cloudstack collab talk

37
Making a case for distributed overlay-based network virtualization Ben Cherian Chief Strategy Officer @bencherian Midokura

Upload: midokura

Post on 12-May-2015

810 views

Category:

Technology


0 download

DESCRIPTION

Making a case for network virtualization

TRANSCRIPT

Page 1: Cloudstack collab talk

Making a case for distributed overlay-

based network virtualization

Ben CherianChief Strategy Officer@bencherianMidokura

Page 2: Cloudstack collab talk

So, you’re building a cloud?

Page 3: Cloudstack collab talk

Requirements

Page 4: Cloudstack collab talk

Horizontal scaling

1 2 3 4 5

1 New1

vs

Page 5: Cloudstack collab talk

Building blocks of an IaaS cloud

Page 6: Cloudstack collab talk

Cloud management system

Page 7: Cloudstack collab talk

Compute

Page 8: Cloudstack collab talk

Storage

Page 9: Cloudstack collab talk

Networking

Page 10: Cloudstack collab talk

Traditional networking devices scale up

Page 11: Cloudstack collab talk

Service interruptions

Page 12: Cloudstack collab talk

High churn, micro granularity

Page 13: Cloudstack collab talk

Limitations of VLANs

Page 14: Cloudstack collab talk

Traffic trombones

Page 15: Cloudstack collab talk

Human costs don’t scale

Page 16: Cloudstack collab talk

Additional Requirements

Page 17: Cloudstack collab talk

• ACLs• Stateful (L4) Firewall

Security Groups

• VPN IPSec

• BGP gateway• REST API• Integration with CMS

CloudStack OpenStack

• Multi-tenancy• L2 isolation• L3 routing

isolation VPC Like VRF (virtual

routing and forwarding)

• Scalable control plane

ARP, DHCP, ICMP

• NAT (Floating IP)

IaaS Cloud Networking Requirements

Page 18: Cloudstack collab talk

Typical Network Topology

IaaS Cloud Networking Requirements

Page 19: Cloudstack collab talk

Solution: Distributed overlay-based network virtualization

Page 20: Cloudstack collab talk

Use encapsulation to build a virtual network

Page 21: Cloudstack collab talk

Handle network intelligence / network state at the edge

Page 22: Cloudstack collab talk

Require less of the physical network

Page 23: Cloudstack collab talk

• Isolation not using VLANs IP encapsulation

• Decouple from physical network• Provisioning VM doesn’t change underlay

state• Underlay delivers to destination host IP• Use scalable IGP (iBGP, OSPF) to build multi-

path underlay• Inspired by VL2 from MSR

Edge to Edge IP Overlays

Page 24: Cloudstack collab talk

• Packet processing on x86 CPUs (at edge)– Intel DPDK facilitates packet processing– Number of cores in servers increasing fast

• Clos Networks (for underlay)– Spine and Leaf architecture with IP– Economical and high E-W bandwidth

• Merchant silicon (cheap IP switches)– Broadcom, Intel (Fulcrum Micro), Marvell– ODMs (Quanta, Accton) starting to sell directly– Switches are becoming just like Linux servers

• Optical intra-DC Networks

Market trends supporting overlay model

Page 25: Cloudstack collab talk

• Virtual L2 Distributed Switching

• Virtual L2 Isolation

• Virtual L3 Distributed Routing

• Virtual L3 Isolation

• L4 Services (Load Balancing, Firewall)

• NAT

• Access Control Lists (ACLs)

• Virtual port and device monitoring

• Restful API

• Web based management control panel

The MidoNet Solution

Page 26: Cloudstack collab talk

Logical Topology

Private IP Network

MN

MN

MN

Internet

BGPMulti

Homing

Physical Topology

MNVM

VM

MNVM

VM

MNVM

VM

BGPTo ISP3

BGPTo ISP2

BGPTo ISP1

vPort

ProviderVirtualRouter

Tenant AVirtualRouter

Tenant BVirtualRouter

VirtualSwitch A1

VirtualSwitch A2

VirtualSwitch B1

vPort

vPort

vPort

vPort

vPort

Network State Database

MN MN MN

Tunnel

The MidoNet Solution

Page 27: Cloudstack collab talk

• Distributed and scalable control plane Handle all control packets at local MidoNet agent

adjacent to VM

• Scalable and fault tolerant central database Stores virtual network configuration Dynamic network state

MAC learning, ARP cache, etc Cached at edges on demand

• All packet modifications at ingress One virtual hop

No travel through middle boxes Drop at ingress

MN

Packet

Encapsulated

Tunnel

Drop/Block

Ingress

The MidoNet Solution

Page 28: Cloudstack collab talk

Scale out model

Page 29: Cloudstack collab talk

• Scalable edge gateway interface to external networks– Multihomed BGP to ISP

• REST API and GUI

• Integration with popular open source cloud stacks– OpenStack

• Removes SPOF of network node• Scalable and fault tolerant NAT for floating IP• Implements security groups efficiently

– CloudStack (in progress)

The MidoNet Solution

Page 30: Cloudstack collab talk

• Currently have L2 integration

• Full integration is slated for Q1, 2013– L3 isolation (without VM / appliance)– Security groups (stateful firewall)– Floating IP (NAT)– Load balancing (L4)

CloudStack integration

Page 31: Cloudstack collab talk

Questions?

Slides: http://www.slideshare.net/midokura

Page 32: Cloudstack collab talk

Backup slides

Page 33: Cloudstack collab talk

Candidate Models

• Traditional network

• Centrally controlled OpenFlow based hop-by-hop switching fabric

• Edge to edge overlays

Page 34: Cloudstack collab talk

Traditional Netowrk

• Ethernet VLANs for L2 isolation 4096 limit VLANs will have large spanning trees terminating on many hosts High churn in switch control planes doing MAC learning non-stop Need MLAG for L2 multi-path

Vendor specific

• MPLS VPN?• VRFs for L3 isolation

Not scalable to cloud scale Expensive hardware Not fault tolerant

Page 35: Cloudstack collab talk

OpenFlow Fabric

• State in switches Proportional to virtual network state Need to update all switches in path when

provisioning Not scalable, not fast enough to update, no

atomicity of updates

• Not good for IaaS cloud virtual networking

Page 36: Cloudstack collab talk

Spine and Leaf Network Architecture

Page 37: Cloudstack collab talk

Deep OpenStack Integration• Quantum Plugin

– L2 isolation, of course

• Also…– L3 isolation (without VM / appliance)– Security groups (stateful firewall)– Floating IP (NAT)– Load balancing (L4)

37