NEC ProgrammableFlow: An Open and Programmable Network Fabric for Datacenters and the Cloud
NEC Corporation of America, www.necam.com
White Paper
NEC Corporation of America © 2012
Introduction

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane where OpenFlow-enabled switches can be interconnected with any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer-2 and layer-3 for interconnecting end systems and delivering end-to-end high performance and reliability. The network fabric operation is simplified by leveraging NEC’s unique network virtualization solution and API-based automation capabilities. Deployed either as a data center fabric or as a virtualization layer for a variety of service-specific needs, the Programmable Network Fabric is an agile solution to incrementally grow the network to fit traffic patterns and business needs.
OpenFlow: Open Software-defined Networking

OpenFlow is an open Software-Defined Networking architecture designed primarily to separate the data path and the control path. In OpenFlow, all networking logic and policies are handled by a controller running on a commercial-off-the-shelf (COTS) server, while the hardware switches only execute the data plane tasks. OpenFlow enables a network to be built using multi-vendor switches, wherein application-specific network functionality can be programmed into the controller software and deployed using multi-vendor hardware switches. The OpenFlow specification is standardized by the Open Networking Foundation (ONF). The ONF Board of Directors includes Deutsche Telekom, Facebook, Google, Microsoft, NTT, Verizon and Yahoo!. Founding member NEC, along with 50 other leaders in the networking industry, has closely collaborated to develop the OpenFlow specification.
OpenFlow-based Networks feature Programmable Network

In a standard network, the packets being forwarded (the data path) and the forwarding decisions (the control path) are both handled by the router or switch. In the OpenFlow approach, these functions are separated. The router or switch handles the data path while the control path is handled by a separate, programmable controller. The switch and the controller communicate via the OpenFlow standard. This architecture introduces a great deal of flexibility into the network and simplifies management, provisioning, and configuration of the network devices. Adoption of an OpenFlow architecture results in reduced cost and complexity and accelerated innovation, while increasing the security, stability, and availability of the cloud and other network-enabled services.

OpenFlow also enjoys the benefits of an open architecture approach. While the Ethernet standard is well established, each vendor’s implementation is somewhat different, and today’s commercial switches and routers typically do not provide an open software platform that supports innovation or customization. As an open-systems overlay over Ethernet, OpenFlow lowers the entry barrier for new ideas, allows customers to avoid vendor lock-in, and could help increase the rate of innovation in the network infrastructure space.
OpenFlow and the NEC ProgrammableFlow Solution deliver operational simplicity and flexibility

The NEC ProgrammableFlow network architecture and product family is a datacenter-class networking fabric developed by NEC. Designed as a simplified architecture for data center and cloud networks, ProgrammableFlow leverages the OpenFlow protocol to create Software-Defined Network (SDN) virtualization, allowing customers to easily deploy and manage virtualized network infrastructure. The NEC ProgrammableFlow product family comprises a high-performance controller, an integrated network visualization monitor, and multi-layer packet-forwarding hardware switches. ProgrammableFlow offers an open network fabric solution which enables a programmable and dynamic approach to create, deploy, and edit virtualized networks over OpenFlow-enabled switches. Operational simplicity, flexible and smart network programming, network agility to support virtual infrastructure, scale-out performance, and reliability are some of the key advantages of the ProgrammableFlow network fabric.
NEC ProgrammableFlow: An Open And Flat Network Fabric

ProgrammableFlow provides an open architecture to build the network fabric. In this architecture, all switches are programmed through the OpenFlow interface and protocol. One can build the fabric using switches from any vendor as long as they support the OpenFlow protocol. The ProgrammableFlow controller also has a unique virtualization ability to create a fabric over heterogeneous switches supporting different port densities and speeds. Further, the fabric is open in terms of switch interconnection topology. Depending on the traffic type, traffic policies, and bandwidth or delay requirements, one can build an open fabric with the right switch combination and interconnection topology.
Traditionally, a network is deployed as a multi-tiered architecture where a Layer-3 tier connects to multiple Layer-2 tier networks running the spanning tree protocol. Scaling becomes a critical concern for such networks when there is a significant amount of east-west traffic. For example, the bandwidth performance drops as the distance between two servers increases within a datacenter.

ProgrammableFlow provides a flat network fabric architecture that offers multiple advantages. The flat network fabric enables the use of least-cost routing between any pair of end hosts, resulting in higher bandwidth and lower latency. This also circumvents any layer-specific bottlenecks in terms of traffic handling capabilities. With ProgrammableFlow, appliances and service modules can be attached to any switch ports, thereby avoiding the creation of multiple appliance-specific layers. The ProgrammableFlow flat network fabric allows location independence, which lets the end hosts or virtual servers retain their IP addressing scheme independent of the switch port assignment.

An important characteristic of the ProgrammableFlow flat network fabric is that it is not restricted to just layer-2 network service, as is the case with other flat network solutions. One can define a combination of layer-2 and layer-3 networks and create policies on top of the same flat network fabric without introducing tiers.
Figure 1: ProgrammableFlow architecture
Network-wide Automation

The need for network automation is fueled by the growth of data center size, changing requirements, complexity in programming the network and datacenter-wide virtualization. It is challenging to manage multiple switch configurations, firmware upgrades, and vendor-specific CLI scripts. OpenFlow offers a significant advantage by replacing the complex, error-prone, vendor-specific CLI interfaces with an open and standardized programmable OpenFlow interface that works over switches from various vendors.

ProgrammableFlow leverages the OpenFlow interface to add a network-wide open automation framework. Instead of a per-switch CLI interface, ProgrammableFlow offers a CLI interface for the entire network. Operators can create and deploy scripts to automate the entire network without having to worry about potential switch-level configuration errors. The network programming model defined in ProgrammableFlow is robust to potential errors and ensures conflict-free switch configurations. Furthermore, ProgrammableFlow offers both a script-based and a REST API-based network automation framework through which virtual networks can be created, edited, and deleted. The richness of the model allows operators to easily define topological properties such as packet forwarding policies. The framework can be easily integrated with an external orchestration system as well as with external appliances.

The key advantages of ProgrammableFlow’s network automation framework are:
a) Integration flexibility with 3rd party systems
b) Reduced network provisioning time
c) Reduced change deployment time
d) Minimized human error
e) Policy compliance and security
f) Network-wide management interface standardization.
Figure 2: ProgrammableFlow controller management interface
Introducing Open, API-based Network Programming

The ProgrammableFlow network provides a virtual network plane through which network operators can define dynamic network functionalities. Most of these functionalities are available through an open, standards-based API framework. The API framework allows third-party applications such as network management or orchestration systems to directly interact with the network through a well-defined functional approach. Third-party systems can make on-demand calls to the API to create, edit, and delete virtual networks, as well as to add and remove policies.

A unique feature of the ProgrammableFlow solution is that the APIs are defined at the network level rather than at the switch level. The controller ensures that the API commands are correctly interpreted and that the appropriate flow-related commands are communicated to the switches to realize the required network-level functionality.
Figure 3: ProgrammableFlow functional overview
A Multipath Scale-out Fabric

With the increase in east-west traffic, the available bandwidth between servers, storage elements, and appliances is becoming a critical ingredient in the network. The use of the traditional spanning tree protocol at layer-2 creates a single path between end-points, thereby limiting the end-to-end bandwidth. Advanced fabric routing protocols based on TRILL offer methods of leveraging multiple paths, but they also introduce new protocol-level complexities. Further, TRILL-based protocols are not standardized and may require switches from a single vendor.

The ProgrammableFlow Multipath Fabric solution leverages OpenFlow to control the switch plane. Multiple end-to-end paths are created automatically without requiring any special switch-level configuration or understanding of the underlying protocol. The data flows are automatically balanced across multiple paths to provide high end-to-end bandwidth.

The ProgrammableFlow approach to multipath routing inherently offers several advantages over other solutions. In contrast to legacy distributed equal-cost multipath (ECMP) based approaches, the ProgrammableFlow solution is built on centralized flow routing decisions, resulting in global traffic routing optimization. The mapping of flows to paths can be determined dynamically based on class-based policies as well as link weights/costs. Furthermore, the alternate path computation process is based on the underlying topology and existing load conditions and is not limited to the equal-cost metric. Hence, ProgrammableFlow can discover a larger number of end-to-end paths and achieve better flow-level load balancing, thereby resulting in high end-to-end fabric bandwidth.

ProgrammableFlow Fabric also provides automatic scale-out ability. The fabric can be built with a few core switches and then expanded to a large number of switches while supporting any complex interconnection topology. When a new switch is added, the controller detects both the existence of the new switch and the additional links and updates the set of paths to enable re-optimization of the traffic distribution. Consequently, fabric size expansion and reduction are handled automatically without requiring any explicit configuration.
Figure 4: The ProgrammableFlow Multipath Fabric enables multiple end-to-end paths to provide high end-to-end bandwidth.
Multiclass Interference-free Fabric Routing

In a typical legacy network, the traffic from multiple applications shares the same physical network infrastructure (links, ports, and forwarding capacity) and follows a single path. In contrast to the traditional network design, NEC’s fabric provides multiple end-to-end paths connecting end hosts. While end-to-end paths can provide high bandwidth to applications, there are specific requirements wherein application-specific traffic needs to be separated at the routing level. For example, large bulk data file transfers can interfere with the delay-sensitive messaging traffic of trading applications when sharing the same network fabric, and the two should follow separate paths.

ProgrammableFlow Fabric offers a unique feature in which the network fabric can compute multiple non-interfering paths while enabling application-specific mapping to paths. Application traffic can be identified or classified based on packet header field matching rules. Each application class can be dynamically mapped to a corresponding path routing policy. For example, the network can compute two end-to-end paths and map FTP bulk data traffic to one path while the delay-sensitive messaging traffic is mapped to the other path. In essence, ProgrammableFlow fabric allows the creation of multiple end-to-end lanes and policies to route traffic classes on the corresponding lanes.

With the multiclass fabric routing feature, one physical underlying network can be provisioned to optimally support the QoS and bandwidth requirements of heterogeneous applications.
Figure 5: ProgrammableFlow’s Multiclass interference-free routing
End-to-end Reliable Fabric

Existing legacy layer-2 networks offer a limited level of reliability. For example, a Link Aggregation Group (LAG) can ensure link-level reliability. However, LAG cannot recover from a switch failure, since a traditional LAG cannot be defined across links connecting one switch to multiple switches. The alternative is to use the Spanning Tree Protocol (STP). However, all variants of STP take time of the order of seconds to recover from a link or switch failure, resulting in increased downtime. ECMP-based solutions can provide fast recovery from such failures by maintaining alternate paths and executing a fast switch-over in case of failure. However, current legacy implementations do not provide a 100% failure-proof solution. Furthermore, vendor-specific proprietary solutions require all switches and routers to be from the same vendor, resulting in vendor lock-in.

ProgrammableFlow provides a highly reliable end-to-end fabric that works over any type of switch from any vendor as long as it supports OpenFlow. The controller is a vantage point that monitors the entire network fabric and ensures that backup paths always exist at an end-to-end level. This is in contrast to distributed protocols, where failure detection and response happen at the local switch level. ProgrammableFlow not only detects multiple failures quickly but can also rapidly shift flows to the respective backup paths, enabling fast recovery from even multiple switch or link failures. The typical turn-around time from failure detection to flow switching is around 100-200 msec.

ProgrammableFlow also provides Multi-switch LAG (MLAG), where a LAG group can be created from one switch to multiple switches. MLAG can be effective in connecting servers to multiple Top-of-the-Rack (TOR) switches or in connecting to WAN-facing gateway routers. MLAG takes care of reliability at the end points, thereby providing true end-to-end reliable connectivity.
Figure 6: Multi-switch Link Aggregation Group (MLAG) for end-to-end reliability
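The lane computation, class-to-lane mapping and failure handling described in the multipath, multiclass and reliability sections above, as an added example in Python that is not NEC’s code and does not model ProgrammableFlow’s real algorithms: the switch names, link costs and traffic classes are constructed, and the greedy link-disjoint search stands in for whatever path computation the controller actually performs.

```python
"""Toy centralized multipath controller (added example, not NEC's code).
Shows, on a constructed topology, lanes that need not be equal cost, traffic
classes mapped to separate non-interfering lanes, and re-routing to a backup
lane on link failure.  Switch names, link costs and class names are constructed.
"""
import heapq

# Constructed fabric: edge switches s1/s4 joined by three lanes of differing cost.
FABRIC = [("s1", "s2", 1), ("s2", "s4", 1),   # lane via s2, cost 2
          ("s1", "s3", 2), ("s3", "s4", 2),   # lane via s3, cost 4 (ECMP would ignore it)
          ("s1", "s4", 10)]                   # direct but slow lane, cost 10

# Traffic classes in priority order: the first class gets the lowest-cost lane.
CLASS_PRIORITY = ["latency-sensitive", "bulk-ftp"]


def build_adj(links):
    """Undirected adjacency map {switch: {neighbour: cost}}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def links_of(lane):
    """The set of undirected links a lane traverses."""
    return {frozenset(hop) for hop in zip(lane, lane[1:])}


def least_cost_path(adj, src, dst, down=frozenset()):
    """Dijkstra over the fabric; links in 'down' are treated as unusable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, cost in adj[u].items():
            if frozenset((u, v)) in down:
                continue
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def discover_lanes(adj, src, dst, k, down=frozenset()):
    """Greedy link-disjoint lane discovery: each lane's links are excluded before
    the next search, so lanes share no link and cannot interfere with each other."""
    lanes, used = [], set(down)
    for _ in range(k):
        lane = least_cost_path(adj, src, dst, frozenset(used))
        if lane is None:
            break
        lanes.append(lane)
        used |= links_of(lane)
    return lanes


def assign_lanes(adj, src, dst, down=frozenset()):
    """Map each class to its own lane in priority order; if the fabric offers
    fewer lanes than classes, the remaining classes share the last lane found."""
    lanes = discover_lanes(adj, src, dst, len(CLASS_PRIORITY), down)
    return {cls: (lanes[min(i, len(lanes) - 1)] if lanes else None)
            for i, cls in enumerate(CLASS_PRIORITY)}


def on_link_failure(adj, src, dst, failed, current):
    """Controller reaction to a link-down event: recompute every lane without the
    failed link and report which classes were moved to a backup lane."""
    bad = frozenset(failed)
    affected = [cls for cls, lane in current.items() if lane and bad in links_of(lane)]
    return assign_lanes(adj, src, dst, frozenset({bad})), affected
```

On the constructed fabric the two classes start on the cost-2 and cost-4 lanes; when link s2-s4 fails, the latency-sensitive class moves to the cost-4 lane and bulk traffic falls back to the direct cost-10 lane, while a pure equal-cost scheme would never have used the second lane at all.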
Secure Multi-tenant Fabric

VLANs are still the de facto standard for providing secure isolation in present-day data center networks. Today, VLANs are used for various types of isolation: isolating infrastructure resources, application servers, tenants or customers. However, VLAN is a characteristic of legacy layer-2 networks, which have severe limitations in terms of performance, reliability and virtual machine migration. Therefore, it is critical that any fabric solution offer the same security and isolation features as provided by VLANs, while alleviating all the limitations of a traditional layer-2 network.

ProgrammableFlow provides a fabric that enables VLAN-type separation by defining a concept called “vBridge” in the virtual network plane. One can simply map VLANs to vBridges and provide the same level of isolation in the fabric. Packets can be tagged either by the end host, such as by using port groups in the ESX vSwitch, or by the fabric switch itself. Isolation for security and underlying data plane optimization are completely decoupled in a ProgrammableFlow fabric.

In many cases, a user wants isolation not only at layer-2 but also at layer-3. For example, in a multi-tenant scenario, a tenant may wish to have multiple VLANs for application-level separation. The cloud or hosting provider may want to have isolation at the tenant level, where each tenant is using a set of VLANs. Security requirements can also become stringent in cases where there is inter-VLAN traffic which utilizes Layer-3 routers. Policies deployed at layer-3 routers to ensure tenant-level isolation are prone to misconfiguration. In summary, there exist no comprehensive isolation solutions in the legacy world which can secure a tenant at the network level.

ProgrammableFlow Fabric has defined multi-tenant virtual networks where tenants are isolated at the network level. With true traffic isolation between tenants, end systems belonging to one tenant network cannot reach end systems belonging to another tenant network. At the same time, each tenant can define its own customized layer-2 or layer-3 network and leverage inter-tenant isolation to effectively create a secured slice of the underlying physical network.
Figure 7: ProgrammableFlow provides Network-level VTN isolation
Disaster Recovery

Disaster recovery (DR) has become critical for enterprises that are running mission-critical applications or services. In order to provide DR, enterprises have to create backup sites in separate geographical regions. The ProgrammableFlow solution provides several features to assist the DR process.

The ProgrammableFlow solution allows the creation of a virtual network that can span multiple sites over layer-2 pipes. Within such a virtual network, the virtual machines or even virtual storage can be migrated from the primary site to the backup site seamlessly. The network policies for routing and forwarding are automatically applied to the migrated servers or storage. This automation results in fast recovery in case of any failure at the primary site.

The ProgrammableFlow approach also avoids switch-level configuration complexities. All network-level functionalities are defined in a single template-based script. Such a template can be applied to a new backup site to quickly get the service up and running. Furthermore, the template definitions are decoupled from the actual physical network topology. Consequently, one has the flexibility to design the primary and the backup physical networks differently to optimize the total cost of operation.
Smart Conditional Routing

In many cases, the packet forwarding decision is based on the result of evaluating a condition on a subset of header fields rather than just the destination MAC or IP address. Furthermore, the final destination of a packet need not be the destination IP address but an intermediate appliance or service module such as a firewall or load balancer. Such functionality is not available in legacy networks. The closest solution to such functionality is the policy-based routing capability that is available in high-end routers. However, policy-based routing is limited to simple header field matches and can only map the packet to a specific router interface as opposed to an end system.

ProgrammableFlow Fabric allows complex conditions to be defined over a combination of multiple packet header fields such as MAC addresses, IP address, port number and protocol type, enabling intelligent routing decisions. The conditions are declared in a virtual network construct called “vFilter” and can be applied to any virtual node interface (vBridge or vRouter). Each vFilter is associated with one of three action items: a) drop the packet; b) forward the packet to its original destination; c) forward the packet to a specified destination. There are various use cases of conditional routing. Some of these are described below.

Dynamic intelligent ACLs
The virtual filters (“vFilters”) defined in the ProgrammableFlow solution can be leveraged to define Access Control Lists (ACLs) of various degrees of complexity. Simple ACLs can be based on direct packet header matching to decide whether to drop or pass the packets. Complex ACLs can consist of complex predicates defined on multiple packet header fields. The ACLs can be deployed dynamically on the virtual network. The controller takes the responsibility of pushing the associated flow table entries to all the switches in the fabric.

Appliance layer compaction
In a traditional layer-2 data center design, appliances such as firewalls and load balancers are deployed as separate layers, thereby creating multiple layers at the logical level. With the use of conditional routing, appliances can be connected to any switch port and traffic can be explicitly routed to specific appliances using an appropriate condition definition. In other words, there are no physical connectivity constraints in attaching the appliance.

Selective appliance routing
One can easily define flexible conditions on how traffic should be forwarded to different types of appliances. For example, one can set rules to decide whether or not to forward a given traffic flow to the firewall, and whether or not to add a particular appliance such as an intrusion detection system along the flow path.

Appliance or Service composition
Appliance or service composition can be done by chaining or sequencing multiple rules or vFilters. For example, one can define a set of filters with corresponding actions to define a forwarding path for a particular flow that consists of a firewall, an intrusion prevention system and a load balancer before reaching the destination host.

Appliance availability
ProgrammableFlow’s ping-based monitoring feature in the controller can be used in conjunction with conditional routing to improve appliance availability. For example, if a given appliance becomes unavailable, the network fabric can detect the fault and assist in redirecting the traffic flow to a standby or backup appliance.

Selective traffic steering
Selective traffic steering refers to application scenarios where traffic is steered towards a given egress port of the fabric based on certain matched conditions. An example scenario is when policies are set to steer traffic through the right WAN interface. Such policies can be reactive as well. For example, if a WAN access link becomes unavailable, the traffic needs to be steered through a backup interface.
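A toy model of vFilter evaluation, dynamic ACL installation, service composition and standby fallback as described in the conditional routing use cases above, added here as an example that is not NEC’s code and does not reproduce the real vFilter syntax; the header field names, appliance names, addresses, and the rule that a redirect continues filter evaluation so that redirects chain, are all assumptions.

```python
"""Toy model of vFilter conditional routing (added example, not NEC's code).
A vFilter matches a predicate over any combination of header fields and carries
one of the three actions the text lists: DROP, FORWARD (to the original
destination) or REDIRECT (to a named appliance).  Filters are evaluated in order,
so successive REDIRECTs compose a service chain (firewall -> IPS -> load balancer)
and an appliance the monitor reports down is replaced by its standby.  Field
names, appliance names and addresses are all constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]   # constructed header view, e.g. {"dst_ip": ..., "dst_port": 80}

@dataclass
class VFilter:
    name: str
    match: Callable[[Packet], bool]   # predicate over header fields
    action: str                       # "DROP", "FORWARD" or "REDIRECT"
    target: Optional[str] = None      # appliance name, REDIRECT only

@dataclass
class Appliance:
    name: str
    up: bool = True                   # what the ping-based monitor would report
    standby: Optional[str] = None

class ConditionalRouter:
    """Stands in for the controller: the ordered vFilters applied to one virtual
    interface (vBridge or vRouter) plus the appliance availability table."""

    def __init__(self, filters: List[VFilter], appliances: List[Appliance]):
        self.filters = list(filters)
        self.appliances = {a.name: a for a in appliances}

    def install(self, vfilter: VFilter, position: Optional[int] = None) -> None:
        """Dynamic ACL deployment; the real controller would then push the
        matching flow entries to every switch in the fabric."""
        if position is None:
            self.filters.append(vfilter)
        else:
            self.filters.insert(position, vfilter)

    def _live_appliance(self, name: Optional[str]) -> Optional[str]:
        """Follow the standby chain until a live appliance is found."""
        seen = set()
        while name and name not in seen:
            seen.add(name)
            if self.appliances[name].up:
                return name
            name = self.appliances[name].standby
        return None

    def route(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Return ("DROP", hops) or ("FORWARD", hops), where hops is the ordered
        list of appliances the packet visits before its original destination."""
        hops: List[str] = []
        for f in self.filters:
            if not f.match(pkt):
                continue
            if f.action == "DROP":
                return "DROP", hops
            if f.action == "FORWARD":
                return "FORWARD", hops
            target = self._live_appliance(f.target)
            if target is None:          # every candidate appliance is down:
                return "DROP", hops     # fail closed rather than bypass the chain
            hops.append(target)
        return "FORWARD", hops

def is_web(p: Packet) -> bool:
    return p.get("proto") == "tcp" and p.get("dst_port") in (80, 443)

def demo_router() -> ConditionalRouter:
    """Constructed policy for one vBridge interface (all values are examples)."""
    filters = [
        VFilter("deny-telnet", lambda p: p.get("proto") == "tcp" and p.get("dst_port") == 23, "DROP"),
        VFilter("trusted-east-west",          # complex predicate on two fields
                lambda p: str(p.get("src_ip")).startswith("10.0.") and str(p.get("dst_ip")).startswith("10.0."),
                "FORWARD"),
        VFilter("web-fw", is_web, "REDIRECT", "fw-1"),    # service composition:
        VFilter("web-ips", is_web, "REDIRECT", "ips-1"),  # firewall -> IPS -> LB
        VFilter("web-lb", is_web, "REDIRECT", "lb-1"),
    ]
    appliances = [Appliance("fw-1", standby="fw-2"), Appliance("fw-2"),
                  Appliance("ips-1"), Appliance("lb-1")]
    return ConditionalRouter(filters, appliances)
```

Marking an appliance down (as the controller's monitor would) is enough to move the chain onto the standby, and a chain whose appliance has no live standby fails closed instead of letting traffic skip the appliance.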
Cloud Infrastructure Portability And Repeatability

Infrastructure virtualization is a critical element of the cloud. As a part of virtualization, virtual servers and storage can be easily migrated from one physical location to another, either in the same data center or across datacenters. Unfortunately, any such migration requires significant changes in the underlying network configurations. Depending on the physical network topology, such migration may even lead to redesigning the network policies and changing the switch-level configurations.
© 2012 NEC Corporation. All rights reserved. NEC, NEC logo, and UNIVERGE are trademarks or registered trademarks of NEC Corporation that may be registered in Japan and other jurisdictions. All trademarks identified with ® or ™ are registered trademarks or trademarks respectively. Models may vary for each country. Please refer to your local NEC representatives for further details.
About NEC Corporation of America Headquartered in Irving, Texas, NEC Corporation of America is a leading provider of innovative IT, network and communications products and solutions for service carriers, Fortune 1000 and SMB businesses across multiple vertical industries, including Healthcare, Government, Education and Hospitality. NEC Corporation of America delivers one of the industry’s broadest portfolios of technology solutions and professional services, including unified communications, wireless, voice and data, managed services, server and storage infrastructure, optical network systems, microwave radio communications and biometric security. NEC Corporation of America is a wholly-owned subsidiary of NEC Corporation, a global technology leader with operations in 30 countries and more than $42 billion in revenues. For more information, please visit www.necam.com.
Europe (EMEA): NEC Philips Unified Solutions, www.nec-philips.com
Corporate Headquarters (Japan): NEC Corporation, www.nec.com
Oceania (Australia): NEC Australia Pty Ltd, www.nec.com.au
North America (USA & Canada): NEC Corporation of America, www.necam.com
Asia: NEC Corporation, www.nec.com
WP12018 | v.4.25.12
ProgrammableFlow network virtualization provides a unique advantage to address the above challenge. Virtual networks in ProgrammableFlow are independent of the underlying physical network and can be defined or edited using template-based scripts. Therefore, after the migration or launch of a virtualized server or storage environment, one can easily apply the existing virtual network templates for a seamless deployment of the network without having to worry about the new underlying physical network.

The decoupling of the physical and virtual networks and the use of virtual network templates enable repeatability in a multi-tenant environment where the underlying cloud infrastructure is shared. Template-based virtual networks can be applied with minimal modification to suit individual tenant requirements, thereby providing an on-demand networking model for servers and storage.
Conclusion

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane where multi-vendor OpenFlow-enabled switches can be interconnected with any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer-2 and layer-3 for interconnecting end systems and delivering end-to-end high performance and reliability. The network fabric operation is simplified by leveraging NEC’s unique network virtualization solution and API-based automation capabilities. In terms of building and architecting a data center fabric, the Programmable Network Fabric is an agile solution to incrementally grow the network to fit traffic patterns and business needs.