SDN Applications and Use Cases

Source: pas.csie.ntu.edu.tw/SDN2015Workshop/SDN_info/講員...

Post on 10-Mar-2018

Copyright 2015 ITRI 工業技術研究院

ITRI Information and Communications Research Laboratories, Broadband Network and System Integration Technology Division

許名宏

SDN Applications and Use Cases


Speaker Biography

National Taiwan University, Department of Computer Science and Information Engineering, Bachelor (class B87)

National Taiwan University, Graduate Institute of Computer Science and Information Engineering, Ph.D., Information Retrieval (IR)

Industrial Technology Research Institute (ITRI), Engineer, 2011 to present

Zhudong (Chungshing Campus); Liujia (Southern Region Campus)


Outline

SDN Basics

SDN Use Cases & Applications: Google B4 WAN, NEC VTN, OpenDefenseFlow, Firewall Migration, ITRI VLAN Migration

Concluding Remarks


What is SDN?


OpenFlow 1.0

Flow Entry: Matching Fields | Actions | Stats

Matching Fields (12-tuple): Ingress Port, MAC DA, MAC SA, EtherType, VLAN ID, IP Src, IP Dst, IP Protocol, TCP/UDP src port, TCP/UDP dst port, P-bits, IP DSCP

Actions:
• Forward packet to a port list
• Add/remove/modify VLAN tag
• Drop packet
• Send packet to the controller

Stats: packet counters, byte counters, etc.

[Figure: the SDN Controller (software) speaks the OpenFlow protocol to the OpenFlow client on an OpenFlow-enabled switch, which holds the Flow Table]

SDN = OpenFlow? Not exactly.
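As an added example (not code from the slides or from any OpenFlow controller), the following Python models the OpenFlow 1.0 flow entry described above: the twelve match fields with wildcards (including a CIDR mask on the IP fields), priority ordering, an action list covering the four slide actions, and the per-entry packet and byte counters. The controller-style field names, the sample entries and the three packets are constructed for illustration.

```python
"""OpenFlow 1.0 style flow table: 12-tuple match with wildcards, priority
ordering, an action list per entry and per-entry packet/byte counters.
Added illustration for this page, not ITRI's or any controller's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# The twelve OpenFlow 1.0 match fields named on the slide, in the usual
# controller naming (in_port, dl_* = Ethernet/VLAN, nw_* = IP, tp_* = TCP/UDP).
MATCH_FIELDS = (
    "in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
    "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst",
)

Action = Tuple[str, object]  # e.g. ("output", 2), ("set_vlan_vid", 20), ("drop", None)


@dataclass
class FlowEntry:
    match: Dict[str, object]        # a field absent from the dict is a wildcard
    actions: List[Action]
    priority: int = 0
    packet_count: int = 0           # stats: packets matched
    byte_count: int = 0             # stats: bytes matched

    def matches(self, pkt: Dict[str, object]) -> bool:
        for key, want in self.match.items():
            if key not in MATCH_FIELDS:
                raise ValueError(f"not an OpenFlow 1.0 match field: {key}")
            have = pkt.get(key)
            if key in ("nw_src", "nw_dst") and isinstance(want, str) and "/" in want:
                # CIDR wildcard on an IP field, as OpenFlow 1.0's nw_src/nw_dst masks allow
                if have is None or ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority first (stable sort)

    def process(self, pkt: Dict[str, object]) -> List[Action]:
        """Return the actions for pkt and update the matched entry's counters.
        A packet matching no entry is sent to the controller (packet-in)."""
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.byte_count += int(pkt.get("len", 0))
                return entry.actions
        return [("controller", None)]


def build_demo_table() -> FlowTable:
    """Constructed sample table exercising the four slide actions."""
    table = FlowTable()
    # Drop one host's web traffic towards the server (most specific, highest priority).
    table.add(FlowEntry({"dl_type": 0x0800, "nw_src": "155.66.77.11", "nw_dst": "172.32.32.32",
                         "nw_proto": 6, "tp_dst": 80}, [("drop", None)], priority=200))
    # Re-tag the rest of the 155.66.77.0/24 subnet into VLAN 20 and forward to a port list.
    table.add(FlowEntry({"dl_type": 0x0800, "nw_src": "155.66.77.0/24"},
                        [("set_vlan_vid", 20), ("output", 2), ("output", 3)], priority=100))
    # Catch-all for other IPv4: forward out port 1.
    table.add(FlowEntry({"dl_type": 0x0800}, [("output", 1)], priority=10))
    return table


def demo() -> Dict[str, object]:
    """Run three constructed packets through the table; report actions and counters."""
    table = build_demo_table()
    web = {"in_port": 1, "dl_type": 0x0800, "nw_src": "155.66.77.11", "nw_dst": "172.32.32.32",
           "nw_proto": 6, "tp_src": 40001, "tp_dst": 80, "len": 60}
    other = dict(web, nw_src="155.66.77.13", len=1500)   # same service, different host
    arp = {"in_port": 4, "dl_type": 0x0806, "len": 42}    # no IPv4 entry matches -> controller
    return {
        "web": table.process(web),
        "other": table.process(other),
        "arp": table.process(arp),
        "drop_counters": (table.entries[0].packet_count, table.entries[0].byte_count),
        "retag_counters": (table.entries[1].packet_count, table.entries[1].byte_count),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to notice is the priority ordering: the per-host drop entry must outrank the subnet re-tag entry, otherwise the blocked host's packets would be forwarded; the counters on each entry are what the Stats column of the slide refers to.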


SDN = Still Don’t kNow?


SDN is All about…

• Network Programmability: API interaction with network elements
• Separated Control Plane and Forwarding Plane: the forwarding plane can be software or hardware; the control plane is agnostic to the underlying hardware
• Network topology derived from the application: this is how SDN is different from switched networks
• Vendor Independence: open and standardized interface


How does SDN work?


Traditional Interaction Model

Every network device can be understood to have an INDEPENDENT
• Intelligence Entity and a
• Functional Engine

Configuration, Command & Control uses a communication channel between the Network Administrator and the Intelligence Entity on board the Network Device.

[Figure: a Brocade ICX 6610-24P switch; the Network Command & Control channel runs from the administrator to the device]

source: Brocade–SDN–creating intelligent lan infrastructures


What's the Problem with the Traditional Model?

[Figure: a row of Brocade ICX 6610-24P switches, each with its own Network Command & Control channel]

The larger the network, the more INDEPENDENT devices you need to manage.

- They make their switching & routing decisions independently
- They make their forwarding & filtering decisions independently
- They treat security policies, VLANs, QoS policies, port policies, etc. INDEPENDENTLY

How Can We Make this Easier? Is there a way to make them all operate as a cohesive group?

source: Brocade–SDN–creating intelligent lan infrastructures


What’s the Solution?

[Figure: the same switches, now all controlled through a single SDN Controller that carries the Network Command & Control]

Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized Command & Control "proxy" in the form of a Controller.

source: Brocade–SDN–creating intelligent lan infrastructures


SDN Use Cases & Applications


Google B4 WAN


Motivation: WAN Cost Components

• Hardware: routers, transport gear, fiber
• Standard practice: overprovisioning; shortest-path routing; slow convergence time; maintain SLAs despite failures; no traffic differentiation
• Operational expenses / human costs: box-centric versus fabric-centric views


Google’s WAN: B4

Google inter-datacenter traffic:
a. User data copy
b. Remote storage access
c. Large-scale data push for state synchronization
Volume: a < b < c; latency sensitivity: a > b > c; priority: a > b > c

B4 characteristics: elastic bandwidth demands; moderate number of sites; end-application control; cost sensitivity


B4 Overview

Source: B4 (SIGCOMM’13)

B4 Operations
• Simultaneously support standard routing protocols and centralized traffic engineering.
• Control at the network edge to adjudicate among competing bandwidth demands.
• Use multiple forwarding paths to leverage available network capacity.
• Dynamically reallocate bandwidth in the face of link/switch failures or shifting application demands.

Link utilization: traditional 30–40%; B4 around 95%


B4 Usage & TE Example

Flow Group (FG): site-to-site flow aggregation; multipath forwarding

Tunnel Group (TG): a fraction of the FG is forwarded along each tunnel

Source: B4 (SIGCOMM’13)

Source: OpenFlow @ Google (ONS 2012)
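An added example (not Google's B4 code) of the FG/TG split described above and of the "dynamically reallocate bandwidth" operation from the B4 Operations slide: a Flow Group's demand is divided across its Tunnel Group by weight with capacity water-filling, flows are hashed onto tunnels for multipath forwarding, and a tunnel failure re-splits the demand over the survivors. The tunnel names, weights, capacities and the 5-tuple are constructed.

```python
"""B4-style traffic engineering for one Flow Group (FG): the FG's demand is split
across the tunnels of its Tunnel Group (TG) in proportion to tunnel weights, capped
by tunnel capacity, and re-split over the surviving tunnels when a tunnel fails.
Added illustration for this page, not Google's B4 code; names and figures constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tunnel:
    name: str
    weight: float      # TE's intended share of the FG
    capacity: float    # Gbps available on this path
    up: bool = True


def split_flow_group(demand: float, tunnels: List[Tunnel]) -> Tuple[Dict[str, float], float]:
    """Weighted water-filling: each round shares the unplaced demand among the
    unsaturated up tunnels by weight; tunnels that hit capacity drop out.
    Returns (rate per tunnel, demand that could not be placed)."""
    alloc = {t.name: 0.0 for t in tunnels if t.up}
    active = [t for t in tunnels if t.up]
    remaining = demand
    while remaining > 1e-9 and active:
        weight_sum = sum(t.weight for t in active)
        saturated = []
        for t in active:
            share = remaining * t.weight / weight_sum
            room = t.capacity - alloc[t.name]
            give = min(share, room)
            alloc[t.name] += give
            if room - give <= 1e-9:
                saturated.append(t.name)
        remaining = demand - sum(alloc.values())
        active = [t for t in active if t.name not in saturated]
    return alloc, remaining


def pick_tunnel(flow_key: str, alloc: Dict[str, float]) -> str:
    """Multipath forwarding: hash a flow's 5-tuple onto [0, total) and pick the tunnel
    whose cumulative share covers that point, so one flow always takes one tunnel."""
    total = sum(alloc.values())
    digest = hashlib.sha256(flow_key.encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2 ** 64 * total
    cumulative = 0.0
    names = sorted(alloc)
    for name in names:
        cumulative += alloc[name]
        if point < cumulative:
            return name
    return names[-1]  # float rounding guard


def demo() -> Dict[str, object]:
    """Constructed TG for one site pair: demand 10 Gbps over three tunnels, then T1 fails."""
    tg = [Tunnel("T1", weight=2, capacity=6), Tunnel("T2", weight=1, capacity=4),
          Tunnel("T3", weight=1, capacity=3)]
    before, unplaced_before = split_flow_group(10.0, tg)
    flow = "10.1.0.5,10.2.0.9,6,51234,443"     # constructed 5-tuple
    chosen_before = pick_tunnel(flow, before)
    tg[0].up = False                              # link failure takes T1 down
    after, unplaced_after = split_flow_group(10.0, tg)
    return {
        "before": before, "unplaced_before": unplaced_before,
        "after": after, "unplaced_after": unplaced_after,
        "stable": chosen_before == pick_tunnel(flow, before),
        "remapped": pick_tunnel(flow, after),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

After the failure the two surviving tunnels saturate at 7 Gbps, so 3 Gbps of the demand stays unplaced; in B4 that is where the edge-side control over competing demands (the second bullet of the B4 Operations slide) decides which application traffic is admitted.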


NEC ProgrammableFlow VTN


VTN Information Model

Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”


VTN Example

Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”


VTN Feature Sets & Policies

• Virtual Network Provisioning: VTN design (add/delete/change); VTN model operation (add/delete/change)
• vFilter, flow control in VTN: 12-tuple based flow filter; QoS control in the virtual network; ACL (e.g., drop); redirect (service chaining); apply to the whole VTN or ...
• Virtual Network Monitoring: VTN information collection (traffic/port/link statistics, failure events & alarms, controller status)
• Port/VLAN/MAC mapping


ProgrammableFlow VTN Use Case

VTN for Kanazawa University Hospital


OpenDefenseFlow (Defense4All in OpenDaylight)


DDoS Impact on Business

[Figure: many zombie hosts sending attack traffic towards the business]


DDoS Overview

Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources. Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests.

Addressing DDoS attacks:
• Detection – detect incoming fake requests
• Mitigation
  – Diversion – send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
  – Return – send the clean traffic back to the server


OpenDefenseFlow Overview

[Figure: the OpenDefenseFlow application (Defense4All) runs in the SDN Applications layer on top of the SDN Controller; it programs the SDN Data Plane through the controller's OpenFlow API and the DefensePro mitigation devices through their API. Caption: The SDN Application That Programs Networks for DDoS Protection]

Source: OpenDefenseFlow proposal overview for OpenDaylight


OpenDefenseFlow — Anti-DDoS SDN Security Application

[Figure: DefenseFlow on the SDN Controller sits between the Internet and the servers; an attack arrives from the Internet and DefensePro (or equivalent) is the mitigation device]

• Security service provisioning
• Programmable probe – collect
• Detection – analyze & decide
• "Flow Diversion" – control
• Create baselines per IP address, protocol & service (port); configure DefensePro with the learned baselines

Source: OpenDefenseFlow proposal overview for OpenDaylight


OpenDefenseFlow on OpenDaylight


OpenDefenseFlow Architecture

Flow Entry in OpenFlow v1.0: Match Fields | Priority | Counters

Statistics Service
• addCounter(selector)
• readCounter(selector)
• removeCounter(selector)
• resetCounter(selector)


Statistics Service — Counter Smart Placement


OpenDefenseFlow Architecture

Redirection Service
• redirectTraffic(selector, devices[])
• mirrorTraffic(selector, devices[])

[Figure: (a) Redirection (b) Mirroring]


Traffic Redirection for Attack Mitigation


OpenDefenseFlow Architecture

Anomaly Detection
• Builds peace-time (normal) traffic baselines
• Identifies deviations from the normal traffic baselines
• Pluggable system to support: multiple vendors; different detection techniques; extensibility (detect new attacks); etc.


OpenDefenseFlow Architecture

Mitigation Driver
• Configures external mitigation device(s) – e.g., passes the baseline to the device to expedite detection
• Configures the network such that the suspicious traffic (and only the suspicious traffic) is diverted to a suitable mitigation device
• Monitors the external mitigation device(s) – e.g., attack ended
• After the attack, restores the network to its original configuration

Vendor independent: interested vendors can connect to the system by writing a Mitigator Driver (think device drivers in an OS)
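An added example (not Radware's or OpenDaylight's Defense4All code) tying together the Statistics Service, Anomaly Detection and Mitigation Driver subsystems described above: counters per (IP address, protocol, service port) feed peace-time baselines, a reading above mean + k·stdev is a deviation, the driver diverts only that selector to the mitigation device and restores the network after the attack ends. The counter readings, the device name "defensepro-1" and the k and calm-interval parameters are constructed.

```python
"""Peace-time baselines per (IP address, protocol, service port) from counter
readings, deviation detection, and a mitigation driver that diverts only the
suspicious selector and restores the network once the attack ends. Added
illustration of the OpenDefenseFlow flow on this page, not Radware's or
OpenDaylight's code; the counter readings and device names are constructed."""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Selector = Tuple[str, str, int]     # (destination IP, protocol, service port)


@dataclass
class Baseline:
    mean: float
    stdev: float

    def threshold(self, k: float) -> float:
        return self.mean + k * self.stdev


class StatisticsService:
    """Stands in for the addCounter/readCounter API: one packets-per-interval
    counter per selector, fed here from constructed samples."""
    def __init__(self) -> None:
        self.samples: Dict[Selector, List[int]] = {}

    def add_counter(self, selector: Selector) -> None:
        self.samples.setdefault(selector, [])

    def record(self, selector: Selector, pps: int) -> None:
        self.samples[selector].append(pps)

    def read_counter(self, selector: Selector) -> int:
        return self.samples[selector][-1]


class AnomalyDetector:
    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.baselines: Dict[Selector, Baseline] = {}

    def learn(self, selector: Selector, peace_time: List[int]) -> Baseline:
        b = Baseline(statistics.mean(peace_time), statistics.pstdev(peace_time))
        self.baselines[selector] = b
        return b

    def is_anomalous(self, selector: Selector, reading: int) -> bool:
        return reading > self.baselines[selector].threshold(self.k)


class MitigationDriver:
    """Diverts a selector's traffic to the mitigation devices while it deviates
    from baseline and restores it after `calm` consecutive normal intervals."""
    def __init__(self, devices: List[str], calm: int = 2) -> None:
        self.devices = devices
        self.calm = calm
        self.diverted: Dict[Selector, int] = {}    # selector -> consecutive calm intervals
        self.log: List[Tuple] = []

    def observe(self, selector: Selector, anomalous: bool) -> Optional[Tuple]:
        if anomalous:
            if selector not in self.diverted:
                self.diverted[selector] = 0
                self.log.append(("redirectTraffic", selector, tuple(self.devices)))
                return self.log[-1]
            self.diverted[selector] = 0          # attack still on: reset the calm count
        elif selector in self.diverted:
            self.diverted[selector] += 1
            if self.diverted[selector] >= self.calm:
                del self.diverted[selector]      # attack ended: restore the original path
                self.log.append(("restore", selector))
                return self.log[-1]
        return None


def demo() -> Dict[str, object]:
    web: Selector = ("172.32.32.32", "tcp", 80)
    dns: Selector = ("172.32.32.32", "udp", 53)
    stats = StatisticsService()
    for s in (web, dns):
        stats.add_counter(s)
    detector = AnomalyDetector(k=3.0)
    driver = MitigationDriver(["defensepro-1"], calm=2)
    # Peace-time readings (constructed, packets per interval) used to build baselines.
    detector.learn(web, [100, 110, 95, 105, 100, 90, 108, 102])
    detector.learn(dns, [40, 42, 38, 41, 39, 40, 43, 37])
    # Live readings: a flood on the web service, DNS stays normal throughout.
    live = {web: [2000, 1800, 150, 105, 98], dns: [41, 40, 39, 42, 38]}
    for i in range(5):
        for s in (web, dns):
            stats.record(s, live[s][i])
            driver.observe(s, detector.is_anomalous(s, stats.read_counter(s)))
    return {"web_threshold": round(detector.baselines[web].threshold(3.0), 2),
            "log": driver.log, "still_diverted": sorted(driver.diverted)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the web selector is ever redirected; the DNS counter never crosses its threshold, which is the "suspicious traffic, and only the suspicious traffic" property of the driver. The calm-interval count prevents a single quiet sample during an attack from tearing down the diversion early.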


OpenDefenseFlow – Unique Value Proposition

• Scalable, precise and fast attack/anomaly detection
• Utilizes native SDN programming for attack traffic diversion
• Lower solution costs: statistical collection without costly specialized hardware detectors; simple attack diversion (no need for BGP injection or GRE tunnels)
• Centralized control allows efficient management of mitigation resources, monitoring and reporting
• Extensible: add detection algorithms; add mitigation devices


Flow Information Collection in a Conventional Network

NetFlow record (extended as IETF IPFIX):
• Input interface index used by SNMP
• Output interface index
• Timestamps for the flow start and finish time
• Number of bytes and packets observed
• Layer 3 headers: source & destination IP addresses; source and destination port numbers for TCP, UDP, SCTP; ICMP type and code; IP protocol; Type of Service (ToS) value
• The union of all TCP flags observed over the life of the flow
• Layer 3 routing information: IP address of the immediate next hop along the route to the destination; source & destination IP masks (prefix lengths in CIDR notation)
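An added example (not ITRI's code) that shows concretely what the NetFlow record above carries: it packs and parses NetFlow v5 export datagrams with the standard 24-byte header and 48-byte record layout, then summarizes flows per destination service, counting distinct sources and flows whose TCP-flag union is SYN only. The export datagram is constructed, not captured from a router.

```python
"""NetFlow v5 export parser plus a per-destination summary, to show what the
conventional NetFlow record on the slide carries. Added illustration for this
page, not ITRI's code; the export datagram below is constructed, not captured."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def pack_record(src, dst, sport, dport, proto, pkts, octets, tcp_flags=0,
                nexthop="10.0.0.254", input_if=1, output_if=2, first=1000, last=2000,
                src_mask=24, dst_mask=32) -> bytes:
    """One v5 record: interfaces, timestamps, counters, L3/L4 headers, flag union, masks."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton(nexthop),
                          input_if, output_if, pkts, octets, first, last, sport, dport,
                          0, tcp_flags, proto, 0, 0, 0, src_mask, dst_mask, 0)


def pack_export(records: List[bytes], sequence=1) -> bytes:
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, sequence, 0, 0, 0)
    return header + b"".join(records)


def parse_export(data: bytes) -> Tuple[Dict[str, int], List[Dict[str, object]]]:
    """Return (header, flow records); a short or non-v5 datagram raises ValueError."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling}
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return header, flows


def summarize_by_service(flows: List[Dict[str, object]]) -> Dict[tuple, Dict[str, int]]:
    """Per (dst, proto, dport): distinct sources, packets, and flows whose TCP flag
    union is SYN only (the handshake never completed over the flow's lifetime)."""
    summary = defaultdict(lambda: {"sources": set(), "packets": 0, "syn_only": 0})
    for f in flows:
        s = summary[(f["dstaddr"], f["prot"], f["dstport"])]
        s["sources"].add(f["srcaddr"])
        s["packets"] += f["dPkts"]
        if f["prot"] == 6 and f["tcp_flags"] == 0x02:
            s["syn_only"] += 1
    return {k: {"sources": len(v["sources"]), "packets": v["packets"], "syn_only": v["syn_only"]}
            for k, v in summary.items()}


def demo():
    """Constructed export: three SYN-only flows to port 80 and one full session to 443."""
    records = [pack_record("10.0.0.1", "172.32.32.32", 40001, 80, 6, 1, 40, tcp_flags=0x02),
               pack_record("10.0.0.2", "172.32.32.32", 40002, 80, 6, 1, 40, tcp_flags=0x02),
               pack_record("10.0.0.3", "172.32.32.32", 40003, 80, 6, 1, 40, tcp_flags=0x02),
               pack_record("192.0.2.10", "172.32.32.32", 50000, 443, 6, 120, 90000, tcp_flags=0x1b)]
    header, flows = parse_export(pack_export(records))
    return header, flows, summarize_by_service(flows)


if __name__ == "__main__":
    header, flows, summary = demo()
    print(header)
    for key, value in summary.items():
        print(key, value)
```

The flag-union field is what makes NetFlow usable for flood detection at all: a flow that only ever carried SYN never completed its handshake. The limitation the next slides discuss is that such records arrive per export interval, after the fact, which is why the comparison table rates NetFlow-based mitigation as slow.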


Conventional DDoS Mitigation with Netflow

Records of all flows passing through specific router interface


Netflow vs. OpenDefenseFlow (conventional network vs. SDN)

| Capability | | Netflow-based Mitigation | Open-DefenseFlow |
| --- | --- | --- | --- |
| Detection | Network DDoS flood attacks | Full coverage | Full coverage |
| Mitigation | Mitigation response time | Slow – 5 min | Immediate – seconds |
| Network Operation | | Requires BGP announcement, GRE tunneling and several detectors: complicated | Simple – diversion is a network service |
| Diversion | Traffic granularity | Low granularity | High granularity – divert only suspicious traffic |
| Cost Effective | | Requires hardware detectors, requires a scrubbing center, consumes router CPU and ports: expensive | Low cost |

Netflow-based mitigation in summary: slow, complicated, inaccurate, expensive.


OpenDefenseFlow Scope

The OpenDefenseFlow (Defense4All) will provide the following:
• An implementation of the Anomaly Detection subsystem, including a vendor-independent framework for plugging in different detection algorithms and a reference implementation of such a detection plug-in. This sample detector will be able to handle common DoS attacks, and it will serve as an example for developers of more sophisticated detectors.
• An implementation of the Mitigation Driver subsystem, including a vendor-independent framework for plugging in different mitigation devices and a reference implementation of such a mitigator plug-in.
• An OSGi bundle for the Statistics Service subsystem, including a REST API
• An OSGi bundle for the Traffic Redirection Service subsystem, including a REST API
• The OpenDefenseFlow API.


Firewall Migration


Firewall and Firewall Migration

Firewall (FW)
• Comprehensive, powerful functions: packet filtering, NAT, routing, proxy, VPN, etc.
• Product-dependent configuration/management

Firewall migration: a challenging task where "the devil is in the details". Challenges come from:
• Many, many rules
• Different policy definition manner, e.g., zone-based vs. single-zone policies
• Interpretation errors of the migration tool
• Human errors: manual rule translation & validation; unfamiliarity with the firewall's default behavior


Conventional Firewall Migration Strategies

Big bang strategy: a new firewall completely replaces the old one.
• Higher risk: finished progress = 0% or 100%
• Lower complexity
• Unpredictable migration time, due to the high risk

Re-addressing strategy: the new firewall coexists with the old one.
• Lower risk: migrating services step by step
• Higher complexity: requires topology re-design and IP re-addressing
• Time-consuming

Is there a novel strategy with lower risk and lower complexity?


A Simple Network

Conventional network with a firewall

Rule subset of the firewall (Firewall Rules):

| SRC IP | DEST IP | DST Port | Action |
| --- | --- | --- | --- |
| 155.66.77.11 | 172.32.32.32 | 80 | Drop |
| 155.66.77.12 | 172.32.32.32 | 80 | Drop |
| 155.66.77.13 | 172.32.32.32 | 80 | Permit |

[Figure: the target flow through the conventional network and its firewall]

Source: Ethereal.com


Goal of Firewall Migration: how to divert the target flow to the new path?

Most routers do not support policy-based routing (PBR) with line-rate forwarding.

Idea: firewalls and SDN are both about flows

Source: Ethereal.com


OpenFlow for Firewall Migration

Introduce SDN-enabled switches & controller

Source: Ethereal.com


SDN-based Firewall Migration

Build the FW Migration App:
1. The app reads the configuration from the old firewall and parses the configuration into rules. (Manual selection)
2. The app translates the rules, then loads the firewall rules into the new firewall. (Manual checking and validation)
3. Flow cutover: the OpenFlow forwarding rules are sent to the OpenFlow switches. (Manual testing)

Example flow entry in OF1 (switches OF1 and OF2 in the figure):

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| * | * | * | * | * | * | 172.32.32.32 | * | * | 80 | port2 |

Source: Ethereal.com
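An added example (not ITRI's FW Migration App) walking through the three steps above on the rule subset from the "A Simple Network" slide: parse the old rules, differential-test the translated rules against the old ones with probe flows (including the firewall's default action, one of the human-error sources listed earlier), check for shadowed rules, and emit the OF1 cutover entry shown in the table. The configuration text, the probe flows and the mismatched default action are constructed.

```python
"""The three FW Migration App steps from the slide, as an added illustration for
this page (not ITRI's application): parse the old firewall's rule subset, validate
the translated rule set against it with probe flows (including the firewall's
default action), and emit the OpenFlow 1.0 cutover entry that diverts the target
flow to the new firewall's port."""
from collections import namedtuple
from typing import Dict, List, Tuple

Rule = namedtuple("Rule", "src dst dport action")
Flow = Tuple[str, str, str]   # (src ip, dst ip, dst port); "*" in a rule is a wildcard

# Constructed sample of the old firewall's rule subset, in the slide's column order.
OLD_CONFIG = """\
# SRC IP        DEST IP        DST Port  Action
155.66.77.11    172.32.32.32   80        Drop
155.66.77.12    172.32.32.32   80        Drop
155.66.77.13    172.32.32.32   80        Permit
"""

OF10_FIELDS = ("Switch Port", "MAC src", "MAC dst", "Eth type", "VLAN ID", "IP Src",
               "IP Dst", "IP Prot", "TCP sport", "TCP dport", "Action")


def parse_rules(text: str) -> List[Rule]:
    """Step 1: read the old configuration and parse it into rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("Drop", "Permit"):
            raise ValueError(f"cannot parse rule line: {line!r}")
        rules.append(Rule(*parts))
    return rules


def _covers(rule: Rule, flow: Flow) -> bool:
    return all(r == "*" or r == f for r, f in zip(rule[:3], flow))


def decide(rules: List[Rule], flow: Flow, default: str) -> str:
    """First-match semantics; `default` is the firewall's action when nothing matches."""
    for rule in rules:
        if _covers(rule, flow):
            return rule.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that an earlier rule fully covers (they can never fire)."""
    return [i for i, later in enumerate(rules)
            if any(_covers(earlier, later[:3]) for earlier in rules[:i])]


def validate_translation(old: List[Rule], old_default: str, new: List[Rule], new_default: str,
                         probes: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Step 2 check: every probe flow must get the same verdict from both firewalls."""
    return [(p, decide(old, p, old_default), decide(new, p, new_default))
            for p in probes if decide(old, p, old_default) != decide(new, p, new_default)]


def cutover_entry(target_dst: str, target_port: str, out_port: str) -> Dict[str, str]:
    """Step 3: OpenFlow 1.0 entry steering only the target flow to the new path."""
    entry = dict.fromkeys(OF10_FIELDS, "*")
    entry.update({"IP Dst": target_dst, "TCP dport": target_port, "Action": out_port})
    return entry


def demo() -> Dict[str, object]:
    old = parse_rules(OLD_CONFIG)
    # Constructed translated rule set: the rules carried over unchanged, but the new
    # firewall was left at its default Permit while the old one defaulted to Drop.
    new = list(old)
    probes = [r[:3] for r in old] + [("155.66.77.14", "172.32.32.32", "80")]
    mismatches = validate_translation(old, "Drop", new, "Permit", probes)
    fixed = validate_translation(old, "Drop", new, "Drop", probes)
    entry = cutover_entry("172.32.32.32", "80", "port2")
    return {"rules": len(old), "shadowed": shadowed(old), "mismatches": mismatches,
            "fixed": fixed, "cutover": " ".join(entry[f] for f in OF10_FIELDS)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Probing only the flows named in the rules would have passed the translation; the unlisted source is what exposes the default-action difference, which is why the validation step should always include flows that match no rule. The cutover entry wildcards every field except IP Dst and TCP dport, so only the target flow moves to port2 and everything else keeps its old path.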


ITRI VLAN Migration


Motivation of VLAN Migration

• Rich services/departments: WiFi, U-bike, surveillance system, access control system, …
• Legacy L2 switches generally support (only) port-based VLAN
• Managing port-based VLAN is complex and time-consuming


VLAN Migration — ITRI ITSC

Goal: to reduce operational expense (OPEX)
• Flexible VLAN partition rule: port, MAC address, IP address, …
• One-shot configuration
• Replacing access switches


Concluding Remarks


Potential Innovative Issues

• Wired/wireless network resource management ("IEEE tutorial – wireless SDN in access and backhaul")
• Application-aware traffic engineering
• Efficient/scalable network state monitoring: device, application, switch/link loading, flow table usage, …
• Protocol-independent forwarding ("P4: programming protocol-independent packet processors")
• Security applications: unified access control, IDS, DDoS protection, …
• Security of SDN ("OpenFlow: A Security Analysis")


SDN Brings Network Programmability, Flexibility and Agility


There will be many more SDN/NFV innovations!!


Thank You!