Alcatel, Lucent, Alcatel-Lucent, Nokia, Nuage Networks and the Nokia, Nuage Networks, and Alcatel-Lucent logos are trademarks of Nokia. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Nokia assumes no responsibility for inaccuracies contained herein. This slide must be kept when distributed externally.
COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.
INTRODUCTION TO SOFTWARE DEFINED WIDE AREA NETWORKS (SD-WAN)
APRICOT 2016
ALASTAIR JOHNSON
FEBRUARY 2016
AGENDA
1. What is SD-WAN?
2. Why is SD-WAN happening?
3. How does it work?
4. Why do service providers care?
5. Summary
WHAT IS SD-WAN?
SD-WAN (Software Defined Wide Area Network) is a new model for evolving the delivery of WAN services using SDN principles.
SD-WAN changes the model of traditional WAN networking with an IT approach to network services, with centralized control and a decoupled service/transport architecture.
Three traits called out in the slide figure: the overlay offers transport choices; service functions are self-governed; network service delivery takes an IT approach.
WHAT IS SD-WAN?
• Open Network Users Group (ONUG) Working Group
- Definition of use cases, test plans, and interop
- Whitepaper with core business requirements for SD-WAN
- Biannual showcases of products aligned with use cases
- Primarily enterprise focused, with vendor participation and contribution
• Heavy focus on virtualization
- Network Virtualization
- Abstraction of service from transport – like MPLS did in the IP world (and IP did to Optical)
- Virtual Machines/Network Function Virtualization
- Abstraction of service function from hardware
- Virtualized router, firewall, …
• Driven by enterprises looking for new technology advantages
- Operational
- Financial
- Efficiency
- New capabilities
The ten ONUG SD-WAN requirements from the working group whitepaper:
1. Active-active WAN transports (public/private)
2. Virtual or physical CPE on commodity hardware
3. Secure hybrid WAN architecture with dynamic traffic engineering
4. Visibility, prioritization and steering of traffic
5. Highly available and resilient WAN
6. L2 and L3 interoperability
7. Dashboard reporting
8. Open north-bound APIs
9. Zero touch deployment of branch site
10. FIPS 140-2 certification
SD-WAN – BIGGER PICTURE
Figure: branch sites in Wellington and Christchurch and the HQ/DC in Auckland joined by an SD-WAN enabled VPN network that runs over both an MPLS WAN and the Internet. Properties called out: centralized policy and control; any-to-any network connection; transport independent; intelligent traffic control; policy based network management; automated branch and services orchestration.
NETWORK VIRTUALIZATION IS NOT NEW
Figure: three generations of the same stack. Optical transport and service (P2P circuits); an IP service layer overlaid on optical transport; MPLS services (VRFs) on IP transport on optical transport.
Service layers continue to be abstracted!
CPE CHANGES: HOW IS THIS DIFFERENT FROM VCPE?
• Virtualized CPE (VCPE) is looking at evolution of CPE, not at evolution of network or service
• CPE as a virtual machine on x86
- Virtualized Network Function (VNF) running in the datacenter or on other commodity hardware
• x86 CPE platform at the customer premises that can host VNFs
• "Same same but different"
- Changing the hardware platform to reduce cost or consolidate physical components
- Does not take advantage of the management or network abstraction benefits
Figure: two placements, VCPE in the DC behind the PE (L2 hand-off from the customer site) and x86 VCPE at the customer site.
EVOLUTION
Management scale
• Centralization
• IT-centric approach with APIs/programmability
• Automation of management
• Upgrades
• Events
• Visibility and reporting
• Span/scope delegation
Cost control
• Hybrid transports
• Mix and match MPLS, Wireless, Internet, …
• Internet "good enough"
• Sharp cost savings make it so
• Primary transport for cloud/web applications
• x86 platforms with high performance and modest cost
Flexibility
• Mix and match site capabilities and network requirements
• Service chaining for new functionality
• Hybrid transports
• Hybrid cloud environments
• Improve site turn-up times
EVOLUTION
Traditional model (MPLS core, VRF to VRF):
• Complex routing relationships
- BGP, routing policies
- Scale – PE control plane, routing protocols
• Service provider intimately involved in customer's topology
• Extensive configuration required
• Limited by network capability and reach
• Lowest common denominator features
SD-WAN model (service over any transport):
• PE-CE relationship changes
- CE is completely stub node, no routing protocols required
- SDN controllers can integrate with underlay networks and centralize routing relationships
• Underlay becomes unaware of the service layer
- IP packets, not services
- No configuration dependency
• Service abstraction
EVOLUTION: CENTRALIZED CONTROL
• Management
- Reduce challenges of scaling management infrastructure
- Configuration by necessity is pushed through SDN controllers, becoming the central point to query
- Statistics, alarms, events, audit all through single system with API-centric approach
• Automation
- Take advantage of the centralized management plane to automate tasks and events
- Reduce error and time to service change
• Introduce network features through centralized control
• Scaling very large overlays
- Tunnel creation
- OAM
- IPsec key distribution and management
• Service chaining
- Visibility of all nodes in the chain
- Configure forwarding based on flows to different elements
• Performance Routing and Hybrid Networks
- Measure performance of different underlays and move traffic as required
SOFTWARE DEFINED NETWORKING RECAP
• New ways of thinking about existing ways of working
• Separated management, control, and forwarding
• Decoupled architecture means each vendor can focus on strengths
• Decreased barrier to entry for startups provides multiple choices for customers
• Feature stability, long hardware cycles do not affect software features
Figure: management/policy layer on top of a controller, which in turn programs the forwarding engines (hardware plus OS) below it.
PUTTING IT TOGETHER
• EVPN delivers a control plane that can distribute MAC (L2) and IP (L3) reachability information
- Scale is addressed: BGP has proven to scale well; federation becomes straight-forward
- Control is addressed: programmatic network topology, flexibility of routing policies
- Efficiency is addressed: hybrid L2/L3 services over a single interface, redundancy and multi-homing included
• VXLAN delivers a data plane that can deliver Ethernet frames over an L3 transport
- L2VPN, L3VPN, …the Internet
Figure: on each node the control plane (BGP, OSPF, …) feeds the FIB of the data plane.
OVERLAY SD-WAN EXAMPLE
• Controller programs forwarding plane for all CPEs
- Aware of all L2/L3 topology behind each CPE
- Calculate once, program many
• CPE performs encapsulation of VPN traffic (VXLAN)
• Traffic is carried encapsulated over underlay network
- Underlay network could be any infrastructure
- Unaware of topology of VPN service
Figure: three sites (Site 1, Site 2, Site 3), each a LAN behind a CPE, connected over the underlay; the SP central functions hold the policy DB and the SDN controllers.
OVERLAY SD-WAN EXAMPLE
• OpenFlow provides a mechanism to program the L2/L3 forwarding information base (FIB) and provide notifications to the controller
- MAC/IP addresses learned on LAN ports are reported to the controller
- Controller determines whether the MAC/IP is to be programmed into the FIB
• Federation of topology between controllers via BGP-EVPN
- MAC and IP reachability signaled
- VXLAN VNI information combined with NEXT_HOP
• Redundancy of controllers is supported – CPE vSwitch registers and determines active/standby controllers
Figure: the CPE talks OpenFlow and OVSDB to the SDN controller; controllers federate with BGP EVPN. Remote prefixes 10.1.0.0/24 (VTEP 192.0.2.1) and 10.3.0.0/24 (VTEP 192.0.2.3); the local LAN 10.2.0.0/24 has host 10.2.0.1/32 with MAC aa:bb:cc:dd:ee:ff.
OVERLAY SD-WAN EXAMPLE
• CPEs forward directly between each other using VXLAN as overlay
- 10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456
- 10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz
• Underlay network sees VXLAN traffic between endpoints
• Dataplane can be further encapsulated for confidentiality (e.g. IPsec, which also adds the integrity protection and endpoint authentication that VXLAN itself does not provide)
Figure: 10.1.0.0/24 behind VTEP 192.0.2.1 and 10.3.0.0/24 behind VTEP 192.0.2.3, joined by a VXLAN tunnel with VNI = 123456.
CHANGES FROM AN EXISTING MODEL
• Overlays simplify network topology
• SP network needs to know less about customer topology
• Increases flexibility of delivery – L2 services over L3, On Net, Off Net, Internet, etc
- Use multiple underlays and move traffic between them
• Provisioning simplified
- Reuse of activation processes from broadband networks
Figure: the traditional model (VRF to VRF) has many provisioning touch points: BGP routing policy, RIB scale, failover/redundancy, LAN ports, WAN ports, aggregation network. The overlay model (GRT to GRT) needs one-time provisioning of the underlay and dynamic provisioning of the service.
INTELLIGENT TRAFFIC STEERING
Figure: Auckland and Wellington connected by a primary link (Provider A IP-VPN, 2 Mbps) and a secondary link (Internet, 20 Mb/s burst). The centralized management and network policy engine pushes policy to route each traffic type (critical branch app, call centre voice, HD video conference) over specific links.
Centralized policy push to route traffic over specific links depending on type.
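The steering decision this slide describes, together with the earlier "performance routing" point (measure the underlays and move traffic as required), as an added example that is not code from the original deck. The two links, their speeds and the three application classes are the slide's; the SLA thresholds, the probe measurements, and the rule that tenant traffic never rides the Internet link unless its tunnel is IPsec-protected are assumptions made here.

```python
"""Policy-driven link selection for an SD-WAN CPE with two underlays.

Added example, not code from the slides. Links and application classes are
from the slide; SLA numbers, probe values and the IPsec rule are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int
    private: bool        # True for the Provider A IP-VPN, False for the Internet
    ipsec: bool          # overlay tunnel on this link is IPsec-protected


@dataclass(frozen=True)
class Probe:
    """Latest path-quality measurement for one link (constructed values)."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class AppPolicy:
    preferred: List[str]          # link order pushed by the central policy engine
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    min_bandwidth_kbps: int = 0


LINKS: Dict[str, Link] = {
    "primary":   Link("primary", 2_000, private=True, ipsec=False),
    "secondary": Link("secondary", 20_000, private=False, ipsec=True),
}
# Same links but with the Internet tunnel not IPsec-protected (assumed variant).
LINKS_CLEAR_INTERNET: Dict[str, Link] = {
    **LINKS, "secondary": Link("secondary", 20_000, private=False, ipsec=False),
}

# Assumed SLA thresholds; the application classes are the slide's.
POLICY: Dict[str, AppPolicy] = {
    "critical-branch-app": AppPolicy(["primary", "secondary"], 200, 1.0, 50),
    "call-centre-voice":   AppPolicy(["primary", "secondary"], 150, 0.5, 30),
    "hd-video-conference": AppPolicy(["secondary", "primary"], 250, 1.0, 50,
                                     min_bandwidth_kbps=4_000),
}


def meets_sla(probe: Probe, policy: AppPolicy) -> bool:
    return (probe.latency_ms <= policy.max_latency_ms
            and probe.loss_pct <= policy.max_loss_pct
            and probe.jitter_ms <= policy.max_jitter_ms)


def eligible(link: Link, policy: AppPolicy) -> bool:
    """Static checks that do not depend on measurements."""
    if link.bandwidth_kbps < policy.min_bandwidth_kbps:
        return False
    # Assumed rule: tenant traffic never crosses a public underlay in the clear.
    if not link.private and not link.ipsec:
        return False
    return True


def select_link(app: str, probes: Dict[str, Probe],
                links: Dict[str, Link] = LINKS) -> Optional[str]:
    """Return the link the policy engine would steer `app` onto.

    The first preferred link that is eligible and within SLA wins. If none is
    within SLA the traffic stays on the eligible link with the least loss
    rather than being black-holed. None means no eligible underlay exists.
    """
    policy = POLICY[app]
    candidates = [n for n in policy.preferred if eligible(links[n], policy)]
    for name in candidates:
        if meets_sla(probes[name], policy):
            return name
    if not candidates:
        return None
    return min(candidates, key=lambda n: (probes[n].loss_pct, probes[n].latency_ms))


def steer_all(probes: Dict[str, Probe], links: Dict[str, Link] = LINKS) -> Dict[str, Optional[str]]:
    return {app: select_link(app, probes, links) for app in POLICY}


# Constructed probe results: a healthy day, and the IP-VPN link losing 3% of packets.
HEALTHY = {"primary": Probe(40, 0.0, 5), "secondary": Probe(60, 0.2, 12)}
PRIMARY_DEGRADED = {"primary": Probe(40, 3.0, 45), "secondary": Probe(60, 0.2, 12)}

if __name__ == "__main__":
    for label, probes in (("healthy", HEALTHY), ("primary degraded", PRIMARY_DEGRADED)):
        print(label, steer_all(probes))
```

With healthy probes voice and the critical app stay on the 2 Mbps IP-VPN and only HD video goes to the Internet link (it cannot fit the primary). When the primary degrades, voice and the critical app fail over to the Internet link because its tunnel is IPsec-protected; with `LINKS_CLEAR_INTERNET` the same failure leaves voice on the degraded private link rather than sending it over the Internet unencrypted.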
OVERLAYS ENABLE SERVICE CHAINING
• Centralized policy enforcement
- Firewall
- Between zones/subnets/branch types
- Extranet applications
- To Internet through central functions
- Content filtering
- Selective content filtering (schools – teacher/student; public WiFi in retail environments bypasses)
• Network analytics and monitoring
- Tap and mirror
- IDS/IDP
- DPI and DLP
Figure: LAN traffic from a branch CPE is steered across the WAN through service functions hosted behind a DC CPE before reaching its destination.
INTERWORKING
• How do I connect the new to the existing?
• EVPN with VXLAN termination direct into existing MPLS PE routers
- End-to-end network is BGP and VXLAN aware allowing for PE routers to act as VXLAN/MPLS interworking function
- Streamlined and simplified routing
• Use CPE as gateway
- Break VXLAN services out to Ethernet VLANs at PE router
- Best for high performance security encapsulations
Figure: a traditional VPN environment (IP/MPLS, VRFs, GRT, Internet) beside an overlay VPN environment, joined by an interworking function (IWF).
COMPARISON
Traditional L2/L3VPN model
• Overlay driven (MPLS)
• Services limited to network reach
• Distributed topology and control
• High performance
• Limited ability to introduce new functions (service chaining)
• Traditional routing protocols for traffic management and distribution
• Vertically integrated CPE model (but evolving)
SD-WAN model
• Overlay driven (VXLAN, GRE, IPsec, …)
• Decoupled service/transport model
• Services available where IP transport is available
• Centralized control with distributed topology
• Native capability for service chaining
• Protocols designed for flow based traffic management allowing for multiple active links/underlays to transport service
• Deployable on x86/virtualization
WHY DO SERVICE PROVIDERS CARE?
• Network problems that Enterprises have are the problems that Service Providers have
• Automation brings proven advantages to service providers
- Fewer touch points = fewer errors
- Faster service activation = happier customers and financial controllers
• Separation of service and transport
- Proven model, with new encapsulations = more network flexibility
- Take services deeper, over other network transports
- Reduce service awareness in the network = can be cheaper
• Management and control brings network efficiency
- Fewer touch-points, simplified OSS/BSS
- Better self-control of the network, more efficiency in links and equipment
• Ignoring it and being a bit-carrier is perfectly viable as well!
SUMMARY: WHAT'S GOING ON, AND WHAT DO I DO NEXT?
• SDN as a technology has proven deployment use-cases that make sense
- Not just experiments or 'doing the same thing but differently'
• Overlays are not new
- ATM, MPLS, IPv6 transition technologies have all been using overlay functions for years
• Service layer overlay is a natural evolution of the network
- Segment Routing for TE
- Overlay for service
• Real service provider use-cases exist for leveraging the same technology as deployed in datacenters
• Speed, flexibility, optimization of network service delivery points
TECHNOLOGY RECAP: VXLAN, THE DATAPLANE
• VXLAN encapsulates Ethernet in IP
- Runs over IPv4 or IPv6
- UDP-based (destination port 4789); the source port is a hash of the inner MACs or IPs to provide load balancing entropy
- 8 byte VXLAN header provides 24 bit VXLAN Network Identifier (VNI) and flags
- Total encapsulation overhead is ~50 bytes (outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8)
• VXLAN is routable with IP, so the underlay network may be any network that uses existing resiliency and load balancing mechanisms
- ECMP
- IGPs/BGP
- IP FRR
• VXLAN tunnel endpoints can be on network equipment or computing infrastructure
- Deliver tunneled packets straight to a hypervisor vSwitch
- Or to a tenant VM
• VXLAN is hardware accelerated on many platforms today
• Can be further encapsulated in other protocols such as IPsec
- VXLAN has no authentication or integrity check on the outer headers or the VNI, so on an underlay that is not trusted (the Internet) IPsec or an equivalent is what actually keeps tenants apart
Figure: VTEPs on network equipment and on hosts, joined across IP networks (IP FRR, ECMP, IGP).
Other dataplanes such as GRE, NVGRE, etc may be considered.
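The forwarding step from the overlay example (look up 10.1.0.0/24, get NEXT_HOP 192.0.2.1 and VNI 123456, encapsulate in VXLAN) carried through with the header layout from this recap, as an added example that is not code from the original deck. The site-2 VTEP address 192.0.2.2, the inner host 10.1.0.5, the outer MACs and the payload are constructed; giving site 3 the same VNI 123456 (the slide says "VNI xyz") is an assumption. The allow-list in decapsulate() is this example's own illustration of why the slides say the data plane may need IPsec on top: VXLAN itself authenticates nothing.

```python
"""Controller-programmed forwarding and VXLAN encapsulation at an SD-WAN CPE.

Added example, not code from the slides. FIB entries, remote VTEPs and VNI
123456 are from the overlay example; LOCAL_VTEP, inner hosts, MACs and the
payload are constructed. Header layout follows RFC 7348.
"""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08          # RFC 7348 "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_EXPERIMENT = 253     # RFC 3692 experimental protocol, used for the sample payload

# Controller-programmed FIB of the site-2 CPE, as on the slide:
# destination prefix -> (next-hop VTEP, VNI). Sharing the VNI is assumed.
FIB = {
    ipaddress.ip_network("10.1.0.0/24"): ("192.0.2.1", 123456),
    ipaddress.ip_network("10.3.0.0/24"): ("192.0.2.3", 123456),
}
LOCAL_VTEP = "192.0.2.2"     # assumed underlay address of the site-2 CPE


def fib_lookup(dst_ip):
    """Longest-prefix match on the controller-programmed FIB -> (vtep, vni)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(p, nh) for p, nh in FIB.items() if dst in p]
    if not matches:
        raise LookupError(f"no overlay route for {dst_ip}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_header(dst_mac, src_mac, ethertype):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header: DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_source_port(inner_frame):
    """Hash the inner Ethernet+IP headers into the ephemeral range so that
    underlay ECMP spreads different inner flows over different paths."""
    return 49152 + zlib.crc32(inner_frame[:34]) % 16384


def encapsulate(inner_frame, outer_src_mac="02:00:00:00:00:02", outer_dst_mac="02:00:00:00:00:01"):
    """Wrap a LAN frame in Ethernet/IPv4/UDP/VXLAN towards the VTEP the FIB names."""
    if struct.unpack("!H", inner_frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 inner frames are routed in this example")
    dst_ip = str(ipaddress.ip_address(inner_frame[30:34]))   # inner IPv4 destination
    vtep, vni = fib_lookup(dst_ip)
    vxlan = struct.pack("!B3s3sB", VXLAN_FLAG_I, b"\x00\x00\x00", vni.to_bytes(3, "big"), 0)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # A zero UDP checksum is permitted for VXLAN over IPv4.
    udp = struct.pack("!HHHH", vxlan_source_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    return (ethernet_header(outer_dst_mac, outer_src_mac, ETHERTYPE_IPV4)
            + ipv4_header(LOCAL_VTEP, vtep, IPPROTO_UDP, udp_len) + udp + vxlan + inner_frame)


def decapsulate(packet, known_vteps):
    """Validate and strip the outer headers -> (src_vtep, vni, inner_frame).

    VXLAN carries no authentication: the VNI is plaintext and anyone able to
    send UDP/4789 to this VTEP could inject frames into a tenant network.
    Accepting only controller-known peers narrows that; it is not a
    substitute for IPsec on an untrusted underlay.
    """
    if len(packet) < 50 or struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = packet[14:34]
    if ip[0] != 0x45 or ipv4_checksum(ip) != 0 or ip[9] != IPPROTO_UDP:
        raise ValueError("bad outer IPv4 header")
    src_vtep = str(ipaddress.ip_address(ip[12:16]))
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[34:42])
    if dport != VXLAN_UDP_PORT or udp_len < 16 or 34 + udp_len > len(packet):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, _, vni_bytes, _ = struct.unpack("!B3s3sB", packet[42:50])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    if src_vtep not in known_vteps:
        raise PermissionError(f"VXLAN from unknown VTEP {src_vtep}")
    return src_vtep, int.from_bytes(vni_bytes, "big"), packet[50:34 + udp_len]


def sample_inner_frame():
    """Constructed LAN frame from the slide's host 10.2.0.1 (aa:bb:cc:dd:ee:ff) to 10.1.0.5."""
    payload = b"hello site 1"
    return (ethernet_header("02:00:00:00:01:05", "aa:bb:cc:dd:ee:ff", ETHERTYPE_IPV4)
            + ipv4_header("10.2.0.1", "10.1.0.5", IPPROTO_EXPERIMENT, len(payload)) + payload)


if __name__ == "__main__":
    frame = sample_inner_frame()
    packet = encapsulate(frame)
    print(f"encapsulation overhead: {len(packet) - len(frame)} bytes")
    # The receiving VTEP at 192.0.2.1 knows 192.0.2.2 as a peer from its own FIB.
    print(decapsulate(packet, {"192.0.2.2"})[:2])
```

The overhead the code adds is exactly the ~50 bytes quoted above. Note that the receiver's only defence in plain VXLAN is the source-VTEP allow-list, which any host that can spoof the outer source address bypasses; that is the gap IPsec closes.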
TECHNOLOGY RECAP: EVPN
Control plane: EVPN MP-BGP, RFC 7432. Data plane options:
§ Multiprotocol Label Switching (MPLS), RFC 7432
- EVPN over MPLS for VLL, VPLS and E-Tree services
- All-active multihoming for VPWS
- RSVP-TE or LDP MPLS protocols
§ Provider Backbone Bridges (PBB), draft-ietf-l2vpn-pbb-evpn (later published as RFC 7623)
- EVPN with PBB PE functionality for scaling very large networks over MPLS
- All-active multihoming for PBB-VPLS
§ Network Virtualization Overlay (NVO), draft-ietf-bess-evpn-overlay (later published as RFC 8365)
- EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsulations
- Provides Layer 2 and Layer 3 DCI
TECHNOLOGY RECAP: EVPN
• Brings proven and inherent BGP control plane scalability to MAC routes
- Consistent signaled FDB in any size network instead of flooding
- Even more scalability and hierarchy with route reflectors
• BGP advertises MACs and IPs for next hop resolution with EVPN NLRI
- AFI = 25 (L2VPN) and SAFI = 70 (EVPN)
- Fully supports IPv4 and IPv6 in the control and data plane
• Offers greater control over MAC learning
- What is signaled, from where and to whom
- Ability to apply MAC learning policies
• Maintains virtualization and isolation of EVPN instances
• Enables traffic load balancing for multihomed CEs with ECMP MAC routes
MAC Advertisement Route (EVPN route type 2), fields in order:
- Route Distinguisher (8 octets)
- Ethernet Segment Identifier (10 octets)
- Ethernet Tag ID (4 octets)
- MAC Address Length (1 octet)
- MAC Address (6 octets)
- IP Address Length (1 octet)
- IP Address (0 or 4 or 16 octets; optional)
- MPLS Label1 (3 octets)
- MPLS Label2 (0 or 3 octets; optional)
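The MAC Advertisement route laid out above, as an added example that is not code from the original deck: it encodes and decodes the route-type-2 NLRI with exactly the field widths in the table, with Label1 carrying the VNI as in the VXLAN overlay case, and then applies the kind of MAC learning policy the slide mentions before a controller programs the route into CPE FIBs. The MAC, IP and VNI are the slide's; the Route Distinguisher 64496:2, the zero ESI, the route-type/length prefix handling and the should_program() policy are constructed here.

```python
"""Encode and decode an EVPN MAC/IP Advertisement route (route type 2).

Added example, not code from the slides. Field widths follow the table on the
slide (RFC 7432 section 7.2); the NLRI starts with the 1-octet route type and
1-octet length that MP-BGP (AFI 25 / SAFI 70) puts in front of every EVPN
route. For a VXLAN overlay the 3-octet Label1 field carries the VNI.
"""
import ipaddress
import struct

ROUTE_TYPE_MAC_IP = 2
MAC_BITS = 48


def encode_rd(asn, assigned):
    """Type-0 Route Distinguisher: type (2) + 2-byte AS number + 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def decode_rd(raw):
    rd_type, asn, assigned = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{asn}:{assigned}"


def encode_mac_ip_route(rd, esi, eth_tag, mac, ip=None, label1=0, label2=None):
    """Return the NLRI bytes for one MAC/IP advertisement."""
    if len(rd) != 8 or len(esi) != 10:
        raise ValueError("RD must be 8 octets and ESI 10 octets")
    body = rd + esi + struct.pack("!I", eth_tag)
    body += struct.pack("!B", MAC_BITS) + bytes.fromhex(mac.replace(":", ""))
    if ip is None:
        body += b"\x00"                            # IP Address Length 0, no IP field
    else:
        packed = ipaddress.ip_address(ip).packed   # 4 or 16 octets
        body += struct.pack("!B", len(packed) * 8) + packed
    body += label1.to_bytes(3, "big")              # VNI for VXLAN overlays
    if label2 is not None:
        body += label2.to_bytes(3, "big")
    return struct.pack("!BB", ROUTE_TYPE_MAC_IP, len(body)) + body


def decode_mac_ip_route(nlri):
    """Parse one type-2 NLRI into a dict, rejecting inconsistent lengths."""
    if len(nlri) < 2:
        raise ValueError("truncated NLRI header")
    rtype, length = nlri[0], nlri[1]
    if rtype != ROUTE_TYPE_MAC_IP:
        raise ValueError(f"not a MAC/IP route (type {rtype})")
    body = nlri[2:2 + length]
    if len(body) != length or length < 33:         # minimum: 8+10+4+1+6+1+3
        raise ValueError("NLRI length does not match content")
    rd, esi = body[0:8], body[8:18]
    (eth_tag,) = struct.unpack("!I", body[18:22])
    if body[22] != MAC_BITS:
        raise ValueError("MAC address length must be 48 bits")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_len, off = body[29], 30
    if ip_len == 0:
        ip = None
    elif ip_len in (32, 128):
        n = ip_len // 8
        ip = str(ipaddress.ip_address(body[off:off + n]))
        off += n
    else:
        raise ValueError(f"bad IP address length {ip_len}")
    label1 = int.from_bytes(body[off:off + 3], "big")
    off += 3
    label2 = None
    if len(body) - off == 3:
        label2 = int.from_bytes(body[off:off + 3], "big")
        off += 3
    if off != len(body):
        raise ValueError("trailing bytes in NLRI")
    return {"rd": decode_rd(rd), "esi": esi.hex(), "eth_tag": eth_tag,
            "mac": mac, "ip": ip, "label1": label1, "label2": label2}


def should_program(route, site_prefixes):
    """Constructed import policy a controller could apply before programming a
    learned MAC/IP into CPE FIBs: only unicast MACs, and only IPs inside the
    prefixes the controller already knows for the advertising site, so a
    misconfigured or compromised peer cannot claim another site's hosts."""
    first_octet = int(route["mac"].split(":")[0], 16)
    if first_octet & 0x01:                         # group bit set: multicast/broadcast
        return False
    if route["ip"] is None:
        return True
    addr = ipaddress.ip_address(route["ip"])
    return any(addr in ipaddress.ip_network(p) for p in site_prefixes)


SITE2_RD = encode_rd(64496, 2)                     # constructed: AS 64496 (documentation range), site 2
SINGLE_HOMED_ESI = bytes(10)                       # ESI 0: the CE is not multihomed
SITE2_PREFIXES = ["10.2.0.0/24"]                   # what the controller knows about site 2


def site2_host_route():
    """The host on the slide: 10.2.0.1 / aa:bb:cc:dd:ee:ff in VNI 123456."""
    return encode_mac_ip_route(SITE2_RD, SINGLE_HOMED_ESI, 0,
                               "aa:bb:cc:dd:ee:ff", "10.2.0.1", label1=123456)


if __name__ == "__main__":
    nlri = site2_host_route()
    print(nlri.hex())
    route = decode_mac_ip_route(nlri)
    print(route, should_program(route, SITE2_PREFIXES))
```

The decoder trusts nothing it did not verify: the declared length must match the bytes present, the MAC length must be 48 and the IP length one of 0, 32 or 128, and nothing may trail the labels. The import policy is where "what is signaled, from where and to whom" becomes enforceable.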