Enterprise Grade Networking with OpenStack
Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks
Nuage Networks Enterprise-Grade Networking in OpenStack
@martenhauville @jonasvermeulen
Marten Hauville Principal Solutions Architect ANZ
Jonas Vermeulen Product Line Manager EMEA

…or how enterprise IT needs to deliver networking with High Availability, Scalability & Interoperability across complex multi-site environments; seamlessly with existing heterogeneous infrastructure & vendors.
Oh, and interconnect OpenStack private clouds with external public clouds too.

What does Enterprise want?
• Faster time to market
• Lower cost, higher quality
• Reduced OpEx
• Ubiquitous, easy to manage, maintain, consume

Enterprise technology drivers
• Self service from catalogue
• On demand Service
• OpEx model for charging (charge-back)
• Pool of resources that can be easily adjusted
• Availability of integrated applications in shared environment – Application PaaS
• Short cycle provisioning

Enterprise requires complexity
• Existing hardware, hypervisors, platforms
• Platforms, Apps that cannot be virtualised
• Multiple Data Centres, remote branches
• Remote workers
• Operational & Maintenance costs

Enterprise requires complexity
• Pressure from business to perform
• Hidden IT – AWS workloads
• Reporting, compliance
• Limited highly skilled staff

Enterprise networking needs
• Scalable: Up and Out, resilient and federated
• Abstraction: Abstraction of the network topologies and complexities, offers service velocity
• Flexibility: Integration with third-party physical networking infrastructure
• Extensibility: Services need to be extended across data centers, public or private
Enterprise Consumption

Consumable Enterprise IT

OpenStack delivers to Enterprise
• Enable faster turn up for business
• Enable efficiency, minimise cost
• DevOps, DevOps, DevOps
• Open ecosystem of vendors & software
• Freedom of choice
• Strong(er) enterprise vendor support

Enterprise networking can be complex

Policy Approach to Networking
[Diagram: Application Networks Policy Templates. Labels: Users, Application Types, Business Rules, Policy Evaluation; repeated Firewall, W and BL elements.]
Design once, re-use multiple times

Networks need Flexibility
• DHCP, DNS
• IPAM
• Load Balancing
• Firewalls
• Traffic Flows: Edge, North-South, East-West
• Authentication: users & elements
• Security, reporting, compliance

Enterprises deploy services across datacenters
Network Services
• Layer 2 Extension?
• True L2/L3 DR?
• Dynamic Service Provisioning?

Enterprise Environment: Physical/Virtual Servers, Global Distribution, Multi Cloud Platform
> Nuage VSC
> T1 RedHat OSP
>> Compute 2
>> Compute 3
> F5
> Palo Alto Networks
> Nuage VSD
> T1 RedHat OSP
>> Controller
>> Compute 1
> Infoblox
> T2 Canonical OS [MaaS Setup]
>> Controller
>> Compute 1
>> Compute 2
> Avi Networks
[Diagram labels: SJC, TOR, WDC, HKG]

Themes Addressed from a technical perspective
Enterprise Needs: Examples
• Abstraction: Networks in Dev/Test/Prod
• Scalability: # Endpoints / # subnets / #...
• Flexibility: XaaS Connectivity
• Extensibility: Stretched / Hybrid Cloud

Abstraction and Velocity across Dev/Test/Prod
Dev Environment Networking needs
• Exportable Policy for each App
• Lots of (Distributed) Routing Instances
• Potential overlap of IP space
[Diagram labels: Internet/Intranet, Dev, Management]

Abstraction and Velocity across Dev/Test/Prod
Test Environment Networking needs
• Re-Usable Policy from Dev
• Very large Distributed Routing Instance
• Unique IP space
[Diagram labels: Internet/Intranet, Dev, Management, Test]

Abstraction and Velocity across Dev/Test/Prod
Prod Environment Networking needs
• Re-Usable Policy from Test
• Very large Distributed Routing Instance
• Unique IP space
[Diagram labels: Internet/Intranet, Dev, Management, Test, Prod]

Abstraction and Velocity across Dev/Test/Prod
Desire to re-use policy, but network structure is different between Dev <-> Test/Prod
1. Modify cookbooks between environments
2. Use external system for defining topology and enforcing policies
→ Nuage Networks allows external definition and mapping into tenant-structure

Abstraction and Velocity across Dev/Test/Prod
Example for Test-Environment
• Distributed Router can span across multiple tenants
• Tenants only see their own subnets
• Security-groups to limit E-W traffic flows
1 Logical Router
1 Project maps to >=1 Tenant

Abstraction and Velocity across Dev/Test/Prod
Design Once, Re-Use
[Diagram: CM-Tools across DEV, Test and PROD. Labels: Define Policies per Application; Apply, Merge, Finetune & Get Approval; Commit Final]

