cisco sdn/nvf innovations (sdn nvf day itb 2016)

Mohamad Ali Fahmi ([email protected])Released: March 21st, 2016

Cisco SDN/NFV Innovations

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Introduction• Architecture• Innovations• Summary

Agenda


• …a new approach*• …transforming the networking industry - challenging the way we think about engineering, implementing and managing networks• …providing new methods to interact with equipment/services –controllers, APIs• …empowering external influencers to network design and operations• …generating a LOT of ‘buzz’ and attention• …providing a catalyst for traditional Route/Switch engineers to branch-out

SDN is…

3* […not the first attempt!]


• …an easy button… but is intending to make things easier for all!• …a panacea or end-state• …well or narrowly defined• …meaning the death of network engineers• …a mandate for all network engineers to become C and Java programmers• …a new attempt at network evolution…

SDN is not…

4

I Wants SDN


Emerging TechnologiesMotivations and Strategy

ServiceOrchestration

ServiceOrchestration

NFVNFVSDNSDN

SDN – Open and Programmable at all LayersSimplify / Reduce Complexity

SDN – Open and Programmable at all LayersSimplify / Reduce Complexity

NFV – Elastic Resource CapacityReduce Total Costs Across all Services

NFV – Elastic Resource CapacityReduce Total Costs Across all Services

Service Orchestration – Customized DeliveryAutomation / Accelerate Time to Revenue

Service Orchestration – Customized DeliveryAutomation / Accelerate Time to Revenue

BUSINESS AGILITY

BUSINESS AGILITY

OPERATIONAL SIMPLICITY

OPERATIONAL SIMPLICITY

PROFITABILITYPROFITABILITY¥£€$


Cisco Strategy: Various models of programmability

Vendor-specific APIs

Applications

Programmable APIs

Control PlaneControl Plane

Data PlaneData Plane

VendorSpecific(e.g. onePK)

1Applications

Virtual Control PlaneVirtual Control Plane

Virtual Data PlaneVirtual Data Plane

OverlayProtocols(e.g. VXLAN)

Vendor-specificAPIs

3 Network Virtualization/Virtual Overlays



ControllerController


Applications


OpenFlow

2a Classic SDN


ControllerController


Applications


OpenFlow


2b Hybrid “SDN”




CLI, SNMP, …


ETSI: NFV Reference Architecture

ComputingHardware

StorageHardware

NetworkHardware

Hardware resources

Virtualisation LayerVirtualised

InfrastructureManager(s)

VNFManager(s)

VNF 2

OrchestratorOSS/BSS

NFVI

VNF 3VNF 1

Execution reference points Main NFV reference pointsOther reference points

Virtual Computing

Virtual Storage

Virtual Network

NFV Management and Orchestration

EMS 2 EMS 3EMS 1

Service, VNF and Infrastructure Description

Or-Vi

Or-Vnfm

Vi-Vnfm

Os-Ma

Se-Ma

Ve-Vnfm

Nf-Vi

Vn-Nf

Vl-Ha


ETSI: NFV Architecture

ComputingHardware

StorageHardware

NetworkHardware

Hardware resources

Virtualisation LayerVirtualised

InfrastructureManager(s)

VNFManager(s)

VNF 2

OrchestratorOSS/BSS

NFVI

VNF 3VNF 1

Execution reference points Main NFV reference pointsOther reference points

Virtual Computing

Virtual Storage

Virtual Network

NFV Management and Orchestration

EMS 2 EMS 3EMS 1

Service, VNF and Infrastructure Description

Or-Vi

Or-Vnfm

Vi-Vnfm

Os-Ma

Se-Ma

Ve-Vnfm

Nf-Vi

Vn-Nf

Vl-HaInfrastructure

S/W Architecture Management and

Operations


Cisco NFV Architecture Legend

VNF Manager

Cisco ESC Cisco CTCM 3rd Party

NFV-O & Resource Orchestration

NSO – Network Services Orchestrator enabled by Tail-f

North Bound APIs

Virtual Network Functions Cisco and 3rd Party

CSR ASAv vNAM vIPS

vPC-DI vIMS VideoOpt. 3rd Party

Cisco Physical Infrastructure

Network VIM

Linux (RHEL 7.1), Hyper Visor (KVM), Host Packages, Software Defined Storage

NFVI Scope

NetworkCompute (UCS) Storage Ceph

Unifi

ed M

anag

emen

t wi

th a

ssur

ance

.

