Hardware Acceleration in an SDN/NFV World: MRV … · pfSense Firewall OpenStack Compute 4 Quagga...
Confidential – not for distribution
Hardware Acceleration in an SDN/NFV World:
MRV POC with Charter Communications
AusNOG 2016 Lightning Talk
John Jones ([email protected])
Sept 2, 2016

Overview
§ MRV NFV POC with Charter in Denver, Colorado.
§ We took an MRV Carrier Ethernet switch, which has a silicon-based packet processor for 1 and 10 Gbps wire-speed Carrier Ethernet services, and we added an x86 board where we ran managed router, managed security, and managed SIP services.
§ The advantage to performing NFV at the CPE is that these virtualised network functions can be hardware accelerated using the packet processor on the CPE itself.

MRV’s Metro-Optimized SDN/NFV Vision
OptiPacket® SDN Intelligent aggregation CO gateway
Multi-tenant VNF hosting
OptiSwitch® Access vCPE with hardware acceleration
OptiSwitch® Lite programmable CPE
OptiDriver® SDN Programmable Optical Transport
Pro-Vision® applications and customer portal
Pro-Vision® multi-layer orchestration with open interfaces to OSS, SDN controllers and NFV orchestrators
OptiSwitch® Cloud vCPE

Edge NFV – vCPE at the Customer’s Premises
§ Access-optimized server coupled with packet processor hardware assist.
§ Latest Intel server processors - less power, more processing power
  - Performance options: Low (ATOM) / Medium (I7) / High (XEON + DPDK, SR-IOV)
  - Extendable RAM, SSD
§ Latest packet processing hardware assist, 100M-10G platform capable of bringing up to 44G full wire speed to the NFV environment
§ Based on OPNFV latest release – Brahmaputra
  – Linux (Ubuntu 14.10 LTS cloud server)
  – KVM, OVS for improved virtual networking
  – OpenStack Liberty Release
§ Service Chaining Support
§ Intelligent offload of VNF forwarding to the hardware
§ Option for 4G/LTE wireless backup
Differentiating elements:
• Hardware acceleration for VM L2-L4 forwarding
• Fine-grained QoS
• Hardware-based flow classifier for efficient service chaining
• Zero-touch, remote deployment and service provisioning
OS-V Series

OS-V6 Compute Node Environment
Ubuntu + vRouter - Quagga VNF
pfSense Firewall VNF
Ubuntu + vRouter Quagga VNF (Internet + IPSec)
FreePBX + Asterisk SIP VNF
Ubuntu + KVM
OVS

Charter vCPE Use Case
§ Managed WAN (router)
  – Multiple hub and spoke sites via L3VPN services provided at Charter PE
  – Multiple WAN connections; combination of Charter and third-party connections
  – BGP
  – OSPF/IS-IS
  – Dual-homed internet services
  – An eye toward SD-WAN concepts/capabilities, e.g., via SD-WAN VNF suite (future)
§ Managed security
  – Unified threat management capabilities
    • Antivirus
    • Content filtering
    • Anti-spam
  – Off-footprint IPSec tunnels, e.g., over the Internet
§ Managed voice services
  – SIP trunk support, e.g., to Charter voice services
  – Other requirements TBD
§ Managed Carrier Ethernet MEF services (optional)
  – Value add over the above layer 3 and security functions, e.g., via HW acceleration to MRV OptiSwitch
    • MEF CE 2.0 Services – EPL, E-LINE, E-LAN, E-Access

Demo setup
OpenStack Controller
OSv6 CPE
BGP/VLAN to Internet
BGP/VLAN to Internet
pfSense Firewall
OpenStack Compute 4
Quagga (Internet)
Quagga (L3VPN)
IXIA Tester
FreePBX + Asterisk SIP
BGP/VLAN to L3VPN
Lab network
Patch Panel Switch
CO/POP1 Emulation
Fuel Jump Box
CO/POP2 Emulation

Setup
vCPE, POP1, POP2, Fuel, Ixia
SIP Phone 1
SIP Phone 2
POP Patch Panel Switch

OpenStack VIM
OpenStack is used as the Virtual Infrastructure Manager (VIM) of the setup. Using the OpenStack Horizon dashboard:
§ Define locations for each customer and PoP site
§ Images – which images are installed and can be instantiated as VMs
§ Running instances – which VM instance runs on which compute node in which location. Show that on the OS-V6 we have 4 VMs running: two instances of Quagga, pfSense FW and FreePBX
§ Network topology – what the virtual topology looks like

Demo – Virtual Firewall Functionality
Connection to the management console of the pfSense firewall VM:
§ Show the rules
§ Show the IPSec tunnel
§ Disable/Enable the IPSec tunnel
§ Enable/Disable the rules

Demo – Virtual PBX Functionality
Demonstrate FreePBX functionality by dialing the IP phones connected to the setup

Demo – Layer 2 Protection
BGP/VLAN to Internet
STP
BGP/VLAN to Internet
Demonstrate L2 protection. When one of the physical uplinks is disconnected, the L2 protection switch is performed by STP on the OS-V6 and traffic is moved to the remaining uplink.

Demo Step 5 – L3 Protection
BGP 1.1.1.1
BGP 1.1.1.2
BGP 1.1.1.3
eth1
eth2
L3 protection utilizing BGP failover. When one of the VM’s BGP sessions is disconnected, the L3 rerouting is performed by OS-V6 VM Linux and traffic is moved to the remaining BGP session.

Demo – Multiple vRouters for SD-WAN
BGP 1.1.1.1
BGP 1.1.1.2
BGP 1.1.1.3
eth1
eth2
Demonstration of the ability to run two independent vRouter instances, each of which builds a different route. One Quagga instance serves as an L3-VPN endpoint and creates a route via PoP1, whereas the second Quagga instance serves as an Internet connectivity endpoint and creates a different route via PoP2. Since the Internet connectivity must be secured, the Internet Quagga is chained to the vFirewall that encapsulates the traffic in an IPSec tunnel.
IP-VPN
Internet over IPSec
BGP 1.1.1.4