A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner...
Transcript of A Policy Driven Approach to Software Defined Networking by Amir Sharif at SUSE OpenStack Partner...
Copyright 2013 Alcatel-Lucent. All rights reserved. @amir_sharif
Amir Sharif, Business Development, Nuage Networks
A Policy Driven Approach to Software Defined Networking
SDN in 2014
OpenFlow Controllers
Network Virtualization
White Box Switching
Open Source Projects
Network as a Service
Plenty of Innovation and Disruption…
Why SDN?
Reduce Cost
Asset Utilization
Self Service
Automation
Make the network more “Cloud” like
We’re making great progress
The “Consumption shift”
Cloud is changing the way technology is being consumed
From “order and wait”
To “instant gratification”
Consumer expectations are shifting
Multiple personas
Single user
On-demand personalized catalogue
Compute is Virtualized
Available in Minutes
Network is Partially Virtualized
Configuration takes Days/Weeks
Diagram (Datacenter Network): a new tenant / application request is split in two. Compute Management auto-instantiates the compute request, completed in minutes. Network Configuration goes through the help desk, change control, IP address and VLAN address assignment, firewall configuration, LAN (VLAN) configuration, WAN (IP) configuration, the Security / QA team and a project coordinator before the network change is completed, in days/weeks.
Service velocity is hindered by manual network process
Network is “more” virtualized
Some things available in minutes – Some not so much
Many network elements are manually configured
Manual per-tenant network configurations
Diagram (Software Defined Datacenter Network): a new tenant / application request goes to Compute Management, which auto-instantiates the compute request in minutes, and to Network Configuration, where an SDN Controller completes some of the network changes in minutes.
Service velocity accelerated, but…
Committees still build “networks”
Audits/reviews
In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant
Is this what your DevOps team should be doing?
Diagram (Software Defined Network Configuration): the DevOps team still works out VLAN address, IP address, WAN (IP) configuration and firewall configuration, so the network configuration is created in days/weeks.
We’ve only addressed part of the automation problem
Current Neutron networking provides building blocks to create logical topologies: networks, ports, subnets, routers, security groups
neutron net-create web
neutron subnet-create --name web-subnet web 10.0.0.0/24
neutron router-create router1
neutron router-add-interface router1 web-subnet
…
Not abstracted into a consumable model
Diagram (OpenStack Neutron Networks): web, app and db networks, each with VMs attached.
Puts the burden of topology design on the DevOps team
DevOps has an understanding of the specific application needs: segmentation, port numbers, connectivity goals
Should not be burdened with the implementation details: routes, subnets, VLANs
The DevOps team needs an Abstracted view
Diagram (A DevOps View): web, app and db tiers, each a group of VMs.
What is a network Policy?
OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• An application-centric approach to networking
• Moving away from traditional network constructs: ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to
  • express desired connectivity of application components
  • and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation
Policy Abstractions for Neutron
Diagram: an Outside EPG on the Public Network and Web, App and DB EPGs on Private Networks, each EPG a group of VMs; a Web Contract governs traffic from Outside to Web, and App Contracts govern traffic between the Web, App and DB tiers.
• Endpoint (EP): an IP-addressable entity
• Endpoint Group (EPG): a grouping of Endpoints
• Policy Rule: an individual rule that defines communication criteria
• Contract: a collection of Policy Rules applied to traffic between EPGs
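To make the four abstractions concrete, and to show the "service mapping" step that turns application policy back into building blocks, here is a toy model written for this page. It is an added example, not Nuage or Neutron code, and it does not implement the Group Based Policy API. The three-tier layout, the IP addresses, the port numbers, the contract names and the rule that members of one EPG may talk to each other freely are all constructed assumptions. Two things the slides only state in words become visible when you run it: contracts are directional (web may reach app, app may not reach web), and an EPG that is party to no contract with the source is unreachable by default, so Outside never reaches DB even though both are just IP addresses.

```python
"""Toy Group Based Policy model: Endpoint, Endpoint Group, Policy Rule, Contract.

Added example for this page, not Nuage or Neutron code.  The three-tier
sample (outside / web / app / db), its addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """An IP-addressable entity (a VM NIC, a bare-metal host)."""
    name: str
    ip: str


@dataclass
class EndpointGroup:
    """A grouping of Endpoints that share the same policy."""
    name: str
    endpoints: List[Endpoint] = field(default_factory=list)


@dataclass(frozen=True)
class PolicyRule:
    """One communication criterion: protocol plus an optional L4 port."""
    protocol: str               # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Contract:
    """Policy Rules applied to traffic a consumer EPG sends to a provider EPG."""
    name: str
    provider: str               # EPG that offers the service
    consumer: str               # EPG allowed to reach it
    rules: Tuple[PolicyRule, ...]


class GroupPolicy:
    def __init__(self) -> None:
        self.groups: Dict[str, EndpointGroup] = {}
        self.contracts: List[Contract] = []

    def add_group(self, name: str, *endpoints: Endpoint) -> EndpointGroup:
        epg = EndpointGroup(name, list(endpoints))
        self.groups[name] = epg
        return epg

    def add_contract(self, contract: Contract) -> None:
        for epg in (contract.provider, contract.consumer):
            if epg not in self.groups:
                raise KeyError(f"unknown EPG {epg!r} in contract {contract.name}")
        self.contracts.append(contract)

    def group_of(self, ip: str) -> Optional[str]:
        """Map an address back to the EPG that owns it (None if unknown)."""
        for epg in self.groups.values():
            if any(ep.ip == ip for ep in epg.endpoints):
                return epg.name
        return None

    def is_allowed(self, src_ip: str, dst_ip: str,
                   protocol: str, port: Optional[int]) -> bool:
        """Default deny: a flow passes only if a contract whose consumer is the
        source EPG and whose provider is the destination EPG has a matching rule."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return False           # endpoints outside any EPG get nothing
        if src == dst:
            return True            # toy assumption: intra-EPG traffic is open
        for c in self.contracts:
            if c.consumer != src or c.provider != dst:
                continue           # contracts are directional
            for r in c.rules:
                if r.protocol == protocol and (r.port is None or r.port == port):
                    return True
        return False

    def security_group_rules(self) -> Dict[str, List[dict]]:
        """Service mapping: render each contract as ingress rules on the provider
        EPG, keyed by the consumer group rather than by subnet or port."""
        out: Dict[str, List[dict]] = {name: [] for name in self.groups}
        for c in self.contracts:
            for r in c.rules:
                out[c.provider].append({"direction": "ingress",
                                        "remote_group": c.consumer,
                                        "protocol": r.protocol,
                                        "port": r.port})
        return out


def build_three_tier() -> GroupPolicy:
    """Constructed sample: outside -> web (80/443), web -> app (8080), app -> db (5432)."""
    p = GroupPolicy()
    p.add_group("outside", Endpoint("client", "203.0.113.10"))
    p.add_group("web", Endpoint("web1", "10.0.0.11"), Endpoint("web2", "10.0.0.12"))
    p.add_group("app", Endpoint("app1", "10.0.1.11"))
    p.add_group("db", Endpoint("db1", "10.0.2.11"))
    p.add_contract(Contract("web-contract", provider="web", consumer="outside",
                            rules=(PolicyRule("tcp", 80), PolicyRule("tcp", 443))))
    p.add_contract(Contract("app-contract", provider="app", consumer="web",
                            rules=(PolicyRule("tcp", 8080),)))
    p.add_contract(Contract("db-contract", provider="db", consumer="app",
                            rules=(PolicyRule("tcp", 5432),)))
    return p


if __name__ == "__main__":
    policy = build_three_tier()
    for flow in [("203.0.113.10", "10.0.0.11", "tcp", 443),
                 ("203.0.113.10", "10.0.2.11", "tcp", 5432),
                 ("10.0.1.11", "10.0.0.11", "tcp", 8080)]:
        print(flow, "allowed" if policy.is_allowed(*flow) else "denied")
    for epg, rules in policy.security_group_rules().items():
        print(epg, rules)
```

The point of `security_group_rules` is that nothing in the application-level description mentions a subnet or a router: the provider EPG receives ingress rules keyed on the consumer group, and whatever sits underneath (security groups, a distributed ACL, a vendor controller) is free to realise them however it likes, which is the "without imposing constraints on the underlying implementation" clause above.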
To Achieve a Policy Driven Network
Diagram: an application request expressed in application attributes (web, app and db tiers of VMs) is handled by the SDN framework, which turns it into topology attributes through service mapping and into technology attributes through service binding.
Policy Driven Networking Delivered
Nuage has provided policy abstractions for virtual and physical networks since our first release
L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics
Difficult to express using existing Neutron constructs…
Which is why we’re contributing to Group Based Policy: cleanly express application policy in Neutron
Nuage Networks Virtualized Services Platform (VSP)
• Virtualized Services Directory (VSD), Cloud Service Management Plane: Network Policy Engine that abstracts complexity; service templates and analytics
• Virtualized Services Controller (VSC), Datacenter Control Plane: SDN controller that programs the network; rich routing feature set
• Virtual Routing & Switching (VRS), Datacenter Data Plane: distributed switch / router with L2-4 rules; integration of bare metal assets
Diagram: VSD above VSC above VRS instances on each hypervisor, shown for Brooklyn Datacenter - Zone 1. R3.0 GA in September 2014.
Nuage Networks Virtualized Services Platform
Diagram (Datacenter Network): hypervisors and a hardware gateway for bare metal connect over the IP fabric to an edge router, with MP-BGP between the control plane and the edge router and hardware gateway.
Open solution with consistent capabilities across:
Any compute virtualization environment
Any datacenter networking hardware
Any server or hypervisor
Nuage Networks policy templates and role-based workflow
Diagram: a tenant / application request goes to Compute Management, which auto-instantiates the compute request in minutes, and to the Networking and Security / Compliance roles, who maintain templates (IP address, WAN interconnect, policy / security zones, L2/L3 service AD, service chaining). Nuage Networks VSP instantiates the policy (IP address 10.x.y.z, VLAN configuration, WAN configuration, security / FW settings, QoS parameters, …) and the network change is completed automatically.
Service velocity is not hindered by manual network process
Conclusions
• Creation of distributed virtual switches and virtual routers: great for virtual networks and better than VLANs, but …
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints cannot be done with traditional methodology
• Policy abstraction is a proven framework
• Successfully shipping since May 2013
For more information…
• Nuage Networks Virtualized Services Platform
• http://www.nuagenetworks.net
• OpenStack Neutron Group Based Policy Abstraction
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
11/10/2014
Network Policy NOW
@nuagenetworks
@amir_sharif