ntt i3 at_open_stack summit - may 20 2015

DELIVERING A CARRIER-CLASS NFV USE-CASE

Upload: ntt-innovation-institute-inc

Post on 07-Aug-2015


TRANSCRIPT

Page 1: NTT i3 at_open_stack summit - may 20 2015

DELIVERING A CARRIER-CLASS NFV USE-CASE

Page 2: NTT i3 at_open_stack summit - may 20 2015

INTRODUCTION

Ichiro Fukuda, Chief Architect, Infrastructure, NTT I3
§  NTT Innovation Institute for 5 years working on realizing NTT's Cloud and Software-Defined networking vision
§  NTT Communications over 10 years. He led various development projects including ATM and IP/MPLS technology based network services
§  M.E. and B.E. degree from Waseda University
§  Member of CTO Council of Open Networking Foundation (ONF), and OpenContrail Advisory Board.

Pratik Roychowdhury, Director, Product Management, Contrail (Juniper)
§  Juniper for last 5 years leading product management activities for Juniper’s Network Virtualization Platform and Network Programmability products and taking some of those products from concept to release
§  15 yrs in the hi-tech industry assuming various roles including product development at Citrix, strategy & marketing at early stage start-ups and technology investment banking at UBS
§  B.Tech in EE from Indian Institute of Technology; MBA from Univ of Michigan, Ann Arbor

OpenStack Summit, May 18-22, 2015, Vancouver BC CANADA, ©NTT INNOVATION INSTITUTE, INC.

Page 3: NTT i3 at_open_stack summit - may 20 2015

AGENDA

1  ENTERPRISE WAN : CHALLENGES & TRENDS
2  ESI SOLUTION OVERVIEW
3  DEMO
4  Q&A


Page 4: NTT i3 at_open_stack summit - may 20 2015

CHALLENGES & TRENDS

ENTERPRISE WAN OVERVIEW


Page 5: NTT i3 at_open_stack summit - may 20 2015

ENTERPRISE CUSTOMERS’ CHALLENGES

OVERWHELMING WORKLOAD
§ Too many types of devices to manage
§ Too many sites to manage
§ Lot of customization

SLOW NETWORK PROVISIONING
§ Network provisioning for a new application is slow
§ Provisioning a VPN circuit takes 60-90 days

OPERATIONAL INSECURITY
§ Lack of expertise to properly configure security devices to address their requirements
§ Lack of expertise to find meaningful events from logs

INSUFFICIENT VISIBILITY
§ Limited ability to correlate data during downtimes
§ Hard to identify dependencies between applications and infrastructure elements

COMPLIANCE OVERHEAD
§ Must comply with multi-regional policies
§ Rigid change management is required to enforce and maintain policies


Page 6: NTT i3 at_open_stack summit - may 20 2015

High Expectations for Software-Defined Wide Area Network (SD-WAN)

PROBLEM STATEMENT (ONUG SD-WAN WG )

1.  Significant delays and cost in provisioning cycles of remote sites

2.  Operational and management complexities, resulting in provisioning and remediation inefficiencies

3.  The proliferation of required network and security services has resulted in a 1:1 ratio mapping of multi-vendor appliances not optimal for remote sites

4.  Complexity and inefficiency for managing security and compliance controls

5.  High cost and low control of the wide area network

Source: Open Networking User Group (ONUG) white paper https://opennetworkingusergroup.com/wp-content/uploads/2015/05/ONUG-SD-WAN-WG-Whitepaper_Final1.pdf


Page 7: NTT i3 at_open_stack summit - may 20 2015

CONVERGED

INFRASTRUCTURE

AS A SERVICE

AS A SERVICE PROVIDER, WHAT DO WE DO?

New revenues from a managed enterprise

Network appliance (re)-selling accelerated by NFV and an as-a-service consumption model

Differentiate Service Provider’s Data Centers and Cloud collocated with a SDN/NFV Service enabled POP

‘Share of Customer Wallet’ shifting from Carrier Circuits & Networking Hardware to Managed Value Added Software and Services. We Will Provide An End to End Solution to Capture this Opportunity

IT Outsourcing

Network Integration

DC Hosting Cloud


Page 8: NTT i3 at_open_stack summit - may 20 2015

STRATEGY AND APPROACH

ELASTIC SERVICE INFRASTRUCTURE (ESI)


