Agile OpenStack Networking with Cisco Solutions
Rohit Agarwalla, Technical Leader
BRKDCT-2445
[email protected], @rohitagarwalla
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-2445
Agenda
• Introduction to OpenStack
• Cisco and OpenStack
• OpenStack Networking – Neutron
• Neutron Network Architectures
• Cisco Integrations into Neutron
• Demo
• Advanced Neutron considerations
• Summary/Q&A
Introduction to OpenStack

OpenStack Overview
• Open source Cloud Computing Platform for Private and Public Clouds
• Design tenets – scale & elasticity, share nothing & distribute everything
OpenStack Projects
• Compute (Nova)
• Network (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Bare Metal (Ironic)
• Containers (Magnum)
• File System (Manila)
• Dashboard (Horizon)
• Image (Glance)
• Identity (Keystone)
• Telemetry (Ceilometer)
• DNS (Designate)
• Key Management (Barbican)
• Messaging (Zaqar)
• Database (Trove)
• Orchestration (Heat)
• Data Processing (Sahara)
• Deployment (TripleO)
• Application Catalog (Murano)
• Policy (Congress)
• ….
OpenStack Progress
Release timeline:
• Austin – Oct 2010
• Bexar – Feb 2011
• Cactus – April 2011
• Diablo – Sept 2011
• Essex – April 2012
• Folsom – Sept 2012
• Grizzly – April 2013
• Havana – Oct 2013
• Icehouse – April 2014
• Juno – Oct 2014
• Kilo – May 2015 (11th OpenStack release)
• Liberty – Oct 2015
[Figure: growth timeline 2010–2014. Started with Compute and Storage service (130 contributors, 30 new features); grew to Infrastructure, Orchestration, Data services and more (1400 contributors, 342 new features, 3,219 bugs fixed, 133 companies); 11th OpenStack release: 1492 contributors, 394 new features, 7,257 bugs fixed, 169 companies; community of 24,000 people and 495 companies.]
Cisco and OpenStack

Partners/Customers
• Cisco Validated Designs, UCSO
• Work closely and jointly with customers to design and build OpenStack environments
Cloud Services
• OpenStack based Global Intercloud hosted across Cisco and partner data centers
• Cisco OpenStack Private Cloud (formerly MetaCloud)
Engineering
• Neutron/Cinder/Ironic plugins/drivers for Cisco infrastructure – Nexus, APIC, CSR1K, ASR1K, UCS
• Cisco applications on OpenStack
Community Participation
• Code contributions across several services – Network, Compute, Dashboard, Storage, Containers
• Incubating new OpenStack related projects – GBP, PlaceWise, AVOS, VMTP
OpenStack Kilo release contributions led by Cisco
Barbican
• Transport Layer Security
• Validate certificate order
• API request for PKCS10
Neutron
• Multiple IPv6 prefixes
• IPv6 router support
• VLAN trunking
• MTU selection and advertisement support
• UCSM driver
• CSR1Kv VPN driver
Gnocchi
• Archive policy per metric level
Heat
• New resources for Neutron PCI Passthrough and Nova Flavor
• Heat template improvements
Devstack
• Neutron IPv6 and L3 plugin support
Metering
• Kafka publisher
• Alarm severity
• Network services notification plugin
Horizon
• PCI Passthrough port configuration
• Ceph panel
Kolla
• Containers - Ceilometer, Mongo, Neutron
• Container sets - database-control, messaging-control, service-control, compute-control, compute-operation-nova
Magnum
• Kubernetes plugin
• Python API for k8s CLI
OpenStack Networking - Neutron

OpenStack Network Architecture
[Figure: Controller Node(s) running Database, Message Queue Server, API Services, Scheduler, etc.; Compute Node(s) running Compute and Network agents; Network Node(s) running Network Service Agents; a Router towards the Internet. The nodes attach to the Management, API, Data and External networks.]
Network | Purpose | IP Address
Management Network | Used for internal communication between OpenStack components | Reachable only within the data center
External Network | Used to provide VMs with Internet access | Reachable by anyone from the Internet
API Network | Exposes all OpenStack APIs, including the OpenStack Networking API, to tenants | Reachable by tenants
Data Network | Used for VM data communication within the cloud deployment | Reachable within the tenant address space
Neutron Overview
[Figure: Logical model – Tenant A with a router joining Subnet Red (VM 1, VM 2) and Subnet Blue (VM 1). Physical implementation – the VMs run on Compute Nodes attached through vswitches to the Data Network; the tenant router is a namespace on the Network Node(s) with a path to the External Network and the Internet; Controller Node(s) sit on the Management and API networks.]
OpenStack Neutron Architecture
• Core + Extension REST APIs
• Message Queue for communicating with Neutron Agents
• Core and Service Plugins
• Different vendor core plugins
• Different network technology support
• ML2 plugin with Type and Mechanism Drivers
• Service plugins with backend drivers
Neutron Server components:
• REST API – Core API: Network, Port, Subnet. Resource and Attribute Extension API: ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, ….
• Neutron Core plugins – ML2 with Type Drivers (VLAN, GRE, VXLAN) and Mechanism Drivers (Cisco Nexus, OVS, OpenDaylight, APIC, more vendor drivers); other vendor plugins.
• Neutron Service plugins – Load Balancer (HAProxy), Firewall (IPTables), VPN (StrongSwan), L3 Services (Namespace).
• Message Queue to the agents – DHCP Agent (dnsmasq), L3 Agent (IPTables on Network Node), L2 Agent (vSwitch).
Neutron Architectures

Layer 2 network tenant topologies
[Figure: three tenant L2 designs, each with VM1–VM4 on two Compute Nodes with vswitches, a Data Network and a Fabric Leaf / Top of Rack switch: (1) Host and Network based VLAN, (2) Host based overlays, (3) Network based overlays. Legend: VLAN, Overlay.]
Layer 2 network tenant topologies – Design Considerations
• Number of tenant network segments
• VLAN based tenant networks
  • Host
  • Host and Network
• VXLAN based tenant networks
  • Host
  • VXLAN offload - Network
  • Multicast v/s Controller
Layer 3 tenant network topologies
[Figure: three tenant L3 designs over Compute Nodes with vswitches, a Data Network and the Fabric / Top of Rack: (1) Linux Host – router namespace on the Network Node(s); (2) Service VMs; (3) Fabric or Service Node.]
Layer 3 network tenant topologies – Design Considerations
• Number of tenant routers
• External connectivity for tenant networks
• Floating IPs
• L3 traffic pattern – E-W and N-S routing
Cisco integrations into Neutron

Neutron Layer 2 Default Implementation
[Figure: Network REST API requests reach the Neutron Server; its Core plugin (ML2) loads the Open vSwitch / Linux Bridge mechanism drivers; RPC messages go to the agents on the Network and Compute Nodes, which program the vswitch the VMs attach to.]
• Implements Neutron core resources
• Open vSwitch and Linux Bridge mechanism drivers
• Agents on Network and Compute Nodes
• Host based VLAN or overlay (VXLAN, GRE) type drivers
Neutron Reference – East-West L2 (Switched) Traffic
[Figure: Nova Hosts with VM1–VM6 on vswitches over the Data Network; Controller Host(s) and Neutron Host(s) with the router and DHCP ports on the API, Management and External networks. Packet path animation for a packet traveling from VM1 to VM3.]
Neutron Cisco Nexus Driver
[Figure: a create/update port request from Nova reaches the Neutron Server; the Core plugin (ML2) Cisco Nexus Driver uses ncclient over NETCONF to configure the Nexus ToR that the Compute Nodes' VMs connect through.]
Features
• Works with multiple Nexus platforms
• VLAN configuration
• VXLAN configuration
  • Nexus_VXLAN type driver
  • Multicast
  • VLAN to VNI association
Benefits
• No need to trunk all tenant VLANs on the compute node interfaces on the ToR
• Dynamic provisioning/deprovisioning on the ToR
• Network based overlays
Sample Nexus Mechanism Driver configuration for VXLAN

    [ml2_type_vlan]
    network_vlan_ranges = physnet1:10:500

    [ml2_type_nexus_vxlan]
    vni_ranges=50000:55000
    mcast_ranges=225.1.1.1:225.1.1.2

    [ml2_mech_cisco_nexus:192.168.1.1]
    ComputeHostA=1/10
    username=admin
    password=secretPassword
    ssh_port=22
    physnet=physnet1
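As an added example (not from the slide deck or from the networking-cisco project), the following Python script parses a fragment in the shape of the sample above and runs the sanity checks a deployer would want before restarting neutron-server: VLAN and VNI ranges within bounds, an ascending IPv4 multicast range, a switch section keyed by a valid IP address, the physnet declared in network_vlan_ranges, host-to-port mappings in slot/port form, and a switch password kept in clear text, which the sample carries. The embedded configuration, the switch address, host name and credentials are placeholders constructed for the example, and the check logic is the example's own, not the driver's.

```python
import configparser
import ipaddress
import re
from typing import List

# Constructed sample modelled on the slide's fragment; the switch address,
# host name, interface and credentials are placeholders, not a deployment.
SAMPLE_ML2_CONF = """
[ml2_type_vlan]
network_vlan_ranges = physnet1:10:500

[ml2_type_nexus_vxlan]
vni_ranges = 50000:55000
mcast_ranges = 225.1.1.1:225.1.1.2

[ml2_mech_cisco_nexus:192.168.1.1]
ComputeHostA = 1/10
username = admin
password = secretPassword
ssh_port = 22
physnet = physnet1
"""

NEXUS_PREFIX = "ml2_mech_cisco_nexus:"
# Keys in a switch section that are settings rather than host-to-port mappings
NEXUS_SETTINGS = {"username", "password", "ssh_port", "physnet"}


def parse_ml2_conf(text: str) -> configparser.ConfigParser:
    """Parse an ml2_conf.ini fragment, keeping option-name case and splitting
    only on '=' so values such as 'physnet1:10:500' survive intact."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep 'ComputeHostA' exactly as written
    cp.read_string(text)
    return cp


def _check_int_range(spec: str, low: int, high: int, label: str, findings: List[str]) -> None:
    """Append a finding unless spec is 'lo:hi' with low <= lo <= hi <= high."""
    try:
        lo, hi = (int(x) for x in spec.split(":"))
    except ValueError:
        findings.append(f"{label}: malformed range '{spec}'")
        return
    if not (low <= lo <= hi <= high):
        findings.append(f"{label}: {lo}:{hi} is reversed or outside {low}..{high}")


def validate_ml2_conf(cp: configparser.ConfigParser) -> List[str]:
    """Return a list of findings; an empty list means the fragment looks sane."""
    findings: List[str] = []
    physnets = set()

    if cp.has_section("ml2_type_vlan"):
        for entry in cp.get("ml2_type_vlan", "network_vlan_ranges").split(","):
            parts = entry.strip().split(":")
            physnets.add(parts[0])
            if len(parts) == 3:  # physnet:lo:hi; a bare physnet carries no range
                _check_int_range(f"{parts[1]}:{parts[2]}", 1, 4094, "VLAN range", findings)

    if cp.has_section("ml2_type_nexus_vxlan"):
        _check_int_range(cp.get("ml2_type_nexus_vxlan", "vni_ranges"),
                         1, 2 ** 24 - 1, "VNI range", findings)
        mcast = cp.get("ml2_type_nexus_vxlan", "mcast_ranges")
        try:
            lo, hi = (ipaddress.IPv4Address(x) for x in mcast.split(":"))
            if not (lo.is_multicast and hi.is_multicast and lo <= hi):
                findings.append(f"mcast_ranges: {mcast} is not an ascending IPv4 multicast range")
        except ValueError:
            findings.append(f"mcast_ranges: malformed '{mcast}'")

    for section in cp.sections():
        if not section.startswith(NEXUS_PREFIX):
            continue
        switch = section[len(NEXUS_PREFIX):]
        try:
            ipaddress.ip_address(switch)
        except ValueError:
            findings.append(f"{section}: switch address '{switch}' is not an IP address")
        if cp.get(section, "password", fallback=""):
            findings.append(f"{section}: switch password stored in clear text; "
                            "restrict the file to the neutron service user")
        physnet = cp.get(section, "physnet", fallback=None)
        if physnet and physnet not in physnets:
            findings.append(f"{section}: physnet '{physnet}' not declared in network_vlan_ranges")
        for host, port in cp.items(section):
            if host in NEXUS_SETTINGS:
                continue
            # Assumption: host mappings use the slot/port form shown on the slide
            if not re.fullmatch(r"\d+/\d+(,\d+/\d+)*", port):
                findings.append(f"{section}: '{host}={port}' is not a slot/port interface list")
    return findings


if __name__ == "__main__":
    for line in validate_ml2_conf(parse_ml2_conf(SAMPLE_ML2_CONF)):
        print(line)
```

Run against the sample, the only finding is the clear-text password; reversing the VNI range or mistyping the multicast boundaries produces an additional finding per defect.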
Demo Topology – Neutron ML2 Nexus Driver
[Figure: Logical model – Tenant A with Private1 Subnet (VM 1, VM 2) and Private2 Subnet (VM 3, VM 4). Physical implementation – Compute Nodes and the Controller + Network Node (ra-node11, ra-node13, ra-node14, the latter hosting the DHCP namespaces) attach through vswitches to a Nexus 9K on ports 1/6, 1/3 and 1/4 for the Data Network, plus the Management Network.]
Neutron Cisco Nexus1000v Driver (KVM)
[Figure: Nova and the Neutron Server (Core plugin ML2 with the Cisco N1Kv Driver) talk to the N1Kv VSM over its REST API; the VSM programs the N1Kv VEM on the Compute Nodes that the VMs attach to. Network Profile maps to a Network Segment Pool, Policy Profile to a Port Profile.]
Features:
• Associate network profiles to Neutron networks
• Associate policy profiles to Neutron ports
• Supports VLAN and VXLAN (unicast and multicast) network segmentation
• Horizon integration
Benefits
• Logical grouping of network segments
• Security, monitoring, Quality of Service (QoS)
• Enhanced visibility and manageability of virtual machine traffic
Neutron API extensions for N1Kv
Network Profile (admin):
    neutron cisco-network-profile-create PROFILE_NAME vlan --segment_range 400-499
    neutron net-create NETWORK_NAME --n1kv:profile PROFILE_ID
Policy Profile (defined in the VSM, discovered by periodic polling):
    neutron cisco-policy-profile-list
    neutron port-create NETWORK_NAME --n1kv:profile PROFILE_NAME
Neutron Cisco UCSM Driver (KVM)
[Figure: a create/update port request from Nova reaches the Neutron Server; the Core plugin (ML2) Cisco UCSM driver uses the UCSM SDK to configure the UCS Fabric Interconnect that the Compute Nodes' VMs connect through.]
Features:
• Nova and Neutron enhancements to support SR-IOV
• Supports VLAN configuration of SR-IOV ports (using port profiles) and vNIC ports (using service profiles)
• Enables configuration of VLAN profiles and automatic association with network ports
Benefits
• SR-IOV and non-SR-IOV based UCS Fabric Interconnect configurations
Neutron DHCP Implementation
[Figure: Network REST API requests reach the Neutron DHCP service in the Neutron Server; RPC messages go to the DHCP agent on the Network Node, which runs dnsmasq for the Compute Node VMs.]
• Namespace and dnsmasq for every network
• dnsmasq reloads with every port add/delete
Neutron Reference – DHCP Traffic
[Figure: Nova Hosts with VM1–VM6 on vswitches over the Data Network; Controller Host(s) and Neutron Host(s) with the router and DHCP ports on the API, Management and External networks. DHCP request/response animation for a packet traveling from VM1 to the DHCP port.]
Neutron DHCP Implementation with Cisco Prime Network Registrar (CPNR)
[Figure: Network REST API requests reach the Neutron DHCP service; RPC messages go to the DHCP agent on the Network Node, which runs a DHCP relay; the relay forwards DHCP traffic to CPNR, and the Neutron Server configures CPNR over its REST API.]
• DHCP configuration includes the CPNR API endpoint configuration
• Mapping
  • Network to Virtual Private Network (VPN)
  • Subnet to Scope
• Requests and responses handled using UDP ports
• Benefits
  • Relay is stateless and can be run Active-Active
  • Highly available CPNR server for all tenants
Neutron Routing Implementation
[Figure: Routing REST API requests reach the Neutron Service plugin (L3); the agent scheduler picks an L3 agent on a Network Node; that agent sets up the default gateway, namespace and IPTables; L3 traffic from the Compute Node VMs goes through the Network Node.]
• Namespace maps to a Neutron logical router; IPTables handle address translations
• Agent scheduler picks an L3 agent on a Network Node
• L3 traffic goes through the Network Node
• Neutron router HA capabilities using VRRP
Neutron Reference – East-West L3 (Routed) Traffic
[Figure: Nova Hosts with VM1–VM6 on vswitches over the Data Network; Controller Host(s) and Neutron Host(s) with the virtual router on the API, Management and External networks. Packet path animation for a packet traveling from VM1 to VM4 through the virtual router (routing).]
Neutron Reference – North-South L3 Traffic (NAT)
[Figure: same reference topology. Packet path animation for a packet traveling from VM1 to the Internet through the virtual router (NAT).]
Issues in Neutron Reference L3 and ASR1K Solutions
• NAT for external connectivity:
  • Issue - Scale limitation in Linux iptables software NAT.
  • Solution - ASR1K can scale up to 4 million dynamic NAT entries and 16K static NAT entries.
• Tenant routing:
  • Issue - Scale limitations in Linux namespace based software tenant networking.
  • Solution - ASR1K uses Virtual Routing and Forwarding (VRF) instances for tenant routers. ASR1K can scale up to 4k VRFs (8k in an upcoming release).
• Tenant networks:
  • Issue - Scale limitations in Linux software based interfaces.
  • Solution - The ASR1K plugin maps tenant networks to sub-interfaces on the ASR1K. ASR1K supports up to 64k sub-interfaces.
• Data throughput:
  • Issue - Performance limitations with software packet forwarding and NAT on generic compute hardware.
  • Solution - ASR1K can perform packet forwarding and NAT at rates up to 230 Gbps.
Neutron Cisco ASR1000 for Neutron L3 Service
• Mapping of Neutron reference L3 implementation
  • Linux namespaces – ASR1K VRF
  • Internal router ports – ASR1K VLAN or Port Channel sub-interfaces
  • External gateway ports – ASR1K VLAN or Port Channel sub-interfaces
  • Linux IPTables – ASR1K NAT
[Figure: Neutron Server with the Service plugin (L3) and the Routing Device Driver (ASR1K); the Cisco Config Agent configures the ASR1K, alongside the Nexus, over NETCONF.]
• Benefits
  • Routing using physical infrastructure
  • Support for HSRP and Port Channel
OpenStack Neutron + Nexus + ASR : Physical Topology Example
[Figure: Layer-3 Network Core – ASR 1000 Routers – Nexus Layer-2 Fabric carrying tenant VLANs and external traffic – Nova Compute Nodes; the OpenStack Controller runs the Neutron Server with the Cisco Config Agent and reaches the devices over the Management Network (NETCONF provisioning).]
ML2 Nexus and ASR1K - East-West L3 (Routed) Traffic
[Figure: Nova Hosts with VM1–VM6 on vswitches, Nexus TORs programmed by the ML2 Nexus Driver, an L3-routed Data Network, and an ASR1K programmed by the L3 plugin that holds a VRF with default gateway and NAT (to global routing); Controller Node(s) and Neutron Host(s) on the API, Management and External networks. Packet animation included: VM1 to VM4 via the virtual router.]
ML2 Nexus and ASR1K - North-South L3 Traffic (NAT)
[Figure: same Nexus + ASR1K topology. Packet animation included: VM1 to the Internet via the virtual router on the ASR1K (VRF with default gateway and NAT to global routing).]
Neutron Cisco CSR1000v for Neutron L3 Service
• Mapping of Neutron reference L3 implementation
  • Linux namespaces – CSR1Kv VRF
  • Router ports (qr) on bridge – CSR1Kv VLAN sub-interfaces
  • Gateway ports (qg) on bridge – CSR1Kv VLAN sub-interfaces
  • Linux IPTables – CSR1Kv NAT
• Benefits
  • Virtual form factor
  • Integrates with N1Kv and OVS
  • Device that can offer more services
[Figure: Neutron Server with the Service plugin (L3), the Cisco CSR1Kv Device Driver, a Device Manager and a Scheduler; the Cisco Config Agent configures the CSR1Kv VM, launched through Nova on a Compute Node alongside tenant VMs, over REST API/NETCONF.]
Demo Topology – Neutron L2 Nexus Driver and L3 CSR1Kv Driver
[Figure: Logical model – Tenant A with Private Subnet (VM 1, VM 2) and Private1 Subnet (VM 3, VM 4) joined by a router. Physical implementation – Compute Nodes and the Controller + Network Node (ra-node11, ra-node13, ra-node14, with DHCP namespaces) attach through vswitches to a Nexus 9K on ports 1/6, 1/3 and 1/4 for the Data Network plus the Management Network; the tenant router is a CSR1Kv VM.]
Neutron Cisco Application Policy Infrastructure Controller (APIC) Driver
[Figure: Neutron Server with the Core plugin (ML2) Cisco L2 APIC Driver and the Neutron L3 plugin with the Cisco L3 APIC Driver; both talk to APIC over its REST API, and APIC programs the ACI Spine/Leaf Switches that the VMs on the Compute Nodes attach to.]
• Neutron API: Network, Router, Subnet, Security Group
• Mapping: Network to EPG, Router to Contract
• Provides distributed L2/L3 functionality
• L2/L3 enforced in the fabric; security groups enforced on the hypervisor
Group-Based Policy Model
• Policy Group: Set of endpoints with the same properties. Often a tier of an application.
• Policy RuleSet: Set of Classifier / Actions describing how Policy Groups communicate.
• Policy Classifier: Traffic filter including protocol, port and direction.
• Policy Action: Behavior to take as a result of a match. Supported actions include "allow" and "redirect".
• Service Chains: Set of ordered network services between Groups.
• L2 Policy: Specifies the boundaries of a switching domain. Broadcast is an optional parameter.
• L3 Policy: An isolated address space containing L2 Policies / Subnets.
[Figure: two Policy Groups, each holding Policy Targets and each inside an L2 Policy within an L3 Policy; one group provides and the other consumes a Policy Rule Set made of Policy Rules (Classifier + Action), optionally with a Service Chain of nodes between the groups.]
Group Based Policy and Neutron
[Figure: the Group Based Policy (GBP) service with a GBP Driver; the GBP Neutron Driver maps Policy Group and Ruleset onto Neutron Network and Router through the Neutron plugins/drivers, while the APIC GBP Driver pushes Policy Group and Ruleset to APIC over its REST API, and APIC programs the ACI Spine/Leaf Switches that provide distributed L2/L3 functionality to the VMs on the Compute Nodes.]
Create Classifier/Rule
    gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
    gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
Create Policy RuleSet
    gbp ruleset-create web-ruleset --policy-rules web-policy-rule
Create Group
    gbp group-create web
Group Association
    gbp group-update web --provided-rulesets web-ruleset
Launch Web Server VM using Endpoint in EPG
    gbp member-create --group web web-1
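The command sequence above creates the policy objects but says nothing about how the resulting policy is evaluated. The following Python model, an added example that is part of neither the slide deck nor the GBP project, replays the same sequence against in-memory objects and then answers whether a flow between two policy targets is permitted: a flow is allowed when a ruleset that one group provides and the other consumes contains an "allow" rule whose classifier matches the protocol, port and direction, with direction read relative to the providing group. The "client" and "db" groups and their members are constructed additions (the slide shows only the provider side); treating traffic within one group as permitted and evaluating only the initiating direction of a flow are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Classifier:
    name: str
    protocol: Optional[str]                # "tcp", "udp", "icmp" or None for any
    port_range: Optional[Tuple[int, int]]  # inclusive bounds, None for any port
    direction: str                         # "in", "out" or "bi", relative to the provider

    def matches(self, protocol: str, port: int, into_provider: bool) -> bool:
        if self.protocol and self.protocol != protocol:
            return False
        if self.port_range and not (self.port_range[0] <= port <= self.port_range[1]):
            return False
        if self.direction == "in":
            return into_provider
        if self.direction == "out":
            return not into_provider
        return True  # "bi"


@dataclass
class Rule:
    name: str
    classifier: Classifier
    actions: List[str]


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]


@dataclass
class Group:
    name: str
    provided: List[str] = field(default_factory=list)  # ruleset names this group provides
    consumed: List[str] = field(default_factory=list)  # ruleset names this group consumes
    members: List[str] = field(default_factory=list)   # policy targets (endpoints)


class GbpModel:
    """In-memory mirror of the gbp CLI objects used on the slide."""

    def __init__(self) -> None:
        self.classifiers: Dict[str, Classifier] = {}
        self.rules: Dict[str, Rule] = {}
        self.rulesets: Dict[str, RuleSet] = {}
        self.groups: Dict[str, Group] = {}
        self.member_group: Dict[str, str] = {}

    def policy_classifier_create(self, name: str, protocol: Optional[str] = None,
                                 port_range: Optional[str] = None, direction: str = "bi") -> None:
        rng = None
        if port_range:  # "80" or "80:90"
            lo, _, hi = port_range.partition(":")
            rng = (int(lo), int(hi or lo))
        self.classifiers[name] = Classifier(name, protocol, rng, direction)

    def policy_rule_create(self, name: str, classifier: str, actions: List[str]) -> None:
        self.rules[name] = Rule(name, self.classifiers[classifier], list(actions))

    def ruleset_create(self, name: str, policy_rules: List[str]) -> None:
        self.rulesets[name] = RuleSet(name, [self.rules[r] for r in policy_rules])

    def group_create(self, name: str) -> None:
        self.groups[name] = Group(name)

    def group_update(self, name: str, provided_rulesets=(), consumed_rulesets=()) -> None:
        self.groups[name].provided.extend(provided_rulesets)
        self.groups[name].consumed.extend(consumed_rulesets)

    def member_create(self, group: str, name: str) -> None:
        self.groups[group].members.append(name)
        self.member_group[name] = group

    def is_allowed(self, src_member: str, dst_member: str, protocol: str, port: int) -> bool:
        """True if the initiating packet of a src->dst flow is permitted."""
        src = self.groups[self.member_group[src_member]]
        dst = self.groups[self.member_group[dst_member]]
        if src is dst:
            return True  # assumption: endpoints within one group talk freely
        # Either side may be the provider; the flow goes into the provider
        # only when the destination provides the ruleset.
        for provider, consumer, into_provider in ((dst, src, True), (src, dst, False)):
            for rs_name in provider.provided:
                if rs_name not in consumer.consumed:
                    continue
                for rule in self.rulesets[rs_name].rules:
                    if "allow" in rule.actions and rule.classifier.matches(protocol, port, into_provider):
                        return True
        return False


def build_web_demo() -> GbpModel:
    """Replays the slide's gbp commands, then adds a constructed consumer group."""
    m = GbpModel()
    m.policy_classifier_create("web-traffic", protocol="tcp", port_range="80", direction="in")
    m.policy_rule_create("web-policy-rule", classifier="web-traffic", actions=["allow"])
    m.ruleset_create("web-ruleset", policy_rules=["web-policy-rule"])
    m.group_create("web")
    m.group_update("web", provided_rulesets=["web-ruleset"])
    m.member_create("web", "web-1")
    # Constructed additions, not on the slide: a consumer and an unrelated group
    m.group_create("client")
    m.group_update("client", consumed_rulesets=["web-ruleset"])
    m.member_create("client", "client-1")
    m.group_create("db")
    m.member_create("db", "db-1")
    return m
```

With this model, client-1 reaching web-1 on tcp/80 is permitted, the same client on tcp/22 is not, web-1 initiating tcp/80 towards client-1 is not (the classifier is "in" only), and db-1, whose group consumes nothing, cannot reach web-1 at all.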
Summary of OpenStack integration with Cisco Networking Solutions Presented
Purpose | Using Cisco Product | Juno Code Availability | Kilo Code Availability | Status
Network Layer 2 – Virtual Switch | Nexus 1000v | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
Network Layer 2 – SR-IOV, non-SR-IOV | UCS Fabric Interconnect | Cisco OpenStack Neutron Juno Plus Tech Preview | StackForge Networking-Cisco Kilo | Preview
Network Layer 2 – Physical Switch | Nexus | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
DHCP – IPAM | Prime Network Registrar | - | Not upstream yet | Preview
Network Layer 3 – Virtual Router | Cloud Services Router 1000v | OpenStack Neutron Juno | StackForge Networking-Cisco Kilo | Preview
Network Layer 3 – Physical Router | ASR 1000 | - | Not upstream yet | Preview
Network Services – Virtual Firewall and VPN | Cloud Services Router 1000v | Firewall - Cisco OpenStack Juno Tech Preview; VPN - Cisco OpenStack Juno Plus Tech Preview | Firewall – OpenStack Neutron Firewall Kilo; VPN - OpenStack Neutron VPN Kilo | Preview
Network Layer 2, Layer 3, Services – Controller | Application Policy Infrastructure Controller | APIC L2 - OpenStack Neutron Juno; APIC L3 - OpenStack Neutron Juno | APIC L2 – StackForge Networking-Cisco Kilo; APIC L3 – StackForge Networking-Cisco Kilo | Released
Declarative Policy Model – Group Based Policy Framework | Group Based Policy | StackForge Juno | Not upstream yet | Released
Advanced Neutron considerations

Neutron IPv6 for tenant data network
• IPv6 addressing using two attributes
  • ipv6_ra_mode – Determines who sends RA
  • ipv6_address_mode – Determines how instances obtain IPv6 address, default gateway, and/or optional information.
• Support for different IPv6 addressing schemes
  • SLAAC
  • DHCPv6-stateless
  • DHCPv6-stateful
• Dual stack support
• IPv6 routing
Neutron Addressing Schemes
ipv6_ra_mode | ipv6_address_mode | Result
SLAAC | N/S | Address using Neutron router
N/S | SLAAC | Address using external router
SLAAC | SLAAC | Address using Neutron router
RA Address Configuration Flags: Auto 1, Managed 0, Other 0

ipv6_ra_mode | ipv6_address_mode | Result
DHCPv6-stateless | N/S | Address using Neutron router and optional information using external service
N/S | DHCPv6-stateless | Address using external router and optional information using Neutron DHCP implementation
DHCPv6-stateless | DHCPv6-stateless | Address and optional information using Neutron router and DHCP implementation respectively
RA Address Configuration Flags: Auto 1, Managed 0, Other 1

ipv6_ra_mode | ipv6_address_mode | Result
DHCPv6-stateful | N/S | Address and optional information using external service
N/S | DHCPv6-stateful | Address and optional information using Neutron DHCP implementation
DHCPv6-stateful | DHCPv6-stateful | Address and optional information using Neutron DHCP implementation
RA Address Configuration Flags: Auto 0, Managed 1, Other 1
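As an added example (not from the slide deck or from Neutron itself), the following Python function encodes the three tables above: given the two subnet attributes it reports who sends Router Advertisements, where the instance's address and its optional information come from, and the Auto/Managed/Other flag values, and it rejects the combination Neutron itself rejects, both attributes set to different modes. Treating a subnet with neither attribute set as statically addressed is an assumption of the example; "N/S" on the slide is None here.

```python
from typing import Dict, List, Optional

# Router Advertisement flags per addressing scheme, as on the slide:
# (Autonomous address-configuration, Managed, Other-config)
RA_FLAGS = {
    "slaac": (1, 0, 0),
    "dhcpv6-stateless": (1, 0, 1),
    "dhcpv6-stateful": (0, 1, 1),
}

NEUTRON_ROUTER, EXTERNAL_ROUTER = "neutron-router", "external-router"
NEUTRON_DHCP, EXTERNAL_SERVICE = "neutron-dhcp", "external-service"


def is_valid_combination(ipv6_ra_mode: Optional[str], ipv6_address_mode: Optional[str]) -> bool:
    """Neutron accepts the two attributes only if at most one is set or both agree."""
    for mode in (ipv6_ra_mode, ipv6_address_mode):
        if mode is not None and mode not in RA_FLAGS:
            return False
    return not (ipv6_ra_mode and ipv6_address_mode and ipv6_ra_mode != ipv6_address_mode)


def ipv6_subnet_behaviour(ipv6_ra_mode: Optional[str],
                          ipv6_address_mode: Optional[str]) -> Dict[str, object]:
    """Map the two subnet attributes to: who sends RAs, where the address comes
    from, where optional information (DNS etc.) comes from, and the RA flags."""
    if not is_valid_combination(ipv6_ra_mode, ipv6_address_mode):
        raise ValueError(f"invalid modes ra={ipv6_ra_mode} address={ipv6_address_mode}")
    mode = ipv6_ra_mode or ipv6_address_mode
    if mode is None:
        # Assumption: neither attribute set means no RA or DHCPv6 from Neutron
        return {"ra_sender": None, "address_source": "static", "info_source": None, "flags": None}
    auto, managed, other = RA_FLAGS[mode]
    # ipv6_ra_mode set: the Neutron router advertises; otherwise an external router does
    ra_sender = NEUTRON_ROUTER if ipv6_ra_mode else EXTERNAL_ROUTER
    # ipv6_address_mode set: Neutron's DHCP implementation serves; otherwise an external service
    dhcp = NEUTRON_DHCP if ipv6_address_mode else EXTERNAL_SERVICE
    if mode == "slaac":
        address_source, info_source = ra_sender, None
    elif mode == "dhcpv6-stateless":
        address_source, info_source = ra_sender, dhcp
    else:  # dhcpv6-stateful: both address and options come from DHCPv6
        address_source, info_source = dhcp, dhcp
    return {"ra_sender": ra_sender, "address_source": address_source,
            "info_source": info_source, "flags": {"A": auto, "M": managed, "O": other}}


def scheme_table() -> List[Dict[str, object]]:
    """The nine rows of the slide's tables, computed rather than transcribed."""
    rows = []
    for mode in RA_FLAGS:
        for ra, addr in ((mode, None), (None, mode), (mode, mode)):
            row = {"ipv6_ra_mode": ra, "ipv6_address_mode": addr}
            row.update(ipv6_subnet_behaviour(ra, addr))
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in scheme_table():
        print(row)
```

The function reproduces each table row: for example SLAAC with an unset address mode yields the Neutron router as RA sender and address source with flags A=1/M=0/O=0, while DHCPv6-stateful with an unset RA mode yields Neutron's DHCP implementation for both address and options with flags A=0/M=1/O=1.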
Neutron IPv6 routing
[Figure 1: a Tenant VM on a Tenant Network with IPv4 and multiple IPv6 subnets associated; the Tenant Router has an IPv4 internal router port and a separate IPv6 internal router port with multiple IPv6 addresses, plus a dual stack external router port with IPv4 and IPv6 addresses on the External Network, which has IPv4 and IPv6 subnets associated.]
[Figure 2: a Tenant VM on a Tenant Network with an IPv6 subnet carrying a GUA prefix; the Tenant Router connects to an External Network with no IPv6 subnet association required; the External Router's gateway port is configured with an IPv6 LLA, that LLA is advertised to the Neutron tenant router, and the tenant router thereby has next hop information to the external router.]
Network Function Virtualization
[Figure: Admin provisioned service – Tenant A VMs 10.1.0.4 and 10.1.0.5 on Compute Nodes, with the service running in a namespace on the Network Node(s) holding 10.1.0.1 and 10.1.1.1 and reaching VM 10.1.1.4. Tenant provisioned service – the same VMs on Compute Nodes, with a tenant Service VM in the data path to 10.1.1.4.]
Neutron and NFV
• Issue
  • Anti-spoofing rules ensure traffic originates and terminates as expected
  • Doesn't work for NFV VNF use cases
• Solution
  • Added Port Security extension
  • Adds new "Port Security enabled" attribute to Network and Port resources
  • Only the tenant owner can set this attribute on the resources
  • Security Group and Allowed Address Pair are not allowed to be set
• Issue
  • VXLAN for tenant isolation and VLAN for app traffic isolation within the tenant
  • No means to identify VLAN transparent networks
• Solution
  • Added Network resource extension
  • Adds new "Vlan Transparent" attribute to Network resource
  • Only the tenant owner can set this attribute on the resources
  • No firewalling on VLAN tagged packets
Summary
• OpenStack is rapidly becoming the de-facto standard for data center orchestration
• Cisco's broad-based OpenStack strategy spans products, partners and services
• Cisco is a leading contributor to Neutron and other projects in the OpenStack community
• Wide range of Cisco solutions available for integration with OpenStack Networking
• Still lots to do…
• More information can be found at
  • www.cisco.com/go/openstack
  • https://developer.cisco.com/openstack/
Reading Material
• Cisco Nexus Driver for OpenStack Neutron - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/openstack-at-cisco/data_sheet_c78-727737.html
• Cisco Virtual Networking Solution for OpenStack - http://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000v-kvm/datasheet-c78-730833.pdf
• Cisco Application Policy Infrastructure Controller Driver for OpenStack - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/openstack-at-cisco/datasheet-c78-732353.pdf
• Group-Based Policy for OpenStack - http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.pdf
Configuration Guides
• OpenStack/UCS Mechanism Driver for ML2 Plugin - http://docwiki.cisco.com/wiki/OpenStack/UCS_Mechanism_Driver_for_ML2_Plugin_-_Juno_Plus
• OpenStack/ML2NexusMechanismDriver - http://docwiki.cisco.com/wiki/OpenStack/ML2NexusMechanismDriver
• Juno Plus Install and Setup of Cloud Services Router (CSR) for OpenStack VPN - http://docwiki.cisco.com/wiki/Juno_Plus_Install_and_Setup_of_Cloud_Services_Router(CSR)_for_OpenStack_VPN
• Cisco Nexus 1000V for KVM OpenStack REST API Configuration Guide - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/config_guide/os_rest_api/5x/b_Cisco_N1KV_KVM_OpenStack_REST_API_Config_5x.html
• Cisco Nexus 1000V for KVM Installation Guide on RedHat - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/install_guide/521SK321_RH/b_Cisco_N1KV_KVM_Install_Guide_521SK321.html
• Cisco Nexus 1000V for KVM Installation Guide on Ubuntu - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/kvm/install_guide/521SK122/b_Cisco_N1KV-KVM_Install_Guide_521SK122.html
• Installing the Cisco APIC OpenStack Driver on RedHat, Ubuntu - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/api/openstack/b_Cisco_APIC_OpenStack_Driver_Install_Guide.html
• Installing Group Based Policy on RedHat - https://www.rdoproject.org/Neutron_GBP
• Installing Group Based Policy on Ubuntu - https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallUbuntu
• Installing and Running GBP with Cisco APIC - https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallCiscoACI
Partner OpenStack Distributions on Cisco Infrastructure
Collateral | Release Date
Deploying RedHat Enterprise Linux OpenStack Platform 3.0 on Flexpod with Cisco UCS, Cisco Nexus and NetApp Storage | Nov 2013
Suse Cloud Integration with Cisco UCS and Cisco Nexus Platforms | March 2014
Accelerate Cloud Initiatives with Cisco UCS and Ubuntu OpenStack | May 2014
Ubuntu OpenStack Architecture on Cisco UCS Platform | June 2014
RedHat Enterprise Linux OpenStack Platform 4.0 on Cisco UCS and Cisco Nexus | July 2014
Hadoop as a Service (HaaS) with Cisco UCS Common Platform Architecture (CPA v2) for Big Data and OpenStack | August 2014
RedHat OpenStack Architecture on Cisco UCS Platform | Sept 2014
InterCloud Data Center ACI 1.0 Implementation Guide | Feb 2015
Participate in the "My Favorite Speaker" Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
  • Your favorite speaker's Twitter handle @rohitagarwalla
  • Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your "favorite" speakers
• Don't forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you