Us navy network function virtualization 030316


Transcript of Us navy network function virtualization 030316

Page 1: Us navy network function virtualization 030316

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Virtualizing Network Services
Brenden Buresh
DC TSA, CCIE #2073
[email protected]
March 3rd, 2016

Page 2: Us navy network function virtualization 030316

Make it Fast and Easy To Create, Deploy, Operate, and Retire Resources and Capabilities

[Diagram labels: Business Problems (Simplification Candidates); Workflows: Common Workflows, Identify choke points; Tasks: Repeatable Workflows/Profiles; Things to fix & achieve: Simplification, Operationally, New Capabilities; Architectures]

Create, Deploy, Operate, and Retire Workflows:
• Places - Branch / Data Center / DMZ
• Employee / Partner
• Device / Thing
• Applications – SAAS, IAAS / COTS, client/server
• Customer / Tenant / Segment
• Collaboration - Meetings

Page 3: Us navy network function virtualization 030316

Traditional Non-Default Application Deployment Challenge

• Complex
• Costly
• Error prone
• Never remove policies
• Not secure

[Diagram: Traditional Network. Roles: Application Owner, IPAM Admin, Network Admin, WAN Opt Admin, Security Admin, ADC/App Admin, Monitor Admin, Virtual Admin, DC Network Admin. Management tools: Prime, 3rd Party WOCM, FWM, ADCM, vCenter, DCNM. Per-service configuration: vSwitch, WOC Class Policy, FW Class Policy, ADC Monitor QoS Policy, DNS, WCCP Redirect, VLAN, Route, SNAT, Span, VACL, ClassMap, vPath. Task: Configure Policy, Insert, Chain, Scale between Client and Server.]

Auto has ~10,000 applications with a ~10 year lifespan; 1000 applications are deployed & retired per year. ~10 applications/week are programmed and unprogrammed (20% are non-default behavior).

CLI was never intended to provide frequent policy change. Change control can't keep up!

Page 4: Us navy network function virtualization 030316

Identifying The Network Function Places

• Client Access Chains are on the perimeter of the access network
• Data center or Tenant Chains reside on the WAN or Internet edge of the data center
• Application Access Chains are in the server farm core with north/south traffic
• Application Interaction Chain is in the server farm access with east/west traffic
• Users, branches, extranet partners, and applications come and go
• Non-default application and user policies/configurations are constant, costly, and error prone
• Many users and applications require some experience, security, scale, or monitor service
• User and application interactions depend on the network and the myriad of network services
• Network functions/services are from many different vendors

[Diagram: Client / DMZ Access Chain; Data Center or Cloud/Tenant Access Chain; Application Access Chain; Application Interaction Chain (Web, App VM, DB, Mirror); WAN, Internet, Client, Servers]

Page 5: Us navy network function virtualization 030316

Network Function Virtualization (NFV)

Page 6: Us navy network function virtualization 030316

Network Function Virtualization Building Blocks

Hosting Nodes
– UCS B-series
– UCS C-series
– UCS M-series
– UCS Express
– CSP-2100
– CSX
– ISA 3000

Service Node (aka VNF)
– WAN Optimization Controllers (WOC) - WAAS
– Security: Firewall - ASA; NextGen Firewall - FirePower
– Application Delivery Controller (ADC)
– Application Performance Monitoring (APM) - NAM
– Secure Web Gateways - WSA
– Content Delivery Network - VDS-IS
– Application Components

Transport Nodes
– NX-OS: Nexus 9/7/6/5/3/2/1K
– IOS XE: ASR, CSR, Catalyst 4500, ISR 4400
– IOS XR: ASR 9000
– IOS: Catalyst 2/3/6K, ISR

Page 7: Us navy network function virtualization 030316

Service Nodes Contain One or More Service Functions

• Transport: Routing / VRF, Bridging, Virtual gateway, VPN
• Experience: QoS, Deep packet inspection, WAN optimization, Caching of files/objects, Application Response Time (ART), Netflow, Performance Routing
• Infrastructure Services: Voice/video, Directory, DNS, NAS, Lifecycle manager
• Applications: Business applications, IOT, Analytics, etc.
• Security: Firewall (L2-4), NextGen Firewall (L3-7), DDoS, IDS / IPS, Antivirus (AV), Data Leakage Prevention (DLP), Anti-Malware Protection, Content Filtering, User / Device AAA, Network Auth 802.1x, Segmentation Tags

Page 8: Us navy network function virtualization 030316

Service Node Standard Interface Meta Data - pt1

• Service Node: Vendor, Product, Category
• Place: Branch / Store / Bank; Data Center; Cloud / Service Provider / Data Center; Carrier Transit Data Center PoP / CO
• Performance: DPDK, SR-IOV, PCI Pass Through, VirtIO
• Form Factors: Physical, ESX, KVM, Hyper-V, Xen, Amazon AMI, LXC / Docker Container

Page 9: Us navy network function virtualization 030316

Service Node Standard Interface Meta Data – pt2

• Service Insertion
  Type: GoThrough Bridged, GoThrough Routed, GoTo VIP / Loopback, CopyTo
  Encapsulation: VLAN, VXLAN, NSH
  Clusters: WCCP, AppNav, vPath 2.0, SFC
• Config Controller Support: APIC Opflex, APIC Device Package, APIC-EM, ODL
• Life Cycle Manager: ESC, ESC-lite / VBO, Grapevine
• Programmability: CLI / SSH, SNMP, GUI HTTPS, REST API, OpenFlow, Netconf / Restconf / Yang, Integrated Confd, NCS Tail-f NED, Ubuntu / RHEL Openstack ML2 plugin

Page 10: Us navy network function virtualization 030316

Virtual Network Function VNF Catalog

• Inventory of all VNFs
  Cisco first
  3rd party as required
• Design/planning metadata
  Consumption availability by hypervisor (VMware, KVM, Microsoft, etc.) or cloud (AWS, Microsoft, etc.) - What service nodes are available on KVM?
  Service node functions - What service nodes can perform firewall function? What functions are missing from the physical?
  Service node performance gaps (Small Sourcefire VNF for vBranch)
  Performance best practices (i.e. SSL, networking, etc.)
  Service chaining - How can I chain the services?
  Orchestration - What VNFs have NSO NEDs or ACI device packages?
• Services support
  Feature impact on performance
  Optimizing the configuration of the platform or VNF for minimal resource consumption
• Automating consumption of VNFs in the distributed cloud
  Repository to supply Cisco and 3rd party VNFs with meta data to reduce risk of oversubscription

Page 11: Us navy network function virtualization 030316

Function Virtualization Validated Designs

Standard Interfaces Offer Flexibility AND Reduced Complexity

Page 12: Us navy network function virtualization 030316

Managing Complexity: SDN Is Simply Agent Based Management

[Chart: Number of Devices versus year, 1980–2020. Series: Client PC, Server, Wired Network, Wireless Network, each marked where it moved to agent management (Client Agent, Server Agent, AP Agent, Mobile Agent for IOS/Android, Meraki agent, Netconf/Yang, Opflex Agent).]

• 1993 – PCs transition from console to agent management
• 2001 – Wireless Access Points (AP) adopt agent management
• 2004 – Servers transition from console to agent management
• 2007 – Google Android and Apple IOS adopt cloud agent based management to achieve unprecedented growth
• 2015 – Network devices transition from console to agent management
• Support staff grows with device growth until agent based management is adopted

Page 13: Us navy network function virtualization 030316

Solution Components

Network Services Orchestrator (NSO)
Elastic Services Controller (ESC)
Configuration Daemon (Confd)
Openstack
Linux KVM

Page 14: Us navy network function virtualization 030316

Network Services Orchestrator (NSO)

Page 15: Us navy network function virtualization 030316

Network Service Orchestrator

[Diagram: YANG Device Model, NED, Service Models, X-Domain Service Models]

Industry leading capability in NG SP device management
Common mechanism for native interface to any HW / SW system
Abstraction of capabilities and services supported in a device or system via NED/YANG
Construct services independent of infrastructure – reduce workflow in SP infra

Page 16: Us navy network function virtualization 030316

VMS Orchestration Component Mapping

[Diagram labels: OSS/BSS; Service APIs; Customer Facing Services; Resource Facing Services; Service Interface; Network Services Orchestrator (NFVO); ESC Life Cycle Manager (VNF-M); SDN Controller OVS (DC Overlay); ODL/VPP*; OpenStack Virtualization (VIM); Infrastructure; Physical; VNFs: CSR, ASAv, vIPS, WSAv; SSH]

* Innovation Pod Only

Page 17: Us navy network function virtualization 030316

Network Services Orchestrator (NSO)

[Diagram: Service Intent -> Network Services Orchestrator (Service Manager, Device Manager, Network Element Drivers, Transaction Database (CDB), PnP Server / Open PnP) -> Domain Controller (i.e. ESC) over Rest/NetConf/Yang -> x86, ISR and Virtual devices; Zero Touch Deployment (ZTD)]

Open PnP: open method for ZTD access.
Transactional Database (CDB): allows full CRUD capabilities to Services.
Service Manager: interprets Service Intent with Service Instantiation Rules and derives configuration deltas.
Device Manager: manages derived and validated configurations in a transactional manner towards the derived infrastructure.
Network Element Drivers: abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation.
Service Models written in Yang: abstract the Service from the underlying physical devices.
Mapping Controller: maps the Service Intent to the Derived Device Topology. Known as "Fastmap".
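The three NSO ideas on this slide (a mapping from service intent to derived device configuration, a delta computed against the transaction database, and a transactional push to the devices) can be shown end to end in a small model. The following is an added example, not NSO code or a Cisco API: the service model, the device names, the configuration paths and the Ned class standing in for a Network Element Driver are all invented for the illustration.

```python
"""Toy model of the NSO pattern on the slide: a service intent is mapped to
per-device configuration ("Fastmap"), the delta against the transaction
database (CDB) is computed, and the delta is pushed to every device as one
transaction that is rolled back if any device rejects its part.

Added illustration, not NSO code. The service model, the device names and
the Ned class standing in for a Network Element Driver are all invented.
"""
from copy import deepcopy

# Constructed service intent: a customer VPN needing a VRF on each PE router.
SERVICE_INTENT = {"name": "cust-a-vpn", "rd": "65000:100", "endpoints": ["pe1", "pe2"]}


def fastmap(intent):
    """Map service intent to derived device config: {device: {path: value}}.

    A pure function of the intent, so the orchestrator can recompute and
    diff the derived config on every change instead of scripting deltas.
    """
    derived = {}
    for dev in intent["endpoints"]:
        derived[dev] = {
            f"vrf/{intent['name']}/rd": intent["rd"],
            f"vrf/{intent['name']}/enabled": "true",
        }
    return derived


def config_delta(current, derived):
    """Diff derived config against the CDB: {device: [(op, path, value)]}.

    Only the delta goes south; re-committing an unchanged intent is a no-op.
    """
    delta = {}
    for dev in sorted(set(current) | set(derived)):
        cur, new = current.get(dev, {}), derived.get(dev, {})
        ops = [("set", p, v) for p, v in new.items() if cur.get(p) != v]
        ops += [("delete", p, None) for p in cur if p not in new]
        if ops:
            delta[dev] = ops
    return delta


class Ned:
    """Stand-in for a Network Element Driver applying ops to one device."""

    def __init__(self, name, reject_paths=()):
        self.name = name
        self.config = {}
        self.reject_paths = set(reject_paths)  # simulated device-side rejection

    def apply(self, ops):
        for op, path, value in ops:
            if path in self.reject_paths:
                raise RuntimeError(f"{self.name} rejected {path}")
            if op == "set":
                self.config[path] = value
            else:
                self.config.pop(path, None)


def commit(cdb, neds, intent):
    """One transaction: map, diff, push, then record the result in the CDB.

    If any device fails, all devices are restored from the pre-commit
    snapshot and the CDB is left untouched, so the orchestrator's view of
    the service never diverges from what is actually on the devices.
    Returns (ok, delta).
    """
    derived = fastmap(intent)
    delta = config_delta(cdb, derived)
    snapshot = {name: deepcopy(ned.config) for name, ned in neds.items()}
    try:
        for dev, ops in delta.items():
            neds[dev].apply(ops)
    except RuntimeError:
        for name, ned in neds.items():  # roll back every device, not only the failed one
            ned.config = snapshot[name]
        return False, delta
    cdb.clear()
    cdb.update(deepcopy(derived))
    return True, delta


if __name__ == "__main__":
    cdb, neds = {}, {"pe1": Ned("pe1"), "pe2": Ned("pe2")}
    print(commit(cdb, neds, SERVICE_INTENT))
    print(commit(cdb, neds, SERVICE_INTENT))  # second commit of the same intent: empty delta
```

Removing an endpoint from the intent produces only delete operations on the device that left the service, and a device that rejects its change causes the whole transaction to roll back, which is the property that keeps the CDB a trustworthy source of truth for what is deployed.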

Page 18: Us navy network function virtualization 030316

Elastic Services Controller (ESC)

Page 19: Us navy network function virtualization 030316

Elastic Service Controller

[Diagram: NSO -> Elastic Services Controller (ESC): API (Confd), Rules Engine, Service Monitor (SNMP, Ganglia, Custom), Service Provisioning (Day 0 Config, DHCP, Custom), Scale Up/Down (Elasticity), VM Provisioning & Configuration Module -> OpenStack, Public Clouds]

VNF bring-up & initial configuration application. Multi-vendor support.
Allows modular communication with NSO. Data model driven.
Affinity rules and scale requirements for the VNF components. Also manages the startup sequences.
ESC uses a multidimensional approach to VNF monitoring/restartability.
Programmable interface to ESC allows functional interaction with ESC subcomponents.

Page 20: Us navy network function virtualization 030316

ESC Management Functions

• Agentless VNF management (Any Vendor, Any Application, Any VNF)
• VNF lifecycle management (Create, Read, Delete)
• VNF Day0 configurations
• VM and service monitoring
• VNF Auto-healing, recovery
• Service elasticity
• VNF license management
• Multi-VIM Infrastructure support
• End to End customization support for VNF operations
• Transaction resume and rollback
• Coupled VNF management (VM Affinity/Anti-affinity, startup order, VM interdependency)
• Service Advertisement

[Diagram: VNF lifecycle under the Elastic Services Controller (ESC): onboard -> deploy -> monitor -> scale / healing / fault-recovery -> update -> undeploy]
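The "coupled VNF management" bullet (VM affinity/anti-affinity, startup order, VM interdependency) is the part of a deployment request that a lifecycle manager has to check before it asks the VIM for a single VM. The following is an added example, not ESC code: it derives a startup order from the interdependencies, rejects a dependency cycle, and places VMs on hosts while honouring capacity, affinity and anti-affinity. The VM names, vCPU counts, host capacities and the constraint keys are constructed for the illustration.

```python
"""Placement and startup ordering for a coupled VNF deployment, in the spirit
of the slide's "VM Affinity/Anti-affinity, startup order, VM interdependency".
Added illustration, not ESC code; the deployment description is constructed.
"""
from collections import deque

# Constructed deployment: each VM lists its vCPU need, the VMs it must start
# after, and placement constraints relative to other VMs.
DEPLOYMENT = {
    "fw-a": {"vcpu": 4, "after": [], "anti_affinity": ["fw-b"]},
    "fw-b": {"vcpu": 4, "after": [], "anti_affinity": ["fw-a"]},
    "waas": {"vcpu": 2, "after": ["fw-a"], "affinity": ["fw-a"]},
    "mon":  {"vcpu": 1, "after": ["fw-a", "fw-b"]},
}
HOSTS = {"host1": 8, "host2": 8}  # free vCPUs per host (constructed)


def startup_order(deployment):
    """Topological sort over the 'after' edges (Kahn's algorithm).

    Raises ValueError on a cycle or an unknown dependency, which a lifecycle
    manager should reject at deploy time rather than wait forever for VMs
    that can never come up.
    """
    indeg = {vm: len(spec["after"]) for vm, spec in deployment.items()}
    dependents = {vm: [] for vm in deployment}
    for vm, spec in deployment.items():
        for dep in spec["after"]:
            if dep not in deployment:
                raise ValueError(f"{vm} depends on unknown VM {dep}")
            dependents[dep].append(vm)
    queue = deque(sorted(vm for vm, d in indeg.items() if d == 0))
    order = []
    while queue:
        vm = queue.popleft()
        order.append(vm)
        for child in sorted(dependents[vm]):
            indeg[child] -= 1
            if indeg[child] == 0:
                queue.append(child)
    if len(order) != len(deployment):
        raise ValueError("startup dependency cycle")
    return order


def place(deployment, hosts):
    """Assign VMs to hosts honouring capacity, affinity and anti-affinity.

    VMs are placed in startup order, so an affinity partner that starts
    earlier is already placed when its dependant is considered. Returns
    {vm: host} or raises ValueError when no host satisfies the constraints.
    """
    free = dict(hosts)
    placement = {}
    for vm in startup_order(deployment):
        spec = deployment[vm]
        candidates = [h for h in free if free[h] >= spec["vcpu"]]
        for partner in spec.get("affinity", []):
            if partner in placement:
                candidates = [h for h in candidates if h == placement[partner]]
        for rival in spec.get("anti_affinity", []):
            if rival in placement:
                candidates = [h for h in candidates if h != placement[rival]]
        if not candidates:
            raise ValueError(f"no host satisfies the constraints for {vm}")
        # Prefer the host with the most free capacity (ties broken by name)
        host = max(candidates, key=lambda h: (free[h], h))
        placement[vm] = host
        free[host] -= spec["vcpu"]
    return placement


if __name__ == "__main__":
    print(startup_order(DEPLOYMENT))
    print(place(DEPLOYMENT, HOSTS))
```

With the constructed input the two firewalls land on different hosts, the WAN optimizer follows its firewall, and the same deployment against a single host is refused because the anti-affinity rule cannot be met; that refusal is the kind of deploy-time check that keeps an HA pair from silently ending up on one failure domain.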

Page 21: Us navy network function virtualization 030316

ESC Modularity

[Diagram: Northbound Orchestration System (Cisco Network Services Orchestrator, Openstack Heat Orchestration, Any 3rd Party NFV Orchestrator) -> API / Netconf / Yang -> Elastic Services Controller (VNF Lifecycle management; Service Monitoring, Elasticity and Recovery) -> Southbound VIM: Openstack/KVM* (Ubuntu), vSphere, Public Cloud (AWS, Azure), Linux Containers; two of these are marked "Now"]

Yang Model driven or API Integration

* Available in subsequent releases

Page 22: Us navy network function virtualization 030316

List of Events
• VM Alive
• Service Alive
• Upper load threshold crossed
• Lower load threshold crossed
• Service Dead
• VM Dead

List of Actions
• Notify (callback)
• Advertise Service
• Withdraw Service
• Restart VM
• Scale up (add a VM)
• Scale down (remove a VM)
• Individually customizable action(s) for every event

Simple Rules
Service Alive => advertise
VM Dead => withdraw
Upper load => scale up

Complex Rules
Upper load => Scale up, Notify, Advertise
Service Dead => Withdraw, Notify, Restart
Service Alive => Advertise, Notify

[Diagram: ESC VNF Lifecycle Management – Monitoring & Elasticity. Elastic Services Controller: VNF Provisioning (Provision VM -> VM Bootstrap process -> VM alive -> Service Bootstrap Process -> Service alive) -> VNF Configuration (Configure Service -> Service Functional) -> VNF Monitor (Analytic Engine, Rule Engine). Monitored states: VM alive, Service alive, Service Overloaded/Underloaded, VM Overloaded/Underloaded, Service DEAD, VM DEAD; each maps to a Predefined Action or a Custom Script Action.]
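The event list, action list and the two rule sets on this slide describe a small rules engine, and the detail that matters in practice is that "threshold crossed" is an edge, not a level: a load reading above the threshold must produce one scale-up event when it crosses, not one per monitoring sample. The following is an added example, not ESC code; the event and action names, the monitor sample format and the load thresholds are constructed for the illustration, and the two rule tables are transcribed from the slide.

```python
"""Event/action rules engine in the shape of the slide: monitor samples are
turned into the six listed events, and a rule table maps each event to an
ordered list of the listed actions ("simple" and "complex" rule sets).

Added illustration, not ESC code. Event and action names, the sample
format and the load thresholds are constructed for the example.
"""
EVENTS = {"VM_ALIVE", "SERVICE_ALIVE", "UPPER_LOAD", "LOWER_LOAD",
          "SERVICE_DEAD", "VM_DEAD"}
ACTIONS = {"NOTIFY", "ADVERTISE", "WITHDRAW", "RESTART_VM",
           "SCALE_UP", "SCALE_DOWN"}

# The slide's "simple rules": one action per event.
SIMPLE_RULES = {
    "SERVICE_ALIVE": ["ADVERTISE"],
    "VM_DEAD": ["WITHDRAW"],
    "UPPER_LOAD": ["SCALE_UP"],
}
# The slide's "complex rules": several actions per event, applied in order.
COMPLEX_RULES = {
    "UPPER_LOAD": ["SCALE_UP", "NOTIFY", "ADVERTISE"],
    "SERVICE_DEAD": ["WITHDRAW", "NOTIFY", "RESTART_VM"],
    "SERVICE_ALIVE": ["ADVERTISE", "NOTIFY"],
}


def validate_rules(rules):
    """Reject a rule table that names an event or action the engine does not know."""
    for event, actions in rules.items():
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        bad = [a for a in actions if a not in ACTIONS]
        if bad:
            raise ValueError(f"unknown action(s) {bad} for {event}")
    return True


class RulesEngine:
    """Derives events from successive monitor samples and maps them to actions.

    Events are edge-triggered: a liveness change or a load-threshold crossing
    yields one event when it happens, not one per sample, which is what
    "threshold crossed" means and what stops scale-up from firing repeatedly.
    """

    _INITIAL = {"vm_alive": False, "service_alive": False, "load": None}

    def __init__(self, rules, upper=80.0, lower=20.0):
        validate_rules(rules)
        self.rules = rules
        self.upper, self.lower = upper, lower
        self.state = {}  # vm -> last sample seen

    def events_for(self, vm, sample):
        """sample = {"vm_alive": bool, "service_alive": bool, "load": float or None}"""
        prev = self.state.get(vm, self._INITIAL)
        events = []
        if sample["vm_alive"] != prev["vm_alive"]:
            events.append("VM_ALIVE" if sample["vm_alive"] else "VM_DEAD")
        if sample["service_alive"] != prev["service_alive"]:
            events.append("SERVICE_ALIVE" if sample["service_alive"] else "SERVICE_DEAD")
        load, prev_load = sample["load"], prev["load"]
        # Load events need two readings from a live service, so a fresh VM's
        # first low reading does not trigger a scale-down.
        live = sample["vm_alive"] and sample["service_alive"]
        if live and load is not None and prev_load is not None:
            if load > self.upper and prev_load <= self.upper:
                events.append("UPPER_LOAD")
            elif load < self.lower and prev_load >= self.lower:
                events.append("LOWER_LOAD")
        self.state[vm] = dict(sample)
        return events

    def handle(self, vm, sample):
        """Return the (event, action) pairs one sample triggers, in rule order."""
        return [(event, action)
                for event in self.events_for(vm, sample)
                for action in self.rules.get(event, [])]


if __name__ == "__main__":
    engine = RulesEngine(COMPLEX_RULES)
    for load in (50.0, 90.0, 92.0):
        print(engine.handle("vnf1", {"vm_alive": True, "service_alive": True, "load": load}))
    print(engine.handle("vnf1", {"vm_alive": True, "service_alive": False, "load": 0.0}))
```

Validating the rule table up front matters because the slide allows every event's actions to be customized: a typo in a custom action name should be caught when the rules are loaded, not when the first VM dies at 3 a.m.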

Page 23: Us navy network function virtualization 030316

Confd

Page 24: Us navy network function virtualization 030316

Configuration Daemon Confd

• Custom engineering
• Extraordinary effort
• Inconsistent across interfaces

• Open source
• Minimal effort
• Single source of truth across interfaces

Page 25: Us navy network function virtualization 030316

ConfD For Configuration and Operational State Abstraction

• Management agents: NETCONF, SNMP, CLI, and Web
• Management backplane provides hierarchical view of config and statistics data through Management API
• Management database may be integrated CDB, distributed XML, or external

Page 26: Us navy network function virtualization 030316

Hosting Platform Foundational Technologies

• Policy management for User and Application
• Clustering for HA and scale
• Chaining that is open and agentless
• Service lifecycle management: Provisioning, Operation, Monitoring, Troubleshooting
• Simplified, Libvirt, and Openstack APIs
• Hypervisor and vSwitch provisioning/operations
• Bare-metal provisioning
• Hardware acceleration (when necessary)

[Diagram: Segment Specific OSS: Enterprise - Prime/APIC-EM; Service Provider - NSO. Common Technology Stack: VNFs (WAAS, CMS, Source-Fire IPS, CSR, ASAv) each with a Cfg Agent; Services Control (Confd); Cloud OS On Linux KVM with SFC, Custom hardware and I/O drivers; Network, Storage, CPU, Memory (Intel or Cavium). Green - Cisco Value Add]

Page 27: Us navy network function virtualization 030316

Virtual Services Levels Of Control

• Platform Management
  Confd provides CLI, API, WebUI (hypervisor appliance)
  NSO provisions virtual services through Netconf/Yang to Confd, or a 3rd party controller provisions through the RESTconf API
• Virtual Service Management
  Some virtual services use proprietary agents / managers
  NSO offers service/device management for many through a Network Element Driver (NED)

[Diagram: Common Technology Stack: VNFs (WAAS, CMS, Source-Fire IPS, CSR, ASAv) each with a Cfg Agent*; proprietary managers: Firesight Manager, WAAS CM; NSO Virtual Service Router Config via NED; Services Control (Confd); Cloud OS On Rhel with Service Chaining and Optional Acceleration; Network, Storage, CPU, Memory (Intel or Cavium)]

Page 28: Us navy network function virtualization 030316

Service Function Chaining (SFC)

Page 29: Us navy network function virtualization 030316

Current Hypervisor Edge Application Service Chaining

• Server farm service insertion is easy
• Traffic is destined for virtual machine through virtual switch
• One way in and one way out
• vSwitch captures bidirectional flows destined for virtual machine and can redirect to service node anywhere
• In path in middle of network service insertion is not trivial because there are multiple paths
• VMware DVS requires

[Diagram: two hosts (Network, Storage, CPU, Memory) running VMware vSphere with an API Agent and Nexus 1000v or VMware DVS. One hosts VNF #1, VNF #2, VNF #3, each with a vPath 2.0 Client; the other hosts APP #1, APP #2, APP #3. Client (C) / Server (S) flow markers.]

Page 30: Us navy network function virtualization 030316

vPath 2.0 to Network Service Header Non-Participant Service

• IETF draft Network Services Header is missing a control plane
• 18 month investment to add redirection client to a service node
• vPath 3.0 control plane
• Agentless vPath 3.0 supports any service node, on any VEM, anywhere
• Per service symmetric scale out
• KVM based
• Potential future container compatible
• Simplified operations: Reduced subnet and IP address consumption; Reduced VLAN management

[Diagram: left, a KVM host with API Agent and vPath 2.0 Server hosting VNF #1, VNF #2, VNF #3; right, a KVM host with API Agent and Nexus 1000v vPath 3.0 Client & Server hosting VNF #1, VNF #2, VNF #3; both on Network, Storage, CPU, Memory; Client (C) / Server (S) flow markers.]

Page 31: Us navy network function virtualization 030316

Network Service Header (NSH)

• IETF draft NSH encapsulation
  Participant service offers enhanced classification and segmentation
  Non-participant offers support for any 3rd party service via traditional VLAN or VXLAN
• Cisco NSH control planes
  Nexus 1000v VEM with VSM
  OVS
• Benefits
  Simplified ordering of services across places
  Simplified IP Address Management (IPAM)
  Per service high availability and symmetric scale out

[Diagram: two KVM hosts (API Agent, vSwitch, ASA #1, WAAS #2, CSR #3 on Network, Storage, CPU, Memory) between Client LAN and Server WAN, with Client (C) / Server (S) flow markers through the chain.]
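The "simplified ordering of services" benefit comes from the Service Path Identifier and Service Index carried in the NSH: the control plane installs a (SPI, SI) table in each forwarder, a participant service decrements SI after doing its work, and a packet whose (SPI, SI) was never installed, whose TTL runs out, or whose length field does not match the packet is dropped instead of being guessed at. The following is an added example, not Cisco or Nexus 1000v code: it encodes and parses the header using the layout of RFC 8300, which is what the IETF draft the slide references became, and walks a constructed ASA -> WAAS -> egress chain. The path table, the service function names and the payload bytes are constructed for the illustration; MD type 2 context is treated as opaque bytes rather than parsed into TLVs.

```python
"""Encoder, parser and forwarding step for the Network Service Header (NSH).

The slide references the IETF draft; this example follows the header layout
of the published RFC 8300 (base header + service path header), which is what
the draft became. Added illustration, not Cisco or Nexus 1000v code; the
service path table, SF names and payload bytes are constructed.
"""
import struct

NEXT_PROTO = {0x1: "IPv4", 0x2: "IPv6", 0x3: "Ethernet", 0x4: "NSH", 0x5: "MPLS"}


def nsh_encode(spi, si, next_proto=0x3, ttl=63, md_type=2, context=b""):
    """Build base header + service path header (+ opaque context bytes).

    Base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Proto(8).
    Service path header: SPI(24) SI(8). Length counts 4-byte words.
    """
    if not (0 <= spi < 1 << 24 and 1 <= si <= 255 and 1 <= ttl <= 63):
        raise ValueError("SPI is 24-bit, SI 1..255, TTL 1..63")
    if md_type == 1 and len(context) != 16:
        raise ValueError("MD type 1 carries exactly 16 bytes of context")
    if len(context) % 4:
        raise ValueError("context must be a whole number of 32-bit words")
    length = (8 + len(context)) // 4
    if length > 63:
        raise ValueError("NSH length field is 6 bits")
    w0 = (ttl << 22) | (length << 16) | (md_type << 8) | next_proto  # Ver=0, O=0
    w1 = (spi << 8) | si
    return struct.pack("!II", w0, w1) + context


def nsh_decode(buf):
    """Parse an NSH packet, rejecting anything malformed rather than guessing."""
    if len(buf) < 8:
        raise ValueError("truncated NSH base/service path header")
    w0, w1 = struct.unpack("!II", buf[:8])
    if w0 >> 30 != 0:
        raise ValueError("unsupported NSH version")
    hdr = {
        "oam": (w0 >> 29) & 1,
        "ttl": (w0 >> 22) & 0x3F,
        "length": (w0 >> 16) & 0x3F,
        "md_type": (w0 >> 8) & 0xF,
        "next_proto": w0 & 0xFF,
        "spi": w1 >> 8,
        "si": w1 & 0xFF,
    }
    total = hdr["length"] * 4
    if total < 8 or total > len(buf):
        raise ValueError("NSH length field inconsistent with packet size")
    if hdr["md_type"] == 1 and total != 24:
        raise ValueError("MD type 1 header must be 24 bytes")
    hdr["context"], hdr["payload"] = buf[8:total], buf[total:]
    return hdr


def nsh_rewrite(buf, ttl=None, si=None):
    """Return a copy of the packet with TTL and/or SI replaced."""
    w0, w1 = struct.unpack("!II", buf[:8])
    if ttl is not None:
        w0 = (w0 & ~(0x3F << 22)) | (ttl << 22)
    if si is not None:
        w1 = (w1 & ~0xFF) | si
    return struct.pack("!II", w0 & 0xFFFFFFFF, w1 & 0xFFFFFFFF) + buf[8:]


def sff_forward(buf, path_table):
    """Service Function Forwarder: decrement TTL, then look up (SPI, SI).

    Returns (next_hop, packet) or (None, reason). A pair the control plane
    never installed is dropped, as is a packet whose TTL or SI is exhausted.
    """
    hdr = nsh_decode(buf)
    if hdr["ttl"] <= 1:
        return None, "ttl expired"
    if hdr["si"] == 0:
        return None, "service index exhausted"
    hop = path_table.get((hdr["spi"], hdr["si"]))
    if hop is None:
        return None, "no service function for (SPI, SI)"
    return hop, nsh_rewrite(buf, ttl=hdr["ttl"] - 1)


def sf_process(buf):
    """A participant service function decrements SI after doing its work."""
    return nsh_rewrite(buf, si=nsh_decode(buf)["si"] - 1)


def run_chain(packet, path_table, sfs, max_hops=16):
    """Alternate SFF and SF steps until 'egress' or a drop; returns (outcome, trace)."""
    trace, buf = [], packet
    for _ in range(max_hops):
        hop, result = sff_forward(buf, path_table)
        if hop is None:
            return "dropped: " + result, trace
        if hop == "egress":
            return "delivered", trace
        trace.append(hop)
        buf = sfs[hop](result)
    return "dropped: hop limit", trace
```

The TTL check is the loop guard the slide's "missing control plane" remark points at: without a control plane installing consistent (SPI, SI) tables, a misconfigured forwarder can send a packet round the same pair of hosts, and the 6-bit TTL is what bounds the damage.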

Page 32: Us navy network function virtualization 030316

Solutions: Virtual Managed Services (VMS)

Page 33: Us navy network function virtualization 030316

Virtual Managed Services – Customers Like Choices
Common Software Elements – Flexible Network Access Models

[Diagram: three Enterprise and Service Provider Deployment Models. (1) Branch Offices, Private Cloud, Public Cloud, Internet and HQ over Dedicated internet and Secure MPLS. (2) Branch Offices, Private Cloud, Public Cloud and HQ over Secure MPLS and INET to a Service Provider Cloud and the Internet. (3) Business Locations, Private Cloud, Public Cloud and HQ over Secure Broadband and INET to a Service Provider Cloud and the Internet.]

Common Service Orchestration and Automation; Consistent Portal and Service Dashboard Instrumentation
Application Aware Cloud Services Optimization; Pervasive Security; WAN Optimization; Usage Based Pricing
Cloud VPN, Cloud MPLS, Cloud IWAN (Service Provider Cloud)

Page 34: Us navy network function virtualization 030316

Customer Experience in Brief

1. Order / Customize Your Services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically!

Service is up and running

[Diagram: Customer VPN (10.12.162.x) over the Internet to the Service Provider Cloud]

Page 35: Us navy network function virtualization 030316

Self-Service User and Operator Portals – Customizable

Service health-awareness and resource utilization are integrated with service orchestration into the operator and end-customer portals.

Page 36: Us navy network function virtualization 030316

Cisco Virtual Managed Services: Cloud VPN and Cloud MPLS Packages

[Diagram: Customers with Flexible CPE (Cisco ISR, Ethernet NID) -> Secure Broadband / Secure WAN (IPsec / MPLS) -> Service Provider Cloud: Self-Service Portal; Cisco® Virtual Managed Services Platform (Service Catalog, Orchestration Engine, Open APIs); Storage, Network, Compute; vRouter, vFirewall, vWSA, vIPS; Cisco Evolved Programmable Network]

Page 37: Us navy network function virtualization 030316

Cisco Virtual Managed Services: Cloud Intelligent WAN (IWAN) Packages

[Diagram: Customers with CPE -> Secure WAN (MPLS) and Secure Broadband (Internet) -> Service Provider Cloud: Self-Service Portal; Cisco® Virtual Managed Services Platform (Service Catalog, Orchestration Engine, Open APIs); Storage, Network, Compute; vRouter, WAAS, AVC, PfR; Cisco Evolved Programmable Network; Public Cloud and Private Cloud reached over the Internet]

Page 38: Us navy network function virtualization 030316

Cisco Virtual Managed Services: Cloud Security Packages

[Diagram: Customers with Flexible CPE (Cisco ISR, Ethernet NID) -> Secure WAN -> Service Provider Cloud: Self-Service Portal; Cisco® Virtual Managed Services Platform (Service Catalog, Orchestration Engine, Open APIs); Storage, Network, Compute; vRouter, vFirewall, vWSA, vIPS; Cisco Evolved Programmable Network]

Page 39: Us navy network function virtualization 030316

Cisco Virtual Managed Services – Flexible Deployment and Licensing Models

[Diagram, bottom to top:
Cisco® Evolved Programmable Network (NFV Infrastructure) – Physical and Virtual Elements
Cisco® Evolved Services Platform (NFV MANO) – Open, Pluggable Platform: End-User Self-Service, Operator Portals; Automated Services Orchestration Plus SDN; Virtual Infrastructure Managers
Advanced and Consulting Services
Virtual Managed Services packages – Cloud VPN: CSR1kv; Advanced Cloud VPN: ASAv; Cloud IWAN: CSR1Kv; Advanced Cloud IWAN: vWAAS; Cloud Security: ASAv; Advanced Cloud Security: vIPS (Foundation Packages, Advanced Packages)
Solutions: Mobile Services Solution, Virtual Managed Services Solution, Video Services Solution]

Software Function: Service-Level Packages
Portable across hardware; Pay-as-you-grow metering

Page 40: Us navy network function virtualization 030316

VMS Complete Lifecycle Services: Smart Service Capabilities

Define Fast, Deploy Fast, Scale Fast, Greater Customer Satisfaction – Accelerate Your Time to Revenue

Plan: Vision and Strategy; Business Justification Assessment – Consulting Service; Strategy and Assessment Service
Build: Design and Validation; Deployment and Integration – Design and Deployment Service
Manage: Support; Optimization; Adoption Acceleration – Support Service; Optimization Service

Page 41: Us navy network function virtualization 030316

Cloud Services Platform CSP-2100

Page 42: Us navy network function virtualization 030316

Data Center Network Services Use Cases

[Diagram: Tenant Access Chain and App Access Chain at the data center edge (ASR) in Small, Medium and Large sizes, built from VPN, FW, ADC, WOC and MON service functions between the Client and the Application Server Environment / Server Farm. Each chain is hosted on NFV Hosting Software (Agentless NSH, and Optional Acceleration) with Vagrant, Libvirt, confd and a Services Controller on Network, Storage, CPU, Memory (Intel or Cavium). Example hosts: CSR #1, WAAS #2, ASA #3, NAM #4 (each with a Cfg Agent); ASA #1/#2 with ADC #1/#2; ASA #1/#2 with NAM #1/#2.]

Page 43: Us navy network function virtualization 030316

Today's Data Center Network Administrator Challenges

• Keeping Up with the Server Team
• OpenStack Complexity
• ESXi Product and Support Costs
• Little or No Access to vCenter Server
• Lack of a Toolset to Manage Virtual Services
• Lack of Linux/OS Expertise
• Comfort with Dedicated HW Appliances
• Need for HW Performance (Sometimes)

Page 44: Us navy network function virtualization 030316

What is the CSP 2100?

[Diagram: Service 1, Service 2, Service 3 over Network I/O; RHEL 7, OVS, DPDK*, PCIe Passthrough, SR-IOV*; ConfD with GUI, CLI and REST / NetConf Yang]

UCS C220M4: 128G RAM, 4TB HDD, 16 cores, 6x1G & 2x10G SFP+ ports

Now Orderable: SKU = CSP-2100, $32.5K at UCS discounts

Page 45: Us navy network function virtualization 030316

© 2015 Cisco and/or its affiliates. All rights reserved.

What Virtual Services Can I Run on the CSP 2100?

Verified KVM 3rd Party Services
• Juniper SRX
• Citrix NetScaler VPX
• F5 LTM Virtual Edition
• A10 Networks

KVM Open Operating Systems
• Linux
• Red Hat
• Ubuntu
• Windows

Any KVM-based service
• Open Daylight ODL
• RYU

Existing Nexus 1010/1110 Services
• Network Analysis Module vNAM
• Virtual Security Gateway VSG
• Virtual Supervisor Module VSM

Cisco KVM Virtual Services
• Elastic Services Controller ESC
• Virtual Topology System VTS
• Prime Network Services Controller PNSC
• Prime Service Catalog PSC
• IOS XRv 9000
• Cloud Services Router CSR
• Adaptive Security Appliance ASAv
• Data Center Network Manager DCNM

Page 46: Us navy network function virtualization 030316

CSP-2100 Software Block Diagram

• Runs on CSP-2100 hardware, using RHEL 7.0 kernel
• Uses ConfD to supply much of the user interface and configuration storage:
  – IOS-XR-like CLI
  – REST / NetConf / Yang
  – AAA

[Diagram: User -> Web Server (GUI) / Rest API / CLI -> ConfD (AAA, Conf Database) -> LibVirt (C/Python) -> RHEL 7.0 Kernel; Customer SW Images; CSP2100]

Page 47: Us navy network function virtualization 030316

Key Tenets (Attributes and Features)

Easy-to-use GUI
• Turn-key, simple, and intuitive
• Lifecycle Management
• Ability to quickly provision and manage services

Automation
• REST API and NETCONF support for north-bound MANO tools

Clustering
• Pool of resources
• n # of nodes
• Deploy services in HA pair

Performance
• DPDK, PCIe passthrough
• HW Crypto, NSH, and OVS offloads; SR-IOV (roadmap)

Service Chaining
• ODL + NSH + CSP 2100 (roadmap)
• GUI to create service graph (roadmap)
• Policy-based, not VLANs (roadmap)

Page 48: Us navy network function virtualization 030316

Branch NFV

Page 49: Us navy network function virtualization 030316

Supporting Branch Virtualization Trends

• Ethernet handoff availability growing
• IP telephony centralized call control and gateways
• Internet offload
• Direct Internet access
• Availability of virtualized network services
• Re-introduction of centrally managed x86 compute
• Internet of Things (IOT) / Internet of Everything (IOE)

Page 50: Us navy network function virtualization 030316

Enterprise Branch NFV Benefits

• Automated network operations
• Deployment of best-of-breed
• OPEX decrease by reduction of branch visits or shipments
• Reduction of network elements to manage & deploy
• Operational efficiencies through virtualization
• Service Elasticity – Quick time to market
• Reduced complexity for High Availability
• Capex reduction by deployment of standard x86-based servers

Page 51: Us navy network function virtualization 030316

Virtual Branch Architecture

[Diagram: x86 Processor with NIC, NIM, BMC and Switch; NFV OS (Linux + ESC Lite + PnP + CLI Agent) hosting VNFs and vAPPs; Orchestration & Management via Plug-n-Play]

Life Cycle Management (ESC Lite)
• Provide Northbound interface for Management/Orchestration
• Provide System level information
• Provide VNF management - Create, Modify, Delete
• Provide interface with onboard LAN switch
• Performance Monitoring of VNFs
VM life cycle management; Provisioning of VNFs

PnP Agent
• PnP Agent must automatically configure WAN interface
• Must download Platform Profile

CLI/WebUI Agent
• Interface to configure onboard switch
• Provide Cisco CLI wrapper
• Agnostic to switch vendor selected

NFV OS
NIC: Increased performance using SRIOV; Mirroring of traffic between VNFs
Switch: 8 Port Integrated Switch (only on Low); Optional UPOE Support

Server Monitoring Agent
• BMC Agent to interact with BMC
• Web GUI Interface for Management and Configuration

Drivers, Firmware and Agents
• NIC and interface drivers
• Optional Crypto support

Onboard Storage: M.2 SSD Default Storage

Page 52: Us navy network function virtualization 030316

NFVOS Architecture

[Diagram: BSA / NSO -> CLI, NETCONF, REST (Yang Models) and Console / SSH, Web UI -> Confd -> ESC-lite with Network Plugin, Platform Plugin, Switch Plugin, Perf Monitor Plugin -> Switch, OVS, veb, Platform, Perf Monitor]

Page 53: Us navy network function virtualization 030316

Bank Non-Redundant x86 Virtual Topology

[Diagram: WAN1 -> WAN -> x86 host running CSR1 and WAAS1 (pass-through), SRV inside -> Trunk -> x86 LAN]

Page 54: Us navy network function virtualization 030316

Bank Redundant x86 Virtual Topology

[Diagram: WAN1 and WAN2 -> WAN -> two x86 hosts, one running CSR1 and WAAS1, the other CSR2 and WAAS2 (pass-through), each with SRV inside -> Trunk -> x86 LAN]

Page 55: Us navy network function virtualization 030316


Insurance Company Non-Redundant x86 Virtual Topology

[Diagram: Local Service 1 (WAN1) and Local Service 2 (WAN2), each an x86 host running FirePower IPS and CSR with untrusted and trusted sides, pass-through and a trunk to the x86 LAN]

Page 56: Us navy network function virtualization 030316


Insurance Redundant Link x86 Virtual Topology

[Diagram: one x86 host with WAN1 and WAN2 links, running FirePower IPS, CSR and NAS, with an inside server (SRV inside), pass-through and the x86 LAN]

Page 57: Us navy network function virtualization 030316


Generic Company Redundant x86 Virtual Topology

[Diagram: two x86 hosts, Local Service 1 with CSR1 on WAN1 and Local Service 2 with CSR2 on WAN2, each with an inside server (SRV inside), pass-through and a trunk to its x86 LAN]

Page 58: Us navy network function virtualization 030316


vBranch Orchestration Architecture

[Diagram: an X86 CPE running NFVOS (w/ ESC Lite) hosts vRouter / vWSA and vRouter / vFW over OVS, managed over NETCONF/YANG by the Network Service Orchestrator (Tail-f NCS); a Tenant Portal, Operator Portal, Service Assurance and Marketplace sit above the orchestrator; a PnP server, OpenStack and the Elastic Services Controller (ESC) provision the site behind an X86 server and Internet gateway]

Labels on the provisioning path (PnP functionality, zero touch provisioning):
• Provision CSR1Kv
• X86 CPE shipped to customer site, connected & powered on
• Customer orders service
• Provide Day 1 configuration
• Establish VPN: IP overlay, Layer 2

Page 59: Us navy network function virtualization 030316


Insurance Company Architecture and Operations

• Branch
  85% of 19,000 are 5-agent offices
  Template: Router/VPN – CSR; Firewall/IPS – ASAv/Firepower; NAS – Ctera
  $500 per visit; scheduled 1 time per year; unscheduled 1-2 times per year
  ~10% move per year

• Data Center
  NAS Manager, WLC, centralized call control

[Diagram: two branch services hosts (Branch WAN Edge), each a KVM host running NFV OS, Agentless NSH* and hardware drivers over network / storage / CPU / memory with hardware assist, a confd-based Services Controller, and VNFs (CSR, Security, Ctera NAS, future VNF) each with its own Cfg Agent; connected across the WAN / Internet to the data center's Ctera, WLC and CCM]

Page 60: Us navy network function virtualization 030316


Enterprise Branch NFV New Technology Adoption

• Adoption Phases
  Enterprise proves NFV is viable functionally and operationally for any place
  Enterprise operates at sufficient scale to understand cost of ownership
  Enterprise optionally turns over operations to managed service providers for cost savings

• Benefits
  X86 platform for enterprise and service provider
  Enterprise device, cluster, and group managed
  Enterprise switches to service provider managed
  Potential for hybrid enterprise and service provider hosting and management

[Diagram: Common Technology Stack on Intel or Cavium network / storage / CPU / memory: NFV Hosting Software, Agentless NSH, and Optional Acceleration; confd; VNFs (CSR, Source-Fire IPS, Ctera NAS, future VNF) each with a Cfg Agent; managed per device or cluster, by an Enterprise ESA group, or by a service provider's multitenant VMS Services Controller]

Page 61: Us navy network function virtualization 030316


NFV Use Cases

[Diagram: services hosts at the DC WAN edges and services pods at the DC and Internet Edge, each a KVM host running Confd and OVS with virtual services VS #1, VS #2 and VS #3 over network / storage / CPU / memory; CDS, 3rd party and CCM services; WAN / Internet]

• Fog / Edge / Branch: router, firewall, WOC, CDN, application
• Data center branch/core WAN edge: router, WOC, firewall, monitor
• Data center core: ADC, firewall, IPS/IDS, monitor
• Server farm: firewall, IPS/IDS, monitor
• DeMilitarized Zone (DMZ): Employee Internet Management (ADC, F-Proxy); .com hosting (router, ADC, firewall, IDS/IPS, R-Proxy, monitor); Extranet (router, firewall, VPN, IDS/IPS, monitor)

DevOps to automate device package registration

Page 62: Us navy network function virtualization 030316


Compute

Page 63: Us navy network function virtualization 030316


Planned Branch Purpose Built x86 Compute

• CSX-L: 6, 8, 12 core Intel; storage
• CSX-H: 8, 12, 16 core Intel; storage; integrated switch

Page 64: Us navy network function virtualization 030316


Compute For Any Place, Segment, or Environment

• UCS C-series
• CSX
• UCS Mini
• ISR Embedded UCS E-series
• UCS B-series
• UCS M-series
• ISA 3000 Industrial Appliance

Page 65: Us navy network function virtualization 030316


Intrinsic NFV Framework on UCS - Software

Framework for the orchestration of OS, FW, Drivers, etc.
• Day 0 out of the box experience with UCS Director
• Firmware, patching, and configuration operations on physical devices rolled into centralized policy
• Usage of out of band management infrastructure into each element possible
• Programmatic integration of VNF locality information to coordinate maintenance within infrastructure

Page 66: Us navy network function virtualization 030316


Intrinsic NFV Framework on UCS - Software

Fully open API for well-known operations within a domain/service group
• AAA configurations, keystores, NTP, admin emails, SNMP, fault coordination, Callhome transport gateway, service advertisements, etc.
• Services Advertisement, Performance Feedback, Performance Estimation, etc. (UCS Performance Manager and follow-ons)
• Single GUI with extendable framework – to host the user presentation tier (NSO) with dynamic adds/removals

Page 67: Us navy network function virtualization 030316


Intrinsic NFV Framework on UCS - Hardware

• 5-9's in-service maintenance via policy – by moving the NFV VMs around to enable a portion of HW to be in a maintenance mode
• SR-IOV and DPDK need to be in for DMA right into the NFV guest kernel buffer space
• DPDK update in semantics of v2.2 with optimized performance
• Crypto offload function as part of a library to the NFV via card options (Mezz, PCIe, and mLOM)
• Native multi-platform support (Blade scale, Rack scale, Cartridge scale)

Page 68: Us navy network function virtualization 030316


Enterprise Network Function Virtualization Architecture

[Diagram: the Network Service Orchestrator (NSO) drives, via Netconf / NED, a Service Model Policy and Service Repository and the places in the network: Access, Branch WAN, Branch/Campus, Core, Core WAN, DC Core/Agg, DC Server Farm and Public Cloud; underneath, distributed KVM compute / storage is managed by Confd + ESC-Lite or by ESC + Openstack; solutions shown: vBranch, VMS, iVPN / iWAN, CSP]

Page 69: Us navy network function virtualization 030316


Enterprise Cloud and NFV Architecture

[Diagram: places in the network (Access, Edge Router, Core, Access Server) across Fog Edge, Branch WAN, Private Edge/Core DC/Cloud, Internet Connect and Public Cloud; hosting platforms: vBranch on CSX or UCS (NFV OS with Confd), CSP on UCS or VMS (CSP OS with Confd), ASR / Nexus 9000 / x86 (Metapod Openstack), ACI + UCS (Metapod Openstack), OSP / Other / AzureStack; every VNF carries a Config Agent; User / Branch Policy, User / Application Policy and Application Policy are applied per tier]

Service Repository: WOC, CSR, NAM, CDN, IPS, FW, Proxy, NAS, DNS, Voice, Davra, VMS

X86 OS Hosting Store: CSP, NFVOS, Linux, Metapod, ESX, Windows

User & Application Policy Store: AppSec, AppExp, AppMon, AppScale; Telephony User Policy; SAAS Policy; Branch Template

Application stacks shown: MapR, RMQ (RabbitMQ), MySQL, ScaleArc, Apache, Apprenda, Pivotal, Mantl.io, Hortonworks, WAF, FW, SLB

Tier attributes called out on the slide (groups as they appear):
• Local performance, local availability, local processing, distributed scale
• Dynamic scale on x86, wire once run any, optional acceleration
• Data protection, lowest cost, fixed/known capacity
• Public facing presentation
• Intercompany, disaster recovery, unknown/burst/one-time

Page 70: Us navy network function virtualization 030316

Thank you.