Border Gateway Protocol (BGP) has existed in its current form (BGP-4, RFC 1771) since 1995, and it can be seen as one of the first technologies to enable software-defined networking (SDN) in network infrastructure. Through control-plane activities, BGP allows the management of services and resources within and between network infrastructures. Recent developments have made BGP an even more service-aware technology, supporting enhanced and innovative off-path traffic manipulation for resource and service mobility, which in turn allows operators to optimize CapEx and OpEx in a service-aware data network. This webcast provides insight into the different areas where SDN-driven networks can benefit from enhanced BGP capabilities and design architectures that promote mobility, virtualization, and resource and service awareness. Register to listen to the WebEx replay at: http://tools.cisco.com/gems/cust/customerSite.do?METHOD=W&LANGUAGE_ID=E&SEMINAR_CODE=S20463&PRIORITY_CODE=194542_20
1 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Knowledge Network TechAdvantage Webinar: BGP - Optimising the Foundational SDN Technology
Gunter Van de Velde, Senior Technical Leader
11 May 2014
Agenda
• Some words about SDN
• BGP-assisted SDN use cases:
  1. WAN orchestration – BGP-LS
  2. Flow steering / security policies – BGP flowspec (BGP-FS)
  3. Peering diagnostics – BMP
  4. SLA policies – BGP SLA
Introduction to SDN
The network paradigm as we know it…
Control and Data Plane resides within Physical Device
What is SDN? (per Wikipedia definition)
“Software defined networking (SDN) is an approach to building computer networks that separates and abstracts elements of these systems.”
In other words…
In the SDN paradigm, not all processing happens inside the same device.
A better definition
SDN definition: centralization of control of the network, via the separation of control logic to off-device compute, which enables automation and orchestration of network services via open programmatic interfaces.
SDN benefits:
• Efficiency: optimize existing applications, services, and infrastructure
• Scale: rapidly grow existing applications and services
• Innovation: create and deliver new types of applications, services and business models
Different customers, different pain points
Diverse programmability requirements across segments; most requirements are for automation and programmability.
• Research/Academia: experimental OpenFlow/SDN components for production networks
• Massively Scalable Data Center: customize with programmatic APIs to provide deep insight into network traffic
• Service Providers: policy-based control and analytics to optimize and monetize service delivery
• Enterprise: virtual workloads, VDI, orchestration of security profiles
• Cloud: automated provisioning and programmable overlay, OpenStack
Common themes: private cloud automation, scalable multi-tenancy, network flow management, network “slicing”, agile service delivery, transport efficiency.
SDN Hybrid Approach
• 20+ years of investment in distributed control planes (capex, skills and expertise) by both vendors and customers
• Distributed control planes are designed to survive battlefield conditions, with the possibility of multiple failures
• Leave the distributed control plane in place for “normal” traffic; use SDN for traffic that needs special handling (routing, bandwidth reservation, etc.)
• In the event of an SDN controller failure you still have a network that works, maybe not as optimally
Hybrid control plane: distributed control combined with central control (through controllers acting as network middleware) for optimized behavior (e.g. optimized performance).
About BGP
Why is BGP successful?
Simple and scalable: structured (route reflector); divide and conquer (confederation); low protocol overhead; simple FSM; simple messages
Extensible: multi-protocol, AFs; incremental NLRI, PA, community; capability negotiation; flexible policy; many services!!
HA and secure: runs over TCP; NSR; PIC, Add-Path; MD5 authentication; RPKI validation
“Driven by Pragmatism”, “Not perfect, but good enough” -- Yakov Rekhter
Control-plane evolution: many services are moving towards BGP

Service/transport        | In 200X          | In 201X                                                | Market
Internet Peering         | BGP IPv4         | BGP IPv4/v6                                            | SP
L3VPN                    | BGP IPv4         | BGP IPv4/v6 + FRR + Scalability                        | SP
MPLS transport           | LDP              | LDP + BGP+Label (Unified MPLS)                         | SP
Multicast VPN            | PIM IPv4         | BGP IPv4/v6 Multicast VPN                              | SP
Multicast MPLS transport | PIM / mLDP       | BGP signaling for segmented LSM (Mc Unified MPLS)      | SP
DDoS mitigation          | PBR, ACL         | BGP flowspec, BGP RTBH, uRPF check                     | SP
Security                 | Filters, ACL     | BGP Sec (RPKI)                                         | SP
Network Monitoring       | SNMP             | BGP Monitoring Protocol, BGP YANG                      | SP
SDN                      | -                | BGP YANG / BGP Link State / BGP SLA / BGP Flow Spec    | SP
L2VPN                    | LDP              | BGP AD/Sign (VPLS)                                     | Business & CE
DCI                      | NG L2VPN/L3VPN   | BGP AD/Sign (EVPN, PBB-EVPN)                           | DC / SP
Massive Scale DC         | OSPF/ISIS        | BGP IPv4/v6 Multipath, BGP EPE, Segment Routing        | DC
SP-DC, Cloud-DC          | -                | BGP Inter-AS, vPE, vCE, L3VPN/EVPN o X                 | DC
Campus L3VPN & mVPN      | BGP IPv4 (IOS)   | BGP IPv4/v6 (NX-OS)                                    | Enterprise
Ent-DC                   | -                | BGP + FabricPath (LFA), BGP + VXLAN (future)           | Enterprise
Massive scale DMVPN      | NHRP / EIGRP     | BGP + Path Diversity                                   | Enterprise
FlexVPN                  | -                | BGP                                                    | Enterprise
Managed CPE              | BGP IPv4         | BGP IPv4 & IPv6                                        | Enterprise
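The table lists RPKI under "Security" but does not say what a router actually does with it. The following is an added example, not from this deck and not Cisco code: the route origin validation procedure of RFC 6811 (valid / invalid / notfound, honouring maxLength and AS0 ROAs) plus the "drop invalid, tag the rest" policy most operators apply. The ROAs, prefixes and AS numbers are constructed sample data from the documentation ranges; fetching and cryptographically validating ROAs from the RPKI repository is assumed to have happened already.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class ROA(NamedTuple):
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorises
    asn: int          # authorised origin AS; 0 (AS0) means "nobody may originate this"


def origin_validation(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 section 2: 'valid', 'invalid' or 'notfound' for one (prefix, origin AS) pair."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version:
            continue
        # A ROA covers the route when the route lies inside the ROA prefix (identical prefix included)
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # Matching ROA: same origin AS and the route is not longer than maxLength
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but none matched (wrong AS, too long, or AS0) -> invalid
    return "invalid" if covered else "notfound"


def apply_rpki_policy(routes: Iterable[Tuple[str, int]],
                      roas: Iterable[ROA]) -> List[Tuple[str, int, str]]:
    """Drop 'invalid' routes and tag the rest with their state; 'notfound' is kept, as RFC 6811 recommends."""
    roas = list(roas)
    kept = []
    for prefix, asn in routes:
        state = origin_validation(prefix, asn, roas)
        if state != "invalid":
            kept.append((prefix, asn, state))
    return kept


# Constructed ROAs (documentation prefixes, private-use ASNs); not real RPKI data
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # only the exact /24 may be originated by AS64496
    ROA("198.51.100.0/24", 26, 64497),   # AS64497 may announce the /24 or anything down to /26
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: any announcement of this space is invalid
]

if __name__ == "__main__":
    received = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500), ("10.0.0.0/8", 64496)]
    for entry in apply_rpki_policy(received, ROAS):
        print(entry)
```

The hijack case is the second route: 192.0.2.0/24 announced by AS64500 is covered by a ROA that names a different AS, so it is dropped, while 10.0.0.0/8 has no ROA at all and is kept as "notfound".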
Use case #1: WAN Orchestration
“.. not sure why folks keep talking about SDN as a datacenter technology - the value is in the WAN..”
Vijay Gill (https://twitter.com/vgill/status/227539039979446272)
The SP Challenge
• Traffic continues to increase, while revenue declines
• On top of SPs’ minds: increase efficiency of existing assets; create new revenue opportunities, and be faster at it
• SDN efforts in SP attempt to help with the above!
WAN BW optimization
Today: distributed optimization
• WAN BW optimization: 90%
• Full mesh of auto-bandwidth RSVP-TE tunnels
• High OPEX (complex): Cust A > 50K tunnels, Cust B > 100K tunnels
• Generates network oscillation (instability)
WAN orchestration: centralized optimization by an SDN WAN controller
• WAN BW, latency, QoS optimization: 95%
• SDN PCE controller driven WAN optimization
• Adequate Segment Routing TE tunnels
• Low OPEX (simple): Cust A < 10 tunnels, Cust B < 20 tunnels
SDN WAN Orchestration End-to-End
[Figure: DC/cloud providers (DC SDN) and customers (customer SDN) on either side of the NGN WAN, with workflow orchestration/apps on top. The SDN WAN controller stack consists of apps, APIs, application engine, collector, programming, state, control, visualization & analytics and multi-layer; it talks to the WAN via PCE-P and BGP-LS.]
Gathering up-to-date WAN network state
• To do its job, the SDN WAN controller requires up-to-date network visibility information, primarily about:
  • Load/capacity → SNMP, NetFlow, NETCONF/YANG
  • Topology → IGP (OSPF/IS-IS) information, via a direct link / passive adjacency, or better: BGP
High Level perspective of BGP-LinkState (BGP-LS)
• BGP may be used to advertise the link state and link state TE database of a network (BGP-LS)
• Provides a familiar operational model to easily aggregate topology information across domains
• New link-state address family
• Support for distribution of OSPF and IS-IS link state databases
• Topology information is distributed from the IGP into BGP (only when it changes)
• Support introduced in IOS XR 5.1.1
[Figure: Domain 0, Domain 1 and Domain 2 each export their link state into BGP-LS; a route reflector (RR) aggregates the BGP-LS feeds towards the PCE, which builds its traffic engineering database (TED) from them.]
BGP Link State Configuration – Cisco IOS XR 5.1.1

  router isis DEFAULT
   is-type level-2-only
   net 49.0000.1720.1625.5001.00
   distribute bgp-ls level 2
   address-family ipv4 unicast
    metric-style wide
    mpls traffic-eng level-2-only
    mpls traffic-eng router-id Loopback0
   !
   […]
  !
  router bgp 65172
   address-family link-state link-state
   !
   neighbor 172.31.0.1
    description Controller
    remote-as 65172
    update-source Loopback0
    address-family link-state link-state
   !
  !

Callouts: "distribute bgp-ls level 2" under router isis distributes the level-2 link state database into BGP-LS. "address-family link-state link-state" under router bgp enables the link-state address family, and the same line under the neighbor activates it for the BGP-LS peer (here the controller).
Use case #2: Controlling Flows via BGP
Introduction
• BGP (like any other routing protocol) influences destination-based routing
• BGP routing information can be injected from a central place (“SDN controller”)
• Why not use it for more than just giving a destination address to route packets to?
• “Flow Specification Rules”: application-aware filtering / redirect / mirroring; dynamic and adaptive technology; simple to configure
Use case 1: Security DDoS mitigation
Description: the goal is to push policies that match certain flows under DDoS attack and drop / rate-limit them or redirect the traffic to a DDoS scrubber, to protect peering / enterprise customers
Business: the SP sells DDoS mitigation services to enterprise customers, adding value to its IP transit services
[Figure: Flexible NetFlow data from the SP network is scanned by a DDoS analyser to detect the DDoS signature; the security controller then advertises a BGP flowspec rule (match: DDoS flow; action: redirect to DDoS scrubber) to the SP routers.]
Use case 2: Redirection to DC/NFV
Description: the goal is to redirect certain flows from the IP NGN or Internet transit network to DC and NFV appliances
Business: the SP sells NFV appliance services to enterprise customers, adding value to its IP NGN and IP transit services
[Figure: a DC hosting NFV appliances as VMs (NAT, firewall, SBC, DDoS); default traffic follows the normal path while HTTP flows are steered by a BGP flowspec rule (match: HTTP flows; action: redirect to DC/NFV).]
Cisco BGP flowspec is
Standards supported:
• BGP flowspec: RFC 5575
• IPv6 support: draft-ietf-idr-flow-spec-v6-05
• IP next-hop redirection options: draft-ietf-idr-flowspec-redirect-ip-01
• Origin check relaxation: draft-ietf-idr-bgp-flowspec-oid-02
• Optimized flow-based forwarding plane
• Controller, route reflection and client roles
Tested with ExaBGP (IPv4 controller), Arbor (IPv4 controller), Juniper (IPv4 client) and Alcatel (IPv4 & IPv6 client)
XR 5.2.0 June 2014
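The "origin check" the slide refers to is the validation procedure of RFC 5575 section 6: a flowspec rule is only usable if it comes from the same originator as the best-match unicast route for its destination prefix, and no more-specific unicast route for that destination was learned from a different neighbouring AS. Without it, any peer could inject a drop rule for someone else's prefix. Below is an added example, not from the deck and not Cisco's implementation, that applies these two rules to a constructed unicast RIB. The trusted-controller shortcut is an assumption standing in for the relaxation the oid draft describes for controller-injected rules; it is operator policy here, not the draft's exact procedure.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional


class UnicastRoute(NamedTuple):
    prefix: str        # unicast destination prefix
    originator: str    # BGP router-id that originated the unicast route
    neighbor_as: int   # neighbouring AS the route was received from


def best_match(dest: ipaddress.IPv4Network, rib: List[UnicastRoute]) -> Optional[UnicastRoute]:
    """Longest unicast prefix that covers the flow specification's destination prefix."""
    covering = [r for r in rib if dest.subnet_of(ipaddress.IPv4Network(r.prefix))]
    return max(covering, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen, default=None)


def flowspec_valid(dest_prefix: str, fs_originator: str, rib: Iterable[UnicastRoute],
                   trusted_controllers: Iterable[str] = ()) -> bool:
    """RFC 5575 section 6 validation of one flowspec NLRI against the unicast RIB."""
    rib = list(rib)
    dest = ipaddress.IPv4Network(dest_prefix)
    # Assumption (operator policy, modelled on the oid relaxation): a configured controller
    # may inject rules for prefixes it does not itself originate.
    if fs_originator in set(trusted_controllers):
        return True
    best = best_match(dest, rib)
    # Rule (a): the flowspec originator must match the originator of the best-match unicast route
    if best is None or best.originator != fs_originator:
        return False
    # Rule (b): no more-specific unicast route (than the flow destination) from a different AS
    for r in rib:
        net = ipaddress.IPv4Network(r.prefix)
        if net.prefixlen > dest.prefixlen and net.subnet_of(dest) and r.neighbor_as != best.neighbor_as:
            return False
    return True


# Constructed unicast RIB (documentation prefixes, private-use ASNs); not data from the deck
RIB = [
    UnicastRoute("192.0.2.0/24", "10.0.0.1", 64496),
    UnicastRoute("198.51.100.0/24", "10.0.0.2", 64497),
    UnicastRoute("198.51.100.128/25", "10.0.0.3", 64498),  # more-specific, learned from another AS
]

if __name__ == "__main__":
    print(flowspec_valid("192.0.2.0/24", "10.0.0.1", RIB))   # legitimate owner
    print(flowspec_valid("192.0.2.0/24", "10.0.0.9", RIB))   # someone else's rule for that prefix
    print(flowspec_valid("198.51.100.0/24", "10.0.0.2", RIB))  # blocked by the /25 from AS64498
```

The third case is the one that catches people: the /24 owner's own rule is rejected because a /25 inside it was learned from a different AS, so a drop rule for the /24 would also hit traffic that the other AS is entitled to receive.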
BGP flowspec infrastructure
[Figure: IOS XR flowspec component stack. BGP feeds the Flowspec Manager, which drives the Policy Infrastructure (E-PBR) and the platform hardware; configuration comes in via CLI and XR XML (phase 1) and YANG (phase 2).]
Router acting as BGP flowspec client
[Figure: the same component stack; the router receives a BGP flowspec rule (match X, action Y) over BGP and the Flowspec Manager programs it into the policy infrastructure and hardware.]
Router acting as BGP flowspec server
[Figure: the same component stack; the router injects the BGP flowspec rule (match X, action Y) into BGP for distribution to its clients.]
BGP flowspec tuple support for IPv4/v6

BGP flowspec NLRI type | QoS match field                              | Value input method | Controller | ASR9k as client             | CRS as client
Type 1                 | IPv4/v6 destination address                  | Prefix length      | Yes        | Yes                         | Yes
Type 2                 | IPv4/v6 source address                       | Prefix length      | Yes        | Yes                         | Yes
Type 3                 | IPv4/v6 protocol                             | Multi-value range  | Yes        | Yes                         | Yes
Type 4                 | IPv4/v6 source or destination port           | Multi-value range  | No         | Yes                         | Yes
Type 5                 | IPv4/v6 destination port                     | Multi-value range  | Yes        | Yes                         | Yes
Type 6                 | IPv4/v6 source port                          | Multi-value range  | Yes        | Yes                         | Yes
Type 7                 | IPv4/v6 ICMP type                            | Multi-value range  | Yes        | Future                      | Yes
Type 8                 | IPv4/v6 ICMP code                            | Multi-value range  | Yes        | Future                      | Yes
Type 9                 | IPv4/v6 TCP flags (2 bytes incl. reserved bits) | Bit mask        | Yes        | Only lower byte             | Not all bits
Type 10                | IPv4/v6 packet length                        | Multi-value range  | Yes        | Yes                         | Yes
Type 11                | IPv4/v6 DSCP / traffic class                 | Multi-value range  | Yes        | Yes                         | Yes
Type 12                | IPv4 fragmentation bits                      | Bit mask           | Yes        | Only indication of fragment | Yes
Type 13                | IPv6 flow label (optional header)            | Multi-value range  | Yes        | Future                      | Future
BGP flowspec extended community actions

BGP ext-community value                     | PBR action        | XR PI | ASR9k | CRS
0x8006 (RFC 5575) Traffic Rate 0            | drop              | Yes   | Yes   | Yes
0x8006 (RFC 5575) Traffic Rate <rate>       | police            | Yes   | Yes   | Yes
0x8008 (RFC 5575) Redirect VRF              | redirect vrf      | Yes   | Yes   | Yes
0x8009 (RFC 5575) Traffic Marking           | set dscp          | Yes   | Yes   | Yes
0x800b (IP redirect draft) Redirect IP NH   | nexthop IPv4/v6   | Yes   | Yes   | Yes
Use case #3: Routing Visibility
Optimizing Routing towards the Internet
• When your network is multi-homed to multiple SPs, balancing the traffic across the potential exit points can become a cumbersome task:
  1. Baseline the situation
  2. Tweak BGP attributes (MED, local preference, AS path) to shift traffic to other exits
  3. Watch the result
  4. If not happy, go back to 2
• How about letting software do this for you?
  • It knows the topology (via BGP-LS, see earlier)
  • It knows the traffic matrix (via NetFlow, LSP stats, interface load)
  • It misses information about the BGP routing table and its attributes
Achieving Routing Visibility
• BGP, being a routing protocol, can also be used to update the controller with granular routing information
• Easy.
• Really?
[Figure: an Internet PE peers with Transit1 and Transit2 and has an iBGP session to the controller.]
BGP RIBs
• A BGP speaker maintains multiple routing tables:
• Adj-RIB-In (per neighbor)
  • The updates as received from the peer
  • Incoming route policy is applied and attributes are changed
  • Updates dropped by the incoming route policy are discarded, to save memory
  • “soft-reconfiguration inbound” keeps them; such paths are flagged “received-only” in “show bgp …”
• Loc-RIB (local RIB)
  • BGP calculates the best path among the eligible paths in the Adj-RIB-In and places it in the Loc-RIB
  • Provides a view of all entries kept by the BGP router to forward traffic
BGP Monitoring Protocol
• We saw one case where we want to know exactly what the neighbor sent us (original attributes)
• For troubleshooting/monitoring, a record of prefixes received from neighbors (even those we configured to ignore) can be a valuable tool
[Figure: an eBGP neighbor’s updates pass through inbound filtering into the Loc-RIB; BMP exports the Adj-RIB-In as received, before the filter, to a BMP collector.]
What is BMP?
• BMP is intended to be used for monitoring BGP sessions
• BMP is intended to provide a more convenient interface for obtaining route views
• Design goals: simplicity, easy to use, minimally service affecting
• BMP does not affect the routing decision process and is only used to provide monitoring information
• BMP provides access to the Adj-RIB-In of a BGP peer on an ongoing basis and provides a periodic dump of statistical information; a monitoring station can use this for further analysis
• http://tools.ietf.org/html/draft-ietf-grow-bmp-07 (a.k.a. BMPv3; later published as RFC 7854)
• https://code.google.com/p/bmpreceiver/ (ExaBGP BMP code)
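To make the "Adj-RIB-In on an ongoing basis plus periodic statistics" concrete, here is an added example, not from the deck, not Cisco code and not the bmpreceiver project: a minimal BMP v3 decoder for the two message types a collector sees most, Statistics Report and Route Monitoring, using the field layout of RFC 7854 (the published form of the draft cited above). The per-peer header's L flag tells the collector whether it is looking at the Adj-RIB-In before or after inbound policy, and stat type 0 counts exactly the prefixes the slide calls "those we configured to ignore". Assumptions: IPv4 NLRI, 4-byte AS numbers in the encapsulated UPDATE (A flag clear), and only the AS_PATH attribute is decoded. Both sample messages are constructed here, not captured from a router.

```python
import struct
import ipaddress
from typing import Dict, List

FLAG_V, FLAG_L = 0x80, 0x40          # V: peer address is IPv6; L: message reflects post-policy Adj-RIB-In
MSG_ROUTE_MONITORING, MSG_STATS_REPORT = 0, 1
STAT_NAMES = {0: "rejected_by_inbound_policy", 7: "adj_rib_in_routes"}   # RFC 7854 section 4.8 (subset)


def parse_per_peer_header(hdr: bytes) -> Dict:
    """42-octet per-peer header that follows the common header on peer-scoped messages."""
    ptype, flags, _dist, addr, peer_as, bgp_id, sec, usec = struct.unpack(">BB8s16sI4sII", hdr)
    peer_ip = ipaddress.IPv6Address(addr) if flags & FLAG_V else ipaddress.IPv4Address(addr[12:])
    return {"peer_type": ptype, "post_policy": bool(flags & FLAG_L), "peer_ip": str(peer_ip),
            "peer_as": peer_as, "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
            "timestamp": sec + usec / 1e6}


def _prefixes(buf: bytes) -> List[str]:
    # Classic <length-in-bits><minimal prefix octets> NLRI / withdrawn encoding, IPv4
    out, pos = [], 0
    while pos < len(buf):
        plen = buf[pos]
        nbytes = (plen + 7) // 8
        addr = buf[pos + 1:pos + 1 + nbytes] + bytes(4 - nbytes)
        out.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        pos += 1 + nbytes
    return out


def parse_bgp_update(msg: bytes) -> Dict:
    """Decode the BGP UPDATE carried verbatim inside a Route Monitoring message."""
    length, mtype = struct.unpack(">HB", msg[16:19])
    if mtype != 2:
        raise ValueError("not a BGP UPDATE")
    wlen = struct.unpack(">H", msg[19:21])[0]
    withdrawn = _prefixes(msg[21:21 + wlen])
    pos = 21 + wlen
    alen = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2
    attr_end, as_path = pos + alen, []
    while pos < attr_end:
        flags, atype = msg[pos], msg[pos + 1]
        if flags & 0x10:                                   # extended length bit: 2-octet length
            vlen, pos = struct.unpack(">H", msg[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = msg[pos + 2], pos + 3
        value = msg[pos:pos + vlen]
        pos += vlen
        if atype == 2:                                     # AS_PATH: segments of (type, count, ASNs)
            i = 0
            while i < len(value):
                count = value[i + 1]
                as_path += list(struct.unpack(f">{count}I", value[i + 2:i + 2 + 4 * count]))
                i += 2 + 4 * count
    return {"withdrawn": withdrawn, "as_path": as_path, "nlri": _prefixes(msg[attr_end:length])}


def parse_bmp_message(data: bytes) -> Dict:
    version, length, mtype = struct.unpack(">BIB", data[:6])      # common header
    if version != 3 or len(data) < length:
        raise ValueError("bad BMP common header")
    peer = parse_per_peer_header(data[6:48])
    body = data[48:length]
    if mtype == MSG_STATS_REPORT:
        count, pos, stats = struct.unpack(">I", body[:4])[0], 4, {}
        for _ in range(count):                             # TLVs: type(2) length(2) value
            stype, slen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            stats[STAT_NAMES.get(stype, stype)] = int.from_bytes(body[pos:pos + slen], "big")
            pos += slen
        return {"type": "stats", "peer": peer, "stats": stats}
    if mtype == MSG_ROUTE_MONITORING:
        return {"type": "route_monitoring", "peer": peer, "update": parse_bgp_update(body)}
    return {"type": mtype, "peer": peer}


# ---- constructed sample messages (documentation addresses, private-use ASNs) ----
def _peer_header(post_policy: bool) -> bytes:
    peer = ipaddress.IPv4Address("192.0.2.1").packed
    return struct.pack(">BB8s16sI4sII", 0, FLAG_L if post_policy else 0, bytes(8),
                       bytes(12) + peer, 64496, peer, 1400000000, 0)


def _bmp(mtype: int, payload: bytes) -> bytes:
    return struct.pack(">BIB", 3, 6 + len(payload), mtype) + payload


# Stats report: the peer sent 5 prefixes that inbound policy rejected; 120 remain in the Adj-RIB-In
SAMPLE_STATS = _bmp(MSG_STATS_REPORT, _peer_header(False) + struct.pack(">I", 2)
                    + struct.pack(">HHI", 0, 4, 5) + struct.pack(">HHQ", 7, 8, 120))

# Pre-policy route monitoring: UPDATE announcing 203.0.113.0/24 with AS_PATH 64496 64500
_attrs = (bytes([0x40, 1, 1, 0])                                                  # ORIGIN IGP
          + bytes([0x40, 2, 10, 2, 2]) + struct.pack(">II", 64496, 64500)         # AS_PATH, AS_SEQUENCE
          + bytes([0x40, 3, 4]) + ipaddress.IPv4Address("192.0.2.1").packed)     # NEXT_HOP
_update = struct.pack(">HH", 0, len(_attrs)) + _attrs + bytes([24, 203, 0, 113])
_update = b"\xff" * 16 + struct.pack(">HB", 19 + len(_update), 2) + _update
SAMPLE_ROUTE = _bmp(MSG_ROUTE_MONITORING, _peer_header(False) + _update)

if __name__ == "__main__":
    print(parse_bmp_message(SAMPLE_STATS)["stats"])
    print(parse_bmp_message(SAMPLE_ROUTE)["update"])
```

A collector that records the Route Monitoring feed with the L flag clear has the "received-only" view of the previous slide without ever enabling soft-reconfiguration on the router, and the rejected-prefix counter lets it alarm when a peer suddenly starts sending far more than it should.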
Deployment Models
• Deployment Model 1: peering diagnostics and analytics
• Deployment Model 2: internal diagnostics and analytics
[Figure: AS#1234 (IGP 1 to IGP 5) peering with AS#4567; routers run BMP sessions to an analyser, at the peering edge for model 1 and from internal routers as well for model 2.]
Configuration

  router bgp <asn>
   neighbor <ip-address>
    BMP monitor all / server 1 server 2 …

  bmp server <1-32>
   activate
   address <ipv4/6 address> port-number <num>
   update-source <interface>
   description <string>
   failure-retry-delay <seconds>
   flapping-delay <seconds>
   initial-delay <seconds>
   set ip dscp value <1-7>
   stats-reporting-period <seconds>

  bmp buffer-size <megabytes>
  bmp initial-refresh {delay <seconds> | skip}

XR 5.2.2 November 2014
Use case #4: Controlling SLA via BGP
Introduction
• BGP (like any other routing protocol) influences destination-based routing
• BGP routing information can be injected from a central place (“SDN controller”)
• Why not use it for more than just giving a destination address to route packets to?
• “SLA Rules”: application-aware QoS; dynamic and adaptive technology; simple to configure
Controlling SLA via BGP
[Figure: (1) the customer changes the SLA for VPN Green in the customer portal to 25% Gold, 25% Silver, 50% BE; (2) the SLA SDN controller expresses this as BGP SLA; (3) the SLA is pushed to the managed and unmanaged CPE.]
draft-ietf-idr-sla-exchange
Future
DEMO is available
Wrapping Up
Summary
• Flexibility: SDN enhances the way we do networking, automates tasks and introduces new possibilities through open APIs
• Investment protection: SDN can co-exist with traditional networking protocols; it even leverages them
• Rich implementation: BGP provides a couple of essential tools in the toolbox for topology and routing distribution and for flow control / SLA control
• Cost effective: we hope you will make use of them to make your network infrastructure more agile and cost-effective
Questions?
Thank you.