A Policy Driven Approach to Software Defined Networking. A talk by Scott Sneddon of Nuage Networks


Upload: nuage-networks

Post on 15-Jan-2015


DESCRIPTION

A Policy Driven Approach to Software Defined Networking. A talk by Scott Sneddon of Nuage Networks. Summary: We are a few years into this technological revolution called “Software Defined Networking”. In this deck, we will outline the progress that we’ve made, as well as where today’s SDN solutions fall short. Then, Nuage Networks will introduce a powerful Policy Driven approach to networking that allows for abstraction of network services into a model that is simple for DevOps and Cloud teams to consume. Finally, we will discuss industry activities that are driving standards for Policy Driven Software Defined Networking. Thanks for taking a look! Contact us at info at nuagenetworks dot net http://nuagenetworks.net @ssneddon @nuagenetworks

TRANSCRIPT

Page 1: A Policy Driven Approach to Software Defined Networking. A talk by Scott Sneddon of Nuage Networks

Copyright 2013 Alcatel-Lucent. All rights reserved. @ssneddon

Scott Sneddon, Principal Solutions Architect, APAC Business Development Lead, Nuage Networks

A Policy Driven Approach to Software Defined Networking

Page 2

SDN in 2014

• OpenFlow Controllers
• Network Virtualization
• White Box Switching
• Open Source Projects
• Network as a Service

Plenty of Innovation and Disruption…

Page 3

Why SDN?

• Reduce Cost
• Asset Utilization
• Self Service
• Automation
• Make the network more “Cloud” like

We’re making great progress

Page 4

The “Consumption shift”

• Cloud is changing the way technology is being consumed
  • From “order and wait”
  • To “instant gratification”

Consumer expectations are shifting

[Figure labels: Multiple personas; Single user; On-demand personalized catalogue]

Page 5

• Compute is Virtualized
  • Available in Minutes
• Network is Partially Virtualized
  • Configuration takes Days/Weeks

[Figure: Datacenter Network. Labels: New Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in Minutes (00:01); Network Configuration; Help Desk; Change Control; IP Address; VLAN Address; Firewall Configuration; LAN (VLAN) Configuration; WAN (IP) Configuration; Security / QA Team; Project Coordinator; Network Change completed in days/Weeks]

Service velocity is hindered by manual network process

Page 6

• Network is “more” virtualized
  • Some things available in minutes – Some not so much
• Many network elements are manually configured
  • Manual per-tenant network configurations

[Figure: Software Defined Datacenter Network. Labels: New Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in Minutes (00:01); Network Configuration; SDN Controller; Some Network Change completed in Minutes (00:01)]

Service velocity accelerated, but…

Page 7

Software Defined Network Configuration

• Committees still build “networks”
  • Audits/reviews
• In a NaaS environment (OpenStack Neutron, AWS, etc.) this is delegated to the tenant
• Is this what your DevOps team should be doing?

[Figure: Network Configuration. Labels: DevOps Team; VLAN Address; IP Address; WAN (IP) Configuration; Firewall Configuration; Network Configuration created in days/Weeks]

We’ve only addressed part of the automation problem

Page 8

OpenStack Neutron Networks

• Current Neutron Networking provides building blocks to create logical topologies
  • Networks, Ports, Subnets, Routers, Security Groups

    neutron net-create web
    neutron subnet-create web 10.0.0.0/24
    neutron router-create router1
    neutron router-interface-add router1 web
    …

• Not abstracted into a consumable model

[Figure: networks web, app and db, with VMs attached]

Puts the burden of topology design on the DevOps team

Page 9

A DevOps View

• DevOps has an understanding of the specific application needs
  • Segmentation, Port numbers, Connectivity goals
• Should not be burdened with the implementation details
  • Routes, Subnets, VLANs

The DevOps team needs an Abstracted view

[Figure: three groups labelled web, app and web, each containing three VMs]

Page 10

A Network Admin View

Network Administrators need to…
• Define connectivity models
  • Paths
  • QoS
  • Access Control
• Deploy service elements
  • Firewall
  • Load Balancer
  • IPS
• Audit compliance
• Audit usage

[Figure labels: Internet; Policy Selector; chain 1, chain 2, chain 3, chain 4; Firewall; IPS; Parental Ctl]

Page 11

Policy approach to networking

[Figure labels: Policy Templates; Users; Application Types; Business Rules; Policy Evaluation; Application Networks (repeated Firewall, W and BL elements)]

Design once, re-use multiple times

Page 12

Policy Based Network Virtualization

[Figure labels: Application = Web; Application = SAP; Application = Database]

Group applications into “network sandboxes”

Page 13

What is a network Policy?

OpenStack Group Based Policy Abstractions for Neutron https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• An Application-centric approach to networking
• Moving away from traditional network constructs
  • ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to
  • express desired connectivity of application components
  • and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation

Page 14

Policy Abstractions for Neutron

OpenStack Group Based Policy Abstractions for Neutron https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

[Figure labels: Outside EPG; Web EPG; App EPG; DB EPG; VMs; Web Contract; App Contract; App Contract; Public Network; Private Networks]

• Endpoint (EP) – an IP addressable entity
• Endpoint Group (EPG) – a grouping of Endpoints
• Policy Rule – individual rule that defines communication criteria
• Contract – a collection of Policy Rules that are applied to traffic between EPGs
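
The four abstractions listed above can be modelled as a small default-deny evaluator. This is an added example, not code from the talk or from the OpenStack Group Based Policy project; the addresses, port numbers, EPG-to-contract bindings (including reading the figure's second "App Contract" label as App-to-DB) and the intra-EPG allow are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class PolicyRule:
    """One communication criterion: protocol plus destination port."""
    protocol: str
    port: int

@dataclass(frozen=True)
class Contract:
    """A named collection of Policy Rules applied between two EPGs."""
    name: str
    rules: frozenset

# Endpoint Groups: constructed sample addresses, keyed by EPG name.
EPGS = {
    "outside": {"198.51.100.7"},
    "web": {"10.0.0.11", "10.0.0.12"},
    "app": {"10.0.1.21"},
    "db": {"10.0.2.31"},
}

# Rule contents are assumptions; the slide names the contracts only.
WEB = Contract("web-contract", frozenset({PolicyRule("tcp", 80), PolicyRule("tcp", 443)}))
APP = Contract("app-contract", frozenset({PolicyRule("tcp", 8080)}))

# (consumer EPG, provider EPG) -> contract. A pair not listed has no contract.
BINDINGS = {("outside", "web"): WEB, ("web", "app"): APP, ("app", "db"): APP}

def epg_of(ip):
    """Resolve an endpoint IP to its group; unknown endpoints belong to none."""
    addr = str(ip_address(ip))  # raises ValueError on malformed input
    return next((g for g, members in EPGS.items() if addr in members), None)

def evaluate(src_ip, dst_ip, protocol, port):
    """Return (allowed, reason). Traffic is denied unless a contract rule matches."""
    src, dst = epg_of(src_ip), epg_of(dst_ip)
    if src is None or dst is None:
        return False, "endpoint not in any EPG"
    if src == dst:
        return True, "intra-EPG"  # assumption: members of one group may talk
    contract = BINDINGS.get((src, dst))
    if contract is None:
        return False, f"no contract {src}->{dst}"
    if PolicyRule(protocol, port) in contract.rules:
        return True, contract.name
    return False, f"{contract.name} has no rule for {protocol}/{port}"
```

Bindings are directional and the model is stateless: it decides on the initiating flow only and does not track return traffic.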

Page 15

To Achieve a Policy Driven Network

In application development…
• We first define the application through source code
• We then compile the application into machine instructions
• Then we bind that application to a platform at run time
  • Assigning compute registers and memory locations

In a Policy driven network…
• We first define the application’s connectivity requirements and business rules
  • Application Policy
• We then map this application to a network service
  • Predefined network templates, network contracts
• Then we implement these network services when the application is deployed
  • Automated, Dynamic

Page 16

To Achieve a Policy Driven Network

[Figure: SDN FRAMEWORK. Labels: Application Request; APPLICATION ATTRIBUTES; Service Mapping; TOPOLOGY ATTRIBUTES; Service Binding; TECHNOLOGY ATTRIBUTES; groups of VMs labelled web, app and web; networks web, app and db]

Page 17

Policy Driven Networking Delivered

• Nuage has provided policy abstractions for virtual and physical networks since our first release
  • L2, L3, ACLs, QoS, Service Chaining, Traffic Statistics
• Difficult to express using existing Neutron constructs…
• Which is why we’re contributing to Group Based Policy

Cleanly express application policy in Neutron

Page 18

Nuage Networks Virtual Services Platform

Nuage Networks Virtualized Services Platform (VSP)

R2.1 GA in April 2014

Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics

Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set

Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets

[Figure: Brooklyn Datacenter - Zone 1. Labels: Cloud Service Management Plane; Datacenter Control Plane; Datacenter Data Plane; Virtualized Services Directory; Virtualized Services Controller; Virtual Routing & Switching; HYPERVISOR (six); IP Fabric; Edge Router; MP-BGP; Hardware GW for Bare Metal]

Page 19

Open solution

Consistent capabilities across
• Any Compute Virtualization Environment
• Any Datacenter Networking Hardware
• Any Server or Hypervisor

[Figure: DATACENTER NETWORK]

Page 20

Nuage Networks policy templates and role-based workflow

Policy Instantiation
• IP address 10.x.y.z
• VLAN configuration
• WAN configuration
• Security / FW settings
• QoS parameters
• …

[Figure labels: Tenant / Application Request; Compute Management; Auto-instantiation; Compute Request completed in Minutes (00:01); Networking; Security/ Compliance; IP address; WAN interconnect; Policy / Security Zones; L2 /L3 Service AD; Service chaining; Templates; Nuage Networks VSP; Network Change Completed automatically (00:01)]

Service velocity is not hindered by manual network process

Page 21

Conclusions

• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than VLANs, but …
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints can not be done with traditional methodology
• Policy abstraction is a proven framework
• Successfully shipping since May 2013

Page 22

For more information…

• Nuage Networks Virtualized Services Platform
  • http://www.nuagenetworks.net
• OpenStack Neutron Group Based Policy Abstraction
  • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
  • https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin

Page 23

While at Interop Tokyo…

• Visit the Nuage Networks booth in the SDI ShowCase

Page 24

6/16/14

Network Policy NOW

@nuagenetworks

@ssneddon