Transcript of How SDN Works (140.117.164.12/data/SDN_NFV_class/03_HowSDNWorks.pdf)
How SDN Works
SDN/NFV Core Network
Department of Computer Science & Information Engineering National Cheng Kung University
2015 Fall
Forerunners of SDN
2
Precursors of SDN
3
Prior to OpenFlow/SDN, forward-thinking researchers and technologists were already considering fundamental changes to the then-current world of autonomous, independent devices and distributed networking intelligence.
• DCAN separates the forwarding and control planes in ATM switching (1997).
• Open signaling separates the forwarding and control planes in ATM switching (1999).
• IP switching controls layer two switches as a layer three routing fabric (late 1990s).
Precursors of SDN (cont.)
4
• MPLS separates control software and establishes semi-static forwarding paths for flows in traditional routers (late 1990s).
• Active networking separates control and programmable switches (late 1990s).
• RADIUS/COPS dynamically provisions policy through admission control (2010).
• Orchestration automates configuration of networking equipment by using SNMP and CLI (2008).
• Ethane achieves complete enterprise and network access and control using separate forwarding and control planes and utilizes a centralized controller (2007).
Early Efforts
5
• Some of the earliest work in programmable networks began not with Internet routers and switches but with ATM switches, including Devolved Control of ATM Networks (DCAN) and open signaling.
  – DCAN prescribes the separation of the control and management of the ATM switches, where the control is assumed by an external device (like the controller in SDN).
  – Open signaling proposed a set of open, programmable interfaces (e.g., General Switch Management Protocol or GSMP in RFC 1987) to separate control software from the ATM switching hardware.
Early Efforts (cont.)
6
• IP Switch, proposed by Ipsilon Networks, utilized GSMP for TCP/IP flows.
• Multiprotocol Label Switching (MPLS; also called tag switching at Cisco) is a deviation from the autonomous and distributed forwarding decisions characteristic of traditional Internet routers.
• Active Networking assumed that switches could be programmed through an out-of-band management protocol with small downloadable programs called capsules, which would travel in packets to reprogram the router/switch on the fly.
Network Access Control
7
• Remote Authentication Dial-In User Service (RADIUS) provides automatic reconfiguration of the network.
• Via RADIUS, networking attributes would change based on the network node that just appeared.
Source: Huawei Cloud Fabric Solution
Orchestration
8
• Orchestration applications, called orchestrators, utilize common device APIs (CLI or SNMP) for automation.
• Vendor-specific plugins are used to convert the higher-level policy requests into the corresponding native SNMP or CLI request specific to each vendor.
• Since no capability exists in legacy equipment for network-wide coordination, virtual network management remains hard.
Source: https://www.netiq.com/documentation/cloudmanager2/ncm2_install_plan/data/bx4b665.html
Ethane: Centralized, reactive, per-flow control
9
[Figure: a Controller managing four Flow Switches on the path between Host A and Host B.]
Birth of OpenFlow
2
OpenFlow: a pragmatic compromise
11
• + Speed, scale, fidelity of vendor hardware
• + Flexibility and control of software and simulation
• Vendors don't need to expose implementation
• Leverages hardware inside most switches today (ACL tables)
Working Groups in ONF
Members in ONF
Three Layers in SDN
OpenFlow: the Southbound Interface
15
[Figure: an OpenFlow Controller connected over the OpenFlow Protocol (SSL/TCP) to a Switch, which runs an OpenFlow Client above its Data Path (Hardware).]
OpenFlow Example
16
[Figure: a PC running the Controller (Software Layer) above an OpenFlow switch (Hardware Layer) with an OpenFlow Client, ports port 1 to port 4 and a Flow Table; hosts 1.2.3.4 and 5.6.7.8 are attached to the switch.]
Flow Table columns: MAC src, MAC dst, IP Src, IP Dst, TCP sport, TCP dport, Action
Flow Table entry as shown on the slide: * * 5.6.7.8 * * * → port 1
OpenFlow Basics: Flow Table Entries
17
A flow table entry has three parts: Rule, Action, Stats.
Rule (match fields): Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP Prot, IP ToS, L4 sport, L4 dport
Action:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify fields
5. Any extensions you add!
Stats: Packet + byte counters
Examples
18
Switching

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | 00:1f:.. | * | * | * | * | * | * | * | port6 |

Flow Switching

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 4 | 17264 | 80 | port6 |

Firewall

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | * | * | * | * | * | * | * | 22 | drop |
Examples (cont.)
19
Routing

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | * | * | * | * | 5.6.7.8 | * | * | * | port6 |

VLAN Switching

| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port6, port7, port9 |
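As an added example (not code from the slides), the flow-table entries of the previous two slides modelled as a small OpenFlow 1.0-style table: wildcard match fields, a priority that decides between overlapping entries, the per-entry packet and byte counters of the Stats column, and a table miss handled as action 2 (send to controller). Field names, the priority values and the sample packets are my assumptions; match values are the abbreviated ones printed on the slides.

```python
# Added example, not from the slides: a minimal OpenFlow 1.0-style flow table
# with wildcard matching, priorities and per-entry packet/byte counters.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class FlowEntry:
    match: Dict[str, object]   # field -> value; a field not listed is a wildcard (*)
    action: str                # "port6", "port6,port7,port9", "drop", ...
    priority: int = 0          # higher wins when wildcard entries overlap (assumed)
    packets: int = 0           # Stats column: packet counter
    bytes: int = 0             # Stats column: byte counter

    def matches(self, pkt: Dict[str, object]) -> bool:
        # A packet lacking a field the rule specifies does not match (fail closed).
        return all(pkt.get(f) == v for f, v in self.match.items())

class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)  # highest priority first

    def lookup(self, pkt: Dict[str, object], length: int) -> str:
        """Action for pkt; a table miss is action 2: encapsulate and send to controller."""
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += length
                return e.action
        return "controller"

def build_example_table() -> FlowTable:
    """The five entries of the Examples slides. Priorities are my assumption: the
    firewall drop must beat the overlapping switching entries, or an SSH packet
    addressed to 00:1f.. would be forwarded instead of dropped."""
    t = FlowTable()
    t.add(FlowEntry({"l4_dport": 22}, "drop", priority=100))                 # Firewall
    t.add(FlowEntry({"in_port": "port3", "mac_src": "00:20..", "mac_dst": "00:1f..",
                     "eth_type": "0800", "vlan_id": "vlan1", "ip_src": "1.2.3.4",
                     "ip_dst": "5.6.7.8", "ip_proto": 4, "l4_sport": 17264,
                     "l4_dport": 80}, "port6", priority=50))                  # Flow switching
    t.add(FlowEntry({"mac_dst": "00:1f..", "vlan_id": "vlan1"},
                    "port6,port7,port9", priority=40))                       # VLAN switching
    t.add(FlowEntry({"mac_dst": "00:1f.."}, "port6", priority=30))           # Switching
    t.add(FlowEntry({"ip_dst": "5.6.7.8"}, "port6", priority=20))            # Routing
    return t
```

The "controller" result on a miss is the reactive path of the later slide: the first packet of an unknown flow goes to the controller, which then installs an entry.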
Centralized vs Distributed Control
20
[Figure: Centralized Control: one Controller managing three OpenFlow Switches. Distributed Control: three Controllers sharing control of three OpenFlow Switches.]
Both models are possible with OpenFlow
Flow Routing vs. Aggregation
21
Flow-Based
• Every flow is individually set up by controller
• Exact-match flow entries
• Flow table contains one entry per flow
• Good for fine grain control, e.g. campus networks
Aggregated
• One flow entry covers large groups of flows
• Wildcard flow entries
• Flow table contains one entry per category of flows
• Good for large number of flows, e.g. backbone
Both models are possible with OpenFlow
Reactive vs. Proactive (pre-populated)
22
Reactive
• First packet of flow triggers controller to insert flow entries
• Efficient use of flow table
• Every flow incurs small additional flow setup time
• If control connection lost, switch has limited utility
Proactive
• Controller pre-populates flow table in switch
• Zero additional flow setup time
• Loss of control connection does not disrupt traffic
• Essentially requires aggregated (wildcard) rules
Both models are possible with OpenFlow
Usage examples
• Alice's code:
  – Simple learning switch
  – Per-flow switching
  – Network access control/firewall
  – Static "VLANs"
  – Her own new routing protocol: unicast, multicast, multipath
  – Home network manager
  – Packet processor (in controller)
  – IPvAlice
  – VM migration
  – Server load balancing
  – Mobility manager
  – Power management
  – Network monitoring and visualization
  – Network debugging
  – Network slicing
… and much more you can create!
Intercontinental VM Migration
Moved a VM from Stanford to Japan without changing its IP. VM hosted a video game server with active network connections.