPWS; RSVP-TE or LDP MPLS protocols
- Provider Backbone Bridges (PBB), draft-ietf-l2vpn-pbb-evpn: EVPN with PBB PE functionality for scaling very large networks over MPLS; all-active multihoming for PBB-VPLS
- Network Virtualization Overlay (NVO), draft-ietf-bess-evpn-overlay: EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations; provides Layer 2 and Layer 3 DCI
Slide 5: TECHNOLOGY RECAP: EVPN

- Proven and inherent BGP control-plane scalability extended to MAC routes
- Consistent signaled FDB in any size network instead of flooding
- Even more scalability and hierarchy with route reflectors
- BGP advertises MACs and IPs for next-hop resolution with EVPN NLRI: AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
- Fully supports IPv4 and IPv6 in the control and data plane
- Offers greater control over MAC learning: what is signaled, from where and to whom; ability to apply MAC learning policies
- Maintains virtualization and isolation of EVPN instances
- Enables traffic load balancing for multihomed CEs with ECMP MAC routes

MAC Advertisement Route (fields marked optional are shown in light green on the slide):
  Route Distinguisher (8 octets)
  Ethernet Segment Identifier (10 octets)
  Ethernet Tag ID (4 octets)
  MAC Address Length (1 octet)
  MAC Address (6 octets)
  IP Address Length (1 octet)
  IP Address (0, 4 or 16 octets)
  MPLS Label1 (3 octets)
  MPLS Label2 (0 or 3 octets)
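Added example, not from the slides or any vendor implementation: an encoder and a length-checking decoder for the MAC Advertisement Route layout listed above (route type 2), with the optional IP and Label2 fields handled. The RD and ESI values in the test are constructed placeholders; the 24-bit label field is treated as carrying the VNI when the route is used over VXLAN.

```python
import ipaddress
import struct

ROUTE_TYPE_MAC_IP = 2  # EVPN route type 2, MAC/IP Advertisement Route (RFC 7432)


def encode_mac_ip_route(rd: bytes, esi: bytes, eth_tag: int, mac: str,
                        ip=None, label1: int = 0, label2=None) -> bytes:
    """Serialize the route-specific fields in the order the slide lists them."""
    if len(rd) != 8 or len(esi) != 10:
        raise ValueError("RD must be 8 octets and ESI 10 octets")
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 6 octets")
    body = rd + esi + struct.pack("!I", eth_tag) + bytes([48]) + mac_bytes
    if ip is None:
        body += bytes([0])                          # IP Address Length 0: no IP field
    else:
        packed = ipaddress.ip_address(ip).packed
        body += bytes([len(packed) * 8]) + packed   # 32 (IPv4) or 128 (IPv6) bits
    body += label1.to_bytes(3, "big")               # 24-bit label field; VNI for VXLAN
    if label2 is not None:
        body += label2.to_bytes(3, "big")
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body  # NLRI = type, length, body


def decode_mac_ip_route(nlri: bytes) -> dict:
    """Parse the NLRI back, checking every length field before indexing with it."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a MAC/IP advertisement route")
    body = nlri[2:2 + nlri[1]]
    if len(body) != nlri[1] or len(body) < 33:      # 8+10+4+1+6+1+3 minimum
        raise ValueError("truncated NLRI")
    if body[22] != 48:
        raise ValueError("MAC length must be 48 bits")
    ip_len = body[29]
    if ip_len not in (0, 32, 128):
        raise ValueError("IP length must be 0, 32 or 128 bits")
    off = 30 + ip_len // 8
    labels = body[off:]
    if len(labels) not in (3, 6):
        raise ValueError("label field must be 3 or 6 octets")
    return {"rd": body[:8], "esi": body[8:18],
            "eth_tag": struct.unpack("!I", body[18:22])[0],
            "mac": ":".join(f"{b:02x}" for b in body[23:29]),
            "ip": str(ipaddress.ip_address(body[30:off])) if ip_len else None,
            "label1": int.from_bytes(labels[:3], "big"),
            "label2": int.from_bytes(labels[3:], "big") if len(labels) == 6 else None}
```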
Slide 6: POLICY IS KEY

Existing model (service provider NMS / EMS / config DB) is cumbersome and inefficient:
- Manual configuration with some automation
- Moves/adds/changes take weeks, not seconds, compromising business efficiency
- Expressed as network configuration, not business policy

Policy-driven model (business logic, templates, realtime changes):
- Define policies and templates once, reuse many times
- Business logic defines network services
- Realtime changes are reflected to the network, vetted against templates and security
- Service velocity is not hindered by manual network processes
Slide 7: PUTTING IT TOGETHER

POLICY: centralized, control-plane abstraction, instantaneous, programmable, federation-ready
CONTROL PLANE: scalable, controllable, efficient, federated, multi-topology/service
DATA PLANE: ubiquitous, Layer 2, Layer 3, service independence from transport
Slide 8: THE PAST DECADE OR TWO… THE BRANCH UNSHACKLED

[Figure: BRANCH NETWORKING DEVICE on PROPRIETARY HARDWARE (control plane, management plane, forwarding plane, ETH/IP) versus OPEN CPE on GENERAL PURPOSE COMPUTE with an OPEN OS: Virtual Routing & Switching, flow entries, security, traffic steering, QoS]
Slide 9: A NEW WAY OF DELIVERING VPNS

- The controller programs the forwarding plane for all CPEs; it is aware of all L2/L3 topology behind each CPE: calculate once, program many
- The CPE becomes the service instantiation point (smart edge principle), with VXLAN as the service transport
- Traffic is carried encapsulated over the underlay network; the underlay could be any infrastructure and is unaware of the topology of the overlay service

[Figure: CPEs at Site 1, Site 2 and Site 3 (each with a LAN) connected over the underlay to SP central functions: SDN controllers and policy DB]
Slide 10: A NEW WAY OF DELIVERING VPNS

- OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and to send notifications to the controller: MAC/IP addresses learned on LAN ports are alerted to the controller, which determines whether the MAC/IP is to be programmed into the FIB
- Federation of topology between controllers via BGP-EVPN: MAC and IP reachability is signaled, with the VXLAN VNI information combined with the NEXT_HOP

[Figure: CPEs managed by SDN controllers over OpenFlow/OVSDB, controllers federated over BGP EVPN; prefixes 10.1.0.0/24 and 10.3.0.0/24 behind VTEPs 192.0.2.1 and 192.0.2.3, and host 10.2.0.1/32 (aa:bb:cc:dd:ee:ff) in 10.2.0.0/24]
Slide 11: A NEW WAY OF DELIVERING VPNS

- CPEs forward directly between each other using VXLAN as the overlay: 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456; 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz
- The underlay network sees only VXLAN traffic between endpoints: traffic management = IP, transport = IP
- The data plane can be further encapsulated if needed

[Figure: 10.1.0.0/24 (192.0.2.1) and 10.3.0.0/24 (192.0.2.3) joined by a VXLAN tunnel, VNI = 123456]
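Added example, not from the slides or the Nuage product: a controller-side model of slides 10 and 11, where federated EVPN routes (prefix, NEXT_HOP VTEP, VNI) are turned into a per-CPE FIB and a learned LAN MAC/IP is admitted only if it passes a site policy. The routes reuse the slide's addresses; the SITE_SUBNETS provisioning table and the policy rule are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EvpnRoute:
    prefix: str    # customer prefix reachable behind a CPE
    next_hop: str  # BGP NEXT_HOP: the VTEP address of that CPE
    vni: int       # VXLAN VNI signaled with the route


# Constructed routes mirroring the slide (the slide leaves site 3's VNI as a placeholder)
ROUTES = [
    EvpnRoute("10.1.0.0/24", "192.0.2.1", 123456),
    EvpnRoute("10.3.0.0/24", "192.0.2.3", 123456),
]

# Hypothetical provisioning data: the subnet each CPE (keyed by its VTEP) may source
SITE_SUBNETS = {"192.0.2.2": ipaddress.ip_network("10.2.0.0/24")}


def accept_learned_host(cpe_vtep: str, mac: str, ip: str) -> bool:
    """Controller policy for a MAC/IP learned on a LAN port: program it only if the
    MAC is unicast and the IP lies inside the subnet provisioned for that site."""
    subnet = SITE_SUBNETS.get(cpe_vtep)
    unicast = not int(mac.split(":")[0], 16) & 0x01  # group bit clear
    return subnet is not None and unicast and ipaddress.ip_address(ip) in subnet


def build_fib(local_vtep: str, routes=ROUTES) -> dict:
    """Calculate once, program many: a per-CPE FIB of prefix -> (remote VTEP, VNI),
    excluding routes the CPE itself originated."""
    return {ipaddress.ip_network(r.prefix): (r.next_hop, r.vni)
            for r in routes if r.next_hop != local_vtep}


def lookup(fib: dict, dst_ip: str):
    """Longest-prefix match giving the VXLAN tunnel (VTEP, VNI) to encapsulate into."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in fib if addr in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None
```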
Slide 12: VPN FLEXIBILITY

- Overlays simplify network topology
- The SP network needs to know less about customer topology
- Increases flexibility of delivery – L2 services over L3, on net, off net, Internet, etc.
- Provisioning simplified

[Figure: VRF-based VPN with many provisioning touch points (BGP, routing policy, RIB scale, failover, redundancy, LAN ports, WAN ports, aggregation network; dynamic provisioning) versus GRT-based overlay with one-time provisioning]
Slide 13: OVERLAYS ENABLE SERVICE CHAINING

- Centralized policy enforcement: firewall between zones/subnets/branch types; extranet applications; to the Internet through central functions
- Content filtering: selective content filtering (schools – teacher/student; public WiFi in retail environments bypasses)
- Network analytics and monitoring: tap and mirror, IDS/IDP, DPI and DLP

[Figure: LAN – CPE – WAN – DC – CPE – LAN paths, with traffic chained through the DC central functions]
Slide 14: INTERWORKING

How do I connect the new to the existing?
1. EVPN with VXLAN termination directly into existing MPLS PE routers: the end-to-end network is BGP and VXLAN aware, allowing PE routers to act as a VXLAN/MPLS interworking function (IWF); streamlined and simplified routing
2. Use the CPE as gateway: break VXLAN services out to Ethernet VLANs at the PE router; faster to deploy but less flexible

[Figure: traditional VPN environment (IP/MPLS, VRF, GRT, Internet) alongside the overlay VPN environment for each option; option 1 shows the IWF]
Slide 15: FINAL VIEW: NETWORKS WITHOUT BORDERS

[Figure: branches, fixed and mobile networks, global workforce and public cloud connected through a Network Policy Engine; "single service network for application" (Internet, Private IP, Business Internet, IP-VPN) versus "service network per customer/application"]
Slide 16: ONE COHESIVE ENVIRONMENT: FROM BRANCH TO WAN TO DATACENTER

- Automated
- Instantaneous policy-driven modifications
- Simplified fulfillment & management
- Freedom of choice
- Open

[Figure: Private Cloud]
nuagenetworks.net/vns @nuagenetworks