OPEN template Alcatel, Lucent, Alcatel-Lucent, Nokia ... · PDF fileAlcatel, Lucent, Alcatel-Lucent, Nokia, Nuage Networks and the Nokia, Nuage Networks, and Alcatel- ... - Fewer"touch=points,"simpliﬁed"OSS/BSS"

OPEN template Alcatel, Lucent, Alcatel-Lucent, Nokia, Nuage Networks and the Nokia, Nuage Networks, and Alcatel-Lucent logos are trademarks of Nokia. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Nokia assumes no responsibility for inaccuracies contained herein. This slide must be kept when distributed externally.

2 COPYRIGHT © 2016 NOKIA. ALL RIGHTS RESERVED.

INTRODUCTION TO SOFTWARE DEFINED WIDE AREA NETWORKS (SD-‐WAN) APRICOT 2016 ALASTAIR JOHNSON FEBRUARY 2016


AGENDA

1.   What is SD-‐WAN?

2.  Why is SD-‐WAN happening?

3.  How does it work? 4.  Why do service providers care?

5.  Summary


WHAT IS SD-‐WAN?

SD-‐WAN (SoXware Defined Wide Area Network) is a new model for evolving the delivery of WAN services using SDN principals

SD-‐WAN changes the model of tradi\onal WAN networking with an IT-‐approach to network services, with centralized control and a decoupled service/transport architecture

Overlay(offers(transport(choices(

Self%governance-of-service-func1ons-

--

IT-‐approach to network service

delivery


WHAT IS SD-‐WAN?

•  Open Network Users Group (ONUG) Working Group -  Defini\on of use cases, test plans, and interop -  Whitepaper with core business requirements for SD-‐WAN -  Biannual showcases of products aligned with use cases -  Primarily enterprise focused, with vendor par\cipa\on and contribu\on •  Heavy focus on virtualiza5on -  Network Virtualiza\on -  Abstrac\on of service from transport – like MPLS did in the IP world (and IP did to Op\cal)

-  Virtual Machines/Network Func\on Virtualiza\on -  Abstrac\on of service func\on from hardware -  Virtualized router, firewall, …

•  Driven by enterprises looking for new technology advantages -  Opera\onal -  Financial -  Efficiency -  New capabili\es

1.  Ac\ve-‐ac\ve WAN transports (public/private)

2.  Virtual or physical CPE on commodity hardware

3.  Secure hybrid WAN architecture with dynamic traffic engineering

4.  Visibility, priori\za\on and steering of traffic

5.  Highly available and resilient WAN

6.  L2 and L3 interoperability

7.  Dashboard repor\ng

8.  Open north-‐bound APIs

9.  Zero touch deployment of branch site

10.  FIPS 140-‐2 cer\fica\on


SD-‐WAN – BIGGER PICTURE

MPLS WAN

Internet

Wellington

Christchurch

HQ/DC Auckland

SD-‐WAN enabled VPN Network

Centralized

Policy and Control

Any-‐to-‐any network connec\on

Transport Independent

Intelligent Traffic control

Policy based Network management Automated branch

and Services orchestra\on


NETWORK VIRTUALIZATION IS NOT NEW

P2P

VRF

VRF

VRF

VRF VRF

VRF

VRF VRF

Op\cal Transport and Service

IP service layer overlaid on op\cal transport

MPLS service on IP transport on op\cal transport

Service layers con\nue to be abstracted!


CPE CHANGES HOW IS THIS DIFFERENT FROM VCPE?

•  Virtualized CPE (VCPE) is looking at evolu\on of CPE, not at evolu\on of network or service •  CPE as a virtual machine on X86

-  Virtualized Network Func\on (VNF) running in the datacenter or on other commodity hardware •  X86 CPE plamorm at the customer premises that can host VNFs

•  ”Same same but different”

-  Changing the hardware plamorm to reduce cost or consolidate physical components -  Does not take advantage of the management or network abstrac\on benefits

