Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
•
4 gostaram•1,336 visualizações
Nuage Networks' solution for a Policy Driven approach to Software Defined Networking. Including info on the OpenStack Group Based Policy Abstractions for Neutron. Keynote session, Interop Tokyo 2014
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
Semelhante a Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014 (20)
Último
Último (20)
Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
- 1. Copyright 2013 Alcatel-‐Lucent. All rights reserved. @ssneddon Sco= Sneddon Principal Solu-ons Architect, APAC Business Development Lead Nuage Networks A Policy Driven Approach to So6ware Defined Networking
- 2. SDN in 2014 § OpenFlow Controllers § Network VirtualizaFon § White Box Switching § Open Source Projects § Network as a Service Plenty of InnovaFon and DisrupFon…
- 3. Why SDN? § Reduce Cost § Asset UFlizaFon § Self Service § AutomaFon § Make the network more “Cloud” like We’re making great progress
- 4. The “ConsumpFon shi6” § Cloud is changing the way technology is being consumed § From “order and wait” § To “instant graFficaFon” Consumer expectaFons are shi6ing MulBple personas Single user On-‐demand personalized catalogue
- 5. § Compute is Virtualized § Available in Minutes § Network is ParBally Virtualized § ConfiguraBon takes Days/Weeks Network ConfiguraBon Compute Management New Tenant / ApplicaBon Request Auto-‐instanBaBon Compute Request completed in Minutes Help Desk Change Control IP Address VLAN Address Firewall Configuration LAN (VLAN) Configuration WAN (IP) Configuration Security / QA Team Project Coordinator Network Change completed in days/Weeks 00:01 Datacenter Network Service velocity is hindered by manual network process
- 6. § Network is “more” virtualized § Some things available in minutes – Some not so much § Many network elements are manually configured § Manual per-‐tenant network configuraBons Network ConfiguraBon Compute Management New Tenant / ApplicaBon Request Auto-‐instanBaBon Compute Request completed in Minutes SDN Controller Some Network Change completed In Minutes 00:01 00:01 So6ware Defined Datacenter Network Service velocity accelerated, but…
- 7. § Commi=ees sBll build “networks” § Audits/reviews § In a NaaS environment (OpenStack Neutron, AWS, etc) this is delegated to the tenant § Is this what your DevOps team should be doing? Network ConfiguraBon So6ware Defined Network ConfiguraFon We’ve only addressed part of the automaFon problem DevOps Team VLAN Address IP Address WAN (IP) Configuration Firewall Configuration Network Configuration created in days/Weeks
- 8. § Current Neutron Networking provides building blocks to create logical topologies § Networks, Ports, Subnets ,Routers, Security Groups neutron net-‐create web neutron subnet-‐create web 10.0.0.0/24 neutron router-‐create router1 neutron router-‐add-‐interface router1 web … § Not abstracted into a consumable model OpenStack Neutron Networks web VM VM VM VM VM VM app db Puts the burden of topology design on the DevOps team
- 9. § DevOps has an understanding of the specific applicaBon needs § SegmentaBon, Port numbers, ConnecBvity goals § Should not be burdened with the implementaBon details § Routes, Subnets, VLANs The DevOps team needs an Abstracted view A DevOps View web VM VM VM app VM VM VM web VM VM VM
- 10. Network Administrators need to… § Define connecBvity models § Paths § QoS § Access Control § Deploy service elements § Firewall § Load Balancer § IPS § Audit compliance § Audit usage A Network Admin View Firewall IPS Parental Ctl Firewall IPSParental Ctl Internet Policy Selector chain 1 chain 2 chain 3 chain 4
- 11. Policy approach to networking Policy Templates Users ApplicaBon Types Business Rules Policy EvaluaBon Firewall Firewall W BL BL W Firewall W W Firewall Firewall W BL BL W Firewall Firewall W BL BL W BL BL Design once, re-‐use mulFple Fmes ApplicaBon Networks
- 12. ApplicaFon = Web ApplicaFon = SAP ApplicaFon = Database Policy Based Network VirtualizaFon Group applicaFons into “network sandboxes”
