NEC ProgrammableFlow: An Open and Programmable Network Fabric for Datacenters and the Cloud

NEC Corporation of America, www.necam.com

White Paper

© 2012 NEC Corporation of America

Introduction

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane in which OpenFlow-enabled switches can be interconnected in any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer 2 and layer 3 for interconnecting end systems and delivering end-to-end high performance and reliability. Fabric operation is simplified by NEC's network virtualization solution and API-based automation capabilities. Deployed either as a data center fabric or as a virtualization layer for a variety of service-specific networks, the ProgrammableFlow fabric is an agile solution that lets the network grow incrementally to fit traffic patterns and business needs.

OpenFlow: Open Software-Defined Networking

OpenFlow is an open Software-Defined Networking (SDN) architecture designed primarily to separate the data path from the control path. In OpenFlow, all networking logic and policies are handled by a controller running on a commercial-off-the-shelf (COTS) server, while the hardware switches execute only data plane tasks. OpenFlow lets a network be built from multi-vendor switches, with application-specific network functionality programmed into the controller software and deployed over those switches. The OpenFlow specification is standardized by the Open Networking Foundation (ONF). The ONF Board of Directors includes Deutsche Telekom, Facebook, Google, Microsoft, NTT, Verizon and Yahoo!. Founding member NEC, along with 50 other leaders in the networking industry, has closely collaborated on the OpenFlow specification.

OpenFlow-based networks feature a programmable network

In a standard network, packet forwarding (the data path) and forwarding decisions (the control path) are both handled by the router or switch. In the OpenFlow approach these functions are separated: the router or switch handles the data path, while the control path is handled by a separate, programmable controller. Switch and controller communicate via the OpenFlow standard. This architecture introduces a great deal of flexibility and simplifies management, provisioning, and configuration of the network devices.

Adoption of an OpenFlow architecture reduces cost and complexity and accelerates innovation, and can improve the security, stability, and availability of the cloud and other network-enabled services. The same centralization also makes the controller and its channel to the switches the fabric's critical trust boundary: a compromised controller can rewrite every flow table, so the controller host and the switch-to-controller channel (for which the OpenFlow specification defines TLS) need to be protected at least as carefully as the switches themselves.

OpenFlow also enjoys the benefits of an open architecture approach. While the Ethernet standard is well established, each vendor's implementation is somewhat different, and today's commercial switches and routers typically do not provide an open software platform that supports innovation or customization. As an open-systems overlay over Ethernet, OpenFlow lowers the entry barrier for new ideas, allows customers to avoid vendor lock-in, and could help increase the rate of innovation in network infrastructure.

OpenFlow and the NEC ProgrammableFlow solution deliver operational simplicity and flexibility

The NEC ProgrammableFlow network architecture and product family is a datacenter-class networking fabric developed by NEC. Designed as a simplified architecture for data center and cloud networks, ProgrammableFlow leverages the OpenFlow protocol to create Software-Defined Network (SDN) virtualization, allowing customers to easily deploy and manage virtualized network infrastructure. The NEC ProgrammableFlow product family comprises a high-performance controller, an integrated network visualization monitor, and multi-layer packet-forwarding hardware switches. ProgrammableFlow offers an open network fabric solution which enables a programmable and dynamic approach to creating, deploying, and editing virtualized networks over OpenFlow-enabled switches. Operational simplicity, flexible and smart network programming, network agility to support virtual infrastructure, scale-out performance, and reliability are among the key advantages of the ProgrammableFlow network fabric.

NEC ProgrammableFlow: An Open and Flat Network Fabric

ProgrammableFlow provides an open architecture for building the network fabric. In this architecture, all switches are programmed through the OpenFlow interface and protocol, so the fabric can be built from switches of any vendor as long as they support OpenFlow. The ProgrammableFlow controller also has the ability to create a fabric over heterogeneous switches with different port densities and speeds. Further, the fabric is open in terms of switch interconnection topology: depending on the traffic type, traffic policies, and bandwidth or delay requirements, one can build an open fabric with the right combination of switches and interconnection topology.


Traditionally, a network is deployed as a multi-tiered architecture in which a layer-3 tier connects multiple layer-2 networks running the spanning tree protocol. Scaling becomes a critical concern for such networks when there is a significant amount of east-west traffic: for example, the available bandwidth between two servers drops as the distance between them increases within a datacenter.

ProgrammableFlow provides a flat network fabric architecture that offers multiple advantages. The flat fabric enables least-cost routing between any pair of end hosts, resulting in higher bandwidth and lower latency, and it circumvents any layer-specific bottlenecks in traffic-handling capacity. With ProgrammableFlow, appliances and service modules can be attached to any switch port, thereby avoiding the creation of multiple appliance-specific layers. The flat fabric also allows location independence, which lets end hosts or virtual servers retain their IP addressing scheme independent of switch port assignment.

An important characteristic of the ProgrammableFlow flat network fabric is that it is not restricted to layer-2 network service, as is the case with other flat network solutions. One can define a combination of layer-2 and layer-3 networks and create policies on top of the same flat network fabric without introducing tiers.

Figure 1: ProgrammableFlow architecture

Network-wide Automation

The need for network automation is fueled by the growth of data center size, changing requirements, the complexity of programming the network, and datacenter-wide virtualization. It is challenging to manage multiple switch configurations, firmware upgrades, and vendor-specific CLI scripts. OpenFlow offers a significant advantage by replacing complex, error-prone, vendor-specific CLI interfaces with an open and standardized programmable interface that works across switches from various vendors.

ProgrammableFlow leverages the OpenFlow interface to add a network-wide open automation framework. Instead of a per-switch CLI, ProgrammableFlow offers a network-level CLI. Operators can create and deploy scripts to automate the entire network without having to worry about switch-level configuration errors: the network programming model defined in ProgrammableFlow is robust to such errors and ensures conflict-free switch configurations. Furthermore, ProgrammableFlow offers both a script-based and a REST API-based automation framework through which virtual networks can be created, edited, and deleted. The richness of the model allows operators to easily define topological properties such as packet-forwarding policies. The framework can be integrated with an external orchestration system as well as with external appliances.

The key advantages of ProgrammableFlow's network automation framework are:

a) Integration flexibility with third-party systems
b) Reduced network provisioning time
c) Reduced change deployment time
d) Minimized human error
e) Policy compliance and security
f) Network-wide management interface standardization

Figure 2: ProgrammableFlow controller management interface


Introducing Open, API-based Network Programming

The ProgrammableFlow network provides a virtual network plane through which network operators define dynamic network functionality. Most of this functionality is available through an open, standards-based API framework. The API allows third-party applications such as network management or orchestration systems to interact directly with the network through a well-defined functional interface. Third-party systems can make on-demand calls to the API to create, edit, and delete virtual networks, as well as to add and remove policies.

A distinctive feature of the ProgrammableFlow solution is that the APIs are defined at network level rather than switch level. The controller ensures that API commands are correctly interpreted and that the appropriate flow-level commands are sent to the switches to realize the required network-level functionality. Because this API can reconfigure the whole fabric, access to it should be authenticated and restricted to the orchestration systems that need it, and calls should be logged so that every change to the virtual network plane can be attributed.

Figure 3: ProgrammableFlow functional overview

A Multipath Scale-out Fabric

With the increase in east-west traffic, the available bandwidth between servers, storage elements, and appliances is becoming a critical ingredient of the network. The traditional spanning tree protocol at layer 2 leaves a single active path between end-points, thereby limiting end-to-end bandwidth. Fabric routing protocols based on TRILL offer ways to use multiple paths, but they introduce new protocol-level complexity, and the vendor fabric implementations built around TRILL are proprietary and may require switches from a single vendor.

The ProgrammableFlow Multipath Fabric solution leverages OpenFlow to control the switch plane. Multiple end-to-end paths are created automatically without requiring any special switch-level configuration or understanding of the underlying protocols. Data flows are automatically balanced across multiple paths to provide high end-to-end bandwidth.

The ProgrammableFlow approach to multipath routing offers several advantages over other solutions. In contrast to legacy distributed equal-cost multipath (ECMP) approaches, the ProgrammableFlow solution is built on centralized flow-routing decisions, which allows global traffic-routing optimization. The mapping of flows to paths can be determined dynamically based on class-based policies as well as link weights or costs. Furthermore, the alternate-path computation is based on the underlying topology and existing load conditions and is not limited to the equal-cost metric. Hence, ProgrammableFlow can discover a larger number of end-to-end paths and achieve better flow-level load balancing, resulting in higher end-to-end fabric bandwidth.

The ProgrammableFlow Fabric also scales out automatically. The fabric can be built with a few core switches and then expanded to a large number of switches in any interconnection topology. When a new switch is added, the controller detects both the new switch and the additional links and updates the set of paths to re-optimize the traffic distribution. Consequently, fabric expansion and reduction are handled automatically without explicit configuration. Because newly discovered switches are admitted into the path set automatically, the switch-to-controller channel should authenticate switches (for example with TLS client certificates) so that an unauthorized device plugged into the fabric cannot become a transit node.

Figure 4: The ProgrammableFlow Multipath Fabric enables multiple end-to-end paths to provide high end-to-end bandwidth.


Multiclass Interference-free Fabric Routing

In a typical legacy network, traffic from multiple applications shares the same physical network infrastructure (links, ports, and forwarding capacity) and follows a single path. In contrast, NEC's fabric provides multiple end-to-end paths between end hosts. While multiple paths provide high bandwidth to applications, some applications require their traffic to be separated at the routing level. For example, large bulk file transfers can interfere with the delay-sensitive messaging traffic of trading applications when both share the same fabric, so the two should follow separate paths.

ProgrammableFlow Fabric offers a feature in which the network fabric computes multiple non-interfering paths and maps application traffic to them. Application traffic is identified or classified by packet header field matching rules, and each application class is dynamically mapped to a corresponding path routing policy. For example, the network can compute two end-to-end paths and map FTP bulk data traffic to one while the delay-sensitive messaging traffic is mapped to the other. In essence, the ProgrammableFlow fabric allows the creation of multiple end-to-end lanes and of policies that route traffic classes on the corresponding lanes.

With the multiclass fabric routing feature, one physical network can be provisioned to support the QoS and bandwidth requirements of heterogeneous applications.

Figure 5: ProgrammableFlow’s Multiclass interference-free routing

End-to-end Reliable Fabric

Existing legacy layer-2 networks offer a limited level of reliability. For example, a Link Aggregation Group (LAG) can provide link-level reliability, but LAG cannot recover from a switch failure since a traditional LAG cannot span links from one switch to multiple switches. The alternative is the Spanning Tree Protocol (STP); however, STP variants take on the order of seconds to recover from a link or switch failure, resulting in increased downtime. ECMP-based solutions can recover faster by maintaining alternate paths and switching over quickly on failure, but current legacy implementations do not cover every failure case. Furthermore, vendor-specific proprietary solutions require all switches and routers to come from the same vendor, resulting in vendor lock-in.

ProgrammableFlow provides a highly reliable end-to-end fabric that works over switches from any vendor as long as they support OpenFlow. The controller is a vantage point that monitors the entire network fabric and ensures that backup paths always exist end to end. This is in contrast to distributed protocols, where failure detection and response happen at the local switch level. ProgrammableFlow not only detects multiple failures quickly but can also rapidly shift flows to their respective backup paths, enabling fast recovery even from multiple switch or link failures. Typical turn-around time from failure detection to flow switching is around 100-200 msec.
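The following is an added example, not NEC's code or the ProgrammableFlow controller's algorithm: a small Python model of the centralized path computation described in the multipath, multiclass and reliability sections above. The constructed fabric has two equal-cost spine paths between two leaves plus a slower direct link; the controller enumerates loop-free paths within a cost bound (so the unequal-cost direct link becomes a third lane, which ECMP would ignore), keeps only link-disjoint lanes, pins latency-sensitive traffic to the cheapest lane and bulk FTP traffic to the others, and on a link failure re-places flows and reports which ones moved. The topology, link costs, the FTP-based classification policy, the lane count and the cost bound are assumptions made for illustration.

```python
"""Added example, not NEC code: a controller that computes unequal-cost,
link-disjoint lanes, pins traffic classes to them and re-places flows when a
link fails.  Topology, costs, classes and flows are constructed for illustration."""
from collections import defaultdict

# Constructed two-leaf, two-spine fabric plus a slower direct leaf-to-leaf link.
FABRIC_LINKS = [("leaf1", "s1", 1), ("leaf1", "s2", 1), ("leaf1", "leaf2", 3),
                ("leaf2", "s1", 1), ("leaf2", "s2", 1)]
MAX_LANES, MAX_COST = 3, 4   # assumptions: lanes per host pair, path cost bound


def build_graph(links):
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = graph[b][a] = cost
    return graph


def all_paths(graph, src, dst, max_cost):
    """All loop-free src->dst paths with cost <= max_cost, cheapest first.
    Unequal-cost paths are kept; that is where the extra lanes come from."""
    found = []

    def walk(node, path, cost):
        if cost > max_cost:
            return
        if node == dst:
            found.append((cost, path))
            return
        for nxt, c in graph[node].items():
            if nxt not in path:
                walk(nxt, path + [nxt], cost + c)
    walk(src, [src], 0)
    return sorted(found)


def path_links(path):
    return {frozenset(hop) for hop in zip(path, path[1:])}


def disjoint_lanes(paths, count):
    """Keep up to `count` mutually link-disjoint paths, cheapest first, so a
    burst on one lane cannot queue behind traffic on another."""
    lanes, used = [], set()
    for _cost, path in paths:
        if not path_links(path) & used:
            lanes.append(path)
            used |= path_links(path)
        if len(lanes) == count:
            break
    return lanes


def classify(hdr):
    """Constructed header-field policy: FTP control/data is bulk, all other
    traffic is treated as latency-sensitive."""
    bulk = hdr.get("proto") == "tcp" and hdr.get("dport") in (20, 21)
    return "bulk" if bulk else "latency"


class Controller:
    def __init__(self, links):
        self.links = list(links)
        self.flows = {}        # flow id -> (src, dst, header)
        self.placement = {}    # flow id -> path currently installed
        self._rebuild()

    def _rebuild(self):
        self.graph = build_graph(self.links)
        self.lane_cache = {}
        self.load = defaultdict(int)    # link -> number of flows on it
        for fid, (src, dst, hdr) in self.flows.items():
            self.placement[fid] = self._place(src, dst, hdr)

    def lanes(self, src, dst):
        if (src, dst) not in self.lane_cache:
            paths = all_paths(self.graph, src, dst, MAX_COST)
            self.lane_cache[(src, dst)] = disjoint_lanes(paths, MAX_LANES)
        return self.lane_cache[(src, dst)]

    def _place(self, src, dst, hdr):
        lanes = self.lanes(src, dst)
        if not lanes:
            raise RuntimeError(f"no path from {src} to {dst}")
        # Latency-sensitive traffic owns the cheapest lane; bulk uses the others
        # and shares the cheapest only when nothing else survives.  Within a
        # class the lane whose busiest link is least loaded wins.
        allowed = lanes[:1] if classify(hdr) == "latency" else (lanes[1:] or lanes[:1])
        path = min(allowed, key=lambda p: max(self.load[lk] for lk in path_links(p)))
        for lk in path_links(path):
            self.load[lk] += 1
        return path

    def add_flow(self, fid, src, dst, hdr):
        self.flows[fid] = (src, dst, hdr)
        self.placement[fid] = self._place(src, dst, hdr)
        return self.placement[fid]

    def link_down(self, a, b):
        """Drop the failed link, recompute lanes, re-place every flow and
        return the ids whose path changed (the flow-mods the controller pushes)."""
        before = dict(self.placement)
        self.links = [lk for lk in self.links if {lk[0], lk[1]} != {a, b}]
        self._rebuild()
        return sorted(f for f in before if before[f] != self.placement[f])
```

link_down returns exactly the flows whose installed path changed, which is the set of flow-mods the controller would have to push; flows untouched by the failure keep their entries, which is what keeps failover fast. The greedy disjoint-lane selection is a simplification; a production controller would weigh link capacity and measured utilization rather than a flow count.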

ProgrammableFlow also provides Multi-switch LAG (MLAG), where a LAG group is created from one switch to multiple switches. MLAG is effective for connecting servers to multiple Top-of-Rack (TOR) switches or for connecting to WAN-facing gateway routers. MLAG takes care of reliability at the end points, thereby providing true end-to-end reliable connectivity.

Figure 6: Multi-switch Link Aggregation Group(MLAG) for end-to-end reliability


Secure Multi-tenant Fabric

VLANs are still the de facto standard for providing isolation in present-day data center networks. Today, VLANs are used for various types of isolation: of infrastructure resources, application servers, tenants or customers. However, the VLAN is a construct of legacy layer-2 networks and has severe limitations in performance, reliability and virtual machine migration. Therefore, it is critical that any fabric solution offer the same isolation features as VLANs while removing the limitations of a traditional layer-2 network.

ProgrammableFlow provides a fabric that enables VLAN-type separation by defining a concept called "vBridge" in the virtual network plane. One can simply map VLANs to vBridges and obtain the same level of isolation in the fabric. Packets can be tagged either by the end host, for example using port groups in an ESX vSwitch, or by the fabric switch itself. Tags applied by the end host should only be trusted where the host itself is trusted; elsewhere the switch port should apply the tag, so that a host cannot move itself into another vBridge simply by changing the VLAN tag on its frames. Isolation for security and underlying data-plane optimization are completely decoupled in a ProgrammableFlow fabric.

In many cases, a user wants isolation not only at layer 2 but also at layer 3. For example, in a multi-tenant scenario a tenant may wish to have multiple VLANs for application-level separation, while the cloud or hosting provider wants isolation at tenant level, where each tenant uses a set of VLANs. Security requirements also become more stringent where inter-VLAN traffic crosses layer-3 routers: policies deployed on layer-3 routers to ensure tenant-level isolation are prone to misconfiguration. In summary, legacy networks offer no single construct that secures a tenant comprehensively at the network level.

ProgrammableFlow Fabric defines multi-tenant virtual networks, called Virtual Tenant Networks (VTNs), in which tenants are isolated at the network level. With true traffic isolation between tenants, end systems belonging to one tenant network cannot reach end systems belonging to another. At the same time, each tenant can define its own customized layer-2 or layer-3 network and leverage inter-tenant isolation to effectively obtain a secured slice of the underlying physical network.

Figure 7: ProgrammableFlow provides Network-level VTN isolation

Disaster Recovery

Disaster recovery (DR) has become critical for enterprises running mission-critical applications or services. To provide DR, enterprises have to create backup sites in separate geographical regions. The ProgrammableFlow solution provides several features to assist the DR process.

The ProgrammableFlow solution allows the creation of a virtual network that spans multiple sites over layer-2 pipes. Within such a virtual network, virtual machines or even virtual storage can be migrated from the primary site to the backup site seamlessly. The network policies for routing and forwarding are automatically applied to the migrated servers or storage, which results in fast recovery in case of a failure at the primary site.

The ProgrammableFlow approach also avoids switch-level configuration complexity. All network-level functionality is defined in a single template-based script, and such a template can be applied to a new backup site to get the service up and running quickly. Furthermore, the template definitions are decoupled from the actual physical network topology. Consequently, one has the flexibility to design the primary and backup physical networks differently to optimize the total cost of operation.
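As an added example (not NEC's code or its VTN implementation), the Python below captures the two ideas of the Secure Multi-tenant Fabric and Disaster Recovery sections together: a tenant network is kept as a template that names only vBridges and VLAN ids, it is bound to two differently wired sites, and each binding is compiled into default-deny flow entries keyed on ingress port and VLAN, so that two tenants reusing the same VLAN id stay isolated and a host tagging its own frames with another vBridge's VLAN is dropped. The template and rule formats, switch and port names, and the flood-to-peers forwarding model are assumptions made for illustration; delivering a frame to a peer port on another switch is left to the fabric's path computation, which the paper describes as decoupled from isolation.

```python
"""Added example, not NEC code: tenant templates that name no physical
switch, bound to two differently wired sites and compiled into default-deny
flow entries.  Names and the template/rule formats are constructed."""

# Constructed templates: each tenant's vBridges and the VLAN id that tags
# that vBridge's traffic at the host edge.  Both tenants use VLAN 100.
TEMPLATES = {
    "tenant-a": {"vbridges": {"web": 100, "db": 101}},
    "tenant-b": {"vbridges": {"web": 100}},
}

# Constructed bindings: logical (tenant, vbridge) -> physical (switch, port).
# The DR site is wired differently; the templates above do not change.
SITE_PRIMARY = {
    ("tenant-a", "web"): [("sw1", 1), ("sw2", 1)],
    ("tenant-a", "db"): [("sw2", 2)],
    ("tenant-b", "web"): [("sw1", 2), ("sw2", 3)],
}
SITE_DR = {
    ("tenant-a", "web"): [("edge1", 7), ("edge1", 8)],
    ("tenant-a", "db"): [("edge1", 9)],
    ("tenant-b", "web"): [("edge2", 1)],
}


def port_owners(binding):
    """Map every physical port to its tenant, refusing a port bound to two
    tenants: that misconfiguration would silently merge their networks."""
    owners = {}
    for (tenant, _vb), ports in binding.items():
        for port in ports:
            if owners.setdefault(port, tenant) != tenant:
                raise ValueError(f"{port} bound to {owners[port]} and {tenant}")
    return owners


def compile_flows(templates, binding):
    """Template + binding -> ordered (match, action) rules.  Traffic is keyed
    on ingress port AND VLAN, so VLAN 100 arriving on tenant-b's port is a
    different vBridge from VLAN 100 on tenant-a's, and a host that tags its
    frames with another vBridge's VLAN falls through to the final drop."""
    port_owners(binding)
    rules = []
    for tenant, tmpl in templates.items():
        for vb, vlan in tmpl["vbridges"].items():
            members = binding.get((tenant, vb), [])
            for sw, port in members:
                # Delivery to a peer on another switch is the fabric's path job.
                peers = [m for m in members if m != (sw, port)]
                rules.append({"match": {"sw": sw, "in_port": port, "vlan": vlan},
                              "action": ("flood_to", peers)})
    # Lowest priority, installed last: anything no tenant rule claimed is dropped.
    rules.append({"match": {}, "action": ("drop", [])})
    return rules


def forward(rules, sw, in_port, vlan):
    """First-match lookup, like a flow table ordered by priority."""
    pkt = {"sw": sw, "in_port": in_port, "vlan": vlan}
    for rule in rules:
        if all(pkt[k] == v for k, v in rule["match"].items()):
            return rule["action"]
    raise AssertionError("rule list has no catch-all entry")


def verify_isolation(templates, binding, rules):
    """Audit the compiled table: no member port may flood to another tenant."""
    owners = port_owners(binding)
    for tenant, tmpl in templates.items():
        for vb, vlan in tmpl["vbridges"].items():
            for sw, port in binding.get((tenant, vb), []):
                action, peers = forward(rules, sw, port, vlan)
                if action != "flood_to" or any(owners[p] != tenant for p in peers):
                    return False
    return True
```

verify_isolation is the check worth keeping in a deployment pipeline: it re-reads the compiled table rather than the intent, so a compiler bug or a hand-edited rule that leaks across tenants is caught before the entries reach the switches. The same templates compile cleanly against SITE_DR, which is the portability argument of the Disaster Recovery section in code form.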


Smart Conditional Routing

In many cases, the packet forwarding decision is based on evaluating a condition over a subset of header fields rather than just the destination MAC or IP address. Furthermore, the final destination of a packet need not be the destination IP address but an intermediate appliance or service module such as a firewall or load balancer. Such functionality is hard to obtain in legacy networks. The closest equivalent is the policy-based routing capability of high-end routers; however, policy-based routing is typically limited to simple header-field matches and maps the packet to a router interface or next hop rather than to an end system.

ProgrammableFlow Fabric allows complex conditions to be defined over a combination of packet header fields such as MAC addresses, IP addresses, port numbers and protocol type, enabling intelligent routing decisions. The conditions are declared in a virtual network construct called "vFilter" and can be applied to any virtual node interface (vBridge or vRouter). Each vFilter is associated with one of three actions: a) drop the packet; b) forward the packet to its original destination; c) forward the packet to a specified destination. There are various use cases for conditional routing; some are described below.

Dynamic intelligent ACLs

The virtual filters ("vFilters") defined in the ProgrammableFlow solution can be leveraged to define Access Control Lists (ACLs) of varying complexity. Simple ACLs are based on direct packet header matching to decide whether to drop or pass packets; complex ACLs consist of predicates defined over multiple packet header fields. The ACLs can be deployed dynamically on the virtual network, and the controller takes responsibility for pushing the associated flow-table entries to all switches in the fabric. Since those entries are evaluated in priority order, the order of overlapping ACLs should be verified after deployment, and the list should end with an explicit default-deny entry so that traffic no rule covers is dropped rather than forwarded.

Appliance layer compaction

In a traditional layer-2 data center design, appliances such as firewalls and load balancers are deployed as separate layers, creating multiple layers at the logical level. With conditional routing, appliances can be connected to any switch port and traffic can be explicitly routed to specific appliances using appropriate condition definitions. In other words, there are no physical connectivity constraints on attaching the appliance.

Selective appliance routing

One can easily define flexible conditions for how traffic should be forwarded to different types of appliances. For example, one can set rules that decide whether a given traffic flow is forwarded to the firewall, and whether a particular appliance such as an intrusion detection system is inserted along the flow path.

Appliance or service composition

Appliances or services can be composed by chaining or sequencing multiple rules or vFilters. For example, one can define a set of filters with corresponding actions that build a forwarding path for a particular flow through a firewall, an intrusion prevention system and a load balancer before reaching the destination host.
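The evaluator below is an added example, not NEC's vFilter implementation: it shows how ordered conditions over several header fields map to the three vFilter actions (drop, forward to the original destination, forward to a specified destination) and how sequencing redirect filters builds the firewall, IPS and load balancer chain of the service composition section, alongside the ACL cases of the Dynamic intelligent ACLs section. The filter format, field names, appliance names, the rule that an unmatched packet is dropped, and the sample packets are assumptions made for illustration; the addresses come from documentation ranges.

```python
"""Added example, not NEC code: an evaluator for vFilter-style conditions with
the three actions drop / pass (original destination) / redirect (specified
destination), where ordered redirects form a service chain.  Field names,
filter format, appliance names and sample packets are constructed."""
from ipaddress import ip_address, ip_network

# Constructed filter list, evaluated top to bottom like a prioritised flow
# table.  "to" is the appliance a redirect sends the packet through.
FILTERS = [
    # Cleartext remote-login protocols are dropped before anything else.
    {"match": {"proto": "tcp", "dst_port": 23}, "action": "drop"},
    {"match": {"proto": "tcp", "dst_port": (512, 514)}, "action": "drop"},
    # Service composition: HTTPS to the web tier goes firewall -> IPS -> LB.
    {"match": {"dst_ip": "10.0.10.0/24", "proto": "tcp", "dst_port": 443},
     "action": "redirect", "to": "fw1"},
    {"match": {"dst_ip": "10.0.10.0/24", "proto": "tcp", "dst_port": 443},
     "action": "redirect", "to": "ips1"},
    {"match": {"dst_ip": "10.0.10.0/24", "proto": "tcp", "dst_port": 443},
     "action": "redirect", "to": "lb1"},
    # Management subnet: only the jump host over SSH, everyone else dropped.
    # Order matters: the drop must sit above the broad tenant-wide pass.
    {"match": {"src_ip": "10.0.99.5/32", "dst_ip": "10.0.0.0/24",
               "proto": "tcp", "dst_port": 22}, "action": "pass"},
    {"match": {"dst_ip": "10.0.0.0/24"}, "action": "drop"},
    # Everything else inside the tenant prefix is forwarded unchanged.
    {"match": {"dst_ip": "10.0.0.0/16"}, "action": "pass"},
]


def matches(cond, pkt):
    """Every field in the condition must match: CIDR for addresses,
    (low, high) ranges or exact values for everything else.  A packet that
    lacks a field the condition names does not match."""
    for field, want in cond.items():
        have = pkt.get(field)
        if have is None:
            return False
        if field in ("src_ip", "dst_ip"):
            if ip_address(have) not in ip_network(want):
                return False
        elif isinstance(want, tuple):
            if not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True


def evaluate(filters, pkt):
    """Returns (verdict, appliance_chain).  'drop' and 'pass' end the walk;
    'redirect' appends an appliance and continues so later filters can add
    further hops.  A packet that reaches the end unmatched is dropped, so
    anything that should flow needs an explicit terminal pass rule."""
    chain = []
    for f in filters:
        if not matches(f["match"], pkt):
            continue
        if f["action"] == "drop":
            return ("drop", chain)
        if f["action"] == "pass":
            return ("forward", chain)
        chain.append(f["to"])
    return ("drop", chain)
```

The two drop rules around the management subnet illustrate the ordering hazard of any ACL compiled into a priority-ordered flow table: swap the tenant-wide pass above the management drop and every host gains SSH access to the management prefix, with no error raised. A controller-side check that replays representative packets through evaluate before pushing the entries catches that class of mistake.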

Appliance availability

The controller's ping-based monitoring feature can be used together with conditional routing to improve appliance availability. For example, if a given appliance becomes unavailable, the network fabric can detect the fault and redirect the traffic flow to a standby or backup appliance. For security appliances the redirect policy should also state what happens when no backup is available: failing closed by dropping the flow, rather than bypassing the appliance.

Selective traffic steering

Selective traffic steering refers to scenarios in which traffic is steered towards a given egress port of the fabric based on matched conditions. An example is a policy that steers traffic through the right WAN interface. Such policies can also be reactive: if a WAN link becomes unavailable, the traffic is steered through a backup interface.

Cloud Infrastructure Portability and Repeatability

Infrastructure virtualization is a critical element of the cloud. As part of virtualization, virtual servers and storage can be migrated easily from one physical location to another, either within the same data center or across datacenters. Unfortunately, any such migration requires significant changes to the underlying network configuration. Depending on the physical network topology, such a migration may even require redesigning the network policies and changing switch-level configurations.


© 2012 NEC Corporation. All rights reserved. NEC, NEC logo, and UNIVERGE are trademarks or registered trademarks of NEC Corporation that may be registered in Japan and other jurisdictions. All trademarks identified with ® or ™ are registered trademarks or trademarks respectively. Models may vary for each country. Please refer to your local NEC representatives for further details.

About NEC Corporation of America Headquartered in Irving, Texas, NEC Corporation of America is a leading provider of innovative IT, network and communications products and solutions for service carriers, Fortune 1000 and SMB businesses across multiple vertical industries, including Healthcare, Government, Education and Hospitality. NEC Corporation of America delivers one of the industry’s broadest portfolios of technology solutions and professional services, including unified communications, wireless, voice and data, managed services, server and storage infrastructure, optical network systems, microwave radio communications and biometric security. NEC Corporation of America is a wholly-owned subsidiary of NEC Corporation, a global technology leader with operations in 30 countries and more than $42 billion in revenues. For more information, please visit www.necam.com.

Europe (EMEA): NEC Philips Unified Solutions, www.nec-philips.com
Corporate Headquarters (Japan): NEC Corporation, www.nec.com
Oceania (Australia): NEC Australia Pty Ltd, www.nec.com.au
North America (USA & Canada): NEC Corporation of America, www.necam.com
Asia: NEC Corporation, www.nec.com

WP12018 | v.4.25.12


ProgrammableFlow network virtualization provides a unique advantage in addressing this challenge. Virtual networks in ProgrammableFlow are independent of the underlying physical network and can be defined or edited using template-based scripts. Therefore, after a virtualized server or storage environment is migrated or launched, one can simply apply the existing virtual network templates for a seamless deployment of the network without having to worry about the new underlying physical network.

The decoupling of physical and virtual networks and the use of virtual network templates enable repeatability in a multi-tenant environment where the underlying cloud infrastructure is shared. Template-based virtual networks can be applied with minimal modification to suit individual tenant requirements, thereby providing an on-demand networking model for servers and storage.

Conclusion

NEC ProgrammableFlow Network Fabric leverages the OpenFlow protocol to create a smart, simple, secure and scalable solution for the enterprise datacenter. The ProgrammableFlow network fabric provides an open data plane in which multi-vendor OpenFlow-enabled switches can be interconnected in any traffic-optimized topology. In contrast to existing fabric technologies, ProgrammableFlow provides multipath at both layer 2 and layer 3 for interconnecting end systems and delivering end-to-end high performance and reliability. Fabric operation is simplified by NEC's network virtualization solution and API-based automation capabilities. For building and architecting a data center fabric, the ProgrammableFlow fabric is an agile solution that lets the network grow incrementally to fit traffic patterns and business needs.