L2

VCPE in DC PE

X86 VCPE at customer site


AGENDA

1.  What is SD-‐WAN?

2.   Why is SD-‐WAN happening?


5.  Summary


EVOLUTION

Flexibility

Cost Control •  Management scale

•  Centralization

•  IT-centric approach with APIs/programmability

•  Automation of management

•  Upgrades

•  Events

•  Visibility and reporting

•  Span/scope delegation

•  Hybrid transports

•  Mix and match MPLS, Wireless, Internet, …

•  Internet “good enough”

•  Sharp cost savings make it so

•  Primary transport for cloud/web applications

•  X86 platforms with high performance and modest cost

•  Mix and match site capabilities and network requirements •  Service chaining for new

functionality

•  Hybrid transports

•  Hybrid cloud environments

•  Improve site turn-up times


EVOLUTION

•  Complex rou\ng rela\onships

-  BGP, rou\ng policies -  Scale – PE control plane, rou\ng protocols •  Service provider in\mately involved in customer’s topology

•  Extensive configura\on required

•  Limited by network capability and reach

•  Lowest common denominator features

•  PE-‐CE rela\onship changes -  CE is completely stub node, no rou\ng protocols required -  SDN controllers can integrate with underlay networks and centralize rou\ng rela\onships

•  Underlay becomes unaware of the service layer

-  IP packets, not services -  No configura\on dependency •  Service abstrac\on

MPLS Core VRF VRF Any transport Svc Svc


EVOLUTION CENTRALIZED CONTROL

• Management

-  Reduce challenges of scaling management infrastructure -  Configura\on by necessity is pushed through SDN controllers, becoming the central point to query -  Sta\s\cs, alarms, events, audit all through single system with API-‐centric approach

•  Automa\on

-  Take advantage of the centralized management plane to automate tasks and events -  Reduce error and \me to service change

•  Introduce network features through centralized control

•  Scaling very large overlays -  Tunnel crea\on -  OAM •  IPsec key distribu\on and management

•  Service chaining -  Visibility of all nodes in the chain -  Configure forwarding based on flows to different elements

•  Performance Rou\ng and Hybrid Networks

-  Measure performance of different underlays and move traffic as required


AGENDA



3.   How does it work? 4.  Why do service providers care?

5.  Summary


Management/Policy

Hardware

OS

Controller

Hardware Hardware

SOFTWARE DEFINED NETWORKING RECAP

•  New ways of thinking about exis\ng ways of working

•  Separated management, control, and forwarding

•  Decoupled architecture means each vendor can focus on strengths

•  Decreased barrier to entry for startups provides mul\ple choices for customers

•  Feature stability, long hardware cycles do not affect soXware features

Forwarding Engine


PUTTING IT TOGETHER

•  EVPN delivers a control plane that can distribute MAC (L2) and IP (L3) reachability informa\on -  Scale is addressed: BGP has proven to scale well; federa\on becomes straight-‐forward -  Control is addressed: programma\c network topology, flexibility of rou\ng policies -  Efficiency is addressed: hybrid L2/L3 services over a single interface, redundancy and mul\-‐homing included •  VXLAN delivers a data plane that can deliver Ethernet frames over an L3 transport

-  L2VPN, L3VPN, …the Internet

BGP, OSPF, …

FIB

Control Plane

BGP, OSPF, …

Data Plane FIB


OVERLAY SD-‐WAN EXAMPLE

•  Controller programs forwarding plane for all CPEs

-  Aware of all L2/L3 topology behind each CPE -  Calculate once, program many •  CPE performs encapsula\on of VPN traffic (VXLAN)

•  Traffic is carried encapsulated over underlay network

-  Underlay network could be any infrastructure -  Unaware of topology of VPN service

CPE

Site 1

LAN

CPE

Site 3

LAN

CPE

Site 2

LAN

Underlay

Policy DB

SDN Controllers

SP Central Func\ons



• OpenFlow provides a mechanism to program the L2/L3 forwarding informa\on base (FIB) and provide no\fica\ons to the controller

-  MAC/IP address learning on LAN ports are alerted to the controller -  Controller determines whether the MAC/IP is to be programmed into FIB

•  Federa\on of topology between controllers via BGP-‐EVPN

-  MAC and IP reachability signaled -  VXLAN VNI informa\on combined with NEXT_HOP •  Redundancy of controllers is supported – CPE vSwitch registers and determines ac\ve/standby controllers

