Dharma Rajan, Philip Kippen
FUT1643BU
#VMworld #FUT1643BU
An Introduction to Service Function Chaining for Network Function Virtualization
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#FUT1634BU CONFIDENTIAL
Agenda
#FUT1634BU CONFIDENTIAL 3
1 Introduction to Service Function Chaining (SFC)
2 SFC Architectural Models
3 SFC In vCloud NFV Today Using NSX
4 Future Direction
5 Q&A
What is Service Function Chaining?
Service functions shown: Deep Packet Inspection, Access Control, NAT, L2 Switching, L3 Routing, QoS. Should every packet have every service applied to it inline?
Service Function Chaining (SFC): instantiation of an ordered set of service functions and subsequent "steering" of traffic through them.
[Diagram: a physical firewall and physical router compared with virtual service functions (vFW, vRouter, vNAT, vDPI) running on a virtualization layer over x86 hardware]
Traditional Network – Inefficiency in Service Functions
• Fixed service chains
• Complex scale-out architecture
• Limited visibility for troubleshooting
• Policy enforcement challenges
Policy-based routing and box-to-box cabling using
[Diagram labels: Rules, SLAs, Actions, QoS, Security, L4-L7]
Why is SFC Important for Enterprise and Service Providers?
Network Functions Virtualization (NFV) is driving SFC use cases.
Customer need: speed / agility / security / multitenancy / topology and location independence
Expectation:
• SFC based on metadata information for L2 to L7 services
• Dynamic SFC modification based on changes to metadata
• Orchestration and automation
vCPE – Virtual Customer Premises Equipment
SD-WAN – Software Defined Wide Area Network
vEPC – Virtual Evolved Packet Core
VNF – Virtual Network Function
[Diagram: VNFs in the vEPC Gi-LAN and vCPE use cases: WAN optimizer, traffic shaping, protocol proxy, SD-WAN, TCP optimization, lawful intercept, HTTP header enrichment, caching, DHCP, NGFW, policy, CGNAT, DDoS, parental control, content filtering, router, ad insertion, IDS, IPS, VPN, LB, AV, DPI]
Dynamic SFC Architecture
[Diagram: Management Plane, Control Plane and Data Plane serving Enterprise A and Enterprise B; components shown: Orchestration / Automation, SFC Controller, Topology Server, Classifier, Service Function Forwarder, NAT, FW, LB, DPI, Public Cloud Access, Dynamic Redirection]
Simple and Nested SFC
[Diagram: a Simple VNF SFC and a Nested VNF SFC, each entered through a Classifier and built from VNF 1 to VNF 5; legend: Metadata Redirect, Dropped Packet]
Efficient SFC design and orchestration is paramount for success.
SFC Implementation Model – Network Service Header (NSH)
[Diagram: NSH base header (64-bit) followed by four 32-bit context headers (Network Platform, Service Platform, Network Shared, Services Shared) carrying opaque metadata. Packet layout: Original Header (Layer 2, e.g. Ethernet) | Service Chain Header (Network Service Header) | User Payload (Layer 3)]
Further reading: RFC 7665 – SFC Architecture
Requirements:
• Need NSH-aware network switches
• VNFs need to understand NSH
• NSH protocol support and an additional new header
– Adds 24 bytes per packet that will use SFC
Challenges:
• Additional packet processing overhead
• No state management, security
• Need a services topology layer built
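As an added example (not code from the deck), the following Python packs and parses an NSH in its MD Type 1 form, the fixed four-context-header layout the slide draws, showing the 24 bytes of overhead and the per-hop Service Index decrement. The bit layout is assumed from RFC 8300 (the slide cites RFC 7665 for the architecture only); constant names and the sample values are this example's own.

```python
import struct

NSH_MD_TYPE_1 = 1
NSH_LEN_WORDS = 6              # base (1) + service path (1) + four context words (4)
NSH_BYTES = NSH_LEN_WORDS * 4  # the 24 bytes of per-packet overhead the slide quotes
NP_ETHERNET = 0x3              # Next Protocol: the encapsulated packet is an Ethernet frame

def pack_nsh(spi, si, ctx, next_proto=NP_ETHERNET, ttl=63):
    """Serialize an MD Type 1 NSH: spi is the 24-bit Service Path Identifier, si the
    8-bit Service Index, ctx the four 32-bit context headers (the slide's Network
    Platform, Service Platform, Network Shared and Services Shared words)."""
    if not (0 <= spi < 1 << 24 and 0 < si < 256 and len(ctx) == 4):
        raise ValueError("invalid SPI, SI or context headers")
    # Base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)
    word0 = (ttl & 0x3F) << 22 | NSH_LEN_WORDS << 16 | NSH_MD_TYPE_1 << 8 | next_proto
    word1 = spi << 8 | si  # service path header
    return struct.pack("!6I", word0, word1, *ctx)

def parse_nsh(buf):
    """Decode the fixed 24-byte header and reject anything that is not MD Type 1."""
    if len(buf) < NSH_BYTES:
        raise ValueError("truncated NSH")
    word0, word1, *ctx = struct.unpack("!6I", buf[:NSH_BYTES])
    hdr = {"ver": word0 >> 30, "ttl": (word0 >> 22) & 0x3F,
           "length": (word0 >> 16) & 0x3F, "md_type": (word0 >> 8) & 0xF,
           "next_proto": word0 & 0xFF, "spi": word1 >> 8, "si": word1 & 0xFF,
           "ctx": tuple(ctx)}
    if hdr["md_type"] != NSH_MD_TYPE_1 or hdr["length"] != NSH_LEN_WORDS:
        raise ValueError("unsupported NSH MD type or length")
    return hdr

def next_hop(packet):
    """One hop through the chain: the service function decrements SI and the forwarder
    decrements TTL. Returns the rewritten packet, or None when it must be dropped
    because the chain is exhausted (SI reaches 0) or the TTL expired."""
    hdr = parse_nsh(packet)
    si, ttl = hdr["si"] - 1, hdr["ttl"] - 1
    if si == 0 or ttl == 0:
        return None
    return pack_nsh(hdr["spi"], si, hdr["ctx"], hdr["next_proto"], ttl) + packet[NSH_BYTES:]
```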
SFC Implementation Model – VLAN-Based Q-in-Q Encoding
• A simpler alternative, and an efficient method to do SFC without NSH
• Meets all known use cases
– Uses two VLAN-IDs: one for the service chain ID and the other for metadata encapsulation
– Creates a services plane using 802.1Q and 802.1ad Q-in-Q encoding
[Diagram: each VLAN tag is 32 bits: Tag Protocol ID (16 bits) and TCI (16 bits: PCP 3 bits, DEI 1 bit, VID 12 bits). VIDs 0x000, 0x001 and 0xFFF (4095) are reserved; 0x002 to 0xFFE (4094) are usable. The two tags carry: Service Chain ID (12 bits), Traffic Class (3 bits), Application / User Classification (9 bits, 511 applications).]
PCP – Priority Code Point
DEI – Drop Eligibility Indicator
VID – VLAN Identifier
TCI – Tag Control Information
SFC Using VLAN-Based Q-in-Q Encoding
Advantages:
• Use of virtual network topology for SFC
• Uses IEEE 802.1ad standard
• No Ethernet frame overhead
• Ability to change the forwarding route on the service chain ID
• Supports dynamic SFC
• Works for any SDN overlay solution
– OpenContrail
– Nuage Networks
– VMware NSX®, and so forth
VLAN-ID allocation by traffic type:
Traffic Type   VLAN-ID Start   VLAN-ID End
Web Traffic    100             200
Video          201             300
SSH            301             400
SSL            401             500
Voice          501             600
Signaling      601             700
Routing        701             800
QoS            801             900
Application    1901            2000
Future Use     2001            4094
Web Traffic VLAN-IDs: 100 – Direct traffic, 101 – Referral traffic, 102 – Organic traffic, 103 – HTTP, 104 – HTTPS, …, 200 – Unknown
QoS VLAN-IDs: 801 – Sensitive traffic, 802 – Best-effort traffic, 803 – Undesired traffic, 804 – Social traffic, 805 – Parental control, …, 900 – Unknown
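As an added example covering both the Q-in-Q tag layout and the VLAN-ID table above (this is not code from the deck), the Python below builds and parses a frame with the slide's allocation: the 802.1ad S-tag VID carries the service chain ID, and the 802.1Q C-tag carries the traffic class in PCP and the classification VLAN-ID in VID. The slide does not say where its 9-bit application field sits inside the 12-bit VID, so this example uses the whole C-tag VID as the classification value; the TPIDs are the standard 0x88A8 and 0x8100, and the sample frame is constructed.

```python
import struct

TPID_SERVICE = 0x88A8    # 802.1ad S-tag: its VID carries the service chain ID
TPID_CUSTOMER = 0x8100   # 802.1Q C-tag: PCP = traffic class, VID = classification
ETHERTYPE_IPV4 = 0x0800

# VLAN-ID ranges of the metadata tag, as tabulated on the slide (901 to 1900 are not allocated there).
TRAFFIC_TYPE_RANGES = [
    ("Web Traffic", 100, 200), ("Video", 201, 300), ("SSH", 301, 400),
    ("SSL", 401, 500), ("Voice", 501, 600), ("Signaling", 601, 700),
    ("Routing", 701, 800), ("QoS", 801, 900), ("Application", 1901, 2000),
    ("Future Use", 2001, 4094),
]

def traffic_type(vid):
    """Map a classification VLAN-ID to its traffic type, or None if unallocated."""
    for name, lo, hi in TRAFFIC_TYPE_RANGES:
        if lo <= vid <= hi:
            return name
    return None

def tci(pcp, dei, vid):
    """Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    Rejects the reserved VIDs 0x000, 0x001 and 0xFFF listed on the slide."""
    if not (0 <= pcp < 8 and dei in (0, 1) and 0x002 <= vid <= 0xFFE):
        raise ValueError("PCP/DEI out of range or reserved VID")
    return pcp << 13 | dei << 12 | vid

def build_sfc_frame(dst_mac, src_mac, chain_id, traffic_class, classification, payload):
    """Ethernet frame: MACs, S-tag (chain ID), C-tag (class + classification), IPv4 payload."""
    tags = struct.pack("!HHHH", TPID_SERVICE, tci(0, 0, chain_id),
                       TPID_CUSTOMER, tci(traffic_class, 0, classification))
    return dst_mac + src_mac + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload

def decode_sfc_frame(frame):
    """Return (chain_id, traffic_class, classification, traffic_type) for a Q-in-Q SFC frame."""
    if len(frame) < 22:
        raise ValueError("frame too short for two tags and an EtherType")
    s_tpid, s_tci, c_tpid, c_tci = struct.unpack("!HHHH", frame[12:20])
    if s_tpid != TPID_SERVICE or c_tpid != TPID_CUSTOMER:
        raise ValueError("not a Q-in-Q SFC frame")
    chain_id = s_tci & 0xFFF
    traffic_class, classification = c_tci >> 13, c_tci & 0xFFF
    return chain_id, traffic_class, classification, traffic_type(classification)

# Constructed sample: chain 42, traffic class 5, classification 104 (HTTPS in the slide's table).
SAMPLE_FRAME = build_sfc_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                               42, 5, 104, b"\x45" + b"\x00" * 19)
```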
Some Terminology
NSH – Network Service Header: a protocol
NFV – Network Function Virtualization: an industry term
NSX – Network Virtualization: a VMware product
VMware vCloud NFV Platform
vCloud NFV – A Modular NFVI Platform To Support SFC
[Diagram: NFVI built from vSphere (Compute), vSAN (Storage) and NSX (Networking); VIM: vCloud Director, VMware Integrated OpenStack; NFVI Operations / Analytics: vRealize Operations, vRealize Log Insight, vRealize Network Insight; multi-vendor VNFs, each with its EMS, under OSS/BSS, the NFV Orchestrator (NFVO) and VNF-M; multi-vendor VNF support and an ecosystem of partners]
Some vendor-specific SFC exists today at the VNF level.
Target: SFC at infrastructure level to support multi-vendor VNFs for all services.
Support Today in NSX
[Diagram: on the VDS, a Guest VM's traffic passes through DvFilter slots: DFW in slot 2, the Traffic Redirection Module in slot 4 and a Filtering Module in slot 5, which steer traffic to Partner Service 1 VM and Partner Service 2 VM]
• "Semi-dynamic" service chaining
• Policy rule based
• Selective steering
Security Policy: services inserted into the traffic flow and chained together
– Guest Introspection Services: antivirus or vulnerability management
– Network Introspection Services: IDS / IPS, IPS and forensics
• Supports integrated third-party VNFs with NetX
• Number of VNFs limited to 8
• Assign unique service chain for different VMs
An Innovative New Approach for SFC
• Build general topologies at L2 and L3
• Extend DvFilter and NetX functionality of NSX
• Dynamic policy-based routing and classification
Benefits:
• Leverage existing NSX overlay network
• No new service topology
• No new network header
• Will work with VXLAN, STT, GENEVE
• Support for orchestration
• NetX API and REST API
[Diagram: a Distributed Logical Router connects logical switches LS1 to LS4, one VNF on each: VNF1 1.1.1.2 (DLR interface 1.1.1.1), VNF2 2.2.2.2 (2.2.2.1), VNF3 3.3.3.2 (3.3.3.1), VNF4 4.4.4.2 (4.4.4.1). NSX-M installs the chain policy on each VNF's ingress port; the policy is passed to the egress port together with the next hop.]
Policy installed on the ingress port of each VNF:
VNF    Previous hop   Next hop
VNF1   NULL           2.2.2.2
VNF2   1.1.1.2        3.3.3.2
VNF3   2.2.2.2        4.4.4.2
VNF4   3.3.3.2        NULL
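As an added example (not NSX code and not from the deck), the Python below derives the per-VNF ingress policies shown on the slide from an ordered chain, walks them the way a forwarder would, and checks them for the previous-hop/next-hop symmetry a correctly installed chain must have, so a stale or edited policy shows up before traffic is misrouted or bypasses a VNF. The chain, its addresses and the function names are constructed to mirror the slide's figure.

```python
NULL = None  # the slide's NULL next/previous hop at the ends of the chain

# Constructed chain mirroring the slide's addressing: (VNF name, VNF interface IP).
CHAIN = [("VNF1", "1.1.1.2"), ("VNF2", "2.2.2.2"),
         ("VNF3", "3.3.3.2"), ("VNF4", "4.4.4.2")]

def build_policies(chain):
    """Return {vnf: {"ip", "prev", "next"}}: each VNF's ingress-port policy names
    the hop the packet must have come from and the hop it is forwarded to."""
    ips = [ip for _, ip in chain]
    return {name: {"ip": ip,
                   "prev": ips[i - 1] if i > 0 else NULL,
                   "next": ips[i + 1] if i + 1 < len(ips) else NULL}
            for i, (name, ip) in enumerate(chain)}

def walk(policies, first_ip):
    """Follow next hops from the first VNF and return the VNF names in order.
    Raises if a next hop has no installed policy or the chain loops back on itself."""
    by_ip = {p["ip"]: name for name, p in policies.items()}
    path, hop, seen = [], first_ip, set()
    while hop is not NULL:
        if hop not in by_ip:
            raise ValueError(f"next hop {hop} has no installed policy")
        if hop in seen:
            raise ValueError(f"chain loops back to {hop}")
        seen.add(hop)
        name = by_ip[hop]
        path.append(name)
        hop = policies[name]["next"]
    return path

def find_inconsistencies(policies):
    """A sound chain is symmetric: if A's next hop is B, then B's previous hop is A.
    Returns the VNF names whose next hop breaks that rule (a stale or edited policy)."""
    by_ip = {p["ip"]: p for p in policies.values()}
    bad = []
    for name, p in policies.items():
        nxt = p["next"]
        if nxt is not NULL and (nxt not in by_ip or by_ip[nxt]["prev"] != p["ip"]):
            bad.append(name)
    return bad
```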
Future Direction
[Diagram: two host systems, each a physical computing resource running a hypervisor (HYPERVISOR-1 with VM-1 to VM-4; HYPERVISOR-2 with VM-5 to VM-7 and a Control VM), both attached to DLR-1 between a Source Network and a Destination Network. Service Orchestration (provision, configure, monitor, manage) and a Virtual Infrastructure Manager span a Private Micro Datacenter and a Mobile Edge Computing Node.]
Industry Direction on SFC
• Demand for SFC is increasing
– Cable, enterprises, mobile core, edge and wireline
• Implementations to date are vendor specific at the VNF level
– NSH implementation has challenges
– VLAN-ID based technique: a step in the right direction
• Future use cases, such as cross-cloud, micro data center, IoT and 5G networks, will depend on SFC
[Diagram label: Home Cloud Point]
Summary
[Diagram: the deck's figures combined: the vCPE, SD-WAN and vEPC use cases; the dynamic SFC architecture (Classifier, NAT, SFC Controller, Topology Server, Service Function Forwarder, FW, LB, Public Cloud Access, Orchestration / Automation, DPI, Dynamic Redirection); the NFV Orchestrator and VNF-M with VNF 1 to VNF 5; and the vCloud NFV platform (vSphere, vSAN and NSX for Compute, Storage and Networking; vCloud Director and VMware Integrated OpenStack as VIM; vRealize Operations, vRealize Log Insight and vRealize Network Insight for NFVI Operations and Analytics)]
@ VMworld
NFV HOL Labs: 1886-01-EMT, 1886-02-EMT
Tuesday, Aug 29, 1:30 p.m. – 3:00 p.m.: [ELW188601U] vCloud NFV – Getting Started Workshop
Wednesday, Aug 30, 1:15 p.m. – 2:00 p.m.: [MTE4855U] NFV – Meet the Expert Session – Dharma Rajan
Wednesday, Aug 30, 2:00 p.m. – 3:00 p.m.: [FUT1744BU] The Benefits of VMware Integrated OpenStack for Your NFV Platform – Hassan Hamade and Mauricio Valdueza
www.vmware.com/go/nfv
#vmworld2017
#vmwaretelco
[email protected]