Cisco SDN/NFV Innovations (SDN NFV Day ITB 2016)
TRANSCRIPT
Mohamad Ali Fahmi ([email protected])
Released: March 21st, 2016
Cisco SDN/NFV Innovations
2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Introduction
• Architecture
• Innovations
• Summary
SDN is…
• …a new approach*
• …transforming the networking industry, challenging the way we think about engineering, implementing and managing networks
• …providing new methods to interact with equipment and services: controllers, APIs
• …empowering external influencers in network design and operations
• …generating a LOT of ‘buzz’ and attention
• …providing a catalyst for traditional route/switch engineers to branch out
* […not the first attempt!]
SDN is not…
• …an easy button… but it is intended to make things easier for all!
• …a panacea or end-state
• …well or narrowly defined
• …the death of network engineers
• …a mandate for all network engineers to become C and Java programmers
• …a new attempt at network evolution…
Emerging Technologies: Motivations and Strategy
• SDN: open and programmable at all layers (simplify / reduce complexity)
• NFV: elastic resource capacity (reduce total costs across all services)
• Service Orchestration: customized delivery (automation / accelerate time to revenue)
Outcomes: business agility, operational simplicity, profitability
Cisco Strategy: Various models of programmability
[Diagram: four models, each placing Applications above a device's control plane and data plane]
1. Vendor-specific APIs: applications program the device through programmable, vendor-specific APIs (e.g. onePK); control plane and data plane both stay on the device.
2a. Classic SDN: applications run on a controller, which programs the device's data plane over OpenFlow; the control plane moves into the controller.
2b. Hybrid “SDN”: a controller programs the data plane over OpenFlow and vendor-specific APIs (e.g. onePK), while the device keeps its own control plane and its classic interfaces (CLI, SNMP, …).
3. Network Virtualization / Virtual Overlays: applications drive a virtual control plane and virtual data plane over overlay protocols (e.g. VXLAN) and vendor-specific APIs, on top of the physical control and data planes.
ETSI: NFV Reference Architecture
[Diagram of the ETSI NFV reference architecture; the legend distinguishes execution reference points, main NFV reference points and other reference points]
• NFVI: hardware resources (computing hardware, storage hardware, network hardware) under a virtualisation layer that exposes virtual computing, virtual storage and virtual network
• VNFs: VNF 1, VNF 2, VNF 3, each with its element management system (EMS 1, EMS 2, EMS 3)
• OSS/BSS
• NFV Management and Orchestration (MANO): Orchestrator, VNF Manager(s), Virtualised Infrastructure Manager(s), driven by the service, VNF and infrastructure description
• Reference points: Os-Ma (OSS/BSS to MANO), Se-Ma (descriptions to MANO), Ve-Vnfm (VNF/EMS to VNF manager), Or-Vnfm (orchestrator to VNF manager), Or-Vi (orchestrator to VIM), Vi-Vnfm (VIM to VNF manager), Nf-Vi (NFVI to VIM), Vn-Nf (VNF to NFVI), Vl-Ha (virtualisation layer to hardware)
• The same picture is read as three areas: Infrastructure, S/W Architecture, and Management and Operations
Cisco NFV Architecture
[Diagram of the Cisco NFV stack, mapped onto the ETSI layers]
• NFV-O and resource orchestration: NSO (Network Services Orchestrator, enabled by Tail-f), exposing north-bound APIs
• VNF Manager: Cisco ESC, Cisco CTCM, or 3rd party
• Virtual Network Functions, Cisco and 3rd party: CSR, ASAv, vNAM, vIPS, vPC-DI, vIMS, Video Optimization, 3rd party
• Virtual Infrastructure Manager: Mercury, based on RHEL OSP 7 OpenStack (or 3rd party)
• Network VIM: APIC, VTS, OSC, or 3rd party
• NFVI scope: Linux (RHEL 7.1), hypervisor (KVM), host packages, software-defined storage
• Cisco physical infrastructure: network, compute (UCS), storage (Ceph)
• Unified management with assurance: UCSD, through API and GUI
Cisco Innovations
• vMS
• vBranch
• ACI
• APIC-EM
• Ultra Service Platform
• ACE
Managed Services Today: Network based VPNs + physical appliances
[Diagram: IP/MPLS network with PE routers and a Data Centre]
Today
• Physical appliances in the DC
• Services in the branch: appliances or integrated
Two major disruptors
• Cloud computing
• Overlay VPNs
• Different impacts!
Managed Services evolution, Option 1: Network based VPNs + cloud computing
[Diagram: IP/MPLS network with PE routers and a Data Centre]
• Simplification of the branch: basic routing, L2 switching
• Primarily an SP play
• Service moves to the DC: virtualized DCs spread across the infrastructure
• Benefits: reduced equipment costs, reduced onsite effort, more flexibility
VMS Release 2.0: Delivering Comprehensive Cloud VPN Services
[Diagram: customer CPEs (Cust-A, Cust-B, Cust-C) reach the SP cloud over the Internet using Flex-VPN as over-the-top access; per customer a virtual router (VR) for Foundation, VR plus ASA for Advanced, and VR plus ASA plus WSA for Advanced with Web Security; NSO as NFV orchestrator, ESC as VNF manager, OpenStack as virtual infrastructure manager; PnP and RFS/VirTo RFS APIs; a CPE managed orchestration link; the Foundation service offers direct Internet access via “split tunnel”; IPsec VPN links, service access through the vRouter, Internet access and remote access]
Cloud VPN Services
§ 3 service models for enterprise deployment flexibility: Cloud VPN Foundation, Cloud VPN Advanced, Cloud VPN Advanced w/ Web Security
§ CSR1Kv: virtual router for site-to-site VPN with secure IP overlay, using FlexVPN/IKEv2 for IPsec tunnels
§ ASAv: vFW with NAT and policy (*)
§ ASAv: vFW with IPsec/SSL remote access (*)
§ WSAv for enhanced web security (*)
Management and Orchestration
§ Enterprise Admin Service Interface (portal) driven service instantiation
§ Zero-touch deployment of enterprise CPE (ISR G2)
§ Model-driven network services lifecycle management with Network Service Orchestrator (NSO) from Tail-f
§ VNF lifecycle management with Elastic Services Controller (ESC)
§ Virtual infrastructure management with OpenStack, featuring OVS and ODL/VPP as SDN controllers
VMS 1.0.2 Services
[Diagram: branches with CPE (ISR 800, 1900, 2900, 3900 series) connecting over the Internet into the orchestrated service cloud; remote access users]
• VPN Managed WAN: vRouter (CSR1Kv), Cloud VPN (IPsec)
• Managed Security: Firewall (ASAv), Web Security (WSAv)
• Remote Access
CISCO CONFIDENTIAL – SHARED UNDER NDA ONLY
Scope of Orchestration
VMS 2.0 Services
[Diagram: branches with CPE (ISR 800, 1900, 2900, 3900, 4000 series) connecting over the Internet into the orchestrated service cloud; remote access users]
• VPN Managed WAN: vRouter (CSR1Kv), Cloud VPN (IPsec)
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv)
• Remote Access
Scope of Orchestration
VMS 2.1 Services
[Diagram: as VMS 2.0, now offered as VMS – Cloud VPN “as a Service”]
• VPN Managed WAN: vRouter (CSR1Kv), Cloud VPN (IPsec)
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv)
• Remote Access
Scope of Orchestration
VMS 2.2 Services
[Diagram: branches with CPE (ISR 800, 1900, 2900, 3900, 4000 series); headquarters reached over IWAN with Internet DMVPN and MPLS DMVPN paths; remote access users]
• Managed WAN: vRouter (CSR1Kv) with Cloud VPN (IPsec); vPE (CSR1Kv) with MPLS VPN; IWAN (BR/MC) over Internet (IPsec) and MPLS VPN
• Managed Security: Firewall (ASAv), Web Security (WSAv), Intrusion Prevention (IPSv)
• Remote Access
Scope of Orchestration
Delivering services to the branch: today’s approaches
Rack and Stack
• Good: best in breed, customer choice, modular build-out
• Drawbacks: environmental (space / power / wiring), onsite and complex installation, truck rolls
Integrated Branch Solution
• Benefits: fully integrated solution, no truck roll, simpler environmental
• Drawbacks: reduced customer choice, upfront hardware investment, software inter-dependencies
What is vBranch Orchestration
[Diagram: user and operator portal, NFV orchestration (NCS) and VNF EMS / NMS / controller in the centre; across the IP network, an x86 entity at the branch hosting CSR1Kv, ASAv, vWAAS and 3rd-party VNFs]
• Centrally orchestrated, branch-level NFV solution
• Central portal infrastructure
• NFV orchestrator: NCS
• VNF EMS / NMS / controller: customer’s choice
• Elastic Services Controller at the branch: GUI plus local lifecycle management
• x86 capability at the branch
Customer Experience in Brief
1. Order / customize your services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically!
Service is up and running.
[Diagram: customer VPN across the Internet into the service provider cloud]
Self-Service User and Operator Portals (Customizable)
Service health awareness and resource utilization are integrated with service orchestration into the operator and end-customer portals.
Cisco Virtual Managed Services: Cloud VPN and Cloud MPLS Packages
[Diagram: customers connect through flexible CPE (Cisco ISR or Ethernet NID) over secure broadband or secure WAN (IPsec / MPLS) across the Cisco Evolved Programmable Network into the service provider cloud. The Cisco® Virtual Managed Services Platform provides a self-service portal, service catalog and orchestration engine with open APIs over compute, storage and network, hosting the vRouter, vFirewall, vWSA and vIPS.]
ACI Building Blocks
Nexus 9500 and 9300: innovations in software, hardware and system design (price, power efficiency, programmability, port density, performance)
• Next-generation Nexus for traditional networks: optimized NX-OS; 50% simpler code base; programmability and automation; network virtualization support; resiliency (in-service patching, upgrade, fast restart); scale out without compromise; common building blocks for access and core; future-proof, software-upgradable to ACI
• ACI: APIC with a centralized policy model and open RESTful APIs; open source; built-in line-rate endpoint directory; integrated overlay; 40G non-blocking fabric; simple, secure
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: defines the application requirements (application network profile), e.g. Application Client, Web Tier, App Tier, DB Tier, Storage
Policy instantiation: each device dynamically instantiates the required changes based on the policies
[Diagram: VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 attached to the fabric under the APIC]
Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware
[Diagram: the Cisco® ACI Fabric, a scale-out, penalty-free overlay, under the Cisco Application Policy Infrastructure Controller (APIC); the application profile chains Outside (Tenant VRF), Web, App and DB through filters, QoS and service nodes]
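The following is an added example, written for this page; it is not from the deck and not APIC code. It models the group-based policy the two ACI slides above describe: endpoints are resolved to endpoint groups (EPGs) through an endpoint directory, contracts are written between a consumer EPG and a provider EPG, and nothing in the policy names a VLAN, subnet or leaf, so an endpoint can move to another leaf or be re-addressed without touching a contract. The three tiers, contracts, filters and the Outside client address are constructed; the slide's VM addresses are assigned to tiers here as an assumption; the evaluation is a simplified model of consumer/provider contracts with implicit deny.

```python
"""Group-based policy in the style of the ACI application network profile:
endpoints are classified into EPGs by the endpoint directory and cross-EPG
forwarding is permitted only by a contract between consumer and provider.

Added example for this page; tiers, contracts and addresses are constructed
and the evaluation is a simplified model, not APIC code.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Filter:
    proto: str                     # "tcp", "udp", "icmp"
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Contract:
    consumer: str                  # EPG allowed to initiate connections
    provider: str                  # EPG offering the service
    filters: tuple                 # Filter entries the contract permits


class Fabric:
    """Endpoint directory plus contracts; nothing here keys on subnet, VLAN or leaf."""

    def __init__(self, contracts):
        self.contracts = list(contracts)
        self.endpoints = {}        # name -> {"ip", "leaf", "epg"}

    def learn(self, name, ip, leaf, epg):
        """Attach or re-learn an endpoint; a move or re-address changes only this entry."""
        self.endpoints[name] = {"ip": ip_address(ip), "leaf": leaf, "epg": epg}

    def epg_of(self, ip):
        """Directory lookup: which EPG does this address currently belong to?"""
        ip = ip_address(ip)
        for ep in self.endpoints.values():
            if ep["ip"] == ip:
                return ep["epg"]
        return None                # unknown endpoint falls through to implicit deny

    def permitted(self, src_ip, dst_ip, proto, dport=None):
        """Would the fabric forward a new connection from src to dst? (whitelist model)"""
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        if src is None or dst is None:
            return False
        if src == dst:
            return True            # intra-EPG traffic is allowed by default
        for c in self.contracts:
            if c.consumer == src and c.provider == dst:
                if any(f.proto == proto and f.dport in (None, dport) for f in c.filters):
                    return True
        return False               # no matching contract: implicit deny


def three_tier_fabric():
    """The Web / App / DB profile from the slide; tier assignment of the VM
    addresses and the Outside client address are constructed assumptions."""
    fab = Fabric([
        Contract("Outside", "Web", (Filter("tcp", 443),)),
        Contract("Web", "App", (Filter("tcp", 8080),)),
        Contract("App", "DB", (Filter("tcp", 3306),)),
    ])
    fab.learn("client", "192.0.2.10", "border", "Outside")
    fab.learn("web1", "10.2.4.7", "leaf1", "Web")
    fab.learn("app1", "10.9.3.37", "leaf2", "App")
    fab.learn("db1", "10.32.3.7", "leaf3", "DB")
    return fab
```

Reading the checks a practitioner would run: Web may reach App on 8080 but not DB on 3306, DB cannot initiate toward App, and re-learning db1 on another leaf or with a new address leaves every contract untouched, which is the “IP addresses are fully portable” and “security decoupled from network attributes” claim in executable form. A real ACI contract also admits the reverse direction of an established flow and has taboo contracts, vzAny and more; none of that is modelled here.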
Two Types of Languages
• Infrastructure language: VLAN, IP address, subnets, firewalls, quality of service, load balancer, access lists
• App language: application tier policy and dependencies, security requirements, service level agreement, application performance, compliance, geo dependencies
A human translator sits between the two.
APIC-EM: Common Policy Model from Branch to Data Center
• Application Network Flow Profile: SLA, security, QoS, load balancing
• User and Things Network Profile: QoS, security, SLA, device, location, role
• One policy across cloud, data center, WAN and access
Cisco® advantage: brownfield and greenfield; an end-to-end policy framework focused on application and user enablement
Ultra Service Platform: From Physical to Virtualized Mobile Networks
• Physical mobile network: a services core with packet core, voice, DPI, firewall and policy as physical functions
• Virtual mobile network: the same functions as VNFs (VPC, voice, security, vDPI, vPolicy), each with its EMS, on an NFV infrastructure under MANO (NFVO, VNFM, VIM), towards the Internet and voice networks
Agile Carrier Ethernet (ACE)
• Transport: Segment Routing. Autonomic, self-deployed and self-protected, dynamic, ECMPs, flexible traffic engineering
• Service: SDN controller plus BGP for service, programmable over NETCONF/YANG
• Minimal but “sufficient” distributed control plane on the network nodes; centralized intelligence on the SDN service controller
• Auto-discovery
Agile Carrier Ethernet (ACE): building blocks
• Autonomic Networking: virtual out-of-band channel / autonomic control plane; secure and zero-touch deployment; auto IP / IP unnumbered; reduced protocols
• Segment Routing: application integration; TI-LFA; simplified TE
• SDN Orchestration: NSO / Tail-f for service and static label provisioning; XRv for the central control plane; Open SDN Controller and WAE as add-ons for SR-TE
Autonomic Networking: Secure, Plug-n-Play
[Diagram: a registrar reaches new nodes across a dark Layer 2 segment and the cloud, despite AAA misconfiguration and routing misconfiguration on intermediate nodes]
• Plug-n-Play: a new node uses IPv6 link-local addresses to build adjacencies with existing nodes; no initial configuration is required
• Secure: the new node is authenticated using its identity, then builds encrypted tunnels with its adjacent nodes
• Always-on VOOB: consistent reachability between the controller and network devices over the virtual out-of-band management VRF; even with user misconfiguration, the VOOB remains up
Transport Evolution with Segment Routing (SR)
• Application-enabled forwarding: each engineered application flow is mapped onto a path; a path is expressed as an ordered list of segments; the network maintains only the segments
• Simple: fewer protocols, fewer protocol interactions, less state; no requirement for RSVP or LDP
• Scale: fewer label databases, fewer TE LSPs; leverages MPLS services and hardware
• Forwarding based on labels, with simple IS-IS/OSPF extensions
• 50 ms FRR service-level guarantees
• Leverages the multi-service properties of MPLS
Millions of application flows, each mapped onto a list of segments; the network only maintains segments and holds no application state. The state is no longer in the network but in the packet.
ACE Transport: Unified MPLS with Segment Routing
Unified MPLS with SR: simplified MPLS transport
• Isolated network domains (access, aggregation, core, DC) with common IP/MPLS technology using segment routing
• Autonomic: auto-discovery, plug-n-play
• Intra-domain routing: shortest path, TI-FRR, anycast node SID for node redundancy
• Inter-domain routing: SDN-controlled inter-domain end-to-end routing
• Backward compatible with existing unified MPLS networks: LDP/RSVP-TE, RFC 3107
[Diagram: A in one metro IGP domain and B in another, a core IGP domain and a DC domain between them, gateway pairs GW1/GW2 at the domain boundaries, the controller on top]
ACE Transport Architecture: SDN-controlled end-to-end LSP (SR segment list)
[Diagram: A in Metro1 (IGP/SR island) behind gateways GW11 and GW12, both advertising anycast SID 1001; B in Metro2 behind GW21 and GW22, both advertising anycast SID 1002; core IGP between them; NSO on top; OSC/WAE fed by BGP-LS]
• Low-latency path: SR-TE binding SID 16888 maps to the SID list for the SR-TE (red) path
• SR label stack imposed by A: [1001, 16888, B]
• OSC/WAE calculate the path and provide the information to NSO
• SR-TE: the SR binding SID provides enhanced inter-domain TE without requiring deep label stack support on the access nodes
• BGP-LS carries the topology to the controller
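As an added example (not from the deck and not Cisco code), the following Python simulation walks a packet through the A-to-B case on this slide and through the SR basics two slides earlier: the access node imposes [1001, 16888, B] plus a service label, the gateway GW11 (or GW12, reached through the shared anycast SID 1001) pops 1001 and expands binding SID 16888 into its SR-TE segment list, the core forwards on node SIDs, and B delivers the bottom-of-stack service label to its pseudowire. The SID values 1001, 1002 and 16888 are the slide's; the node names, the other SIDs, the per-node next-hop tables, the low-latency core path via C1 and C3 and the service label 123 are constructed assumptions.

```python
"""Segment Routing data-plane walk-through: node SIDs, an anycast SID shared by
two gateways, a binding SID that a gateway expands into its SR-TE segment list,
and a bottom-of-stack service label delivered at the egress.

Added example for the ACE transport slides.  Apart from the SID values 1001,
1002 and 16888 taken from the slide, every node, SID, next-hop table and the
service label are constructed assumptions; this is not Cisco code.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    owned: set                                    # own node SID plus any anycast SID
    routes: dict                                  # SID -> next hops in IGP preference order
    policies: dict = field(default_factory=dict)  # binding SID -> SR-TE segment list
    services: dict = field(default_factory=dict)  # service label -> PW / VRF it selects


# Metro1 (A, GW11, GW12), core (C1-C3 is the low-latency path, C2 the IGP-best one),
# Metro2 (GW21, GW22, B).  Each node only knows SIDs of its own IGP domain(s):
# A never learns core SIDs, which is exactly what the binding SID hides from it.
NODES = {
    "A":    Node("A", {16011}, {1001: ["GW11", "GW12"]}),
    "GW11": Node("GW11", {16021, 1001}, {16031: ["C1"], 16032: ["C2"], 1002: ["C2", "C1"]},
                 policies={16888: [16031, 16033, 1002]}),
    "GW12": Node("GW12", {16022, 1001}, {16031: ["C1"], 16032: ["C2"], 1002: ["C2", "C1"]},
                 policies={16888: [16031, 16033, 1002]}),
    "C1":   Node("C1", {16031}, {16033: ["C3"], 1002: ["C3"], 1001: ["GW11", "GW12"]}),
    "C3":   Node("C3", {16033}, {1002: ["GW21", "GW22"], 1001: ["C1"]}),
    "C2":   Node("C2", {16032}, {1002: ["GW21", "GW22"], 1001: ["GW11", "GW12"]}),
    "GW21": Node("GW21", {16041, 1002}, {16012: ["B"]}),
    "GW22": Node("GW22", {16042, 1002}, {16012: ["B"]}),
    "B":    Node("B", {16012}, {1002: ["GW21", "GW22"]}, services={123: "PW-123"}),
}


def forward(nodes, start, stack, failed=frozenset()):
    """Carry `stack` from `start` hop by hop.  Returns (path, deepest_stack, service)."""
    stack, node, path, deepest = list(stack), start, [start], len(stack)
    for _ in range(64):                                   # hop budget: catches loops
        if not stack:
            return path, deepest, None                    # delivered as plain IP
        n, top = nodes[node], stack[0]
        if top in n.policies:                             # binding SID: push the policy's segments
            stack = n.policies[top] + stack[1:]
            deepest = max(deepest, len(stack))
        elif top in n.services:                           # service label at the egress
            return path, deepest, n.services[top]
        elif top in n.owned:                              # our own node/anycast SID: pop
            stack.pop(0)
        else:                                             # transit: IGP next hop for this SID
            hops = [h for h in n.routes.get(top, []) if h not in failed]
            if not hops:
                raise LookupError(f"{node} has no route for SID {top}")
            node = hops[0]
            path.append(node)
    raise RuntimeError("hop budget exhausted; forwarding loop?")
```

Three things fall out of running it: the access node's stack is four labels while the expanded stack is five, so the deep stack only exists past the gateway; failing GW11 sends 1001 to GW12, which holds the same binding SID, so the access node's stack needs no change; and imposing the core SID 16031 directly at A fails with a lookup error because A's IGP never learns core SIDs, which is why the binding SID is needed for inter-domain TE.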
ACE Service Architecture: Unified VPN Service Model
Unified VPN simple service model
• P2P L2VPN: static PW provisioned by NSO
• MP L2VPN: static PW within the domain, EVPN between domains
• L3VPN: centralized on the GW node using a PWHE virtual interface
[Diagram: access A and B, aggregation and core, with GW1 and GW2 at the boundaries; a PW per domain, PWHE at the gateways, EVPN across the core for MP L2VPN, IP-VPN for L3VPN; NSO performs the VPN service provisioning]
Automate Service Provisioning through SDN
[Diagram: service nodes A and Z (each with a VRF and a static PW label) across transport nodes B, C, M, N, O, D, P; a CE on each side; the SP’s OSS/BSS drives the controller’s service provisioning through open APIs]
§ The label stack between service nodes is provided through Segment Routing
§ The SDN controller pushes static service labels on the end nodes through e.g. NETCONF/YANG; optionally, stitching may be used on the mid-nodes
§ Service nodes implement the forwarding service (L3 or L2 based), distributed or centralized
Controller service provisioning (automation through open APIs):
Node   Anycast GW
A      101
Z      101
Service   Label
PW-123    123
PW-234    234
Optimize Infrastructure with SDN: WAE Controller
[Diagram: nodes A, B, C, M, N, O, Z, D, P; one link marked FULL; path A to Z expressed as {66, 68, 65}]
§ An SDN controller such as WAN Automation Engine monitors and re-optimizes the infrastructure according to service provider business rules (e.g. link cost, delay)
§ The SDN controller modifies network flows instantaneously by pushing the label stack to the source node only
§ PCEP provides the programmatic interface to the source nodes, while BGP-LS provides network state to the controller
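The controller side, as an added example that is neither WAE nor PCE code: on a constructed nine-node grid whose IGP costs, utilisation figures and SIDs are all assumptions, the code prunes links whose utilisation crosses a threshold, runs CSPF from A to Z, and compresses the explicit path into the shortest SID list the IGP will follow exactly (a node SID wherever the sub-path is the unique IGP shortest path, an adjacency SID where it is not). Only the head-end receives the result; transit nodes keep no per-flow state. PCEP and BGP-LS themselves are not modelled; the function returns what the PCEP update would carry.

```python
"""Controller-side SR-TE: find a path that avoids congested links, then
compress it into a segment list that is pushed to the head-end only.

Added example for the WAE/PCEP slide.  The nine-node grid, IGP costs, SIDs
and utilisation figures are constructed assumptions; this is not WAE code.
"""
import heapq
from collections import defaultdict

# Symmetric IGP link costs on a grid using the slide's node letters.
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("A", "M"): 1, ("B", "N"): 1, ("C", "O"): 1,
         ("M", "N"): 3, ("N", "O"): 1, ("M", "Z"): 1, ("N", "D"): 1, ("O", "P"): 1,
         ("Z", "D"): 1, ("D", "P"): 1}
NODE_SID = {n: 16000 + i for i, n in enumerate("ABCMNOZDP", start=1)}
ADJ_SID = {("M", "N"): 24001, ("N", "M"): 24002}   # adjacency SIDs used below


def build_graph(links, avoid=frozenset()):
    """Adjacency map; links whose endpoint pair is in `avoid` are pruned."""
    g = defaultdict(dict)
    for (u, v), cost in links.items():
        if frozenset((u, v)) not in avoid:
            g[u][v] = g[v][u] = cost
    return g


def spf(g, src):
    """Dijkstra: (dist, prev, npaths); npaths[v] > 1 means IGP ECMP towards v."""
    dist, prev, npaths = {src: 0}, {}, defaultdict(int)
    npaths[src] = 1
    heap, done = [(0, src)], set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in g[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v], npaths[v] = d + cost, u, npaths[u]
                heapq.heappush(heap, (d + cost, v))
            elif d + cost == dist[v]:
                npaths[v] += npaths[u]
    return dist, prev, npaths


def cspf_path(g, src, dst):
    """Shortest path on the constrained (pruned) graph, as a node list."""
    dist, prev, _ = spf(g, src)
    if dst not in dist:
        raise LookupError(f"no path {src}->{dst} under the current constraints")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def encode_segments(g, path):
    """Shortest SID list that the IGP will follow exactly.  A node SID covers the
    longest sub-path that is the *unique* IGP shortest path; where even the next
    hop is not (ECMP or a non-shortest link), an adjacency SID pins that hop."""
    sids, i = [], 0
    while i < len(path) - 1:
        dist, _, npaths = spf(g, path[i])
        cost, best = 0, None
        for k in range(i + 1, len(path)):
            cost += g[path[k - 1]][path[k]]
            if cost != dist[path[k]] or npaths[path[k]] != 1:
                break
            best = k
        if best is None:
            sids.append(ADJ_SID[(path[i], path[i + 1])])
            i += 1
        else:
            sids.append(NODE_SID[path[best]])
            i = best
    return sids


def reoptimize(src, dst, utilisation, threshold=0.9):
    """What the controller hands to the head-end: the explicit path and its SID list."""
    congested = {frozenset(l) for l, u in utilisation.items() if u >= threshold}
    path = cspf_path(build_graph(LINKS, congested), src, dst)
    # Encode against the full IGP view: routers still see the congested link.
    return path, encode_segments(build_graph(LINKS), path)
```

With the grid as built, the unconstrained A to Z path is A-M-Z and needs a single segment, the node SID of Z. Marking A-M as full yields A-B-N-D-Z, encoded as [N, Z] rather than [Z]: D sits on two equal-cost paths from A, so a node SID of D would let the IGP hash some flows back onto the congested link. The M-N case shows the adjacency-SID fallback where the direct link ties with alternatives.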
From device-centric to network-as-platform
Now
• Orchestration: NSO; SDN controller: WAE
• Centralized service provisioning; works with existing network devices
• On device: minimal but sufficient (AN: Autonomic Networking; SR: Segment Routing; VPN services: EVPN + static PW)
Next: ACE Network-as-Platform
• Orchestration: NSO; SDN controller: XRv + ODL, WAE
• Network as platform, fully programmable
• Device is a PnP component
NSO: Network Service Orchestrator; WAE: WAN Automation Engine; ODL: OpenDaylight
Summary
§ SDN and NFV are evolving; Cisco is developing solutions based on open standards and market requirements
§ SDN and NFV cover all segments of the network
§ NFV is maturing, with many deployments in production
§ More development is needed in SDN solutions
§ IT engineers also need to evolve from hardware-centric to software-centric
§ Basic knowledge of IT (OS, network, hypervisor, etc.) is the foundation of SDN and NFV
§ Cisco provides a development portal for engineers: http://Devnet.cisco.com