Page 9: NTT i3 at_open_stack summit - may 20 2015

ESI : ELASTIC SERVICE INFRASTRUCTURE

§  Service Infrastructure for SDN/NFV-Enabled Programmable Enterprise Networking
§  NFVI Distributed over Multiple Locations in Three Altitudes: Cloud, Fog, and Ground
§  Creates an Open Market for VNF Providers to Deliver Leading-Edge NFV Solutions to Customers
§  Currently under Internal Product Evaluation within NTT Group

[Diagram labels: Cloud DC (for Hosting/Cloud services), CLOUD/DC WITH NFVI; Network POP, POP WITH NFVI; Customer Premises, CPE WITH NFVI, Local Network; Cloud, Fog, Ground; NTT’s Global Networks (Internet Backbone / MPLS-VPN); VNF Market Place; VNF Providers; VNF ORCHESTRATOR; VNF instances at each location]


Page 10: NTT i3 at_open_stack summit - may 20 2015

ESI SOLUTION OVERVIEW

Solution Description
Scale-out and on-demand security and connectivity services to business customers with light-weight device at customer premise

Customer Needs
§  Multi-tenant LBaaS, FWaaS, WanOpt-aaS capability
§  Reduced TCO from low-cost CPE devices, (↓ cust support costs)
§  Improved agility in introducing new (& upgrading existing) services
§  Self-service portal for service enablement

1  Flexible Service Chaining
§  Service Catalog / Marketplace with choice of services
§  Service Chaining of Security and Network services
§  Services run in POP or customer premises (ESE)
§  APIs integration with self-service portal

2  Central management, monitoring, troubleshooting
§  ESI Controller manages & monitors the environment centrally
§  OpenStack Heat to create service templates

3  Open, interoperable Carrier-grade SDN Platform
§  OpenContrail - scalable, performant & available SDN platform
§  BGP & other standards-based protocol for interoperability

4  Software Defined WAN
§  Built on top of the Internet, using secure connection for data and control traffic
§  Integrates with existing L3VPN (wherever applicable)

[Diagram labels: Customer Branch, Customer DC, Customer HQ, Customer Premise; ESE devices; ESI POP, ESI POP (NTT DC); ESI Controller; Software Defined WAN (L3VPN); Internet; COTS HW (X86, ARM, ); SDN / NFV Software Stack; VNFs MARKET PLACE; callouts 1 to 4]


Page 11: NTT i3 at_open_stack summit - may 20 2015

ESI SOLUTION DETAILS

1.  Initial Provisioning → Once the CPE device comes up, it calls home, gets info on which DC/POP to connect to, and establishes a secure connection to the POP. The Contrail Controller running in the DC/POP manages/provisions the CPE device, assigns IP, etc.
2.  CPE Device is just another compute node → vRouter in the CPE device, and the DC compute nodes →
    a.  Service Chaining: Enable services to be chained on the CPE as well as the ones in the DC. (Note that for a CPE device which cannot run vRouter in the data plane, the vRouter agent could be running in user space and programming the data plane for forwarding.)
    b.  Analytics: Granular flow statistics information is communicated back to the Controller (analytics node) from the vRouter (both from CPE & the DC compute nodes), then aggregated/streamed to the global analytics backend
3.  Centralized Portal → Policy definition + Monitoring, diagnostics, analytics (aggregates statistics info across all POPs/DCs)
4.  Internet Connectivity → to the customer environment is provided from the DC or directly from the CPE device (through split tunneling)

[Diagram labels: CUSTOMER SITE: ESE Device (compute node), Multiple LAN Interfaces (wired / wireless), On Premise Services, Hypervisor; POP: Services & Service Chaining on a Contrail Cloud Cluster, Analytics, SSL Concentrator, Management & Provisioning; INTERNET: Internet Access / Connectivity, Secure Connection over Internet; Centralized Operator Portal (management/provisioning + monitoring + Billing) + Customer Self Service Portal; callouts 1, 2a, 2b, 3, 4]


Page 12: NTT i3 at_open_stack summit - may 20 2015

© 2014 NTT i³ - Internal Only

ESI PRODUCT DEMO

LIVE DEMO


Page 13: NTT i3 at_open_stack summit - may 20 2015

USE-CASE: BRANCH NETWORKING

Technical / Operational Needs

§  Management of enterprise infrastructure
   o  E2E Automation and Network orchestration
   o  Overcome overload and increased latency of private WAN and DC links
§  Spinning up new services on-demand, rapidly and stitching the services in a chain regardless of location of services
§  Achieving Carrier-grade infrastructure
   o  Network Availability with NFV
   o  Scaling for unpredictable Network Utilization
§  Monitoring, Debugging, Troubleshooting entire environment centrally