UCSD

API

GUI

Virtual Infrastructure Manager

Mercury based on RHEL OSP 7 OpenStack

Assu

ranc

e

APIC VTS OSCor or 3rd Partyor

3rd Party

or


Cisco Innovations- vMS- vBranch- ACI- APIC-EM- Ultra Service Platform-ACE


Managed Services Today: Network based VPNs + physical appliances

PE PE

PE

PE

Data Centre

Today• Physical appliances in DC

• Services in the branch– Appliances or integrated

Two major disruptors• Cloud computing

• Overlay VPNs

• Different impacts !

IP/MPLS


Managed Services evolution Option 1: Network based VPNs + cloud computing

PE PE

PE

PE

Data Centre

• Simplification of the branchBasic routingL2 switching

• Primarily an SP play

• Service moves to DCVirtualized DCs spread across infrastructure

• Benefits Reduced equipment costs Reduced onsite effortMore flexibility

IP/MPLS


CPECust-A

CPECust-A

CPECust-B

ASA

Over The TopAccess

Flex-VPN

Internet

VR

VR ASA

CPECust-C

CPECust-C

NSO – NFV OrchestratorCloud VPN Services § 3 Service Models for Enterprise deployment flexibility:

§ Cloud VPN Foundation § Cloud VPN Advanced§ Cloud VPN Advanced w/Web Security

§ CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec Tunnels

§ ASAv: vFW with NAT and Policy (*)§ ASAv: vFW with IPSec/SSL Remote Access (*)§ WSAv for Enhanced Web Security (*)

Management and Orchestration§ Enterprise Admin Service Interface (Portal) driven service

instantiation § Zero-Touch Deployment of enterprise CPE (ISR G2)§ Model driven Network Services lifecycle management

with Network Service Orchestrator (NSO) from Tail-f§ VNF lifecycle management with Elastic Services

Controller (ESC)§ Virtual Infrastructure Management with Openstack

featuring: OVS and ODL/VPP as SDN Controllers

Advanced

VRFoundation

CPECust-B

ESC – VNF Manager

VMS Release 2.0: Delivering Comprehensive Cloud VPN Services

WSA∂∂∂

Advanced w/Web Security

PnP RFS VirTo RFSAPI

CPE Managed Orchestration Link

Foundation ServiceDirect Internet Access via

“Split Tunnel”

Access Model:Flex-VPN Links

IPSEC VPN

Service AccessvRouter

Internet Access/Remote Access

OpenStack – Virtual Infrastructure Manager


CPEISR 800, 1900,

2900, 3900, Series

VPN Managed WAN

Managed Security

VMS 1.0.2 Services

Branch

Branch

Firewall(ASAv)

Web Security(WSAv)

vRouter(CSR1Kv)

CloudVPN(IPSec)

Internet

Remote Access

CISCO CONFIDENTIAL –SHARED UNDER NDA ONLY

Scope of Orchestration


CPEISR 800, 1900,

2900, 3900, 4000 Series

VPN Managed WAN

Managed Security

VMS 2.0 Services

Branch

Branch

Firewall(ASAv)

Web Security(WSAv)

vRouter(CSR1Kv)

CloudVPN(IPSec)

Internet

Intrusion Prevention

(IPSv)

Remote Access




CPEISR 800, 1900,

2900, 3900, 4000 Series

VPN Managed WAN

Managed Security

VMS 2.1 Services

Branch

Branch

Firewall(ASAv)

Web Security(WSAv)

vRouter(CSR1Kv)

CloudVPN(IPSec)

Internet


(IPSv)

Remote Access

VMS – Cloud VPN “as a Service”




4000 Series

VPNCPEISR 800, 1900,

2900, 3900, 4000 Series

Managed WAN

Managed Security

VMS 2.2 Services

Branch

Branch

vRouter(CSR1Kv)

