Us navy network function virtualization 030316
Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.
Virtualizing Network Services
Brenden Buresh, DC TSA, CCIE #2073
March 3rd, 2016
Make It Fast and Easy to Create, Deploy, Operate, and Retire Resources and Capabilities

[Diagram: Business Problems (Simplification Candidates); Workflows: common workflows, identify choke points, tasks, repeatable workflows/profiles, things to fix & achieve; Simplification (operationally) and New Capabilities; Architectures.]

Create, Deploy, Operate, and Retire Workflows:
• Places - Branch / Data Center / DMZ
• Employee / Partner
• Device / Thing
• Applications – SAAS, IAAS / COTS, client/server
• Customer / Tenant / Segment
• Collaboration - Meetings
Traditional Non-Default Application Deployment Challenge
• Complex
• Costly
• Error prone
• Never remove policies
• Not secure

[Diagram: Traditional Network. Roles: Application Owner, IPAM Admin, Network Admin, WAN Opt Admin, Security Admin, ADC/App Admin, Monitor Admin, Virtual Admin, DC Network Admin. Management tools: Prime, 3rd Party, WOCM, FWM, ADCM, vCenter, DCNM. Services between client and server: vSwitch, WOC, FW, ADC, Monitor, QoS Policy, Class Policy, DNS. Per-application configuration items: WCCP Redirect, VLAN, Route, SNAT, Span, VACL, ClassMap, DNS, vPath. Each service must be configured, have policy inserted, be chained, and be scaled.]

Auto has ~10,000 applications with ~10 year lifespan; 1000 applications deployed & retired per year
~10 applications/week programmed and unprogrammed (20% are non-default behavior)
CLI never intended to provide frequent policy change: change control can’t keep up!
Identifying The Network Function Places
• Client Access Chains are on the perimeter of the access network
• Data center or Tenant Chains reside on the WAN or Internet edge of the data center
• Application Access Chains are in the server farm core with north/south traffic
• Application Interaction Chain is in the server farm access with east/west traffic
• Users, branches, extranet partners, and applications come and go
• Non-default application and user policies/configurations are constant, costly, and error prone
• Many users and applications require some experience, security, scale, or monitor service
• User and application interactions depend on the network and the myriad of network services
• Network functions/services are from many different vendors
[Diagram: WAN / Internet, Client, Servers. Client / DMZ Access Chain; Data Center or Cloud/Tenant Access Chain; Application Access Chain (Web); Application Interaction Chain (App VM, DB, Mirror).]

Network Function Virtualization (nFV)
Network Function Virtualization Building Blocks
Hosting Nodes
– UCS B-series
– UCS C-series
– UCS M-series
– UCS Express
– CSP-2100
– CSX
– ISA 3000
Service Node (aka VNF)
– WAN Optimization Controllers (WOC) - WAAS
– Security: Firewall - ASA; NextGen Firewall - FirePower
– Application Delivery Controller (ADC)
– Application Performance Monitoring (APM) - NAM
– Secure Web Gateways - WSA
– Content Delivery Network - VDS-IS
– Application Components
Transport Nodes
– NX-OS: Nexus 9/7/6/5/3/2/1K
– IOS XE: ASR, CSR, Catalyst 4500, ISR 4400
– IOS XR: ASR 9000
– IOS: Catalyst 2/3/6K, ISR
Service Nodes Contain One or More Service Functions
• Transport: Routing / VRF, Bridging, Virtual gateway, VPN
• Experience: QoS, Deep packet inspection, WAN optimization, Caching of files/objects, Application Response Time (ART), Netflow, Performance Routing
• Infrastructure Services: Voice/video, Directory, DNS, NAS, Lifecycle manager
• Applications: Business applications, IOT, Analytics, Etc.
• Security: Firewall (L2-4), NextGen Firewall (L3-7), DDoS, IDS / IPS, Antivirus (AV), Data Leakage Prevention (DLP), Anti-Malware Protection, Content Filtering, User / Device AAA, Network Auth 802.1x, Segmentation Tags
Service Node Standard Interface Meta Data - pt1
• Service Node: Vendor, Product, Category
• Place: Branch / Store / Bank; Data Center; Cloud / Service Provider / Data Center; Carrier Transit Data Center PoP / CO
• Performance: DPDK, SR-IOV, PCI Pass Through, VirtIO
• Form Factors: Physical, ESX, KVM, Hyper-V, Xen, Amazon AMI, LXC / Docker Container
Service Node Standard Interface Meta Data – pt2
• Service Insertion
  Type: GoThrough Bridged, GoThrough Routed, GoTo VIP / Loopback, CopyTo
  Encapsulation: VLAN, VXLAN, NSH
  Clusters: WCCP, AppNav, vPath 2.0, SFC
• Config Controller Support: APIC Opflex, APIC Device Package, APIC-EM, ODL
• Life Cycle Manager: ESC, ESC-lite / VBO, Grapevine
• Programmability: CLI / SSH, SNMP, GUI HTTPS, REST API, OpenFlow, Netconf / Restconf / Yang, Integrated Confd, NCS Tail-f NED, Ubuntu / RHEL Openstack ML2 plugin
Virtual Network Function VNF Catalog
• Inventory of all VNFs: Cisco first, 3rd party as required
• Design/planning metadata
  Consumption availability by hypervisor (VMware, KVM, Microsoft, etc.) or cloud (AWS, Microsoft, etc.) - What service nodes are available on KVM?
  Service node functions - What service nodes can perform firewall function? What functions are missing from the physical?
  Service node performance gaps (Small Sourcefire VNF for vBranch)
  Performance best practices (i.e. SSL, networking, etc.)
  Service chaining - How can I chain the services?
  Orchestration - What VNFs have NSO NEDs or ACI device packages?
• Services support
  Feature impact on performance
  Optimizing the configuration of the platform or VNF for minimal resource consumption
• Automating consumption of VNFs in the distributed cloud
  Repository to supply Cisco and 3rd party VNFs with meta data to reduce risk of oversubscription
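The two “Standard Interface Meta Data” slides and the planning questions above amount to a catalog schema and a handful of queries over it. The following is an added example, not code from the deck or from any Cisco product, of such a catalog in Python. The product names come from the deck, but each entry’s functions, form factors, encapsulations and vCPU/memory footprints are constructed for illustration and are not vendor data; `plan_chain` adds a capacity check of the kind the slide alludes to with “reduce risk of oversubscription”.

```python
# Added example, not code from the Cisco deck: a small VNF catalog holding the
# "standard interface metadata" fields the slides list, plus the planning
# queries the catalog slide asks for. Every entry's feature set and footprint
# below is constructed for illustration and is not vendor data.
from dataclasses import dataclass


@dataclass(frozen=True)
class VnfEntry:
    vendor: str
    product: str
    category: str                # service function category, e.g. "Security"
    functions: frozenset         # functions the node performs
    form_factors: frozenset      # "Physical", "ESX", "KVM", "Hyper-V", "Xen", "Amazon AMI", ...
    insertion_types: frozenset   # "GoThrough Bridged", "GoThrough Routed", "GoTo VIP / Loopback", "CopyTo"
    encapsulations: frozenset    # "VLAN", "VXLAN", "NSH"
    orchestration: frozenset     # "NSO NED", "ACI device package"
    vcpu: int                    # constructed footprint used for the oversubscription check
    memory_gb: int


def _fs(*items):
    return frozenset(items)


# Constructed catalog: product names are from the deck, attributes are made up.
CATALOG = (
    VnfEntry("Cisco", "CSR1Kv", "Transport", _fs("Routing / VRF", "VPN"),
             _fs("ESX", "KVM", "Hyper-V", "Xen", "Amazon AMI"),
             _fs("GoThrough Routed"), _fs("VLAN", "VXLAN", "NSH"),
             _fs("NSO NED"), vcpu=1, memory_gb=4),
    VnfEntry("Cisco", "ASAv", "Security", _fs("Firewall (L2-4)", "VPN"),
             _fs("ESX", "KVM", "Hyper-V", "Amazon AMI"),
             _fs("GoThrough Routed"), _fs("VLAN", "VXLAN"),
             _fs("NSO NED", "ACI device package"), vcpu=2, memory_gb=4),
    VnfEntry("Cisco", "FirePower", "Security", _fs("NextGen Firewall (L3-7)", "IDS / IPS"),
             _fs("ESX", "KVM"), _fs("GoThrough Bridged"), _fs("VLAN"),
             _fs(), vcpu=4, memory_gb=8),
    VnfEntry("Cisco", "vWAAS", "Experience", _fs("WAN optimization", "Caching of files/objects"),
             _fs("ESX", "KVM"), _fs("GoThrough Bridged", "GoTo VIP / Loopback"),
             _fs("VLAN", "VXLAN", "NSH"), _fs("NSO NED"), vcpu=2, memory_gb=8),
    VnfEntry("Citrix", "NetScaler VPX", "Experience", _fs("ADC"),
             _fs("ESX", "KVM", "Hyper-V", "Xen", "Amazon AMI"),
             _fs("GoTo VIP / Loopback"), _fs("VLAN"), _fs(), vcpu=2, memory_gb=2),
)


def available_on(form_factor, catalog=CATALOG):
    """'What service nodes are available on KVM?'"""
    return sorted(e.product for e in catalog if form_factor in e.form_factors)


def performing(function, catalog=CATALOG):
    """'What service nodes can perform the firewall function?'"""
    return sorted(e.product for e in catalog if function in e.functions)


def chain_gaps(products, encapsulation, catalog=CATALOG):
    """'How can I chain the services?': members of a proposed chain that
    do not support the encapsulation the chain will be stitched with."""
    by_name = {e.product: e for e in catalog}
    return [p for p in products if encapsulation not in by_name[p].encapsulations]


def plan_chain(products, host_vcpu, host_memory_gb, catalog=CATALOG, cpu_ratio=1.0):
    """Check a planned chain against host capacity before deployment, so the
    repository metadata rather than a failed boot catches oversubscription.
    cpu_ratio is the permitted vCPU oversubscription factor (1.0 = none)."""
    by_name = {e.product: e for e in catalog}
    vcpu = sum(by_name[p].vcpu for p in products)
    mem = sum(by_name[p].memory_gb for p in products)
    fits = vcpu <= host_vcpu * cpu_ratio and mem <= host_memory_gb
    return fits, vcpu, mem


if __name__ == "__main__":
    print("KVM:", available_on("KVM"))
    print("firewall:", performing("Firewall (L2-4)"))
    chain = ["CSR1Kv", "vWAAS", "ASAv"]
    print("NSH gaps:", chain_gaps(chain, "NSH"))
    print("fits 8 vCPU / 16 GB:", plan_chain(chain + ["FirePower"], 8, 16))
```

The point of `chain_gaps` is that the encapsulation is a property of every member of a chain, not of the chain as a whole: one node that only speaks VLAN forces the whole chain back to VLAN or VXLAN, which is exactly the non-participant case the NSH slides later describe.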
Function Virtualization Validated Designs
Standard Interfaces Offer Flexibility AND Reduced Complexity
Managing Complexity: SDN Is Simply Agent Based Management

[Chart: number of devices versus year, 1980 to 2020. Wired network with client PCs and servers; wireless network with AP agents; server agents; mobile agents (iOS, Android); Meraki agent; Netconf/Yang; client agent; Opflex agent.]

• 1993 – PCs transition from console to agent management
• 2001 – Wireless Access Points (AP) adopt agent management
• 2004 – Servers transition from console to agent management
• 2007 – Google Android and Apple iOS adopt cloud agent based management to achieve unprecedented growth
• 2015 – Network devices transition from console to agent management
• Support staff grows with device growth until agent based management is adopted

Solution Components
• Network Services Orchestrator (NSO)
• Elastic Services Controller (ESC)
• Configuration Daemon (Confd)
• Openstack
• Linux KVM
Network Services Orchestrator (NSO)

[Diagram: YANG device model, NED, service models, cross-domain (X-Domain) service models.]

• Industry leading capability in NG SP device management
• Common mechanism for native interface to any HW / SW system
• Abstraction of capabilities and services supported in a device or system via NED/YANG
• Construct services independent of infrastructure – reduce workflow in SP infra
VMS Orchestration Component Mapping

[Diagram: OSS/BSS (Customer Facing Services, Resource Facing Services) on top; Service APIs; Network Services Orchestrator (NFVO); ESC Life Cycle Manager (VNF-M); OpenStack Virtualization (VIM); SDN Controller OVS (DC Overlay) and ODL/VPP*; VNFs CSR, ASAv, vIPS, WSAv reached over SSH; Service Interface; Infrastructure; Physical. * Innovation Pod Only.]
Network Services Orchestrator (NSO)

[Diagram: NSO containing a PnP Server (Open PnP), a Transaction Database (CDB), a Service Manager, a Device Manager, Network Element Drivers and a Mapping Controller (“Fastmap”); Service Intent arrives northbound; Rest/NetConf/Yang southbound to a Domain Controller (i.e. ESC) and to x86, ISR and virtual devices.]

• Zero Touch Deployment (ZTD): open method for ZTD access.
• Transactional Database allows full CRUD capabilities to Services.
• Service Manager interprets Service Intent with Service Instantiation Rules and derives configuration deltas.
• Device Manager manages derived and validated configurations in a transactional manner towards the derived infrastructure.
• Network Element Drivers abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation.
• Service Models written in Yang abstract the service from the underlying physical devices.
• Mapping Controller maps the Service Intent to the Derived Device Topology. Known as “Fastmap”.
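The four bullets above (intent in, mapping to a derived device topology, a delta against the transactional database, and a transactional push through element drivers) are easier to see as code. What follows is an added toy in Python, not NSO code and not a description of NSO’s internals: `FakeNed` stands in for a Network Element Driver, `Cdb` for the transaction database, `l3vpn_mapping` is a made-up service model, and the device names, interface names and config keys are constructed.

```python
# Added example, not NSO code: a toy of the pipeline described above. A service
# intent is mapped to the full per-device configuration it requires (the
# "Fastmap" idea: describe the end state, never hand-write the change), the
# result is diffed against a transactional store standing in for the CDB, and
# the delta is pushed through per-device driver objects standing in for NEDs
# inside one transaction that rolls every device back if any push fails.
# Device names, the service model and the config keys are constructed.
import copy


class FakeNed:
    """Stand-in for a Network Element Driver: holds one device's running config."""

    def __init__(self, name, reject=False):
        self.name, self.reject, self.running = name, reject, {}

    def push(self, sets, deletes):
        if self.reject:  # simulate a device refusing the change mid-transaction
            raise RuntimeError(f"{self.name}: push rejected")
        for key in deletes:
            self.running.pop(key, None)
        self.running.update(sets)

    def restore(self, running):
        self.running = dict(running)


class Cdb:
    """Transactional store: committed device config plus what each service derived."""

    def __init__(self):
        self.devices = {}   # device -> {config key: value}
        self.services = {}  # service name -> derived config (lets us reverse it later)


def l3vpn_mapping(intent):
    """Service-to-device mapping: derive the desired config for every site."""
    derived = {}
    for site in intent["sites"]:
        dev_cfg = derived.setdefault(site["device"], {})
        dev_cfg["vrf " + intent["name"]] = {"rd": intent["rd"]}
        dev_cfg["interface " + site["interface"]] = {"vrf": intent["name"], "ip": site["ip"]}
    return derived


def compute_delta(cdb, name, desired):
    """Diff desired config against the CDB; keys the service derived before but
    no longer needs become deletes. Returns (sets, deletes) keyed by device."""
    sets, deletes = {}, {}
    for dev, cfg in desired.items():
        current = cdb.devices.get(dev, {})
        changed = {k: v for k, v in cfg.items() if current.get(k) != v}
        if changed:
            sets[dev] = changed
    for dev, cfg in cdb.services.get(name, {}).items():
        gone = [k for k in cfg if k not in desired.get(dev, {})]
        if gone:
            deletes[dev] = gone
    return sets, deletes


def commit(cdb, neds, name, desired):
    """Apply the delta through the NEDs as one transaction.
    Returns (ok, sets, deletes); on failure every touched device is restored."""
    sets, deletes = compute_delta(cdb, name, desired)
    touched = sorted(set(sets) | set(deletes))
    saved = {d: (dict(neds[d].running), copy.deepcopy(cdb.devices.get(d, {}))) for d in touched}
    try:
        for dev in touched:
            neds[dev].push(sets.get(dev, {}), deletes.get(dev, []))
            dev_cfg = cdb.devices.setdefault(dev, {})
            for key in deletes.get(dev, []):
                dev_cfg.pop(key, None)
            dev_cfg.update(sets.get(dev, {}))
        if desired:
            cdb.services[name] = desired
        else:
            cdb.services.pop(name, None)
        return True, sets, deletes
    except RuntimeError:
        for dev, (running, committed) in saved.items():
            neds[dev].restore(running)
            cdb.devices[dev] = committed
        return False, sets, deletes


def create_or_update(cdb, neds, intent):
    return commit(cdb, neds, intent["name"], l3vpn_mapping(intent))


def delete_service(cdb, neds, name):
    return commit(cdb, neds, name, {})


if __name__ == "__main__":
    cdb = Cdb()
    neds = {"pe1": FakeNed("pe1"), "pe2": FakeNed("pe2")}
    acme = {"name": "ACME", "rd": "65000:1", "sites": [
        {"device": "pe1", "interface": "Gi0/1", "ip": "10.0.1.1/30"},
        {"device": "pe2", "interface": "Gi0/1", "ip": "10.0.2.1/30"}]}
    print(create_or_update(cdb, neds, acme))
    acme["sites"].pop()                       # drop the pe2 site
    print(create_or_update(cdb, neds, acme))  # only pe2 deletes are pushed
    print(delete_service(cdb, neds, "ACME"))
```

Two properties matter from a change-control standpoint: re-committing an unchanged intent pushes nothing (the delta is empty), and a rejected push on one device restores the others, so a half-applied service never survives as the new “current” state.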
Elastic Services Controller (ESC)

[Diagram: ESC with API (Confd), Rules Engine, Service Monitor (Custom, DHCP, SNMP, Ganglia), Service Provisioning (Scale Up/Down, Elasticity, Custom, Day 0 Config) and a VM Provisioning & Configuration Module; NSO northbound; OpenStack and Public Clouds southbound.]

• VNF bring-up and initial configuration application. Multi-vendor support.
• Allows modular communication with NSO. Data model driven.
• Affinity rules and scale requirements for the VNF components. Also manages the startup sequences.
• ESC uses a multidimensional approach to VNF monitoring/restartability.
• Programmable interface to ESC allows functional interaction with ESC subcomponents.
ESC Management Functions
• Agentless VNF management (Any Vendor, Any Application, Any VNF)
• VNF lifecycle management (Create, Read, Delete)
• VNF Day0 configurations
• VM and service monitoring
• VNF Auto-healing, recovery
• Service elasticity
• VNF license management
• Multi-VIM Infrastructure support
• End to End customization support for VNF operations
• Transaction resume and rollback
• Coupled VNF management (VM Affinity/Anti-affinity, startup order, VM interdependency)
• Service Advertisement

[Diagram: VNF lifecycle under ESC: onboard, deploy, monitor, scale, healing / fault-recovery, update, undeploy.]
ESC Modularity

[Diagram: Northbound Orchestration System (Cisco Network Services Orchestrator, Openstack Heat Orchestration, Any 3rd Party NFV Orchestrator) via API / Netconf / Yang; Elastic Services Controller providing VNF Lifecycle management and Service Monitoring, Elasticity and Recovery; Yang model driven or API integration; Southbound VIM: Openstack/KVM* (Ubuntu), vSphere, Public Cloud (AWS, Azure), Linux Containers, two of them labelled “Now”. * Available in subsequent releases.]
ESC VNF Lifecycle Management – Monitoring & Elasticity

List of Events
• VM Alive
• Service Alive
• Upper load threshold crossed
• Lower load threshold crossed
• Service Dead
• VM Dead

List of Actions
• Notify (callback)
• Advertise Service
• Withdraw Service
• Restart VM
• Scale up (add a VM)
• Scale down (remove a VM)
• Individually customizable action(s) for every event

Simple Rules
Service Alive => advertise
VM Dead => withdraw
Upper load => scale up

Complex Rules
Upper load => Scale up, Notify, Advertise
Service Dead => Withdraw, Notify, Restart
Service Alive => Advertise, Notify

[Diagram: ESC flow: VNF Provisioning (Provision VM, VM bootstrap process, Service bootstrap process), VNF Configuration (Configure Service), VNF Monitor (Analytic Engine, Rule Engine). The monitored states VM alive, Service alive, Service Functional, VM Overloaded/Underloaded, Service Overloaded/Underloaded, Service DEAD and VM DEAD each trigger a Predefined Action or a Custom Script Action.]
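The event list, action list and the two rule tables above describe a small rule engine. The following is an added example in Python, not ESC code and not a description of how ESC is implemented: it encodes the six events and the predefined actions from the slide, keeps the “simple” and “complex” rule tables verbatim, adds a per-event custom-script hook for the “individually customizable action(s)” bullet, and includes a threshold-crossing detector standing in for the analytic engine. The `Vnf` state model, the min/max VM bounds, the thresholds and the load series are constructed.

```python
# Added example, not ESC code: a small event-to-action rule engine in the shape
# the slide describes. The six events and the predefined actions are the ones
# listed above; the two rule tables are the slide's "simple" and "complex"
# rules; a per-event custom-script hook stands in for "individually
# customizable action(s)". The VNF state model, thresholds and the sample
# load series are constructed.

EVENTS = ("VM Alive", "Service Alive", "Upper load threshold crossed",
          "Lower load threshold crossed", "Service Dead", "VM Dead")


class Vnf:
    """The state the actions operate on (constructed, deliberately minimal)."""

    def __init__(self, name, vms=1, min_vms=1, max_vms=4):
        self.name, self.vms, self.min_vms, self.max_vms = name, vms, min_vms, max_vms
        self.advertised = False   # is the service currently advertised?
        self.restarts = 0
        self.notifications = []   # what the Notify callback would have sent


# Predefined actions; each receives the VNF and the triggering event.
def notify(vnf, event):
    vnf.notifications.append(event)


def advertise(vnf, event):
    vnf.advertised = True


def withdraw(vnf, event):
    vnf.advertised = False


def restart_vm(vnf, event):
    vnf.restarts += 1


def scale_up(vnf, event):
    if vnf.vms < vnf.max_vms:      # elasticity is bounded by the deployment's maximum
        vnf.vms += 1


def scale_down(vnf, event):
    if vnf.vms > vnf.min_vms:      # never scale below the minimum footprint
        vnf.vms -= 1


ACTIONS = {"Notify": notify, "Advertise Service": advertise, "Withdraw Service": withdraw,
           "Restart VM": restart_vm, "Scale up": scale_up, "Scale down": scale_down}

SIMPLE_RULES = {
    "Service Alive": ["Advertise Service"],
    "VM Dead": ["Withdraw Service"],
    "Upper load threshold crossed": ["Scale up"],
}

COMPLEX_RULES = {
    "Upper load threshold crossed": ["Scale up", "Notify", "Advertise Service"],
    "Service Dead": ["Withdraw Service", "Notify", "Restart VM"],
    "Service Alive": ["Advertise Service", "Notify"],
}


class RuleEngine:
    def __init__(self, rules, custom=None):
        self.rules = rules
        self.custom = custom or {}   # event -> callable(vnf, event): custom script action
        self.log = []

    def handle(self, vnf, event):
        """Run every action bound to the event, in rule order; return their names."""
        if event not in EVENTS:
            raise ValueError("unknown event: " + event)
        executed = []
        for name in self.rules.get(event, []):
            ACTIONS[name](vnf, event)
            executed.append(name)
        if event in self.custom:
            self.custom[event](vnf, event)
            executed.append("Custom Script")
        self.log.append((event, tuple(executed)))
        return executed


def run_load_monitor(engine, vnf, samples, upper=80, lower=20):
    """Analytic-engine stand-in: turn a load series into threshold-crossing
    events (fired on the crossing only, not on every sample that stays above
    or below) and feed them to the rule engine. Returns all executed actions."""
    executed, prev = [], None
    for load in samples:
        if prev is not None:
            if prev <= upper < load:
                executed += engine.handle(vnf, "Upper load threshold crossed")
            elif prev >= lower > load:
                executed += engine.handle(vnf, "Lower load threshold crossed")
        prev = load
    return executed


if __name__ == "__main__":
    rules = dict(COMPLEX_RULES, **{"Lower load threshold crossed": ["Scale down", "Notify"]})
    fw = Vnf("fw", vms=2)
    print(run_load_monitor(RuleEngine(rules), fw, [30, 50, 85, 90, 40, 15, 60]))
    print(fw.vms, fw.advertised, fw.notifications)
```

Firing only on the crossing, and clamping scale actions to the min/max VM count, are the two details that keep an automated elasticity loop from oscillating or from growing without bound while a load spike persists.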
Confd

Configuration Daemon Confd
• Custom engineering
• Extraordinary effort
• Inconsistent across interfaces
versus
• Open source
• Minimal effort
• Single source of truth across interfaces

ConfD For Configuration and Operational State Abstraction
• Management agents: NETCONF, SNMP, CLI, and Web
• Management backplane provides hierarchical view of config and statistics data through Management API
• Management database may be integrated CDB distributed XML or external
Hosting Platform Foundational Technologies
• Policy management for User and Application
• Clustering for HA and scale
• Chaining that is open and agentless
• Service lifecycle management: Provisioning, Operation, Monitoring, Troubleshooting
• Simplified, Libvirt, and Openstack APIs
• Hypervisor and vSwitch provisioning/operations
• Bare-metal provisioning
• Hardware acceleration (when necessary)

[Diagram: Segment-specific OSS: Enterprise (Prime/APIC-EM), Service Provider (NSO). Common Technology Stack (green = Cisco value add): Services Control (Confd) over Cloud OS on Linux KVM with SFC, custom hardware and I/O drivers; VNFs WAAS, CMS, Source-Fire IPS, CSR and ASAv, each with a Cfg Agent; Network, Storage, CPU, Memory (Intel or Cavium).]
Virtual Services Levels Of Control
• Platform Management: Confd provides CLI, API, WebUI (hypervisor appliance). NSO provisions virtual services through Netconf/Yang to Confd, or a 3rd party controller provisions through the RESTconf API.
• Virtual Service Management: Some virtual services use proprietary agents / managers. NSO offers service/device management for many through a Network Element Driver (NED).

[Diagram: Common Technology Stack: Services Control (Confd) over Cloud OS on RHEL with service chaining and optional acceleration; VNFs WAAS (Cfg Agent, managed by WAAS CM), CMS, Source-Fire IPS (Cfg Agent, managed by Firesight Manager), CSR (Agent*), ASAv (NED); NSO provides the virtual service router config; Network, Storage, CPU, Memory (Intel or Cavium).]

Service Function Chaining SFC
Current Hypervisor Edge Application Service Chaining
• Server farm service insertion is easy
• Traffic is destined for virtual machine through virtual switch
• One way in and one way out
• vSwitch captures bidirectional flows destined for virtual machine and can redirect to service node anywhere
• In path in middle of network service insertion is not trivial because there are multiple paths
• VMware DVS requires

[Diagram: two hosts (Network, Storage, CPU, Memory), each running VMware vSphere with an API Agent and Nexus 1000v or VMware DVS; one hosts VNF #1, VNF #2, VNF #3, each with a vPath 2.0 Client; the other hosts APP #1, APP #2, APP #3. C/S marks the client- and server-side ports of the chain.]
vPath 2.0 to Network Service Header Non-Participant Service
• IETF draft Network Services Header is missing a control plane
• 18 month investment to add redirection client to a service node
• vPath 3.0 control plane
• Agentless vPath 3.0 supports any service node, on any VEM, anywhere
• Per service symmetric scale out
• KVM based
• Potential future container compatible
• Simplified operations: reduced subnet and IP address consumption; reduced VLAN management

[Diagram: a KVM host with API Agent and vPath 2.0 Server in front of VNF #1, #2, #3, versus a KVM host with API Agent and Nexus 1000v vPath 3.0 Client & Server in front of VNF #1, #2, #3; C/S marks the client- and server-side ports of each service.]
Network Service Header (NSH)
• IETF draft NSH encapsulation
  Participant service offers enhanced classification and segmentation
  Non-participant offers support for any 3rd party service via traditional VLAN or VXLAN
• Cisco NSH control planes: Nexus 1000v VEM with VSM; OVS
• Benefits: Simplified ordering of services across places; Simplified IP Address Management (IPAM); Per service high availability and symmetric scale out

[Diagram: two KVM hosts (API Agent, vSwitch), each chaining ASA #1, WAAS #2 and CSR #3 between the Client LAN and the Server WAN; C/S marks the client- and server-side ports.]

Solutions Virtual Managed Services (VMS)
Virtual Managed Services – Customers Like Choices: Common Software Elements, Flexible Network Access Models

[Diagram: Enterprise and Service Provider Deployment Models. (1) Branch Offices, HQ, Private Cloud and Public Cloud connected over Dedicated internet and Secure MPLS; (2) Branch Offices, HQ, Private Cloud and Public Cloud connected over Secure MPLS and Internet (INET) through a Service Provider Cloud; (3) Business Locations, HQ, Private Cloud and Public Cloud connected over Secure Broadband and Internet through a Service Provider Cloud. Common Service Orchestration and Automation; Consistent Portal and Service Dashboard Instrumentation; Application Aware Cloud Services Optimization; Pervasive Security; WAN Optimization; Usage Based Pricing. Packages: Cloud VPN, Cloud MPLS, Cloud IWAN.]
Customer Experience in Brief
1. Order / Customize Your Services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically!
Service is up and running.

[Diagram: Customer VPN (10.12.162.x) across the Internet to the Service Provider Cloud.]
Self-Service User and Operator Portals – Customizable
Service health-awareness resource utilization is integrated with service orchestration into the operator and end-customer portals.
Cisco Virtual Managed Services: Cloud VPN and Cloud MPLS Packages

[Diagram: Customers with Flexible CPE (Cisco ISR, Ethernet NID) connect over Secure Broadband / Secure WAN (IPsec / MPLS) to the Service Provider Cloud. Cisco® Virtual Managed Services Platform: Self-Service Portal, Service Catalog, Orchestration Engine, Open APIs; Cisco Evolved Programmable Network: Storage, Network, Compute hosting vRouter, vFirewall, vWSA, vIPS.]
Cisco Virtual Managed Services: Cloud Intelligent WAN (IWAN) Packages

[Diagram: Customers with CPE connect over Secure WAN (MPLS) and Secure Broadband (Internet) to the Service Provider Cloud, Public Cloud and Private Cloud. Cisco® Virtual Managed Services Platform: Self-Service Portal, Service Catalog, Orchestration Engine, Open APIs; Cisco Evolved Programmable Network: Storage, Network, Compute hosting vRouter, WAAS, AVC, PfR.]
Cisco Virtual Managed Services: Cloud Security Packages

[Diagram: Customers with Flexible CPE (Cisco ISR, Ethernet NID) connect over Secure WAN to the Service Provider Cloud. Cisco® Virtual Managed Services Platform: Self-Service Portal, Service Catalog, Orchestration Engine, Open APIs; Cisco Evolved Programmable Network: Storage, Network, Compute hosting vRouter, vFirewall, vWSA, vIPS.]
Cisco Virtual Managed Services – Flexible Deployment and Licensing Models

[Diagram: Cisco® Evolved Programmable Network (NFV Infrastructure) and Cisco® Evolved Services Platform (NFV MANO): End-User Self-Service and Operator Portals; Automated Services Orchestration plus SDN; Virtual Infrastructure Managers; Advanced and Consulting Services. Virtual Managed Services packages: Cloud VPN (CSR1kv) with Advanced Cloud VPN (ASAv); Cloud IWAN (CSR1Kv) with Advanced Cloud IWAN (vWAAS); Cloud Security (ASAv) with Advanced Cloud Security (vIPS). Foundation Packages and Advanced Packages; Open, Pluggable Platform Packages; Software Function Service-Level Packages; Mobile Services Solution, Virtual Managed Services Solution, Video Services Solution; Physical and Virtual Elements; Portable across hardware; Pay-as-you-grow metering.]
VMS Complete Lifecycle Services: Smart Service Capabilities
Define Fast, Deploy Fast, Scale Fast, Greater Customer Satisfaction: Accelerate Your Time to Revenue
• Plan: Vision and Strategy; Business Justification Assessment; Consulting Service; Strategy and Assessment Service
• Build: Design and Validation; Deployment and Integration; Design and Deployment Service
• Manage: Support Service; Optimization Support; Adoption Acceleration; Service Optimization Service

Cloud Services Platform CSP-2100
Data Center Network Services Use Cases

[Diagram: Application Server Environment with an ASR at the edge. Tenant Data Center Access Chains in Small, Medium and Large sizes (combinations of VPN, FW, WOC, ADC, MON) and an Application Access Chain per client/application (FW, MON, VPN, ADC, WOC) in front of the Server Farm. Each chain runs on an NFV host with NFV Hosting Software, Agentless NSH, and Optional Acceleration (Vagrant, Libvirt, confd Services Controller; Network, Storage, CPU, Memory, Intel or Cavium) hosting VNFs such as CSR #1, WAAS #2, ASA #3, NAM #4, ADC #1/#2 and NAM #1/#2, each with a Cfg Agent.]
Today’s Data Center Network Administrator Challenges: Keeping Up with the Server Team
• OpenStack Complexity
• ESXi Product and Support Costs
• Little or No Access to vCenter Server
• Lack of a Toolset to Manage Virtual Services
• Lack of Linux/OS Expertise
• Comfort with Dedicated HW Appliances
• Need for HW Performance (Sometimes)
What is the CSP 2100?

[Diagram: UCS C220 M4 with 128G RAM, 4TB HDD, 16 cores, 6x1G & 2x10G SFP+ ports; RHEL 7, OVS, DPDK*, PCIe Passthrough, SR-IOV*; Network I/O; ConfD with GUI, CLI and REST / NetConf Yang; Service 1, Service 2, Service 3.]

Now Orderable: SKU = CSP-2100, $32.5K at UCS discounts
What Virtual Services Can I Run on the CSP 2100?
Verified KVM 3rd Party Services
• Juniper SRX
• Citrix NetScaler VPX
• F5 LTM Virtual Edition
• A10 Networks
KVM Open Operating Systems
• Linux
• Red Hat
• Ubuntu
• Windows
Any KVM-based service
• Open Daylight ODL
• RYU
Existing Nexus 1010/1110 Services
• Network Analysis Module vNAM
• Virtual Security Gateway VSG
• Virtual Supervisor Module VSM
Cisco KVM Virtual Services
• Elastic Services Controller ESC
• Virtual Topology System VTS
• Prime Network Services Controller PNSC
• Prime Service Catalog PSC
• IOS XRv 9000
• Cloud Services Router CSR
• Adaptive Security Appliance ASAv
• Data Center Network Manager DCNM
CSP-2100 Software Block Diagram
• Runs on CSP-2100 hardware, using RHEL 7.0 kernel
• Uses ConfD to supply much of the user interface and configuration storage:
  – IOS-XR-like CLI
  – REST / NetConf / Yang
  – AAA

[Diagram: CSP2100: RHEL 7.0 Kernel; ConfD with REST API, CLI, GUI (WebServer), AAA and Conf Database; LibVirt driven from C/Python; User; Customer SW Images.]
Key Tenets
Attribute | Features
Easy-to-use GUI | Turn-key, simple, and intuitive; Lifecycle Management; Ability to quickly provision and manage services
Automation | REST API and NETCONF support for north-bound MANO tools
Clustering | Pool of resources; n # of nodes; Deploy services in HA pair
Performance | DPDK, PCIe passthrough; HW Crypto, NSH, and OVS offloads; SR-IOV (roadmap)
Service Chaining | ODL + NSH + CSP 2100 (roadmap); GUI to create service graph (roadmap); Policy-based, not VLANs (roadmap)
Branch NFV
Supporting Branch Virtualization Trends
• Ethernet handoff availability growing
• IP telephony centralized call control and gateways
• Internet offload
• Direct Internet access
• Availability of virtualized network services
• Re-introduction of centrally managed x86 compute
• Internet of Things (IOT) / Internet of Everything (IOE)
Enterprise Branch NFV Benefits
• Automated network operations
• Deployment of best-of-breed
• OPEX decrease by reduction of branch visits or shipments
• Reduction of network elements to manage & deploy
• Operational efficiencies through virtualization
• Service Elasticity – Quick time to market
• Reduced complexity for High Availability
• Capex reduction by deployment of standard x86-based servers
Virtual Branch Architecture

[Diagram: x86 processor with NIC, NIM, BMC and Switch; NFV OS (Linux + ESC Lite + PnP + CLI Agent) hosting VNFs and vAPPs; Orchestration & Management via Plug-n-Play.]

Life Cycle Management (ESC Lite)
• Provide Northbound interface for Management/Orchestration
• Provide System level information
• Provide VNF management - Create, Modify, Delete
• Provide interface with onboard LAN switch
• Performance Monitoring of VNFs
• VM life cycle management; provisioning of VNFs
PnP Agent
• PnP Agent must automatically configure WAN interface
• Must download Platform Profile
CLI/WebUI Agent
• Interface to configure onboard switch
• Provide Cisco CLI wrapper
• Agnostic to switch vendor selected
NFV OS
• NIC: Increased performance using SR-IOV; Mirroring of traffic between VNFs
• Switch: 8 Port Integrated Switch (only on Low); Optional UPOE Support
• Server Monitoring Agent: BMC Agent to interact with BMC; Web GUI Interface for Management and Configuration
• Drivers, Firmware and Agents: NIC and interface drivers; Optional Crypto support
• Onboard Storage: M.2 SSD Default Storage
NFVOS Architecture

[Diagram: Northbound NSO and BSA via CLI, NETCONF and REST (Yang Models), plus Console / SSH and Web UI, into Confd; ESC-lite with Network Plugin, Platform Plugin, Switch Plugin and Perf Monitor Plugin driving the Switch, OVS/veb, Platform and Perf Monitor.]
[Diagram: Bank Non-Redundant x86 Virtual Topology. WAN1 into CSR1, then WAAS1 (pass-through), then the SRV inside segment; x86 LAN trunk.]

[Diagram: Bank Redundant x86 Virtual Topology. Two x86 hosts: WAN1 into CSR1 then WAAS1 (pass-through) then SRV inside, and WAN2 into CSR2 then WAAS2 (pass-through) then SRV inside; trunks between the two x86 LANs.]

[Diagram: Insurance Company Non-Redundant x86 Virtual Topology. Two single-host instances: WAN1 into CSR and FirePower IPS (pass-through, untrusted/trusted sides) serving Local Service 1, and WAN2 into CSR and FirePower IPS (pass-through) serving Local Service 2; x86 LAN trunk on each.]

[Diagram: Insurance Redundant Link x86 Virtual Topology. WAN1 and WAN2 into CSR and FirePower IPS (pass-through) serving SRV inside and NAS; x86 LAN.]

[Diagram: Generic Company Redundant x86 Virtual Topology. Two x86 hosts: WAN1 into CSR1 then Local Service 1 (pass-through) then SRV inside, and WAN2 into CSR2 then Local Service 2 (pass-through) then SRV inside; trunks between the two x86 LANs.]
vBranch Orchestration Architecture

[Diagram: X86 CPE running NFVOS (w/ESC Lite) with PnP functionality for Zero Touch Provisioning, reached over NETCONF/YANG from the Network Service Orchestrator (Tail-f NCS); Tenant Portal, Operator Portal / Service Assurance and Marketplace on top; OpenStack with Elastic Services Controller (ESC), OVS, PnP server, vRouter, vWSA and vFW on an X86 server behind an Internet Gateway. Flow: Customer orders service; X86 CPE shipped to customer site, connected & powered on; Provide Day 1 configuration; Provision CSR1Kv; Establish VPN: IP overlay, Layer 2.]
Insurance Company Architecture and Operations
• Branch: 85% of 19,000 are 5 agent offices
  Template: Router/VPN – CSR; Firewall/IPS – ASAv/Firepower; NAS – Ctera
  $500 per visit; scheduled 1 time per year; unscheduled 1-2 times per year; ~10% move per year
• Data Center: NAS Manager, WLC, Centralized call control

[Diagram: WAN / Internet, Branch WAN Edge, Services Hosts. Two KVM services hosts each running NFV OS, Agentless NSH*, and Hardware Drivers (confd Services Controller; Network, Storage, CPU, Memory, Hardware Assist) with CSR, Security, Ctera NAS and a Future VNF, each with a Cfg Agent; data center side: Ctera, WLC, CCM.]
Enterprise Branch NFV New Technology Adoption
• Adoption Phases
  Enterprise proves NFV is viable functionally and operationally for any place
  Enterprise operates at sufficient scale to understand cost of ownership
  Enterprise optionally turns over operations to managed service providers for cost savings
• Benefits
  X86 platform for enterprise and service provider
  Enterprise device, cluster, and group managed
  Enterprise switches to service provider managed
  Potential for hybrid enterprise and service provider hosting and management

[Diagram: Common Technology Stack (NFV Hosting Software, Agentless NSH, and Optional Acceleration; confd; Network, Storage, CPU, Memory, Intel or Cavium) hosting Future VNF, Ctera NAS, Source-Fire IPS and CSR, each with a Cfg Agent; managed either per device or cluster, by Enterprise ESA group based management, or by a Service Provider multitenant VMS Services Controller.]
ServicesHost
ServicesHost
ServicesPod
ServicesPod
DC WAN edge DC WAN edge Internet Edge
NFV Use Cases
WAN / Internet
SiSiSiSiSiSi SiSiSiSiSiSi
SiSiSiSiSiSi SiSiSiSiSiSi
CDS CDS
3rd Party 3rd Party
CCM CCM
KVM
Confd
OVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
Confd
OVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
Confd
OVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
Confd
OVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
ConfdOVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
ConfdOVS
VS #1
VS #2
VS #3
NetworkS torageCPUMemory
KVM
ConfdOVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
ConfdOVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
KVM
ConfidOVS
VS #1
VS #2
VS #3
NetworkStorageCPUMemory
• Fog / Edge / Branch: Router, firewall, WOC, CDN, application
• Data center branch/core WAN edge: Router, WOC, firewall, monitor
• Data center core: ADC, firewall, IPS/IDS, monitor
• Server farm: Firewall, IPS/IDS, monitor
• DeMilitarized Zone (DMZ):
  - Employee Internet Management (ADC, F-Proxy)
  - .com hosting (Router, ADC, firewall, IDS/IPS, R-Proxy, monitor)
  - Extranet (Router, firewall, VPN, IDS/IPS, monitor)
DevOps to automate device package registration
Compute
Planned Branch Purpose Built x86 Compute
• CSX-L: 6, 8, or 12 core Intel; storage
• CSX-H: 8, 12, or 16 core Intel; storage; integrated switch
Compute For Any Place, Segment, or Environment
• UCS C-series
• CSX
• UCS Mini
• ISR embedded UCS E-series
• UCS B-series
• UCS M-series
• ISA 3000 Industrial Appliance
Intrinsic NFV Framework on UCS - Software
Framework for the orchestration of OS, FW, drivers, etc.
• Day 0 out-of-the-box experience with UCS Director
• Firmware, patching, and configuration operations on physical devices rolled into centralized policy
• Use of out-of-band management infrastructure into each element possible
• Programmatic integration of VNF locality information to coordinate maintenance within the infrastructure
Intrinsic NFV Framework on UCS - Software
Fully open API for well-known operations within a domain/service group
• AAA configurations, keystores, NTP, admin emails, SNMP, fault coordination, Callhome transport gateway, service advertisements, etc.
• Services advertisement, performance feedback, performance estimation, etc. (UCS Performance Manager and follow-ons)
• Single GUI with extendable framework to host the user presentation tier (NSO) with dynamic adds/removals
Intrinsic NFV Framework on UCS - Hardware
• 5-9's in-service maintenance via policy, by moving the NFV VMs around so that a portion of the hardware can be placed in maintenance mode
• SR-IOV and DPDK need to be in place so that DMA goes directly into the NFV guest kernel buffer space
• DPDK updated to v2.2 semantics with optimized performance
• Crypto offload function provided as a library to the NFV via card options (Mezz, PCIe, and mLOM)
• Native multi-platform support (blade scale, rack scale, cartridge scale)
Enterprise Network Function Virtualization Architecture
[Diagram: a service model policy and service repository feeds the Network Service Orchestrator (NSO), which drives distributed KVM compute / storage across the places in the network: access branch WAN, branch/campus, core, core WAN, DC core/agg, DC server farm, and public cloud. Branch elements are managed through Confd + ESC-Lite over Netconf / NED; data center elements through ESC + Openstack over Netconf / NED. Products shown: vBranch, VMS, iVPN / iWAN, CSP.]
Enterprise Cloud and NFV Architecture
[Diagram: places from access edge router through core to access server, spanning fog edge branch WAN, Internet, private cloud, and public cloud.
- Branch: vBranch on CSX or UCS (NFV OS with Confd) hosting CDN, Davra, IPS, NAM, CSR, Ctera, WOC, DNS, ADC, FW.
- Private edge/core: CSP on UCS or VMS (CSP OS with Confd) and ASR, Nexus 9000, x86 with Metapod Openstack, hosting MapR, RMQ, MySQL, ScaleArc, Apache, Apprenda, FW, SLB.
- DC/cloud access server: ACI + UCS with Metapod Openstack, hosting MapR, RMQ, MySQL, ScaleArc, Apache, Pivotal, FW, SLB.
- Public cloud: OSP, other, Azure Stack, hosting Apprenda, Pivotal, Mantl.io, Hortonworks, RabbitMQ, ScaleArc, Apache, WAF, MySQL.
- Policy tiers: user / branch policy, user / application policy, application policy.
- Service repository: WOC, CSR, NAM, CDN, IPS, FW, proxy, NAS, DNS, voice, Davra, VMS.
- x86 OS hosting store: CSP, NFV OS, Linux, Metapod, ESX, Windows.
- User & application policy store: AppSec, AppExp, AppMon, AppScale, telephony user policy, SAAS policy, branch template, Internet connect.
- Each hosted VNF carries a Config Agent.]
Characteristics called out per tier:
• Local performance • Local availability • Local processing • Distributed scale
• Dynamic scale on x86 • Wire once, run any • Optional acceleration
• Data protection • Lowest cost • Fixed/known capacity
• Public facing presentation • Intercompany • Disaster Recovery • Unknown/burst/one-time
Thank you.