SD-WAN / Nuage VNS - Technical Deep Dive -...

SD-WAN / Nuage VNS - Technical Deep Dive

Roman Pindrik, Nokia ION RBC

© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture.



NOKIA — PROPRIETARY AND CONFIDENTIAL — RESTRICTED — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.

TTP36009 Nuage Networks Virtualized Network Services (VNS) Fundamentals

AGENDA

SDN and SD-WAN Concepts

Virtualized Network Services (VNS) Portfolio

Overview and Architecture

Components (VSD, VSC, VRS, Gateways, NSG, VSAP)

Deployment Models, Key Functionality, and Use Cases



ENTERPRISE NETWORKING NEEDS A RETHINK

TRANSPORT DEPENDENT

LOCATION DEPENDENT

DEVICE DEPENDENT

MANUAL (TIME ‘DEPENDENT’)

ENTERPRISE WAN

1. Turn-up a new site

2. Reconfiguration of existing site

3. Transport introduction/upgrades

4. L2-L4 VPN service configuration

5. Security implementation

6. Security assessment

7. L4-L7 application insertion

8. Datacenter interconnection

9. Operational moves/adds/changes

10. Service assurance/fault localization

11. Service optimization/fault prevention

12. Device replacement

13. Configuration auditing/compliance

14. . . .


WHAT IS SD-WAN?

SD-WAN (Software Defined Wide Area Networks) is a new model for the delivery of Enterprise services over WAN based on SDN principles

Overlay offers transport choices

IT-approach to network service delivery

SD-WAN promises to shift incremental control to enterprise IT


IMAGINE IF…

Private Cloud

Internet

On-Net

ANY Network

Branch offices

Enterprise WAN

SEAMLESS on-boarding

ANY access

General Purpose hardware

New fulfillment models

Public Cloud

Automated operations

Automated

Instantaneous policy-driven modifications

Simplified fulfillment and management

Freedom of choice

Open

ONE COHESIVE ENVIRONMENT: FROM BRANCH TO WAN TO DATA CENTER


VNS 3.2 Recap

Connectivity and Operations
• Group-key encryption
  – Integrated key server
• Dual uplink support
• Internet breakout
• NSG HA device/link models
• Dynamic NAT traversal

Operations
• Controller-based CLI
• VSAP integration
• Traffic mirroring
• Controlled NSG local SSH access

Application support
• Dynamic service insertion
• Multi-class of service QoS
• Address Translation (NAT/PAT)

Open platform
• Form factors
  – NSG-E (6-port GE UTP)
  – NSG-V (KVM and ESX)
• Bootstrapping
  – PKI support X.509 certs
• Hardware integration
  – Trusted platform module
  – Crypto engine acceleration

Release 3.2
• Q2 2015


VNS Rel4.0R1 – R3 Recap

Connectivity and Application Support
• VLAN on Uplink
• NSG HA device/link models
• PPPoE on Uplink
• NSG onboard BGPv4
• CE-PE
• CE-CPE

Operations
• Controller-less Operations (Phase1)
• VSD License Enhancements
• VSD and NSG UI Self Branding
• PAT Enhancements
• Per uplink address translation pool
• Per uplink NAT-T flag
• “Start:Stop” Address Translation Pool range definition
• Static port forwarding for incoming traffic

Open platform
• AWS AMI NSG-V Image
• Auto Config (Bootstrapping)
• TPM Status
• IPSec (IPoESP) IKEv1 v2
• SSH Hardening (phase1)
• Passwordless Login SSH keys
• Configuration Support for limiting Access

Release 4.0r1
• Q2 2016


PROMISE OF SD-WAN: YOUR WAN ON YOUR TERMS

Centralized Management and Network Policy Engine

Fixed and Mobile Access Networks

Software Defined Wide Area Network

[Diagram labels: IP-VPN; Private IP; Internet; L2-VPN; Business Internet; Branch locations]


VNS: A NEW TYPE OF VPN


OVERLAY NETWORKS: DECOUPLING SERVICE AND TRANSPORT

VNS is an SDN overlay solution

VSC programs data plane for all NSGs

Aware of all L2/L3 topology behind each NSG

Calculate once, program many

CPE becomes service instantiation point

Smart edge principle

VXLAN/VXLAN-IPsec service transport

Full mesh capability

Traffic is carried encapsulated over underlay network

Underlay network could be any infrastructure

Unaware of topology of overlay service

Simplifies and enables service chaining

New service introduction


OVERLAY SOLUTIONS

To address the requirements in the previous slides, VNS uses a VXLAN based overlay solution.

An overlay network is a virtual abstraction (L2 or L3 service) built on top of an existing physical network.

Overlay solutions fall under two main categories:

Network-centric overlays

Examples: VPLS, PBB-VPLS, SPBM, TRILL

Diminishing popularity due to one or more of:

MAC address, VLAN scaling

STP dependency, flooding limitations

Hardware/software requirements

Standards compatibility

Host-centric overlays

Examples: VXLAN, NV-GRE, STT, etc.

Increasing popularity due to one or more of:

Automated and simple VM provisioning

VM mobility

Scaled multi-tenancy


INFRASTRUCTURE (UNDERLAY) NETWORK

Physical IP network

Provides connectivity between IP routers and connected edge devices

Routing tables set up using OSPF, ISIS, BGP, static routes

Can provide other IP services. For example:

QoS

Multicast

ECMP

VXLAN (or any other overlay protocol) is encapsulated in IP packets and carried over the IP underlay


OVERLAY NETWORK

An overlay network is a separate network built on top of an existing infrastructure (underlay) network

Simplifies provisioning because the underlay does not change

Overlay traffic is ‘tunneled’ over the underlay network


VXLAN/EVPN OVERLAY VS. MPLS-BASED VPN

Overlay networks are not new: Layer 2 and Layer 3 VPNs have been implemented in IP/MPLS networks to connect customer sites in an isolated and scalable manner for many years


VXLAN ENCAPSULATION

VXLAN (virtual extensible LAN) characteristics:

Defined in IETF RFC 7348

Provides Layer 2 overlay networks over a Layer 3 network

Allows for 16 million tenant IDs as opposed to 4 thousand VLANs

Inherent load balancing support in the DC network through ECMP using UDP source port hashing

Tunnel encapsulation/decapsulation performed by VTEP (virtual tunnel endpoint) capable devices

Most server NIC vendors and DC vendors have announced support for VXLAN
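
The header fields and VTEP behaviour listed above, as an added Python example (not part of the original slides or of Nuage software). It builds and parses the 8-byte RFC 7348 header, derives the UDP source port from the inner Ethernet header for ECMP, and shows a receiving VTEP dropping frames whose VNI it has not been provisioned with. The VNI values, the provisioned set, the sample frame and the use of CRC32 as the hash are assumptions made for illustration.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789                    # IANA-assigned destination port (RFC 7348)
VXLAN_FLAG_I = 0x08                      # "VNI valid" flag, must be 1
VNI_MAX = (1 << 24) - 1                  # 24-bit VNI: 16,777,216 IDs vs. 4094 usable VLANs
SRC_PORT_LO, SRC_PORT_HI = 49152, 65535  # source-port range recommended by RFC 7348


class VxlanError(ValueError):
    """Raised when bytes cannot be a valid VXLAN header."""


def build_header(vni):
    """Return the 8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise VxlanError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_header(udp_payload):
    """Parse a UDP payload as VXLAN; reject short input and a clear I flag."""
    if len(udp_payload) < 8:
        raise VxlanError("truncated: VXLAN header is 8 bytes")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    flags = word0 >> 24
    if not flags & VXLAN_FLAG_I:
        raise VxlanError("I flag clear: VNI is not valid")
    # RFC 7348: reserved bits are zero on transmit and ignored on receipt,
    # so they are reported for monitoring rather than used to reject the frame.
    reserved = (flags & 0xF7) | (word0 & 0xFFFFFF) | (word1 & 0xFF)
    return {"vni": word1 >> 8, "reserved_nonzero": reserved != 0,
            "inner": udp_payload[8:]}


def entropy_source_port(inner_frame):
    """Map the inner Ethernet header to a UDP source port so that underlay
    ECMP spreads different inner flows over different paths.
    CRC32 is an assumption here; each VTEP implementation picks its own hash."""
    digest = zlib.crc32(inner_frame[:14])
    return SRC_PORT_LO + digest % (SRC_PORT_HI - SRC_PORT_LO + 1)


def vtep_receive(udp_dport, udp_payload, provisioned_vnis):
    """Decapsulation decision of a receiving VTEP: (verdict, detail)."""
    if udp_dport != VXLAN_UDP_PORT:
        return ("ignore", "not VXLAN")
    try:
        hdr = parse_header(udp_payload)
    except VxlanError as exc:
        return ("drop", str(exc))
    if hdr["vni"] not in provisioned_vnis:
        return ("drop", f"VNI {hdr['vni']} not provisioned on this VTEP")
    return ("accept", hdr["vni"])


# Constructed sample data: inner Ethernet frame (dst MAC, src MAC, IPv4 ethertype).
INNER = bytes.fromhex("020000000002" "020000000001" "0800") + b"constructed-payload"
PROVISIONED = {5001, 5002}               # hypothetical tenant VNIs on this VTEP


def run_samples():
    samples = [
        (VXLAN_UDP_PORT, build_header(5001) + INNER),   # provisioned tenant
        (VXLAN_UDP_PORT, build_header(7777) + INNER),   # unknown tenant ID
        (VXLAN_UDP_PORT, bytes(8) + INNER),             # I flag not set
        (VXLAN_UDP_PORT, b"\x08\x00\x00"),              # truncated header
        (53, build_header(5001) + INNER),               # different UDP service
    ]
    return [vtep_receive(port, data, PROVISIONED) for port, data in samples]


if __name__ == "__main__":
    print("source port for sample flow:", entropy_source_port(INNER))
    for verdict in run_samples():
        print(verdict)
```

VXLAN itself carries no authentication or encryption, so the VNI check only separates tenants among trusted VTEPs; over an untrusted underlay the deck's VXLAN-IPsec transport is what protects the tunnel.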


VXLAN PACKET FORMAT


VXLAN TRAFFIC FLOW EXAMPLE


SDN CONTROLLER: AUTOMATION AND FLEXIBILITY THROUGH CENTRAL CONTROL

SDN controller:

Communicates with the NSG using OpenFlow protocol

MAC/IP addresses learned on LAN ports are reported to the controller

Loads the forwarding information to all the NSGs


VNS: SD-WAN VXLAN-BASED VPN

Control plane: OpenFlow and BGP EVPN

Data plane: VXLAN

NSGs forward directly between each other using VXLAN as overlay

Underlay network: VXLAN traffic (IP packets) between endpoints

Data plane can be further encapsulated if needed


VNS ARCHITECTURAL REPRESENTATION

[Diagram labels: Virtualized Services Directory (VSD); Virtualized Services Controller (VSC); Hypervisor; VM; Branch; Secured channels; MP-BGP; RR; IP; Internet]


VSP/VNS: A UNIFIED SDN SOLUTION


NUAGE NETWORKS VIRTUALIZED SERVICES PLATFORM (VSP)

[Diagram labels: Management Plane (Virtualized Services Directory); Control Plane (Virtualized Services Controller); Data Plane (Virtual Routing & Switching, Network Services Gateway, 7850 VSG); Edge router; WAN/INT; 7x50 DC Gateway; IP Fabric; 5620 SAM with VSAP; OSS / Orchestration; BMS; Containers; VMs; 3PP ToR; Datacenter SDN; SDWAN. Protocol labels: REST; XMPP; MP-BGP; OF; OF-TLS; OVSDB; SNMP; VXLAN; VXLAN(oIPSec); Port / VLAN]

Nuage Networks Virtualized Services Platform (VSP)

Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics

Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set

Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets

Network Services Gateway (NSG)
• Network service platform for branches
• L2-L4 Switching/routing w/advanced network functions
• Physical or Virtual form-factors


PLACEMENT OF VNS AND VSP COMPONENTS

Management Plane: VSD
• Programmable policy engine
• Northbound interface
  – Cloud management systems (example: OpenStack)
  – Dedicated self-service portals

Control Plane: VSC
• Provides routing and switching controls
  – For virtual machines in a datacenter (VSP)
  – For branch hosts/devices (VNS)

Data Plane
• VRS, VRS-G, VSG (for VSP)
• NSG (for VNS)


NUAGE VNS CORE COMPONENTS AND INTERFACES

[Diagram labels: MPLS; Internet; VSD; VSD-N; VSC; VSC Utility; NSG; NSG-V/BR; RR; OSS; VSAP; NTP; DNS; PE; ENT FW; DMZ; Control Infrastructure; Trusted; Untrusted]

Interfaces and ports shown on the diagram:
• SNMP: UDP 161 (from SAM) / 162 (to SAM)
• XMPP/XMPP-TLS: TCP 5222 (VSC/Utils->VSD)
• BGP: TCP dPort 179, sPort 1023
• HTTPS: TCP 11443/12443
• Stats: TCP 39090
• RPC/Nuagemon: TCP 7407 (NSG->VSC)
• NTP: UDP 123 (NSG->VSC, VSC->NTP)
• HTTPS: TCP 7443
• OF-TLS: TCP 6633 (NSG-VSC)
• DTLS: UDP 4500 4789 (NSG->VSC)
• DNS: UDP 53
• SSH to VSC assumed over Mgmt interface


VIRTUALIZED SERVICES DIRECTORY (VSD)


VSD CLUSTER DEPLOYMENT


VSD SERVICE ABSTRACTIONS

Domain

Equivalent to a single Nuage Networks dVRS instance

In standard networking terminology, a domain maps to a VRF instance

A logical distributed router that enables L2 and L3 communication

Zone

A set of network endpoints that must adhere to the same security policies

Subnet

In standard networking terminology, a subnet is instantiated as a R-VPLS instance

vPort

Can be explicitly created or auto-discovered

Attached to VMs, host and bridge interfaces which are mapped to NSG access ports


VSD MULTI-TENANT ARCHITECTURE

Cloud service provider administrator (csproot) can create different enterprise definitions for each tenant.

Each tenant can create their own user groups, domains and policies on the VSD.


SELF-SERVICE NETWORK SERVICE DELIVERY

[Diagram labels: Customer Portal; Network Services Catalogue; Order Branch Equipment; Select VNS Service; Nuage Networks VNS Solution; Fixed and Mobile Access Networks; Customer A - Software Defined Network Service; IP-VPN; Private IP; Internet; L2-VPN; Business Internet; Customer locations; Public clouds; Private clouds]

The new operational model

Users can turn up new services on demand

Non-specialized personnel can turn up a site in 10 minutes or less


VIRTUALIZED SERVICES CONTROLLER (VSC)


VIRTUAL ROUTING AND SWITCHING (VRS)


VRS COMPONENTS

The VRS consists of two main components:

The VRS Agent: Nuage Networks-specific component that talks to the VSC using OpenFlow.

The Open vSwitch (OVS): Provides the switching and routing components, as well as the tunneling mechanisms to forward the traffic.


VRS AGENT

Nuage Networks-specific component that talks to the VSC using OpenFlow

Responsible for receiving and programming the actual L2 and L3 FIBs to allow communication:

Between local VMs

Between local VMs and remote hosts using tunnels

Replies to all ARP requests (no flooding)

Acts as a DHCP proxy server for the VMs

Reports VM events to the VSC

Downloads QoS policies and ACLs for VM traffic

Handles statistics collection and reporting


VXLAN GATEWAYS: SOFTWARE OR HARDWARE

Software

VRS-G is a VM

Or runs on an x86 server

Hardware

7850 VSG

960 Gbps capacity

32 x 10G + 16 x 40G

VXLAN encapsulation at line rate

Both:

Control plane is integrated with VSC/VSD for automated VLAN/VXLAN mappings

L2 and L3 capable


VIRTUAL ROUTING AND SWITCHING GATEWAY (VRSG)


NETWORK SERVICES GATEWAY (NSG)


• Network Services Gateway is the VNS service delivery point for IP networking

- Logical entity with physical and virtual appliances

- Flexible physical form factors to meet different on-premises requirements

- VM edition to support cloud CPE environments

- Centrally managed through VSP environment as a fully automated endpoint

• Intel X86 based

- Leverage off-the-shelf hardware components

- Intel QuickAssist and AES-NI for encryption and forwarding acceleration

• Linux OS with Nuage VRS/NSG software

- Flexible embedded network and management services

- Secured, hardened management (SYSLOG, NTP, OF-TLS)

• Supports high scale L2 and L3 VPN service deployment

7850 NSG-E


NSG INSTANTIATION (ENTERPRISE LEVEL)


USING THE NSG

Page 44: SD-WAN / Nuage VNS - Technical Deep Dive - Articsnokia.artics.com/materials/SD_WAN_Nuage_VNS_Technical_Deep_Di… · SD-WAN / Nuage VNS - Technical Deep Dive ... •AWS AMI NSG-V

44NOKIA — PROPRIETARY AND CONFIDENTIAL — RESTRICTED — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.

TTP36009 Nuage Networks Virtualized Network Services (VNS) Fundamentals

VNS 3.2 Recap

Connectivity and Operations • Group-key encryption– Integrated key server

• Dual uplink support• Internet breakout• NSG HA device/link models• Dynamic NAT traversal

Operations• Controller-based CLI• VSAP integration• Traffic mirroring• Controlled NSG local SSH access

Application support• Dynamic service insertion• Multi-class of service QoS• Address Translation (NAT/PAT)

Open platform• Form factors– NSG-E (6-port GE UTP)– NSG-V (KVM and ESX)

• Bootstrapping– PKI support X.509 certs

• Hardware integration– Trusted platform module– Crypto engine acceleration

Release 3.2• Q2 2015

VNS Rel4.0R1 – R3 Recap

Connectivity and Application Support
• VLAN on Uplink
• NSG HA device/link models
• PPPoE on Uplink
• NSG onboard BGPv4
• CE-PE
• CE-CPE

Operations
• Controller-less Operations (Phase1)
• VSD License Enhancements
• VSD and NSG UI Self Branding
• PAT Enhancements
• Per uplink address translation pool
• Per uplink NAT-T flag
• “Start:Stop” Address Translation Pool range definition
• Static port forwarding for incoming traffic

Open platform
• AWS AMI NSG-V Image
• Auto Config (Bootstrapping)
• TPM Status
• IPSec (IPoESP) IKEv1 v2
• SSH Hardening (phase1)
• Passwordless Login SSH keys
• Configuration Support for limiting Access

Release 4.0r1
• Q2 2016

VNS Application Aware Routing (AAR)

Application Discovery (AD)
• Monitoring and classification of application traffic coming into the access ports of an NSG
• Signature-based L7 classification (e.g. Skype, Facebook, Google, etc.). A library with signatures is bundled with the NSG software
• Customized classification based on source/destination IP address, source/destination L4 ports, L4 protocol (TCP/UDP)

Network Performance Measurement (NPM)
• Health metrics of overlay network connections between NSGs in a domain using performance monitors with a specified network profile (DSCP value, payload size, traffic rate)
• Performance metrics include one-way packet loss, jitter and latency between the uplinks of different NSGs

Application Policy and Visualization (APV)
• Policy-driven intelligent path selection for application traffic based on one-way latency, jitter and packet loss measurements
• Path selection based on continuous probes and/or first packet detection
• Improve scalability with first packet detection

Combining VNS application capabilities

• The intelligent forwarding of application traffic across the Enterprise WAN, ensuring that pre-defined per-application performance metrics (i.e. SLAs) are persistently met

AD + NPM + APV (Application Discovery + Network Performance Measurement + Application Policy and Visualization)

1. Identify the Video Conferencing application flow to known destination, NSG at Site 2
2. Measure path performance metrics over both uplinks
3. Steer Video Conferencing application flows over a SLA-compliant path

[Diagram labels: Site 1; Site 2; NSG-BR; Voice, Video, Email flows; Path 1 – low latency/variation/loss; Path 2 – higher latency; Performance Measurement per Path – Delay, Delay Variation, Loss, BW]

AAR Specifics

• Probes have user-defined Payload, Rate and FC.
• Encapsulation of Probe is with VXLAN header (no Encryption)
• Default Probe is set with an MTU of 512B, rate is 1 packet every 10 secs with Best Effort Forwarding class (these values can be modified if needed).
• Lowest enforced limit today is 10 probes per second (100mSec).
• For APV related probes, there is an idle timeout of 150 seconds after which the probe session is terminated - for 1st pkt.
• NPM probe results are reported via stats channel
• Dampening Hard Coded to 30 Seconds today
• Sampling frequency - Packet Loss, every 3 times probe sample. So with a probe Interval of 1/sec, packet loss is calculated every 3 secs (3 x Probe Interval).
• Sampling Frequency - Jitter/Delay, every packet.

AAR Visualization – Enterprise Top 5 APM groups

Accessed via Organization > Stats

Graphical Representation:
• Applications identified ranked by Total Bytes

AAR Visualization – Enterprise Top 10 Applications

Accessed via Organization > Stats

Fields Reported:
• Domain
• APM Group
• Application
• L7 Classification
• Sum of Total MB

Note: Statistics can be exported Raw or Formatted (csv)

AAR Visualization: Applications – NSG Bytes

Accessed via Organization > Domain > Infra

Graphical Representation:
• Applications identified ranked by Total Bytes

NSG Border Router (NSG-BR)

• Function:
- Allow underlay next-hop addresses (VTEP addresses) to use non-globally routable IP addresses, i.e. to allow for underlay addresses not to be leaked between the data-centre and wide-area environments

• Problem statement
- DC connectivity (trusted underlay) to the IPsec encrypted branch offices (untrusted underlay)
- Book-end underlays with NSG or use IKEv2
- VLAN hand off to PE, VRS-G and/or NSG

• NSG Border Router
- Logical function only
- Support on NSG-X and NSG-V
- Egress tunnel shaping
- Unified policy from SD WAN to DC
- Demarcation point between underlays
- Multi-tenancy

NSG-BR – resiliency
- Active-active – ECMP
- Active-standby – Priority Groups

[Diagram labels: NSG-1, NSG-2, NSG-3, NSG-BR, VRS-1; Service overlay; DC; WAN; VXLAN; VXLANoIPsec]

NSG-BR – Border Port

▪ Border Router Port
▪ New port type
▪ DC underlay IP interface
▪ VLAN + Static IP
▪ VXLAN
▪ vPort/VLAN/BGP
▪ Multi-Tenant

Legend: NP = Network Port, BRP = Border Router Port

[Diagram labels: NSG-1, NSG-2, NSG-BR (NP1, NP2, BRP1), VRS-1, VRS-2; Branch vPort, DC vPort, link; Branch Domain, DC Domain; DC, WAN; VXLAN, VXLANoIPsec]

PAT to Overlay
Distributed PAT – Remote Domain

▪ Distributed PAT
▪ Multiple PAT Pools
▪ Routable in destination domain
▪ Assign IP per NSG in Source domain
▪ Pool address management by VSD
▪ Local and Remote Shared domain
▪ Use Case: hosted service, B2B

[Diagram labels: Source Domain1 with NSGs (SUB1, SUB2), each doing PAT to IP1/32, IP2/32, IP3/32; PAT Pool IP1-IPn; Shared Domain with NSG (SUB1, SUB2, SUB3, SUB4)]

PAT to Overlay
Distributed PAT – Local Domain

▪ Shared Domain subnets exist locally on the NSG
▪ Use case: local shared resource (e.g. Printer)

[Diagram labels: Source Domain1 with NSGs (SUB1, SUB2, SUB3), each doing PAT to IP1/32, IP2/32, IP3/32; PAT Pool IP1-IPn; Shared Domain (SUB1, SUB2, SUB3, SUB4)]

PAT to Overlay
Topologies

▪ Multiple Source domains
▪ Overlapping IP addressing
▪ Source domain addressing
▪ Source and PAT pool addressing
▪ Multiple Destination domains
▪ NOT Supported

[Diagram labels, first panel: vPort Source Domain 1 and vPort Source Domain 2, each with PAT, PAT Pool IP1-IP5 and PAT Pool IP6-IPn, towards Shared Domain. Second panel: vPort Source Domain 1 with PAT, PAT Pool IP1-IP5 and PAT Pool IP6-IPn, towards Shared Domain 1 and Shared Domain 2]

HEADLESS FORWARDING (Controller-Less Operation)

Definition: NSG in “Headless Mode”. Defined as an NSG that has no control plane connectivity to any VSC

Special Case: NSG loses all connectivity to the Key Server (VSD)

Failure Detection: OF-TLS timeout (3x5s)
IPsec Key Update Miss

Data Plane: IPSec or VXLAN

[Diagram labels: VSD (Policy), VSC (Control), NSG (Data); XMPP-TLS; OF-TLS; HTTPS (via Proxy); UNDERLAY-1, UNDERLAY-2; SINGLE UPLINK, DUAL UPLINK, DUAL UPLINK WITH REDUNDANT GROUP; LAN, LAN, LAN (VIP); BR; BGP]

Hybrid WAN – Disjoint Underlay Solution

• Typical use case driving the adoption of SD WAN technology
• Way to connect a geographically dispersed WAN over 2 or more separate network connections at a customer site
• Typically one is Business Internet type connectivity, the other a private MPLS based VPN service.
• Mandatory dynamic path selection for specific applications/application groups across ‘disjoint transport/underlay networks’
• Site to Site connectivity for Branches
• Single connection to either the Internet or the Private MPLS based VPN
• Dual homed sites to both underlays
• Resilience in the event of loss of one of the network uplinks.

By using this approach, a hybrid WAN can give organizations a more versatile and cost-effective way to connect their offices while still relying on dedicated links to send mission-critical data and provide secure network resilience.

VNS Topologies Supported

[Figure: four topology panels, each showing Site 1 and Site 2. Panel titles: Private Network – Overlay Service (MPLS VPN); Internet – Overlay Service (Internet); Hybrid WAN – Overlay Service (MPLS VPN and Internet, NSG-BR); MPLS VPN Inter-Working (MPLS VPN, Internet, NSG-BR, MPLS CE, BGP Multi-tenant). Legend: Private IP Addressing (Overlapping); Public IP Addressing; SD WAN Overlay Service]

MULTI-TENANT DISJOINT UNDERLAYS

BR:
• NH Context per underlay to avoid overlapping IP addresses
• Multi-tenant Routing table per customer

HA Proxy:
• NH Context per underlay
• Single DNS name and globally unique IP address is used for the proxy across all underlays with no overlaps

VSC:
• Multi-interface VSC using ESXi/trunk ports
• Support 100 interfaces/VSC (Target)

The Hybrid WAN use case must be able to support connectivity to sites whose NSGs are only connected to either uplink but not both. It should also support the case where the connection to transport “A” fails at one site and the connection to transport “B” fails at the other site.

[Diagram labels: Separate Routing Context; Underlay-1 Internet; Underlay-2 VRF-cust1; Underlay-X VRF-custX; NSG-c1, NSG-cX; VSC; HA Proxy; uBR-1, uBR-2; VLAN/BGP per Tenant; interface labels U1-1, U1-2, U1-3, U2-1, U2-2, B1-1, B1-2, B1-3, B2-1, B2-2, B2-3, C1-1, C1-2, C1-3; subnet S1]

NSG-BR/DISJOINT UNDERLAY Connector
• Base Principle: Logical Representation – Route Table

Routing Table NSG-1

Prefix    NH-ID
S1        local
S2        NSG-2
S3        NSG-3
S4        BR-1, BR-2
Default   NSG-2

NH-ID     NH       tag
NSG-2     U2-1     Underlay-1/Pref 1
          (B1-1    Underlay-1/Pref lowest)
          (B2-1    Underlay-1/Pref lowest)
NSG-3     B1-1     Underlay-1/Pref lowest
          B2-1     Underlay-1/Pref lowest
BR-1      B1-1     Underlay-1/Pref lowest
BR-2      B2-1     Underlay-1/Pref lowest

S1->S2 via underlay-1 NH U2-1
S1->S3 via BR-1 or BR-2
S1->S4 via BR-1 or BR-2
S1->default via underlay-1 NH U2-1

Routing Table NSG-3

Prefix    NH-ID
S1        BR-1, BR-2
S2        NSG-2
S3        local
S4        BR-1, BR-2
Default   NSG-2

NH-ID     NH       tag
NSG-2     U2-2     Underlay-2/Pref 2
          (B1-2    Underlay-2/Pref lowest)
          (B2-2    Underlay-2/Pref lowest)
BR-1      B1-2     Underlay-2/Pref lowest
          B1-3     Underlay-3/Pref lowest
BR-2      B2-2     Underlay-2/Pref lowest
          B2-3     Underlay-3/Pref lowest

S3->S1 via BR-1 or BR-2
S3->S2 via underlay-2 NH U2-2
S3->S4 via BR-1 or BR-2
S3->default via underlay-2 NH U2-2

[Diagram labels: Underlay-1, Underlay-2, Underlay-3; NSG-1, NSG-2, NSG-3; VSC-1, VSC-2, VSC-3; uBR-1, uBR-2; uplinks U1-1, U2-1, U2-2, U3-2, U3-3; border ports B1-1, B1-2, B1-3, B2-1, B2-2, B2-3; subnets S1, S2 + Default, S3, S4]

NSG-uBR Phase 1 – Path Preference

• uBR as Last resort only
• Path to NSG via direct attached underlays always preferred

[Diagram labels: Path Preference; Underlay-1, Underlay-2, Underlay-3; NSG-1, NSG-2, NSG-3; uBR-1, uBR-2; uplinks U1-1, U2-1, U2-2, U3-2, U3-3; border ports B1-1, B1-2, B1-3, B2-1, B2-2, B2-3; "Always preferred" marked on the direct path]
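The two-stage lookup from the route-table slide (prefix to NH-ID, NH-ID to tagged next hops) combined with the "uBR as last resort" rule, as an added example that is not Nuage code. The table contents are copied from the slide; treating a smaller preference number as more preferred, the integer used for "Pref lowest", and the `down` set used to simulate failed next hops are assumptions.

```python
from dataclasses import dataclass

PREF_LOWEST = 10_000  # stands in for "Pref lowest" on the slide (value is an assumption)


@dataclass(frozen=True)
class NextHop:
    address: str   # underlay address label as drawn on the slide, e.g. "U2-1"
    underlay: str  # underlay tag from the slide
    pref: int      # assumption: a smaller number is more preferred


def nh(address, underlay, pref=PREF_LOWEST):
    return NextHop(address, underlay, pref)


@dataclass
class Nsg:
    name: str
    prefixes: dict   # prefix -> "local" or list of NH-IDs
    next_hops: dict  # NH-ID -> list of NextHop

    def resolve(self, prefix, down=frozenset()):
        """Return the usable underlay next hops for a prefix, best preference only.

        Unknown prefixes follow the Default entry. Several addresses in the
        result mean equal preference (candidates for ECMP); an empty list
        means the prefix is unreachable.
        """
        nh_ids = self.prefixes.get(prefix, self.prefixes["Default"])
        if nh_ids == "local":
            return ["local"]
        alive = [hop for nh_id in nh_ids for hop in self.next_hops[nh_id]
                 if hop.address not in down]
        if not alive:
            return []
        best = min(hop.pref for hop in alive)
        # Keep slide order and drop duplicates (BR ports appear under several NH-IDs).
        return list(dict.fromkeys(h.address for h in alive if h.pref == best))


# Routing Table NSG-1, as on the slide.
NSG1 = Nsg(
    "NSG-1",
    prefixes={"S1": "local", "S2": ["NSG-2"], "S3": ["NSG-3"],
              "S4": ["BR-1", "BR-2"], "Default": ["NSG-2"]},
    next_hops={
        "NSG-2": [nh("U2-1", "Underlay-1", 1),
                  nh("B1-1", "Underlay-1"), nh("B2-1", "Underlay-1")],
        "NSG-3": [nh("B1-1", "Underlay-1"), nh("B2-1", "Underlay-1")],
        "BR-1": [nh("B1-1", "Underlay-1")],
        "BR-2": [nh("B2-1", "Underlay-1")],
    },
)

# Routing Table NSG-3, as on the slide.
NSG3 = Nsg(
    "NSG-3",
    prefixes={"S1": ["BR-1", "BR-2"], "S2": ["NSG-2"], "S3": "local",
              "S4": ["BR-1", "BR-2"], "Default": ["NSG-2"]},
    next_hops={
        "NSG-2": [nh("U2-2", "Underlay-2", 2),
                  nh("B1-2", "Underlay-2"), nh("B2-2", "Underlay-2")],
        "BR-1": [nh("B1-2", "Underlay-2"), nh("B1-3", "Underlay-3")],
        "BR-2": [nh("B2-2", "Underlay-2"), nh("B2-3", "Underlay-3")],
    },
)

if __name__ == "__main__":
    print("S1->S2        ", NSG1.resolve("S2"))
    print("S1->S2, U2-1 down", NSG1.resolve("S2", down={"U2-1"}))
    print("S3->S1        ", NSG3.resolve("S1"))
```

With the direct next hop U2-1 marked down, NSG-1 falls back to the parenthesised border-router entries, which is the only case in which traffic between two sites sharing an underlay crosses the uBR.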

VNS HW Family – expanding SD-WAN deployment Use cases

[Figure: NSG models plotted by use case/deploy location against throughput. Models: NSG-V, NSG-C, NSG-E, NSG-F, NSG-L, NSG-X / BR, Cloud NSG-AMI. Use cases/deploy locations: IoT; Small Branch (Soho); Small Branch & LAN; Medium Branch; Medium Branch & LAN; Large Branch, HQ; PoP & DC. Throughput axis: 10MB, 100MB, 500MB, < 1G, 2G, 5G, 10G, >10G. Status legend: Planned; Available. Dates shown: Launched Dec 2014; Launched Sept 2015; Planned 1H 2016; Planned Oct 2016; Planned Q4 2016; Planned 2017 (twice)]

7850 Network Services Gateways

Cloud | S/M Branch Sites | M/L Branch Sites / DC

NSG-V
• NSG-V KVM Image
• NSG-V ESXi Image
• NSG-V Amazon Machine Image (AMI)
• NSG-V Azure*

NSG-C
• Intel Atom-based (2C)
• 3 x 10/100/1000 BASE-T
• 2GB RAM
• 16GB Primary Storage
• Trusted Platform Module
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console

NSG-E
• Intel Atom-based (2C)
• 6x 10/100/1000BASE-T
• Trusted Platform Module
• Compact Flash storage
• 1X AC PSU
• 2X USB
• 1X RJ45 Serial Console

NSG-F*
• Intel Xeon D (4C)
• 4x 10/100/1000BASE-T
• 2x 1000BASE-x SFP
• 16GB RAM
• 32GB Primary Storage
• Trusted Platform
• 64GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console

NSG-X
• Intel Xeon D (8C)
• 2x 10GBASE-x SFP+ WAN
• 4+4 x 1000BASE-(T/SFP)
• 32G RAM
• 32G Primary Storage
• Trusted Platform Module
• 256GB SSD Secondary Storage
• 2X AC PSU
• 2X USB3.0
• 1X RJ45 Serial Console

NFV Capable
* Roadmap features

NSG-X – Specification

▪ Intel Xeon D-1548 8C, 2.0 GHz, 12MB Cache
▪ 2x 10GBASE-x SFP+ WAN
▪ 4+4 x 1000BASE-(T/SFP)
▪ Intel DH89xx Quick Assist
▪ 32GB RAM
▪ Primary Storage 32GB (m.2)
▪ Secondary Storage 256GB SSD
▪ TPM
▪ 2X AC PSU
▪ 2X USB (3.0)
▪ 1X RJ45 Serial Console

[Photo callouts: 2x10GbE; 4x1GbE; 4x1GbE; 3xFan; 2xPSU; Slot for future capabilities; PSU Alarm suppression; Console; 2xUSB; Intel QuickAssist]

NSG-C

▪ 4.0.R4 PoC support – Prototypes available
▪ 4.0.R6 Software Support
▪ End of November – Hardware availability – CP(DR4)

▪ Specification
▪ Intel Atom based
▪ BayTrail E3825 2C, 1.33GHz
▪ 3 x 10/100/1000BASE-T
▪ 2GB RAM
▪ 16GB mSATA MLC
▪ TPM
▪ Fanless
▪ 1X AC PSU
▪ 2X USB (2.0 and 3.0)
▪ 1X RJ45 Serial Console

[Photo callouts: 3x1000BASE-T; 1xUSB3.0; USB2.0; Serial Console; Soft Reset]

VNS 5.0 BIG ROCKS (2017 – EARLY PREVIEW)

• 4G/LTE WAN Uplink
• Dongle / Embedded*
• External Antenna
• VNFs on NSG (Thick CPE)
• Single VNF: Firewall / WAN Acceleration (initial target)
• Integrated WiFi (NSG-E)
• OSPF on Access
• IPv6 Underlay Support
• IPv6 Overlay Support
• Multiple VLANs on Uplinks
• NAT-T Enhancements
• Multicast (IGMP Overlay)
• …
• NSG Border Router+
• NSG Disjoint Underlay+
• Public Cloud (AWS Marketplace, Azure)

CPE Access / WAN Edge | DC Edge (Public/Private)

PERFORMANCE / SCALE / SECURITY | HARDWARE EVOLUTION

[Diagram labels: NSG-CPE; NSG-HUB; WAN Core; ENTERPRISE DATA CENTER]

* TBC

3G / 4G LTE – PLANS – EARLY INVESTIGATION

Q4 2016
• Demo / Limited Availability
• Dongle Based Integration
• Customer Specific Dongle Validation
• Features
• 1+1 Uplink Support (1LTE, 1WAN)
• Minimal VSD Integration

1H 2017
• GA Availability
• Customer Managed Procurement, Activation & Support
• Dongle Based Support
• Features
• 1 LTE Uplink Only or 1+1
• Circuit of Last Resort (2+1)*

*Stretch

VNFs on NSG (VAS) – EARLY INVESTIGATION

Goals:
• Support VM & Container FF VNFs
• Virtual FW, WAN Optimization
• Single vNF Phase1
• Minimal (common) workflow for VM & Containers managed via VSD
1. VNF Life Cycle Management
2. Service Insertion/Extensibility Framework
3. VNF Initialization & Configuration
4. OAM / VNF or SVC Health Check
• Support L2 & L3 Services
• HW: NSG-X or NSG-F

Phase I Plan (1H 2017):
• VNF Selection – VM FF / Virtual FW (TBD)
• VNF Life Cycle Management
• Image Mgmt, Resource Mgmt, Scheduler
• CloudInit / Blob-based Initialization (license management, management IP)
• Health-checks and Reporting
• L2 Service Insertion
• Single VNF in Service Chain
• Access side / Transparent service (bump in the wire)
• Symmetric Services
• Basic Failover Detection
• HW: NSG-X


AGENDA

SDN and SD-WAN Concepts

Virtualized Network Services (VNS) Portfolio

Overview and Architecture

Components (VSD, VSC, VRS, Gateways, NSG, VSAP)

Deployment Models, Key Functionality, and Use Cases

AUTOMATION AND FLEXIBILITY VIA CENTRAL CONTROL OF OVERLAY VPN SERVICES

• OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and provide notifications to the controller
- MAC/IP address learning on LAN ports is alerted to the controller
- Controller determines whether the MAC/IP is to be programmed into FIB

• Federation of topology between controllers via BGP-EVPN
- MAC and IP reachability signaled
- VXLAN VNI information combined with NEXT_HOP
- Interworking with IP/MPLS environments

[Diagram labels: NSG; VSC; OpenFlow; OVSDB; BGP EVPN; 10.1.0.0/24; 10.2.0.0/24; 10.3.0.0/24; 192.0.2.1; 192.0.2.3; 10.2.0.1/32 aa:bb:cc:dd:ee:ff]

OVERLAY VPN SERVICES

• A new way of delivering VPNs
• CPE forward directly between each other using VXLAN as overlay
- 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456
- 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz
• Underlay network sees only outer header IP/UDP traffic between endpoints
- Inner Ethernet header encapsulated with VXLAN header
- Traffic management = IP
- Transport = IP
• Simplifies service chaining
• Dataplane can be further encapsulated if needed

[Diagram labels: Overlay; Underlay; Overlay]
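What "inner Ethernet header encapsulated with VXLAN header" means on the wire, and which overlay fields stay readable in the underlay when the VXLAN payload is not wrapped in IPsec (the AAR probes are described as VXLAN without encryption). This is an added example, not Nuage code; the header layout follows RFC 7348, and the sample packet is constructed: VNI 123456 and the MAC aa:bb:cc:dd:ee:ff come from the slides, while the source MAC and host addresses are made up inside the slides' prefixes.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
FLAG_VNI_VALID = 0x08   # "I" flag: the VNI field is valid
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14


def vxlan_encap(vni, inner_frame):
    """Prefix an Ethernet frame with the 8-byte VXLAN header."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit value")
    # Word 0: flags (8 bits) + 24 reserved bits. Word 1: VNI (24 bits) + 8 reserved.
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def _mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def underlay_view(udp_payload):
    """Decode what is visible in cleartext inside a VXLAN UDP payload."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI is not valid")
    frame = udp_payload[VXLAN_HDR_LEN:]
    view = {
        "vni": word1 >> 8,
        "inner_dst_mac": _mac(frame[0:6]),
        "inner_src_mac": _mac(frame[6:12]),
    }
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0800 and len(frame) >= ETH_HDR_LEN + 20:
        ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
        view["inner_proto"] = ip[9]
        view["inner_src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
        view["inner_dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return view


def sample_packet():
    """Constructed sample: a host in 10.3.0.0/24 sending UDP to 10.1.0.0/24."""
    eth = (bytes.fromhex("aabbccddeeff")      # inner destination MAC (from the slides)
           + bytes.fromhex("020000000001")    # inner source MAC (made up)
           + struct.pack("!H", 0x0800))       # EtherType IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, 17, 0,   # minimal header, proto 17 = UDP
                       ipaddress.IPv4Address("10.3.0.20").packed,
                       ipaddress.IPv4Address("10.1.0.10").packed)
    return vxlan_encap(123456, eth + ipv4)


if __name__ == "__main__":
    for key, value in underlay_view(sample_packet()).items():
        print(f"{key:14} {value}")
```

The tenant VNI and the inner MAC and IP addresses are all recoverable from the UDP payload, which is the information the IPsec data plane removes from the underlay's view.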

MANAGED ROUTER SERVICE

• Re-think of existing MRS products to solve problems:
- CPE management and lifecycle
- CPE cost and performance
- Customer self care
- Basis for enabling Value Added Services

• Multi-tenanted VSP allows customers to self-manage their network and CPE
- VSD Architect or customer portal interface
- VSC is VPRN-aware and exists in multiple transport VPRNs
- NSG can operate in IP-mode or Overlay-mode

• Centralized VSP infrastructure with redundancy
- Distribute VSCs to multiple POPs
- Solved: CPE configuration management, time-to-implement
- Improves: CPE replacement, reduces truck-rolls
- Supports: vCPE/vCE architecture

[Diagram labels: IP-VPN; Customer Portal]

IPSEC OVERLAY DATA-PLANE

• Single-click to enable IPsec dataplane
• Hub-and-spoke (IKEv2) and/or full-mesh (Key-Server)
• Separation of key-computation from symmetric key-generation allows for fine-grained rekeying
• Maintains service and transport separation thus maintaining service attributes
• Per Tenant, Per-subnet encrypted forwarding flexibility
• IPsec Forwarding acceleration in NSG platform
• Support for dynamic NAT-T
• Sequence-based anti-replay
• Multi-tenanted Key-server as part of unified policy (VSD)
• Integrated PKI and device infrastructure provisioning
• Includes automation of all machinery:
- PKI for certificate management
- IPSEC infrastructure provisioning
- Security policies definition and distribution
- Revocation logic
- Visibility and monitoring

[Diagram labels: Overlay; Underlay; Overlay; VSD: Key-server and PKI; VSC: Re-keying and device authentication]

DUAL UPLINK AND TRAFFIC STEERING

[Diagram labels: Private Data Center (or HQ) with VSD and VSC; Enterprise admin; Site1 NSG; Site2 NSG; Voice; Video; ECMP across both links; Intelligent Traffic Steering; IP/MPLS WAN (Provider Network); Internet (3G/LTE, BB, etc.); Public Cloud, SaaS]

DUAL UPLINK AND FAILOVER

[Diagram labels: Private Data Center (or HQ) with VSD and VSC; Enterprise admin; Site1 NSG; Site2 NSG; Voice; Video; ECMP across both links; Intelligent Traffic Steering; Seamless Backup; failed link marked X; IP/MPLS WAN (Provider Network); Internet (3G/LTE, BB, etc.); Public Cloud, SaaS]

APPLICATION AWARE ROUTING

• Objective: Dynamically forward traffic to NSG network uplinks based on one-way measurement of overlay
- DPI based application classification
- OWAMP based synthetic traffic measurements
- Measure symmetric paths (not cross paths)
- Compare results to per application SLA
- Pick conforming path

[Diagram labels: Site 1 NSG; Site 2 NSG; IPVPN; Internet; Application Aware Routing; Voice, Video, Email flows; Path 1 – low latency/variation/loss; Path 2 – higher latency; Performance Measurement per Path – Delay, Delay Variation, Loss, BW]

Policies configured in VSD
Application-Groups, Applications, Application Probes, Application SLAs
Probe measurements can be triggered based on ToD or packet-detection
Attached to vPort to enable feature
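The "compare results to per application SLA, pick conforming path" step above, driven by the sampling rules from the AAR Specifics slide (loss computed every 3 probe samples, delay and jitter taken from every packet, 30-second dampening), as an added example that is not Nuage code. The SLA thresholds, path names and probe timestamps are constructed; modelling dampening as a hold-down that blocks any further path change for 30 s after a switch is an assumption, since the slide gives only the value.

```python
from dataclasses import dataclass
from typing import Optional

LOSS_WINDOW = 3       # slide: packet loss is computed every 3 probe samples
DAMPENING_S = 30.0    # slide: dampening is hard-coded to 30 seconds


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Probe:
    tx_s: float             # send timestamp, seconds
    rx_s: Optional[float]   # receive timestamp, None if the probe was lost


def window_metrics(window):
    """Return (latency_ms, jitter_ms, loss_pct) for one loss window."""
    delays = [(p.rx_s - p.tx_s) * 1000.0 for p in window if p.rx_s is not None]
    loss_pct = 100.0 * (len(window) - len(delays)) / len(window)
    if not delays:
        return None, None, loss_pct
    latency = sum(delays) / len(delays)
    # Jitter: mean absolute delay change between consecutive received probes.
    steps = [abs(b - a) for a, b in zip(delays, delays[1:])]
    jitter = sum(steps) / len(steps) if steps else 0.0
    return latency, jitter, loss_pct


def compliant(metrics, sla):
    latency, jitter, loss = metrics
    return (latency is not None
            and latency <= sla.max_latency_ms
            and jitter <= sla.max_jitter_ms
            and loss <= sla.max_loss_pct)


def steer(paths, sla, preferred, probe_interval_s=1.0):
    """Return [(time_s, chosen_path)], one decision per loss window.

    paths maps a path name to its probe list; all lists cover the same period.
    """
    current, last_switch, decisions = preferred, float("-inf"), []
    samples = min(len(probes) for probes in paths.values())
    for start in range(0, samples - LOSS_WINDOW + 1, LOSS_WINDOW):
        now = (start + LOSS_WINDOW) * probe_interval_s
        ok = {name: compliant(window_metrics(p[start:start + LOSS_WINDOW]), sla)
              for name, p in paths.items()}
        if now - last_switch >= DAMPENING_S:          # hold-down expired
            if not ok[current]:
                target = next((n for n in paths if ok[n]), current)
            elif ok[preferred]:
                target = preferred                     # revert when it conforms again
            else:
                target = current
            if target != current:
                current, last_switch = target, now
        decisions.append((now, current))
    return decisions


def make_probes(delays_ms, interval_s=1.0):
    """Constructed probe series: one probe per interval, None marks a lost probe."""
    return [Probe(i * interval_s, None if d is None else i * interval_s + d / 1000.0)
            for i, d in enumerate(delays_ms)]


# Constructed sample: path 1 drops one probe in three for 6 s, path 2 is slower but clean.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
MPLS = make_probes([20] * 12 + [20, 20, None] * 2 + [20] * 42)
INTERNET = make_probes([80] * 60)


def demo():
    return dict(steer({"mpls": MPLS, "internet": INTERNET}, VOICE_SLA, preferred="mpls"))


if __name__ == "__main__":
    for t, path in sorted(demo().items()):
        print(f"t={t:4.0f}s  voice -> {path}")
```

With a 3-probe window a single lost probe reads as 33% loss, so any loss threshold below that reacts to one drop; in this model the flow then stays on the second path for the full hold-down even though the first path recovers after six seconds.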

APPLICATION AWARE ROUTING
PROBES/RESPONDERS

[Diagram labels: Full-mesh; Hub-Spoke; OWAMP probe; IP RTT probe; TWAMP RTT probe; Any-IP responder (e.g. www.google.com); Third-party responder; Shadow-responder; Server application; NSG, NSG-E, NSG-C, NSG-F, NSG-X; NSG-E or BYOD; 7750 SR; R4.0R4 GA; Subsequent releases (three times)]

APPLICATION AWARE ROUTING
USE CASES

• ToD scheduled monitoring – known applications/known subset of sites
- e.g. Video conference meeting
- PPS mode; Known apps

• Known applications/unknown sites – 1st packet trigger
- e.g. VoIP call between users
- PPS mode; Known apps

• I would like to discover which applications are running at my site
- e.g. Detect branch applications
- Discovery mode; Unknown apps

• I would like to monitor custom apps independent of destination
- e.g. Enterprise in-house developed applications
- PPS mode; Custom apps; Unknown destinations

[Diagram labels: NSG; NSG X]


THANK YOU