CPE

SDN Controller

OpenFlow

OVSDB

BGP EVPN

10.1.0.0/24 10.3.0.0/24

192.0.2.1 192.0.2.3

10.2.0.0/24

10.2.0.1/32 aa:bb:cc:dd:ee:ff



•  CPE forward directly between each other using VXLAN as overlay

-  10.1.0.0/24 NEXT_HOP 192.0.2.1 VNI 123456 -  10.3.0.0/24 NEXT_HOP 192.0.2.3 VNI xyz •  Underlay network sees VXLAN traffic between endpoints

•  Dataplane can be further encapsulated for confiden\ality (e.g. IPsec)

10.1.0.0/24 10.3.0.0/24

192.0.2.1 192.0.2.3

VNI = 123456


CHANGES FROM AN EXISTING MODEL

• Overlays simplify network topology

•  SP network needs to know less about customer topology

•  Increases flexibility of delivery – L2 services over L3, On Net, Off Net, Internet, etc

-  Use mul\ple underlays and move traffic between them •  Provisioning simplified

-  Reuse of ac\va\on processes from broadband networks

VRF VRF

Many provisioning touch points

BGP Routing Policy

RIB scale Failover Redundancy LAN ports

WAN ports Aggregation network

GRT GRT

Dynamic Provisioning

One-‐\me Provisioning

GRT GRT


Auckland Wellington

Primary Link

2Mbps

Secondary Link

20Mb/s Burst

Centralized policy push to route traffic over specific links depending on type

Provider A

(IP-‐VPN)

INTERNET

SD-‐WAN

Cri\cal Branch App

Call Centre Voice

HD Video Conference

Centralized Management

and Network Policy Engine

INTELLIGENT TRAFFIC STEERING


OVERLAYS ENABLE SERVICE CHAINING

•  Centralized policy enforcement

-  Firewall -  Between zones/subnets/branch types -  Extranet applica\ons -  To Internet through central func\ons -  Content filtering -  Selec\ve content filtering (schools – teacher/student; public WiFi in retail environments bypasses)

•  Network analy\cs and monitoring

-  Tap and mirror -  IDS/IDP -  DPI and DLP

LAN WAN

CPE DC

LAN CPE

LAN WAN

CPE DC

LAN CPE


INTERWORKING

•  How do I connect the new to the exis/ng? •  EVPN with VXLAN termina\on direct into exis\ng MPLS PE routers

-  End-‐to-‐end network is BGP and VXLAN aware allowing for PE routers to act as VXLAN/MPLS interworking func\on -  Streamlined and simplified rou\ng •  Use CPE as gateway -  Break VXLAN services out to Ethernet VLANs at PE router -  Best for high performance security encapsula\ons

GRT VRF Internet IP/MPLS

VRF

VRF Internet

IP/MPLS VRF

Traditional VPN environment Overlay VPN Environment IWF

Traditional VPN environment Overlay VPN Environment


COMPARISON

Tradi5onal L2/L3VPN model •  Overlay driven (MPLS) •  Services limited to network reach •  Distributed topology and control •  High performance •  Limited ability to introduce new func\ons (service chaining) •  Tradi\onal rou\ng protocols for traffic management and distribu\on •  Ver\cally integrated CPE model (but evolving)

SD-‐WAN model •  Overlay driven (VXLAN, GRE, IPsec, …) •  Decoupled service/transport model •  Services available where IP transport is available •  Centralized control with distributed topology •  Na\ve capability for service chaining •  Protocols designed for flow based traffic management allowing for mul\ple ac\ve links/underlays to transport service •  Deployable on X86/virtualiza\on


AGENDA



3.  How does it work? 4.   Why do service providers care?

5.  Summary


WHY DO SERVICE PROVIDERS CARE?

•  Network problems that Enterprises have are the problems that Service Providers have

•  Automa5on brings proven advantages to service providers

-  Fewer touch points = fewer errors -  Faster service ac\va\on = happier customers and financial controllers •  Separa5on of service and transport -  Proven model, with new encapsula\ons = more network flexibility -  Take services deeper, over other network transports -  Reduce service awareness in the network = can be cheaper • Management and control brings network efficiency

-  Fewer touch-‐points, simplified OSS/BSS -  Bewer self-‐control of the network, more efficiency in links and equipment •  Ignoring it and being a bit-‐carrier is perfectly viable as well!


