NEUTRON ADVANCED SERVICESERIC LOPEZERIC.LOPEZ @ AKANDA.IO@ERICDLOPEZ

About Me

Sr. Solution Architect at Akanda Inc

Former Solution Architect @ VMware & Nicira

Openstack Security Guide Co-Author

Where are we headed today?

Neutron BasicsAdvance Services: LBaaS, VPNaaS, FWaaSAkanda an Advanced Service PluginNeutron: Liberty and Beyond

NEUTRON BASICS

OSI Model

Physical Layer

Data Link Layer

Network Layer

Transport Layer

Session Layer

Presentation Layer

Application Layer

1

2

3

4

5

6

7

TCP, UDP

IPv4,IPv6, ICMP

HTTP, DNS, etc

ARP, Ethernet, VLAN

OpenStack

What does the user see?

Compute API

Network API

Storage APIGUI, CLI, API Libs

KVM

ML2 Plugin

Ceph

Abstractions

Net110.0.0.0/24

Nova

Neutron

L2 virtual network

virtual port

virtual server

virtual interface (VIF)

virtual subnet

VM110.0.0.2

VM210.0.0.2

Using the API…VM1

10.0.0.2VM2

10.0.0.2/172.16.77.2

VM3172.16.77.1

Tenant A Net1

192.168.0.0/24

Tenant A Net2

172.16.77.0/24

Public Net10.0.0.0/8

VM110.0.0.2

VM210.0.0.2/172.1

6.77.2VM3

172.16.77.1

Tenant B Net1

192.168.0.0/24

Tenant B Net2

172.16.77.0/24

Router Router

Design Goals

Unified APISmall CorePluggable Open ArchitectureExtensible

UNDER THE HOOD

OpenStack

Reference Neutron

neutron-server

L2 AgentL2 AgentL2 AgentL2 AgentL2 AgentL2 Agent

L3 AgentL3 Agent

L3 AgentL3 Agent

Database

L3 Agent

DHCP Agent

L2 Agent

Message

Queue

Adv Services

neutron-server

neutron-server

REST API SERVICE RPC SERVICE

PLUGIN

Provides REST API ServiceManages Logical ModelsPluggableExtensible

Plugin ExtensionsAdd logical resources to the REST APIDiscovered by server at startup

REST: /v2.0/extensionsCommon Extensions

Binding, DHCP, L3, Provider, Quota, Security GroupOther Extensions

Allowed Addresses, Extra Routes, Metering

BUILDING NETWORKS

Building Networks…

L2 vs L3

Tenant Isolation

GRE/VXLAN/GENEVE

VLAN

© Malcolm Leman | Dreamstime.com

Traditional L2802.1Q

Aggregation tier must be HA

MLAG is vendor proprietary

Aggregate/Core Scalability

limited number available

MAC/ARP table limits

East/West Bottleneck

L3 Maximizes Connectivity

HVHVHVHVHV

HVHVHVHVHV

HVHVHVHVHV

HVHVHVHVHV

Isolation via VXLANVXLAN

L2 encapsulated L3IP Fabrics Scale

Reduces L2 sizeECMP (Equal Cost Multi-Path)

Each link activePredictable latencyBetter failure handling

What is BUM Traffic?

BROADCAST

UNKNOWN UNICAST

MULTICAST

Tunneling BUM Traffic

A

D

CB

Tunneling BUM with L2 Population

A

D

CB

WHEN IS FLAT A GOOD IDEA?

LOAD BALANCING AS A SERVICE

Load Balancer as a Service

Tenant Provisioned Load Balancer InstancesNew API (v2) Released in Kilo

Updated Logical ModelTLS Support (requires Barbican)

Octavia Projecthttp://octavia.io

LBaaS HistoryFolsom Grizzly Havana Icehouse Juno KiloWorking Group

Experimental APIAPI v2 Stability

Improvements v2

Working Group

API v2

LBaaS Data Model

Logical Model renders on service providerLeast Common Denominator

Extra feature require extensions

Load Balancer

Pool

Pool

Listener

Load Balancer Model

VIP PortProvider

Load Balancer

Listener Model

ProtocolHTTP, HTTPS, TCP

PortDefault PoolTLS Information

Load Balancer Listener

Pool Model

Session PersistenceAlgorithmMember SetHealth monitor Set

Load Balancer Listener

Pool

Pool

Member Model

AddressPortWeightSubnet

Load Balancer Listener

Pool

Pool

Health Monitor ModelTypeTimeoutDelayFor HTTP

MethodResponse Code

Load Balancer Listener

Pool

Pool

Barbican

Provides secure storage, provisioning and management of secret dataPluggable crypto components

