TFI2014 Session I - State of SDN - Scott Sneddon
Copyright 2013 Alcatel-Lucent. All rights reserved. @ssneddon
Scott Sneddon, Principal Solutions Architect, APAC Business Development Lead, Nuage Networks
A Policy Driven Approach to Software Defined Networking
SDN in 2014
OpenFlow Controllers
Network Virtualization
White Box Switching
Open Source Projects
Network as a Service
Plenty of Innovation and Disruption…
Why SDN?
Reduce Cost
Asset Utilization
Self Service
Automation
Make the network more “Cloud” like
We’re making great progress
The “Consumption shift”
Cloud is changing the way technology is being consumed
From “order and wait”
To “instant gratification”
Consumer expectations are shifting
Multiple personas
Single user
On-demand personalized catalogue
Compute is Virtualized
Available in Minutes
Network is Partially Virtualized
Configuration takes Days/Weeks
[Diagram: a new tenant/application request goes to compute management, where the compute request is auto-instantiated and completed in minutes; the network configuration request goes through the help desk, change control, IP address and VLAN address assignment, firewall configuration, LAN (VLAN) configuration, WAN (IP) configuration, the security/QA team and a project coordinator, and the network change is completed in days/weeks.]
Datacenter Network
Service velocity is hindered by manual network process
Network is “more” virtualized
Some things available in minutes – Some not so much
Many network elements are manually configured
Manual per-tenant network configurations
[Diagram: the same tenant/application request; the compute request is auto-instantiated and completed in minutes, and with an SDN controller some of the network change is completed in minutes.]
Software Defined Datacenter Network
Service velocity accelerated, but…
Committees still build “networks”
Audits/reviews
In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant
Is this what your DevOps team should be doing?
[Diagram: with software defined network configuration, the DevOps team still handles VLAN address, IP address, WAN (IP) configuration, firewall configuration and network configuration, created in days/weeks.]
Current Neutron networking provides building blocks to create logical topologies: Networks, Ports, Subnets, Routers, Security Groups
neutron net-create web
neutron subnet-create web 10.0.0.0/24
neutron router-create router1
neutron router-add-interface router1 web
…
Not abstracted into a consumable model
[Diagram: OpenStack Neutron networks web, app and db, each attached to several VMs.]
Puts the burden of topology design on the DevOps team
DevOps has an understanding of the specific application needs: segmentation, port numbers, connectivity goals
Should not be burdened with the implementation details: routes, subnets, VLANs
The DevOps team needs an Abstracted view
A DevOps View
[Diagram: web, app and db tiers, each with three VMs.]
Network Administrators need to…
Define connectivity models: paths, QoS, access control
Deploy service elements: firewall, load balancer, IPS
Audit compliance
Audit usage
A Network Admin View
[Diagram: firewall, IPS and parental control service elements between the tenant and the Internet, with a policy selector choosing among service chains 1 to 4.]
Policy approach to networking
Policy Templates
Users
Application Types
Business Rules
Policy Evaluation
[Diagram: policy evaluation instantiates the same firewall and service-element pattern for each application network.]
Design once, re-use multiple times
Application Networks
What is a network Policy?
OpenStack Group Based Policy Abstractions for Neutron: https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• An application-centric approach to networking
• Moving away from traditional network constructs: ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to express desired connectivity of application components and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation
Policy Abstractions for Neutron
[Diagram: Outside EPG on the public network, and Web EPG, App EPG and DB EPG on private networks, each containing VMs, connected by a Web Contract and App Contracts.]
• Endpoint (EP) – an IP addressable entity
• Endpoint Group (EPG) – a grouping of Endpoints
• Policy Rule – individual rule that defines communication criteria
• Contract – a collection of Policy Rules that are applied to traffic between EPGs
In application development…
We first define the application through source code
We then compile the application into machine instructions
Then we bind that application to a platform at run time: assigning compute registers and memory locations
In a Policy driven network…
We first define the application’s connectivity requirements and business rules: application policy
We then map this application to a network service: predefined network templates, network contracts
Then we implement these network services when the application is deployed: automated, dynamic
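As an added example (not from the slides, and not Nuage or Neutron GBP code), a small Python model of the EP/EPG/Policy Rule/Contract abstractions and of the define, map and bind steps above: EPGs hold endpoints, contracts carry rules from a consumer EPG to a provider EPG, `is_allowed` evaluates a flow against the policy with default deny, and `bind` expands the abstract contracts into the per-endpoint rules a security-group backend would need. All addresses, ports and EPG names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed model of the GBP abstractions (EP, EPG, Policy Rule, Contract), not Neutron's
# GBP code: a flow passes only if a contract from the source (consumer) EPG to the
# destination (provider) EPG carries a matching allow rule; everything else is denied.
@dataclass(frozen=True)
class PolicyRule:           # classifier (L4 protocol, destination port) plus action
    protocol: str
    port: int
    action: str = "allow"
@dataclass
class Contract:             # rules applied to traffic from the consumer EPG to the provider EPG
    provider: str
    consumer: str
    rules: tuple

@dataclass
class Policy:
    epgs: dict = field(default_factory=dict)     # EPG name -> set of endpoint IPs
    contracts: list = field(default_factory=list)
    def add_endpoint(self, epg, ip):
        ip_address(ip)                           # an EP is an IP-addressable entity
        self.epgs.setdefault(epg, set()).add(ip)
    def epg_of(self, ip):
        return next((n for n, m in self.epgs.items() if ip in m), None)
    def is_allowed(self, src_ip, dst_ip, protocol, port):
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        for c in self.contracts:
            if (c.consumer, c.provider) == (src, dst):
                for r in c.rules:
                    if (r.protocol, r.port) == (protocol, port):
                        return r.action == "allow"
        return False                             # default deny, unknown EPs included
    def bind(self):
        # Service binding: expand contracts into concrete per-endpoint ingress tuples
        # (dst_ip, protocol, port, src_ip) that a security-group backend could apply.
        return [(d, r.protocol, r.port, s) for c in self.contracts
                for d in sorted(self.epgs.get(c.provider, ()))
                for s in sorted(self.epgs.get(c.consumer, ()))
                for r in c.rules if r.action == "allow"]

def three_tier_policy():
    p = Policy()             # the Outside/Web/App/DB layout, with constructed addresses
    for epg, ip in [("outside", "198.51.100.7"), ("web", "10.0.1.10"),
                    ("web", "10.0.1.11"), ("app", "10.0.2.10"), ("db", "10.0.3.10")]:
        p.add_endpoint(epg, ip)
    p.contracts += [Contract("web", "outside", (PolicyRule("tcp", 443),)),
                    Contract("app", "web", (PolicyRule("tcp", 8080),)),
                    Contract("db", "app", (PolicyRule("tcp", 5432),))]
    return p
```

Note that direction matters: the app tier may reach the db tier, but nothing in the policy lets web reach db directly or app open connections back to web, which is the segmentation the DevOps view expresses without naming a single subnet or VLAN.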
To Achieve a Policy Driven Network
[Diagram: an application request carries application attributes; the SDN framework performs service mapping to topology attributes and service binding to technology attributes, producing the web, app and db tiers of VMs.]
Policy Driven Networking Delivered
Nuage has provided policy abstractions for virtual and physical networks since our first release
L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics
Difficult to express using existing Neutron constructs…
Which is why we’re contributing to Group Based Policy: cleanly express application policy in Neutron
Network Policy templates and role-based workflow
Service velocity is not hindered by manual network process
[Diagram: a tenant/application request goes to compute management (compute request auto-instantiated, completed in minutes) and to the Network Policy Engine (Nuage Networks VSP), which applies templates owned by the networking and security/compliance roles: IP address, WAN interconnect, policy/security zones, L2/L3 service AD, service chaining. Policy instantiation sets the IP address 10.x.y.z, VLAN configuration, WAN configuration, security/FW settings, QoS parameters, …, and the network change is completed automatically.]
Conclusions
• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints cannot be done with traditional methodology
• Policy abstraction is a proven framework
• Nuage Networks has been shipping Policy Driven SDN since May 2013
For more information…
• Nuage Networks Virtualized Services Platform
• http://www.nuagenetworks.net
• OpenStack Neutron Group Based Policy Abstraction
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
8/29/2014
Network Policy NOW
@nuagenetworks
@ssneddon