How to Implement SDN Technology in ITB
Affan Basalamah
SDN/NFV Days ITB 2016
21-03-2016
# whoami
• Affan Basalamah
• Head of IT Development
• Direktorat Sistem Teknologi Informasi (DSTI)
• Institut Teknologi Bandung
• @affanzbasalamah
The message of this presentation
• I will show how a technology university turns its campus network into a research platform for SDN/NFV technology without disrupting the production network
My role: IT
• What I should be doing:
• Connecting
• Connecting whom?
• Academic/research in ITB
• with IT/telco industries outside: telcos, tech vendors
Institut Teknologi Bandung
Aula Barat ITB
Gedung PAU ITB
The yellow-cable and WaveLAN era
The Cisco Catalyst 6500, fiber optic and PC router era
Campus Core Network
What has been achieved
• 20 years ago ITB built a network that produced:
• Production network & development network
• There was no SLA at that time
• Experts with knowledge and experience
• Lecturers as network/system admins
• Student volunteers as network/system admins
What we want to achieve
• In the next 2-3 years, build a network able to produce:
• Production network & development network
• At a time when SLAs for IT & Internet services are very strict
• Experts with knowledge and experience
• Lecturers & students as researchers
• IT as developers
[Timeline diagram: 1996, 2016, Future (????); labels: Expert w/ Knowledge Experience, Network Services, Expert w/ Knowledge Experience]
How to achieve it?
• SDN-supported datacenter, core and access network
• SDN experiments at ITB can use this network
• Without disrupting the production network
• SDN/NFV research/development activities
• SDN/NFV labs, testbeds, research center
• SDN/NFV communities
Networking in 5+ minutes
What kind of networks
• Edge: Connecting external networks
• Datacenter: All of the application systems
• Core: Networking highway
• Access: Connecting endpoints
Network Components
• Switching: Ethernet switch, WiFi AP
• Routing: IP router
• Services: Firewall, NAT, ADC
Production Network
• Access to Edge via Core (outgoing)
• Access to Datacenter via Core (outgoing)
• Edge to Datacenter via Core (incoming)
• Datacenter to Datacenter via Core
• Every connection has network policies
• ACL, authentication, authorization, content policy
Experimental Network
• Experiment access to Edge via Core
• Experiment access (labs) to Datacenter via Core
• Experiment cloud Datacenter to Datacenter via Core
• Experiment Edge to Datacenter (labs) via Core
• The policy is: there are no network policies
• Firewall open, no authentication, etc.
Running under the same equipment
• Core switch
• Datacenter switch
• Access switch
[Diagram: Campus Core Network connecting the sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
3 Stages
• Understanding the network
• Understanding the technology that can be used
• Implementation planning & execution
ITB Enterprise Network
Core Network
• 1 GbE optical & 1 GbE copper
• 10 GbE optical, ready for 40/100 GbE
• Enterprise features: STP, VLAN, OSPF, BGP, IPv6
• Service Provider: MPLS, L3VPN, L2VPN, VPLS
• Software Defined Network (SDN): OpenFlow v1.0/1.3
• Brocade MLXe-8 & Juniper EX9200
Enterprise Network Technology
• L2 switching
• L3 routing: OSPF
• IPv6 routing (OSPFv3, BGP)
• IPv6 multicast routing
• Policy Based Routing (PBR) and Access Control List (ACL)
• Existing network working as usual
High Availability Features
• Redundant management module
• Redundant power supply with new UPS
• Link Aggregation Groups (LAG)
• Bidirectional Forwarding Detection (BFD)
Network Security Features
• Management network CPU protection
• L2 ACL, IPv4 & IPv6 ACL
• SSH & SCP authentication via TACACS+ & RADIUS
• DDoS rate limit protection
Management Network
• Dedicated Ethernet management port
• SNMP
• TACACS+ & RADIUS
• Support RANCID
• NTP
• Syslog
• sFlow
• NETCONF
Datacenter Network
• 10 GbE & 40 GbE interfaces
• Supporting server technology:
• HPC blade
• Cloud computing
• iSCSI storage area networking
Ethernet Fabric
• L2 for virtualization & cloud
• Inter-datacenter with VPLS from the Core Network
• VMware vCenter management & OpenStack plugins
• Fabric Ethernet technology with TRILL
• Brocade VDX6740 Fabric Ethernet Switch
Edge Gateway Network
• Juniper MX80 for gateway router
• Juniper SRX650 for firewall
• Sophos UTM650 for DPI
• Brocade ADX1000 for application delivery switch
• Cisco ASR1002 for NREN gateway router
Access Network
• L2 switches, a mix of:
• Brocade ICX6430/6450
• Juniper EX2200
• Cisco Catalyst 3560
• VLAN & Spanning-Tree
• Security features: DHCP snooping, 802.1X
Wireless Network
• Ruckus Wireless
• WiFi controller
• WiFi access point indoor
• Ready for 3G offload in campus
• WiFi access point outdoor
Management Network
• Support for existing: SNMP, CLI, feeding Cacti & Nagios
• Management VRF
• sFlow for data collection & telemetry
• New apps with sFlow-RT and OpenFlow
• NETCONF & YANG
• Support for new applications
Brocade MLXe-8 Core Network
[Diagram: Campus Core Network connecting the sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: Core & Access Network across PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: Campus WiFi Network: WiFi controller, DHCP/DNS/AAA, Internet, firewall, DPI-L7, router; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: Datacenter Network: SLB, firewall, DPI-L7, router, Fabric Ethernet, Cloud/BigData/HPC, Internet; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
Service Provider Network
MPLS Network
• MPLS forwarding
• LDP or RSVP or BGP signalling
• L3VPN for new services
• L2VPN for new services
• VPLS for new services
[Diagram: Core & Access Network across PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: MPLS Service Network - L3VPN: Internet, router, surveillance monitor system, registration & payment; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: 3G/4G Offload WiFi Network: DPI-L7, router, Internet, WiFi controller, DHCP/DNS/AAA; Cell1, Cell2, Cell3 each mapped to SSID Cell1, SSID Cell2, SSID Cell3; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: WiFi Network with VPLS: WiFi controller, DHCP/DNS/AAA, Internet, firewall, DPI-L7, router; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
[Diagram: Datacenter Network with VPLS: SLB, firewall, DPI-L7, router, Fabric Ethernet, Cloud/BigData/HPC, Internet; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
Research & Education Network
OpenFlow SDN
• Core network supports OpenFlow v1.0
• Hybrid port mode with protected & unprotected VLANs
• Protected VLANs are not subject to the defined OpenFlow flows
• Regular network can coexist with OpenFlow
• VPLS support on VLAN in OpenFlow hybrid mode
• L2 mode & L3 mode
• OpenFlow actions & counters
Management, Control & Data Planes
[Slide reproduced from ipSpace.net 2013, "SDN, OpenFlow and NFV for Skeptics" (slide 14, "Management, Control and Data Planes"): a router and its adjacent routers, each with a management/policy plane (configuration / CLI / GUI), a control plane (OSPF, neighbor table, link-state database, IP routing table, static routes) and a data plane (forwarding table: switching, routing)]
Existing toolbox for SDN
[Slide reproduced from ipSpace.net 2015, "SDN – Four Years Later" (slide 22, "SDN Toolbox: Existing Tools!"): the same router plane diagram annotated with existing tools NETCONF, SNMP, BGP, PCEP, ForCES, BGP Flowspec and MPLS-TP]
Emerging toolbox for SDN
[Slide reproduced from ipSpace.net 2015, "SDN – Four Years Later" (slide 23, "SDN Toolbox: Emerging Protocols!"): the same router plane diagram annotated with emerging protocols OF-Config, XMPP, OVSDB, Puppet/Chef, OpenFlow, I2RS and OnePK]
SDN for Device Configuration
[Diagram: a controller running apps pushes device configuration to a router, access switch, distribution switch and core switches]
SDN for Service Configuration
[Diagram: a controller running apps pushes service configuration to a router, hypervisors hosting multitenant VMs, a ToR switch and core switches; inset shows a page of an OpenStack guide (Figure 1-6 storage node; Table 1-2 third-party component configuration, e.g. MySQL with binlog-format = row, master/master replication reached only through a Pacemaker virtual IP)]
SDN for RIB/FIB Adjustments
[Diagram: a controller running apps applies routing & forwarding adjustments to a router, access switch, access point, hypervisor, distribution switch and core switches via BGP-LS, PCEP, Quagga; MPLS-TE automatic tunnel]
Centralized Control Plane - OpenFlow
[Diagram: a controller running apps installs forwarding flows (e.g. 11-tuples) via OpenFlow on a router, access switch, access point, hypervisor, distribution switch and core switches]
SDN for DDoS Protection
[Diagram: an sFlow-RT DDoS application controlling the core network via OpenFlow; user; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
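As an added example (not ITB's, Brocade's or sFlow-RT's code), the Python below models the sFlow-RT + OpenFlow DDoS idea in this slide together with the hybrid-port caveat from the OpenFlow SDN slide: protected VLANs are not subject to OpenFlow flows, so a drop flow only helps victims on unprotected VLANs. The sFlow samples, VLAN numbers and thresholds are constructed.

```python
from collections import defaultdict

# Hypothetical protected VLANs on the hybrid-mode core port (constructed):
# traffic on these VLANs stays on the regular pipeline and ignores OpenFlow
# flows, so an OpenFlow drop rule cannot mitigate a flood there.
PROTECTED_VLANS = {10, 20}

# Constructed sFlow flow samples over a 10 s window: (src_ip, dst_ip, vlan,
# sampling_rate). With 1:N sampling, each sample stands for about N packets.
SAMPLES = [("192.0.2.9", "10.0.20.7", 20, 2048)] * 3            # normal traffic
for i in range(6):                                                # 6-source flood
    SAMPLES += [(f"203.0.113.{i + 1}", "10.0.5.5", 300, 2048)] * 100
for i in range(6):                                                # flood on protected VLAN
    SAMPLES += [(f"198.51.100.{i + 1}", "10.0.10.3", 10, 2048)] * 100

def detect_floods(samples, window_s=10, pps_threshold=50_000, min_sources=5):
    """Estimate packets/s per (dst, vlan) from sampled flows and flag floods
    that come from at least min_sources distinct sources."""
    pps = defaultdict(float)
    sources = defaultdict(set)
    for src, dst, vlan, rate in samples:
        pps[(dst, vlan)] += rate / window_s
        sources[(dst, vlan)].add(src)
    return [(dst, vlan, rate, len(sources[(dst, vlan)]))
            for (dst, vlan), rate in pps.items()
            if rate >= pps_threshold and len(sources[(dst, vlan)]) >= min_sources]

def mitigation_flow(dst, vlan, idle_timeout=300):
    """Build an OpenFlow 1.0 flow-mod (as a dict) dropping IPv4 traffic to the
    victim on its VLAN; an empty action list means drop in OpenFlow 1.0.
    Returns None for a protected VLAN, where the switch would not apply it."""
    if vlan in PROTECTED_VLANS:
        return None
    return {"priority": 65000,
            "match": {"dl_type": 0x0800, "dl_vlan": vlan, "nw_dst": dst},
            "actions": [], "idle_timeout": idle_timeout}

def plan_mitigations(samples):
    """Return (flows to push, victims that must be handled on the regular pipeline)."""
    flows, unmitigated = [], []
    for dst, vlan, _, _ in detect_floods(samples):
        flow = mitigation_flow(dst, vlan)
        # A dict is truthy, so a usable flow goes to flows; None goes to unmitigated.
        (flows if flow else unmitigated).append(flow or (dst, vlan))
    return flows, unmitigated

if __name__ == "__main__":
    flows, left = plan_mitigations(SAMPLES)
    print("push via OpenFlow:", flows, "\nprotected VLAN, regular pipeline:", left)
```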
Network Slicing with OpenFlow
[Diagram: FlowVisor between the OpenFlow switches and controllers C1, C2, C3, each owning Slice 1, Slice 2, Slice 3; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
Software Defined Network
[Diagram: OpenFlow apps controlling Juniper MX80, Mikrotik, OpenWRT and OpenvSwitch devices; sites PAU, Labtek V, Labtek VIII, CCAR and CRCS]
SDN, Cloud & DevOps Tools
Mininet
Opensource SDN Process Simplified
SDN Activities & Research
SDN Activities in Campus
• Existing:
• SDN course in ITB: Telecommunication Engineering: EL5244 - Software Defined Networking by Dr.-Ing. Eueung Mulyana
• SDN testbed trial on the campus backbone (final project)
• OF@TEIN
• Coming possibilities:
• SDN/NFV labs and research center
• SDN/NFV testbed between campuses in Indonesia
SDN Course in ITB
Telecommunication Engineering: EL5244 - Software Defined Networking
• Lectured by Dr.-Ing. Eueung Mulyana
Thesis/Final Projects:
• Design & Implementation of Multicast Streaming Application on A Local OpenFlow Network
• Design & Implementation of MPLS Service on OpenFlow Network with Open vSwitch
• Implementation & Analysis of Elastic Load Balancing for DNS Service on OpenStack Cloud
• Sustainable Campus-Scale OpenFlow Testbed at ITB
• Design & Implementation Site-to-Site IPsec VPN on OpenStack
Design & Implementation of Multicast Streaming Application on A Local OpenFlow Network
[Diagram: streaming server, OpenFlow controller, dummy client, client 1, client 2, client 3]
Design Multicast Video Streaming Application on Unicast Network Using Floodlight (OF1.0)
Campus-Scale OpenFlow Testbed
Possibilities
• SDN/NFV labs to research center
• SDN/NFV testbed between campuses in Indonesia
SDN/NFV Labs
• SDN/NFV laboratory
• Proof of concept for SDN/NFV applications
• Start from the labs, experiment across campus
• Expanding to an SDN/NFV research center
SDN/NFV Test Bed
• Experimental test bed across campus
• Extending the test bed between campuses/research groups
• Leveraging the Indonesia Research Education Network
What’s Next: Collaboration
But don't forget the human
• Human resource development
• SDN/NFV community in ITB
• Activity: discussion, small labs, seminar
• Next step: meetup, small workshop
• Extending to: seminar, workshop, training
SDNRG ITB
• SDN Research Group at ITB
• http://sdnrg.itb.ac.id
• twitter.com/sdnrgitb
• facebook.com/sdnrgitb
• Special Interest Groups on Networking and Connected Services (e.g. OpenStack, Internet of Things)
But why?
• SDN & cloud computing are multidisciplinary topics
• No single entity can understand it all completely
• Academics, operators & vendors need each other:
• Academics need real use cases for their research
• Operators need help with their problems
• Vendors need customers to propose their solutions to
SDNRG ITB can bridge the gaps
• Academics can get real use cases from practitioners
• Networkers can get help understanding SDN tech
• Vendors can promote SDN tech to an educated community
After the gap is small, what's next?
• Educated researchers can build SDN tech solutions for practitioners that fit the real use case
• Educated networkers can architect better SDN solutions that lead to better networks, with help from researchers & vendors
• Educated vendors can propose SDN solutions to the right customers
SDNRG 1st Meetup, Bandung 2014
OpenStack Mini Workshop, Bandung 2015
The Message
• I will show how a technology university turns its campus network into a research platform for SDN/NFV technology without disrupting the production network
Let's make it happen!
Thank you!