Business Needs

§  Enterprise customers need to simplify Branch Networking
   o  Need to quickly deploy new branch sites (slow VPN circuit delivery when opening new sites)
   o  Expensive carrier VPN bandwidth to be used effectively
   o  Netw. device mgmt. with limited IT resources
§  Lowering TCO
   o  Operational cost of managing and operating the network
   o  Very high price-per-bandwidth of enterprise WAN
§  Rapid service delivery and application roll out to accelerate business


Page 14: NTT i3 at_open_stack summit - may 20 2015

DEMO SETUP

[Diagram labels: Demo Laptop; ESE Device (WAN, LAN, Management); Overlay VPN; INTERNET; Web Filter VNF; Admin Portal @Palo Alto]


Page 15: NTT i3 at_open_stack summit - may 20 2015

DEMO MOVIE

The demo movie can be found on the OpenContrail YouTube channel: https://www.youtube.com/user/OpenContrail

ESI DEMO MOVIE

Demo: E2E Automation of Enterprise Branch Roll-out https://www.youtube.com/watch?v=tRYsALKtWfQ


Page 16: NTT i3 at_open_stack summit - may 20 2015


HOW DOES OPENSTACK FIT IN?


Page 17: NTT i3 at_open_stack summit - may 20 2015


ESI HIGH LEVEL ARCHITECTURE

[Architecture diagram labels, in page order: Global Service Orchestrator; Service Distribution Layer (ETCD); Dashboard; Model Importer; API; NFVI; VNF; Local Resource Orchestrator; SDN Controller (CONTRAIL); Orchestration Engine (HEAT); Virtual Network; Service Chain; Cloud Controller (OPENSTACK); VNF Compute; VNF Manager; VPN Controller; Overlay VPN; VNF Image Repo.; Worker (Model Transformer / Resource Scheduler); NFV Infrastructure Layer; SSL Forwarder; vRouter; COTS Hardware (x86 SOC, ARM SOC, NPU, FPGA); KVM / Docker; Software-Defined WAN Fabric (Overlay-VPN / MPLS); ESE: Service Edge (Customer Premises); Service / Network Model; Catalog; Policy; End-customer; Analytic; SSL Concentrator; NFV Resource Pool; Underlay Infrastructure (Server, ToR, Router, Appliance); Micro Service Controllers; Operator; VNF instances]


Page 18: NTT i3 at_open_stack summit - may 20 2015


CONTROLLER ARCHITECTURE Zero Coding Service Definition

New OpenStack-like Service on the fly

Automatically Generate → UI / API / DB / SOUTHBOUND

[Diagram labels: JSON Schema; Schema Mapping; Heat Template; SouthBound API; Policy (JSON based)]


Page 19: NTT i3 at_open_stack summit - may 20 2015


CONTROLLER ARCHITECTURE Model Definition by JSON Schema


Page 20: NTT i3 at_open_stack summit - may 20 2015


CONTROLLER ARCHITECTURE Template Mapping and Heat Template


Page 21: NTT i3 at_open_stack summit - may 20 2015


CONTROLLER ARCHITECTURE Agile Service Development Engine

[Diagram labels, in page order: LOCAL; GLOBAL; ESI API Server (Go based); etcd (pubsub); mysql; Heat worker; Heat; OpenStack; OpenContrail; VNF GW; VNF; Worker; JSON Schema; Schema Mapping; Heat Template; Keystone]


Page 22: NTT i3 at_open_stack summit - may 20 2015


NETWORK ARCHITECTURE Virtual Network and L3-VPN as First Class Citizen → L3-VPN Based WAN Fabric

Scale Horizontally -- Coexistence with other L3 VPN Sites

ESE: Elastic Service Edge (Smart CPE w/ Distributed NFVI)

[Diagram labels: ESI CONTROLLER; ESI-POP (three instances); ESE devices; Hosted Private Cloud; Existing L3VPN Sites; External Cloud Services (SaaS, IaaS); L3VPN; Internet; Pvt. Line; DYNAMIC OVERLAY-VPN (TUNNEL MESH), shown three times]