AGENDA




5.   Summary


SUMMARY WHAT’S GOING ON, AND WHAT DO I DO NEXT?

•  SDN as a technology has proven deployment use-‐cases that make sense

-  Not just experiments or ‘doing the same thing but differently’ • Overlays are not new -  ATM, MPLS, IPv6 transi\on technologies have all been using overlay func\ons for years •  Service layer overlay is a natural evolu\on of the network -  Segment Rou\ng for TE -  Overlay for service •  Real service provider use-‐cases exist for leveraging the same technology as deployed in datacenters

•  Speed, flexibility, op\miza\on of network service delivery points


TECHNOLOGY RECAP: VXLAN THE DATAPLANE

•  VXLAN encapsulates Ethernet in IP -  Runs over IPv4 or IPv6 -  UDP-‐based, source port is a hash of MAC or IPs to provide load balancing entropy -  8 byte VXLAN header provides 24 bit VXLAN Network Iden\fier (VNI) and flags -  Total encapsula\on overhead is ~50 bytes

•  VXLAN is routable with IP, so the underlay network may be any network that uses exis\ng resiliency and load balancing mechanisms

-  ECMP -  IGPs/BGP -  IP FRR

•  VXLAN tunnel endpoints can be on network equipment or compu\ng infrastructure

-  Deliver tunneled packets straight to a hypervisor vSwitch -  Or to a tenant VM

•  VXLAN is hardware accelerated on many plamorms today

•  Can be further encapsulated in other protocols such as IPsec

IP Network (IP FRR, ECMP, IGP)

IP Network

IP Network

Other dataplanes such as GRE, NVGRE, etc may be considered


Data

Plane

Control

Plane

EVPN MP-‐BGP

RFC7432

TECHNOLOGY RECAP: EVPN

§ EVPN over MPLS for VLL, VPLS and E-‐Tree services

§ All-‐ac\ve mul\homing for VPWS § RSVP-‐TE or LDP MPLS protocols

§ EVPN with PBB PE func\onality for scaling very large networks over MPLS

§ All-‐ac\ve mul\homing for PBB-‐VPLS

§ EVPN over NVO tunnels (VXLAN, NVGRE, MPLSoGRE) for data center fabric encapsula\ons

§ Provides Layer 2 and Layer 3 DCI

Mul5protocol Label Switching

(MPLS) RFC7432

Provider Backbone Bridges

(PBB) dra\-‐ie]-‐l2vpn-‐pbb-‐evpn

Network Virtualiza5on Overlay

(NVO)

dra\-‐ie]-‐bess-‐evpn-‐overlay


TECHNOLOGY RECAP: EVPN

•  Brings proven and inherent BGP control plane scalability to MAC routes

-  Consistent signaled FDB in any size network instead of flooding -  Even more scalability and hierarchy with route reflectors •  BGP adver\ses MACs and IPs for next hop resolu\on with EVPN NLRI

-  AFI = 25 (L2VPN) and SAFI = 70 (EVPN) -  Fully supports IPv4 and IPv6 in the control and data plane •  Offers greater control over MAC learning

-  What is signaled, from where and to whom -  Ability to apply MAC learning policies • Maintains virtualiza\on and isola\on of EVPN instances

•  Enables traffic load balancing for mul\homed CEs with ECMP MAC routes

Route Dis5nguisher (8 octets)

Ethernet Segment Iden5fier (10 octets)

Ethernet Tag ID (4 octets)

MAC Address Length (1 octet)

MAC Address (6 octets)

IP Address Length (1 octet)

IP Address (0 or 4 or 16 octets)

MPLS Label1 (3 octets)

MPLS Label2 (0 or 3 octets)

MAC Adver\sement Route (Light Blue Fields are Op\onal)

Documents

OPEN template Alcatel, Lucent, Alcatel-Lucent, Nokia ... · PDF fileAlcatel, Lucent, Alcatel-Lucent, Nokia, Nuage Networks and the Nokia, Nuage Networks, and Alcatel- ... - Fewer"touch=points,"simpliﬁed"OSS/BSS"