Copyright 2013 Alcatel-Lucent. All rights reserved.

Policy Driven Networking and Migration to OpenstackScott Sneddon@ssneddon

@nuagenetworks

The “Consumption shift”

Cloud is changing the way technology is being consumed

From “order and wait”

To “instant gratification”

Consumer expectations are shifting

Multiple personas

Single user

On-demand personalized catalogue

Compute is Virtualized

Available in Minutes

Network is Partially Virtualized

Configuration takes Days/Weeks

NetworkConfiguration

Compute Management

New Tenant / Application Request

Auto-instantiation

Compute Request completed in

Minutes

Help DeskChange Control

IP Address

VLAN Address

FirewallConfiguration

LAN (VLAN)Configuration

WAN (IP)Configuration

Security / QATeam

ProjectCoordinator

Network Changecompleted in days/Weeks

00:01

Datacenter Network

Service velocity is hindered by manual network process

Network is “more” virtualized

Some things available in minutes – Some not so much

Many network elements are manually configured

Manual per-tenant network configurations

NetworkConfiguration

Compute Management

New Tenant / Application Request

Auto-instantiation

Compute Request completed in

Minutes

SDN Controller

Some Network Change completed In Minutes

00:01 00:01

Software Defined Datacenter Network

Service velocity accelerated, but…

Committees still build “networks”

Audits/reviews

In a NaaS environment (AWS, etc) this is delegated to the tenant

Is this what your DevOps team should be doing?

NetworkConfiguration

Software Defined Network Configuration

We’ve only addressed part of the automation problem

Security / QATeam

VLAN Address

IPAddress

WAN (IP)Configuration

FirewallConfiguration

Network Configurationcreated in days/Weeks

Application = Web

Application = SAP

Application = Database

Network Virtualization solutions…

Group applications into “network sandboxes”

Policy approach to networking

Policy Templates

Users

Application Types

Business Rules

Policy Evaluation

Firewall

Firewall

W

BLBL

W

FirewallW W

Firewall

Firewall

W

BLBL

W

Firewall

Firewall

W

BLBL

W

BLBL

Design once, re-use multiple times

Application Networks

Application-centric

How to expose network policy in Neutron?

OpenStack Group Based Policy Abstractions for Neutronhttps://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• An Application-centric approach to networking• Moving away from traditional network constructs

• ports, subnets, routers, etc• Aiming for a highly abstracted interface for application developers to

• express desired connectivity of application components• and express high-level policies governing that connectivity

• Without imposing constraints on the underlying implementation

What is a Neutron network Policy?

OpenStack Group Based Policy Abstractions for Neutronhttps://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

Openstack Network Policy becomes more sophisticated

Nuage has provided policy abstractions for virtual and physical networks since first release

ACLs, QoS classification and enforcement

Difficult to express using existing Neutron constructs…

Which is why we’re contributing to Group Based Policy Cleanly express application policy in Neutron

Cloud Service Management Plane

Datacenter Control Plane

DatacenterData Plane

VirtualRouting & Switching

Nuage Networks Virtual Services PlatformNetwork virtualization and automation

VirtualizedServicesDirectory

VirtualizedServicesController

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

HYPERVISOR

Brooklyn Datacenter - Zone 1

Virtualized Services Directory (VSD)• Network Policy Engine – abstracts complexity• Service templates and analytics

Virtualized Services Controller (VSC)• SDN Controller, programs the network• Rich routing feature set

Virtual Routing & Switching (VRS)• Distributed switch / router – L2-4 rules• Integration of bare metal assets

Nuage NetworksVirtualized Services Platform (VSP)

IP Fabric

Edge Router

MP-BGPMP-BGP

Hardware GW for Bare Metal

DATACENTERNETWORK

. . . .

Any Compute Virtualization Environment

Any Datacenter Networking Hardware

Any Server or Hypervisor

Open solution

Consistent capabilities across

Seamless interconnect between clouds Distributed L2 and L3 routing to

each hypervisor

Within clouds and across clouds

No choke points

Shared L2 and L3 networks across DCs

KVM, LXC, Xen, ESXi

Openstack, CloudstackHypervisor

Hypervisor

Legacy DC

Hypervisor

Hypervisor

Hypervisor

Private CloudHypervisor

Public Cloud

IP Fabric (DC & WAN)

Virtualized ServicesDirectory

Network, Security Admin Application developers

XaaS

App/Dev Container

App/Dev Container

App/Dev Container

Simplified migration to Openstack

Using a hypervisor-agnostic network platform

How to migrate apps to Openstack when they have network dependencies?

How to migrate while maintaining IP addresses?

How to migrate individual hosts within an application?

Physical to Virtual?

Virtual to Virtual?

. . . .

???

Demo…

Conclusions

• Creation of distributed virtual switches and virtual routers - great for virtual networks and better than old models, but …

• Creates a distributed virtual configuration and management challenge

• Provisioning and management of these endpoints can not be done with traditional methodology

• Policy abstraction is a proven framework

• Successfully shipping since May 2013

For more information…

• Nuage Networks Virtualized Services Platform

• http://www.nuagenetworks.net/solutions/

• OpenStack Neutron Group Based Policy Abstraction• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction

• OpenDaylight Application Policy Plugin• https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin

185/14/14

Network Policy NOW

@nuagenetworks

@ssneddon