Abstraction and Velocity across Dev/Test/Prod
Design Once, Re-Use
Top PolicyList, Owner: Net Admin
Bottom PolicyList, Owner: Net Admin
B2CSitePolicyList, Priority: 5, Owner: B2BSite-Admin
StockApp PolicyList, Priority: 10, Owner: StockNW
Rule 1: Port SSH allow
Rule 2: Port Telnet drop
Rule 3: Port HTTP drop
Rule 2: Port 8080 Allow to App
Rule 6: Port SQL Allow Internal
Rule 11: Port 443 drop
Rule 7: Port 70 allow
Rule 888: Port 80 allow
Rule 1: All drop
Infrastructure Policies
Application Policies
Infrastructure Policies

Abstraction and Velocity across Dev/Test/Prod
Design Once, Re-Use
[Diagram: CM-Tools across DEV, Test and PROD. Labels: Backout / Roll-Back; Re-Test; Roll-Back to N-1]

Scaling network primitives
• Large Difference between Dev <-> Test/Prod
• Scaling impact
  • Virtual Routers – Highest for Dev → ~1500
  • Subnets – Highest for Test / Prod → 400+ per router
  • Security/Policy Groups – Highest for Test / Prod → 2000+

Scaling network primitives
• Scaling Test in AWS
  • 80 subnets / 40 routers
  • 20K instances (500/server)
  • Instances are Docker containers
  • 140K ACLs (7 ACLs per VM)
• Configuration
  • VSD running as C3.4xlarge (16-core)
  • VSC running as C3.2xlarge (8 core)
  • VRS running as M3.xlarge
• Time to create: 8 minutes*
*(when AWS VPC behaves)
[Diagram labels: Nuage VSC, Nuage VSD, Servers as VMs in AWS VPC]

Flexibility to connect XaaS
Default = Centralized – Virtualized – Single-Tenant
[Diagram labels: Neutron-Server (core plugin; service plugin: FWaaS, LBaaS, VPNaaS); two Compute-Nodes with VMs; Network-Node with LB, FW, VPN (shown twice); Logical Tenant Network 1; Logical Tenant Network 2]

Flexibility to connect XaaS
Centralized – Non-Virtualized – Multi-Tenant
• Typically for Legacy Non-Virtualized Appliances
• Connectivity
  • Interface to gateway
  • Per-Tenant service provided through Provider-Networks (VLAN)
• Examples
  • LBaaS: F5
  • FWaaS: PaloAlto
[Diagram labels: Neutron-Server (core plugin: nuage; service plugin: FWaaS, LBaaS, VPNaaS); Compute-Nodes with VRS and VMs; Logical Tenant Network 1; Logical Tenant Network 2; nuage-gateway; FW / LB with Context 1 and Context 2; VLAN = Provider Network]

Flexibility to connect XaaS
Distributed – Virtualized – Single-Tenant
• Services as Tenant-VMs
• Tenant-VMs are distributed using OpenStack placement algorithm
• Management via XaaS Plugin
• Example: AVI LB
[Diagram labels: Neutron-Server (core plugin: nuage; service plugin: FWaaS, LBaaS, VPNaaS); three Compute-Nodes with VRS, VMs, LB1 and LB2; Logical Tenant Network 1; Logical Tenant Network 2]

Flexibility to connect XaaS
Distributed – Agent – Multi-Tenant
• Traffic gets locally redirected to an Agent running in the HV
  • VM, process, docker
• Example Agent tasks
  • Proxy ARP / DHCP
  • Meta-data Agent
  • Storage Proxy for Swift
  • L5-L7 (e.g. IDS/DPI)
[Diagram labels: Neutron-Server (core plugin: nuage; service plugin: FWaaS, LBaaS, VPNaaS); two Compute-Nodes with VRS, VMs and Agent 1, 2; Tenant Network 1; Tenant Network 2]

Extending clouds to other sites
[Diagram: Site 1 - Private, Site 2 - Private and Site x - Public, each labelled with Keystone, Nova, Neutron, Users and Network]

Extending clouds to other sites
Identity Federation
Can I federate the network?
= Can I have a single subnet across sites?
= Can I attach a new subnet to a router defined in another site?
= Can my VM communicate with a VM at a different site?
= Can my security policies encompass VMs from different sites?
[Diagram: Site 1 - Private, Site 2 - Private and Site x - Public, each labelled with Keystone, Nova, Neutron and Network; a single Users label; Kilo]

Extending clouds to other sites
Users: Identity Federation
Network: Network Federation with Nuage
Centralized definition, sharing policy
[Diagram: Site 1 - Private (label shown twice) and Site x - Public, each labelled with Keystone, Nova, Neutron and nuage; Kilo]

Extending clouds to other sites
Users: Identity Federation
Network: Network Federation with Nuage
Federated Policy: Policy requested from “Home VSD” for the router
✓ Stretched subnets
✓ New subnet attached to router of other site
✓ VMs can communicate across sites
✓ Security policies across sites
[Diagram: Site 1 - Private, Site 2 - Private and Site x - Public, each labelled with Keystone, Nova, Neutron and nuage; Kilo]

Conclusions
Enterprise Needs: Delivered through
• Abstraction: Network Policies
• Scalability: Distributed Control Plane
• Flexibility: Any XaaS Topology
• Extensibility: Network Federation

THANK YOU
See Nuage Networks in action at 4:15PM Avi Networks Booth T9 OpenStack Private Cloud Case Study by Nuage Networks & Avi Networks