CloudVPN(IPSec)

Branch

Branch

vPE(CSR1Kv)

MPLS VPN(MPLS)

Firewall(ASAv)

Web Security(WSAv)


(IPSv)

Remote Access

Internet

CPEBranch

Headquarters

IWANIWAN

Internet(IPSec)

MPLS VPN(MPLS)

InternetDMVPN

MPLSDMVPN

IWAN(BR/MC)




Delivering services to the branch Today’s approaches

GoodBest in breedCustomer choiceModular build-outDrawbacksEnvironmental (space / power / wiring)Onsite + complex installationTruck rolls

BenefitsFully integrated solutionNo truck rollSimpler environmentalDrawbacksReduced customer choiceUpfront hardware investmentSoftware inter-dependencies

Integrated Branch Solution

Rack and Stack


What is vBranch Orchestration

IP network

X86 entity CSR1kvASAv vWAAS3rd party

NFV Orchestration (NCS)

User & Operator portal

VNF EMS / NMS / Controller

• Centrally orchestration branch level NFV solution

• Central portal Infrastructure

• NFV orchestrator - NCS

• VNF EMS / NMS / Controller - choice

• Elastic Services Controller @ branchGUI + Local life cycle management

• x86 capability at the branch


Customer Experience in BriefOrder / Customize Your Services

1

CPE ships (if needed)2

CPE is connected(if needed)

3

Orchestrationoccurs

Automatically!4

10.12.162.x

Internet

CustomerVPN

Service is up and running

Service ProviderCloud


Self-Service User and Operator Portals –Customizable

Service health-awareness resource utilization is integrated with service orchestration into the operator and end-customer portals.


Cisco Virtual Managed ServicesCloud VPN and Cloud MPLS Packages

Customers

Flexible CPE

Cisco ISREthernet NID

Self-Service PortalSelf-Service Portal Service Provider Cloud

Cisco® Virtual Managed Services Platform

Service CatalogService Catalog Orchestration EngineOrchestration Engine

Open APIs

StorageStorageNetworkNetwork ComputeCompute

vFirewallvFirewall vWSAvWSA vIPSvIPS

Cisco Evolved Programmable Network

vRoutervRouter

Secure BroadbandSecure WAN

IPsec / MPLS


OPEN RESTFUL APISCENTRALIZED POLICY MODEL

OPEN SOURCE

CONTROLLER

APIC

ACI BUILDING BLOCKSNEXT GENERATION NEXUS—TRADITIONAL NETWORKS

POLICY MODEL

ACI

BUILT-IN LINE RATE END POINT DIRECTORY

INTEGRATED OVERLAY40G NON-BLOCKING FABRIC

SIMPLE, SECURE

>_>_

50% SIMPLER CODE BASE

FUTURE PROOF UPGRADABLE

TO ACI

PROGRAMMABILITY AND AUTOMATION

NETWORK VIRTUALIZATION

SUPPORT

RESILIENCY: IN SERVICE PATCHING,

UPGRADE, FAST RESTART

ACI BUILDING BLOCKSFUTURE PROOF—SOFTWARE UPGRADABLE TO ACI

NEXUS 9500 and 9300I N N OVA T I ON S I N SOF T WA RE H A RD WA RE A N D SYST EM D ESIGN

PR I C E POW ER EF F I C I EN CYPR OGR A M M A B IL IT YPOR T D EN SI T YPER F OR M A N C E

OPTIMIZED NX-OSSCALE OUT WITHOUT COMPROMISECOMMON BUILDING BLOCKS - ACCESS AND CORE

APIC


All forwarding in the fabric is managed through the application network profile• IP addresses are fully portable anywhere within the fabric• Security and forwarding are fully decoupled from any physical or virtual network attributes• Devices autonomously update the state of the network based on configured policy requirements

All forwarding in the fabric is managed through the application network profile• IP addresses are fully portable anywhere within the fabric• Security and forwarding are fully decoupled from any physical or virtual network attributes• Devices autonomously update the state of the network based on configured policy requirements

