© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture.
SD-WAN / Nuage VNS - Technical Deep Dive
Roman Pindrik, Nokia ION RBC
NOKIA — PROPRIETARY AND CONFIDENTIAL — RESTRICTED — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.
TTP36009 Nuage Networks Virtualized Network Services (VNS) Fundamentals
AGENDA
SDN and SD-WAN Concepts
Virtualized Network Services (VNS) Portfolio
Overview and Architecture
Components (VSD, VSC, VRS, Gateways, NSG, VSAP)
Deployment Models, Key Functionality, and Use Cases
ENTERPRISE NETWORKING NEEDS A RETHINK
TRANSPORT DEPENDENT
LOCATION DEPENDENT
DEVICE DEPENDENT
MANUAL (TIME ‘DEPENDENT’)
ENTERPRISE WAN
1. Turn-up a new site
2. Reconfiguration of existing site
3. Transport introduction/upgrades
4. L2-L4 VPN service configuration
5. Security implementation
6. Security assessment
7. L4-L7 application insertion
8. Datacenter interconnection
9. Operational moves/adds/changes
10. Service assurance/fault localization
11. Service optimization/fault prevention
12. Device replacement
13. Configuration auditing/compliance
14. ...
WHAT IS SD-WAN?
SD-WAN (Software Defined Wide Area Networks) is a new model for the delivery of Enterprise services over WAN based on SDN principles
Overlay offers transport choices
IT approach to network service delivery
SD-WAN promises to shift incremental control to enterprise IT
IMAGINE IF…
[Diagram: branch offices and the enterprise WAN joined to private cloud and public cloud over ANY network (on-net, Internet) with ANY access; seamless on-boarding; general purpose hardware; new fulfillment models; automated operations; instantaneous policy-driven modifications; simplified fulfillment and management; freedom of choice; open.]
ONE COHESIVE ENVIRONMENT: FROM BRANCH TO WAN TO DATA CENTER
VNS 3.2 Recap
Release 3.2 (Q2 2015)
Connectivity and Operations
• Group-key encryption (integrated key server)
• Dual uplink support
• Internet breakout
• NSG HA device/link models
• Dynamic NAT traversal
Operations
• Controller-based CLI
• VSAP integration
• Traffic mirroring
• Controlled NSG local SSH access
Application support
• Dynamic service insertion
• Multi-class of service QoS
• Address Translation (NAT/PAT)
Open platform
• Form factors: NSG-E (6-port GE UTP), NSG-V (KVM and ESX)
• Bootstrapping: PKI support, X.509 certs
• Hardware integration: Trusted Platform Module, crypto engine acceleration
VNS Rel4.0R1 – R3 Recap
Connectivity and Application Support
Release 4.0r1 (Q2 2016)
• VLAN on Uplink
• NSG HA device/link models
• PPPoE on Uplink
• NSG onboard BGPv4
- CE-PE
- CE-CPE
Operations
• Controller-less Operations (Phase 1)
• VSD License Enhancements
• VSD and NSG UI Self Branding
• PAT Enhancements
• Per uplink address translation pool
• Per uplink NAT-T flag
• “Start:Stop” Address Translation Pool range definition
• Static port forwarding for incoming traffic
Open platform
• AWS AMI NSG-V Image
• Auto Config (Bootstrapping)
• TPM Status
• IPsec (IPoESP) IKEv1/v2
• SSH Hardening (phase 1)
• Passwordless login with SSH keys
• Configuration support for limiting access
PROMISE OF SD-WAN: YOUR WAN ON YOUR TERMS
[Diagram: a centralized management and network policy engine controls a software defined wide area network that spans fixed and mobile access networks (IP-VPN, private IP, Internet, L2-VPN, business Internet) to branch locations.]
VNS: A NEW TYPE OF VPN
OVERLAY NETWORKS: DECOUPLING SERVICE AND TRANSPORT
VNS is an SDN overlay solution
• VSC programs the data plane for all NSGs
- Aware of all L2/L3 topology behind each NSG
- Calculate once, program many
• CPE becomes the service instantiation point
- Smart edge principle
- VXLAN/VXLAN-IPsec service transport
- Full mesh capability
• Traffic is carried encapsulated over the underlay network
- Underlay network could be any infrastructure
- Unaware of topology of overlay service
• Simplifies and enables service chaining
- New service introduction
OVERLAY SOLUTIONS
To address the requirements in the previous slides, VNS uses a VXLAN based overlay solution.
An overlay network is a virtual abstraction (L2 or L3 service) built on top of an existing physical network.
Overlay solutions fall under two main categories:
Network-centric overlays
Examples: VPLS, PBB-VPLS, SPBM, TRILL
Diminishing popularity due to one or more of:
MAC address, VLAN scaling
STP dependency, flooding limitations
Hardware/software requirements
Standards compatibility
Host-centric overlays
Examples: VXLAN, NV-GRE, STT, etc.
Increasing popularity due to one or more of:
Automated and simple VM provisioning
VM mobility
Scaled multi-tenancy
INFRASTRUCTURE (UNDERLAY) NETWORK
Physical IP network
Provides connectivity between IP routers and connected edge devices
Routing tables set up using OSPF, ISIS, BGP, static routes
Can provide other IP services. For example:
QoS
Multicast
ECMP
VXLAN (or any other overlay protocol) is encapsulated in IP packets and carried over the IP underlay
OVERLAY NETWORK
An overlay network is a separate network built on top of an existing infrastructure (underlay) network
Simplifies provisioning because the underlay does not change
Overlay traffic is ‘tunneled’ over the underlay network
VXLAN/EVPN OVERLAY VS. MPLS-BASED VPN
Overlay networks are not new: Layer 2 and Layer 3 VPNs have been implemented in IP/MPLS networks to connect customer sites in an isolated and scalable manner for many years
VXLAN ENCAPSULATION
VXLAN (virtual extensible LAN) characteristics:
Defined in IETF RFC 7348
Provides Layer 2 overlay networks over a Layer 3 network
Allows for 16 million tenant IDs as opposed to 4 thousand VLANs
Inherent load balancing support in the DC network through ECMP using UDP source port hashing
Tunnel encapsulation/decapsulation performed by VTEP (virtual tunnel endpoint) capable devices
Most server NIC vendors and DC vendors have announced support for VXLAN
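The encapsulation described above, as an added example that is not part of the original deck or of any Nuage software: it builds and parses the RFC 7348 VXLAN header (24-bit VNI, the "I" flag), wraps a constructed inner Ethernet frame in UDP to destination port 4789, and derives the outer UDP source port from a hash of the inner headers so that underlay ECMP spreads tunnels across paths while keeping each flow on one path. The inner frame, MAC addresses, and VNI value are constructed sample values. Note what the parser does not check: VXLAN carries no authentication or integrity field, which is why the deck transports VXLAN over IPsec on untrusted underlays and why a receiving VTEP should only accept VXLAN from the underlay addresses it expects.

```python
import hashlib
import struct

# Constants from RFC 7348.
VXLAN_UDP_PORT = 4789          # IANA-assigned destination port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field carries a valid VNI
VNI_BITS = 24                  # 2**24 = 16,777,216 tenant IDs (the slide's "16 million")
ETH_IPV4_HEADER_LEN = 14 + 20  # bytes of inner Ethernet + IPv4 header hashed for ECMP

def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << VNI_BITS):
        raise ValueError(f"VNI {vni} does not fit in {VNI_BITS} bits")
    # The VNI occupies the top 24 bits of the final 32-bit word; the low byte is reserved (0).
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)

def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI from a VXLAN header; reject headers without the I flag set."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_word = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_word >> 8

def ecmp_source_port(inner_frame: bytes) -> int:
    """Derive the outer UDP source port from a hash of the inner headers.
    Underlay routers hash the outer 5-tuple for ECMP, so varying this port per
    inner flow spreads tunnels across paths while one flow always takes one path."""
    digest = hashlib.sha256(inner_frame[:ETH_IPV4_HEADER_LEN]).digest()
    # Stay in the dynamic/ephemeral range 49152-65535 as RFC 7348 recommends.
    return 49152 + int.from_bytes(digest[:2], "big") % (65535 - 49152 + 1)

def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Wrap an inner Ethernet frame in UDP + VXLAN (the sending VTEP's job).
    The UDP checksum is left 0, which IPv4 permits for VXLAN."""
    payload = build_vxlan_header(vni) + inner_frame
    udp_header = struct.pack("!HHHH", ecmp_source_port(inner_frame),
                             VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp_header + payload

def decapsulate(udp_datagram: bytes) -> tuple[int, bytes]:
    """Strip UDP + VXLAN on the receiving VTEP and return (vni, inner_frame)."""
    _sport, dport, length, _cksum = struct.unpack("!HHHH", udp_datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(udp_datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    return parse_vxlan_header(udp_datagram[8:16]), udp_datagram[16:]

def sample_inner_frame() -> bytes:
    """Constructed inner frame (assumed values): Ethernet + IPv4 header + 12-byte payload.
    The IPv4 checksum is left 0 because only the header fields matter here."""
    ethernet = bytes.fromhex("020000000002" "020000000001" "0800")  # dst MAC, src MAC, IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 12, 0, 0, 64, 17, 0,
                       bytes([10, 0, 1, 10]), bytes([10, 0, 2, 10]))
    return ethernet + ipv4 + b"hello-branch"

if __name__ == "__main__":
    frame = sample_inner_frame()
    datagram = encapsulate(frame, vni=0x123456)
    vni, inner = decapsulate(datagram)
    print(f"VNI {vni:#x}, outer UDP src port {ecmp_source_port(frame)}, inner intact: {inner == frame}")
```

The `length != len(udp_datagram)` check and the I-flag check are the only validation a VTEP can do on the VXLAN layer itself; tenant isolation rests on the VNI being trustworthy, so the underlay (or IPsec) has to be what keeps spoofed datagrams away from port 4789.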
VXLAN PACKET FORMAT
VXLAN TRAFFIC FLOW EXAMPLE
SDN CONTROLLER: AUTOMATION AND FLEXIBILITY THROUGH CENTRAL CONTROL
SDN controller:
Communicates with the NSG using the OpenFlow protocol
MAC/IP addresses learned on LAN ports are reported to the controller
Loads the forwarding information to all the NSGs
VNS: SD-WAN VXLAN-BASED VPN
Control plane: OpenFlow and BGP EVPN
Data plane: VXLAN
NSGs forward directly between each other using VXLAN as the overlay
Underlay network: VXLAN traffic (IP packets) between endpoints
Data plane can be further encapsulated if needed
VNS ARCHITECTURAL REPRESENTATION
[Diagram: the Virtualized Services Directory (VSD) sits above a layer of Virtualized Services Controllers (VSC); the VSCs peer with each other and with a route reflector (RR) over MP-BGP; data-center hypervisors hosting VMs and a branch site connect to the VSCs over secured channels across Internet/IP underlays.]
VSP/VNS: A UNIFIED SDN SOLUTION
NUAGE NETWORKS VIRTUALIZED SERVICES PLATFORM (VSP)
[Diagram: management plane (Virtualized Services Directory, REST northbound to OSS/orchestration, 5620 SAM with VSAP over SNMP), control plane (Virtualized Services Controller, XMPP to the VSD, MP-BGP to the 7x50 DC Gateway edge router towards WAN/Internet and to other VSCs), and data plane (Virtual Routing & Switching over the IP fabric with VMs, containers and BMS; 7850 VSG and 3PP ToR via OVSDB; Network Services Gateway over OF-TLS and VXLAN over IPsec; port/VLAN hand-offs). Datacenter SDN and SD-WAN share the same VSD/VSC.]
Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics
Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set
Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets
Network Services Gateway (NSG)
• Network service platform for branches
• L2-L4 switching/routing with advanced network functions
• Physical or virtual form factors
PLACEMENT OF VNS AND VSP COMPONENTS
Management Plane: VSD
• Programmable policy engine
• Northbound interface: cloud management systems (example: OpenStack), dedicated self-service portals
Control Plane: VSC
• Provides routing and switching controls for virtual machines in a datacenter (VSP) and for branch hosts/devices (VNS)
Data Plane:
• VRS, VRS-G, VSG (for VSP)
• NSG (for VNS)
NUAGE VNS CORE COMPONENTS AND INTERFACES
[Diagram: the control infrastructure (VSD cluster including VSD-N, VSC, VSC Utility, RR, OSS, VSAP) sits in the trusted zone behind the enterprise firewall (ENT FW) and a DMZ; NSGs (NSG-V/BR) reach it from the untrusted MPLS/Internet underlay through a PE; NTP and DNS servers are also shown. SSH to the VSC is assumed over the management interface.]
Protocols and ports between components:
• SNMP: UDP 161 (from SAM) / UDP 162 (to SAM)
• XMPP / XMPP-TLS: TCP 5222 (VSC/Utils -> VSD)
• BGP: TCP dPort 179, sPort 1023
• HTTPS: TCP 11443/12443
• Stats: TCP 39090
• RPC/Nuagemon: TCP 7407 (NSG -> VSC)
• NTP: UDP 123 (NSG -> VSC, VSC -> NTP)
• HTTPS: TCP 7443
• OF-TLS: TCP 6633 (NSG -> VSC)
• DTLS: UDP 4500, 4789 (NSG -> VSC)
• DNS: UDP 53
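A practitioner reading the port list above usually wants it as an enforceable allowlist: only the listed protocol/port pairs, in the listed directions, should cross the trusted/untrusted boundary, and anything else seen in flow logs is worth a look. The following is an added example, not code from the deck or from Nuage: it encodes the slide's flows as rules, keeps the direction only where the slide states one (the others are left as "any", not guessed), and audits a few constructed flow records. The `src=... dst=... proto=... dport=...` record format and the role names used in the records are this example's assumptions.

```python
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    proto: str
    dport: int
    src: Optional[str]   # initiating component, or None when the slide gives no direction
    dst: Optional[str]   # receiving component, or None when the slide gives no direction
    name: str

# Control-plane flows as listed on the slide. Roles are the slide's component names.
CONTROL_PLANE_RULES: List[Rule] = [
    Rule("udp", 161, None, None, "SNMP poll (from SAM)"),
    Rule("udp", 162, None, None, "SNMP trap (to SAM)"),
    Rule("tcp", 5222, "VSC", "VSD", "XMPP/XMPP-TLS"),
    Rule("tcp", 5222, "Utils", "VSD", "XMPP/XMPP-TLS"),
    Rule("tcp", 179, None, None, "BGP"),
    Rule("tcp", 11443, None, None, "HTTPS"),
    Rule("tcp", 12443, None, None, "HTTPS"),
    Rule("tcp", 39090, None, None, "Stats"),
    Rule("tcp", 7407, "NSG", "VSC", "RPC/Nuagemon"),
    Rule("udp", 123, "NSG", "VSC", "NTP"),
    Rule("udp", 123, "VSC", "NTP", "NTP"),
    Rule("tcp", 7443, None, None, "HTTPS"),
    Rule("tcp", 6633, "NSG", "VSC", "OF-TLS"),
    Rule("udp", 4500, "NSG", "VSC", "DTLS"),
    Rule("udp", 4789, "NSG", "VSC", "DTLS/VXLAN"),
    Rule("udp", 53, None, None, "DNS"),
]

class Flow(NamedTuple):
    src_role: str
    dst_role: str
    proto: str
    dport: int

def parse_flow_line(line: str) -> Flow:
    """Parse one 'key=value' flow record (a constructed format for this example)."""
    fields = dict(item.split("=", 1) for item in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))

def match_rule(flow: Flow, rules: List[Rule] = CONTROL_PLANE_RULES) -> Optional[Rule]:
    """First rule whose protocol, port and (where the rule states them) roles match the flow."""
    for rule in rules:
        if (rule.proto == flow.proto and rule.dport == flow.dport
                and rule.src in (None, flow.src_role) and rule.dst in (None, flow.dst_role)):
            return rule
    return None

def audit_flows(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every record that is not an expected control-plane flow."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        if match_rule(flow) is None:
            findings.append((flow, "no matching control-plane rule"))
    return findings

# Constructed sample records: three expected flows and two that should be flagged.
SAMPLE_FLOWS = [
    "src=NSG dst=VSC proto=tcp dport=6633",     # OF-TLS, expected
    "src=VSC dst=VSD proto=tcp dport=5222",     # XMPP-TLS, expected
    "src=NSG dst=VSC proto=udp dport=123",      # NTP, expected
    "src=NSG dst=VSD proto=tcp dport=5222",     # XMPP is VSC/Utils -> VSD only; an NSG should not speak it
    "src=Internet dst=VSC proto=tcp dport=22",  # SSH from the untrusted side; the slide assumes SSH over Mgmt only
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"UNEXPECTED {flow.src_role}->{flow.dst_role} {flow.proto}/{flow.dport}: {reason}")
```

Rules with `None` roles are deliberately looser than the real deployment; once the direction of those flows is confirmed from the deployment's own documentation, tightening them to explicit roles makes the audit correspondingly stricter.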
VIRTUALIZED SERVICES DIRECTORY (VSD)
VSD CLUSTER DEPLOYMENT
VSD SERVICE ABSTRACTIONS
Domain
• Equivalent to a single Nuage Networks dVRS instance
• In standard networking terminology, a domain maps to a VRF instance
• A logical distributed router that enables L2 and L3 communication
Zone
• A set of network endpoints that must adhere to the same security policies
Subnet
• In standard networking terminology, a subnet is instantiated as an R-VPLS instance
vPort
• Can be explicitly created or auto-discovered
• Attached to VMs, host and bridge interfaces, which are mapped to NSG access ports
VSD MULTI-TENANT ARCHITECTURE
Cloud service provider administrator (csproot) can create different enterprise definitions for each tenant.
Each tenant can create their own user groups, domains and policies on the VSD.
SELF-SERVICE NETWORK SERVICE DELIVERY
[Diagram: a customer portal with a network services catalogue (order branch equipment, select VNS service) drives the Nuage Networks VNS solution; Customer A's software defined network service spans fixed and mobile access networks (IP-VPN, private IP, Internet, L2-VPN, business Internet), customer locations, and public and private clouds.]
The new operational model
• Users can turn up new services on demand
• Non-specialized personnel can turn up a site in 10 minutes or less
VIRTUALIZED SERVICES CONTROLLER (VSC)
VIRTUAL ROUTING AND SWITCHING (VRS)
VRS COMPONENTS
The VRS consists of two main components:
The VRS Agent: Nuage Networks-specific component that talks to the VSC using OpenFlow.
The Open vSwitch (OVS): provides the switching and routing components, as well as the tunneling mechanisms to forward the traffic.
VRS AGENT
Nuage Networks-specific component that talks to the VSC using OpenFlow
Responsible for receiving and programming the actual L2 and L3 FIBs to allow communication:
- Between local VMs
- Between local VMs and remote hosts, using tunnels
Replies to all ARP requests (no flooding)
Acts as a DHCP proxy server for the VMs
Reports VM events to the VSC
Downloads QoS policies and ACLs for VM traffic
Handles statistics collection and reporting
VXLAN GATEWAYS: SOFTWARE OR HARDWARE
Software
VRS-G is a VM
Or runs on an x86 server
Hardware
7850 VSG
960 Gbps capacity
32 x 10G + 16 x 40G
VXLAN encapsulation at line rate
Both:
Control plane is integrated with VSC/VSD for automated VLAN/VXLAN mappings
L2 and L3 capable
VIRTUAL ROUTING AND SWITCHING GATEWAY (VRSG)
NETWORK SERVICES GATEWAY (NSG)
NETWORK SERVICES GATEWAY (NSG)
• Network Services Gateway is the VNS service delivery point for IP networking
- Logical entity with physical and virtual appliances
- Flexible physical form factors to meet different on-premises requirements
- VM edition to support cloud CPE environments
- Centrally managed through VSP environment as a fully automated endpoint
• Intel X86 based
- Leverage off-the-shelf hardware components
- Intel QuickAssist and AES-NI for encryption and forwarding acceleration
• Linux OS with Nuage VRS/NSG software
- Flexible embedded network and management services
- Secured, hardened management (SYSLOG, NTP, OF-TLS)
• Supports high scale L2 and L3 VPN service deployment
7850 NSG-E
NSG INSTANTIATION (ENTERPRISE LEVEL)
USING THE NSG
VNS Application Aware Routing (AAR)
Application Discovery (AD)
• Monitoring and classification of application traffic coming into the access ports of an NSG
• Signature-based L7 classification (e.g. Skype, Facebook, Google, etc.). A library with signatures is bundled with the NSG software
• Customized classification based on source/destination IP address, source/destination L4 ports, L4 protocol (TCP/UDP)
Network Performance Measurement (NPM)
• Health metrics of overlay network connections between NSGs in a domain using performance monitors with a specified network profile (DSCP value, payload size, traffic rate)
• Performance metrics include one-way packet loss, jitter and latency between the uplinks of different NSGs
Application Policy and Visualization (APV)
• Policy-driven intelligent path selection for application traffic based on one-way latency, jitter and packet loss measurements
• Path selection based on continuous probes and/or first packet detection
• Improve scalability with first packet detection
Combining VNS application capabilities: AD + NPM + APV
• The intelligent forwarding of application traffic across the Enterprise WAN, ensuring that pre-defined per-application performance metrics (i.e. SLAs) are persistently met
[Diagram: Site 1 and Site 2 NSGs carry voice, video and email flows over two paths; Path 1 has low latency/variation/loss, Path 2 higher latency; performance is measured per path (delay, delay variation, loss, BW); an NSG-BR is also shown.]
1. Application Discovery: identify the video conferencing application flow to a known destination, the NSG at Site 2
2. Network Performance Measurement: measure path performance metrics over both uplinks
3. Application Policy and Visualization: steer video conferencing application flows over an SLA-compliant path
AAR Specifics
• Probe: user-defined payload, rate, FC
• Encapsulation of the probe is with a VXLAN header (no encryption)
• Default probe is set with an MTU of 512B, rate is 1 packet every 10 secs with Best Effort forwarding class (these values can be modified if needed)
• Lowest enforced limit today is 10 probes per second (100 msec)
• For APV related probes, there is an idle timeout of 150 seconds after which the probe session is terminated (for 1st pkt)
• NPM probe results are reported via the stats channel
• Dampening hard coded to 30 seconds today
• Sampling frequency - packet loss: every 3 probe samples. So with a probe interval of 1/sec, packet loss is calculated every 3 secs (3 x probe interval)
• Sampling frequency - jitter/delay: every packet
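The three-step AD + NPM + APV flow and the probe specifics above, worked through as an added example (not code from the deck or from Nuage): probe results per path are turned into latency, jitter and loss the way the slide describes (delay and jitter on every received packet, loss per window of 3 probes), an application SLA is checked against them, and a selector moves flows only after the better path has stayed better for the dampening period. The 30 s dampening is taken from the slide; reading it as "a path change must persist for 30 s before it is acted on" is this example's assumption, as are the SLA thresholds, the path names and the probe samples, which are constructed. The selector also handles the case where no path meets the SLA by falling back to the lowest-latency one.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Set

@dataclass
class Probe:
    seq: int
    sent_ms: float
    recv_ms: Optional[float]   # None when the probe was lost

@dataclass
class PathMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def compute_metrics(probes: List[Probe], loss_window: int = 3) -> PathMetrics:
    """Turn one path's probe results into NPM-style metrics. Delay and jitter are
    sampled on every received packet; loss is sampled per window of `loss_window`
    probes (the slide's "every 3 probe samples"). A trailing partial window is ignored."""
    delays = [p.recv_ms - p.sent_ms for p in probes if p.recv_ms is not None]
    latency = mean(delays) if delays else float("inf")
    jitter = mean(abs(b - a) for a, b in zip(delays, delays[1:])) if len(delays) > 1 else 0.0
    windows = [probes[i:i + loss_window]
               for i in range(0, len(probes) - loss_window + 1, loss_window)]
    if not windows:
        return PathMetrics(latency, jitter, 100.0)   # nothing measured yet: treat as unusable
    lost = sum(1 for w in windows for p in w if p.recv_ms is None)
    return PathMetrics(latency, jitter, 100.0 * lost / (len(windows) * loss_window))

def meets_sla(m: PathMetrics, sla: Sla) -> bool:
    return (m.latency_ms <= sla.max_latency_ms and m.jitter_ms <= sla.max_jitter_ms
            and m.loss_pct <= sla.max_loss_pct)

class PathSelector:
    """Per-application path choice with dampening: a better path must stay better for
    `dampening_s` seconds before flows move, so a flapping uplink does not bounce
    traffic back and forth (assumed semantics for the slide's 30 s)."""
    def __init__(self, dampening_s: float = 30.0):
        self.dampening_s = dampening_s
        self.current: Optional[str] = None
        self.candidate: Optional[str] = None
        self.candidate_since = 0.0

    def select(self, now_s: float, metrics: Dict[str, PathMetrics], sla: Sla,
               preference: List[str]) -> str:
        compliant = [p for p in preference if meets_sla(metrics[p], sla)]
        # First SLA-compliant path in policy order; if none complies, the lowest-latency one.
        best = compliant[0] if compliant else min(preference, key=lambda p: metrics[p].latency_ms)
        if self.current is None or best == self.current:
            self.current, self.candidate = best, None
        elif self.candidate != best:
            self.candidate, self.candidate_since = best, now_s   # start the dampening clock
        elif now_s - self.candidate_since >= self.dampening_s:
            self.current, self.candidate = best, None            # held long enough: switch
        return self.current

def constructed_probes(base_delay_ms: float, lost: Set[int], count: int = 9,
                       interval_ms: float = 1000.0) -> List[Probe]:
    """Constructed sample: one probe per second, one-way delay alternating base/base+1 ms."""
    return [Probe(i, i * interval_ms,
                  None if i in lost else i * interval_ms + base_delay_ms + (i % 2))
            for i in range(count)]

if __name__ == "__main__":
    video_sla = Sla(max_latency_ms=50, max_jitter_ms=5, max_loss_pct=1.0)   # assumed thresholds
    metrics = {"path1": compute_metrics(constructed_probes(20, set())),
               "path2": compute_metrics(constructed_probes(80, {4}))}
    selector = PathSelector(dampening_s=30)
    print("video ->", selector.select(0, metrics, video_sla, ["path1", "path2"]), metrics)
```

With the constructed samples, path1 measures about 20 ms latency, 1 ms jitter and 0 % loss while path2 measures 80.5 ms and one lost probe in nine (11.1 % loss), so video is pinned to path1; if path1 later degrades, the selector reports path2 as a candidate but keeps forwarding on path1 until the 30 s dampening has elapsed.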
AAR Visualization – Enterprise Top 5 APM groups
Accessed via Organization > Stats
Graphical Representation:
• Applications identified ranked by Total Bytes
AAR Visualization – Enterprise Top 10 Applications
Fields Reported:
• Domain
• APM Group
• Application
• L7 Classification
• Sum of Total MB
Accessed via Organization > Stats
Note: Statistics can be exported Raw or Formatted (csv)
AAR Visualization: Applications – NSG Bytes
Accessed via Organization > Domain > Infra
Graphical Representation:
• Applications identified ranked by Total Bytes
NSG Border Router (NSG-BR)
• Function:
- Allow underlay next-hop addresses (VTEP addresses) to use non-globally routable IP addresses, i.e. to allow for underlay addresses not to be leaked between the data-centre and wide-area environments
• Problem statement
- DC connectivity (trusted underlay) to the IPsec encrypted branch offices (untrusted underlay)
- Book-end underlays with NSG or use IKEv2
- VLAN hand off to PE, VRS-G and/or NSG
• NSG Border Router
- Logical function only
- Support on NSG-X and NSG-V
- Egress tunnel shaping
- Unified policy from SD WAN to DC
- Demarcation point between underlays
- Multi-tenancy
• Resiliency: active-active (ECMP), active-standby (priority groups), NSG-BR
[Diagram: NSG-1, NSG-2 and NSG-3 in the WAN reach VRS-1 in the DC through the NSG-BR; one service overlay spans both sides, carried as VXLAN over IPsec on the WAN side and as plain VXLAN on the DC side.]
NSG-BR – Border Port
▪ Border Router Port
▪ New port type
▪ DC underlay IP interface
▪ VLAN + Static IP
▪ VXLAN
▪ vPort/VLAN/BGP
▪ Multi-Tenant
[Diagram: NSG-1 and NSG-2 (branch domain, branch vPorts) connect over the WAN as VXLAN over IPsec to network ports NP1/NP2 on the NSG-BR; the NSG-BR's border router port (BRP1) faces the DC domain, where VRS-1 and VRS-2 (DC vPorts) are reached over plain VXLAN. NP = Network Port, BRP = Border Router Port.]
PAT to Overlay: Distributed PAT – Remote Domain
▪ Distributed PAT
▪ Multiple PAT pools
▪ Routable in destination domain
▪ Assign IP per NSG in source domain
▪ Pool address management by VSD
▪ Local and remote shared domain
▪ Use case: hosted service, B2B
[Diagram: three NSGs in Source Domain 1 (subnets SUB1, SUB2), each holding one address (IP1/32, IP2/32, IP3/32) from the PAT pool IP1-IPn, PAT their traffic into a Shared Domain that is reached through a remote NSG (subnets SUB1-SUB4).]
PAT to Overlay: Distributed PAT – Local Domain
▪ Shared Domain subnets exist locally on the NSG
▪ Use case: local shared resource (e.g. printer)
[Diagram: as in the remote-domain case, NSGs in Source Domain 1 (SUB1, SUB2) hold IP1/32, IP2/32, IP3/32 from the PAT pool IP1-IPn, but the Shared Domain subnets (SUB1-SUB4, with SUB3 on the local NSG) are attached to the same NSG, so PAT happens locally.]
PAT to Overlay: Topologies
▪ Multiple Source domains
▪ Overlapping IP addressing
- Source domain addressing
- Source and PAT pool addressing
▪ Multiple Destination domains
- NOT supported
[Diagram: left, vPorts in Source Domain 1 and Source Domain 2 each PAT into one Shared Domain through separate pools (IP1-IP5 and IP6-IPn); right, a single Source Domain 1 PATing into both Shared Domain 1 and Shared Domain 2, the unsupported multiple-destination-domain case.]
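The distributed PAT model from the three slides above (one pool address per NSG in the source domain, pools managed centrally, overlapping source-domain addressing across multiple source domains), as an added example that is not code from the deck or from Nuage: a pool hands one address to each NSG, each NSG translates its hosts' flows onto that address with its own port range, and the reverse lookup only succeeds for flows the NSG itself opened, which is what keeps unsolicited shared-domain traffic out of the source domain. The pool ranges, NSG names, host addresses and the shared service address are constructed sample values; the multiple-destination-domain case the slide marks as unsupported is not modelled.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)

class PatPool:
    """Shared-domain-routable addresses handed out one per NSG, as the slide says the VSD does."""
    def __init__(self, first: str, last: str):
        self.addresses: List[str] = [str(IPv4Address(a)) for a in
                                     range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)]
        self.assigned: Dict[str, str] = {}     # NSG name -> pool address

    def assign(self, nsg: str) -> str:
        if nsg not in self.assigned:
            if len(self.assigned) == len(self.addresses):
                raise RuntimeError("PAT pool exhausted")
            self.assigned[nsg] = self.addresses[len(self.assigned)]
        return self.assigned[nsg]

class NsgPat:
    """Port address translation on one NSG: every source-domain host behind it shares one pool IP."""
    def __init__(self, name: str, pool_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.name, self.pool_ip = name, pool_ip
        self.next_port, self.last_port = first_port, last_port
        self.outbound: Dict[FlowKey, int] = {}                          # inner flow -> translated port
        self.inbound: Dict[Tuple[int, str, int, str], FlowKey] = {}     # (pat_port, peer_ip, peer_port, proto) -> inner flow

    def translate_out(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                      proto: str = "tcp") -> Tuple[str, int, str, int, str]:
        """Rewrite the source of a packet leaving the source domain; reuse state for a known flow."""
        key: FlowKey = (src_ip, src_port, dst_ip, dst_port, proto)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port range exhausted")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst_ip, dst_port, proto)] = key
            self.next_port += 1
        return (self.pool_ip, self.outbound[key], dst_ip, dst_port, proto)

    def translate_in(self, dst_ip: str, dst_port: int, src_ip: str, src_port: int,
                     proto: str = "tcp") -> Optional[Tuple[str, int, str, int, str]]:
        """Rewrite the destination of a reply from the shared domain; None when no state exists."""
        if dst_ip != self.pool_ip:
            return None
        key = self.inbound.get((dst_port, src_ip, src_port, proto))
        if key is None:
            return None
        inner_src_ip, inner_src_port, _, _, _ = key
        return (src_ip, src_port, inner_src_ip, inner_src_port, proto)

def demo_overlapping_source_domains() -> dict:
    """Constructed scenario: two source domains with the same host address reach the shared
    domain through different pools, so the shared service sees two distinct addresses."""
    pool_domain1 = PatPool("192.0.2.1", "192.0.2.5")    # the slide's "IP1-IP5"
    pool_domain2 = PatPool("192.0.2.6", "192.0.2.10")   # the slide's "IP6-IPn"
    nsg_a = NsgPat("NSG-A", pool_domain1.assign("NSG-A"))
    nsg_b = NsgPat("NSG-B", pool_domain1.assign("NSG-B"))
    nsg_c = NsgPat("NSG-C", pool_domain2.assign("NSG-C"))
    shared_service = ("198.51.100.20", 443)
    out_a = nsg_a.translate_out("10.0.1.10", 40000, *shared_service)   # host in Source Domain 1
    out_c = nsg_c.translate_out("10.0.1.10", 40000, *shared_service)   # same address, Source Domain 2
    return {"nsg_a": out_a, "nsg_b_ip": nsg_b.pool_ip, "nsg_c": out_c,
            "reply_to_a": nsg_a.translate_in(out_a[0], out_a[1], *shared_service)}

if __name__ == "__main__":
    for name, value in demo_overlapping_source_domains().items():
        print(f"{name}: {value}")
```

Because each NSG owns exactly one pool address, a shared-domain host can tell which branch a connection came from by address alone, and a source-domain host is never reachable from the shared domain except on a flow it opened itself.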
HEADLESS FORWARDING (Controller-Less Operation)
Definition: an NSG in “Headless Mode” is defined as an NSG that has no control plane connectivity to any VSC
Special case: NSG loses all connectivity to the Key Server (VSD)
Failure detection: OF-TLS timeout (3 x 5 s); IPsec key update miss
Data plane: IPsec or VXLAN
[Diagram: VSD (policy) to VSC (control) over XMPP-TLS, VSC to NSG (data) over OF-TLS, NSG to VSD over HTTPS (via proxy). NSG uplink models shown: single uplink; dual uplink over UNDERLAY-1 and UNDERLAY-2; dual uplink with redundant group (LAN VIP) and BGP towards a BR.]
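The failure-detection and headless behaviour described above, as an added example that is not code from the deck or from Nuage: an NSG-side monitor declares headless mode after three missed 5 s OF-TLS keepalives, separately records a missed IPsec key update from the key server, refuses flow programming while no controller session exists, and keeps forwarding on the last flows the VSC installed in either mode. The keepalive and key-lifetime event model, the flow table shape and the sample subnets are this example's assumptions; the slide states only the 3 x 5 s timeout and the key-update-miss detection.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

OF_KEEPALIVE_S = 5.0                                   # OF-TLS keepalive period on the slide
OF_MISSES_ALLOWED = 3                                  # "3 x 5 s"
HEADLESS_AFTER_S = OF_KEEPALIVE_S * OF_MISSES_ALLOWED  # 15 s without a keepalive

class Mode(Enum):
    CONNECTED = "connected"
    HEADLESS = "headless"

@dataclass
class NsgControlMonitor:
    """Tracks an NSG's control-plane connectivity and keeps the last programmed flows
    so the data plane can keep forwarding when the VSC is unreachable."""
    last_keepalive_s: float = 0.0
    next_key_update_due_s: Optional[float] = None
    mode: Mode = Mode.CONNECTED
    flows: Dict[Tuple[str, str], str] = field(default_factory=dict)
    events: List[Tuple[float, str]] = field(default_factory=list)

    def on_keepalive(self, now_s: float) -> None:
        """An OF-TLS keepalive (or any controller message) arrived."""
        self.last_keepalive_s = now_s
        if self.mode is Mode.HEADLESS:
            self.mode = Mode.CONNECTED
            self.events.append((now_s, "VSC reachable again: leaving headless mode"))

    def on_flow_mod(self, src_subnet: str, dst_subnet: str, action: str) -> None:
        """Flow programming only ever arrives from a connected controller."""
        if self.mode is not Mode.CONNECTED:
            raise RuntimeError("no VSC session; cannot accept flow programming")
        self.flows[(src_subnet, dst_subnet)] = action

    def on_key_update(self, now_s: float, lifetime_s: float) -> None:
        """Key server (VSD) delivered a new IPsec key; the next one is due within lifetime_s."""
        self.next_key_update_due_s = now_s + lifetime_s

    def tick(self, now_s: float) -> Mode:
        """Periodic check: detect the OF-TLS timeout and a missed key update."""
        if self.mode is Mode.CONNECTED and now_s - self.last_keepalive_s >= HEADLESS_AFTER_S:
            self.mode = Mode.HEADLESS
            self.events.append((now_s, "OF-TLS timeout (3 x 5 s): headless forwarding with last known flows"))
        if self.next_key_update_due_s is not None and now_s > self.next_key_update_due_s:
            self.events.append((now_s, "IPsec key update missed: key server (VSD) unreachable"))
            self.next_key_update_due_s = None   # report once until a new key arrives
        return self.mode

    def forward(self, src_subnet: str, dst_subnet: str) -> str:
        """Data-plane lookup: identical in both modes, which is the point of headless forwarding."""
        return self.flows.get((src_subnet, dst_subnet), "drop")

if __name__ == "__main__":
    nsg = NsgControlMonitor()
    nsg.on_keepalive(0.0)
    nsg.on_flow_mod("10.0.1.0/24", "10.0.2.0/24", "vxlan-ipsec:NSG-2")   # constructed flow
    nsg.on_keepalive(10.0)
    for t in (20.0, 25.0):
        print(t, nsg.tick(t).value, nsg.forward("10.0.1.0/24", "10.0.2.0/24"))
    for when, what in nsg.events:
        print(f"t={when:.0f}s {what}")
```

Operationally the events list is the thing to ship to monitoring: an NSG that forwards correctly in headless mode is invisible to users, so the transition itself (and how long the site stays without policy updates) is the signal to alert on.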
Hybrid WAN – Disjoint Underlay Solution
• Typical use case driving the adoption of SD WAN technology
• Way to connect a geographically dispersed WAN over 2 or more separate network connections at a customer site
• Typically one is Business Internet type connectivity, the other a private MPLS based VPN service
• Mandatory dynamic path selection for specific applications/application groups across ‘disjoint transport/underlay networks’
• Site to Site connectivity for Branches
- Single connection to either the Internet or the Private MPLS based VPN
- Dual homed sites to both underlays
- Resilience in the event of loss of one of the network uplinks
By using this approach, a hybrid WAN can give organizations a more versatile and cost-effective way to connect their offices while still relying on dedicated links to send mission-critical data and provide secure network resilience.
[Figure: VNS Topologies Supported. Private Network – Overlay Service (Site 1 and Site 2 over an MPLS VPN); Internet – Overlay Service (Site 1 and Site 2 over the Internet); Hybrid WAN – Overlay Service (Site 1 and Site 2 with NSG-BR over both MPLS VPN and Internet); MPLS VPN Inter-Working (Site 1 and Site 2 with NSG-BR, MPLS VPN and Internet, MPLS CE, BGP multi-tenant). Legend: Private IP Addressing (Overlapping), Public IP Addressing, SD-WAN Overlay Service]
MULTI-TENANT DISJOINT UNDERLAYS
Separate Routing Context
• BR: next-hop (NH) context per underlay to avoid overlapping IP addresses; multi-tenant routing table per customer
• HA Proxy: NH context per underlay; a single DNS name and a globally unique IP address is used for the proxy across all underlays, with no overlaps
• VSC: multi-interface VSC using ESXi/trunk ports; support for 100 interfaces/VSC (target)
• VLAN/BGP per tenant
The Hybrid WAN use case must be able to support connectivity to sites whose NSGs are only connected to either uplink but not both. It should also support the case where the connection to transport “A” fails at one site and the connection to transport “B” fails at the other site.
[Figure: Underlay-1 (Internet), Underlay-2 (VRF-cust1) and Underlay-X (VRF-custX) connecting NSG-c1 and NSG-cX to uBR-1, uBR-2, the HA Proxy and the VSC; interface labels U1-1, U1-2, U1-3, U2-1, U2-2, B1-1..B1-3, B2-1..B2-3, C1-1..C1-3, S1]
NSG-BR/DISJOINT UNDERLAY Connector
• Base Principle: Logical Representation – Route Table
[Figure: NSG-1 on Underlay-1 (U1-1); NSG-2 on Underlay-1 and Underlay-2 (U2-1, U2-2); NSG-3 on Underlay-2 and Underlay-3 (U3-2, U3-3); uBR-1 and uBR-2 attached to all three underlays (B1-1..B1-3, B2-1..B2-3); VSC-1, VSC-2, VSC-3; subnets S1 behind NSG-1, S2 + Default behind NSG-2, S3 behind NSG-3, S4 reachable via the uBRs]

Paths from NSG-1 (S1):
  S1 -> S2 via Underlay-1, NH U2-1
  S1 -> S3 via BR-1 or BR-2
  S1 -> S4 via BR-1 or BR-2
  S1 -> default via Underlay-1, NH U2-1

Paths from NSG-3 (S3):
  S3 -> S1 via BR-1 or BR-2
  S3 -> S2 via Underlay-2, NH U2-2
  S3 -> S4 via BR-1 or BR-2
  S3 -> default via Underlay-2, NH U2-2

Routing Table NSG-1
  Prefix    NH-ID
  S1        local
  S2        NSG-2
  S3        NSG-3
  S4        BR-1, BR-2
  Default   NSG-2

Next-hop table (NSG-1)
  NH-ID     NH tag
  NSG-2     U2-1 Underlay-1/Pref 1; (B1-1 Underlay-1/Pref lowest); (B2-1 Underlay-1/Pref lowest)
  NSG-3     B1-1 Underlay-1/Pref lowest; B2-1 Underlay-1/Pref lowest
  BR-1      B1-1 Underlay-1/Pref lowest
  BR-2      B2-1 Underlay-1/Pref lowest

Routing Table NSG-3
  Prefix    NH-ID
  S1        BR-1, BR-2
  S2        NSG-2
  S3        local
  S4        BR-1, BR-2
  Default   NSG-2

Next-hop table (NSG-3)
  NH-ID     NH tag
  NSG-2     U2-2 Underlay-2/Pref 2; (B1-2 Underlay-2/Pref lowest); (B2-2 Underlay-2/Pref lowest)
  BR-1      B1-2 Underlay-2/Pref lowest; B1-3 Underlay-3/Pref lowest
  BR-2      B2-2 Underlay-2/Pref lowest; B2-3 Underlay-3/Pref lowest
NSG-uBR Phase 1 – Path Preference
• uBR as last resort only
• Path to NSG via directly attached underlays always preferred
[Figure: Underlay-1, Underlay-2 and Underlay-3 with NSG-1, NSG-2, NSG-3, uBR-1 and uBR-2 (interfaces U1-1, U2-1, U2-2, U3-2, U3-3, B1-1..B1-3, B2-1..B2-3); the direct underlay path between NSGs is marked “1. Always preferred”]
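The route table and next-hop table on the previous slide, together with the two preference rules above, are enough to resolve any prefix once you know which underlays are up. The following is an added example, not code from the deck or from Nuage: the NSG-1 and NSG-3 tables transcribed from the slide, with "Pref lowest" mapped to the numeric constant LOWEST (an assumption), and a resolver that skips candidates on failed underlays, so the uBR path takes over only when no directly attached path remains.

```python
# Added example (not Nuage code): resolving a prefix to an underlay next hop from
# the two tables on the slide (routing table: prefix -> NH-ID; next-hop table:
# NH-ID -> candidate addresses tagged with underlay and preference).
from dataclasses import dataclass

LOWEST = 99   # numeric stand-in for "Pref lowest": the uBR path is the last resort


@dataclass(frozen=True)
class NextHop:
    address: str    # underlay address label, e.g. "U2-1"
    underlay: str   # transport the address lives on, e.g. "Underlay-1"
    pref: int       # lower number = preferred


# Transcribed from the slide. NSG-1 is single-homed on Underlay-1.
NH_TABLE_NSG1 = {
    "NSG-2": [NextHop("U2-1", "Underlay-1", 1),
              NextHop("B1-1", "Underlay-1", LOWEST), NextHop("B2-1", "Underlay-1", LOWEST)],
    "NSG-3": [NextHop("B1-1", "Underlay-1", LOWEST), NextHop("B2-1", "Underlay-1", LOWEST)],
    "BR-1":  [NextHop("B1-1", "Underlay-1", LOWEST)],
    "BR-2":  [NextHop("B2-1", "Underlay-1", LOWEST)],
}
RIB_NSG1 = {"S1": ["local"], "S2": ["NSG-2"], "S3": ["NSG-3"],
            "S4": ["BR-1", "BR-2"], "Default": ["NSG-2"]}

# NSG-3 sits on Underlay-2 and Underlay-3, so the uBRs give it a second transport.
NH_TABLE_NSG3 = {
    "NSG-2": [NextHop("U2-2", "Underlay-2", 2),
              NextHop("B1-2", "Underlay-2", LOWEST), NextHop("B2-2", "Underlay-2", LOWEST)],
    "BR-1":  [NextHop("B1-2", "Underlay-2", LOWEST), NextHop("B1-3", "Underlay-3", LOWEST)],
    "BR-2":  [NextHop("B2-2", "Underlay-2", LOWEST), NextHop("B2-3", "Underlay-3", LOWEST)],
}
RIB_NSG3 = {"S1": ["BR-1", "BR-2"], "S2": ["NSG-2"], "S3": ["local"],
            "S4": ["BR-1", "BR-2"], "Default": ["NSG-2"]}


def resolve(prefix, rib, nh_table, up_underlays):
    """Pick the next hop(s) for prefix given the set of underlays currently up.

    Returns "local", None (unreachable), or the list of best-preference
    NextHops; several entries with equal preference are ECMP candidates.
    Candidates on a failed underlay are skipped, which is how the uBR path
    takes over when a directly attached transport goes down.
    """
    nh_ids = rib.get(prefix, rib["Default"])
    if nh_ids == ["local"]:
        return "local"
    candidates = [nh for nh_id in nh_ids for nh in nh_table.get(nh_id, [])
                  if nh.underlay in up_underlays]
    if not candidates:
        return None
    best = min(nh.pref for nh in candidates)
    return [nh for nh in candidates if nh.pref == best]


def addresses(result):
    """Readable form of a resolve() result: the chosen address labels, sorted."""
    if result is None or isinstance(result, str):
        return result
    return sorted(nh.address for nh in result)


if __name__ == "__main__":
    print(addresses(resolve("S2", RIB_NSG1, NH_TABLE_NSG1, {"Underlay-1"})))   # ['U2-1']
    print(addresses(resolve("S1", RIB_NSG3, NH_TABLE_NSG3, {"Underlay-3"})))   # ['B1-3', 'B2-3']
```

The last call shows the failover the multi-tenant slide asks for: with Underlay-2 down at NSG-3, S1 is still reachable through both uBRs over Underlay-3, while S2 (only known via NSG-2 on Underlay-2) becomes unreachable from NSG-3, exactly as its tables say.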
VNS HW Family – expanding SD-WAN deployment use cases
[Figure: roadmap chart of throughput (10MB, 100MB, 500MB, < 1G, 2G, 5G, 10G, >10G) against use case / deployment locations (IoT, Small Branch (SoHo), Small Branch & LAN, Medium Branch, Medium Branch & LAN, Large Branch / HQ, PoP & DC). Models placed on the chart: NSG-v, Cloud NSG-AMI, NSG-C, NSG-E, NSG-F, NSG-X / BR, NSG-L. Status labels shown: Launched Dec 2014, Launched Sept 2015, Planned 1H 2016, Planned Oct 2016, Planned Q4 2016, Planned 2017, Available]
7850 Network Services Gateways
Cloud: NSG-V
• NSG-V KVM Image
• NSG-V ESXi Image
• NSG-V Amazon Machine Image (AMI)
• NSG-V Azure*
S/M Branch Sites: NSG-C
• Intel Atom-based (2C)
• 3 x 10/100/1000BASE-T
• 2GB RAM
• 16GB Primary Storage
• Trusted Platform Module
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console
S/M Branch Sites: NSG-E
• Intel Atom-based (2C)
• 6x 10/100/1000BASE-T
• Trusted Platform Module
• Compact Flash storage
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console
M/L Branch Sites / DC: NSG-F*
• Intel Xeon D (4C)
• 4x 10/100/1000BASE-T
• 2x 1000BASE-X SFP
• 16GB RAM
• 32GB Primary Storage
• Trusted Platform Module
• 64GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console
M/L Branch Sites / DC: NSG-X
• Intel Xeon D (8C)
• 2x 10GBASE-X SFP+ WAN
• 4+4 x 1000BASE-(T/SFP)
• 32G RAM
• 32G Primary Storage
• Trusted Platform Module
• 256GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console
NFV Capable
* Roadmap features
NSG-X – Specification
▪ Intel Xeon D-1548 8C, 2.0 GHz,12MB Cache
▪ 2x 10GBASE-x SFP+ WAN
▪ 4+4 x 1000BASE-(T/SFP)
▪ Intel DH89xx Quick Assist
▪ 32GB RAM
▪ Primary Storage 32GB (m.2)
▪ Secondary Storage 256GB SSD
▪ TPM
▪ 2X AC PSU
▪ 2X USB (3.0)
▪ 1X RJ45 Serial Console
[Figure: NSG-X chassis: 2x10GbE, 4x1GbE, 4x1GbE; 3x fan, 2x PSU; slot for future capabilities; PSU alarm suppression; console; 2x USB; Intel QuickAssist]
NSG-C
[Figure: NSG-C panel: 3x1000BASE-T, 1xUSB3.0, USB2.0, Serial Console, Soft Reset]
▪ 4.0.R4 PoC support – Prototypes available
▪ 4.0.R6 Software Support
▪ End of November – Hardware availability – CP(DR4)
▪ Specification
  ▪ Intel Atom based: BayTrail E3825 2C, 1.33GHz
  ▪ 3 x 10/100/1000BASE-T
  ▪ 2GB RAM
  ▪ 16GB mSATA MLC
  ▪ TPM
  ▪ Fanless
  ▪ 1X AC PSU
  ▪ 2X USB (2.0 and 3.0)
  ▪ 1X RJ45 Serial Console
VNS 5.0 BIG ROCKS (2017 – EARLY PREVIEW)
CPE Access / WAN Edge
• 4G/LTE WAN Uplink
  • Dongle / Embedded*
  • External Antenna
• VNFs on NSG (Thick CPE)
  • Single VNF: Firewall / WAN Acceleration (initial target)
• Integrated WiFi (NSG-E)
• OSPF on Access
• IPv6 Underlay Support
• IPv6 Overlay Support
• Multiple VLANs on Uplinks
• NAT-T Enhancements
• Multicast (IGMP Overlay)
• …
DC Edge (Public/Private)
• NSG Border Router+
• NSG Disjoint Underlay+
• Public Cloud (AWS Marketplace, Azure)
PERFORMANCE / SCALE / SECURITY – HARDWARE EVOLUTION
[Figure: NSG-CPE at the branch, WAN Core, NSG-HUB at the Enterprise Data Center]
* TBC
3G / 4G LTE – PLANS – EARLY INVESTIGATION
Q4 2016
• Demo / Limited Availability
• Dongle Based Integration
  • Customer Specific Dongle Validation
• Features
  • 1+1 Uplink Support (1 LTE, 1 WAN)
  • Minimal VSD Integration
1H 2017
• GA Availability
  • Customer Managed Procurement, Activation & Support
• Dongle Based Support
• Features
  • 1 LTE Uplink Only or 1+1
  • Circuit of Last Resort (2+1)*
*Stretch
VNFs on NSG (VAS) – EARLY INVESTIGATION
Goals:
• Support VM & Container FF VNFs
  • Virtual FW, WAN Optimization
  • Single VNF in Phase 1
• Minimal (common) workflow for VM & Containers managed via VSD
  1. VNF Life Cycle Management
  2. Service Insertion/Extensibility Framework
  3. VNF Initialization & Configuration
  4. OAM / VNF or SVC Health Check
• Support L2 & L3 Services
• HW: NSG-X or NSG-F
Phase I Plan (1H 2017):
• VNF Selection – VM FF / Virtual FW (TBD)
• VNF Life Cycle Management
  • Image Mgmt, Resource Mgmt, Scheduler
  • CloudInit / Blob-based Initialization (license management, management IP)
  • Health-checks and Reporting
• L2 Service Insertion
  • Single VNF in Service Chain
  • Access side / Transparent service (bump in the wire)
  • Symmetric Services
  • Basic Failover Detection
• HW: NSG-X
AGENDA
SDN and SD-WAN Concepts
Virtualized Network Services (VNS) Portfolio
Overview and Architecture
Components (VSD, VSC, VRS, Gateways, NSG, VSAP)
Deployment Models, Key Functionality, and Use Cases
AUTOMATION AND FLEXIBILITY VIA CENTRAL CONTROL OF OVERLAY VPN SERVICES
• OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and to deliver notifications to the controller
  - MAC/IP addresses learned on LAN ports are reported to the controller
  - The controller determines whether the MAC/IP is to be programmed into the FIB
• Federation of topology between controllers via BGP-EVPN
  - MAC and IP reachability signaled
  - VXLAN VNI information combined with NEXT_HOP
  - Interworking with IP/MPLS environments
[Figure: NSGs attached to VSCs via OpenFlow and OVSDB; VSCs federated via BGP EVPN; overlay subnets 10.1.0.0/24 (next hop 192.0.2.1), 10.3.0.0/24 (next hop 192.0.2.3) and 10.2.0.0/24 with a learned host 10.2.0.1/32 aa:bb:cc:dd:ee:ff]
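The slide leaves open what "the controller determines whether the MAC/IP is to be programmed" checks. The following is an added example, not code from the deck or from Nuage, of one such decision: a learn notification is accepted only if the IP lies in the subnet attached to the reporting vPort, a MAC that suddenly appears behind a different NSG is held and alerted instead of overwriting the FIB, and an accepted entry becomes a MAC/IP reachability record carrying the VNI and the VTEP as NEXT_HOP, the information BGP-EVPN federates. The acceptance policy and the record layout are assumptions; the addresses are the ones drawn on the slide.

```python
# Added example (not Nuage code): the controller-side decision on a MAC/IP learn
# notification from an NSG LAN port, and the reachability record it would then
# federate to peer controllers. The acceptance policy (learned IP must belong to
# the vPort's subnet; a MAC seen moving to another NSG is flagged rather than
# silently overwritten) is an assumption, not the product's documented rule.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VPort:
    nsg: str            # NSG hosting the port, e.g. "NSG-1"
    vtep: str           # NSG underlay address used as BGP-EVPN NEXT_HOP
    subnet: str         # overlay subnet attached to the port
    vni: int


@dataclass
class Controller:
    vports: dict                                    # vport id -> VPort
    fib: dict = field(default_factory=dict)         # (vni, mac) -> (ip, vtep)
    advertisements: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def on_learn(self, vport_id, mac, ip):
        """Handle an OpenFlow-style learn notification; return the decision taken."""
        vp = self.vports[vport_id]
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(vp.subnet):
            self.alerts.append(f"{vport_id}: {ip} outside {vp.subnet}, not programmed")
            return "rejected-wrong-subnet"
        key = (vp.vni, mac.lower())
        known = self.fib.get(key)
        if known and known[1] != vp.vtep:
            # Same MAC now claimed behind a different NSG: hold and alert, do not overwrite.
            self.alerts.append(f"MAC {mac} moved {known[1]} -> {vp.vtep} in VNI {vp.vni}")
            return "held-mac-move"
        self.fib[key] = (ip, vp.vtep)
        # BGP-EVPN style MAC/IP reachability: MAC+IP with the VNI and the VTEP as NEXT_HOP
        self.advertisements.append({"route": "mac-ip", "mac": mac.lower(), "ip": ip,
                                    "vni": vp.vni, "next_hop": vp.vtep})
        return "programmed"


if __name__ == "__main__":
    ctl = Controller(vports={"vp1": VPort("NSG-1", "192.0.2.1", "10.2.0.0/24", 123456)})
    print(ctl.on_learn("vp1", "aa:bb:cc:dd:ee:ff", "10.2.0.1"))   # programmed
    print(ctl.advertisements[-1])
```

Refreshing the same MAC/IP from the same NSG is idempotent; only a change of VTEP for an existing key produces the hold, which is the event an operator wants surfaced.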
OVERLAY VPN SERVICES
• A new way of delivering VPNs
• CPEs forward directly between each other using VXLAN as the overlay
  - 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456
  - 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz
• The underlay network sees only outer-header IP/UDP traffic between endpoints
  - Inner Ethernet header encapsulated with a VXLAN header
  - Traffic management = IP
  - Transport = IP
• Simplifies service chaining
• Dataplane can be further encapsulated if needed
[Figure: Overlay – Underlay – Overlay]
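To make "the underlay sees only the outer IP/UDP header" concrete, the following added example (not code from the deck or from Nuage) builds the encapsulation byte by byte: an overlay route lookup returns the NEXT_HOP and VNI from the slide's two entries, the inner Ethernet frame is wrapped in a VXLAN header, a UDP header to port 4789 and an outer IPv4 header, and underlay_view() extracts the only fields an underlay router can act on. The sending VTEP address 192.0.2.9, the VNI 300003 standing in for the slide's "xyz", and the inner frame are constructed; the IPv4 checksum is left at zero because no packet is actually sent.

```python
# Added example (not Nuage code): what "the underlay sees only the outer IP/UDP
# header" means in bytes. The overlay route entries are the slide's; the second
# VNI and the VTEP address of the sending NSG are constructed stand-ins.
import ipaddress
import struct

VXLAN_UDP_PORT = 4789         # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08           # "I" flag: the VNI field is valid

OVERLAY_ROUTES = {            # tenant prefix -> (NEXT_HOP VTEP, VNI)
    ipaddress.ip_network("10.1.0.0/24"): ("192.0.2.1", 123456),
    ipaddress.ip_network("10.3.0.0/24"): ("192.0.2.3", 300003),   # slide says "VNI xyz"; constructed
}


def lookup(dst_ip):
    """Longest-prefix match in the overlay route table."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in OVERLAY_ROUTES.items() if ip in net]
    if not matches:
        raise LookupError(f"no overlay route for {dst_ip}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def vxlan_header(vni):
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ipv4_header(src, dst, payload_len, proto=17):
    """Minimal 20-byte IPv4 header; checksum left 0 (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def encapsulate(local_vtep, inner_frame, inner_dst_ip, src_port=49152):
    """Wrap an inner Ethernet frame: outer IPv4 + UDP + VXLAN + frame.
    Returns (packet, next_hop, vni)."""
    next_hop, vni = lookup(inner_dst_ip)
    vx = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vx), 0) + vx
    return ipv4_header(local_vtep, next_hop, len(udp)) + udp, next_hop, vni


def underlay_view(packet):
    """Everything an underlay router can act on: outer addresses, protocol, UDP ports."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    sport, dport = struct.unpack("!HH", packet[20:24])
    return {"src": str(ipaddress.ip_address(fields[8])),
            "dst": str(ipaddress.ip_address(fields[9])),
            "proto": fields[6], "sport": sport, "dport": dport}


def decapsulate(packet):
    """Receiving VTEP: recover (vni, inner_frame); the VNI selects the tenant FIB."""
    flags, vni_field = struct.unpack("!B3xI", packet[28:36])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[36:]


if __name__ == "__main__":
    # Constructed inner frame: dst MAC from the slide, a made-up src MAC, IPv4 ethertype.
    inner = bytes.fromhex("aabbccddeeff020000000001") + b"\x08\x00" + b"constructed inner payload"
    pkt, nh, vni = encapsulate("192.0.2.9", inner, "10.1.0.42")
    print(nh, vni, underlay_view(pkt))
```

Note what the underlay view does not contain: the tenant addresses 10.1.0.x, the inner MACs and the VNI are all behind the UDP payload, which is why overlapping private addressing across tenants is a non-issue for the transport and why the VNI, not the outer IP, is what keeps tenants separate at the receiving VTEP.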
MANAGED ROUTER SERVICE
• Re-think of existing MRS products to solve problems:
  - CPE management and lifecycle
  - CPE cost and performance
  - Customer self care
  - Basis for enabling Value Added Services
• Multi-tenanted VSP allows customers to self-manage their network and CPE
  - VSD Architect or customer portal interface
  - VSC is VPRN-aware and exists in multiple transport VPRNs
  - NSG can operate in IP-mode or Overlay-mode
• Centralized VSP infrastructure with redundancy
  - Distribute VSCs to multiple POPs
  - Solved: CPE configuration management, time-to-implement
  - Improves: CPE replacement, reduces truck-rolls
  - Supports: vCPE/vCE architecture
[Figure: IP-VPN with Customer Portal]
IPSEC OVERLAY DATA-PLANE
• Single-click to enable the IPsec dataplane
• Hub-and-spoke (IKEv2) and/or full-mesh (Key-Server)
• Separation of key-computation from symmetric key-generation allows for fine-grained rekeying
• Maintains service and transport separation, thus maintaining service attributes
• Per-tenant, per-subnet encrypted forwarding flexibility
• IPsec forwarding acceleration in the NSG platform
• Support for dynamic NAT-T
• Sequence-based anti-replay
• Multi-tenanted Key-server as part of unified policy (VSD)
• Integrated PKI and device infrastructure provisioning
• Includes automation of all machinery:
  - PKI for certificate management
  - IPsec infrastructure provisioning
  - Security policies definition and distribution
  - Revocation logic
  - Visibility and monitoring
[Figure: Overlay – Underlay – Overlay; VSD: Key-server and PKI; VSC: Re-keying and device authentication]
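"Sequence-based anti-replay" is the sliding-window check that every IPsec receiver runs per inbound SA. The following is an added example, not code from the deck or from Nuage: the window logic in the shape of RFC 4303 section 3.4.3 (bitmap of the last 64 accepted sequence numbers, window advanced only after the integrity check passes), wrapped around a constructed toy packet format (4-byte sequence number, payload, 16-byte truncated HMAC) that stands in for ESP. The key and the packet layout are constructed; the ordering of the checks is the security-relevant part.

```python
# Added example (not Nuage code): the sequence-number anti-replay window that
# "sequence-based anti-replay" refers to, in the shape of RFC 4303 section 3.4.3.
# The packet format and ICV below are a constructed stand-in for ESP, not the
# real ESP encoding; the window logic is the part of interest.
import hashlib
import hmac


class AntiReplayWindow:
    """Bitmap of recently accepted sequence numbers for one inbound SA."""

    def __init__(self, size=64):
        if size < 32:                       # RFC 4303 minimum window
            raise ValueError("window must be at least 32")
        self.size = size
        self.top = 0                        # highest sequence number accepted
        self.bitmap = 0                     # bit i set => (top - i) was accepted

    def check(self, seq):
        """Before decryption: could this sequence number still be accepted?"""
        if seq == 0:                        # ESP never sends sequence 0
            return False
        if seq > self.top:                  # newer than anything seen: fine
            return True
        diff = self.top - seq
        if diff >= self.size:               # older than the window: drop
            return False
        return not (self.bitmap >> diff) & 1   # inside window: drop if already seen

    def update(self, seq):
        """After the ICV verified: record seq, sliding the window forward if needed."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def make_packet(key, seq, payload):
    """Constructed toy packet: 4-byte sequence number + payload + 16-byte truncated HMAC."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def icv_ok(key, pkt):
    body, icv = pkt[:-16], pkt[-16:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv)


def receive(window, key, pkt):
    """Inbound order matters: window check, then ICV, then window update.
    A packet with a bad ICV must never move the window; otherwise unauthenticated
    traffic could push the window past genuine packets still in flight."""
    seq = int.from_bytes(pkt[:4], "big")
    if not window.check(seq):
        return "dropped-replay-or-stale"
    if not icv_ok(key, pkt):
        return "dropped-bad-icv"
    window.update(seq)
    return "accepted"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    w = AntiReplayWindow()
    for seq in (1, 2, 5, 3, 2):
        print(seq, receive(w, key, make_packet(key, seq, b"payload")))   # last one is a replay
```

The test below also exercises the window slide: after sequence 100 is accepted, 36 (64 behind the top) is stale and dropped while 37 (63 behind) is still admitted, and a tampered packet with a high sequence number leaves top unchanged.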
DUAL UPLINK AND TRAFFIC STEERING
[Figure: Site1 and Site2 NSGs, each dual-homed to an IP/MPLS WAN (Provider Network) and the Internet (3G/LTE, BB, etc.), reaching a Private Data Center (or HQ) hosting VSD and VSC, and Public Cloud / SaaS; Voice and Video flows placed with ECMP across both links and Intelligent Traffic Steering, as configured by the Enterprise admin]
DUAL UPLINK AND FAILOVER
[Figure: the same topology with one uplink failed (X); Voice and Video continue over the remaining link via Seamless Backup, with ECMP across both links and Intelligent Traffic Steering resuming when the link returns]
APPLICATION AWARE ROUTING
• Objective: Dynamically forward traffic to NSG network uplinks based on one-way measurement of the overlay
  - DPI-based application classification
  - OWAMP-based synthetic traffic measurements
  - Measure symmetric paths (not cross paths)
  - Compare results to the per-application SLA
  - Pick a conforming path
• Policies configured in VSD: Application-Groups, Applications, Application Probes, Application SLAs
• Probe measurements can be triggered based on ToD or packet-detection
• Attached to a vPort to enable the feature
[Figure: Site 1 and Site 2 NSGs with two paths, IPVPN and Internet; performance measurement per path – Delay, Delay Variation, Loss, BW; Path 1 – low latency/variation/loss, Path 2 – higher latency; Voice, Video and Email placed onto paths by Application Aware Routing]
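The decision step ("compare results to the per-application SLA, pick a conforming path") can be shown end to end on the slide's two-path picture. The following is an added example, not code from the deck or from Nuage: constructed per-application SLAs for Voice, Video and Email, constructed probe results for the IPVPN and Internet paths (path 1 low latency, path 2 higher latency), a preference order that favours the Internet path whenever it conforms (an assumption), and a fallback for the failure mode the slide does not spell out, when no path meets the SLA.

```python
# Added example (not Nuage code): compare per-path probe results with the
# application SLA and pick a conforming path. SLA thresholds, path names and
# measurements are constructed; classification (DPI) is assumed to have run.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    max_delay_ms: float
    max_jitter_ms: float   # delay variation
    max_loss_pct: float


@dataclass(frozen=True)
class PathMeasurement:
    """Latest one-way probe result for one uplink pair. Symmetric paths only:
    the probe sent over the IPVPN uplink is answered over the IPVPN uplink."""
    delay_ms: float
    jitter_ms: float
    loss_pct: float

    def violations(self, sla):
        """Names of the SLA attributes this path currently breaks."""
        return [name for name, value, limit in (
            ("delay", self.delay_ms, sla.max_delay_ms),
            ("jitter", self.jitter_ms, sla.max_jitter_ms),
            ("loss", self.loss_pct, sla.max_loss_pct)) if value > limit]


APP_SLAS = {            # constructed per-application SLAs
    "Voice": Sla(50, 10, 0.1),
    "Video": Sla(100, 20, 1.0),
    "Email": Sla(500, 100, 5.0),
}
MEASUREMENTS = {        # constructed: path 1 low latency, path 2 higher latency
    "IPVPN": PathMeasurement(20, 2, 0.0),
    "Internet": PathMeasurement(80, 15, 0.5),
}
PATH_PREFERENCE = ["Internet", "IPVPN"]   # assumed: prefer the cheaper path when it conforms


def select_path(app, measurements, preference=PATH_PREFERENCE):
    """Return (path, reason). 'sla-conforming' when some path meets the SLA
    (first conforming path in preference order); otherwise the least-bad path
    by violation count, then by delay, with reason 'no-conforming-path'."""
    sla = APP_SLAS[app]
    ranked = [p for p in preference if p in measurements] + \
             [p for p in measurements if p not in preference]
    for path in ranked:
        if not measurements[path].violations(sla):
            return path, "sla-conforming"
    fallback = min(ranked, key=lambda p: (len(measurements[p].violations(sla)),
                                          measurements[p].delay_ms))
    return fallback, "no-conforming-path"


def steer_all(apps, measurements):
    """Per-application placement table as the NSG would apply it."""
    return {app: select_path(app, measurements) for app in apps}


if __name__ == "__main__":
    for app, decision in steer_all(["Voice", "Video", "Email"], MEASUREMENTS).items():
        print(app, decision)   # Voice -> IPVPN, Video and Email -> Internet
```

The "no-conforming-path" reason is worth logging separately from normal steering decisions: a burst of them on one site is the signal that both transports are degraded rather than that the policy is doing its job.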
APPLICATION AWARE ROUTING: PROBES/RESPONDERS
[Figure: probe/responder combinations: Full-mesh NSG-to-NSG OWAMP probe; Hub-Spoke with Shadow-responder; Any-IP responder with IP RTT probe (e.g. www.google.com); Third-party responder with TWAMP RTT probe (e.g. 7750 SR); Server application responder. Platforms shown: NSG-E, NSG-C, NSG-F, NSG-X, NSG-E or BYOD. Availability labels: R4.0R4 GA and Subsequent releases]
APPLICATION AWARE ROUTING: USE CASES
• ToD scheduled monitoring – known applications / known subset of sites (PPS mode, known apps on both NSGs); e.g. video conference meeting
• Known applications / unknown sites – 1st packet trigger (PPS mode, known apps); e.g. VoIP call between users
• “I would like to discover which applications are running at my site” – Discovery mode, unknown apps; e.g. detect branch applications
• “I would like to monitor custom apps independent of destination” – PPS mode, custom apps, unknown destinations; e.g. enterprise in-house developed applications
THANK YOU