Neutron Advanced Services - Akanda - Astara 201 presentation


NEUTRON ADVANCED SERVICES

Eric Lopez (eric.lopez@akanda.io, @ericdlopez)

About Me

Sr. Solution Architect at Akanda Inc

Former Solution Architect @ VMware & Nicira

OpenStack Security Guide Co-Author

Where are we headed today?

Neutron Basics

Advanced Services: LBaaS, VPNaaS, FWaaS

Akanda, an Advanced Service Plugin

Neutron: Liberty and Beyond

NEUTRON BASICS

OSI Model

1 Physical Layer

2 Data Link Layer: ARP, Ethernet, VLAN

3 Network Layer: IPv4, IPv6, ICMP

4 Transport Layer: TCP, UDP

5 Session Layer

6 Presentation Layer

7 Application Layer: HTTP, DNS, etc.

OpenStack: What does the user see?

GUI, CLI, API Libs

Compute API (backed by, e.g., KVM)

Network API (backed by, e.g., the ML2 Plugin)

Storage API (backed by, e.g., Ceph)

Abstractions

Nova: virtual server, virtual interface (VIF)

Neutron: L2 virtual network, virtual subnet, virtual port

Figure: Net1 10.0.0.0/24 with VM1 (10.0.0.2) and VM2 (10.0.0.2) attached through their virtual ports

Using the API…

Figure: two tenants, each with its own router, reusing the same private address ranges

Tenant A: Net1 192.168.0.0/24, Net2 172.16.77.0/24; VM1 10.0.0.2, VM2 10.0.0.2 / 172.16.77.2, VM3 172.16.77.1

Tenant B: Net1 192.168.0.0/24, Net2 172.16.77.0/24; VM1 10.0.0.2, VM2 10.0.0.2 / 172.16.77.2, VM3 172.16.77.1

Public Net 10.0.0.0/8

Router (one per tenant)

Design Goals

Unified API

Small Core

Pluggable Open Architecture

Extensible

UNDER THE HOOD

OpenStack Reference Neutron

Figure: neutron-server with its Database and Message Queue; multiple L2 Agents, multiple L3 Agents, a DHCP Agent and the Adv Services agents attached over the queue

neutron-server

REST API SERVICE | RPC SERVICE | PLUGIN

Provides REST API Service

Manages Logical Models

Pluggable

Extensible

Plugin Extensions

Add logical resources to the REST API

Discovered by server at startup

REST: /v2.0/extensions

Common Extensions: Binding, DHCP, L3, Provider, Quota, Security Group

Other Extensions: Allowed Addresses, Extra Routes, Metering

BUILDING NETWORKS

Building Networks…

L2 vs L3

Tenant Isolation

GRE/VXLAN/GENEVE

VLAN

Photo: © Malcolm Leman | Dreamstime.com

Traditional L2 (802.1Q)

Aggregation tier must be HA

MLAG is vendor proprietary

Aggregate/Core Scalability: limited number available, MAC/ARP table limits

East/West Bottleneck

L3 Maximizes Connectivity

Figure: rows of hypervisors (HV) attached to an L3 fabric

Isolation via VXLAN

L2 encapsulated in L3

IP Fabrics Scale: reduces L2 size

ECMP (Equal Cost Multi-Path): each link active, predictable latency, better failure handling

What is BUM Traffic?

BROADCAST

UNKNOWN UNICAST

MULTICAST

Tunneling BUM Traffic

Figure: hosts A, B, C and D connected by tunnels

Tunneling BUM with L2 Population

Figure: the same hosts A, B, C and D with L2 population enabled
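The two figures only name hosts A to D, so here is an added simulation (my own example, not slide content and not Neutron's l2pop mechanism driver) of what a VXLAN tunnel endpoint does with BUM frames with and without L2 population. The MAC addresses, IPs and topology are constructed; the modelled behaviour (pre-populated forwarding entries plus a local ARP responder) is an assumption about how L2 population works that the deck itself does not spell out.

```python
"""Flood behaviour of a VXLAN tunnel endpoint (VTEP) for BUM traffic, with and
without L2 population. Added example, not Neutron's l2pop mechanism driver."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str = "data"               # "data" or "arp-request"
    target_ip: Optional[str] = None  # IP being resolved when kind == "arp-request"


@dataclass
class Vtep:
    name: str
    peers: Set[str]                                          # other VTEPs in the segment
    fdb: Dict[str, str] = field(default_factory=dict)        # remote MAC -> hosting VTEP
    arp_table: Dict[str, str] = field(default_factory=dict)  # IP -> MAC (ARP responder)
    l2pop: bool = False

    def forward(self, frame: Frame) -> List[str]:
        """Destinations for one frame: peer VTEP names, or a local marker when
        nothing is tunnelled at all."""
        # ARP responder: with l2pop the hypervisor answers ARP from its own table,
        # so the broadcast request never enters the overlay (assumed behaviour).
        if frame.kind == "arp-request" and self.l2pop and frame.target_ip in self.arp_table:
            return ["local-arp-reply"]
        # Broadcast and IPv4 multicast are replicated to every peer.
        if frame.dst_mac == BROADCAST or frame.dst_mac.startswith("01:00:5e"):
            return sorted(self.peers)
        owner = self.fdb.get(frame.dst_mac)
        if owner is None:
            return sorted(self.peers)   # unknown unicast: flood to all peers
        return [owner]                  # known unicast: a single tunnel copy


def populate(vteps: List[Vtep], placement: Dict[str, Tuple[str, str]]) -> None:
    """Model of L2 population: when a port is bound, the control plane pushes the
    (MAC -> VTEP) and (IP -> MAC) entries to every VTEP, so the tables are complete
    before any traffic is seen. placement maps MAC -> (ip, hosting VTEP name)."""
    for v in vteps:
        v.l2pop = True
        for mac, (ip, host) in placement.items():
            if host != v.name:
                v.fdb[mac] = host
            v.arp_table[ip] = mac


def tunnel_copies(vtep: Vtep, frames: List[Frame]) -> int:
    """Count the tunnel packets a VTEP emits for a list of frames."""
    return sum(1 for f in frames for d in vtep.forward(f) if d != "local-arp-reply")


def demo(l2pop: bool) -> int:
    """Constructed topology: VTEPs A-D, with VM MACs on B and C. Returns the
    number of tunnel copies VTEP A sends for four frames."""
    names = {"A", "B", "C", "D"}
    vteps = {n: Vtep(n, names - {n}) for n in names}
    placement = {"fa:16:3e:00:00:0b": ("10.0.0.2", "B"),   # constructed addresses
                 "fa:16:3e:00:00:0c": ("10.0.0.3", "C")}
    if l2pop:
        populate(list(vteps.values()), placement)
    frames = [
        Frame("fa:16:3e:00:00:0a", BROADCAST, "arp-request", "10.0.0.2"),
        Frame("fa:16:3e:00:00:0a", "fa:16:3e:00:00:0b"),
        Frame("fa:16:3e:00:00:0a", "fa:16:3e:00:00:0c"),
        Frame("fa:16:3e:00:00:0a", BROADCAST),   # e.g. a DHCP discover
    ]
    return tunnel_copies(vteps["A"], frames)


if __name__ == "__main__":
    print("without l2pop:", demo(False), "tunnel copies")   # 12
    print("with l2pop:   ", demo(True), "tunnel copies")    # 5
```

Without population, every unknown-unicast and ARP frame is replicated to all three peers, so four frames cost twelve tunnel packets; with population only the true broadcast still fans out, and the rest is answered locally or sent as one unicast copy.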

WHEN IS FLAT A GOOD IDEA?

LOAD BALANCING AS A SERVICE

Load Balancer as a Service

Tenant Provisioned Load Balancer Instances

New API (v2) Released in Kilo

Updated Logical Model

TLS Support (requires Barbican)

Octavia Project: http://octavia.io

LBaaS History

Folsom: Working Group

Grizzly: Experimental API

Havana: API

Icehouse: Stability Improvements

Juno: v2 Working Group

Kilo: API v2

LBaaS Data Model

Logical Model renders on service provider

Least Common Denominator: extra features require extensions

Figure: Load Balancer → Listener → Pool(s)

Load Balancer Model

VIP Port

Provider

Listener Model

Protocol: HTTP, HTTPS, TCP

Port

Default Pool

TLS Information

Pool Model

Session Persistence

Algorithm

Member Set

Health Monitor Set

Member Model

Address

Port

Weight

Subnet

Health Monitor Model

Type

Timeout

Delay

For HTTP: Method, Response Code

Barbican

Provides secure storage, provisioning and management of secret data

Pluggable crypto components: KMIP, HSM

Load Balancer as a Service
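The model slides list the attributes of each LBaaS v2 object but not how they interact. The following is an added example (my own code, not Neutron LBaaS or Octavia) that wires them together: an HTTP health monitor decides which members are up, the pool picks among healthy members by weight, and a TLS-terminating listener is refused unless it carries a Barbican container reference. The protocol value TERMINATED_HTTPS, the field name tls_container_ref and the timeout-not-above-delay check are from my knowledge of LBaaS v2 rather than from the deck; all addresses and weights are constructed.

```python
"""LBaaS v2-style logical model with HTTP health monitoring and smooth weighted
round-robin member selection. Added example; not Neutron/Octavia code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_expected_codes(spec: str) -> set:
    """Expand a health-monitor expected-codes string such as "200,204,300-302"."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        elif part:
            codes.add(int(part))
    return codes


@dataclass
class HealthMonitor:
    type: str                    # "HTTP" or "TCP"
    delay: int                   # seconds between probes
    timeout: int                 # seconds to wait for a reply
    http_method: str = "GET"     # HTTP monitors only
    expected_codes: str = "200"  # HTTP monitors only

    def __post_init__(self):
        # Assumed sanity check: a probe must finish before the next one starts.
        if self.timeout > self.delay:
            raise ValueError("health monitor timeout must not exceed its delay")

    def passes(self, status_code: Optional[int]) -> bool:
        """None models a probe that timed out or could not connect."""
        if status_code is None:
            return False
        if self.type == "HTTP":
            return status_code in parse_expected_codes(self.expected_codes)
        return True  # TCP monitor: a completed connection is a pass


@dataclass
class Member:
    address: str
    port: int
    weight: int = 1
    subnet: str = ""
    healthy: bool = True
    _current: int = field(default=0, repr=False)  # running score for smooth WRR


@dataclass
class Pool:
    algorithm: str = "ROUND_ROBIN"
    session_persistence: Optional[str] = None
    members: List[Member] = field(default_factory=list)
    health_monitor: Optional[HealthMonitor] = None

    def run_health_checks(self, probe_results: Dict[str, Optional[int]]) -> List[str]:
        """probe_results maps member address -> observed status (None = no reply).
        Marks each member up or down and returns the addresses taken out of rotation."""
        down = []
        if self.health_monitor is None:
            return down
        for m in self.members:
            m.healthy = self.health_monitor.passes(probe_results.get(m.address))
            if not m.healthy:
                down.append(m.address)
        return down

    def select_member(self) -> Optional[Member]:
        """Smooth weighted round-robin over healthy members: every candidate gains
        its weight, the highest score is chosen and pays back the total."""
        candidates = [m for m in self.members if m.healthy and m.weight > 0]
        if not candidates:
            return None
        total = sum(m.weight for m in candidates)
        for m in candidates:
            m._current += m.weight
        best = max(candidates, key=lambda m: m._current)  # first max wins ties
        best._current -= total
        return best


@dataclass
class Listener:
    protocol: str   # "HTTP", "HTTPS", "TCP" or "TERMINATED_HTTPS"
    port: int
    default_pool: Optional[Pool] = None
    tls_container_ref: Optional[str] = None  # Barbican container URL (assumed field name)

    def validate(self) -> None:
        if self.protocol == "TERMINATED_HTTPS" and not self.tls_container_ref:
            raise ValueError("a TLS-terminating listener needs a Barbican certificate container")
        if not 1 <= self.port <= 65535:
            raise ValueError("listener port out of range")


@dataclass
class LoadBalancer:
    vip_address: str
    provider: str
    listeners: List[Listener] = field(default_factory=list)


def build_example() -> LoadBalancer:
    """Constructed sample: one TLS listener, one pool with three weighted members."""
    monitor = HealthMonitor("HTTP", delay=5, timeout=3, expected_codes="200,204")
    pool = Pool(health_monitor=monitor, members=[
        Member("10.0.0.11", 80, weight=3, subnet="10.0.0.0/24"),
        Member("10.0.0.12", 80, weight=1, subnet="10.0.0.0/24"),
        Member("10.0.0.13", 80, weight=2, subnet="10.0.0.0/24"),
    ])
    listener = Listener("TERMINATED_HTTPS", 443, pool,
                        tls_container_ref="https://barbican.example/v1/containers/PLACEHOLDER-ID")
    listener.validate()
    return LoadBalancer("203.0.113.10", "octavia", [listener])


def dispatch(lb: LoadBalancer, probe_results: Dict[str, Optional[int]], requests: int) -> Dict[str, int]:
    """Run one health-check round, then count how many requests each member receives."""
    pool = lb.listeners[0].default_pool
    pool.run_health_checks(probe_results)
    counts: Dict[str, int] = {}
    for _ in range(requests):
        m = pool.select_member()
        if m is None:
            break
        counts[m.address] = counts.get(m.address, 0) + 1
    return counts


if __name__ == "__main__":
    probes = {"10.0.0.11": 200, "10.0.0.12": 204, "10.0.0.13": 503}
    print(dispatch(build_example(), probes, 8))   # {'10.0.0.11': 6, '10.0.0.12': 2}
```

With member .13 failing its probe, eight requests split 6:2 between the remaining members in proportion to their 3:1 weights, and a pool whose every member fails returns nothing rather than sending traffic to a dead backend.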

NEUTRON ADVANCED SERVICES

Firewall as a Service

Tenant Provisioned Edge Firewall

Logically at the edge; in reality it may be anywhere in the data path

API still deprecated; will be replaced in Mitaka

Security Groups

Logically Protect VIF

Allow East/West Filtering

Based on Whitelist

VMs with multiple groups per VIF

Ingress/Egress Rules

Different from AWS
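To make the whitelist and multiple-groups-per-VIF points concrete, here is an added example (my own code, not Neutron's security group implementation) that evaluates constructed flows against a set of groups bound to one VIF. Rule fields follow the Neutron attribute names I know (direction, protocol, port range, remote_ip_prefix); matching on remote_group_id is left out, and every group, address and flow below is constructed.

```python
"""Whitelist evaluation of Neutron-style security group rules on one VIF.
Added example; not Neutron's own implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" (toward the VIF) or "egress" (from it)
    protocol: Optional[str] = None       # "tcp", "udp", "icmp"; None = any protocol
    port_min: Optional[int] = None       # None = any port
    port_max: Optional[int] = None       # None = same as port_min
    remote_ip_prefix: str = "0.0.0.0/0"  # CIDR the remote end must fall in

    def matches(self, direction: str, protocol: str, port: Optional[int], remote_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if port is None or not self.port_min <= port <= hi:
                return False
        try:
            return ip_address(remote_ip) in ip_network(self.remote_ip_prefix)
        except ValueError:
            return False  # a malformed address never matches a whitelist entry


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


Flow = Tuple[str, str, Optional[int], str]  # (direction, protocol, port, remote_ip)


def is_allowed(vif_groups: List[SecurityGroup], direction: str, protocol: str,
               port: Optional[int], remote_ip: str) -> bool:
    """Whitelist semantics: a flow passes only if some rule in some group attached to
    the VIF matches it. There are no deny rules, so binding a second group can only
    widen what is allowed, never narrow it; everything unmatched is dropped."""
    return any(rule.matches(direction, protocol, port, remote_ip)
               for group in vif_groups for rule in group.rules)


def decide(vif_groups: List[SecurityGroup], flows: List[Flow]) -> List[Tuple[Flow, bool]]:
    """Evaluate a list of flows against the groups bound to one VIF."""
    return [(flow, is_allowed(vif_groups, *flow)) for flow in flows]


# Constructed sample groups (not taken from any real deployment)
DEFAULT = SecurityGroup("default", [Rule("egress")])  # all egress, no ingress
WEB = SecurityGroup("web", [Rule("ingress", "tcp", 80),
                            Rule("ingress", "tcp", 443)])
ADMIN_SSH = SecurityGroup("admin-ssh", [Rule("ingress", "tcp", 22, 22, "192.168.0.0/24")])

SAMPLE_FLOWS: List[Flow] = [
    ("ingress", "tcp", 80, "203.0.113.5"),
    ("ingress", "tcp", 22, "203.0.113.5"),
    ("ingress", "tcp", 22, "192.168.0.10"),
    ("ingress", "udp", 53, "203.0.113.5"),
    ("ingress", "icmp", None, "192.168.0.10"),
    ("egress", "tcp", 5432, "10.0.0.40"),
]

if __name__ == "__main__":
    for flow, ok in decide([DEFAULT, WEB, ADMIN_SSH], SAMPLE_FLOWS):
        print("ALLOW" if ok else "DROP ", flow)
```

The same SSH flow from 192.168.0.10 is dropped on a VIF that carries only the default and web groups and allowed once admin-ssh is added, which is the practical meaning of "VMs with multiple groups per VIF": each extra group adds permissions, so reviewing a port's exposure means reviewing the union of all its groups.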

LOOKING AHEAD

OpenStack’s Big Tent

Open Design

Open Development

Open Community

Open Source

The Neutron Stadium

Common Forum

Improved Consistency

Shared Governance

Neutron: Liberty

QoS Plugin Model - Extension and API

LBaaS v2

IPv6 Prefix Delegation

IPAM pluggable model framework

Network RBAC

Paying Down Technical Debt

Photo: Liberty, Saskatchewan, by Canadian2006 (CC-by-sa-3.0), commons.wikimedia.org/w/index.php?title=User:Canadian2006&action=edit&redlink=1

Service Function Chaining

Forwarding Graph of Functions, i.e. Firewall > Router > Load Balancer

Some SDNs support SFC today

Classification rules used to steer traffic

Figure: Source → Classifier → LB, FW, QoS, Cache → Dest

INTRODUCING ASTARA

Astara Core Developer Team

Mark McClain (IRC: markmcclain): Co-Founder/CTO at Akanda Inc; OpenStack Technical Committee Member; Former OpenStack Networking PTL

Ryan Petrello (IRC: ryanpetrello): Senior Developer at Dreamhost; OpenStack Contributor since 2012

Adam Gandelman (IRC: adam_g): OpenStack Astara PTL; Senior Developer at Akanda Inc; OpenStack Stable Branch Maintenance Team Member; Former OpenStack Developer at Canonical and HP

David Lenwell (IRC: davidlenwell): Senior Developer at Akanda Inc; OpenStack RefStack Technical Project Lead; Former OpenStack Developer at Piston, HP, and Bluebook

Core Astara Principles

Simple

Compatible

Open Development (Apache v2)

Reference Neutron

Figure: neutron-server with its Database and Message Queue; multiple L2 Agents, multiple L3 Agents, a DHCP Agent and the Adv Services agents attached over the queue

Neutron+Astara

Figure: neutron-server with its Database and Message Queue; multiple L2 Agents plus the Astara L2 Agent. Compared with the reference figure, no separate L3 Agent, DHCP Agent or Adv Services boxes appear.

THE RUG

“REALLY TIED THE ROOM TOGETHER”

The Rug

Control Plane Orchestration

Logically Centralized

Pluggable Drivers

Multi-Process/Multi-Threaded

Utilizes standard APIs/interfaces for Neutron, Nova, Glance and Ceilometer

Astara Architecture

Figure, top to bottom:

OpenStack APIs: Nova, Neutron

Astara Management/Orchestration

Astara Adv Services: Routing/LB/FW

Astara L2 Agnostic Overlay Support

Physical Network (L2): Open (OVS/Linux Bridge) or Proprietary

Neutron Reference

Figure: rows of hypervisors (HV) plus two Network Nodes

Astara

Figure: rows of hypervisors (HV) only, with no separate network nodes

or with containers

Figure: rows of hypervisors (HV) with rows of containers (C) between them

Astara Project

Get the source: https://github.com/openstack/astara

Project status and tarballs: https://launchpad.net/astara

Documentation: http://docs.akanda.io

IRC: #openstack-astara on freenode.net

THANK YOU

Astara Liberty Feature Release

HA orchestration daemon

Service Appliance Pool Resourcing

LBaaS v2 support

QUESTIONS?