- 13. What is a network Policy? OpenStack Group Based Policy AbstracBons for Neutron h=ps://blueprints.launchpad.net/neutron/+spec/group-‐based-‐policy-‐abstracBon • An ApplicaBon-‐centric approach to networking • Moving away from tradiBonal network constructs • ports, subnets, routers, etc • Aiming for a highly abstracted interface for applicaBon developers to • express desired connecBvity of applicaBon components • and express high-‐level policies governing that connecBvity • Without imposing constraints on the underlying implementaBon
- 14. Policy AbstracFons for Neutron OpenStack Group Based Policy AbstracBons for Neutron h=ps://blueprints.launchpad.net/neutron/+spec/group-‐based-‐policy-‐abstracBon Outside EPG Web EPG App EPG DB EPG VM VM VM VM VM VM VM VM Web Contract App Contract App Contract Public Network Private Networks • Endpoint (EP) – an IP addressable enBty • Endpoint Group (EPG) – a grouping of Endpoints • Policy Rule – individual rule that defines communicaBon criteria • Contract – a collecBon of Policy Rules that are applied to traffic between EPG’s
- 15. In applicaBon development… § We first define the applicaBon through source code § We then compile the applicaBon into machine instrucBons § Then we bind that applicaBon to a plaeorm at run Bme § Assigning compute registers and memory locaBons In a Policy driven network… § We first define the applicaBon’s connecBvity requirements and business rules § ApplicaBon Policy § We then map this applicaBon to a network service § Predefined network templates, network contracts § Then we implement these network services when the applicaBon is deployed § Automated, Dynamic To Achieve a Policy Driven Network
- 16. APPLICATION ATTRIBUTES SDN FRAMEWORK TOPOLOGY ATTRIBUTES Service Mapping Service Binding Application Request TECHNOLOGY ATTRIBUTES web app web web app db To Achieve a Policy Driven Network
- 17. Policy Driven Networking Delivered § Nuage has provided policy abstracBons for virtual and physical networks since our first release § L2, L3, ACLs, QoS, Service Chaining, Traffic StaBsBcs § Difficult to express using exisBng Neutron constructs… § Which is why we’re contribuBng to Group Based Policy Cleanly express applicaFon policy in Neutron
- 18. Cloud Service Management Plane Datacenter Control Plane Datacenter Data Plane Virtual RouBng & Switching R2.1 GA in April 2014 Virtualized Services Directory Virtualized Services Controller HYPERVISOR HYPERVISOR HYPERVISOR HYPERVISOR HYPERVISOR HYPERVISOR Brooklyn Datacenter -‐ Zone 1 Virtualized Services Directory (VSD) • Network Policy Engine – abstracts complexity • Service templates and analyBcs Virtualized Services Controller (VSC) • SDN Controller, programs the network • Rich rouBng feature set Virtual RouFng & Switching (VRS) • Distributed switch / router – L2-‐4 rules • IntegraBon of bare metal assets Nuage Networks Virtualized Services Pla`orm (VSP) IP Fabric Edge Router MP-‐BGP MP-‐BGP Hardware GW for Bare Metal Nuage Networks Virtual Services Pla`orm
- 19. DATACENTER NETWORK . . . . Any Compute VirtualizaFon Environment Any Datacenter Networking Hardware Any Server or Hypervisor Open soluFon Consistent capabiliFes across
- 20. Nuage Networks policy templates and role-‐based workflow Compute Management Tenant / ApplicaBon Request Networking Security/ Compliance Service velocity is not hindered by manual network process Auto-‐instanBaBon Compute Request completed in Minutes 00:01 IP address WAN interconnect Policy / Security Zones L2 /L3 Service AD Service chaining Templates Nuage Networks VSP Policy InstanFaFon • IP address 10.x.y.z • VLAN configuraBon • WAN configuraBon • Security / FW sekngs • QoS parameters • … Network Change Completed automatically 00:01
- 21. Conclusions • CreaBon of distributed virtual switches and virtual routers -‐ great for virtual networks and be=er than VLAN’s, but … • Creates a distributed virtual configuraBon and management challenge • Provisioning and management of these endpoints can not be done with tradiBonal methodology • Policy abstracBon is a proven framework • Successfully shipping since May 2013
- 22. For more informaFon… • Nuage Networks Virtualized Services Plaeorm • h=p://www.nuagenetworks.net • OpenStack Neutron Group Based Policy AbstracBon • h=ps://blueprints.launchpad.net/neutron/+spec/group-‐based-‐policy-‐abstracBon • OpenDaylight ApplicaBon Policy Plugin • h=ps://wiki.opendaylight.org/view/Project_Proposals:ApplicaBon_Policy_Plugin
- 23. While at Interop Tokyo… • Visit the Nuage Networks booth in the SDI ShowCase
- 24. 24 6/16/14 Network Policy NOW @nuagenetworks @ssneddon