KMIPHSM

Load Balancer as a Service

NEUTRON ADVANCED SERVICES

Firewall as a Service

Tenant Provisioned Edge FirewallLogically at the edge

In reality maybe anywhere in data path API still deprecatedWill be replaced in Mitaka

Security Groups

Logically Protect VIF

Allow East/West Filtering

Based on Whitelist

VMs with multiple groups per VIF

Ingress/Egress Rules

Different from AWS

LOOKING AHEAD

OpenStack’s Big Tent

Open Design

Open Development

Open Community

Open Source

The Neutron Stadium

Common Forum

Improved Consistency

Shared Governance

Neutron: LibertyQoS Plugin Model - Extension and API

LBaaS v2

IPv6 Prefix Delegation

IPAM pluggable model framework

Network RBAC

Paying Down Technical Debt Canadian2006 - Liberty, Saskatchewan (CC-by-sa-3.0)

commons.wikimedia.org/w/index.php?title=User:Canadian2006&action=edit&redlink=1

Service Function Chaining

Forwarding Graph of Functionsie Firewall > Router > Load Balancer

Some SDNs support SFC todayClassification rules used to steer traffic

LB FWSource DestClassifie

r QoSCache

INTRODUCING ASTARA

Astara Core Developer TeamMark McClain (IRC: markmcclain)

Co-Founder/CTO at Akanda IncOpenStack Technical Committee MemberFormer OpenStack Networking PTL

Ryan Petrello (IRC: ryanpetrello)Senior Developer at DreamhostOpenstack Contributor since 2012

Adam Gandelman (IRC: adam_g)Openstack Astara PTLSenior Developer at Akanda IncOpenstack Stable Branch Maintenance Team MemberFormer Openstack Developer at Canonical and HP

David Lenwell (IRC: davidlenwell)Senior Developer at Akanda IncOpenstack refstack Technical Project LeadFormer Openstack Developer at Piston, HP, and Bluebook

Core Astara Principles

SimpleCompatibleOpen Development (Apache v2)

Reference Neutron

neutron-server

L2 AgentL2 AgentL2 AgentL2 AgentL2 AgentL2 Agent

L3 AgentL3 Agent

L3 AgentL3 Agent

Database

L3 Agent

DHCP Agent

L2 Agent

Message

Queue

Adv Services

neutron-server

Neutron+Astara

neutron-server

L2 AgentL2 AgentL2 AgentL2 AgentL2 AgentL2 Agent

Database

Astara L2 Agent

Message

Queue

neutron-server

THE RUG

“REALLY TIED THE ROOM TOGETHER”

The Rug

Control Plane OrchestrationLogically CentralizedPluggable DriversMulti-Process/Multi-ThreadedUtilizes standard APIs/interfaces for Neutron, Nova, Glance and Ceilometer

Astara Architecture

AstaraManagement

/Orchestratio

nPhysical Network (L2)

Nova

Neutron

Open:OVS/LinuxBridge Proprietary

Astara L2 Agnostic Overlay Support

Astara Adv Services: Routing/LB/FW

OpenStack APIs

Neutron Reference

HVHVHVHVHV

HVHVHVHVHV

HVHVHVHVHV

Network NodeNetwork Node

Astara

HVHVHVHVHV

HVHVHVHVHV

HVHVHVHVHV

HVHVHVHVHV

or with containers

HVHVHVHVHV

CCCCC

CCCCC

HVHVHVHVHV

Astara Project

Get the source: https://github.com/openstack/astaraProject status and tarballs: https://launchpad.net/astaraDocumentation: http://docs.akanda.ioIRC - #openstack-astara on freenode.net

THANK YOU

Astara Liberty Feature Release

HA orchestration daemonService Appliance Pool ResourcingLBaaS v2 support -

QUESTIONS?