DB TierDB Tier

StorageStorage StorageStorage

Application Client

Web TierWeb Tier

App TierApp Tier

Application policy model: Defines the application requirements (application network profile)

Policy instantiation: Each device dynamically instantiates the required changes based on the policies

VMVM VMVMVMVM

10.2.4.7

VMVM

10.9.3.37

VMVM

10.32.3.7

VMVMVMVM

APIC


Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware

Cisco® ACI Fabric

Scale-Out Penalty-Free Overlay

App DBWeb

QoS

Filter

Filter

ServiceService

QoS

FilterOutside

(Tenant VRF)

Cisco Application Policy Infrastructure

Controller (APIC)


TWO TYPES OF LANGUAGESInfrastructure Language App Language

HumanTranslator

• Application Tier Policy and Dependencies

• Security Requirements• Service Level Agreement• Application Performance• Compliance• Geo Dependencies

• VLAN• IP Address• Subnets• Firewalls • Quality of Service • Load Balancer• Access Lists


APIC-EM: Common Policy Model from Branch to Data Center

Application Network Flow Profile

SLA, Security, QoS, Load Balancing

User and Things Network Profile

QoS, Security, SLA, Device, Location, Role

Cloud Data Center WAN Access

POLICY

DATA CENTER WAN AND ACCESS

CISCO® ADVANTAGEBROWNFIELD AND

GREENFIELD END TO END POLICY FRAMEWORK: FOCUS ON APPLICATION AND USER ENABLEMENT


Virtual Mobile Network

Firewall vPolicy

Pkt. Core Voice DPI

Physical Mobile Network

Services Core

Ultra Service Platform : From Physical to Virtualized Mobile Networks

Firewall vPolicy

Pkt. Core Voice DPIVoice

InfrastructureNFV

Services

Virtual Functions VNFM

VIM

MANO

NFVO

InternetVoice

VPC Voice SecurityvDPI vPolicy

EMS EMS EMS


Service: Controller

Minimal but “Sufficient” distributed control plane on network nodesCentralized intelligence on the SDN service controller

Transport: Segment Routing

Auto-discovery

Agile Carrier Ethernet - ACE

• Transport: Autonomic self-deployed and self-protected, dynamic, ECMPs, flexible traffic engineering

• Service: SDN + BGP for service, programmable

Agile Carrier Ethernet

SDN ControllerNetconf/yang


Agile Carrier Ethernet - ACE

Autonomic NetworkingAutonomic Networking

SegmentRoutingSegmentRouting

SDN Orchestration

SDN Orchestration

Virtual Out of Band Channel Autonomic Control Plane

Secure & Zero Touch deployment

Auto IP / IP unnumbered

Reduced Protocols

Application Integration

TI-LFA

Simplified TE

NSO / Tail-F for Service and static Label provisioning

XRv for central control plane

Open SDN Controller and WAE as add-ons for SR TE


Autonomic Networking: Secure, Plug-n-Play

RegistrarDarkLayer2

Cloud

Michael

Steve

AAAMisconfig/RoutingMisconfig

`

• Plug-n-Play: New node use v6 link local address to build adjacency with existing nodes, no initial configuration is required

• Secure: New node is authenticated using its ID, and then build encrypted tunnel with its adjacent nodes

• Always-on VOOB: Consistent reachability between Controller and network devices over Virtual Out-of-band management VRF. Even with user mis-configuration, the VOOB will still remain up

31


Transport Evolution with Segment Routing (SR)

• Application Enabled Forwarding- Each engineered application flow is mapped on a path- A path is expressed as an ordered list of segments- The network maintains segments

• Simple: less Protocols, less Protocol interaction, less state- No requirement for RSVP, LDP

