Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
Uploaded by scott-sneddon
Copyright 2013 Alcatel-Lucent. All rights reserved. @ssneddon
Scott Sneddon, Principal Solutions Architect, APAC Business Development Lead, Nuage Networks
A Policy Driven Approach to Software Defined Networking
SDN in 2014
§ OpenFlow Controllers
§ Network Virtualization
§ White Box Switching
§ Open Source Projects
§ Network as a Service
Plenty of Innovation and Disruption…
Why SDN?
§ Reduce Cost
§ Asset Utilization
§ Self Service
§ Automation
§ Make the network more “Cloud” like
We’re making great progress
The “Consumption shift”
§ Cloud is changing the way technology is being consumed
§ From “order and wait”
§ To “instant gratification”
Consumer expectations are shifting
Multiple personas
Single user
On-demand personalized catalogue
§ Compute is Virtualized
§ Available in Minutes
§ Network is Partially Virtualized
§ Configuration takes Days/Weeks
Diagram: a New Tenant / Application Request goes to Compute Management (auto-instantiation; compute request completed in minutes) and to Network Configuration (help desk, change control, IP address, VLAN address, firewall configuration, LAN (VLAN) configuration, WAN (IP) configuration, security / QA team, project coordinator; network change completed in days/weeks). Datacenter Network.
Service velocity is hindered by manual network process
§ Network is “more” virtualized
§ Some things available in minutes – Some not so much
§ Many network elements are manually configured
§ Manual per-tenant network configurations
Diagram: the same New Tenant / Application Request goes to Compute Management (auto-instantiation; compute request completed in minutes) and to Network Configuration through an SDN Controller (some network change completed in minutes). Software Defined Datacenter Network.
Service velocity accelerated, but…
§ Committees still build “networks”
§ Audits/reviews
§ In a NaaS environment (OpenStack Neutron, AWS, etc) this is delegated to the tenant
§ Is this what your DevOps team should be doing?
Software Defined Network Configuration
We’ve only addressed part of the automation problem
Diagram: the SDN controller now handles Network Configuration, but the DevOps team is still left with VLAN address, IP address, WAN (IP) configuration and firewall configuration; network configuration created in days/weeks.
§ Current Neutron Networking provides building blocks to create logical topologies
§ Networks, Ports, Subnets, Routers, Security Groups
neutron net-create web
neutron subnet-create --name web web 10.0.0.0/24
neutron router-create router1
neutron router-interface-add router1 web
…
§ Not abstracted into a consumable model
OpenStack Neutron Networks
Diagram: three Neutron networks, web, app and db, each with VMs attached.
Puts the burden of topology design on the DevOps team
§ DevOps has an understanding of the specific application needs
§ Segmentation, Port numbers, Connectivity goals
§ Should not be burdened with the implementation details
§ Routes, Subnets, VLANs
The DevOps team needs an Abstracted view
A DevOps View
Diagram: three groups of VMs (labelled web, app and web on the slide) with no network detail between them.
Network Administrators need to…
§ Define connectivity models
§ Paths
§ QoS
§ Access Control
§ Deploy service elements
§ Firewall
§ Load Balancer
§ IPS
§ Audit compliance
§ Audit usage
A Network Admin View
Diagram: service elements (Firewall, IPS, Parental Ctl) sit between the tenant and the Internet; a Policy Selector steers traffic into chain 1, chain 2, chain 3 or chain 4.
Policy approach to networking
Diagram: Policy Templates, Users, Application Types and Business Rules feed a Policy Evaluation step, which instantiates a per-application firewall chain (elements labelled Firewall, W and BL in the graphic).
Design once, re-use multiple times
Application Networks
Application = Web
Application = SAP
Application = Database
Policy Based Network Virtualization
Group applications into “network sandboxes”
What is a network Policy?
OpenStack Group Based Policy Abstractions for Neutron: https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• An Application-centric approach to networking
• Moving away from traditional network constructs
• ports, subnets, routers, etc
• Aiming for a highly abstracted interface for application developers to
• express desired connectivity of application components
• and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation
Policy Abstractions for Neutron
Diagram: an Outside EPG on the Public Network, and Web EPG, App EPG and DB EPG (each holding VMs) on Private Networks; a Web Contract between Outside EPG and Web EPG, an App Contract between Web EPG and App EPG, and another App Contract between App EPG and DB EPG.
• Endpoint (EP) – an IP addressable entity
• Endpoint Group (EPG) – a grouping of Endpoints
• Policy Rule – individual rule that defines communication criteria
• Contract – a collection of Policy Rules that are applied to traffic between EPGs
In application development…
§ We first define the application through source code
§ We then compile the application into machine instructions
§ Then we bind that application to a platform at run time
§ Assigning compute registers and memory locations
In a Policy driven network…
§ We first define the application’s connectivity requirements and business rules
§ Application Policy
§ We then map this application to a network service
§ Predefined network templates, network contracts
§ Then we implement these network services when the application is deployed
§ Automated, Dynamic
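The following is an added example, not code from the slides, Nuage Networks, or the Neutron Group Based Policy project. It models the four GBP abstractions just defined (Endpoint, Endpoint Group, Policy Rule, Contract) for the three-tier Web / App / DB application on the slide, evaluates whether a given flow is permitted by any contract (default deny), and then "compiles" the group-level contracts into per-endpoint filter rules, which is the define / map / implement sequence described above. All endpoint names, IP addresses, port numbers, the client endpoint in the Outside EPG and the "DB Contract" name are constructed for the example.

```python
"""Toy model of OpenStack Group Based Policy (GBP) abstractions.

Hypothetical example: not Neutron's or Nuage's code. Endpoints, addresses,
ports and contract names below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """An IP-addressable entity (a VM vNIC, a bare-metal port, ...)."""
    name: str
    ip: str

    def __post_init__(self):
        ip_address(self.ip)  # reject malformed addresses at definition time


@dataclass
class EndpointGroup:
    """A named grouping of Endpoints; policy attaches to the group, never to an IP."""
    name: str
    endpoints: List[Endpoint] = field(default_factory=list)


@dataclass(frozen=True)
class PolicyRule:
    """One communication criterion: protocol plus destination port (None = any port)."""
    protocol: str
    port: Optional[int] = None

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol == protocol and (self.port is None or self.port == port)


@dataclass
class Contract:
    """A collection of Policy Rules applied to traffic from consumer EPG to provider EPG."""
    name: str
    consumer: EndpointGroup
    provider: EndpointGroup
    rules: List[PolicyRule]


class PolicyEngine:
    """Evaluates contracts; anything not explicitly permitted is denied."""

    def __init__(self, contracts: List[Contract]):
        self.contracts = contracts
        # Index endpoint IP -> EPG name so a flow is classified by group, not by address.
        self._epg_of: Dict[str, str] = {}
        for c in contracts:
            for epg in (c.consumer, c.provider):
                for ep in epg.endpoints:
                    self._epg_of[ep.ip] = epg.name

    def is_allowed(self, src_ip: str, dst_ip: str, protocol: str, port: int) -> bool:
        """Permit only if some contract runs from the source EPG to the destination EPG
        and one of its rules matches. Contracts are directional."""
        src_epg = self._epg_of.get(src_ip)
        dst_epg = self._epg_of.get(dst_ip)
        if src_epg is None or dst_epg is None:
            return False  # endpoints outside every EPG get no connectivity
        return any(
            c.consumer.name == src_epg and c.provider.name == dst_epg
            and any(r.matches(protocol, port) for r in c.rules)
            for c in self.contracts
        )

    def compile_rules(self) -> List[Tuple[str, str, str, Optional[int]]]:
        """The 'implement' step: expand group-level contracts into per-endpoint
        (src_ip, dst_ip, protocol, port) permits, the form a vSwitch or firewall enforces."""
        out = []
        for c in self.contracts:
            for s in c.consumer.endpoints:
                for d in c.provider.endpoints:
                    for r in c.rules:
                        out.append((s.ip, d.ip, r.protocol, r.port))
        return out


def build_three_tier_demo() -> PolicyEngine:
    """Constructed sample: Outside -> Web (tcp/443), Web -> App (tcp/8080), App -> DB (tcp/5432)."""
    outside = EndpointGroup("Outside EPG", [Endpoint("client", "198.51.100.10")])
    web = EndpointGroup("Web EPG", [Endpoint("web1", "10.0.0.11"), Endpoint("web2", "10.0.0.12")])
    app = EndpointGroup("App EPG", [Endpoint("app1", "10.0.1.11")])
    db = EndpointGroup("DB EPG", [Endpoint("db1", "10.0.2.11")])
    return PolicyEngine([
        Contract("Web Contract", outside, web, [PolicyRule("tcp", 443)]),
        Contract("App Contract", web, app, [PolicyRule("tcp", 8080)]),
        Contract("DB Contract", app, db, [PolicyRule("tcp", 5432)]),  # name is our own
    ])


if __name__ == "__main__":
    engine = build_three_tier_demo()
    print(engine.is_allowed("198.51.100.10", "10.0.0.11", "tcp", 443))   # True
    print(engine.is_allowed("198.51.100.10", "10.0.2.11", "tcp", 5432))  # False: no Outside -> DB contract
    for rule in engine.compile_rules():
        print(rule)
```

The point a reviewer should take from the compile step is that the DevOps-facing model stays at the EPG and contract level, while adding a VM to an EPG regenerates the concrete rules without anyone editing IP-level entries; the auditable artifact is the contract list, not the expanded rule set.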
To Achieve a Policy Driven Network
Diagram: APPLICATION ATTRIBUTES (web, app and db groups of VMs) and TOPOLOGY ATTRIBUTES enter the SDN FRAMEWORK, where an Application Request goes through Service Mapping and Service Binding onto TECHNOLOGY ATTRIBUTES (web, app, db).
Policy Driven Networking Delivered
§ Nuage has provided policy abstractions for virtual and physical networks since our first release
§ L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics
§ Difficult to express using existing Neutron constructs…
§ Which is why we’re contributing to Group Based Policy
Cleanly express application policy in Neutron
Nuage Networks Virtualized Services Platform (VSP)
Diagram: Cloud Service Management Plane (Virtualized Services Directory) above the Datacenter Control Plane (Virtualized Services Controller) above the Datacenter Data Plane (Virtual Routing & Switching on each HYPERVISOR; Brooklyn Datacenter - Zone 1). R2.1 GA in April 2014.
Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics
Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set
Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets
Nuage Networks Virtual Services Platform
Diagram: VRS instances on the hypervisors connect across the IP Fabric (DATACENTER NETWORK), peering over MP-BGP with an Edge Router and with a Hardware GW for Bare Metal.
Open solution
Consistent capabilities across:
Any Compute Virtualization Environment
Any Datacenter Networking Hardware
Any Server or Hypervisor
Nuage Networks policy templates and role-based workflow
Diagram: a Tenant / Application Request goes to Compute Management (auto-instantiation; compute request completed in minutes) and to Networking and Security/Compliance, whose templates (IP address, WAN interconnect, Policy / Security Zones, L2 /L3 Service AD, service chaining) feed the Nuage Networks VSP. Policy Instantiation then sets the IP address 10.x.y.z, VLAN configuration, WAN configuration, security / FW settings, QoS parameters, …; network change completed automatically.
Service velocity is not hindered by manual network process
Conclusions
• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints can not be done with traditional methodology
• Policy abstraction is a proven framework
• Successfully shipping since May 2013
For more information…
• Nuage Networks Virtualized Services Platform
• http://www.nuagenetworks.net
• OpenStack Neutron Group Based Policy Abstraction
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
While at Interop Tokyo…
• Visit the Nuage Networks booth in the SDI ShowCase
6/16/14
Network Policy NOW
@nuagenetworks
@ssneddon