branching out with sdn going beyond datacenters

Copyright 2015 Alcatel-Lucent. All rights reserved.

BRANCHING OUT WITH SDN GOING BEYOND DATACENTERS Alastair JOHNSON March 2015 – MPLS-SDN World Congress, Paris


Automation

Constrained access options

Limited hardware

Limited Automation

Private Cloud

Public Clouds

Evolved Datacenter Infrastructure Automated

Instantaneous modifications

Simplified policy-driven management

Freedom of choice

Open

Status Quo at the Remote Location o Manual provisioning

o Costly moves, adds and changes

o Complex management

o Limited choice

o Proprietary hardware, vertically integrated

Unconstrained options

Branch offices Enterprise WAN DC Infrastructure

WAN Service

2

NETWORKING CONSUMPTION MUST EVOLVE END-TO-END


VXLAN encapsulates Ethernet in IP IPv4 or IPv6

UDP-based, source port is a hash of MAC or IPs to provide load balancing entropy

8 byte VXLAN header provides 24 bit VXLAN Network Identifier (VNI) and flags

Total encapsulation overhead is ~50 bytes

VXLAN is routable: underlay network may be any network with existing resiliency and load balancing mechanisms ECMP

IGPs/BGP

IP FRR

VXLAN tunnel endpoints can be on network equipment or computing infrastructure Deliver a VPN straight to a compute resource

IP Network (IP FRR, ECMP, IGP)

IP Network

IP Network

3

TECHNOLOGY RECAP: VXLAN


Data Plane

Control Plane

EVPN MP-BGP RFC7432

EVPN over MPLS for VLL, VPLS and E-Tree services All-active multihoming for VPWS RSVP-TE or LDP MPLS protocols

EVPN with PBB PE functionality for scaling very large networks over MPLS All-active multihoming for PBB-

VPLS

EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations Provides Layer 2 and Layer 3 DCI

Multiprotocol Label Switching

(MPLS) RFC7432

Provider Backbone Bridges

(PBB) draft-ietf-l2vpn-pbb-evpn

Network Virtualization Overlay

(NVO) draft-ietf-bess-evpn-overlay

4

TECHNOLOGY RECAP: EVPN


Proven and inherent BGP control plane scalability to MAC routes

Consistent signaled FDB in any size network instead of flooding

Even more scalability and hierarchy with route reflectors

BGP advertises MACs and IPs for next hop resolution with EVPN NLRI

AFI = 25 (L2VPN) and SAFI = 70 (EVPN)

Fully supports IPv4 and IPv6 in the control and data plane

Offers greater control over MAC learning

What is signaled, from where and to whom

Ability to apply MAC learning policies

Maintains virtualization and isolation of EVPN instances

Enables traffic load balancing for multihomed CEs with ECMP MAC routes

Route Distinguisher (8 octets)

Ethernet Segment Identifier (10 octets)

Ethernet Tag ID (4 octets)

MAC Address Length (1 octet)

MAC Address (6 octets)

IP Address Length (1 octet)

IP Address (0 or 4 or 16 octets)

MPLS Label1 (3 octets)

MPLS Label2 (0 or 3 octets)

MAC Advertisement Route (Light Green Fields are Optional)

5

TECHNOLOGY RECAP: EVPN


Existing model is cumbersome and inefficient

Manual configuration with some automation

Moves/Adds/Changes take weeks, not seconds

Compromising business efficiency

Network configuration, not business policy

NMS EMS CONFIG DB

SERVICE PROVIDER

Define policies and templates once, reuse many

Business logic defines network services

Realtime changes reflected to the network

Vetted against templates and security

Service velocity is not hindered by manual network process

BUSINESS LOGIC TEMPLATES

REALTIME CHANGES

6

POLICY IS KEY


POLICY

Centralized Control plane abstraction Instantaneous Programmable Federation-ready