• Scale: less Label Databases, less TE LSP- Leverage MPLS services & hardware

• Forwarding based on Labels with simple ISIS/OSPF extension

• 50msec FRR service level guarantees

• Leverage multi-services properties of MPLS

Millions of Applications

flows

A path is mapped on a

list of segments

The network only

maintains segments

No application

state

The state is no longer in the network but in the packet


AggregationAccess AccessAggregationCore

DC

Unified MPLS with SR ß Simplified MPLS Transport• Isolated network domains with common IP/MPLS technology using segment routing• Autonomic: auto-discovery, plug-n-play• Intra-domain routing: shortest-path, TI-FRR, anycast node SID for node redundancy• Inter-domain routing: SDN controlled inter-domain end-to-end routing• Back compatible: with existing unified MPLS network, LDP/RSVP-TE, RFC 3107

Metro IGP domain Metro IGP domain

DC domain

Core IGP domain

A BGW1

GW1GW2

GW2

Controller

ACE Transport: Unified MPLS with Segment Routing

33


CoreMetro1 Metro2

A B

GW21 1002GW22 1002

GW11 1001GW12 1001

IGP/SRmetroisland

IGP/SRmetroisland

CoreIGP

NSO

Lowlatencypath SR-TEbindingSID:16888à [SIDlistfortheSR-TERED]

SRlabel:[1001,16888,B]OSC/WAE WAEcalculatethepathandprovidethe

informationtoNSO

ACE Transport Architecture:

SDNcontrolledend-to-endLSP(SRsegmentlist)

SR-TE

SRbindingSIDprovideanenhancedinter-domainTEwithout requiredeeplabelstacksupport ontheaccessnodes

BGP-LS


AggregationAccess AccessAggregationCore

Unified VPN simple service model• P2P L2VPN: static PW provisioned by NSO• MP L2VPN: static PW within the domain, EVPN between domains• L3VPN: centralized on the GW node using PWHE virtual interface

IP-VPN

A BGW1

GW1GW2

GW2

ACE Service Architecture: Unified VPN Service Model

PW PW

PWHE PWHE

EVPNPW PW

PWP2P L2VPN

MP L2VPN

L3VPN

VPN service provisioning

NSO

35


Automate Service Provisioning through SDN

A B C

M N O

Z

D

P

§ Label stack between service nodes is provided through Segment Routing

§ SDN controller pushes static service labels on the end nodes through e.g. Netconf/Yang, optionnally stitching may be used on the mid-nodes

§ Service nodes implement forwarding service (L3/L2 based), distributed or centralized

Controller Service ProvisioningCE

Automation through open API’s

VRFStatic PW LabelStatic PW Label

Node Anycast GW

A 101

Z 101

Service Label

PW-123 123

PW-234 234

VRF VRF

SP’s OSS/BSS


Optimize Infrastructure with SDN WAEController

Path AZ expressed as {66, 68, 65}

A B C

M N O

Z

D

P

FULL66

6865

§ SDN controller, such as WAN Automation Engine, monitors and re-optimizes the infrastructure according to Service Provider business rules (h, link cost, delay)

§ SDN controller modifies instantaneously network flows by pushing label stack to source node only

§ PCEP provides programmatic interfaces to the source nodes while BGP-LSprovides network state to the controller

PCEP

BGP-LS


From device-centric to network-as-platform

Orchestration

SDNController

OrchestrationOrchestration

SDNController

Centralizedserviceprovisioning

Workwithexistingnetworkdevices

OnDeviceMinimalbutsufficient

AN:AutonomicNetworkingSR:SegmentRoutingVPNservices: eVPN +staticPW

NetworkasPlatformFullyprogrammable

DeviceisPnPcomponent

NSONSO

WAE

NSO

XRv+ODLWAE

Next:ACE Network-as-PlatformNow

NSO: Network Service OrchestratorWAE: Wan Automation EngineODL: Open Daylight


Summary

§ SDN NFV is evolving , Cisco is developing solutions based on Open Standard and Market Requirements

§ SDN NFV is covering All segments in the network § NFV is getting mature and a lot of deployment in production

§ Need more Development in SDN Solutions§ IT Engineers also need to evolve from hardware centric to software centric§ Basic knolwledge of IT (OS, Network, Hypervisor, etc) is a foundation of SDN NFV§ Cisco provides development portal for engineers, http://Devnet.cisco.com

cisco sdn/nvf innovations (sdn nvf day itb 2016)

Technology