Brocade Software Networking · 2018. 11. 19. · Brocade SDN Apps Brocade Flow Brocade Flow Brocade...
-
Brocade Software Networking
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION
-
Agenda
• Industry Trends
• Quick SDN / NFV Overview
• Introduction of Brocade SDN / NFV Portfolio
• Brocade Flow Optimizer REN Use Cases
-
An Industry in Transition
[Figure: timeline of IT platforms with axis labels 1975, 1995 and 2015. 1st Platform (1975): Mainframes, PCs, SNA Arch, Private Lines. 2nd Platform: Client-Server, LAN/WAN, Internet & IP Networks. 3rd Platform: Cloud, Mobile, Social, Data Analytics ("Digital business"). Callouts: 7B mobile devices, 2B Internet users, 1B websites. An "IT Relevance Gap" is drawn between Expectations and Delivery.]
-
What the 3rd Platform Looks Like
[Figure: the 3rd Platform (Cloud, Mobile, Social, Data Analytics; "Digital business") with 7B mobile devices, 2B Internet users and 1B websites, and the "IT Relevance Gap" between Expectations and Delivery. New IP building blocks shown: Storage, Overlay, Underlay, Edge, SDN, NFV, Orch, Fabrics, Compute, Networking.]
From → To
• Closed → Open
• Proprietary HW → Commodity HW
• Proprietary OS → Open Source OS
• Proprietary Apps → Interoperable Apps
• Reactive → Proactive
• Isolated elements → Integrated system
• Manual → Automated
• High cost → Low cost
• Slow innovation → Rapid innovation
-
New IP—Transformation of the Network
A Customer Driven Disruption
The New Vision
• Open with a purpose
• Innovation at software speeds
• Ecosystem-compatible solutions
• Your pace, your path
How You See It Today
• Open source, interoperable protocols
• Agility, Training, Partnering, Services
• Legacy + NG Features, Open Interfaces
• Solutions with interoperable components
-
Software Defined Networking (SDN)
A Programmable Network—Design, Build, Manage
[Diagram: Applications and Orchestration Frameworks reach the Control Plane (Basic Network Services: Topology Mgr, Switch Mgr, Host Tracker, Stats Mgr) through REST APIs; the Control Plane programs the Data Plane through network protocols like OpenFlow.]
Key Features
• Network algorithms decoupled from hardware
Advantages
• Network automation can integrate with other disciplines
• Less lock-in; users can choose features to suit their needs
• Networking control can innovate at software speeds
-
Network Functions Virtualization (NFV)
[Diagram labels: Hardware, Software; Router, VPN, Firewall]
Main Features
• Complex networking functions in software on commodity servers
• Simpler networking functions in commodity networking devices
Advantages
• Remove hardware lock-in
• Simplify resource planning
• Enable fast service innovation
• Soft upgrades Meet SLAs
• Reduce CAPEX/OPEX
-
Brocade Software Networking
Agile, Open, Economics
[Diagram labels: Branch, Cloud, Data Center; IPsec; Brocade vRouter (two instances); Web Client; Brocade SDN Controller; Brocade vADC; Web Server 1, Web Server 2, Web Server 3; Virtualized Core for Mobile]
-
Brocade SDN Apps
Brocade Flow Brocade Flow Brocade Visibility
It delivers:
• Backbone Circuit Provisioning
• Provides Network sensor services without disruption
• Manages Brocade Packet
Use Cases:
• Software Defined Backbone
• A) Threat Mitigation B) Large Flow Monitoring Optimization
• A) Traffic aggregation, and load-balancing to B) Advance/Expert Interface 3rd-party integration
Target:
• Production Backbone: Enterprise, REN, Colo DC
• Production Network: Campus, DC Core/Border, ISP Peering Router, REN HPC
• Visibility Network: Large Enterprise, REN, DC
-
Brocade OpenFlow-capable Hardware Families
The MLXe Router and ICX Campus product lines
• ICX 7450 Switch
• ICX 7250 Switch
• ICX 6610 Switch
• ICX 6450 Switch
• ICX 7750 Switch
• MLXe Series Routers
-
L2 / L3 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above a Brocade MLXe Router that connects WAN/Internet, the Firewall and the HPC/DTN Network; step markers 1 to 6.]
• 1: Incoming flow from upstream network
• 2: Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• 6: "White-listed" flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L3 MLXe:
• VRF (1 & 6) and OF, or
• PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
-
Priority Data Superhighway
Campus Slowpath-Bypass Use Case
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above a Brocade ICX or MLXe; step markers 1 to 6.]
• 1: Incoming flow from High Performance Workstation/server
• 2: Routed using normal routed/switched path
• Brocade Flow Optimizer recognizes this as a trusted flow and that it is either a "large flow" or "priority application". Programs Brocade ICX/MLXe using the controller to re-direct the traffic to priority path for this flow
• 6: "White-listed" flow now placed on priority path and data transfer is faster and more efficient
Brocade ICX or MLXe
• L2 or L3 redirect action
• Need to ensure flow in both directions is redirected via policy
-
Summary of Additional REN Use Cases
[Diagram labels: Brocade SDN Controller (OpenDaylight), Brocade Flow Optimizer, REST API, Brocade MLXe, Internet]
• L7 / Botnet Attack Mitigation
• L2-L4 Volumetric Attack Mitigation
• BGP Remote Triggered Black Hole (RTBH) Mitigation
• DC Flow Management for Policy-based Security
-
Thank you
-
Backup
-
L7 and Botnet Attack Mitigation
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer, with a REST API link, above three Brocade MLXe routers facing the Internet; step markers 1 to 6.]
Diagram captions:
• Incoming Attack Flow
• Brocade Flow Optimizer initiates mirror action.
• IDS detects L7 attack (Example: SYN Flood). API to BFO to discard flow.
• MLXe mirrors flows to IDS.
• OF "mirror+normal" action.
• OF discard action.
Notes:
• Adds ability for advanced DDoS detection, up to L7
• Based upon the IDS (Palo Alto, Arbor etc.) detection capability
• API from IDS to BFO initiates additional discard actions
-
L2-L4 Volumetric Attack Mitigation
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above three Brocade MLXe routers facing the Internet; step markers 1 to 5.]
Diagram captions:
• Incoming Attack Flow
• Brocade Flow Optimizer recognizes this as a L2-L4 Volumetric Attack.
• Local Mitigation: Discard Flow (Redirect Optional)
Notes:
• Recommended when incoming aggregate attack traffic is 50% or less
• L2 – L4 local mitigation, based on sFlow sampling and DDoS policy
• OF discard action (Automated, Manual)
• 1/10GbE, 40GbE and 100GbE support
-
BGP Remote Triggered Black-Hole (RTBH) Mitigation
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above a Brocade MLXe (Triggering Device) and two further Brocade MLXe routers facing the Internet; step markers 1 to 8.]
Diagram captions:
• Incoming Attack Flow
• Brocade Flow Optimizer recognizes this as a L2-L4 Volumetric Attack.
• Flow Optimizer initiates CLI static route to MLXe.
• MLXe advertises BGP Route (ex: /32, /28, /24, /23)
• Upstream BGP router: A) Discards flow to null0, or B) Re-directs traffic to cleaning site
• Mitigation: Discard Flow
Notes:
• L2 – L4 local mitigation does not protect upstream link
• If upstream link is congested above 50% by DDoS, add ability for RTBH to relieve the congestion
• RTBH is a well-known Internet operation
• Automated RTBH reduces mitigation time from 15 minutes or hours ->
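The choice the two mitigation slides describe (sFlow-sampled detection, local OF discard at 50% of the link or less, RTBH above that), as an added Python example that is not Brocade's code. The sample tuple layout, the per-destination policy threshold and every function name are assumptions, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def estimate_bps(samples, window_s):
    """Scale 1-in-N sampled frames up to estimated bits/s per destination."""
    bits = defaultdict(int)
    for _src, dst, frame_bytes, sampling_rate in samples:
        bits[dst] += frame_bytes * 8 * sampling_rate
    return {dst: b / window_s for dst, b in bits.items()}

def choose_mitigation(samples, window_s, link_bps, policy_bps, protected):
    """Pick local discard or RTBH per attacked destination (50% rule)."""
    rates = estimate_bps(samples, window_s)
    # Hypothetical DDoS policy: a protected destination receiving at least
    # policy_bps is treated as under volumetric attack.
    attacked = {d: r for d, r in rates.items() if r >= policy_bps
                and any(ip_address(d) in net for net in protected)}
    aggregate = sum(attacked.values())
    # Slides: local discard at 50% or less of the link, RTBH above that,
    # because dropping at the local edge does not relieve the upstream link.
    action = "local-discard" if aggregate <= 0.5 * link_bps else "rtbh"
    # ip_network() on a bare address yields the host route (/32 or /128).
    return [(str(ip_network(d)), action, r) for d, r in sorted(attacked.items())]

def make_samples(n_attack):
    """Constructed samples: (src, dst, frame_bytes, sampling_rate)."""
    attack = [(f"198.51.100.{i % 250 + 1}", "192.0.2.10", 1250, 1000)
              for i in range(n_attack)]
    normal = [("203.0.113.5", "192.0.2.20", 1250, 1000)] * 2
    return attack + normal

PROTECTED = [ip_network("192.0.2.0/24")]
LINK_BPS, POLICY_BPS = 1_000_000_000, 100_000_000

if __name__ == "__main__":
    for n in (30, 70):  # 300 Mbit/s and 700 Mbit/s toward 192.0.2.10
        print(choose_mitigation(make_samples(n), 1.0, LINK_BPS, POLICY_BPS, PROTECTED))
```

Each 1250-byte sample at a 1-in-1000 rate stands for 10 Mbit, so 30 samples in one second fall under half of the 1 Gbit/s link and 70 samples exceed it.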
-
L2 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above a Brocade MLXe Router that connects WAN/Internet, the Firewall and the HPC/DTN Network; step markers 1 to 6.]
• 1: Incoming flow from upstream network
• 2: Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• 6: "White-listed" flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L2 MLXe
• BFO 1.2 can ignore, push, pop or modify VLAN ID
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
-
L3 Firewall Bypass
Science-DMZ Use Case
• HPC: High Performance Computing
• DTN: Data Transfer Nodes
[Diagram: Brocade SDN Controller (OpenDaylight) and Brocade Flow Optimizer above a Brocade MLXe Router that connects WAN/Internet, the Firewall and the HPC/DTN Network; step markers 1 to 6.]
• 1: Incoming flow from upstream network
• 2: Sent to Firewall for processing
• Brocade Flow Optimizer recognizes this as a trusted flow and programs Brocade MLXe using the controller to bypass the firewall for this flow
• 6: "White-listed" flow now bypasses Firewall and data transfer is faster and more efficient
Brocade MLXe Router
• L3 MLXe:
• VRF (1 & 6) and OF, or
• PBR (2) for one arm FW traffic and OF (1 & 6)
• BFO 1.2 can ensure flow in both directions is redirected via two action policies (stateful FW)
-
Enterprise DC Flow Management for Policy-Based Security
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
[Diagram labels: Enterprise Datacenter 1, One-armed Firewall, Trusted Traffic Flow, WAN, Inline Firewall, Enterprise Datacenter 2, Default Traffic Flow, Brocade SDN Controller, Brocade Flow Optimizer, Internet]