CONTROL PLANE

Scalable Controllable Efficient Federated Multi-topology/service

DATA PLANE

Ubiquitous Layer 2 Layer 3 Service independence from transport

7

PUTTING IT TOGETHER


THE PAST DECADE OR TWO… THE BRANCH UNSHACKLED

Control plane

ETH/IP

BRANCH NETWORKING DEVICE

Management plane

Forwarding plane

GENERAL PURPOSE COMPUTE

OPEN OS

Virtual Routing & Switching

Flo

w e

ntr

ies

PROPRIETARY HARDWARE

Security Traffic

Steering QoS

OPEN CPE


Controller programs forwarding plane for all CPEs Aware of all L2/L3 topology behind each CPE Calculate once, program many

CPE becomes service instantation point Smart edge principle VXLAN service transport

Traffic is carried encapsulated over underlay network Underlay network could be any infrastructure Unaware of topology of overlay service

CPE

Site 1

LA

N CPE

Site 3

LA

N

CPE

Site 2

LA

N

Underlay

Policy DB

SDN Controllers

SP Central Functions

9

A NEW WAY OF DELIVERING VPNS


OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and provide notifications to the controller MAC/IP address learning on LAN ports are

alerted to the controller Controller determines whether the

MAC/IP is to be programmed into FIB

Federation of topology between controllers via BGP-EVPN MAC and IP reachability signaled VXLAN VNI information combined with

NEXT_HOP

CPE

SDN Controller

OpenFlow OVSDB

BGP EVPN

10.1.0.0/24 10.3.0.0/24

192.0.2.1 192.0.2.3

10.2.0.0/24 10.2.0.1/32 aa:bb:cc:dd:ee:ff

10



CPE forward directly between each other using VXLAN as overlay 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI

123456 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI

xyz

Underlay network sees only VXLAN traffic between endpoints Traffic management = IP Transport = IP

Dataplane can be further encapsulated if needed

10.1.0.0/24 10.3.0.0/24

192.0.2.1 192.0.2.3

VNI = 123456

11



Overlays simplify network topology

SP network needs to know less about customer topology

Increases flexibility of delivery – L2 services over L3, On Net, Off Net, Internet, etc

Provisioning simplified

VRF VRF

Many provisioning touch points

BGP

Routing Policy

RIB scale Failover Redundancy LAN ports

WAN ports Aggregation network

GRT GRT

Dynamic Provisioning

One-time Provisioning

12

VPN FLEXIBILITY


Centralized policy enforcement Firewall

Between zones/subnets/branch types Extranet applications To Internet through central functions

Content filtering Selective content filtering (schools –

teacher/student; public WiFi in retail environments bypasses)

Network analytics and monitoring Tap and mirror IDS/IDP DPI and DLP

LAN

WAN

CPE DC

LAN CPE

LAN

WAN

CPE DC

LAN CPE

13

OVERLAYS ENABLE SERVICE CHAINING


How do I connect the new to the existing? 1. EVPN with VXLAN termination direct into existing

MPLS PE routers End-to-end network is BGP and VXLAN aware allowing

for PE routers to act as VXLAN/MPLS interworking function

Streamlined and simplified routing

2. Use CPE as gateway Break VXLAN services out to Ethernet VLANs at PE

router Faster to deploy but less flexible

GRT VRF Internet

IP/MPLS VRF

VRF

Internet

IP/MPLS VRF

Traditional VPN environment Overlay VPN Environment IWF

Traditional VPN environment Overlay VPN Environment

14

INTERWORKING


Branches

Fixed and Mobile Networks

SINGLE SERVICE NETWORK FOR APPLICATION

Internet Private IP

Business Internet

Global Workforce

IP-VPN

SERVICE NETWORK PER CUSTOMER/APPLICATION

Public Cloud

Network Policy Engine

Network Policy Engine

15

FINAL VIEW: NETWORKS WITHOUT BORDERS

ONE COHESIVE ENVIRONMENT: FROM BRANCH TO WAN TO DATACENTER

Automated

Instantaneous policy-driven modifications

Simplified fulfillment & management

Freedom of choice

Open

Private Cloud


nuagenetworks.net/vns @nuagenetworks

branching out with sdn going beyond datacenters

Technology