BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US 2015 San Diego

Agile OpenStack Networking with Cisco Solutions

Rohit Agarwalla, Technical Leader

BRKDCT-2445

[email protected], @rohitagarwalla

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction to OpenStack
• Cisco and OpenStack
• OpenStack Networking – Neutron
• Neutron Network Architectures
• Cisco Integrations into Neutron
• Demo
• Advanced Neutron considerations
• Summary/Q&A


Introduction to OpenStack

OpenStack Overview

Open source Cloud Computing Platform for Private and Public Clouds

Design tenets – scale & elasticity, share nothing & distribute everything

OpenStack Projects

• Compute (Nova)
• Network (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Bare Metal (Ironic)
• Containers (Magnum)
• File System (Manila)
• Dashboard (Horizon)
• Image (Glance)
• Identity (Keystone)
• Telemetry (Ceilometer)
• DNS (Designate)
• Key Management (Barbican)
• Messaging (Zaqar)
• Database (Trove)
• Orchestration (Heat)
• Data Processing (Sahara)
• Deployment (TripleO)
• Application Catalog (Murano)
• Policy (Congress)
• …

OpenStack Progress

Release timeline:
• Austin – Oct 2010
• Bexar – Feb 2011
• Cactus – April 2011
• Diablo – Sept 2011
• Essex – April 2012
• Folsom – Sept 2012
• Grizzly – April 2013
• Havana – Oct 2013
• Icehouse – April 2014
• Juno – Oct 2014
• Kilo – May 2015
• Liberty – Oct 2015

Figures shown along the timeline (2010 to 2014), in slide order:
• 130 contributors, 30 new features
• 1400 contributors, 342 new features, 3,219 bugs fixed, 133 companies
• Started with Compute and Storage service; now Infrastructure, Orchestration, Data services and more
• 11th OpenStack release (Kilo): 1492 contributors, 394 new features, 7,257 bugs fixed, 169 companies
• Community: 24,000 people, 495 companies

Cisco and OpenStack

Cisco and OpenStack

Community Participation, Engineering, Partners/Customers, Cloud Services:

• Cisco Validated Designs, UCSO
• Work closely and jointly with customers to design and build OpenStack environments
• OpenStack based Global Intercloud hosted across Cisco and partner data centers
• Cisco OpenStack Private Cloud (formerly MetaCloud)
• Neutron/Cinder/Ironic plugins/drivers for Cisco infrastructure – Nexus, APIC, CSR1K, ASR1K, UCS
• Cisco applications on OpenStack
• Code contributions across several services – Network, Compute, Dashboard, Storage, Containers
• Incubating new OpenStack related projects – GBP, PlaceWise, AVOS, VMTP

OpenStack Kilo release contributions led by Cisco

Projects: Gnocchi, Kolla, Magnum, Neutron, Horizon, Devstack, Metering, Barbican, Heat

Contributions:
• Transport Layer Security
• Validate certificate order
• API request for PKCS10
• Multiple IPv6 prefixes
• IPv6 router support
• VLAN trunking
• MTU selection and advertisement support
• UCSM driver
• CSR1Kv VPN driver
• Archive policy per metric level
• New resources for Neutron PCI Passthrough and Nova Flavor
• Heat template improvements
• Neutron IPv6 and L3 plugin support
• Kafka publisher
• Alarm severity
• Network services notification plugin
• PCI Passthrough port configuration
• Ceph panel
• Containers – Ceilometer, Mongo, Neutron
• Container sets – database-control, messaging-control, service-control, compute-control, compute-operation-nova
• Kubernetes plugin
• Python API for k8s CLI

OpenStack Networking - Neutron

OpenStack Network Architecture

Diagram: Tenant A VMs on Compute Node(s) running compute and network agents; Controller Node(s) running the database, message queue server, API services, scheduler and so on; Network Node(s) running the network service agents and the Router; all joined by the Management, Data, API and External Networks, with the External Network reaching the Internet.

Network, purpose and reachability:

Management Network
  Purpose: Used for internal communication between OpenStack components
  Reachability: Reachable only within the data center

External Network
  Purpose: Used to provide VMs with Internet access
  Reachability: Reachable by anyone from the Internet

API Network
  Purpose: Exposes all OpenStack APIs, including the OpenStack Networking API, to tenants
  Reachability: Reachable to tenants

Data Network
  Purpose: Used for VM data communication within the cloud deployment
  Reachability: Reachable within the tenant address space

Neutron Overview

Diagram: logical model – a Tenant A Router connecting Subnet Red and Subnet Blue, each with VMs; physical implementation – VMs on Compute Nodes attached to vswitches over the Data Network, the Router realised as a Namespace on the Network Node(s) with a vswitch towards the External Network and the Internet, and Controller Node(s) on the Management and API Networks.

OpenStack Neutron Architecture

• Core + Extension REST APIs
• Message Queue for communicating with Neutron Agents
• Core and Service Plugins
• Different vendor core plugins
• Different network technology support
• ML2 plugin with Type and Mechanism Drivers
• Service plugins with backend drivers

Diagram – Neutron Server:
• REST API
  • Core API: Network, Port, Subnet
  • Resource and Attribute Extension API: ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, …
• Neutron Core plugins
  • ML2: Type Drivers (VLAN, GRE, VXLAN); Mechanism Drivers (Cisco Nexus, OVS, OpenDaylight, APIC, more vendor drivers)
  • Other vendor plugins
• Neutron Service plugins with their backends
  • Load Balancer – HAProxy
  • Firewall – IPTables
  • VPN – StrongSwan
  • L3 Services – Namespace

Diagram – agents, reached over the Message Queue:
• DHCP Agent – dnsmasq
• L3 Agent – IPTables on Network Node
• L2 Agent – vSwitch

Neutron Architectures

Layer 2 network tenant topologies

Diagram: three variants, each showing VM1–VM4 on two Compute Nodes with vswitches, the Data Network and a Fabric Leaf / Top of Rack switch:
• Host and Network based VLAN (VLAN segmentation)
• Host based overlays (overlay segmentation)
• Network based overlays (overlay segmentation)

Layer 2 network tenant topologies – Design Considerations

• Number of Tenant Network Segments
• VLAN based tenant networks
  • Host
  • Host and Network
• VXLAN based tenant networks
  • Host
  • VXLAN offload - Network
  • Multicast vs. Controller

Layer 3 tenant network topologies

Diagram: three placements of the L3 function for VM1 and VM2 on Compute Nodes with vswitches, the Data Network and the Fabric / Top of Rack:
• Linux Host – router in a Namespace on the Network Node(s)
• Service VMs – routing in Service VMs on the Compute Nodes
• Fabric or Service Node – routing in the Fabric or a Service Node

Layer 3 network tenant topologies – Design Considerations

• Number of Tenant Routers
• External connectivity for tenant networks
• Floating IPs
• L3 traffic pattern: E-W and N-S routing

Cisco integrations into Neutron

Neutron Layer 2 Default Implementation

• Implements Neutron Core Resources
• Open vSwitch and Linux Bridge Mechanism Drivers
• Agents on Network and Compute Nodes
• Host based VLAN or Overlay (VXLAN, GRE) Type Drivers

Diagram: Network REST API requests → Neutron Server → Neutron Core plugin (ML2) → Open vSwitch / Linux Bridge Mechanism Drivers → RPC message to the agent on the Network and Compute Nodes → vswitch attaching the VMs.

Neutron Reference – East-West L2 (Switched) Traffic

Diagram: VM1–VM6 on three Nova Hosts with vswitches on the Data Network; Controller Host(s); Neutron Host(s) with the Router and DHCP ports; API, External and Management Networks; Internet. Packet path animation for a packet traveling from VM1 to VM3.

Neutron Cisco Nexus Driver

Diagram: Nova → Compute Nodes (VMs on a Compute Node); create/update port request sent to Neutron; Neutron Server → Neutron Core plugin (ML2) → Cisco Nexus Driver → ncclient (netconf) → Nexus ToR.

Features
• Works with multiple Nexus platforms
• VLAN configuration
• VXLAN configuration
  • Nexus_VXLAN Type Driver
  • Multicast
  • VLAN to VNI association

Benefits
• No need to trunk all tenant VLANs on the compute node interfaces of the ToR
• Dynamic provisioning/deprovisioning on the ToR
• Network based overlays

Sample Nexus Mechanism Driver configuration for VXLAN

    [ml2_type_vlan]
    network_vlan_ranges = physnet1:10:500

    [ml2_type_nexus_vxlan]
    vni_ranges=50000:55000
    mcast_ranges=225.1.1.1:225.1.1.2

    [ml2_mech_cisco_nexus:192.168.1.1]
    ComputeHostA=1/10
    username=admin
    password=secretPassword
    ssh_port=22
    physnet=physnet1
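The fragment above is the ml2_conf.ini form the Nexus mechanism driver reads. As an added example, not code from the deck or from the networking-cisco project, here is a checker that parses such a fragment, validates the VLAN, VNI and multicast ranges and the per-switch host-to-interface mappings, and flags the plaintext switch password the sample carries. Section and key names come from the slide; the limits (VLAN 1–4094, 24-bit VNI, IPv4 multicast, slot/port interface form) are assumptions taken from the protocols, not from the driver.

```python
import configparser
import ipaddress
import re

# Constructed sample input mirroring the fragment on the slide.
SAMPLE_INI = """\
[ml2_type_vlan]
network_vlan_ranges = physnet1:10:500

[ml2_type_nexus_vxlan]
vni_ranges = 50000:55000
mcast_ranges = 225.1.1.1:225.1.1.2

[ml2_mech_cisco_nexus:192.168.1.1]
ComputeHostA = 1/10
username = admin
password = secretPassword
ssh_port = 22
physnet = physnet1
"""

NEXUS_PREFIX = "ml2_mech_cisco_nexus:"
# Per-switch keys shown on the slide; any other key is a host-to-interface mapping.
SWITCH_KEYS = {"username", "password", "ssh_port", "physnet"}


def _int_range(text, lo_limit, hi_limit):
    """Parse 'lo:hi'; return (lo, hi), or None if malformed, inverted or out of bounds."""
    m = re.fullmatch(r"(\d+):(\d+)", text.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo_limit <= lo <= hi <= hi_limit else None


def check_config(ini_text):
    """Return (summary, findings) for an ML2 Nexus/VXLAN ini fragment."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep 'ComputeHostA' as written instead of lowercasing it
    cp.read_string(ini_text)
    findings = []
    summary = {"vlan": {}, "vni": None, "mcast": None, "switches": {}}

    # [ml2_type_vlan] network_vlan_ranges = physnet:min:max[,physnet:min:max]
    for entry in cp.get("ml2_type_vlan", "network_vlan_ranges", fallback="").split(","):
        parts = entry.strip().split(":")
        rng = _int_range(":".join(parts[1:]), 1, 4094) if len(parts) == 3 else None
        if rng is None:
            findings.append(f"bad VLAN range entry {entry.strip()!r}")
        else:
            summary["vlan"][parts[0]] = rng

    # [ml2_type_nexus_vxlan]: 24-bit VNIs and an ordered IPv4 multicast range
    vx = cp["ml2_type_nexus_vxlan"] if cp.has_section("ml2_type_nexus_vxlan") else {}
    summary["vni"] = _int_range(vx.get("vni_ranges", ""), 1, 2**24 - 1)
    if summary["vni"] is None:
        findings.append("vni_ranges missing or outside 1..16777215")
    try:
        lo, hi = (ipaddress.IPv4Address(a) for a in vx.get("mcast_ranges", "").split(":"))
        if lo.is_multicast and hi.is_multicast and lo <= hi:
            summary["mcast"] = (str(lo), str(hi))
    except ValueError:
        pass
    if summary["mcast"] is None:
        findings.append("mcast_ranges is not an ordered IPv4 multicast range")

    # One [ml2_mech_cisco_nexus:<switch ip>] section per ToR
    for section in cp.sections():
        if not section.startswith(NEXUS_PREFIX):
            continue
        ip = section[len(NEXUS_PREFIX):]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{section}: switch address is not an IP")
            continue
        opts = cp[section]
        physnet = opts.get("physnet")
        if physnet not in summary["vlan"]:
            findings.append(f"{ip}: physnet {physnet!r} has no VLAN range")
        if opts.get("password"):
            findings.append(f"{ip}: plaintext switch password in ini file")
        hosts = {}
        for host, port in opts.items():
            if host in SWITCH_KEYS:
                continue
            if re.fullmatch(r"\d+/\d+", port):
                hosts[host] = port
            else:
                findings.append(f"{ip}: {host}={port!r} is not a slot/port interface")
        summary["switches"][ip] = {"physnet": physnet, "hosts": hosts}
    return summary, findings
```

Run `check_config(SAMPLE_INI)`: the ranges and the ComputeHostA mapping come back in the summary, and the only finding is the plaintext password on the switch section.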

Demo Topology – Neutron ML2 Nexus Driver

Diagram: logical model – Tenant A with Private1 Subnet and Private2 Subnet holding VM 1, VM 2, VM 3 and VM 4; physical implementation – nodes ra-node11, ra-node13 and ra-node14 (two Compute Nodes and a Controller + Network Node with DHCP namespaces), vswitches on the Data Network, the Management Network, and a Nexus 9K reached on ports 1/6, 1/3 and 1/4.

Neutron Cisco Nexus1000v Driver (KVM)

Diagram: Nova → Compute Nodes (VMs on the Compute Node attached to the N1Kv VEM); Neutron Server → Neutron Core plugin (ML2) → Cisco N1Kv Driver → REST API → N1Kv VSM. Mapping: Network Profile ↔ Network Segment Pool; Policy Profile ↔ Port Profile.

Features:
• Associate Network Profiles to Neutron Networks
• Associate Policy Profiles to Neutron Ports
• Supports VLAN and VXLAN (unicast and multicast) network segmentation
• Horizon integration

Benefits
• Logical grouping of network segments
• Security, Monitoring, Quality of Service (QoS)
• Enhanced visibility and manageability of virtual machine traffic

Neutron API extensions for N1Kv

Network Profile (admin):

    neutron cisco-network-profile-create PROFILE_NAME vlan --segment_range 400-499
    neutron net-create NETWORK_NAME --n1kv:profile PROFILE_ID

Policy Profile (defined in VSM, periodic polling):

    neutron cisco-policy-profile-list
    neutron port-create NETWORK_NAME --n1kv:profile PROFILE_NAME

Neutron Cisco UCSM Driver (KVM)

Diagram: Nova → Compute Nodes (VMs on the Compute Node); create/update port → Neutron Server → Neutron Core plugin (ML2) → Cisco UCSM driver → UCSM SDK → UCS Fabric Interconnect.

Features:
• Nova and Neutron enhancements to support SR-IOV
• Supports VLAN configuration of SR-IOV ports (using port profiles) and vNIC ports (using Service Profiles)
• Enables configuration of VLAN profiles and automatic association with network ports

Benefits
• SR-IOV and non SR-IOV based UCS Fabric Interconnect configurations

Neutron DHCP Implementation

• Namespace and dnsmasq for every network
• dnsmasq reloads with every port add/delete

Diagram: Network REST API requests → Neutron Server → Neutron DHCP Service → RPC message to the DHCP agent on the Network Node → dnsmasq, serving the VMs on the Compute Node.

Neutron Reference – DHCP Traffic

Diagram: the same reference topology (VM1–VM6 on three Nova Hosts with vswitches, Controller Host(s), Neutron Host(s) with the Router and DHCP ports, API/External/Management/Data Networks, Internet). DHCP request/response animation for a packet traveling from VM1 to the DHCP port.

Neutron DHCP Implementation with Cisco Prime Network Registrar (CPNR)

• DHCP configuration includes CPNR API end point configuration
• Mapping -
  • Network to Virtual Private Network (VPN)
  • Subnet to Scope
• Requests and responses handled using UDP ports
• Benefits
  • Relay is stateless and can be run in Active-Active
  • Highly Available CPNR Server for all tenants

Diagram: Network REST API requests → Neutron Server → Neutron DHCP Service → RPC message to the DHCP agent on the Network Node → DHCP Relay; REST API from Neutron to CPNR; DHCP traffic from the Compute Node through the relay to CPNR.

Neutron Routing Implementation

Diagram: Routing REST API requests → Neutron Server → Neutron Service plugin (L3) → Agent Scheduler → L3 agent on a Network Node; L3 traffic from the VMs on the Compute Nodes goes through the Network Node.

• Default Gateway, Namespace and IPTables: a namespace maps to a Neutron logical router; IPTables handle address translations
• Agent Scheduler picks an L3 agent on a Network Node
• L3 traffic goes through the Network node
• Neutron router HA capabilities using VRRP

Neutron Reference – East-West L3 (Routed) Traffic

Diagram: the same reference topology; routing is done in the Virtual Router on the Neutron Host(s). Packet path animation for a packet traveling from VM1 to VM4.

Neutron Reference – North-South L3 Traffic (NAT)

Diagram: the same reference topology; NAT is done in the Virtual Router on the Neutron Host(s). Packet path animation for a packet traveling from VM1 to the Internet.

Issues in Neutron Reference L3 and ASR1K Solutions

• NAT for External Connectivity:
  • Issue - Scale limitation in Linux iptables software NAT.
  • Solution - ASR1K can scale up to 4 million dynamic NAT entries and 16K static NAT entries.
• Tenant Routing:
  • Issue - Scale limitations in Linux namespace based software tenant networking.
  • Solution - ASR1K uses Virtual Routing and Forwarding (VRF) instances for tenant routers. ASR1K can scale up to 4k VRFs (8k in upcoming release).
• Tenant Networks:
  • Issue - Scale limitations in Linux software based interfaces.
  • Solution - ASR1K plugin maps tenant networks to sub-interfaces on ASR1K. ASR1K supports up to 64k sub-interfaces.
• Data Throughput:
  • Issue - Performance limitations with software packet forwarding and NAT on generic compute hardware.
  • Solution - ASR1K can perform packet forwarding and NAT at rates up to 230 Gbps.

Neutron Cisco ASR1000 for Neutron L3 Service

• Mapping of Neutron reference L3 implementation -
  • Linux namespaces - ASR1K VRF
  • Internal Router ports – ASR1K VLAN or Port Channel sub-interfaces
  • External Gateway ports – ASR1K VLAN or Port Channel sub-interfaces
  • Linux IPTables – ASR1K NAT
• Benefits
  • Routing using physical infrastructure
  • Support for HSRP and Port Channel

Diagram: Neutron Server → Neutron Service plugin (L3) → Routing Device Driver (ASR1K) → Config Agent (Cisco Config Agent) → netconf → ASR1K, alongside the Nexus.

OpenStack Neutron + Nexus + ASR : Physical Topology Example

Diagram:
• Layer-3 Network Core
• ASR 1000 Routers
• Nexus Layer-2 Fabric carrying Tenant VLANs and External Traffic
• Nova Compute Nodes
• OpenStack Controller: Neutron Server with Cisco Config Agent
• Management Network (NETCONF provisioning)

ML2 Nexus and ASR1K - East-West L3 (Routed) Traffic

Diagram: VM1–VM6 on three Nova Hosts with vswitches; Nexus TORs driven by the ML2 Nexus Driver on the Data Network (L3 routed); ASR1K driven by the L3 Plugin, hosting the Virtual Router as a VRF with default GW and NAT (to global routing); Controller Node(s), Neutron Host(s), Router, API/External/Management Networks, Internet. Packet animation included: VM1 to VM4.

ML2 Nexus and ASR1K - North-South L3 Traffic (NAT)

Diagram: the same topology as the East-West case; the ASR1K VRF provides the default GW and NAT to global routing. Packet animation included: VM1 to the Internet.

Neutron Cisco CSR1000v for Neutron L3 Service

• Mapping of Neutron reference L3 implementation -
  • Linux namespaces - CSR1Kv VRF
  • Router ports (qr) on bridge – CSR1Kv VLAN sub-interfaces
  • Gateway ports (qg) on bridge - CSR1Kv VLAN sub-interfaces
  • Linux IPTables – CSR1Kv NAT
• Benefits
  • Virtual form factor
  • Integrates with N1Kv and OVS
  • Device that can offer more services

Diagram: Neutron Server → Neutron Service plugin (L3) with Device Manager and Scheduler → Cisco CSR1Kv Device Driver → Config Agent (Cisco Config Agent) → REST API/netconf → CSR1Kv VM; Nova → Compute Nodes (VMs on the Compute Node together with the CSR1Kv VM).

Demo Topology – Neutron L2 Nexus Driver and L3 CSR1Kv Driver

Diagram: logical model – Tenant A with Private Subnet and Private1 Subnet holding VM 1, VM 2, VM 3 and VM 4, joined by a Router; physical implementation – nodes ra-node11, ra-node13 and ra-node14 (two Compute Nodes and a Controller + Network Node with DHCP namespaces), vswitches on the Data Network, the Management Network, a Nexus 9K reached on ports 1/6, 1/3 and 1/4, and the Router realised as a CSR1Kv VM.

Neutron Cisco Application Policy Infrastructure Controller (APIC) Driver

Diagram: Neutron Server with the Neutron Core plugin (ML2) → Cisco L2 APIC Driver, and the Neutron L3 Plugin → Cisco L3 APIC Driver; both talk over the REST API (Network: EPG, Router: Contract) to the APIC, which programs the ACI Spine/Leaf Switches connecting the VMs on Compute Nodes.

• Provides distributed L2, L3 functionality
• Neutron API: Network, Router, Subnet, Security Group
• L2 / L3 enforced in fabric, security groups enforced on hypervisor

Group-Based Policy Model

• Policy Group: Set of endpoints with the same properties. Often a tier of an application.
• Policy RuleSet: Set of Classifier / Actions describing how Policy Groups communicate.
• Policy Classifier: Traffic filter including protocol, port and direction.
• Policy Action: Behavior to take as a result of a match. Supported actions include “allow” and “redirect”.
• Service Chains: Set of ordered network services between Groups.
• L2 Policy: Specifies the boundaries of a switching domain. Broadcast is an optional parameter.
• L3 Policy: An isolated address space containing L2 Policies / Subnets.

Diagram: two Policy Groups, each with Policy Targets, one providing and the other consuming a Policy Rule Set made of Policy Rules (Classifier + Action) and a Service Chain (Node, Node); each Policy Group sits in an L2 Policy, and both L2 Policies sit within one L3 Policy.

Group Based Policy and Neutron

Diagram: Group Based Policy (GBP) → GBP Neutron Driver → Neutron Plugins/Drivers (Network, Router) → vswitch on the Compute Nodes; GBP → APIC GBP Driver → REST API (Policy Group, Ruleset) → APIC → ACI Spine/Leaf Switches, which provide distributed L2, L3 functionality.

Create Classifier / Rule:

    gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
    gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow

Create Policy RuleSet:

    gbp ruleset-create web-ruleset --policy-rules web-policy-rule

Create Group:

    gbp group-create web

Group Association:

    gbp group-update web --provided-rulesets web-ruleset

Launch Web Server VM using Endpoint in EPG:

    gbp member-create --group web web-1
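The gbp commands above build one contract: an "in" classifier on tcp/80, an allow rule, a rule set the web group provides, and a member. As an added example, not code from the deck or from the group-based-policy project, the Python below models those objects from the Group-Based Policy Model slide and evaluates whether a flow between two members is permitted. The client and db groups, and the whitelist rule (a flow passes only when a rule set the destination provides and the source consumes holds a matching allow rule, with in/out judged from the provider's side), are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Classifier:
    """gbp policy-classifier-create NAME --protocol P --port-range R --direction D"""
    name: str
    protocol: str        # "tcp", "udp", "icmp"; None matches any protocol
    port_range: tuple    # (low, high); None matches any port
    direction: str       # "in" (toward the provider), "out" (toward the consumer), "bi"

    def matches(self, proto, dport, flow_direction):
        if self.protocol and self.protocol != proto:
            return False
        if self.port_range and not (self.port_range[0] <= dport <= self.port_range[1]):
            return False
        return self.direction in ("bi", flow_direction)


@dataclass
class Rule:
    """gbp policy-rule-create NAME --classifier C --actions A"""
    name: str
    classifier: Classifier
    actions: tuple


@dataclass
class Group:
    """gbp group-create NAME; rule sets attached with gbp group-update"""
    name: str
    provided: set = field(default_factory=set)   # rule-set names this group provides
    consumed: set = field(default_factory=set)   # rule-set names this group consumes
    members: set = field(default_factory=set)    # gbp member-create --group NAME MEMBER


def parse_port_range(text):
    """'80' -> (80, 80); '8000:8080' -> (8000, 8080)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


class Policy:
    def __init__(self):
        self.classifiers, self.rules, self.rulesets, self.groups = {}, {}, {}, {}

    def classifier_create(self, name, protocol=None, port_range=None, direction="bi"):
        rng = parse_port_range(port_range) if port_range else None
        self.classifiers[name] = Classifier(name, protocol, rng, direction)

    def rule_create(self, name, classifier, actions=("allow",)):
        self.rules[name] = Rule(name, self.classifiers[classifier], tuple(actions))

    def ruleset_create(self, name, policy_rules):
        self.rulesets[name] = [self.rules[r] for r in policy_rules]

    def group_create(self, name):
        self.groups[name] = Group(name)

    def group_update(self, name, provided_rulesets=(), consumed_rulesets=()):
        self.groups[name].provided.update(provided_rulesets)
        self.groups[name].consumed.update(consumed_rulesets)

    def member_create(self, group, member):
        self.groups[group].members.add(member)

    def group_of(self, member):
        return next(g for g in self.groups.values() if member in g.members)

    def is_allowed(self, src_member, dst_member, proto, dport):
        """Whitelist model: deny unless a shared rule set holds a matching allow rule."""
        src, dst = self.group_of(src_member), self.group_of(dst_member)
        if src is dst:
            return True  # assumption: members of one group talk to each other freely
        # A rule set is a contract: the provider sees the flow as "in", the consumer as "out"
        candidates = [(rs, "in") for rs in dst.provided & src.consumed]
        candidates += [(rs, "out") for rs in src.provided & dst.consumed]
        for rs_name, flow_direction in candidates:
            for rule in self.rulesets[rs_name]:
                if "allow" in rule.actions and rule.classifier.matches(proto, dport, flow_direction):
                    return True
        return False


def build_slide_policy():
    """Replays the slide's gbp commands, plus a constructed client tier and db tier."""
    p = Policy()
    p.classifier_create("web-traffic", protocol="tcp", port_range="80", direction="in")
    p.rule_create("web-policy-rule", classifier="web-traffic", actions=("allow",))
    p.ruleset_create("web-ruleset", policy_rules=["web-policy-rule"])
    p.group_create("web")
    p.group_update("web", provided_rulesets=["web-ruleset"])
    p.member_create("web", "web-1")
    p.group_create("client")                       # constructed: consumes the web contract
    p.group_update("client", consumed_rulesets=["web-ruleset"])
    p.member_create("client", "client-1")
    p.group_create("db")                           # constructed: no contract with web
    p.member_create("db", "db-1")
    return p
```

With `build_slide_policy()`, client-1 reaches web-1 on tcp/80 only; tcp/443, udp/80, the reverse direction and the db tier are all denied because no providing/consuming rule set matches.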

Summary of OpenStack integration with Cisco Networking Solutions Presented

Columns: Purpose | Using | Cisco Product | Juno Code Availability | Kilo Code Availability | Status

• Network Layer 2 | Virtual Switch | Nexus 1000v | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
• Network Layer 2 | SR-IOV, non-SR-IOV | UCS Fabric Interconnect | Cisco OpenStack Neutron Juno Plus Tech Preview | StackForge Networking-Cisco Kilo | Preview
• Network Layer 2 | Physical Switch | Nexus | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
• DHCP | IPAM | Prime Network Registrar | - | Not upstream yet | Preview
• Network Layer 3 | Virtual Router | Cloud Services Router 1000v | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
• Network Layer 3 | Physical Router | ASR 1000 | - | Not upstream yet | Preview
• Network Services | Virtual Firewall and VPN | Cloud Services Router 1000v | Firewall - Cisco OpenStack Juno Tech Preview; VPN - Cisco OpenStack Juno Plus Tech Preview | Firewall - OpenStack Neutron Firewall Kilo; VPN - OpenStack Neutron VPN Kilo | Preview
• Network Layer 2, Layer 3, Services | Controller | Application Policy Infrastructure Controller | APIC L2 - OpenStack Neutron Juno; APIC L3 - OpenStack Neutron Juno | APIC L2 - StackForge Networking-Cisco Kilo; APIC L3 - StackForge Networking-Cisco Kilo | Released
• Declarative Policy Model | Group Based Policy Framework | Group Based Policy | StackForge Juno | Not upstream yet | Released

Advanced Neutron considerations

Neutron IPv6 for tenant data network

• IPv6 addressing using two attributes -
  • ipv6_ra_mode – Determines who sends RA
  • ipv6_address_mode – Determines how instances obtain IPv6 address, default gateway, and/or optional information.
• Support for different IPv6 addressing schemes
  • SLAAC
  • DHCPv6-stateless
  • DHCPv6-stateful
• Dual Stack Support
• IPv6 Routing

Neutron Addressing Schemes (N/S = not set)

SLAAC (RA address configuration flags: Auto 1, Managed 0, Other 0)
  ipv6_ra_mode | ipv6_address_mode | Result
  SLAAC | N/S | Address using Neutron router
  N/S | SLAAC | Address using external router
  SLAAC | SLAAC | Address using Neutron router

DHCPv6-stateless (RA address configuration flags: Auto 1, Managed 0, Other 1)
  ipv6_ra_mode | ipv6_address_mode | Result
  DHCPv6-stateless | N/S | Address using Neutron router and optional information using external service
  N/S | DHCPv6-stateless | Address using external router and optional information using Neutron DHCP implementation
  DHCPv6-stateless | DHCPv6-stateless | Address and optional information using Neutron router and DHCP implementation respectively

DHCPv6-stateful (RA address configuration flags: Auto 0, Managed 1, Other 1)
  ipv6_ra_mode | ipv6_address_mode | Result
  DHCPv6-stateful | N/S | Address and optional information using external service
  N/S | DHCPv6-stateful | Address and optional information using Neutron DHCP implementation
  DHCPv6-stateful | DHCPv6-stateful | Address and optional information using Neutron DHCP implementation

Neutron IPv6 routing

Diagram 1 (Tenant Router, Tenant Network, Tenant VM):
• Tenant Network: IPv4 and multiple IPv6 subnets associated
• External Network: IPv4 and IPv6 subnets associated
• Dual stack external router port with IPv4 and IPv6 addresses
• IPv4 internal router port and separate IPv6 internal router port with multiple IPv6 addresses

Diagram 2 (Tenant Router, Tenant Network, Tenant VM, External Router):
• Tenant Network: IPv6 subnet with GUA prefix
• External Network: No IPv6 subnet association required
• External Router gateway port configured with an IPv6 LLA
• LLA advertised to Neutron tenant router
• Tenant router has next hop information to external router

Network Function Virtualization

Diagram: Admin provisioned Service – Tenant A VMs (VM1 at 10.1.0.4, VM2 at 10.1.0.5, VM1 at 10.1.1.4) on Compute Nodes attached to vswitches over the Data Network, with the service in a Namespace on the Network Node(s) holding the gateways 10.1.0.1 and 10.1.1.1; Tenant provisioned Service – the same VMs on Compute Nodes (10.1.0.4, 10.1.0.5) with the service running in a tenant ServiceVM (10.1.1.4) instead of the namespace.

Neutron and NFV

• Issue
  • Anti-spoofing rules to ensure traffic originates and terminates as expected
  • Doesn’t work for NFV VNF use cases
• Solution
  • Added Port Security Extension
  • Adds new “Port Security enabled” attribute to Network and Port Resources
  • Only tenant owner can set this attribute on the resources
  • Security Group and Allowed Address Pair are not allowed to be set

• Issue
  • VXLAN for tenant isolation and VLAN for app traffic isolation within the tenant
  • No means to identify VLAN transparent networks
• Solution
  • Added Network Resource Extension
  • Adds new “Vlan Transparent” attribute to Network Resource
  • Only tenant owner can set this attribute on the resources
  • No firewalling on VLAN tagged packets

Summary

Page 53: BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US 2015 San Diego

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKDCT-2445 68

Summary

• OpenStack is rapidly becoming the de-facto standard for data center orchestration
• Cisco's broad-based OpenStack strategy spans products, partners and services
• Cisco is a leading contributor to Neutron and other projects in the OpenStack community
• A wide range of Cisco solutions is available for integration with OpenStack Networking
• Still lots to do…
• More information: www.cisco.com/go/openstack and https://developer.cisco.com/openstack/


Reading Material

• Cisco Nexus Driver for OpenStack Neutron - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/openstack-at-cisco/data_sheet_c78-727737.html

• Cisco Virtual Networking Solution for OpenStack - http://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000v-kvm/datasheet-c78-730833.pdf

• Cisco Application Policy Infrastructure Controller Driver for OpenStack - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/openstack-at-cisco/datasheet-c78-732353.pdf

• Group-Based Policy for OpenStack - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.pdf


Configuration Guides

• OpenStack/UCS Mechanism Driver for ML2 Plugin - http://docwiki.cisco.com/wiki/OpenStack/UCS_Mechanism_Driver_for_ML2_Plugin_-_Juno_Plus

• OpenStack/ML2NexusMechanismDriver - http://docwiki.cisco.com/wiki/OpenStack/ML2NexusMechanismDriver

• Juno Plus Install and Setup of Cloud Services Router(CSR) for OpenStack VPN- http://docwiki.cisco.com/wiki/Juno_Plus_Install_and_Setup_of_Cloud_Services_Router(CSR)_for_OpenStack_VPN

• Cisco Nexus 1000V for KVM OpenStack REST API Configuration Guide - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/config_guide/os_rest_api/5x/b_Cisco_N1KV_KVM_OpenStack_REST_API_Config_5x.html

• Cisco Nexus 1000V for KVM Installation Guide on RedHat - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/install_guide/521SK321_RH/b_Cisco_N1KV_KVM_Install_Guide_521SK321.html

• Cisco Nexus 1000V for KVM Installation Guide on Ubuntu - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/install_guide/521SK122/b_Cisco_N1KV-KVM_Install_Guide_521SK122.html

• Installing the Cisco APIC OpenStack Driver on RedHat, Ubuntu - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/api/openstack/b_Cisco_APIC_OpenStack_Driver_Install_Guide.html

• Installing Group Based Policy on RedHat - https://www.rdoproject.org/Neutron_GBP

• Installing Group Based Policy on Ubuntu - https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallUbuntu

• Installing and Running GBP with Cisco APIC - https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallCiscoACI


Partner OpenStack Distributions on Cisco Infrastructure

Collateral (release date):

• Deploying RedHat Enterprise Linux OpenStack Platform 3.0 on Flexpod with Cisco UCS, Cisco Nexus and NetApp Storage (Nov 2013)
• Suse Cloud Integration with Cisco UCS and Cisco Nexus Platforms (March 2014)
• Accelerate Cloud Initiatives with Cisco UCS and Ubuntu OpenStack (May 2014)
• Ubuntu OpenStack Architecture on Cisco UCS Platform (June 2014)
• RedHat Enterprise Linux OpenStack Platform 4.0 on Cisco UCS and Cisco Nexus (July 2014)
• Hadoop as a Service (HaaS) with Cisco UCS Common Platform Architecture (CPA v2) for Big Data and OpenStack (August 2014)
• RedHat OpenStack Architecture on Cisco UCS Platform (Sept 2014)
• InterCloud Data Center ACI 1.0 Implementation Guide (Feb 2015)


Participate in the "My Favorite Speaker" Contest

Promote Your Favorite Speaker and You Could be a Winner

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include:
  • Your favorite speaker's Twitter handle @rohitagarwalla
  • Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your "favorite" speakers
• Don't forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin


Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you