Page 23: NTT i3 at_open_stack summit - may 20 2015


CPE FEATURE

§  Self-service SSL-VPN On-boarder
§  Dynamic SSL-VPN Configuration
   o  Create tunnel dynamically when NH Update
§  Simple and Robust Service Insertion and Chaining
   o  No Nova-Compute in ESE
   o  Instantiate VM / Docker container via vRouter-agent
§  Granular Log/Metric Collection for Analytics
§  Automatic OS Update
   o  Pull and Update OS if needed
§  Software Portability Across Different Hardware
   o  Network Appliance, ToR Switch, x86 Server

Linux and Open-Source Software Allow us to Develop Managed Service Device that is Tailored to our Business and Operational Processes

[Diagram labels: ESE: Service Edge (Customer Premises); NFV Infrastructure Layer; SSL Forwarder; vRouter; KVM / Docker; COTS Hardware (x86 SOC, ARM SOC, NPU, FPGA); VNF instances]


Page 24: NTT i3 at_open_stack summit - may 20 2015


OPENCONTRAIL - SOFTWARE NETWORKING SYSTEM

§  Config Plane: Bi-directional real-time message bus using XMPP
§  Control Plane: BGP Control Plane (logically centralized, physically distributed Controller elements)
§  Data Plane: Overlay Tunnels (MPLSoGRE, MPLSoUDP, VXLAN)
§  Control / Config Plane: for Bare Metal support - OVSDB or EVPN + Netconf
§  Automation: REST APIs to integrate with different Orchestration Systems
§  Scale-out
§  Multi-vendor VNFs can run on the same platform
§  Interoperates with different Orchestration systems
§  Integrates with
   o  different Linux Hosts,
   o  multiple hypervisors, Containers
   o  multi-vendor X86, ARM servers
§  Multi-vendor SDN Gateway (any router that can talk BGP and the dynamic tunneling protocols)
§  Multi-vendor TOR support to connect Bare Metal Servers, using standard control plane & config plane protocols

[Diagram labels: ORCHESTRATOR (Network Orchestration, Compute / Storage orchestration, Neutron); OPENCONTRAIL CONTROLLER (Config, Control, Analytics); Host O/S with vRouter; Physical IP Fabric (no changes); Gateway; Internet / WAN or Legacy Env.; TOR; (Windows, Linux ….) on BMS]


Page 25: NTT i3 at_open_stack summit - may 20 2015


OPENCONTRAIL BENEFITS

PERFORMANCE: vRouter provides Multi-tenant Routing, Switching, Firewall, and Load Balancing

SCALABILITY: No Shared State or Per Flow Computation

AVAILABILITY: All components (Controller and OpenStack) are highly available

INTEROPERABILITY: with multi-vendor physical infrastructure for investment protection

ANALYTICS: Application and Network state for rich Diagnostics, Monitoring, Reporting

SECURITY: Inherent security from L3VPN, enhanced with further control/data plane sec. features


Page 26: NTT i3 at_open_stack summit - may 20 2015


ESI SOLUTION – CO-CREATION EFFORTS

Driving Requirements

Features

§  ESE Device management / control / data traffic over the Internet on a secure channel
§  P + V Interconnect (Bare Metal TOR integration)
§  Container integration (running on the ESE devices)
§  Centralized portal allowing
   o  Initial provisioning of CPE device including → policy definition once CPE device comes up (creating OpenStack Heat-based templates)
§  Service Chaining capabilities between services running at the Customer site (i.e. on CPE) with services in the POP
§  Centralized security policy creation with distributed policy enforcement
§  vRouter running on the ESE device (ESE device just another compute node) – analytics from the ESE device
§  Carrier-grade platform …

Collaboration

§  Co-creation / Agile development of solution between OpenContrail and NTT
§  Partner relation more than a customer relation
§  Architectural support on using Contrail and OpenStack components within ESI Solution


Page 27: NTT i3 at_open_stack summit - may 20 2015


PRESS RELEASE OF THE SOLUTION

Press Release: http://www.ntti3.com/blog//ntt-i3-introduces-elastic-service-infrastructure-to-enable-the-cloud-ready-enterprise

ESI, an infrastructure for NFV-enabled enterprise networking, leverages Juniper Networks’ Contrail™ Cloud Platform, an OpenStack-based cloud orchestration platform

“NTT Communications is committed to launching new services which create strong ROI for our customers. NTT i3's R&D approach demonstrates that NTT Group is an industry-leading innovator for IT services.”

- Takashi Ooi, Director, Member of the Board, Senior Vice President, NTT Communications


Page 28: NTT i3 at_open_stack summit - may 20 2015

THANK YOU!